Use kube-authz-proxy with dbgate

Signed-off-by: Tamal Saha <[email protected]>
kubedb · Jul 8, 2024 · f6560f8 · f6560f8
1 parent 9db0126
commit f6560f8
Show file tree

Hide file tree

Showing 7 changed files with 157 additions and 1 deletion.
diff --git a/charts/dbgate/templates/cluster-role-binding.yaml b/charts/dbgate/templates/cluster-role-binding.yaml
@@ -0,0 +1,15 @@
+# to delegate authentication and authorization
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "dbgate.fullname" . }}-auth-delegator
+  labels:
+    {{- include "dbgate.labels" . | nindent 4 }}
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: {{ include "dbgate.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
diff --git a/charts/dbgate/templates/deployment.yaml b/charts/dbgate/templates/deployment.yaml
@@ -77,6 +77,41 @@ spec:
               port: http
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+
+        {{ if .Values.authzProxy.enabled }}
+        - name: authz-proxy
+          securityContext:
+            {{- toYaml .Values.authzProxy.securityContext | nindent 12 }}
+          image: "{{ .Values.authzProxy.repository }}:{{ .Values.authzProxy.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - run
+            - --listen={{ .Values.authzProxy.params.listen }}
+            - --metrics-addr={{ .Values.authzProxy.params.metricsAddr }}
+            - --platform-url={{ .Values.authzProxy.params.platformURL }}
+            # - --platform-ca-file=<mount-csi-driver>
+            - --secret-name={{ .Values.app.authSecret.name }}
+            - --secret-namespace={{ .Release.Namespace }}
+            - --target-url=http://localhost:3000
+          ports:
+            - name: proxy
+              containerPort: {{ .Values.authzProxy.params.listen }}
+              protocol: TCP
+            - name: metrics
+              containerPort: {{ .Values.authzProxy.params.metricsAddr }}
+              protocol: TCP
+          # livenessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          # readinessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          resources:
+            {{- toYaml .Values.authzProxy.resources | nindent 12 }}
+        {{ end }}
+
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/dbgate/templates/service.yaml b/charts/dbgate/templates/service.yaml
@@ -9,7 +9,7 @@ spec:
   type: {{ .Values.service.type }}
   ports:
     - port: {{ .Values.service.port }}
-      targetPort: http
+      targetPort: {{ if .Values.authzProxy.enabled }}"proxy"{{ else }}"http"{{ end }}
       protocol: TCP
       name: http
   selector:

diff --git a/charts/dbgate/templates/serviceaccount.yaml b/charts/dbgate/templates/serviceaccount.yaml
@@ -10,4 +10,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: true
 {{- end }}
diff --git a/charts/dbgate/values.yaml b/charts/dbgate/values.yaml
@@ -122,3 +122,30 @@ app:
 bind:
   name: ""
   namespace: ""
+
+authzProxy:
+  enabled: true
+  # KubeDB operator container image
+  repository: ghcr.io/appscode/kube-authz-proxy
+  # KubeDB operator container image tag
+  tag: "v0.0.1"
+  # Security options this container should run with
+  securityContext: # +doc-gen:break
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
+  # Compute Resources required by this container
+  resources: {}
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  params:
+    listen: 8000
+    metricsAddr: 8080
+    platformURL: https://accounts.tamal-k3s-chennai-com-nhsee.bytebuilders.xyz
+    platform-ca-file: <mount-csi-driver>
diff --git a/charts/pgadmin/templates/deployment.yaml b/charts/pgadmin/templates/deployment.yaml
@@ -29,6 +29,52 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
+        - name: authz-proxy
+          args:
+          - --listen=8000
+          - --metrics-addr=8080
+          - --platform-url=<https://api.appscode.com>
+          - --platform-ca-file=<mount-csi-driver>
+          - --secret-name=<auth-secret>
+          - --secret-namespace=${Release.namespace}
+          - --target-url=http://localhost:<pgadmin-port>
+
+
+authProxy:
+  # Docker registry used to pull KubeDB operator image
+  registry: kubedb
+  # KubeDB operator container image
+  repository: kubedb-provisioner
+  # KubeDB operator container image tag
+  tag: ""
+  # Security options this container should run with
+  securityContext: # +doc-gen:break
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 65534
+    # seccompProfile:
+    #   type: RuntimeDefault
+  # Compute Resources required by this container
+  resources: {}
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  enable: <>
+  - --listen=8000
+  - --metrics-addr=8080
+  - --platform-url=<https://api.appscode.com>
+  - --platform-ca-file=<mount-csi-driver>
+  - --secret-name=<auth-secret>
+  - --secret-namespace=${Release.namespace}
+  - --target-url=http://localhost:<pgadmin-port>
+
+
+
+
+
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}

diff --git a/charts/pgadmin/values.yaml b/charts/pgadmin/values.yaml
@@ -115,3 +115,35 @@ app:
 bind:
   name: ""
   namespace: ""
+
+authzProxy:
+  enable: <>
+  # Docker registry used to pull KubeDB operator image
+  registry: appscode
+  # KubeDB operator container image
+  repository: kube-authz-proxy
+  # KubeDB operator container image tag
+  tag: "v0.0.1"
+  # Security options this container should run with
+  securityContext: # +doc-gen:break
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
+  # Compute Resources required by this container
+  resources: {}
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  params:
+    listen: 8000
+    metricsAddr: 8080
+    platformURL: <https://api.appscode.com>
+    platform-ca-file: <mount-csi-driver>
+    secretName: <auth-secret>
+    secretNamespace: ${Release.namespace}
+    targetURL: http://localhost:<pgadmin-port>