Added htpasswd option to the OpenShift OAuth type

Signed-off-by: Juraci Paixão Kröhling <juraci@kroehling.de>
jaegertracing · Jul 31, 2019 · 1fe0103 · 1fe0103
1 parent 60f5ed6
commit 1fe0103
Show file tree

Hide file tree

Showing 5 changed files with 100 additions and 19 deletions.
diff --git a/deploy/examples/openshift/custom-sar-oauth-proxy.yaml b/deploy/examples/openshift/custom-sar-oauth-proxy.yaml
@@ -6,4 +6,4 @@ spec:
   ingress:
     openshift:
       sar: '{"namespace": "default", "resource": "pods", "verb": "get"}'
-      delegate-urls: '{"/":{"namespace": "default", "resource": "pods", "verb": "get"}}'
+      delegateUrls: '{"/":{"namespace": "default", "resource": "pods", "verb": "get"}}'
diff --git a/deploy/examples/openshift/with-htpasswd.yaml b/deploy/examples/openshift/with-htpasswd.yaml
@@ -0,0 +1,18 @@
+# create the htpasswd with: htpasswd -cs /tmp/htpasswd jdoe
+# create the secret with: kubectl create secret generic htpasswd --from-file=htpasswd=/tmp/htpasswd
+apiVersion: jaegertracing.io/v1
+kind: Jaeger
+metadata:
+  name: with-htpasswd
+spec:
+  ingress:
+    openshift:
+      sar: '{"namespace": "default", "resource": "pods", "verb": "get"}'
+      htpasswdFile: /usr/local/data/htpasswd
+  volumeMounts:
+  - name: htpasswd-volume
+    mountPath: /usr/local/data
+  volumes:
+  - name: htpasswd-volume
+    secret:
+      secretName: htpasswd
diff --git a/pkg/apis/jaegertracing/v1/jaeger_types.go b/pkg/apis/jaegertracing/v1/jaeger_types.go
@@ -199,7 +199,10 @@ type JaegerIngressOpenShiftSpec struct {
 	SAR string `json:"sar,omitempty"`
 
 	// +optional
-	DelegateURLs string `json:"delegate-urls,omitempty"`
+	DelegateURLs string `json:"delegateUrls,omitempty"`
+
+	// +optional
+	HtpasswdFile string `json:"htpasswdFile,omitempty"`
 }
 
 // JaegerAllInOneSpec defines the options to be used when deploying the query

diff --git a/pkg/inject/oauth-proxy.go b/pkg/inject/oauth-proxy.go
@@ -44,6 +44,19 @@ func getOAuthProxyContainer(jaeger *v1.Jaeger) corev1.Container {
 		"--upstream=http://localhost:16686",
 	}
 
+	volumeMounts := []corev1.VolumeMount{{
+		MountPath: "/etc/tls/private",
+		Name:      service.GetTLSSecretNameForQueryService(jaeger),
+	}}
+
+	if len(jaeger.Spec.Ingress.OpenShift.HtpasswdFile) > 0 {
+		args = append(args, fmt.Sprintf("--htpasswd-file=%s", jaeger.Spec.Ingress.OpenShift.HtpasswdFile))
+		args = append(args, "--display-htpasswd-form=false")
+
+		// we can only get VolumeMounts from the top-level node
+		volumeMounts = append(volumeMounts, jaeger.Spec.JaegerCommonSpec.VolumeMounts...)
+	}
+
 	if len(jaeger.Spec.Ingress.OpenShift.SAR) > 0 {
 		args = append(args, fmt.Sprintf("--openshift-sar=%s", jaeger.Spec.Ingress.OpenShift.SAR))
 	}
@@ -57,13 +70,10 @@ func getOAuthProxyContainer(jaeger *v1.Jaeger) corev1.Container {
 	commonSpec := util.Merge([]v1.JaegerCommonSpec{jaeger.Spec.Ingress.JaegerCommonSpec, jaeger.Spec.JaegerCommonSpec})
 
 	return corev1.Container{
-		Image: viper.GetString("openshift-oauth-proxy-image"),
-		Name:  "oauth-proxy",
-		Args:  args,
-		VolumeMounts: []corev1.VolumeMount{{
-			MountPath: "/etc/tls/private",
-			Name:      service.GetTLSSecretNameForQueryService(jaeger),
-		}},
+		Image:        viper.GetString("openshift-oauth-proxy-image"),
+		Name:         "oauth-proxy",
+		Args:         args,
+		VolumeMounts: volumeMounts,
 		Ports: []corev1.ContainerPort{
 			{
 				ContainerPort: 8443,

diff --git a/pkg/inject/oauth-proxy_test.go b/pkg/inject/oauth-proxy_test.go
@@ -17,37 +17,37 @@ import (
 )
 
 func TestOAuthProxyContainerIsNotAddedByDefault(t *testing.T) {
-	jaeger := v1.NewJaeger(types.NamespacedName{Name: "TestOAuthProxyContainerIsNotAddedByDefault"})
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "my-instance"})
 	dep := OAuthProxy(jaeger, deployment.NewQuery(jaeger).Get())
 	assert.Len(t, dep.Spec.Template.Spec.Containers, 1)
 	assert.Equal(t, "jaeger-query", dep.Spec.Template.Spec.Containers[0].Name)
 }
 
 func TestOAuthProxyContainerIsAdded(t *testing.T) {
-	jaeger := v1.NewJaeger(types.NamespacedName{Name: "TestOAuthProxyContainerIsAdded"})
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "my-instance"})
 	jaeger.Spec.Ingress.Security = v1.IngressSecurityOAuthProxy
 	dep := OAuthProxy(jaeger, deployment.NewQuery(jaeger).Get())
 	assert.Len(t, dep.Spec.Template.Spec.Containers, 2)
 	assert.Equal(t, "oauth-proxy", dep.Spec.Template.Spec.Containers[1].Name)
 }
 
 func TestOAuthProxyTLSSecretVolumeIsAdded(t *testing.T) {
-	jaeger := v1.NewJaeger(types.NamespacedName{Name: "TestOAuthProxyTLSSecretVolumeIsAdded"})
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "my-instance"})
 	jaeger.Spec.Ingress.Security = v1.IngressSecurityOAuthProxy
 	dep := OAuthProxy(jaeger, deployment.NewQuery(jaeger).Get())
 	assert.Len(t, dep.Spec.Template.Spec.Volumes, 1)
 	assert.Equal(t, dep.Spec.Template.Spec.Volumes[0].Name, service.GetTLSSecretNameForQueryService(jaeger))
 }
 
 func TestOAuthProxyTLSSecretVolumeIsNotAddedByDefault(t *testing.T) {
-	jaeger := v1.NewJaeger(types.NamespacedName{Name: "TestOAuthProxyTLSSecretVolumeIsNotAddedByDefault"})
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "my-instance"})
 	dep := OAuthProxy(jaeger, deployment.NewQuery(jaeger).Get())
 	assert.Len(t, dep.Spec.Template.Spec.Volumes, 0)
 }
 
 func TestOAuthProxyConsistentServiceAccountName(t *testing.T) {
 	// see https://github.com/openshift/oauth-proxy/issues/95
-	jaeger := v1.NewJaeger(types.NamespacedName{Name: "TestOAuthProxyConsistentServiceAccountName"})
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "my-instance"})
 	jaeger.Spec.Ingress.Security = v1.IngressSecurityOAuthProxy
 	dep := OAuthProxy(jaeger, deployment.NewQuery(jaeger).Get())
 
@@ -61,7 +61,7 @@ func TestOAuthProxyConsistentServiceAccountName(t *testing.T) {
 }
 
 func TestOAuthProxyWithCustomSAR(t *testing.T) {
-	jaeger := v1.NewJaeger(types.NamespacedName{Name: "TestOAuthProxyWithCustomSAR"})
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "my-instance"})
 	jaeger.Spec.Ingress.Security = v1.IngressSecurityOAuthProxy
 	jaeger.Spec.Ingress.OpenShift.SAR = `{"namespace": "default", "resource": "pods", "verb": "get"}`
 	dep := OAuthProxy(jaeger, deployment.NewQuery(jaeger).Get())
@@ -75,11 +75,61 @@ func TestOAuthProxyWithCustomSAR(t *testing.T) {
 	assert.True(t, found)
 }
 
+func TestOAuthProxyWithHtpasswdFile(t *testing.T) {
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "my-instance"})
+	jaeger.Spec.Ingress.Security = v1.IngressSecurityOAuthProxy
+	jaeger.Spec.Ingress.OpenShift.HtpasswdFile = "/etc/htpasswd"
+	dep := OAuthProxy(jaeger, deployment.NewQuery(jaeger).Get())
+
+	found := false
+	for _, a := range dep.Spec.Template.Spec.Containers[1].Args {
+		if a == fmt.Sprintf("--htpasswd-file=%s", jaeger.Spec.Ingress.OpenShift.HtpasswdFile) {
+			found = true
+		}
+	}
+	assert.True(t, found)
+}
+
+func TestMountVolumeSpecifiedAtMainSpec(t *testing.T) {
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "my-instance"})
+	jaeger.Spec.Ingress.Security = v1.IngressSecurityOAuthProxy
+	jaeger.Spec.Ingress.OpenShift.HtpasswdFile = "/etc/passwd"
+	jaeger.Spec.VolumeMounts = []corev1.VolumeMount{{
+		Name: "the-volume",
+	}}
+	dep := OAuthProxy(jaeger, deployment.NewQuery(jaeger).Get())
+
+	found := false
+	for _, a := range dep.Spec.Template.Spec.Containers[1].VolumeMounts {
+		if a.Name == "the-volume" {
+			found = true
+		}
+	}
+	assert.True(t, found)
+}
+
+func TestDoNotMountWhenNotNeeded(t *testing.T) {
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "my-instance"})
+	jaeger.Spec.Ingress.Security = v1.IngressSecurityOAuthProxy
+	jaeger.Spec.VolumeMounts = []corev1.VolumeMount{{
+		Name: "the-volume",
+	}}
+	dep := OAuthProxy(jaeger, deployment.NewQuery(jaeger).Get())
+
+	found := false
+	for _, a := range dep.Spec.Template.Spec.Containers[1].VolumeMounts {
+		if a.Name == "the-volume" {
+			found = true
+		}
+	}
+	assert.False(t, found)
+}
+
 func TestOAuthProxyWithCustomDelegateURLs(t *testing.T) {
 	viper.Set("auth-delegator-available", true)
 	defer viper.Reset()
 
-	jaeger := v1.NewJaeger(types.NamespacedName{Name: "TestOAuthProxyWithCustomDelegateURLs"})
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "my-instance"})
 	jaeger.Spec.Ingress.Security = v1.IngressSecurityOAuthProxy
 	jaeger.Spec.Ingress.OpenShift.DelegateURLs = `{"/":{"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}}`
 	dep := OAuthProxy(jaeger, deployment.NewQuery(jaeger).Get())
@@ -100,7 +150,7 @@ func TestOAuthProxyWithCustomDelegateURLsWithoutProperClusterRole(t *testing.T)
 		setDefaults()
 	}()
 
-	jaeger := v1.NewJaeger(types.NamespacedName{Name: "TestOAuthProxyWithCustomDelegateURLs"})
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "my-instance"})
 	jaeger.Spec.Ingress.Security = v1.IngressSecurityOAuthProxy
 	jaeger.Spec.Ingress.OpenShift.DelegateURLs = `{"/":{"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}}`
 	dep := OAuthProxy(jaeger, deployment.NewQuery(jaeger).Get())
@@ -115,7 +165,7 @@ func TestOAuthProxyWithCustomDelegateURLsWithoutProperClusterRole(t *testing.T)
 }
 
 func TestOAuthProxyOrderOfArguments(t *testing.T) {
-	jaeger := v1.NewJaeger(types.NamespacedName{Name: "TestOAuthProxyConsistentServiceAccountName"})
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "my-instance"})
 	jaeger.Spec.Ingress.Security = v1.IngressSecurityOAuthProxy
 	dep := OAuthProxy(jaeger, deployment.NewQuery(jaeger).Get())
 
@@ -129,7 +179,7 @@ func TestOAuthProxyOrderOfArguments(t *testing.T) {
 }
 
 func TestOAuthProxyResourceLimits(t *testing.T) {
-	jaeger := v1.NewJaeger(types.NamespacedName{Name: "TestOAuthProxyResourceLimits"})
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "my-instance"})
 	jaeger.Spec.Resources = corev1.ResourceRequirements{
 		Limits: corev1.ResourceList{
 			corev1.ResourceLimitsCPU:              *resource.NewQuantity(1024, resource.BinarySI),