projectcontour / contour-authserver

An Envoy-compatible authorization server.

License: Apache License 2.0

contour-authserver

contour-authserver implements the Envoy external authorization gRPC protocol (both v2 and v3). It can be used for testing Envoy external authorization. contour-authserver has two authorization backends, which are selected by subcommands.

testserver

Usage:

Run a testing authentication server

Usage:
  contour-authserver testserver [OPTIONS]

Flags:
      --address string         The address the authentication endpoint binds to. (default ":9090")
  -h, --help                   help for testserver
      --tls-ca-path string     Path to the TLS CA certificate bundle.
      --tls-cert-path string   Path to the TLS server certificate.
      --tls-key-path string    Path to the TLS server key.

testserver authorizes any request whose path contains the string "allow", and rejects all other requests with a 401 status code.

htpasswd

Usage:

Run a htpasswd basic authentication server

Usage:
  contour-authserver htpasswd [OPTIONS]

Flags:
      --address string             The address the authentication endpoint binds to. (default ":9090")
      --auth-realm string          Basic authentication realm. (default "default")
  -h, --help                       help for htpasswd
      --metrics-address string     The address the metrics endpoint binds to. (default ":8080")
      --selector string            Selector (label-query) to filter Secrets, supports '=', '==', and '!='.
      --tls-ca-path string         Path to the TLS CA certificate bundle.
      --tls-cert-path string       Path to the TLS server certificate.
      --tls-key-path string        Path to the TLS server key.
      --watch-namespaces strings   The list of namespaces to watch for Secrets.

htpasswd Secrets

The htpasswd backend implements HTTP basic authentication against a set of Secrets that contain htpasswd formatted data. The htpasswd data must be stored in the auth key, which is compatible with ingress-nginx auth-file Secrets.

The htpasswd backend only accesses Secrets that are annotated with projectcontour.io/auth-type: basic.

Secrets that are annotated with projectcontour.io/auth-realm are only used if the annotation value matches the value of the --auth-realm flag. The projectcontour.io/auth-realm: * annotation explicitly marks a Secret as being valid for all realms, which is equivalent to omitting the annotation.

When it authenticates a request, the htpasswd backend injects the Auth-Username and Auth-Realm headers, which contain the authenticated user name and the basic authentication realm respectively.

The --watch-namespaces flag specifies the namespaces where the htpasswd backend will discover Secrets. If this flag is empty, Secrets from all namespaces will be used.

The --selector flag accepts a label selector that can be used to further restrict which Secrets the htpasswd backend will consume.
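As an added example (not code from the contour-authserver project), the Go program below models the Secret selection rules described above and then checks an HTTP Basic credential against the htpasswd data of the selected Secrets. The annotation names, the auth key, the * realm wildcard, and the namespace and selector filters come from this README; the Secret type, the function names, the sample Secrets and the password stored in them are constructed for the example, and only {SHA} htpasswd entries are verified so that no third-party bcrypt package is needed.

```go
package main

// Added example, not contour-authserver's own code: it models the Secret
// selection rules of the "htpasswd Secrets" section and checks an HTTP Basic
// credential against the selected htpasswd data. Annotation names and the
// "auth" key come from the README; everything else here is constructed.

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"strings"
)

const (
	authTypeAnnotation  = "projectcontour.io/auth-type"
	authRealmAnnotation = "projectcontour.io/auth-realm"
	authKey             = "auth" // Secret data key holding the htpasswd lines
)

// Secret is a minimal stand-in for a Kubernetes Secret (hypothetical type).
type Secret struct {
	Namespace, Name     string
	Annotations, Labels map[string]string
	Data                map[string][]byte
}

// selectSecrets keeps Secrets annotated auth-type: basic whose auth-realm
// annotation, if present, is "*" or equals realm, that live in watchNamespaces
// (any namespace when empty) and whose labels carry every selector pair
// (equality only; the real --selector flag also accepts '!=').
func selectSecrets(all []Secret, realm string, watchNamespaces []string, selector map[string]string) []Secret {
	watched := map[string]bool{}
	for _, ns := range watchNamespaces {
		watched[ns] = true
	}
	var out []Secret
next:
	for _, s := range all {
		if s.Annotations[authTypeAnnotation] != "basic" {
			continue
		}
		if r, ok := s.Annotations[authRealmAnnotation]; ok && r != "*" && r != realm {
			continue
		}
		if len(watched) > 0 && !watched[s.Namespace] {
			continue
		}
		for k, v := range selector {
			if s.Labels[k] != v {
				continue next
			}
		}
		out = append(out, s)
	}
	return out
}

// verifyBasic checks an Authorization value against the htpasswd lines of the
// selected Secrets and returns the user name on success, "" otherwise. Only
// the "{SHA}" entry format (base64 SHA-1) is handled, so no third-party
// package is needed; bcrypt and apr1 entries simply never match here.
func verifyBasic(authz string, secrets []Secret) string {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(authz, "Basic "))
	if err != nil || !strings.HasPrefix(authz, "Basic ") {
		return ""
	}
	cred := strings.SplitN(string(raw), ":", 2) // user, password
	if len(cred) != 2 {
		return ""
	}
	sum := sha1.Sum([]byte(cred[1]))
	want := []byte("{SHA}" + base64.StdEncoding.EncodeToString(sum[:]))
	for _, s := range secrets {
		for _, line := range strings.Split(string(s.Data[authKey]), "\n") {
			e := strings.SplitN(strings.TrimSpace(line), ":", 2) // name, hash
			if len(e) == 2 && e[0] == cred[0] && subtle.ConstantTimeCompare([]byte(e[1]), want) == 1 {
				return cred[0]
			}
		}
	}
	return ""
}

// sampleSecrets returns constructed Secrets; every htpasswd entry holds the
// {SHA} digest of the constructed password "password".
func sampleSecrets() []Secret {
	const entry = ":{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"
	return []Secret{
		{Namespace: "apps", Name: "alice-any-realm", Labels: map[string]string{"team": "blue"},
			Annotations: map[string]string{authTypeAnnotation: "basic", authRealmAnnotation: "*"},
			Data:        map[string][]byte{authKey: []byte("alice" + entry)}},
		{Namespace: "apps", Name: "bob-other-realm", Labels: map[string]string{"team": "blue"},
			Annotations: map[string]string{authTypeAnnotation: "basic", authRealmAnnotation: "other"},
			Data:        map[string][]byte{authKey: []byte("bob" + entry)}},
		{Namespace: "kube-system", Name: "carol-no-realm",
			Annotations: map[string]string{authTypeAnnotation: "basic"},
			Data:        map[string][]byte{authKey: []byte("carol" + entry)}},
	}
}
```

With realm "default" and the namespace list restricted to apps, only the Secret annotated with realm * is selected, so the Authorization value for alice:password (Basic YWxpY2U6cGFzc3dvcmQ=) is accepted, while bob, whose Secret is annotated for the realm other, is rejected even though his password is the same. Without the namespace filter and with realm "other", all three Secrets are selected, and the selector team=blue narrows that back down to the two labelled ones.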

oidc

Usage:

Run a oidc authentication server

Usage:
  contour-authserver oidc [OPTIONS]

Flags:
      --config string              Path to config file ( yaml format )
  -h, --help                       help for htpasswd
      --tls-ca-path string         Path to the TLS CA certificate bundle.
      --tls-cert-path string       Path to the TLS server certificate.
      --tls-key-path string        Path to the TLS server key.

OIDC configuration can be specified with a ConfigMap mounted at the path given by --config. Please visit DexIDP for more detail.

## The following entries are the variables accepted by the Contour OIDC module.
## server address and port
address: ":9443"

## OIDC issuer URL
issuerURL: "http://<path to your SSO server>"

## App redirect path (usually points back to the app URL)
redirectURL: "https://<path to your applications>"
redirectPath: "/callback"
allowEmptyClientSecret: false
scopes:
- openid
- profile
- email
- offline_access
usernameClaim: "nickname"
emailClaim: ""
serveTLS: false
clientID: "<your client id>"
clientSecret: "<your client secret>"

Request Headers

Both authorization backends emit the Auth-Handler header, which publishes the name of the backend that approved or rejected the authorization.

The authorization context is also reflected into HTTP headers prefixed with Auth-Context-. Note that this can generate malformed HTTP headers. The testserver backend always creates the context headers, but the htpasswd backend only does so for authenticated requests (i.e. the origin server gets them but the client never does).
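The note above says that reflecting context keys into Auth-Context- headers can produce malformed HTTP headers. The Go program below is an added example, not code from the contour-authserver project, showing the kind of check a deployment can apply before forwarding such headers: a field name must be an RFC 7230 token and a field value must not contain CR, LF or other control bytes. The contextPrefix constant is taken from this README; the function names and the sample context are chosen for the example.

```go
package main

// Added example, not contour-authserver's own code. The README notes that
// reflecting the authorization context into Auth-Context-* headers can produce
// malformed HTTP headers. The checks below, constructed here, drop context
// entries that would not form a valid HTTP field name or field value.

import "sort"

const contextPrefix = "Auth-Context-" // header prefix named in the README

// isTchar reports whether c is an RFC 7230 token character.
func isTchar(c byte) bool {
	switch {
	case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		return true
	}
	switch c {
	case '!', '#', '$', '%', '&', '\'', '*', '+', '-', '.', '^', '_', '`', '|', '~':
		return true
	}
	return false
}

// validHeaderName reports whether name is a non-empty token, i.e. usable as
// an HTTP field name. Spaces, colons, control and non-ASCII bytes all fail.
func validHeaderName(name string) bool {
	if name == "" {
		return false
	}
	for i := 0; i < len(name); i++ {
		if !isTchar(name[i]) {
			return false
		}
	}
	return true
}

// validHeaderValue rejects CR, LF and other control bytes (HTAB excepted),
// which could otherwise end the field early or be parsed as a further header.
func validHeaderValue(v string) bool {
	for i := 0; i < len(v); i++ {
		if c := v[i]; (c < 0x20 && c != '\t') || c == 0x7f {
			return false
		}
	}
	return true
}

// contextHeaders turns an authorization context into Auth-Context-* headers.
// It returns the headers it could build and the sorted list of context keys
// that were dropped because name or value would have been malformed.
func contextHeaders(ctx map[string]string) (map[string]string, []string) {
	headers := map[string]string{}
	var rejected []string
	for k, v := range ctx {
		name := contextPrefix + k
		if !validHeaderName(name) || !validHeaderValue(v) {
			rejected = append(rejected, k)
			continue
		}
		headers[name] = v
	}
	sort.Strings(rejected)
	return headers, rejected
}
```

For a constructed context with the keys tenant, "bad key", "x:y" and note (whose value contains a line break), only Auth-Context-tenant survives; the other three keys are reported so the deployment can decide whether to rename them rather than emit malformed fields.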

Deploying contour-authserver

The recommended way to deploy contour-authserver is to use the Kustomize deployment YAML. This deploys services for the testserver, htpasswd and oidc backends. For developer deployments, Skaffold seems to work reasonably well.

There are no versioned releases or container images yet.

Releasing contour-authserver

Maintainers who need to release a new version of contour-authserver can use the following steps:

# Ensure that you have a GitHub token either in $GITHUB_TOKEN or in ~/.config/goreleaser/github_token.
# Ensure that goreleaser is installed.

# Tag the release.
$ ./hack/make-release-tag.sh $OLDVERS $NEWVERS

# Push the release tag to GitHub.
$ git push origin $NEWVERS

# Build and release binaries and Docker images.
$ make release

# Log in with your GitHub account and token to push the images.
$ docker login -u <GitHub username>
$ docker push ghcr.io/projectcontour/contour-authserver:$NEWVERS
$ docker push ghcr.io/projectcontour/contour-authserver:latest

# Log out.
$ docker logout

Contributors: b1gb4by, dependabot[bot], jpeach, robinfoe, skriss, stevesloka, surajssd

contour-authserver's Issues

Automated image builds for new commits/tags

Please describe the problem you have
[A clear, concise, description of the problem you are facing. What is the problem that feature X would solve for you?]
Currently, it seems that everything needed to build this project is present but the official image is about one year old.
I would propose that:

  • the image gets rebuilt whenever there is a change to the code -> tag latest
  • tagged to a version whenever a Git tag is created

That way, a user would be able to test (and potentially use) the latest features without the need to do a custom build / manage the hosting of the custom image.

Remove "experimental" from contour-authserver

This issue covers work to harden contour-authserver so that people could conceivably use it as a production-quality translation layer between Envoy ext_authz and other forms of RBAC. The idea here is that we can say confidently that Contour can support OIDC as close to out-of-the-box as possible.

Note that the right way to do this may be to send contour-authserver to the Envoy project, or add support into OIDC providers for Envoy's ext_authz directly.

Consistent Versioning

We should make the versioning consistent across the projectcontour repos. The latest release currently is v2. It would be nice to follow what contour does (e.g. v2.0.0)

Envoy disconnects because of TLSV1_ALERT_PROTOCOL_VERSION

What steps did you take and what happened:
After deploying this project using the provided resources and creating an extensionservice to target this authserver, the envoy sends the requests there but receives a TLSV1_ALERT_PROTOCOL_VERSION and rejects every connection with UAEX.

The request doesn't even get logged by contour-authserver.

❯ kubectl logs envoy-jxg5p -c envoy
[...]
[2021-12-07 15:11:07.906][1][debug][upstream] [source/common/upstream/logical_dns_cluster.cc:101] starting async DNS resolution for 127.0.0.1
[2021-12-07 15:11:07.906][1][debug][upstream] [source/common/upstream/logical_dns_cluster.cc:109] async DNS resolution complete for 127.0.0.1
[2021-12-07 15:11:07.906][1][debug][upstream] [source/common/upstream/logical_dns_cluster.cc:155] DNS refresh rate reset for 127.0.0.1, refresh rate 5000 ms
[2021-12-07 15:11:07.975][1][debug][main] [source/server/server.cc:199] flushing stats
[2021-12-07 15:11:07.994][13][debug][filter] [source/extensions/filters/listener/tls_inspector/tls_inspector.cc:79] tls inspector: new connection accepted
[2021-12-07 15:11:08.007][13][debug][filter] [source/extensions/filters/listener/tls_inspector/tls_inspector.cc:150] tls:onServerName(), requestedServerName: example.app.k8s.domain
[2021-12-07 15:11:08.008][13][debug][conn_handler] [source/server/connection_handler_impl.cc:501] [C304] new connection
[2021-12-07 15:11:08.199][1][debug][upstream] [source/common/upstream/upstream_impl.cc:278] transport socket match, socket default selected for host with address 100.75.36.192:8001
[2021-12-07 15:11:08.199][1][debug][upstream] [source/common/upstream/strict_dns_cluster.cc:167] DNS refresh rate reset for contour, refresh rate 5000 ms
[2021-12-07 15:11:08.314][13][debug][http2] [source/common/http/http2/codec_impl.cc:1184] [C304] updating connection-level initial window size to 268435456
[2021-12-07 15:11:08.314][13][debug][http] [source/common/http/conn_manager_impl.cc:254] [C304] new stream
[2021-12-07 15:11:08.315][13][debug][http] [source/common/http/conn_manager_impl.cc:886] [C304][S4958010076065905179] request headers complete (end_stream=true):
':method', 'GET'
':path', '/'
':scheme', 'https'
':authority', 'example.app.k8s.domain'
'authorization', 'Basic <basic-auth-header>'
'user-agent', 'curl/7.64.1'
'accept', '*/*'

[2021-12-07 15:11:08.315][13][debug][http] [source/common/http/filter_manager.cc:755] [C304][S4958010076065905179] request end stream
[2021-12-07 15:11:08.316][13][debug][lua] [source/extensions/filters/common/lua/lua.cc:39] coroutine finished
[2021-12-07 15:11:08.316][13][debug][router] [source/common/router/router.cc:425] [C0][S326086556289697609] cluster 'extension/ingress/contour-authserver-htpasswd' match for URL '/envoy.service.auth.v3.Authorization/Check'
[2021-12-07 15:11:08.316][13][debug][router] [source/common/router/router.cc:582] [C0][S326086556289697609] router decoding headers:
':method', 'POST'
':path', '/envoy.service.auth.v3.Authorization/Check'
':authority', 'extension/ingress/contour-authserver-htpasswd'
':scheme', 'https'
'te', 'trailers'
'grpc-timeout', '200m'
'content-type', 'application/grpc'
'x-envoy-internal', 'true'
'x-forwarded-for', '100.64.2.77'
'x-envoy-expected-rq-timeout-ms', '200'

[2021-12-07 15:11:08.317][13][debug][pool] [source/common/http/conn_pool_base.cc:79] queueing stream due to no available connections
[2021-12-07 15:11:08.317][13][debug][pool] [source/common/conn_pool/conn_pool_base.cc:106] creating a new connection
[2021-12-07 15:11:08.317][13][debug][client] [source/common/http/codec_client.cc:41] [C305] connecting
[2021-12-07 15:11:08.317][13][debug][connection] [source/common/network/connection_impl.cc:860] [C305] connecting to 100.64.2.76:9443
[2021-12-07 15:11:08.317][13][debug][connection] [source/common/network/connection_impl.cc:876] [C305] connection in progress
[2021-12-07 15:11:08.317][13][debug][http2] [source/common/http/http2/codec_impl.cc:1184] [C305] updating connection-level initial window size to 268435456
[2021-12-07 15:11:08.318][13][debug][connection] [source/common/network/connection_impl.cc:666] [C305] connected
[2021-12-07 15:11:08.319][13][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:224] [C305] TLS error: 268436526:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION
[2021-12-07 15:11:08.319][13][debug][connection] [source/common/network/connection_impl.cc:241] [C305] closing socket: 0
[2021-12-07 15:11:08.320][13][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:224] [C305] TLS error: 268436526:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION
[2021-12-07 15:11:08.320][13][debug][client] [source/common/http/codec_client.cc:99] [C305] disconnect. resetting 0 pending requests
[2021-12-07 15:11:08.320][13][debug][pool] [source/common/conn_pool/conn_pool_base.cc:343] [C305] client disconnected, failure reason: TLS error: 268436526:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION
[2021-12-07 15:11:08.320][13][debug][router] [source/common/router/router.cc:1026] [C0][S326086556289697609] upstream reset: reset reason: connection failure, transport failure reason: TLS error: 268436526:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION
[2021-12-07 15:11:08.321][13][debug][http] [source/common/http/async_client_impl.cc:101] async http request response headers (end_stream=true):
':status', '200'
'content-type', 'application/grpc'
'grpc-status', '14'
'grpc-message', 'upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268436526:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION'

[2021-12-07 15:11:08.321][13][debug][http] [source/common/http/filter_manager.cc:839] [C304][S4958010076065905179] Sending local reply with details ext_authz_error
[2021-12-07 15:11:08.321][13][debug][http] [source/common/http/conn_manager_impl.cc:1484] [C304][S4958010076065905179] encoding headers via codec (end_stream=true):
':status', '403'
'date', 'Tue, 07 Dec 2021 15:11:07 GMT'
'server', 'envoy'

[2021-12-07 15:11:08.321][13][debug][http2] [source/common/http/http2/codec_impl.cc:964] [C304] stream closed: 0
[2021-12-07 15:11:08.478][13][debug][connection] [source/common/network/connection_impl.cc:634] [C304] remote close
[2021-12-07 15:11:08.478][13][debug][connection] [source/common/network/connection_impl.cc:241] [C304] closing socket: 0
[2021-12-07 15:11:08.478][13][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:308] [C304] SSL shutdown: rc=1
[2021-12-07 15:11:08.478][13][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:224] [C304]
[2021-12-07 15:11:08.479][13][debug][conn_handler] [source/server/connection_handler_impl.cc:164] [C304] adding to cleanup list

What did you expect to happen:

Valid response by contour-authserver.

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

  • Software version:
    • contour-authserver: master branch
    • contour: 1.12.0
    • envoy: 1.17.0
  • Kubernetes version: (use kubectl version): 1.20.9
  • Kubernetes installer & version: n/a
  • Cloud provider or hardware configuration: n/a
  • OS (e.g. from /etc/os-release): n/a

Basic auth realm '*' doesn't validate

Labeling a htpasswd secret with the projectcontour.io/auth-realm=* label is intended to make that secret available in any basic auth realm, but * isn't allowed in a label value.

$ k label secret jpeach projectcontour.io/auth-realm=*
error: invalid label value: "projectcontour.io/auth-realm=*": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')

OIDC support should propagate any claims back to the request

Please describe the problem you have
[A clear, concise, description of the problem you are facing. What is the problem that feature X would solve for you?]
The OIDC support should propagate any claims received back to the initiating request.

Help: OIDC connection with keycloak

Hi there,

I am struggling to configure the contour-authserver to perform an OIDC connection with Keycloak.

When I access my website, Envoy correctly routes the traffic to contour-authserver to perform the authentication. Once the authentication is done, the connection is closed and I cannot access my website.

In the redirectUri, I use the contour-authserver address targeting port 9443 (but I feel this port only supports gRPC requests).

Should I configure the website URL? Is there another port which handles the HTTP connection?

Thank you in advance for the help you may bring

OIDC support should be on a per-vhost basis

Please describe the problem you have
[A clear, concise, description of the problem you are facing. What is the problem that feature X would solve for you?]
The OIDC support implemented in #13 sets the same config for all vhosts serviced by the authserver installation.

We should consider making it so that the config can be different on a per-vhost basis.

Release Docker images

We need to add some release process to build and release Docker images so that contour-authserver can be installed.

Very poor performance

What steps did you take and what happened:

  • Started contour-authserver as Pod in a Kubernetes Cluster.
  • Added one user with password 1234
  • Sent 20 HTTP requests per second
  • CPU load goes up to 100%, almost 90% of it used by contour-authserver

What did you expect to happen:

  • Almost no significant increase of the CPU load, since the number of requests is very low.

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

  • Software version: v2
  • Kubernetes version: (use kubectl version): v1.22.7
  • Cloud provider or hardware configuration: Azure AKS
  • OS (e.g. from /etc/os-release): Ubuntu

OIDC support in contour and contour-authserver

At a recent maintainer meeting we discussed what the path forward is for the Contour project providing support for OIDC in Contour and the contour-authserver repos.

Our end goal here is to have a story for external auth OIDC integration and provide some guidance for how to do things in production. We will provide deployment examples with a specific provider (e.g. https://github.com/dexidp/dex) but generally Contour should work with any with an appropriate shim/provider that can speak over grpc with Envoy.

Some steps we must complete for this are:

  • Mark this repo as experimental
    • It currently should not be treated as a production-ready piece of software as it was initially created for integration testing Contour
    • Initial OIDC support will also be experimental
  • Merge #13 which adds OIDC to this repo
  • Provide documentation for how contour-authserver can be used to initially experiment with OIDC and Contour
  • Investigate what state of art is in this area, see if we want to contribute/invest in another project for production use cases
    • e.g. contribute ability to connect to the Envoy grpc interface etc. to an OIDC provider
    • This is so we do not have to have the burden as projectcontour of owning another piece of production-grade software
  • Maybe productionize/harden contour-authserver repo as needed (depending on outcome of previous step)

Newer API version of cert-manager should be supported

What steps did you take and what happened:

The provided config file has an old version of cert-manager. Ref. https://github.com/projectcontour/contour-authserver/blob/main/config/htpasswd/certificate.yaml

apiVersion: cert-manager.io/v1alpha3 is old and now we want to use cert-manager.io/v1.

What did you expect to happen:

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

  • Software version:
  • Kubernetes version: (use kubectl version):
  • Kubernetes installer & version:
  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release):
