(WIP) chore: authenticate user before each api call

cmd/commands/server.go

@@ -19,10 +19,10 @@ package commands
 import (
 	"strings"
 
+	"github.com/spf13/cobra"
+
 	sharedutil "github.com/numaproj/numaflow/pkg/shared/util"
 	svrcmd "github.com/numaproj/numaflow/server/cmd"
-
-	"github.com/spf13/cobra"
 )
 
 func NewServerCommand() *cobra.Command {
@@ -32,6 +32,8 @@ func NewServerCommand() *cobra.Command {
 		namespaced       bool
 		managedNamespace string
 		baseHref         string
+		disableAuth      bool
+		dexServerAddr    string
 	)
 
 	command := &cobra.Command{
@@ -44,13 +46,25 @@ func NewServerCommand() *cobra.Command {
 			if !strings.HasSuffix(baseHref, "/") {
 				baseHref = baseHref + "/"
 			}
-			svrcmd.Start(insecure, port, namespaced, managedNamespace, baseHref)
+			opts := svrcmd.ServerOptions{
+				Insecure:         insecure,
+				Port:             port,
+				Namespaced:       namespaced,
+				ManagedNamespace: managedNamespace,
+				BaseHref:         baseHref,
+				DisableAuth:      disableAuth,
+				DexServerAddr:    dexServerAddr,
+			}
+			server := svrcmd.NewServer(opts)
+			server.Start()
 		},
 	}
 	command.Flags().BoolVar(&insecure, "insecure", false, "Whether to disable TLS, defaults to false.")
 	command.Flags().IntVarP(&port, "port", "p", 8443, "Port to listen on, defaults to 8443 or 8080 if insecure is set")
 	command.Flags().BoolVar(&namespaced, "namespaced", false, "Whether to run in namespaced scope, defaults to false.")
 	command.Flags().StringVar(&managedNamespace, "managed-namespace", sharedutil.LookupEnvStringOr("NAMESPACE", "numaflow-system"), "The namespace that the server watches when \"--namespaced\" is \"true\".")
 	command.Flags().StringVar(&baseHref, "base-href", "/", "Base href for Numaflow server, defaults to '/'.")
+	command.Flags().BoolVar(&disableAuth, "disable-auth", false, "Whether to disable authentication and authorization, defaults to false.")
+	command.Flags().StringVar(&dexServerAddr, "dex-server-addr", "http://numaflow-dex-server:5556", "The address of the Dex server.")
 	return command
 }

config/advanced-install/namespaced-numaflow-server.yaml

@@ -75,6 +75,21 @@ subjects:
   name: numaflow-server-sa
 ---
 apiVersion: v1
+data:
+  rbac-policy.csv: |
+    # Policies go here
+    p, role:admin, *, *, POST
+    p, role:admin, *, *, PUT
+    p, role:admin, *, *, PATCH
+    p, role:admin, *, *, DELETE
+    p, role:admin, *, *, GET
+  rbac.properties: |
+    policy.default: role:readonly
+kind: ConfigMap
+metadata:
+  name: numaflow-server-rbac-config
+---
+apiVersion: v1
 kind: Service
 metadata:
   name: numaflow-server
@@ -106,6 +121,7 @@ spec:
       containers:
       - args:
         - server
+        - --disable-auth=true
         - --namespaced
         env:
         - name: NAMESPACE
@@ -136,6 +152,8 @@ spec:
         - mountPath: /ui/build/index.html
           name: env-volume
           subPath: index.html
+        - mountPath: /etc/numaflow
+          name: rbac-config
       initContainers:
       - args:
         - server-init
@@ -152,3 +170,6 @@ spec:
       volumes:
       - emptyDir: {}
         name: env-volume
+      - configMap:
+          name: numaflow-server-rbac-config
+        name: rbac-config

config/advanced-install/numaflow-server.yaml

@@ -77,6 +77,22 @@ subjects:
   namespace: numaflow-system
 ---
 apiVersion: v1
+data:
+  rbac-policy.csv: |
+    # Policies go here
+    p, role:admin, *, *, POST
+    p, role:admin, *, *, PUT
+    p, role:admin, *, *, PATCH
+    p, role:admin, *, *, DELETE
+    p, role:admin, *, *, GET
+  rbac.properties: |
+    policy.default: role:readonly
+kind: ConfigMap
+metadata:
+  name: numaflow-server-rbac-config
+  namespace: numaflow-system
+---
+apiVersion: v1
 kind: Service
 metadata:
   name: numaflow-server
@@ -139,6 +155,8 @@ spec:
         - mountPath: /ui/build/index.html
           name: env-volume
           subPath: index.html
+        - mountPath: /etc/numaflow
+          name: rbac-config
       initContainers:
       - args:
         - server-init
@@ -155,3 +173,6 @@ spec:
       volumes:
       - emptyDir: {}
         name: env-volume
+      - configMap:
+          name: numaflow-server-rbac-config
+        name: rbac-config

config/base/dex/CreateCerts.sh

@@ -0,0 +1 @@
+kubectl create secret tls numaflow-dex-certs --cert=tls.crt --key=tls.key -n numaflow-system

config/base/dex/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - numaflow-dex-secrets.yaml
+  - numaflow-dex-server-deployment.yaml
+  - numaflow-dex-server-role.yaml
+  - numaflow-dex-server-rolebinding.yaml
+  - numaflow-dex-server-sa.yaml
+  - numaflow-dex-server-service.yaml
+  - numaflow-dex-server-configmap.yaml

config/base/dex/numaflow-dex-secrets.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: numaflow-dex-secrets
+stringData:
+  dex-github-client-id: c1812606eaf8c6e53a79
+  dex-github-client-secret: c5244582cb71f9e341968fc9bcd72edec3c5aebc

config/base/dex/numaflow-dex-server-configmap.yaml

@@ -0,0 +1,34 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: numaflow-dex-server
+data:
+  config.yaml: |
+    issuer: hostname/dex
+    storage:
+      type: memory
+    web:
+      https: 0.0.0.0:5556
+      tlsCert: /etc/numaflow/dex/certs/tls.crt
+      tlsKey: /etc/numaflow/dex/certs/tls.key
+    staticClients:
+      - id: numaflow-server-app
+        redirectURIs: 
+          - 'hostname/login'
+        name: 'Numaflow Server App'
+        pubilc: true
+    connectors:
+    - type: github
+      id: github
+      name: GitHub
+      config:
+        clientID: $GITHUB_CLIENT_ID
+        clientSecret: $GITHUB_CLIENT_SECRET
+        redirectURI: hostname/dex/callback
+        orgs:
+        - name: namespace-name
+          teams:
+          - admin
+          - readonly
+    oauth2:
+      skipApprovalScreen: true

config/base/dex/numaflow-dex-server-deployment.yaml

@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: numaflow-dex-server
+    app.kubernetes.io/part-of: numaflow
+    app.kubernetes.io/component: dex-server
+  name: numaflow-dex-server
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: numaflow-dex-server
+      app.kubernetes.io/part-of: numaflow
+      app.kubernetes.io/component: dex-server
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: numaflow-dex-server
+        app.kubernetes.io/part-of: numaflow
+        app.kubernetes.io/component: dex-server
+    spec:
+      serviceAccountName: numaflow-dex-server
+      containers:
+        - name: dex
+          image: docker.intuit.com/docker-rmt/dexidp/dex:v2.25.0
+          imagePullPolicy: Always
+          command: ["/usr/local/bin/dex","serve","/etc/numaflow/dex/cfg/config.yaml"]
+          ports:
+            - containerPort: 5556
+          volumeMounts:
+            - mountPath: "/etc/numaflow/dex/cfg"
+              name: config
+            - mountPath: "/etc/numaflow/dex/certs"
+              name: certs
+              readOnly: true
+            - mountPath: "/etc/numaflow/dex/secrets"
+              name: secrets
+              readOnly: true
+          env:
+          - name: GITHUB_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: numaflow-dex-secrets
+                key: dex-github-client-id
+          - name: GITHUB_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: numaflow-dex-secrets
+                key: dex-github-client-secret
+      volumes:
+        - name: certs
+          secret:
+            secretName: numaflow-dex-certs
+        - name: secrets
+          secret:
+            secretName: numaflow-dex-secrets
+        - name: config
+          configMap:
+            name: numaflow-dex-server
+            items:
+              - key: config.yaml
+                path: config.yaml

config/base/dex/numaflow-dex-server-role.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: numaflow-dex-server
+    app.kubernetes.io/part-of: numaflow
+    app.kubernetes.io/component: dex-server
+  name: numaflow-dex-server
+  namespace: numaflow-system
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch

config/base/dex/numaflow-dex-server-rolebinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: numaflow-dex-server
+    app.kubernetes.io/part-of: numaflow
+    app.kubernetes.io/component: dex-server
+  name: numaflow-dex-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: numaflow-dex-server
+subjects:
+  - kind: ServiceAccount
+    name: numaflow-dex-server

config/base/dex/numaflow-dex-server-sa.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: numaflow-dex-server
+    app.kubernetes.io/part-of: numaflow
+    app.kubernetes.io/component: dex-server
+  name: numaflow-dex-server

config/base/dex/numaflow-dex-server-service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: numaflow-dex-server
+    app.kubernetes.io/part-of: numaflow
+    app.kubernetes.io/component: dex-server
+  name: numaflow-dex-server
+spec:
+  ports:
+    - name: https
+      protocol: TCP
+      port: 5556
+      targetPort: 5556
+  selector:
+    app.kubernetes.io/name: numaflow-dex-server

config/base/kustomization.yaml

@@ -5,6 +5,7 @@ resources:
   - crds/full
   - controller-manager
   - numaflow-server
+  - dex
 
 images:
   - name: quay.io/numaproj/numaflow

config/base/numaflow-server/kustomization.yaml

@@ -3,5 +3,6 @@ kind: Kustomization
 
 resources:
   - numaflow-server-sa.yaml
+  - numaflow-server-rbac-config.yaml
   - numaflow-server-deployment.yaml
   - numaflow-server-service.yaml

config/base/numaflow-server/numaflow-server-deployment.yaml

@@ -21,6 +21,9 @@ spec:
       volumes:
       - name: env-volume
         emptyDir: {}
+      - name: rbac-config
+        configMap:
+          name: numaflow-server-rbac-config
       initContainers:
       - name: server-init
         image: quay.io/numaproj/numaflow:latest
@@ -35,6 +38,8 @@ spec:
           image: quay.io/numaproj/numaflow:latest
           args:
           - "server"
+          # By default, turn off authentication and authorization.
+          - "--disable-auth=true"
           imagePullPolicy: Always
           volumeMounts:
           - mountPath: /ui/build/runtime-env.js
@@ -43,6 +48,8 @@ spec:
           - mountPath: /ui/build/index.html
             name: env-volume
             subPath: index.html
+          - mountPath: /etc/numaflow
+            name: rbac-config
           env:
             - name: NAMESPACE
               valueFrom:

config/base/numaflow-server/numaflow-server-rbac-config.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: numaflow-server-rbac-config
+data:
+  rbac-policy.csv: |
+    # Policies go here
+    p, role:admin, *, *, POST
+    p, role:admin, *, *, PUT
+    p, role:admin, *, *, PATCH
+    p, role:admin, *, *, DELETE
+    p, role:admin, *, *, GET
+  rbac.properties: |
+    policy.default: role:readonly