diff --git a/controllers/devworkspace/solver/che_routing.go b/controllers/devworkspace/solver/che_routing.go index 6364874c8f..d76f66f076 100644 --- a/controllers/devworkspace/solver/che_routing.go +++ b/controllers/devworkspace/solver/che_routing.go @@ -370,7 +370,7 @@ func addToTraefikConfig(namespace string, workspaceID string, machineName string rtrs[name] = traefikConfigRouter{ Rule: fmt.Sprintf("PathPrefix(`%s`)", prefix), Service: name, - Middlewares: []string{name}, + Middlewares: []string{name + "-header", name + "-prefix", name + "-auth"}, Priority: 100, } @@ -384,11 +384,27 @@ func addToTraefikConfig(namespace string, workspaceID string, machineName string }, } - mdls[name] = traefikConfigMiddleware{ - StripPrefix: traefikConfigStripPrefix{ + mdls[name+"-prefix"] = traefikConfigMiddleware{ + StripPrefix: &traefikConfigStripPrefix{ Prefixes: []string{prefix}, }, } + + mdls[name+"-auth"] = traefikConfigMiddleware{ + ForwardAuth: &traefikConfigForwardAuth{ + Address: "http://127.0.0.1:8089?namespace=" + namespace, + }, + } + + mdls[name+"-header"] = traefikConfigMiddleware{ + Plugin: &traefikPlugin{ + HeaderRewrite: &traefikPluginHeaderRewrite{ + From: "X-Forwarded-Access-Token", + To: "Authorization", + Prefix: "Bearer ", + }, + }, + } } } } diff --git a/controllers/devworkspace/solver/che_routing_test.go b/controllers/devworkspace/solver/che_routing_test.go index 82486abef5..2c89a0937c 100644 --- a/controllers/devworkspace/solver/che_routing_test.go +++ b/controllers/devworkspace/solver/che_routing_test.go @@ -260,9 +260,35 @@ func TestCreateRelocatedObjects(t *testing.T) { t.Fatalf("Expected exactly one traefik router but got %d", len(workspaceConfig.HTTP.Routers)) } - if _, ok := workspaceConfig.HTTP.Routers["wsid-m1-9999"]; !ok { + wsid := "wsid-m1-9999" + if _, ok := workspaceConfig.HTTP.Routers[wsid]; !ok { t.Fatal("traefik config doesn't contain expected workspace configuration") } + + if len(workspaceConfig.HTTP.Routers[wsid].Middlewares) != 3 { + t.Fatalf("Expected 3 middlewares in router but got '%d'", len(workspaceConfig.HTTP.Routers[wsid].Middlewares)) + } + + if len(workspaceConfig.HTTP.Middlewares) != 3 { + t.Fatalf("Expected 3 middlewares set but got '%d'", len(workspaceConfig.HTTP.Middlewares)) + } + + mwares := []string{wsid + "-auth", wsid + "-prefix", wsid + "-header"} + for _, mware := range mwares { + if _, ok := workspaceConfig.HTTP.Middlewares[mware]; !ok { + t.Fatalf("traefik config doesn't set middleware '%s'", mware) + } + found := false + for _, r := range workspaceConfig.HTTP.Routers[wsid].Middlewares { + if r == mware { + found = true + } + } + if !found { + t.Fatalf("traefik config route doesn't set middleware '%s'", mware) + } + } + }) } diff --git a/controllers/devworkspace/solver/traefik_config.go b/controllers/devworkspace/solver/traefik_config.go index 3e0394888c..fd9cc0447f 100644 --- a/controllers/devworkspace/solver/traefik_config.go +++ b/controllers/devworkspace/solver/traefik_config.go @@ -23,7 +23,9 @@ type traefikConfigService struct { } type traefikConfigMiddleware struct { - StripPrefix traefikConfigStripPrefix `json:"stripPrefix"` + StripPrefix *traefikConfigStripPrefix `json:"stripPrefix,omitempty"` + ForwardAuth *traefikConfigForwardAuth `json:"forwardAuth,omitempty"` + Plugin *traefikPlugin `json:"plugin,omitempty"` } type traefikConfigLoadbalancer struct { @@ -37,3 +39,17 @@ type traefikConfigLoadbalancerServer struct { type traefikConfigStripPrefix struct { Prefixes []string `json:"prefixes"` } + +type traefikConfigForwardAuth struct { + Address string `json:"address"` +} + +type traefikPlugin struct { + HeaderRewrite *traefikPluginHeaderRewrite `json:"header-rewrite,omitempty"` +} + +type traefikPluginHeaderRewrite struct { + From string `json:"from"` + To string `json:"to"` + Prefix string `json:"prefix"` +} diff --git a/pkg/deploy/gateway/gateway.go b/pkg/deploy/gateway/gateway.go index 9f567530ef..c15d2759ea 100644 --- a/pkg/deploy/gateway/gateway.go +++ b/pkg/deploy/gateway/gateway.go @@ -101,6 +101,11 @@ func syncAll(deployContext *deploy.DeployContext) error { } else { return err } + + kubeRbacProxyConfig := getGatewayKubeRbacProxyConfigSpec(instance) + if _, err := deploy.Sync(deployContext, &kubeRbacProxyConfig, configMapDiffOpts); err != nil { + return err + } } traefikConfig := getGatewayTraefikConfigSpec(instance) @@ -424,6 +429,31 @@ skip_provider_button = true`, instance.Spec.Server.CheHost, instance.Spec.Auth.O } } +func getGatewayKubeRbacProxyConfigSpec(instance *orgv1.CheCluster) corev1.ConfigMap { + return corev1.ConfigMap{ + TypeMeta: metav1.TypeMeta{ + APIVersion: corev1.SchemeGroupVersion.String(), + Kind: "ConfigMap", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "che-gateway-config-kube-rbac-proxy", + Namespace: instance.Namespace, + Labels: deploy.GetLabels(instance, GatewayServiceName), + }, + Data: map[string]string{ + "authorization-config.yaml": ` +authorization: + rewrites: + byQueryParameter: + name: "namespace" + resourceAttributes: + apiVersion: v1 + resource: services + namespace: "{{ .Value }}"`, + }, + } +} + func generateRandomCookieSecret() []byte { return []byte(base64.StdEncoding.EncodeToString([]byte(util.GeneratePasswd(16)))) } @@ -620,6 +650,13 @@ func getContainersSpec(instance *orgv1.CheCluster) []corev1.Container { "--insecure-listen-address=127.0.0.1:8089", "--upstream=http://127.0.0.1:8090/ping", "--logtostderr=true", + "--config-file=/etc/kube-rbac-proxy/authorization-config.yaml", + }, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "kube-rbac-proxy-config", + MountPath: "/etc/kube-rbac-proxy", + }, }, }) } @@ -690,6 +727,17 @@ func getVolumesSpec(instance *orgv1.CheCluster) []corev1.Volume { }, }, }) + + volumes = append(volumes, corev1.Volume{ + Name: "kube-rbac-proxy-config", + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "che-gateway-config-kube-rbac-proxy", + }, + }, + }, + }) } return volumes