Use kube-authz-proxy with dbgate (#1)

Signed-off-by: Tamal Saha <[email protected]>
kubedb · Jul 16, 2024 · 70efc7c · 70efc7c
1 parent 14f3f6d
commit 70efc7c
Show file tree

Hide file tree

Showing 24 changed files with 590 additions and 156 deletions.
diff --git a/charts/dbgate/README.md b/charts/dbgate/README.md
diff --git a/charts/dbgate/templates/cluster-role-binding.yaml b/charts/dbgate/templates/cluster-role-binding.yaml
@@ -0,0 +1,15 @@
+# to delegate authentication and authorization
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "dbgate.fullname" . }}-auth-delegator
+  labels:
+    {{- include "dbgate.labels" . | nindent 4 }}
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: {{ include "dbgate.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
diff --git a/charts/dbgate/templates/deployment.yaml b/charts/dbgate/templates/deployment.yaml
@@ -37,11 +37,52 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
+        {{- if .Values.authzproxy.enabled }}
+        - name: authz-proxy
+          securityContext:
+            {{- toYaml .Values.authzproxy.securityContext | nindent 12 }}
+          image: "{{ .Values.authzproxy.repository }}:{{ .Values.authzproxy.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - run
+            - --listen={{ .Values.authzproxy.params.listen }}
+            - --metrics-addr={{ .Values.authzproxy.params.metricsAddr }}
+            - --secret-name={{ .Values.app.authSecret.name }}
+            - --secret-namespace={{ .Release.Namespace }}
+            - --target-url=http://localhost:3000
+            - --platform-url={{ .Values.authzproxy.params.platformURL }}
+            {{- if .Values.authzproxy.params.platformCABundle }}
+            - --platform-ca-file=/var/platform-auth/ca.crt
+            {{- end }}
+          ports:
+            - name: proxy
+              containerPort: {{ .Values.authzproxy.params.listen }}
+              protocol: TCP
+            - name: metrics
+              containerPort: {{ .Values.authzproxy.params.metricsAddr }}
+              protocol: TCP
+          # livenessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          # readinessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          resources:
+            {{- toYaml .Values.authzproxy.resources | nindent 12 }}
+          {{- if .Values.authzproxy.params.platformCABundle }}
+          volumeMounts:
+            - mountPath: /var/platform-auth
+              name: platform-auth
+          {{- end }}
+        {{ end }}
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if not .Values.authzproxy.enabled }}
           env:
             - name: CONNECTIONS
               value: "PRIMARY"
@@ -63,6 +104,7 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.app.authSecret.name }}
                   key: password
+          {{- end }}
           ports:
             - name: http
               containerPort: 3000
@@ -77,6 +119,13 @@ spec:
               port: http
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+      {{- if .Values.authzproxy.params.platformCABundle }}
+      volumes:
+        - name: platform-auth
+          secret:
+            defaultMode: 420
+            secretName: {{ include "dbgate.fullname" . }}-platform-auth
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/dbgate/templates/platform-auth.yaml b/charts/dbgate/templates/platform-auth.yaml
@@ -0,0 +1,17 @@
+{{ $data := dict }}
+
+{{- with .Values.authzproxy.params.platformCABundle }}
+{{ $_ := set $data "ca.crt" . }}
+{{- end }}
+
+{{- if $data }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "dbgate.fullname" . }}-platform-auth
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dbgate.labels" . | nindent 4 }}
+type: Opaque
+stringData: {{ $data | toJson }}
+{{- end }}
diff --git a/charts/dbgate/templates/service.yaml b/charts/dbgate/templates/service.yaml
@@ -9,7 +9,7 @@ spec:
   type: {{ .Values.service.type }}
   ports:
     - port: {{ .Values.service.port }}
-      targetPort: http
+      targetPort: {{- if .Values.authzproxy.enabled }}"proxy"{{ else }}"http"{{ end }}
       protocol: TCP
       name: http
   selector:

diff --git a/charts/dbgate/templates/serviceaccount.yaml b/charts/dbgate/templates/serviceaccount.yaml
@@ -10,4 +10,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: true
 {{- end }}
diff --git a/charts/dbgate/values.yaml b/charts/dbgate/values.yaml
@@ -122,3 +122,30 @@ app:
 bind:
   name: ""
   namespace: ""
+
+authzproxy:
+  enabled: false
+  # KubeDB operator container image
+  repository: ghcr.io/appscode/kube-authz-proxy
+  # KubeDB operator container image tag
+  tag: "v0.0.1"
+  # Security options this container should run with
+  securityContext: # +doc-gen:break
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
+  # Compute Resources required by this container
+  resources: {}
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  params:
+    listen: 8000
+    metricsAddr: 8080
+    platformURL: ""
+    platformCABundle: ""
diff --git a/charts/kafka-ui/artifacthub-repo.yml b/charts/kafka-ui/artifacthub-repo.yml
@@ -0,0 +1,15 @@
+# Artifact Hub repository metadata file
+#
+# Some settings like the verified publisher flag or the ignored packages won't
+# be applied until the next time the repository is processed. Please keep in
+# mind that the repository won't be processed if it has not changed since the
+# last time it was processed. Depending on the repository kind, this is checked
+# in a different way. For Helm http based repositories, we consider it has
+# changed if the `index.yaml` file changes. For git based repositories, it does
+# when the hash of the last commit in the branch you set up changes. This does
+# NOT apply to ownership claim operations, which are processed immediately.
+#
+repositoryID: 243d43a8-9c5f-42b8-8173-c23350ed1e7a
+owners:
+  - name: maintainers.kafka-ui
+    email: [email protected]
diff --git a/charts/kafka-ui/index.yaml b/charts/kafka-ui/index.yaml
@@ -0,0 +1,3 @@
+apiVersion: v1
+entries: {}
+generated: "2021-11-11T12:26:08.479581+03:00"