
proxyinjector's Introduction

Proxy Injector

A Kubernetes controller to inject an authentication proxy container to relevant pods


Problem Statement

We want to automatically inject an authentication proxy container into the pods of any deployment that needs to connect to our SSO provider, instead of manually adding a sidecar container to each deployment.

Solution

This controller will continuously watch deployments in specific or all namespaces, and automatically add a sidecar container for the authentication proxy. Configuration for the proxy is managed through annotations of the respective deployment or with ConfigMap of the ProxyInjector.

Supported proxies

For now the ProxyInjector only supports Keycloak Gatekeeper as the authentication proxy, working against a Keycloak server.

Usage

The following quickstart lets you set up ProxyInjector:

  1. Add configuration to the ProxyInjector. The following arguments can either be added to the proxy injector config.yaml in the ConfigMap/Secret for centralized configuration, or as annotations on the individual target deployments with an authproxy.stakater.com/ prefix. If both are set, the deployment annotation values override the central configuration.

    Key               Description
    listen            the interface address and port the proxy should be listening on
    upstream-url      url for the upstream endpoint you wish to proxy
    resources         list of resources to proxy (uri, methods, roles)
    client-id         client id used to authenticate to the oauth service
    client-secret     client secret used to authenticate to the oauth service
    gatekeeper-image  Keycloak Gatekeeper image, e.g. keycloak/keycloak-gatekeeper:6.0.1

The rest of the available options can be found in the Keycloak Gatekeeper documentation.

Note 1: See the section Using Secrets below if you do not want to use a ConfigMap (because client-id and client-secret would then be stored in plain text) and prefer Secrets to keep them out of view.

  2. Deploy the controller by running the following command:

    For a Kubernetes cluster, using kubectl:

    kubectl apply -f https://raw.githubusercontent.com/stakater/ProxyInjector/master/deployments/kubernetes/proxyinjector.yaml -n default
    
  3. When deploying any application that needs Keycloak authentication, add the following annotations to the deployment. The Service itself does not need changes: all configuration is provided as annotations on the app's deployment, and the proxy injector modifies the Service automatically when it injects the sidecar container.

    Key                                          Description
    authproxy.stakater.com/enabled               (true/false, default=false) Enables Keycloak Gatekeeper configuration
    authproxy.stakater.com/source-service-name   Name of the Service that needs to be reconfigured to connect to the proxy. Instead of routing directly to the app container, it will now route to the proxy sidecar.
    authproxy.stakater.com/target-port           (default=80) The port on the pod where the proxy sidecar (Keycloak Gatekeeper) will be listening. If not specified, the default value of 80 is used. This port should match the listen configuration.
    authproxy.stakater.com/resources             String of resources separated by & e.g. (`uri=/*

    The authproxy.stakater.com/listen annotation, or the listen property in the ProxyInjector ConfigMap, must specify where the proxy sidecar listens for incoming requests, e.g. "0.0.0.0:80", i.e. local port 80.
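To make the resolution order above concrete, here is an added example (not code from ProxyInjector) of how a controller can merge the central config with a deployment's annotations, letting annotations win, and turn the result into Gatekeeper command-line flags. The `&` separator between resource entries is the one the README names; the `|` separator between fields inside an entry is taken from the annotation values shown in the issues further down this page. The function names, the list of injector-only keys that are not forwarded to Gatekeeper, and the sample values are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AnnotationPrefix is the prefix the README documents for per-deployment overrides.
const AnnotationPrefix = "authproxy.stakater.com/"

// ResolveConfig merges the central ProxyInjector config (ConfigMap/Secret keys) with a
// deployment's annotations. Annotation values win, as the README states. Only keys that
// carry the prefix are considered, and the prefix is stripped from the resulting key.
func ResolveConfig(central, annotations map[string]string) map[string]string {
	resolved := make(map[string]string, len(central))
	for k, v := range central {
		resolved[k] = v
	}
	for k, v := range annotations {
		if strings.HasPrefix(k, AnnotationPrefix) {
			resolved[strings.TrimPrefix(k, AnnotationPrefix)] = v
		}
	}
	return resolved
}

// ParseResources splits a resources string: entries separated by '&', each entry a
// '|'-separated list of key=value fields such as uri=/*|roles=a,b. Malformed fields and
// entries without a uri are rejected, so a typo cannot silently become an unprotected path.
func ParseResources(s string) ([]string, error) {
	var out []string
	for _, entry := range strings.Split(s, "&") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		hasURI := false
		for _, field := range strings.Split(entry, "|") {
			kv := strings.SplitN(field, "=", 2)
			if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
				return nil, fmt.Errorf("malformed resource field %q in %q", field, entry)
			}
			if kv[0] == "uri" {
				hasURI = true
			}
		}
		if !hasURI {
			return nil, fmt.Errorf("resource entry %q has no uri", entry)
		}
		out = append(out, entry)
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("no resources configured")
	}
	return out, nil
}

// injectorOnly lists keys the controller consumes itself; they are not Gatekeeper flags.
// This set is an assumption for the example, not taken from the project.
var injectorOnly = map[string]bool{
	"enabled": true, "source-service-name": true, "target-port": true, "gatekeeper-image": true,
}

// BuildArgs turns the resolved config into Gatekeeper flags, one --resources flag per
// entry, sorted so the rendered container spec is stable across reconciles.
func BuildArgs(resolved map[string]string) ([]string, error) {
	var args []string
	for k, v := range resolved {
		if injectorOnly[k] {
			continue
		}
		if k == "resources" {
			entries, err := ParseResources(v)
			if err != nil {
				return nil, err
			}
			for _, e := range entries {
				args = append(args, "--resources="+e)
			}
			continue
		}
		args = append(args, "--"+k+"="+v)
	}
	sort.Strings(args)
	return args, nil
}

func main() {
	// Constructed sample input, not data from the project.
	central := map[string]string{
		"discovery-url":    "http://keycloak.example.internal/auth/realms/sso",
		"client-id":        "central-client",
		"listen":           "0.0.0.0:80",
		"gatekeeper-image": "keycloak/keycloak-gatekeeper:6.0.1",
	}
	annotations := map[string]string{
		AnnotationPrefix + "enabled":             "true",
		AnnotationPrefix + "source-service-name": "metropolis",
		AnnotationPrefix + "listen":              "0.0.0.0:3000", // overrides the central value
		AnnotationPrefix + "upstream-url":        "http://127.0.0.1",
		AnnotationPrefix + "resources":           "uri=/*|roles=metropolis,metropolis-admins&uri=/superman/*|roles=metropolis-admins",
		"deployment.kubernetes.io/revision":      "2", // unrelated annotation, ignored
	}
	args, err := BuildArgs(ResolveConfig(central, annotations))
	if err != nil {
		panic(err)
	}
	for _, a := range args {
		fmt.Println(a)
	}
}
```

Because every key is keyed by name, two annotations with the same key cannot both survive on a Deployment; the single `resources` value with `&`-separated entries is the way to protect several paths.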

Using Secrets

To use secrets:

  1. Open values.yaml file by navigating to deployments/kubernetes/chart/proxyinjector/

  2. Set proxyinjector.mount to "secret" and pass the data in the data section at the bottom.

  3. Run helm template . > proxyinjector.yaml

  4. Deploy using the Deploying section below.

To use existing Secrets:

  1. Set proxyinjector.mount to "secret"
  2. Set proxyinjector.existingSecret to EXISTING_SECRET_NAME

Using ConfigMap

To pass the configuration (including user credentials/API keys) through a ConfigMap:

  1. Open values.yaml file by navigating to deployments/kubernetes/chart/proxyinjector/

  2. Set proxyinjector.mount to "configmap" and pass the data in the data section at the bottom.

  3. Run helm template . > proxyinjector.yaml

  4. Deploy using the Deploying section below.

Deploying

You can deploy the controller in the namespace you want to monitor by running the following kubectl command:

kubectl apply -f proxyinjector.yaml -n <namespace>

Note: Before applying proxyinjector.yaml, you need to change the namespace in the RoleBinding subjects section to the namespace you want the RBAC to apply to.

Help

Documentation

You can find more documentation here

Have a question?

File a GitHub issue, or send us an email.

Talk to us on Slack

Join and talk to us on the #tools-proxyinjector channel for discussing the ProxyInjector

Join Slack Chat

License

Apache2 © Stakater

About

The ProxyInjector is maintained by Stakater. Like it? Please let us know at [email protected]

See our other projects or contact us in case of professional services and queries on [email protected]

Contributors

Stakater Team and the Open Source community! 🏆

proxyinjector's People

Contributors

ahmedwaleedmalik, ahsan-storm, faizanahmad055, kahootali, rasheedamir, stakater-user, usamaahmadkhan, waseem-h


proxyinjector's Issues

proxyinjector fails on kubernetes 1.16

When deploying on kubernetes 1.16 proxyinjector fails with:

reflector.go:123] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:96: Failed to list *v1beta1.Deployment: the server could not find the requested resource

This is due to the change in the api to apiVersion: apps/v1

OIDC client-secret gets passed to the proxy as a cli argument even if set as a Secret

The Proxy Injector supports taking parameters as a Secret, which would have made me believe that the injected sidecar would do the same, which is not the case.

When configuring the sidecar container, the ProxyInjector will always set the configuration of Gatekeeper as command line arguments, making the whole point of passing sensitive variables as a Secret moot.

In particular, these lines are problematic:

if config.ClientSecret != "" && annotations[constants.AnnotationPrefix+"client-secret"] == "" {
configArgs = append(configArgs, "--client-secret="+config.ClientSecret)
}

What I would expect is that the ProxyInjector controller would create a separate Secret for the client-secret, and mount it as a VolumeMount inside the Gatekeeper container.

As it stands, this issue makes the whole premise of the {{- if eq .Values.proxyinjector.mount "secret" }} option inside the configuration of ProxyInjector pretty much useless ☹️
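The issue above names the fix it wants: keep the client secret out of the container's command line, where anyone who can read the pod spec can see it. As an added example (not code from ProxyInjector), this shows how a controller could render the sidecar with the credential delivered through a Secret-backed volume instead, plus the check a reviewer or admission policy would run to confirm the value no longer appears in the arguments. It assumes Gatekeeper can read its configuration from a file passed with `--config` (verify that against the Gatekeeper documentation); the type names, mount path, Secret name and sample arguments are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal stand-ins for the corev1 types, constructed for this example; a real
// controller would use k8s.io/api/core/v1.
type Volume struct {
	Name       string
	SecretName string
}

type VolumeMount struct {
	Name      string
	MountPath string
	ReadOnly  bool
}

type Container struct {
	Name         string
	Image        string
	Args         []string
	VolumeMounts []VolumeMount
}

// SidecarSpec is what the controller would apply: the container, the volume backing it,
// and the payload that must exist in the referenced Secret.
type SidecarSpec struct {
	Container  Container
	Volumes    []Volume
	SecretData map[string]string
}

const secretMountPath = "/etc/gatekeeper" // assumed path, not from the project

// SecretArgs lists Gatekeeper flags whose values are credentials and therefore must not
// appear in the pod spec.
var SecretArgs = []string{"--client-secret=", "--encryption-key="}

// StripSecretArgs removes credential flags from the argument list and returns them
// separately so they can be moved into the Secret.
func StripSecretArgs(args []string) (kept, dropped []string) {
	for _, a := range args {
		isSecret := false
		for _, p := range SecretArgs {
			if strings.HasPrefix(a, p) {
				isSecret = true
				break
			}
		}
		if isSecret {
			dropped = append(dropped, a)
		} else {
			kept = append(kept, a)
		}
	}
	return kept, dropped
}

// SecretConfigYAML renders the dropped credential flags as the YAML Gatekeeper would read
// from the mounted file, i.e. the value to store under config.yml in the Secret.
func SecretConfigYAML(dropped []string) string {
	var b strings.Builder
	for _, a := range dropped {
		kv := strings.SplitN(strings.TrimPrefix(a, "--"), "=", 2)
		if len(kv) == 2 {
			fmt.Fprintf(&b, "%s: %q\n", kv[0], kv[1])
		}
	}
	return b.String()
}

// BuildSidecar renders the Gatekeeper container with credentials moved into a Secret
// mounted read-only, and points the proxy at that file (--config is an assumption).
func BuildSidecar(image, secretName string, args []string) (SidecarSpec, error) {
	if secretName == "" {
		return SidecarSpec{}, fmt.Errorf("secret name must not be empty")
	}
	kept, dropped := StripSecretArgs(args)
	kept = append(kept, "--config="+secretMountPath+"/config.yml")
	return SidecarSpec{
		Container: Container{
			Name:         "proxy",
			Image:        image,
			Args:         kept,
			VolumeMounts: []VolumeMount{{Name: "gatekeeper-secret", MountPath: secretMountPath, ReadOnly: true}},
		},
		Volumes:    []Volume{{Name: "gatekeeper-secret", SecretName: secretName}},
		SecretData: map[string]string{"config.yml": SecretConfigYAML(dropped)},
	}, nil
}

// LeaksValue reports whether the rendered container exposes the given secret value in
// any of its arguments; this is the check to run before applying the pod spec.
func LeaksValue(c Container, value string) bool {
	for _, a := range c.Args {
		if strings.Contains(a, value) {
			return true
		}
	}
	return false
}

func main() {
	const secretValue = "constructed-not-a-real-secret" // constructed sample value
	args := []string{
		"--client-id=metropolis",
		"--client-secret=" + secretValue,
		"--discovery-url=http://keycloak.example.internal/auth/realms/sso",
		"--listen=0.0.0.0:3000",
		"--upstream-url=http://127.0.0.1",
	}
	spec, err := BuildSidecar("keycloak/keycloak-gatekeeper:6.0.1", "metropolis-gatekeeper", args)
	if err != nil {
		panic(err)
	}
	fmt.Println("args:", spec.Container.Args)
	fmt.Println("leaks secret:", LeaksValue(spec.Container, secretValue))
}
```

The controller would create or update the Secret named in `Volumes` with `SecretData` before patching the Deployment, so the only place the credential lives is an object whose RBAC can be restricted separately from `get pods`.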

not all config parameters are parsed

Hi,

ProxyInjector is a really nice idea, so we played around a bit and noticed that not all config parameters are parsed into the container when launching an annotated application.

Here is my ProxyInjector deployment:

---
# Source: proxyinjector/templates/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: proxyinjector
    group: com.stakater.platform
    provider: stakater
    version: 0.0.1
    chart: "proxyinjector-0.0.1"
    release: "RELEASE-NAME"
    heritage: "Tiller"
  name: proxyinjector
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: proxyinjector
    group: com.stakater.platform
    provider: stakater
    version: 0.0.1
    chart: "proxyinjector-0.0.1"
    release: "RELEASE-NAME"
    heritage: "Tiller"
  name: proxyinjector-role
  namespace: test-proxyinjector
rules:
- apiGroups:
  - ""
  - "extensions"
  - "apps"
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - services
  verbs:
  - list
  - get
  - watch
  - update
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    app: proxyinjector
    group: com.stakater.platform
    provider: stakater
    version: 0.0.1
    chart: "proxyinjector-0.0.1"
    release: "RELEASE-NAME"
    heritage: "Tiller"
  name: proxyinjector-role-binding
  namespace: test-proxyinjector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: proxyinjector-role
subjects:
- kind: ServiceAccount
  name: proxyinjector
  namespace: test-proxyinjector

---
# Source: proxyinjector/templates/deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: proxyinjector
    group: com.stakater.platform
    provider: stakater
    version: 0.0.1
    chart: "proxyinjector-0.0.1"
    release: "RELEASE-NAME"
    heritage: "Tiller"
  name: proxyinjector
spec:
  replicas: 1
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: proxyinjector
      group: com.stakater.platform
      provider: stakater
  template:
    metadata:
      labels:
        app: proxyinjector
        group: com.stakater.platform
        provider: stakater
    spec:
      containers:
      - env:
        image: "stakater/proxyinjector:0.0.1"
        imagePullPolicy: Always
        name: proxyinjector
      serviceAccountName: proxyinjector

---
# Source: proxyinjector/templates/deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: proxyinjector
    group: com.stakater.platform
    provider: stakater
    version: v0.0.16
    chart: "proxyinjector-v0.0.16"
    release: "RELEASE-NAME"
    heritage: "Tiller"
  name: proxyinjector
  namespace: idm-test
spec:
  replicas: 1
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: proxyinjector
      group: com.stakater.platform
      provider: stakater
  template:
    metadata:
      labels:
        app: proxyinjector
        group: com.stakater.platform
        provider: stakater
    spec:
      containers:
      - env:
        - name: CONFIG_FILE_PATH
          value: "/etc/ProxyInjector/config.yml"
        image: "stakater/proxyinjector:v0.0.16"
        imagePullPolicy: IfNotPresent
        name: proxyinjector
        volumeMounts:
          - mountPath: /etc/ProxyInjector
            name: config-volume
      serviceAccountName: proxyinjector
      volumes:
      - configMap:
          name: proxyinjector
        name: config-volume

---
# Source: proxyinjector/templates/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: proxyinjector
    group: com.stakater.platform
    provider: stakater
    version: v0.0.16
    chart: "proxyinjector-v0.0.16"
    release: "RELEASE-NAME"
    heritage: "Tiller"
  name: proxyinjector
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: proxyinjector
    group: com.stakater.platform
    provider: stakater
    version: v0.0.16
    chart: "proxyinjector-v0.0.16"
    release: "RELEASE-NAME"
    heritage: "Tiller"
  name: proxyinjector-role
  namespace: idm-test
rules:
  - apiGroups:
      - ""
      - "extensions"
      - "apps"
    resources:
      - deployments
      - daemonsets
      - statefulsets
      - services
      - configmaps
    verbs:
      - list
      - get
      - watch
      - update
      - create
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    app: proxyinjector
    group: com.stakater.platform
    provider: stakater
    version: v0.0.16
    chart: "proxyinjector-v0.0.16"
    release: "RELEASE-NAME"
    heritage: "Tiller"
  name: proxyinjector-role-binding
  namespace: idm-test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: proxyinjector-role
subjects:
  - kind: ServiceAccount
    name: proxyinjector
    namespace: idm-test
---
# Source: proxyinjector/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: proxyinjector
    version: v0.0.16
    group: com.stakater.platform
    provider: stakater
    chart: "proxyinjector-v0.0.16"
    release: "RELEASE-NAME"
    heritage: "Tiller"
  name: proxyinjector
data:
  config.yml: |-
      gatekeeper-image: "keycloak/keycloak-gatekeeper:latest"
      discovery-url: http://nas-10-keycloak.lan:8080/auth/realms/sso
      client-id: metropolis
      listen: 0.0.0.0:3000
      client-secret: #####0ef-4c84-##19-80ca-9c21#####4e7
      encryption-key: AgXa7xRco#####0ZDSH4X0XhL5Q#####
      preserve-host: true
      http-only-cookie: true
      enable-token-header: true
      enable-login-handler: true
      enable-authorization-header: true
      enable-refresh-tokens: true
      enable-session-cookies: true
      redirection-url: http://nas-10-metropolis.lan
      secure-cookie: false
      http-only-cookie: true
      verbose: true
      enable-default-deny: true
      add-claims:
       - name
       - email
       - given_name
      resources:
      - uri: /*
        roles:
        - metropolis
      - uri: /superman/*
        roles:
        - metropolis-admins

the created configmap:

gatekeeper-image: "keycloak/keycloak-gatekeeper:latest"
discovery-url: http://nas-10-keycloak.lan:8080/auth/realms/sso
client-id: metropolis
listen: 0.0.0.0:3000
client-secret: #####0ef-4c84-##19-80ca-9c21#####4e7
encryption-key: AgXa7xRco#####0ZDSH4X0XhL5Q#####
preserve-host: true
http-only-cookie: true
enable-token-header: true
enable-login-handler: true
enable-authorization-header: true
enable-refresh-tokens: true
enable-session-cookies: true
redirection-url: http://nas-10-metropolis.lan
secure-cookie: false
http-only-cookie: true
verbose: true
enable-default-deny: true
add-claims:
 - name
 - email
 - given_name
resources:
- uri: /*
  roles: 
  - metropolis
- uri: /superman/*
  roles:
  - metropolis-admins

and here the yaml of the deployed application:

apiVersion: apps/v1beta2
kind: Deployment
metadata:
  annotations:
    authproxy.stakater.com/enabled: "true"
    authproxy.stakater.com/listen: 0.0.0.0:3000
    authproxy.stakater.com/redirection-url: http://nas-10-metropolis.lan
    authproxy.stakater.com/source-service-name: metropolis
    authproxy.stakater.com/upstream-url: http://127.0.0.1
    deployment.kubernetes.io/revision: "2"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"extensions/v1beta1","kind":"Deployment","metadata":{"annotations":{"authproxy.stakater.com/enabled":"true","authproxy.stakater.com/listen":"0.0.0.0:3000","authproxy.stakater.com/redirection-url":"http://nas-10-metropolis.lan","authproxy.stakater.com/source-service-name":"metropolis","authproxy.stakater.com/upstream-url":"http://127.0.0.1"},"name":"metropolis","namespace":"idm-test"},"spec":{"replicas":1,"template":{"metadata":{"labels":{"app":"nginx"}},"spec":{"containers":[{"image":"nginx:1.7.9","name":"nginx","ports":[{"containerPort":80}]}]}}}}
  creationTimestamp: "2019-05-20T16:48:57Z"
  generation: 2
  labels:
    app: nginx
  name: metropolis
  namespace: idm-test
  resourceVersion: "225959"
  selfLink: /apis/apps/v1beta2/namespaces/idm-test/deployments/metropolis
  uid: 295c27ce-7b1f-11e9-af34-c6fdae0627ad
spec:
  progressDeadlineSeconds: 2147483647
  replicas: 1
  revisionHistoryLimit: 2147483647
  selector:
    matchLabels:
      app: nginx
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: nginx
    spec:
      containers:
      - args:
        - --client-id=metropolis
        - --client-secret= #####0ef-4c84-##19-80ca-9c21#####4e7
        - --discovery-url=http://nas-10-keycloak.lan:8080/auth/realms/sso
        - --secure-cookie=false
        - --verbose=true
        - --resources=uri=/*
        - --resources=uri=/superman/*
        - --listen=0.0.0.0:3000
        - --redirection-url=http://nas-10-metropolis.lan
        - --upstream-url=http://127.0.0.1
        image: keycloak/keycloak-gatekeeper:latest
        imagePullPolicy: Always
        name: proxy
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      - image: nginx:1.7.9
        imagePullPolicy: IfNotPresent
        name: nginx
        ports:
        - containerPort: 80
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2019-05-20T16:48:58Z"
    lastUpdateTime: "2019-05-20T16:48:58Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  observedGeneration: 2
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1

as you see there are a lot of config options missing.

Edit:

when deploying the app annotated like this

authproxy.stakater.com/resources: uri=/*|roles=metropolis,metropolis-admins

it works:

...
template:
    metadata:
      creationTimestamp: null
      labels:
        app: nginx
    spec:
      containers:
      - args:
        - --client-id=metropolis
        - --client-secret=#####0ef-4c84-##19-80ca-9c21#####4e7
        - --discovery-url=http://nas-10-keycloak.lan:8080/auth/realms/sso
        - --secure-cookie=false
        - --verbose=true
        - --listen=0.0.0.0:3000
        - --redirection-url=http://nas-10-metropolis.lan
        - --upstream-url=http://127.0.0.1
        - --resources=uri=/*|roles=metropolis,metropolis-admins
        image: keycloak/keycloak-gatekeeper:latest
...

ProxyInjector crashes if the service for the sidecar is deleted

Scenario

  • Deploy ProxyInjector
  • Deploy an application and service with ProxyInjector sidecar configuration
  • Delete the service deployed in step 2
  • ProxyInjector app crashes with the following trace

time="2021-03-15T09:37:32Z" level=info msg="Updated resource... topui"
time="2021-03-15T09:37:32Z" level=error msg="Failed to get latest version of Service: services "topui" not found"
E0315 09:37:32.145170 1 runtime.go:78] Observed a panic: runtime.boundsError{x:0, y:0, signed:true, code:0x0} (runtime error: index out of range [0] with length 0)
goroutine 98 [running]:
k8s.io/apimachinery/pkg/util/runtime.logPanic(0x1279240, 0xc00059d720)
/go/pkg/mod/k8s.io/[email protected]/pkg/util/runtime/runtime.go:74 +0xa3
k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0x0, 0x0, 0x0)
/go/pkg/mod/k8s.io/[email protected]/pkg/util/runtime/runtime.go:48 +0x82
panic(0x1279240, 0xc00059d720)
/usr/local/go/src/runtime/panic.go:679 +0x1b2
github.com/stakater/ProxyInjector/internal/pkg/handler.updateService.func1(0xc000336420, 0xc00016e2e8)
/go/src/github.com/stakater/ProxyInjector/internal/pkg/handler/create.go:177 +0x2f3
k8s.io/client-go/util/retry.OnError.func1(0x0, 0x203000, 0x203000)
/go/pkg/mod/k8s.io/[email protected]/util/retry/util.go:64 +0x3c
k8s.io/apimachinery/pkg/util/wait.ExponentialBackoff(0x989680, 0x3ff0000000000000, 0x3fb999999999999a, 0x5, 0x0, 0xc000453658, 0xc000336450, 0x30)
/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:292 +0x51
k8s.io/client-go/util/retry.OnError(0x989680, 0x3ff0000000000000, 0x3fb999999999999a, 0x5, 0x0, 0x13bf308, 0xc000453718, 0x468732, 0xa)
/go/pkg/mod/k8s.io/[email protected]/util/retry/util.go:63 +0xa6
k8s.io/client-go/util/retry.RetryOnConflict(...)
/go/pkg/mod/k8s.io/[email protected]/util/retry/util.go:83
github.com/stakater/ProxyInjector/internal/pkg/handler.updateService(0xc00064c640, 0xc000712960, 0x3, 0xc0007129e0, 0x5, 0xc0007129e8, 0x4)
/go/src/github.com/stakater/ProxyInjector/internal/pkg/handler/create.go:167 +0x130
github.com/stakater/ProxyInjector/internal/pkg/handler.ResourceCreatedHandler.Handle(0x130b2a0, 0xc00013d200, 0xc00010f5c0, 0x22, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/go/src/github.com/stakater/ProxyInjector/internal/pkg/handler/create.go:118 +0xac4
github.com/stakater/ProxyInjector/internal/pkg/controller.(*Controller).processNextItem(0xc0003354a0, 0x0)
/go/src/github.com/stakater/ProxyInjector/internal/pkg/controller/controller.go:111 +0x179
github.com/stakater/ProxyInjector/internal/pkg/controller.(*Controller).runWorker(0xc0003354a0)
/go/src/github.com/stakater/ProxyInjector/internal/pkg/controller/controller.go:94 +0x2b
k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1(0xc00038a000)
/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152 +0x5e
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc00038a000, 0x3b9aca00, 0x0, 0x1, 0xc0000fc600)
/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153 +0xf8
k8s.io/apimachinery/pkg/util/wait.Until(0xc00038a000, 0x3b9aca00, 0xc0000fc600)
/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88 +0x4d
created by github.com/stakater/ProxyInjector/internal/pkg/controller.(*Controller).Run
/go/src/github.com/stakater/ProxyInjector/internal/pkg/controller/controller.go:86 +0x1ff
panic: runtime error: index out of range [0] with length 0 [recovered]
panic: runtime error: index out of range [0] with length 0

goroutine 98 [running]:
k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0x0, 0x0, 0x0)
/go/pkg/mod/k8s.io/[email protected]/pkg/util/runtime/runtime.go:55 +0x105
panic(0x1279240, 0xc00059d720)
/usr/local/go/src/runtime/panic.go:679 +0x1b2
github.com/stakater/ProxyInjector/internal/pkg/handler.updateService.func1(0xc000336420, 0xc00016e2e8)
/go/src/github.com/stakater/ProxyInjector/internal/pkg/handler/create.go:177 +0x2f3
k8s.io/client-go/util/retry.OnError.func1(0x0, 0x203000, 0x203000)
/go/pkg/mod/k8s.io/[email protected]/util/retry/util.go:64 +0x3c
k8s.io/apimachinery/pkg/util/wait.ExponentialBackoff(0x989680, 0x3ff0000000000000, 0x3fb999999999999a, 0x5, 0x0, 0xc000453658, 0xc000336450, 0x30)
/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:292 +0x51
k8s.io/client-go/util/retry.OnError(0x989680, 0x3ff0000000000000, 0x3fb999999999999a, 0x5, 0x0, 0x13bf308, 0xc000453718, 0x468732, 0xa)
/go/pkg/mod/k8s.io/[email protected]/util/retry/util.go:63 +0xa6
k8s.io/client-go/util/retry.RetryOnConflict(...)
/go/pkg/mod/k8s.io/[email protected]/util/retry/util.go:83
github.com/stakater/ProxyInjector/internal/pkg/handler.updateService(0xc00064c640, 0xc000712960, 0x3, 0xc0007129e0, 0x5, 0xc0007129e8, 0x4)
/go/src/github.com/stakater/ProxyInjector/internal/pkg/handler/create.go:167 +0x130
github.com/stakater/ProxyInjector/internal/pkg/handler.ResourceCreatedHandler.Handle(0x130b2a0, 0xc00013d200, 0xc00010f5c0, 0x22, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/go/src/github.com/stakater/ProxyInjector/internal/pkg/handler/create.go:118 +0xac4
github.com/stakater/ProxyInjector/internal/pkg/controller.(*Controller).processNextItem(0xc0003354a0, 0x0)
/go/src/github.com/stakater/ProxyInjector/internal/pkg/controller/controller.go:111 +0x179
github.com/stakater/ProxyInjector/internal/pkg/controller.(*Controller).runWorker(0xc0003354a0)
/go/src/github.com/stakater/ProxyInjector/internal/pkg/controller/controller.go:94 +0x2b
k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1(0xc00038a000)
/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152 +0x5e
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc00038a000, 0x3b9aca00, 0x0, 0x1, 0xc0000fc600)
/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153 +0xf8
k8s.io/apimachinery/pkg/util/wait.Until(0xc00038a000, 0x3b9aca00, 0xc0000fc600)
/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88 +0x4d
created by github.com/stakater/ProxyInjector/internal/pkg/controller.(*Controller).Run
/go/src/github.com/stakater/ProxyInjector/internal/pkg/controller/controller.go:86 +0x1ff

Take Sensitive Information from Secrets

Right now ProxyInjector uses the client-secret directly as a string. It would be a better and more secure approach if it took this sensitive information from Secrets.

Error when deploying in another namespace

Hello,

It seems that deploying in another namespace does not work:

 kubectl delete -f https://raw.githubusercontent.com/stakater/ProxyInjector/master/deployments/kubernetes/proxyinjector.yaml -n infra

Gives this:
✗ k get pods 
NAME                             READY   STATUS             RESTARTS   AGE
proxyinjector-599674c9bf-qzq88   0/1     CrashLoopBackOff   3          92s


➜ configs git:(develop) ✗ k logs -f proxyinjector-599674c9bf-qzq88 
time="2019-07-17T16:04:01Z" level=info msg="Starting ProxyInjector"
time="2019-07-17T16:04:01Z" level=warning msg="KUBERNETES_NAMESPACE is unset, will detect changes in all namespaces."
2019/07/17 16:04:01 Reading YAML Configuration
2019/07/17 16:04:01 open config.yaml: no such file or directory
panic: open config.yaml: no such file or directory

goroutine 1 [running]:
log.Panic(0xc420139990, 0x1, 0x1)
	/usr/local/go/src/log/log.go:326 +0xc0
github.com/stakater/ProxyInjector/internal/pkg/config.ReadConfig(0x108cd6d, 0xb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/go/src/github.com/stakater/ProxyInjector/internal/pkg/config/config.go:35 +0x14a
github.com/stakater/ProxyInjector/internal/pkg/config.GetControllerConfig(0xc4203ffd40, 0x0, 0x0)
	/go/src/github.com/stakater/ProxyInjector/internal/pkg/config/config.go:53 +0x74
github.com/stakater/ProxyInjector/internal/pkg/cmd.startProxyInjector(0xc420287400, 0x1824a20, 0x0, 0x0)
	/go/src/github.com/stakater/ProxyInjector/internal/pkg/cmd/proxyinjector.go:38 +0x13a
github.com/stakater/ProxyInjector/vendor/github.com/spf13/cobra.(*Command).execute(0xc420287400, 0xc42000e180, 0x0, 0x0, 0xc420287400, 0xc42000e180)
	/go/src/github.com/stakater/ProxyInjector/vendor/github.com/spf13/cobra/command.go:766 +0x2c1
github.com/stakater/ProxyInjector/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc420287400, 0x1085f60, 0xe74401, 0xc420287400)
	/go/src/github.com/stakater/ProxyInjector/vendor/github.com/spf13/cobra/command.go:852 +0x334
github.com/stakater/ProxyInjector/vendor/github.com/spf13/cobra.(*Command).Execute(0xc420287400, 0xc420287400, 0xe7c966)
	/go/src/github.com/stakater/ProxyInjector/vendor/github.com/spf13/cobra/command.go:800 +0x2b
github.com/stakater/ProxyInjector/internal/pkg/app.Run(0xc420139f70, 0xe7d1a9)
	/go/src/github.com/stakater/ProxyInjector/internal/pkg/app/app.go:8 +0x9a

spec.template.spec.containers[0].image: Required value

After upgrading to 0.0.23 I get the following error when I want to inject a proxy container:

time="2019-12-31T18:03:23Z" level=error msg="Deployment.apps \"http-svc\" is invalid: spec.template.spec.containers[0].image: Required value"

time="2019-12-31T18:03:23Z" level=info msg="Updated service... http-svc"

This is the deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-svc 
  annotations:
    authproxy.stakater.com/enabled: "true"
    authproxy.stakater.com/redirection-url: http://hello.xxxxx.com
    authproxy.stakater.com/resources: uri=/*|roles=g-xxxx-Admin|require-any-role=true
    authproxy.stakater.com/source-service-name: "http-svc"
    authproxy.stakater.com/target-port: "3000"
    authproxy.stakater.com/upstream-url: http://127.0.0.1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: http-svc
  template:
    metadata:
      labels:
        app: http-svc
    spec:
      containers:
      - name: http-svc
        image: gcr.io/kubernetes-e2e-test-images/echoserver:2.1
        ports:
        - containerPort: 8080
        env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP

---

apiVersion: v1
kind: Service
metadata:
  name: http-svc
  labels:
    app: http-svc
spec:
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
    name: http
  selector:
    app: http-svc

Unable to Proxy to Kubernetes Dashboard

I am trying to use proxyinjector to protect the kubernetes-dashboard, but I can't figure out how to fix the 502 error I'm getting.

My kubernetes dashboard deployment (relevant bits):

kind: Deployment
apiVersion: apps/v1
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
  annotations:
    authproxy.stakater.com/client-id: kubernetes
    authproxy.stakater.com/client-secret: <redacted>
    authproxy.stakater.com/discovery-url: 'https://keycloak.example.com/auth/realms/master'
    authproxy.stakater.com/enabled: 'true'
    authproxy.stakater.com/gatekeeper-image: 'keycloak/keycloak-gatekeeper:6.0.1'
    authproxy.stakater.com/listen: '0.0.0.0:3000'
    authproxy.stakater.com/redirection-url: 'https://k8s.example.com'
    authproxy.stakater.com/resources: uri=/*|roles=Kubernetes Admin
    authproxy.stakater.com/skip-upstream-tls-verify: 'true'
    authproxy.stakater.com/source-service-name: kubernetes-dashboard
    authproxy.stakater.com/target-port: '3000'
    authproxy.stakater.com/upstream-url: 'https://127.0.0.1:443'

When I try to go to the homepage of the dashboard, instead of redirecting me to the auth proxy, I get a 502. The nginx controller logs shows the following:

2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET / HTTP/1.1", upstream: "https://10.42.0.189:3000/", host: "k8s.example.com"
2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET / HTTP/1.1", upstream: "https://10.42.0.189:3000/", host: "k8s.example.com"
2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET / HTTP/1.1", upstream: "https://10.42.0.189:3000/", host: "k8s.example.com"
10.0.0.20 - - [06/Dec/2019:03:55:12 +0000] "GET / HTTP/1.1" 502 556 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 682 0.006 [kube-system-kubernetes-dashboard-443] [] 10.42.0.189:3000, 10.42.0.189:3000, 10.42.0.189:3000 0, 0, 0 0.000, 0.004, 0.000 502, 502, 502 0b7f6ff1b42200f35afc8066538a8043
2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://10.42.0.189:3000/favicon.ico", host: "k8s.example.com", referrer: "https://k8s.example.com/"
2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://10.42.0.189:3000/favicon.ico", host: "k8s.example.com", referrer: "https://k8s.example.com/"
2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://10.42.0.189:3000/favicon.ico", host: "k8s.example.com", referrer: "https://k8s.example.com/"
10.0.0.20 - - [06/Dec/2019:03:55:12 +0000] "GET /favicon.ico HTTP/1.1" 502 556 "https://k8s.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 632 0.006 [kube-system-kubernetes-dashboard-443] [] 10.42.0.189:3000, 10.42.0.189:3000, 10.42.0.189:3000 0, 0, 0 0.000, 0.004, 0.004 502, 502, 502 6dd815a57a5fca80c3f271e7e0f038b2

It seems like it's failing because one of them is using the wrong SSL version. Though I thought it shouldn't be bothering to verify SSL anyway, as I have that disabled in the config for the deployment. How can I change either of those settings, or otherwise get proxyinjector working with kubernetes-dashboard?

add support for statefulsets

Currently only k8s resources of type Deployment are supported by the proxyinjector.
It would be great to also support StatefulSet resources.

thanks and regards

multiple resource annotations do not work

Currently it is not possible to have multiple resources configured (e.g. 'uri=/x|white-listed=true' and 'uri=/y|white-listed=true') when annotating a deployment with authproxy.stakater.com/resources.
If you add multiple annotations for resources, only the last one is considered.
