Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Global floatingUserId #577

Merged
merged 1 commit into from
Aug 9, 2024
Merged

Global floatingUserId #577

merged 1 commit into from
Aug 9, 2024

Conversation

sheidkamp
Copy link
Contributor

@sheidkamp sheidkamp commented Aug 8, 2024

Description

Adds the ability to render deployments templates with a reference global floatingUserId field. This field is used to globally unset the runAsUser field in container securityContexts (like the painter's floatingUserId) and supresses the rendering of the pod's securityContext.

This feature is enabled by setting the GlobalFloatingUserIdPath in the Operator to the path of the global field, and defaults to an empty string (disabled).

Context

This has been added to facilitate OpenShift deployments by creating a single field that can apply the changes necessary to deploy with OpenShift. The template generation is used by Gloo Gateway EE to create its Portal deployments, and this change will allow the global setting to be applied.

Example usage: https://github.com/solo-io/solo-projects/compare/consistent-floating-user-id...consistent-floating-user-id-with-portal-operator

Manual validation

There is a solo-projects PR that has the non-skv2 related Helm changes to support the new global flag for OpenShift which has been validated by Field Engingeering. Because the skv2 generated templated has not been updated, gateway-portal-web-server.glooPortalServer. floatingUserId=true needs to be set.

The approach for this test is to generate the Helm from that branch with gateway-portal-web-server.glooPortalServer. floatingUserId=true and use it as the baseline against which to validate the skv2 changes.

We will then generate helm in that branch without gateway-portal-web-server.glooPortalServer. floatingUserId=true to see the changes from not including that flag - runAsUser is rendered for the portal, and we can ignore the generated security artifacts:

diff /tmp/openshift-compatible-helm.yaml /tmp/broken-portal-helm.yaml
72c72
<   signing-key: "akNjQVdvM0thSQ=="
---
>   signing-key: "VUJ5b3lKR3UySg=="
85,86c85,86
<   users.acl: dXNlciBkZWZhdWx0ICtAYWxsIGFsbGtleXMgb24gPldJc014UTc2NE02Q1Y1NUlKWFBxd1REQVB3djRPSGs1eW9MTkh6U0diWnMxcG9lUmRicmkwRGZsRGRtYmUxU3g=
<   redis-password: V0lzTXhRNzY0TTZDVjU1SUpYUHF3VERBUHd2NE9IazV5b0xOSHpTR2JaczFwb2VSZGJyaTBEZmxEZG1iZTFTeA==
---
>   users.acl: dXNlciBkZWZhdWx0ICtAYWxsIGFsbGtleXMgb24gPlh5c3R5OHdjWjl2N084Ynp3NjN2cG5aRzJOeXh4bG41Sk51enpmZHZqcm9HT3FacU5BNFRFZG1RS1NoZmpBNlo=
>   redis-password: WHlzdHk4d2NaOXY3Tzhienc2M3ZwblpHMk55eHhsbjVKTnV6emZkdmpyb0dPcVpxTkE0VEVkbVFLU2hmakE2Wg==
1721a1722
>           runAsUser: 10101

We then switch to a fork of that branch which has had the SKv2 changes pulled in an regenerate the Helm without gateway-portal-web-server.glooPortalServer. floatingUserId=true and validate that it matches the original helm ( ignoring the generated security artifacts)

diff /tmp/openshift-compatible-helm.yaml /tmp/new-portal-helm.yaml
72c72
<   signing-key: "akNjQVdvM0thSQ=="
---
>   signing-key: "ZXZEV0VBR0drSQ=="
85,86c85,86
<   users.acl: dXNlciBkZWZhdWx0ICtAYWxsIGFsbGtleXMgb24gPldJc014UTc2NE02Q1Y1NUlKWFBxd1REQVB3djRPSGs1eW9MTkh6U0diWnMxcG9lUmRicmkwRGZsRGRtYmUxU3g=
<   redis-password: V0lzTXhRNzY0TTZDVjU1SUpYUHF3VERBUHd2NE9IazV5b0xOSHpTR2JaczFwb2VSZGJyaTBEZmxEZG1iZTFTeA==
---
>   users.acl: dXNlciBkZWZhdWx0ICtAYWxsIGFsbGtleXMgb24gPmt1aEF5RjFzdkxhWktXSGh0MnJDTlhrN3A5dE5JaER2aGIyOHRBZFRRSnhJY1cxa1BnVnJJQWQ3bEFOV0x6MDE=
>   redis-password: a3VoQXlGMXN2TGFaS1dIaHQyckNOWGs3cDl0TkloRHZoYjI4dEFkVFFKeEljVzFrUGdWcklBZDdsQU5XTHowMQ==

We are now rendering the OpenShift-compatible helm without the

Script to generate and diff helm. Expand to see results:
# This script generates helm templates for OpenShift in the following configurations:
# 1) Using the consistent-floating-user-id branch with "gateway-portal-web-server.glooPortalServer.floatingUserId=true" and "global.securitySettings.floatingUserId=true".
#    - this has been validated by Field Engineer to work with OpenShift and will be used as the "target" helm
# 2) Using the consistent-floating-user-id branch with "global.securitySettings.floatingUserId=true" and "gateway-portal-web-server.glooPortalServer.floatingUserId" as the default (false)
#    - this will show the results of this configuration do not provide the expected helm
# 3) Using the consistent-floating-user-id-with-portal-operator which has the skv2 changes pulled in and the same Helm values as 2)
#    - this will show that the skv2 changes result in rendering the desired Helm without needing to set "gateway-portal-web-server.glooPortalServer.floatingUserId=true"

echo "git checkout consistent-floating-user-id - this branch has been validated by field engineering"
git checkout consistent-floating-user-id

echo "VERSION=1.0.0-ci make build-test-chart"
VERSION=1.0.0-ci make build-test-chart > /dev/null

echo "\ncreating /tmp/helm-values-with-portal-floating-userid.yaml"

cat << EOF > /tmp/helm-values-with-portal-floating-userid.yaml
gloo:
  kubeGateway:
    enabled: true
  gatewayProxies:
    gatewayProxy:
      disabled: true
  gateway:
    persistProxySpec: true
    logLevel: info
    validation:
      alwaysAcceptResources: false
  gloo:
    logLevel: info
    deployment:
      replicas: 1
      customEnv:
        - name: GG_PORTAL_PLUGIN
          value: "true"
      livenessProbeEnabled: true
  discovery:
    enabled: false
  rbac:
    namespaced: true
    nameSuffix: gg-demo
observability:
  enabled: false
prometheus:
  enabled: false
grafana:
  defaultInstallationEnabled: false
gloo-fed:
  enabled: false
  glooFedApiserver:
    enable: false
gateway-portal-web-server:
  enabled: true
  glooPortalServer:
    floatingUserId: true # <-------------------- SHOULD NOT BE NEEDED
settings:
  disableKubernetesDestinations: true
global:
  securitySettings:
    floatingUserId: true
  extensions:
    rateLimit:
      enabled: true
    extAuth:
      enabled: true
  istioSDS:
    enabled: true
  istioIntegration:
    enabled: true
    enableAutoMtls: true
EOF

echo "\nFile contents:"
cat /tmp/helm-values-with-portal-floating-userid.yaml


echo "\ncreating /tmp/helm-values-without-portal-floating-userid.yaml"

cat << EOF > /tmp/helm-values-without-portal-floating-userid.yaml
gloo:
  kubeGateway:
    enabled: true
  gatewayProxies:
    gatewayProxy:
      disabled: true
  gateway:
    persistProxySpec: true
    logLevel: info
    validation:
      alwaysAcceptResources: false
  gloo:
    logLevel: info
    deployment:
      replicas: 1
      customEnv:
        - name: GG_PORTAL_PLUGIN
          value: "true"
      livenessProbeEnabled: true
  discovery:
    enabled: false
  rbac:
    namespaced: true
    nameSuffix: gg-demo
observability:
  enabled: false
prometheus:
  enabled: false
grafana:
  defaultInstallationEnabled: false
gloo-fed:
  enabled: false
  glooFedApiserver:
    enable: false
gateway-portal-web-server:
  enabled: true
settings:
  disableKubernetesDestinations: true
global:
  securitySettings:
    floatingUserId: true
  extensions:
    rateLimit:
      enabled: true
    extAuth:
      enabled: true
  istioSDS:
    enabled: true
  istioIntegration:
    enabled: true
    enableAutoMtls: true
EOF

echo "\nFile contents:"
cat /tmp/helm-values-without-portal-floating-userid.yaml

echo "\n\nGenerating templates with glooPortalServer.floatingUserId=true - this is the 'target' chart that is known to work in OpenShift"
echo "helm template gloo-ee _test/gloo-ee-1.0.0-ci.tgz --namespace gloo-system --set-string license_key=$GLOO_LICENSE_KEY -f /tmp/helm-values-with-portal-floating-userid.yaml > /tmp/openshift-compatible-helm.yaml"
helm template gloo-ee _test/gloo-ee-1.0.0-ci.tgz --namespace gloo-system --set-string license_key=$GLOO_LICENSE_KEY -f /tmp/helm-values-with-portal-floating-userid.yaml > /tmp/openshift-compatible-helm.yaml

echo "\n\nGenerating templates without glooPortalServer.floatingUserId - this is the is to show the effects of the glooPortalServer.floatingUserId field"
echo "helm template gloo-ee _test/gloo-ee-1.0.0-ci.tgz --namespace gloo-system --set-string license_key=$GLOO_LICENSE_KEY -f /tmp/helm-values-without-portal-floating-userid.yaml > /tmp/broken-portal-helm.yaml"
helm template gloo-ee _test/gloo-ee-1.0.0-ci.tgz  --namespace gloo-system --set-string license_key=$GLOO_LICENSE_KEY -f /tmp/helm-values-without-portal-floating-userid.yaml > /tmp/broken-portal-helm.yaml


echo "\nGenerating diff - expecting to see runAsUser from the portal security context:"
echo "diff /tmp/openshift-compatible-helm.yaml /tmp/broken-portal-helm.yaml"
diff /tmp/openshift-compatible-helm.yaml /tmp/broken-portal-helm.yaml

echo "\n Checking out branch with SKv2 updates:"
echo "git checkout consistent-floating-user-id-with-portal-operator"
git checkout consistent-floating-user-id-with-portal-operator

echo "VERSION=1.0.0-ci make build-test-chart"
VERSION=1.0.0-ci make build-test-chart > /dev/null

echo "\n\nRe-generating templates without glooPortalServer.floatingUserId - this should match the original helm"
echo "helm template gloo-ee _test/gloo-ee-1.0.0-ci.tgz --namespace gloo-system --set-string license_key=$GLOO_LICENSE_KEY -f /tmp/helm-values-without-portal-floating-userid.yaml > /tmp/new-portal-helm.yaml"
helm template gloo-ee _test/gloo-ee-1.0.0-ci.tgz  --namespace gloo-system --set-string license_key=$GLOO_LICENSE_KEY -f /tmp/helm-values-without-portal-floating-userid.yaml > /tmp/new-portal-helm.yaml

echo "\nGenerating diff - should match target helm except for generated security artifacts:"
echo "diff /tmp/openshift-compatible-helm.yaml /tmp/new-portal-helm.yaml"
diff /tmp/openshift-compatible-helm.yaml /tmp/new-portal-helm.yaml

echo "\nCleanup"
rm /tmp/helm-values-with-portal-floating-userid.yaml /tmp/helm-values-without-portal-floating-userid.yaml /tmp/openshift-compatible-helm.yaml /tmp/broken-portal-helm.yaml  /tmp/new-portal-helm.yaml
Results:
git checkout consistent-floating-user-id - this branch has been validated by field engineering
Switched to branch 'consistent-floating-user-id'
Your branch is up to date with 'origin/consistent-floating-user-id'.
VERSION=1.0.0-ci make build-test-chart

creating /tmp/helm-values-with-portal-floating-userid.yaml

File contents:
gloo:
  kubeGateway:
    enabled: true
  gatewayProxies:
    gatewayProxy:
      disabled: true
  gateway:
    persistProxySpec: true
    logLevel: info
    validation:
      alwaysAcceptResources: false
  gloo:
    logLevel: info
    deployment:
      replicas: 1
      customEnv:
        - name: GG_PORTAL_PLUGIN
          value: "true"
      livenessProbeEnabled: true
  discovery:
    enabled: false
  rbac:
    namespaced: true
    nameSuffix: gg-demo
observability:
  enabled: false
prometheus:
  enabled: false
grafana:
  defaultInstallationEnabled: false
gloo-fed:
  enabled: false
  glooFedApiserver:
    enable: false
gateway-portal-web-server:
  enabled: true
  glooPortalServer:
    floatingUserId: true # <-------------------- SHOULD NOT BE NEEDED
settings:
  disableKubernetesDestinations: true
global:
  securitySettings:
    floatingUserId: true
  extensions:
    rateLimit:
      enabled: true
    extAuth:
      enabled: true
  istioSDS:
    enabled: true
  istioIntegration:
    enabled: true
    enableAutoMtls: true

creating /tmp/helm-values-without-portal-floating-userid.yaml

File contents:
gloo:
  kubeGateway:
    enabled: true
  gatewayProxies:
    gatewayProxy:
      disabled: true
  gateway:
    persistProxySpec: true
    logLevel: info
    validation:
      alwaysAcceptResources: false
  gloo:
    logLevel: info
    deployment:
      replicas: 1
      customEnv:
        - name: GG_PORTAL_PLUGIN
          value: "true"
      livenessProbeEnabled: true
  discovery:
    enabled: false
  rbac:
    namespaced: true
    nameSuffix: gg-demo
observability:
  enabled: false
prometheus:
  enabled: false
grafana:
  defaultInstallationEnabled: false
gloo-fed:
  enabled: false
  glooFedApiserver:
    enable: false
gateway-portal-web-server:
  enabled: true
settings:
  disableKubernetesDestinations: true
global:
  securitySettings:
    floatingUserId: true
  extensions:
    rateLimit:
      enabled: true
    extAuth:
      enabled: true
  istioSDS:
    enabled: true
  istioIntegration:
    enabled: true
    enableAutoMtls: true


Generating templates with glooPortalServer.floatingUserId=true - this is the 'target' chart that is known to work in OpenShift
helm template gloo-ee _test/gloo-ee-1.0.0-ci.tgz --namespace gloo-system --set-string license_key=eyJhZGRPbnMiOltdLCJleHAiOjE3MjE4MzAwNTEsImlhdCI6MTcwNjI4MTY1MSwiayI6Ii90NDlLUSIsImx0IjoiZW50IiwicHJvZHVjdCI6Imdsb28ifQ.mWbudY_axUczC0chYLRpmX7hMNinUSg-SyIeVtBe12Y -f /tmp/helm-values-with-portal-floating-userid.yaml > /tmp/openshift-compatible-helm.yaml


Generating templates without glooPortalServer.floatingUserId - this is the is to show the effects of the glooPortalServer.floatingUserId field
helm template gloo-ee _test/gloo-ee-1.0.0-ci.tgz --namespace gloo-system --set-string license_key=eyJhZGRPbnMiOltdLCJleHAiOjE3MjE4MzAwNTEsImlhdCI6MTcwNjI4MTY1MSwiayI6Ii90NDlLUSIsImx0IjoiZW50IiwicHJvZHVjdCI6Imdsb28ifQ.mWbudY_axUczC0chYLRpmX7hMNinUSg-SyIeVtBe12Y -f /tmp/helm-values-without-portal-floating-userid.yaml > /tmp/broken-portal-helm.yaml

Generating diff - expecting to see runAsUser from the portal security context:
diff /tmp/openshift-compatible-helm.yaml /tmp/broken-portal-helm.yaml
72c72
<   signing-key: "TTkyZGg4UTB1Vg=="
---
>   signing-key: "b1c2RktpQWUyMA=="
85,86c85,86
<   users.acl: dXNlciBkZWZhdWx0ICtAYWxsIGFsbGtleXMgb24gPmtFY0RnVmFuRWJFT3FWRlRjcTB4Rmh6SVdlSWF5UE51Z3lscGZTb2N1S3V2MXdnVUE1N0NsRlRWWHIydEZIR0M=
<   redis-password: a0VjRGdWYW5FYkVPcVZGVGNxMHhGaHpJV2VJYXlQTnVneWxwZlNvY3VLdXYxd2dVQTU3Q2xGVFZYcjJ0RkhHQw==
---
>   users.acl: dXNlciBkZWZhdWx0ICtAYWxsIGFsbGtleXMgb24gPmQ4QzZVQUFnM1cyYktkb0xMT3N6ZTUyZWh3Z2R0OWRwWGpET3k4S05udW1DMm8wb2QzMEowYUVoMUNPd0xsYzc=
>   redis-password: ZDhDNlVBQWczVzJiS2RvTExPc3plNTJlaHdnZHQ5ZHBYakRPeThLTm51bUMybzBvZDMwSjBhRWgxQ093TGxjNw==
1721a1722
>           runAsUser: 10101

 Checking out branch with SKv2 updates:
git checkout consistent-floating-user-id-with-portal-operator
Switched to branch 'consistent-floating-user-id-with-portal-operator'
Your branch is up to date with 'origin/consistent-floating-user-id-with-portal-operator'.
VERSION=1.0.0-ci make build-test-chart


Re-generating templates without glooPortalServer.floatingUserId - this should match the original helm
helm template gloo-ee _test/gloo-ee-1.0.0-ci.tgz --namespace gloo-system --set-string license_key=eyJhZGRPbnMiOltdLCJleHAiOjE3MjE4MzAwNTEsImlhdCI6MTcwNjI4MTY1MSwiayI6Ii90NDlLUSIsImx0IjoiZW50IiwicHJvZHVjdCI6Imdsb28ifQ.mWbudY_axUczC0chYLRpmX7hMNinUSg-SyIeVtBe12Y -f /tmp/helm-values-without-portal-floating-userid.yaml > /tmp/new-portal-helm.yaml

Generating diff - should match target helm except for generated security artifacts:
diff /tmp/openshift-compatible-helm.yaml /tmp/new-portal-helm.yaml
72c72
<   signing-key: "TTkyZGg4UTB1Vg=="
---
>   signing-key: "ZldsczA4aDJudg=="
85,86c85,86
<   users.acl: dXNlciBkZWZhdWx0ICtAYWxsIGFsbGtleXMgb24gPmtFY0RnVmFuRWJFT3FWRlRjcTB4Rmh6SVdlSWF5UE51Z3lscGZTb2N1S3V2MXdnVUE1N0NsRlRWWHIydEZIR0M=
<   redis-password: a0VjRGdWYW5FYkVPcVZGVGNxMHhGaHpJV2VJYXlQTnVneWxwZlNvY3VLdXYxd2dVQTU3Q2xGVFZYcjJ0RkhHQw==
---
>   users.acl: dXNlciBkZWZhdWx0ICtAYWxsIGFsbGtleXMgb24gPkpQN2Y5cnZXWnlZdEp0TGJpc29tWlVFd0YzTXBuaGdmS1FvVm43c1I4TDhTUDhONDZmektsR3JYY25WbTJUQUY=
>   redis-password: SlA3ZjlydldaeVl0SnRMYmlzb21aVUV3RjNNcG5oZ2ZLUW9WbjdzUjhMOFNQOE40NmZ6S2xHclhjblZtMlRBRg==

Cleanup

@solo-changelog-bot
Copy link

Issues linked to changelog:
solo-io/gloo#5034

@soloio-bulldozer soloio-bulldozer bot merged commit 19e35e1 into main Aug 9, 2024
3 checks passed
@soloio-bulldozer soloio-bulldozer bot deleted the globalFloatingUserId branch August 9, 2024 18:27
sheidkamp added a commit that referenced this pull request Aug 9, 2024
sheidkamp added a commit that referenced this pull request Aug 9, 2024
sheidkamp added a commit that referenced this pull request Aug 9, 2024
soloio-bulldozer bot pushed a commit that referenced this pull request Aug 9, 2024
* Global floatingUserId (#577)

* Global floatingUserId (#577)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants