From 617c1ca13eaf4d7c8ef5edc132568e7e5151daeb Mon Sep 17 00:00:00 2001
From: Frank Dai
Date: Sun, 16 Feb 2020 17:30:19 -0800
Subject: [PATCH 1/4] Add keycloak support
---
 Dockerfile | 12 +--------
 kubernetes/puppetboard.yml.erb | 47 ++++++++++++++++++++++++++--------
 puppetboard_pam | 14 ----------
 services/app/log/run | 3 ---
 services/app/run | 7 -----
 services/nginx/log/run | 3 ---
 services/nginx/nginx.conf | 45 --------------------------------
 services/nginx/run | 5 ----
 8 files changed, 37 insertions(+), 99 deletions(-)
 delete mode 100644 puppetboard_pam
 delete mode 100755 services/app/log/run
 delete mode 100755 services/app/run
 delete mode 100755 services/nginx/log/run
 delete mode 100644 services/nginx/nginx.conf
 delete mode 100755 services/nginx/run
diff --git a/Dockerfile b/Dockerfile
index 8e0e87f..a1edecd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,17 +5,11 @@ ARG PUPPETBOARD_VERSION
 RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
 git \
- libpam-krb5 \
- nginx \
 python3 \
- runit \
 virtualenv \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
-COPY services/nginx/nginx.conf /etc/nginx
-COPY puppetboard_pam /etc/pam.d/puppetboard
-
 RUN mkdir -p /opt/puppetboard
 RUN chown nobody:nogroup /opt/puppetboard
 WORKDIR /opt/puppetboard
@@ -24,10 +18,6 @@ USER nobody
 RUN git clone https://github.com/voxpupuli/puppetboard.git . \
 && git checkout $PUPPETBOARD_VERSION
-# Only allow users in the ocfstaff group to access puppetboard
-RUN echo "ocfstaff" > /opt/puppetboard/allowed-groups
-
-COPY --chown=nobody:nogroup services /opt/puppetboard/services
 COPY --chown=nobody:nogroup settings.py /opt/puppetboard
 RUN virtualenv -ppython3 /opt/puppetboard/venv \
@@ -36,4 +26,4 @@ RUN virtualenv -ppython3 /opt/puppetboard/venv \
 ENV PUPPETBOARD_SETTINGS /opt/puppetboard/settings.py
-CMD ["runsvdir", "/opt/puppetboard/services"]
+CMD ["/opt/puppetboard/venv/bin/gunicorn", "-b", "127.0.0.1:8000", "puppetboard.app:app"]
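Review bot: The loopback bind in the new `CMD` (`-b 127.0.0.1:8000`) is now the only thing standing between the unauthenticated puppetboard app and the pod network, because the nginx/PAM gate this commit deletes is gone and authentication is expected to come from a proxy in the same pod, yet nothing in the Dockerfile says so. A maintainer who later switches it to `0.0.0.0` to "make the port reachable" would expose every node's catalog, facts and report output (which the deleted PAM comment notes can contain passwords) without any auth. Add above the `CMD`: `# Bind to loopback ONLY: this image has no authentication of its own; an auth proxy in the same pod forwards to 127.0.0.1:8000. Never bind 0.0.0.0.` Presumably also relevant: gunicorn by default honors X-Forwarded-* headers only from 127.0.0.1, which matches this topology but should be revisited if the proxy ever runs at a different address.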
diff --git a/kubernetes/puppetboard.yml.erb b/kubernetes/puppetboard.yml.erb
index c2c7dc4..36bc6ef 100644
--- a/kubernetes/puppetboard.yml.erb
+++ b/kubernetes/puppetboard.yml.erb
@@ -26,6 +26,32 @@ spec:
 app: puppetboard
 spec:
 containers:
+ - name: auth
+ image: "keycloak/keycloak-gatekeeper:6.0.1"
+ args:
+ - --client-id=puppetboard
+ - --client-secret=$(KEYCLOAK_SECRET)
+ - --encryption-key=$(ENCRYPTION_KEY)
+ - --redirection-url=https://puppet.ocf.berkeley.edu/
+ - --discovery-url=https://auth.ocf.berkeley.edu/auth/realms/ocf
+ - --enable-default-deny=true
+ - --enable-session-cookies
+ - --listen=:8080
+ - --upstream-url=http://localhost:8000
+ - --resources=uri=/*|roles=ocfstaff
+ env:
+ - name: KEYCLOAK_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-client
+ key: secret
+ - name: ENCRYPTION_KEY
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-client
+ key: encryption_key
+ ports:
+ - containerPort: 8080
 - name: puppetboard
 image: "docker.ocf.berkeley.edu/puppetboard:<%= version %>"
 resources:
@@ -33,20 +59,10 @@ spec:
 memory: 2048Mi
 cpu: 750m
 ports:
- - containerPort: 8080
+ - containerPort: 8000
 volumeMounts:
 - mountPath: /opt/puppetboard/keys
 name: secrets
- livenessProbe:
- tcpSocket:
- port: 8080
- initialDelaySeconds: 15
- periodSeconds: 20
- readinessProbe:
- tcpSocket:
- port: 8080
- initialDelaySeconds: 5
- periodSeconds: 5
 volumes:
 - name: secrets
 hostPath:
@@ -69,3 +85,12 @@ spec:
 - backend:
 serviceName: service
 servicePort: 80
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: keycloak-client
+type: Opaque
+stringData:
+ secret: <%= keycloak_secret %>
+ encryption_key: <%= keycloak_encryption_key %>
diff --git a/puppetboard_pam b/puppetboard_pam
deleted file mode 100644
index 0f8c01b..0000000
--- a/puppetboard_pam
+++ /dev/null
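Review bot: Passing `--client-secret=$(KEYCLOAK_SECRET)` and `--encryption-key=$(ENCRYPTION_KEY)` as command-line args puts both secrets into the container's argv, where anyone who can exec into the pod or read `/proc/<pid>/cmdline` on the node can see them. Keycloak gatekeeper reads every flag from an environment variable with a `PROXY_` prefix (confirm against the 6.0.1 docs), so the same secretKeyRef entries can be renamed to `- name: PROXY_CLIENT_SECRET` and `- name: PROXY_ENCRYPTION_KEY` and the two `--client-secret`/`--encryption-key` args dropped. Two caveats worth a comment on the `auth` container: gatekeeper requires the encryption key to be an AES key length (16 or 32 bytes per its docs), and `--resources=uri=/*|roles=ocfstaff` only admits tokens carrying a role literally named `ocfstaff`, so the realm must map the staff group to that role or every login is denied. The sidecar also has no `resources` requests/limits while the `puppetboard` container does.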
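Review bot: `containerPort: 8000` on the `puppetboard` container is informational only; what actually prevents clients from skipping the `auth` sidecar is that gunicorn in this image binds `127.0.0.1:8000`, and nothing in the manifest records that dependency. Add above the port: `# 8000 is reachable only from the auth sidecar (gunicorn binds loopback); the Service must target 8080, never 8000.` The Service behind the Ingress's `servicePort: 80` is outside this hunk, so confirm its targetPort moved to 8080 with this change, otherwise traffic either breaks or, if the bind is ever relaxed, bypasses authentication. Note also that after this hunk the `puppetboard` container has no liveness or readiness probe at all (probes are only added to the sidecar later in this series), so a dead gunicorn is never restarted while the pod stays Ready.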
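Review bot: The templated values under `stringData` are unquoted, so whatever Puppet renders for `<%= keycloak_secret %>` and `<%= keycloak_encryption_key %>` is parsed as a plain YAML scalar: a value that is all digits, starts with `*`, `&`, `{`, `[`, `%` or `!`, or contains `: ` or ` #` will be retyped, truncated or rejected by the apiserver. Quote both lines, `secret: "<%= keycloak_secret %>"` and `encryption_key: "<%= keycloak_encryption_key %>"`, or, if the templating context allows it, render them with `.to_json` so embedded quotes are escaped too. Since this puts the plaintext client secret and encryption key into the rendered manifest on whichever host applies it, that file's permissions need to stay restricted and it must not be archived or logged; a comment on this document saying the values are secrets rendered by Puppet would help the next reader.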
@@ -1,14 +0,0 @@
-# Restrict access to ocfstaff users only, because we don't want the general
-# public to be able to see everything about puppet including failures which
-# could contain passwords, etc.
-#
-# Note that this PAM service is used only for authentication to the nginx
-# proxy, puppetboard is just running as a simple upstream that nginx proxies to
-
-@include common-auth
-@include common-account
-@include common-password
-@include common-session
-
-# Must be in the ocfstaff group to access
-auth required pam_listfile.so onerr=fail item=group sense=allow file=/opt/puppetboard/allowed-groups
diff --git a/services/app/log/run b/services/app/log/run
deleted file mode 100755
index 8f48025..0000000
--- a/services/app/log/run
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-exec /opt/share/utils/sbin/stdin2syslog puppetboard-app
diff --git a/services/app/run b/services/app/run
deleted file mode 100755
index ae0c563..0000000
--- a/services/app/run
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-exec 2>&1
-
-cd /opt/puppetboard
-exec /opt/puppetboard/venv/bin/gunicorn -b 127.0.0.1:8000 puppetboard.app:app
diff --git a/services/nginx/log/run b/services/nginx/log/run
deleted file mode 100755
index 997f39e..0000000
--- a/services/nginx/log/run
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-exec /opt/share/utils/sbin/stdin2syslog puppetboard-nginx
diff --git a/services/nginx/nginx.conf b/services/nginx/nginx.conf
deleted file mode 100644
index 9943dec..0000000
--- a/services/nginx/nginx.conf
+++ /dev/null
@@ -1,45 +0,0 @@
-error_log /dev/stderr;
-daemon off;
-pid /tmp/nginx_pid;
-
-# Load the pam module for authentication
-load_module /usr/lib/nginx/modules/ngx_http_auth_pam_module.so;
-
-events {}
-
-http {
- include /etc/nginx/mime.types;
- access_log /dev/stderr;
-
- upstream puppetboard {
- server 127.0.0.1:8000;
- }
-
- server {
- # We can't listen on a port below 1024 when running as nobody (instead
- # of root), so listen on 8080 instead
- listen 8080;
-
- client_body_temp_path /tmp/nginx_client_temp;
- fastcgi_temp_path /tmp/nginx_fastcgi_temp;
- proxy_temp_path /tmp/nginx_proxy_temp;
- scgi_temp_path /tmp/nginx_scgi_temp;
- uwsgi_temp_path /tmp/nginx_uwsgi_temp;
-
- # Require authentication to access puppetboard
- auth_pam "Puppetboard";
- auth_pam_service_name "puppetboard";
-
- location /static {
- alias /opt/puppetboard/puppetboard/static;
- }
-
- location / {
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Host $http_host;
- proxy_redirect off;
- proxy_pass http://puppetboard;
- }
- }
-}
diff --git a/services/nginx/run b/services/nginx/run
deleted file mode 100755
index d94aeb2..0000000
--- a/services/nginx/run
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-exec 2>&1
-
-exec nginx -c nginx.conf -p $(pwd)
From c8befc7b464bfc1483bbcfdb19292cc81b3b2b8c Mon Sep 17 00:00:00 2001
From: Frank Dai
Date: Sun, 16 Feb 2020 17:35:38 -0800
Subject: [PATCH 2/4] Add back liveness probes
---
 kubernetes/puppetboard.yml.erb | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/kubernetes/puppetboard.yml.erb b/kubernetes/puppetboard.yml.erb
index 36bc6ef..ab31507 100644
--- a/kubernetes/puppetboard.yml.erb
+++ b/kubernetes/puppetboard.yml.erb
@@ -52,6 +52,16 @@ spec:
 key: encryption_key
 ports:
 - containerPort: 8080
+ livenessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 5
 - name: puppetboard
 image: "docker.ocf.berkeley.edu/puppetboard:<%= version %>"
 resources:
From 8343f59a3d1dd3dbf9aa9f2039d3f490accc9a18 Mon Sep 17 00:00:00 2001
From: Frank Dai
Date: Sun, 16 Feb 2020 17:42:55 -0800
Subject: [PATCH 3/4] Remove dependencies on ocf docker
---
 Dockerfile | 2 +-
 Jenkinsfile | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index a1edecd..de9c872 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.ocf.berkeley.edu/theocf/debian:buster
+FROM debian:buster
 ARG PUPPETBOARD_VERSION
diff --git a/Jenkinsfile b/Jenkinsfile
index 7dae52e..6c719c2 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -1,5 +1,3 @@
-servicePipeline(
- upstreamProjects: ['dockers/master'],
-)
+servicePipeline()
 // vim: ft=groovy
From c414b805e419c5cb3faf033d22a88228c17358ea Mon Sep 17 00:00:00 2001
From: Frank Dai
Date: Sun, 16 Feb 2020 18:01:12 -0800
Subject: [PATCH 4/4] Only use ipv4 for puppetboard
---
 kubernetes/puppetboard.yml.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubernetes/puppetboard.yml.erb b/kubernetes/puppetboard.yml.erb
index ab31507..dd6f5e9 100644
--- a/kubernetes/puppetboard.yml.erb
+++ b/kubernetes/puppetboard.yml.erb
@@ -37,7 +37,7 @@ spec:
 - --enable-default-deny=true
 - --enable-session-cookies
 - --listen=:8080
- - --upstream-url=http://localhost:8000
+ - --upstream-url=http://127.0.0.1:8000
 - --resources=uri=/*|roles=ocfstaff
 env:
 - name: KEYCLOAK_SECRET
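Review bot: A `tcpSocket` probe on 8080 only proves the gatekeeper listener accepts connections; it says nothing about whether the proxy can reach its discovery URL or its upstream, and the `puppetboard` container in the same pod still has no probe of its own. Gatekeeper serves a health endpoint (`/oauth/health` in the releases I know of; confirm for 6.0.1) that would make a more meaningful `httpGet` readiness probe than the raw socket check. For the upstream container, a `tcpSocket` probe on 8000 would always fail because the kubelet connects to the pod IP and gunicorn is bound to `127.0.0.1`, so it needs an `exec` probe that fetches `http://127.0.0.1:8000/` from inside the container; the Dockerfile in this series installs neither curl nor wget, so that means a python one-liner or adding the tool. The enclosing `containers:` list starts before this hunk.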
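Review bot: `FROM debian:buster` is a floating tag on a public registry, so every build now pulls whatever Docker Hub currently serves for that tag and the image is no longer reproducible or vetted through the org-maintained base it replaces. Pin it to a digest, `FROM debian:buster@sha256:<digest>`, and bump the digest deliberately (the tag can stay for readability), or at least document in the Dockerfile why the internal base was dropped. Whatever the internal `theocf/debian` image provided (apt mirror settings, CA bundle, org users or groups) is presumably gone here; the `chown nobody:nogroup` and `USER nobody` lines still work on stock Debian, but anything else that silently relied on the old base should be checked.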
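Review bot: The reason for `http://127.0.0.1:8000` over `localhost` is not recorded in the manifest, and the commit subject ("Only use ipv4") is the only hint a future reader gets; add a comment above the arg: `# 127.0.0.1, not localhost: gunicorn in the puppetboard container binds the IPv4 loopback only, and localhost may resolve to ::1 first in this image.` This value has to stay in sync with the `-b 127.0.0.1:8000` bind in the Dockerfile `CMD`, and both together are what keep the app reachable only through the sidecar. The enclosing `args:` list starts before this hunk.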