From 6d061d59909216db7af86b50ffbbd762cb2b5cb6 Mon Sep 17 00:00:00 2001
From: Guangning E
Date: Thu, 6 Jun 2024 09:04:00 +0800
Subject: [PATCH] Support custom proxy-admin role (#1169)
* Support custom define proxy-admin role
* Fixed vault
* Add cluster name to env
---
 .../proxy-super-service-account-template.json | 5 ++++
 .../startup.sh | 23 ++++++++++++++++---
 .../streamnative-console-statefulset.yaml | 2 ++
 .../templates/vault/vault-initialize.yaml | 4 ++++
 charts/sn-platform/values.yaml | 2 ++
 5 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 charts/sn-platform/conf/vault/init_vault_streamnative_console/proxy-super-service-account-template.json
diff --git a/charts/sn-platform/conf/vault/init_vault_streamnative_console/proxy-super-service-account-template.json b/charts/sn-platform/conf/vault/init_vault_streamnative_console/proxy-super-service-account-template.json
new file mode 100644
index 00000000..643ee37d
--- /dev/null
+++ b/charts/sn-platform/conf/vault/init_vault_streamnative_console/proxy-super-service-account-template.json
@@ -0,0 +1,5 @@
+{
+ "rolename": {{identity.entity.aliases.MOUNT_ACCESSOR.metadata.role_name}},
+ "id": {{identity.entity.aliases.MOUNT_ACCESSOR.id}},
+ "type": "service-account"
+}
\ No newline at end of file
diff --git a/charts/sn-platform/conf/vault/init_vault_streamnative_console/startup.sh b/charts/sn-platform/conf/vault/init_vault_streamnative_console/startup.sh
index ebec8a96..1ea0a104 100644
--- a/charts/sn-platform/conf/vault/init_vault_streamnative_console/startup.sh
+++ b/charts/sn-platform/conf/vault/init_vault_streamnative_console/startup.sh
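Review bot: The template fills `rolename` from `identity.entity.aliases.MOUNT_ACCESSOR.metadata.role_name`, but the alias this patch creates for the new entity later in startup.sh sets only `metadata=name='proxy-super-service-account-non-expire'`, so unless `role_name` is populated by the auth mount's own login alias the claim will presumably render empty; worth confirming against the existing super-service-account-template.json, which is not part of the patch. The file also has no trailing newline, and nothing records that startup.sh splices custom members with `sed "2a …"`, which is why the opening brace and the first member must stay on lines 1–2. JSON has no comment syntax, so suggest documenting that layout constraint in values.yaml next to `proxySuperToken` instead.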
@@ -39,6 +39,12 @@ if [ -n "$CUSTOM_SUPER_TOKEN_PAYLOAD" ]; then
 done
 fi
 
+if [ -n "$CUSTOM_PROXY_SUPER_TOKEN_PAYLOAD" ]; then
+ echo "$CUSTOM_PROXY_SUPER_TOKEN_PAYLOAD" | tr '|' '\n' | while read item; do
+ sed -i "2a ${item}," $BASEDIR/../tmp/proxy-super-service-account-template.json;
+ done
+fi
+
 if [ -n "$CUSTOM_NON_SUPER_TOKEN_PAYLOAD" ]; then
 echo "$CUSTOM_NON_SUPER_TOKEN_PAYLOAD" | tr '|' '\n' | while read item; do
 sed -i "2a ${item}," $BASEDIR/../tmp/service-account-template.json;
@@ -54,6 +60,8 @@ sed "s#MOUNT_ACCESSOR#$serviceAccountMountAccessor#g" $BASEDIR/../tmp/service-ac
 sed "s#MOUNT_ACCESSOR#$serviceAccountMountAccessor#g" $BASEDIR/../tmp/service-account.hcl > $TMP_DIR/service-account.hcl
 sed "s#MOUNT_ACCESSOR#$serviceAccountMountAccessor#g" $BASEDIR/../tmp/super-service-account.hcl > $TMP_DIR/super-service-account.hcl
 sed "s#MOUNT_ACCESSOR#$serviceAccountMountAccessor#g" $BASEDIR/../tmp/super-service-account-template.json > $TMP_DIR/super-service-account-template.json
+sed "s#MOUNT_ACCESSOR#$serviceAccountMountAccessor#g" $BASEDIR/../tmp/proxy-super-service-account-template.json > $TMP_DIR/proxy-super-service-account-template.json
+
 
 vault policy write service-account $TMP_DIR/service-account.hcl
 vault write identity/entity name="service-account" policies="service-account"
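Review bot: The new loop uses `while read item` without `-r`, so backslashes in each payload item are consumed by `read` before the `sed -i "2a ${item}," …` splice, and nothing checks that the spliced text is still a JSON member; a malformed value therefore only surfaces later, when `vault write identity/oidc/role/…` rejects the template. The example given in values.yaml (`\\\"roles\\\":[\\\"proxy-admin\\\"]`) only works for one specific number of escaping layers, and that dependency is undocumented. This mirrors the existing super and non-super blocks, so either keep the behaviour and add `# items are spliced verbatim after line 2 of the template; read (no -r) strips one level of backslashes` above the loop, or switch all three loops to `while read -r item` together and adjust the documented escaping. `$BASEDIR` is also unquoted, as in the neighbouring blocks.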
@@ -93,6 +101,15 @@ vault write identity/oidc/role/super-service-account-non-expire key=super-servic
 nonExpireSuperServiceAccountClientId=$(vault read identity/oidc/role/super-service-account-non-expire | grep client_id | awk '{print $2}')
 vault write identity/oidc/key/super-service-account-non-expire name=super-service-account-non-expire rotation_period=256000h verification_ttl=1752000h allowed_client_ids=$nonExpireSuperServiceAccountClientId
+vault policy write proxy-super-service-account-non-expire $TMP_DIR/super-service-account.hcl
+vault write identity/entity name="proxy-super-service-account-non-expire" policies="super-service-account"
+canonicalId=$(vault read identity/entity/name/proxy-super-service-account-non-expire | grep -v _id | grep id | awk '{print $2}')
+vault write identity/entity-alias name="proxy-super-service-account-non-expire" mount_accessor=$serviceAccountMountAccessor canonical_id=$canonicalId metadata=name='proxy-super-service-account-non-expire'
+vault write identity/oidc/key/proxy-super-service-account-non-expire name=proxy-super-service-account-non-expire rotation_period=256000h verification_ttl=1752000h
+vault write identity/oidc/role/proxy-super-service-account-non-expire key=proxy-super-service-account-non-expire ttl=1314000h template=@$TMP_DIR/proxy-super-service-account-template.json
+proxyNonExpireSuperServiceAccountClientId=$(vault read identity/oidc/role/proxy-super-service-account-non-expire | grep client_id | awk '{print $2}')
+vault write identity/oidc/key/proxy-super-service-account-non-expire name=proxy-super-service-account-non-expire rotation_period=256000h verification_ttl=1752000h allowed_client_ids=$proxyNonExpireSuperServiceAccountClientId
+
 
 vault write auth/approle/role/$superApproleName policies=super-service-account
 proxyApproleName=proxy-admin
 vault write auth/approle/role/$proxyApproleName policies=service-account
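Review bot: The first added line writes a policy named `proxy-super-service-account-non-expire` from super-service-account.hcl, but the entity created on the next line is attached to `policies="super-service-account"`, so the new policy is never referenced by anything in the patch; either drop the `vault policy write`, or use `policies="proxy-super-service-account-non-expire"` so the proxy identity can later be narrowed independently of the super entity. The alias is created with `metadata=name='proxy-super-service-account-non-expire'` while the new template reads `metadata.role_name`; if `role_name` is expected to come from the login alias rather than this one, a one-line comment saying so would save the next reader the same question. Writing the key twice, once before the role exists and again with `allowed_client_ids`, matches the existing non-expire block above, as does the `grep -v _id | grep id` parsing of the entity id.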
@@ -148,11 +165,11 @@ echo "VAULT_PROXY_ROLE_ID: "$VAULT_PROXY_ROLE_ID
 echo "VAULT_PROXY_SECRET_ID: "$VAULT_PROXY_SECRET_ID
 echo "oidc info ====="
 echo "oidc client ids: serviceAccount,superServiceAccount,user,superUser,nonExpireSuperServiceAccount,nonExpireServiceAccount"
-echo $serviceAccountClientId,$superServiceAccountClientId,$userClientId,$superUserClientId,$nonExpireSuperServiceAccountClientId,$nonExpireServiceAccountClientId
+echo $serviceAccountClientId,$superServiceAccountClientId,$userClientId,$superUserClientId,$nonExpireSuperServiceAccountClientId,$proxyNonExpireSuperServiceAccountClientId,$nonExpireServiceAccountClientId
 echo "" > /tmp/pm_env
-echo "PULSAR_PREFIX_OIDCTokenAudienceID="$serviceAccountClientId,$superServiceAccountClientId,$userClientId,$superUserClientId,$nonExpireSuperServiceAccountClientId,$nonExpireServiceAccountClientId >> /tmp/pm_env
+echo "PULSAR_PREFIX_OIDCTokenAudienceID="$serviceAccountClientId,$superServiceAccountClientId,$userClientId,$superUserClientId,$nonExpireSuperServiceAccountClientId,$proxyNonExpireSuperServiceAccountClientId,$nonExpireServiceAccountClientId >> /tmp/pm_env
 echo "VAULT_HOST="$VAULT_ADDR >> /tmp/pm_env
 echo "VAULT_USERPASS_MOUNT_ACCESSOR="$VAULT_USERPASS_MOUNT_ACCESSOR >> /tmp/pm_env
 echo "VAULT_SUPER_USER_NAME="$VAULT_SUPER_USER_NAME >> /tmp/pm_env
@@ -177,7 +194,7 @@ if [[ -n "$CUSTOM_SUPER_TOKEN_PAYLOAD" && -n "$CUSTOM_NON_SUPER_TOKEN_PAYLOAD" ]
 --header "X-Vault-Token: $PROXY_VAULT_APPROLE_SUPER_TOKEN" \
 --request GET \
 --data $TMP_DIR/proxy-payload.json \
- $VAULT_ADDR/v1/identity/oidc/token/super-service-account-non-expire | jq -r ".data.token")
+ $VAULT_ADDR/v1/identity/oidc/token/proxy-super-service-account-non-expire | jq -r ".data.token")
 echo "PROXY_brokerClientAuthenticationParameters=$PROXY_brokerClientAuthenticationParameters" >> /tmp/pm_env
 echo "create secret for toolset token -> $TOOLSET_TOKEN_SECRET_NAME"
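Review bot: The label line `echo "oidc client ids: serviceAccount,superServiceAccount,user,superUser,nonExpireSuperServiceAccount,nonExpireServiceAccount"` was left with six names while the value line below it now prints seven client ids, so the printed columns no longer correspond; change it to `echo "oidc client ids: serviceAccount,superServiceAccount,user,superUser,nonExpireSuperServiceAccount,proxyNonExpireSuperServiceAccount,nonExpireServiceAccount"`. The two changed lines (the echo and `PULSAR_PREFIX_OIDCTokenAudienceID`) use the same ordering, so they stay consistent with each other.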
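Review bot: The token is now requested from `identity/oidc/token/proxy-super-service-account-non-expire`, but still with `$PROXY_VAULT_APPROLE_SUPER_TOKEN`; Vault issues identity tokens for the calling entity, so the proxy entity and alias created earlier in this patch only shape the claims if that token's login resolves to them — worth confirming, and worth a comment on this line naming which entity is expected to be the caller. The enclosing `if [[ -n "$CUSTOM_SUPER_TOKEN_PAYLOAD" && -n "$CUSTOM_NON_SUPER_TOKEN_PAYLOAD" ]]` begins outside the hunk and does not consider the new `CUSTOM_PROXY_SUPER_TOKEN_PAYLOAD`, so a deployment that sets only `proxySuperToken` presumably never reaches this request. `--request GET` combined with `--data` is pre-existing.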
diff --git a/charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml b/charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml
index c7359cc0..8a0fdb33 100644
--- a/charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml
+++ b/charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml
@@ -110,6 +110,8 @@ spec:
 value: {{ .Values.streamnative_console.configData.DEFAULT_NAME }}
 - name: INSTANCE_NAME
 value: {{ .Values.streamnative_console.configData.INSTANCE_NAME }}
+ - name: CLUSTER_NAME
+ value: {{ template "pulsar.fullname" . }}
 {{- if .Values.streamnative_console.configData.GLOBAL_RESOURCE_READ_ONLY }}
 - name: GLOBAL_RESOURCE_READ_ONLY
 value: "true"
diff --git a/charts/sn-platform/templates/vault/vault-initialize.yaml b/charts/sn-platform/templates/vault/vault-initialize.yaml
index c04d787c..02e6a2f6 100644
--- a/charts/sn-platform/templates/vault/vault-initialize.yaml
+++ b/charts/sn-platform/templates/vault/vault-initialize.yaml
@@ -85,6 +85,10 @@ spec:
 - name: CUSTOM_SUPER_TOKEN_PAYLOAD
 value: {{ .Values.vault.oidcToken.customPayload.superToken }}
 {{- end }}
+ {{- if and .Values.vault.oidcToken.customPayload.proxySuperToken }}
+ - name: CUSTOM_PROXY_SUPER_TOKEN_PAYLOAD
+ value: {{ .Values.vault.oidcToken.customPayload.proxySuperToken }}
+ {{- end }}
 {{- if and .Values.vault.oidcToken.customPayload.nonSuperToken }}
 - name: CUSTOM_NON_SUPER_TOKEN_PAYLOAD
 value: {{ .Values.vault.oidcToken.customPayload.nonSuperToken }}
diff --git a/charts/sn-platform/values.yaml b/charts/sn-platform/values.yaml
index 3fdb5839..6602ddbf 100644
--- a/charts/sn-platform/values.yaml
+++ b/charts/sn-platform/values.yaml
@@ -2395,6 +2395,8 @@ vault:
 ttl: 12h
 customPayload:
 superToken: ""
+ # \\\"roles\\\":[\\\"proxy-admin\\\"]
+ proxySuperToken: ""
 nonSuperToken: ""
 serviceType: "ClusterIP"
 tolerations: []
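Review bot: The comment `# \\\"roles\\\":[\\\"proxy-admin\\\"]` above `proxySuperToken` is an example with no statement of what the value is: per startup.sh in this patch it is a `|`-separated list of JSON members spliced verbatim into proxy-super-service-account-template.json, and the triple backslashes only work for that one escaping path (values → container env → `read` → `sed`). Suggest a description before the example, e.g. `# Extra claims for the proxy admin OIDC token: "|"-separated JSON members inserted verbatim into proxy-super-service-account-template.json; quotes must be escaped as in the example below`. The neighbouring `superToken` and `nonSuperToken` keys carry no comment at all and would benefit from the same wording.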