From 4a69d9e60541ae19aa4b75984c5964b90c8d822d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=BE=84=E6=BD=AD?=
Date: Wed, 4 Jan 2023 17:52:07 +0800
Subject: [PATCH] support xds auth (#117)
---
 go.mod | 1 +
 go.sum | 1 +
 .../templates/controller-clusterrole.yaml | 5 +++++
 pkg/bootstrap/server.go | 18 ++++++++++++++++++
 4 files changed, 25 insertions(+)
diff --git a/go.mod b/go.mod
index f48646994..295aacbf1 100644
--- a/go.mod
+++ b/go.mod
@@ -70,6 +70,7 @@ require (
 github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
 github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa // indirect
 github.com/containerd/continuity v0.1.0 // indirect
+ github.com/coreos/go-oidc/v3 v3.1.0 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
 github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0 // indirect
 github.com/docker/cli v20.10.7+incompatible // indirect
diff --git a/go.sum b/go.sum
index 357199196..efb323eaf 100644
--- a/go.sum
+++ b/go.sum
@@ -354,6 +354,7 @@ github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmeka
 github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
 github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
+github.com/coreos/go-oidc/v3 v3.1.0 h1:6avEvcdvTa1qYsOZ6I5PRkSYHzpTNWgKYmaJfaYbrRw=
 github.com/coreos/go-oidc/v3 v3.1.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
diff --git a/helm/higress/templates/controller-clusterrole.yaml b/helm/higress/templates/controller-clusterrole.yaml
index e13b53479..b065597d4 100644
--- a/helm/higress/templates/controller-clusterrole.yaml
+++ b/helm/higress/templates/controller-clusterrole.yaml
@@ -45,3 +45,8 @@ rules:
 - apiGroups: [""]
 resources: ["services"]
 verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
+
+ # Used to verify the JWT tokens
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
diff --git a/pkg/bootstrap/server.go b/pkg/bootstrap/server.go
index e87ea4967..92d9f32cc 100644
--- a/pkg/bootstrap/server.go
+++ b/pkg/bootstrap/server.go
@@ -25,6 +25,7 @@ import (
 "google.golang.org/grpc/reflection"
 "istio.io/api/mesh/v1alpha1"
 configaggregate "istio.io/istio/pilot/pkg/config/aggregate"
+ "istio.io/istio/pilot/pkg/features"
 istiogrpc "istio.io/istio/pilot/pkg/grpc"
 "istio.io/istio/pilot/pkg/model"
 "istio.io/istio/pilot/pkg/server"
@@ -37,6 +38,9 @@ import (
 "istio.io/istio/pkg/config/schema/gvk"
 "istio.io/istio/pkg/keepalive"
 istiokube "istio.io/istio/pkg/kube"
+ "istio.io/istio/pkg/security"
+ "istio.io/istio/security/pkg/server/ca/authenticate"
+ "istio.io/istio/security/pkg/server/ca/authenticate/kubeauth"
 "istio.io/pkg/env"
 "istio.io/pkg/ledger"
 "istio.io/pkg/log"
@@ -149,6 +153,7 @@ func NewServer(args *ServerArgs) (*Server, error) {
 s.initHttpServer,
 s.initConfigController,
 s.initRegistryEventHandlers,
+ s.initAuthenticators,
 }
 for _, f := range initFuncList {
@@ -156,6 +161,7 @@ func NewServer(args *ServerArgs) (*Server, error) {
 return nil, err
 }
 }
+
 s.server.RunComponent(func(stop <-chan struct{}) error {
 s.kubeClient.RunAndWait(stop)
 return nil
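Review bot: The new tokenreviews rule is granted unconditionally, while the authenticator that needs it (initAuthenticators in pkg/bootstrap/server.go, same patch) is only attached to the XDS server when features.XDSAuth is set, so a deployment running with XDS auth disabled carries a permission nothing exercises. The verb list is already the minimum TokenReview needs (create only), which is right. I would at least make the comment say who uses the grant and when: `# TokenReview: used by the controller's XDS JWT authenticator (initAuthenticators) to validate service-account tokens of XDS clients; only exercised when XDS auth is enabled`. If the chart has a value that toggles XDS auth, wrapping this rule in it would keep the role least-privilege in both modes.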
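Review bot: s.initAuthenticators is appended as the last entry of initFuncList, but its body dereferences s.xdsServer, s.kubeClient and s.environment, and this hunk does not show where those are created; if any of them is set up by a function later in the list, or only after the loop, the new step would hit a nil pointer at startup. The later hunk shows initGrpcServer exists, so the XDS server is presumably created by an earlier entry, but nothing in the patch pins the dependency. If the ordering is intentional, a comment on the entry would make it explicit: `s.initAuthenticators, // needs s.xdsServer, s.kubeClient and s.environment; keep after the steps that create them`. NewServer begins and ends outside the hunk.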
@@ -332,6 +338,18 @@ func (s *Server) initGrpcServer() error {
 return nil
 }
+func (s *Server) initAuthenticators() error {
+ authenticators := []security.Authenticator{
+ &authenticate.ClientCertAuthenticator{},
+ }
+ authenticators = append(authenticators,
+ kubeauth.NewKubeJWTAuthenticator(s.environment.Watcher, s.kubeClient, s.RegistryOptions.KubeOptions.ClusterID, nil, features.JwtPolicy))
+ if features.XDSAuth {
+ s.xdsServer.Authenticators = authenticators
+ }
+ return nil
+}
+
 func (s *Server) initKubeClient() error {
 if s.kubeClient != nil {
 // Already initialized by startup arguments
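Review bot: initAuthenticators builds both authenticators before it consults features.XDSAuth, so with XDS auth disabled it still constructs a KubeJWTAuthenticator it then throws away, and the slice-literal-plus-append split reads worse than a single literal; an early `if !features.XDSAuth { return nil }` followed by one literal assigned straight to s.xdsServer.Authenticators says the same thing more plainly. The nil fourth argument to kubeauth.NewKubeJWTAuthenticator is, as far as I recall Istio's signature, the remote-cluster client getter, which would mean service-account tokens can only be validated against the local cluster's TokenReview API — that deserves a comment either way, since a multi-cluster deployment would otherwise reject remote clients with no hint why. The method also lacks a doc comment stating that nothing is installed when the feature flag is off.
```go
// initAuthenticators installs the XDS client authenticators (mTLS client
// certificate and Kubernetes service-account JWT) on the XDS server. It is a
// no-op when features.XDSAuth is off, in which case no authenticator is installed.
func (s *Server) initAuthenticators() error {
	if !features.XDSAuth {
		return nil
	}
	s.xdsServer.Authenticators = []security.Authenticator{
		&authenticate.ClientCertAuthenticator{},
		// nil remote-cluster client getter: tokens are presumably validated only
		// against the local cluster's TokenReview API — confirm against kubeauth.
		kubeauth.NewKubeJWTAuthenticator(s.environment.Watcher, s.kubeClient,
			s.RegistryOptions.KubeOptions.ClusterID, nil, features.JwtPolicy),
	}
	return nil
}
```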