mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
be069eddd563da2cdbe47d8647a3fba5c28653a6
object-browser/restapi/mkube.go
Lenin Alevski 1e7f272a67 MCS service account authentication with Mkube (#166) 
`MCS` will authenticate against `Mkube`using bearer tokens via HTTP
`Authorization` header. The user will provide this token once
in the login form, MCS will validate it against Mkube (list tenants) and
if valid will generate and return a new MCS sessions
with encrypted claims (the user Service account token will be inside the
JWT in the data field)

Kubernetes

The provided `JWT token` corresponds to the `Kubernetes service account`
that `Mkube` will use to run tasks on behalf of the
user, ie: list, create, edit, delete tenants, storage class, etc.

Development

If you are running mcs in your local environment and wish to make
request to `Mkube` you can set `MCS_M3_HOSTNAME`, if
the environment variable is not present by default `MCS` will use
`"http://m3:8787"`, additionally you will need to set the
`MCS_MKUBE_ADMIN_ONLY=on` variable to make MCS display the Mkube UI

Extract the Service account token and use it with MCS

For local development you can use the jwt associated to the `m3-sa`
service account, you can get the token running
the following command in your terminal:

```
kubectl get secret $(kubectl get serviceaccount m3-sa -o
jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64
--decode
```

Then run the mcs server

```
MCS_M3_HOSTNAME=http://localhost:8787 MCS_MKUBE_ADMIN_ONLY=on ./mcs
server
```

Self-signed certificates and Custom certificate authority for Mkube

If Mkube uses TLS with a self-signed certificate, or a certificate
issued by a custom certificate authority you can add those
certificates usinng the `MCS_M3_SERVER_TLS_CA_CERTIFICATE` env variable

````
MCS_M3_SERVER_TLS_CA_CERTIFICATE=cert1.pem,cert2.pem,cert3.pem ./mcs
server
````
2020-06-23 11:37:46 -07:00

91 lines
2.8 KiB
Go
Raw Blame History

// This file is part of MinIO Console Server
// Copyright (c) 2020 MinIO, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package restapi
import (
"bufio"
"bytes"
"errors"
"fmt"
"log"
"net/http"
"strings"
apiErrors "github.com/go-openapi/errors"
"github.com/minio/mcs/pkg/auth"
"github.com/minio/mcs/pkg/auth/mkube"
)
// serverMkube handles calls for mkube
func serverMkube(client *http.Client, w http.ResponseWriter, req *http.Request) {
// extract the service account token inside the jwt encrypted claims
claims, err := auth.GetClaimsFromTokenInRequest(req)
if err != nil {
apiErrors.ServeError(w, req, err)
return
}
m3SAToken := claims.SessionToken
if m3SAToken == "" {
apiErrors.ServeError(w, req, errors.New("service M3 is not available"))
return
}
// destination of the request, the mkube server
req.URL.Path = strings.Replace(req.URL.Path, "/mkube", "", 1)
targetURL := fmt.Sprintf("%s%s", mkube.GetMkubeEndpoint(), req.URL.String())
body := new(bytes.Buffer)
_, err = body.ReadFrom(req.Body)
if err != nil {
apiErrors.ServeError(w, req, err)
return
}
// set the HTTP method, url, and m3Req body
m3Req, err := http.NewRequest(req.Method, targetURL, body)
if err != nil {
apiErrors.ServeError(w, req, err)
log.Println("error creating m3 request:", err)
return
}
// Set the m3Req authorization headers
// Authorization Header needs to be like "Authorization Bearer <jwt_token>"
token := fmt.Sprintf("Bearer %s", m3SAToken)
m3Req.Header.Add("Authorization", token)
m3Req.Header.Add("Content-type", "application/json; charset=utf-8")
resp, err := client.Do(m3Req)
if err != nil {
log.Println("error on m3 request:", err)
if strings.Contains(err.Error(), "connection refused") {
apiErrors.ServeError(w, req, errors.New("service M3 is not available"))
return
}
apiErrors.ServeError(w, req, err)
return
}
defer resp.Body.Close()
w.Header().Add("Content-Type", resp.Header.Get("Content-Type"))
// Write the m3 response to the response writer
scanner := bufio.NewScanner(resp.Body)
for scanner.Scan() {
w.Write(scanner.Bytes())
}
if err := scanner.Err(); err != nil {
log.Println("error scanning m3 response:", err)
apiErrors.ServeError(w, req, err)
}
}
Reference in New Issue View Git Blame Copy Permalink