Support custom proxy-admin role (#1169)

* Support custom define proxy-admin role * Fixed vault * Add cluster name to env (cherry picked from commit 6d061d5)
streamnative · Jun 13, 2024 · 9910bda · 9910bda
1 parent 0e54a20
commit 9910bda
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 3 deletions.
diff --git a/...form/conf/vault/init_vault_streamnative_console/proxy-super-service-account-template.json b/...form/conf/vault/init_vault_streamnative_console/proxy-super-service-account-template.json
@@ -0,0 +1,5 @@
+{
+    "rolename": {{identity.entity.aliases.MOUNT_ACCESSOR.metadata.role_name}},
+    "id": {{identity.entity.aliases.MOUNT_ACCESSOR.id}},
+    "type": "service-account"
+}
diff --git a/charts/sn-platform/conf/vault/init_vault_streamnative_console/startup.sh b/charts/sn-platform/conf/vault/init_vault_streamnative_console/startup.sh
@@ -49,6 +49,12 @@ if [ -n "$CUSTOM_SUPER_TOKEN_PAYLOAD" ]; then
     done
 fi
 
+if [ -n "$CUSTOM_PROXY_SUPER_TOKEN_PAYLOAD" ]; then
+    echo "$CUSTOM_PROXY_SUPER_TOKEN_PAYLOAD" | tr '|' '\n' | while read item; do
+        sed -i "2a  ${item}," $BASEDIR/../tmp/proxy-super-service-account-template.json;
+    done
+fi
+
 if [ -n "$CUSTOM_NON_SUPER_TOKEN_PAYLOAD" ]; then
     echo "$CUSTOM_NON_SUPER_TOKEN_PAYLOAD" | tr '|' '\n' | while read item; do
         sed -i "2a  ${item}," $BASEDIR/../tmp/service-account-template.json;
@@ -64,6 +70,8 @@ sed "s#MOUNT_ACCESSOR#$serviceAccountMountAccessor#g" $BASEDIR/../tmp/service-ac
 sed "s#MOUNT_ACCESSOR#$serviceAccountMountAccessor#g" $BASEDIR/../tmp/service-account.hcl > $TMP_DIR/service-account.hcl
 sed "s#MOUNT_ACCESSOR#$serviceAccountMountAccessor#g" $BASEDIR/../tmp/super-service-account.hcl > $TMP_DIR/super-service-account.hcl
 sed "s#MOUNT_ACCESSOR#$serviceAccountMountAccessor#g" $BASEDIR/../tmp/super-service-account-template.json > $TMP_DIR/super-service-account-template.json
+sed "s#MOUNT_ACCESSOR#$serviceAccountMountAccessor#g" $BASEDIR/../tmp/proxy-super-service-account-template.json > $TMP_DIR/proxy-super-service-account-template.json
+
 
 vault policy write service-account $TMP_DIR/service-account.hcl
 vault write identity/entity name="service-account" policies="service-account"
@@ -103,6 +111,15 @@ vault write identity/oidc/role/super-service-account-non-expire key=super-servic
 nonExpireSuperServiceAccountClientId=$(vault read identity/oidc/role/super-service-account-non-expire | grep client_id |  awk '{print $2}')
 vault write identity/oidc/key/super-service-account-non-expire name=super-service-account-non-expire rotation_period=256000h verification_ttl=1752000h allowed_client_ids=$nonExpireSuperServiceAccountClientId
 
+vault policy write proxy-super-service-account-non-expire $TMP_DIR/super-service-account.hcl
+vault write identity/entity name="proxy-super-service-account-non-expire" policies="super-service-account"
+canonicalId=$(vault read identity/entity/name/proxy-super-service-account-non-expire | grep -v _id | grep id | awk '{print $2}')
+vault write identity/entity-alias name="proxy-super-service-account-non-expire"  mount_accessor=$serviceAccountMountAccessor canonical_id=$canonicalId metadata=name='proxy-super-service-account-non-expire'
+vault write identity/oidc/key/proxy-super-service-account-non-expire name=proxy-super-service-account-non-expire rotation_period=256000h verification_ttl=1752000h
+vault write identity/oidc/role/proxy-super-service-account-non-expire key=proxy-super-service-account-non-expire ttl=1314000h template=@$TMP_DIR/proxy-super-service-account-template.json
+proxyNonExpireSuperServiceAccountClientId=$(vault read identity/oidc/role/proxy-super-service-account-non-expire | grep client_id |  awk '{print $2}')
+vault write identity/oidc/key/proxy-super-service-account-non-expire name=proxy-super-service-account-non-expire rotation_period=256000h verification_ttl=1752000h allowed_client_ids=$proxyNonExpireSuperServiceAccountClientId
+
 vault write auth/approle/role/$superApproleName policies=super-service-account
 proxyApproleName=proxy-admin
 vault write auth/approle/role/$proxyApproleName policies=service-account
@@ -158,11 +175,11 @@ echo "VAULT_PROXY_ROLE_ID: "$VAULT_PROXY_ROLE_ID
 echo "VAULT_PROXY_SECRET_ID: "$VAULT_PROXY_SECRET_ID
 echo "oidc info ====="
 echo "oidc client ids: serviceAccount,superServiceAccount,user,superUser,nonExpireSuperServiceAccount,nonExpireServiceAccount"
-echo $serviceAccountClientId,$superServiceAccountClientId,$userClientId,$superUserClientId,$nonExpireSuperServiceAccountClientId,$nonExpireServiceAccountClientId
+echo $serviceAccountClientId,$superServiceAccountClientId,$userClientId,$superUserClientId,$nonExpireSuperServiceAccountClientId,$proxyNonExpireSuperServiceAccountClientId,$nonExpireServiceAccountClientId
 
 
 echo "" > /tmp/pm_env
-echo "PULSAR_PREFIX_OIDCTokenAudienceID="$serviceAccountClientId,$superServiceAccountClientId,$userClientId,$superUserClientId,$nonExpireSuperServiceAccountClientId,$nonExpireServiceAccountClientId >> /tmp/pm_env
+echo "PULSAR_PREFIX_OIDCTokenAudienceID="$serviceAccountClientId,$superServiceAccountClientId,$userClientId,$superUserClientId,$nonExpireSuperServiceAccountClientId,$proxyNonExpireSuperServiceAccountClientId,$nonExpireServiceAccountClientId >> /tmp/pm_env
 echo "VAULT_HOST="$VAULT_ADDR >> /tmp/pm_env
 echo "VAULT_USERPASS_MOUNT_ACCESSOR="$VAULT_USERPASS_MOUNT_ACCESSOR >> /tmp/pm_env
 echo "VAULT_SUPER_USER_NAME="$VAULT_SUPER_USER_NAME >> /tmp/pm_env
@@ -187,7 +204,7 @@ if [[ -n "$CUSTOM_SUPER_TOKEN_PAYLOAD" && -n "$CUSTOM_NON_SUPER_TOKEN_PAYLOAD" ]
         --header "X-Vault-Token: $PROXY_VAULT_APPROLE_SUPER_TOKEN" \
         --request GET \
         --data $TMP_DIR/proxy-payload.json \
-        $VAULT_ADDR/v1/identity/oidc/token/super-service-account-non-expire | jq -r ".data.token")
+        $VAULT_ADDR/v1/identity/oidc/token/proxy-super-service-account-non-expire | jq -r ".data.token")
     echo "PROXY_brokerClientAuthenticationParameters=$PROXY_brokerClientAuthenticationParameters" >> /tmp/pm_env
 
     echo "create secret for toolset token -> $TOOLSET_TOKEN_SECRET_NAME"

diff --git a/charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml b/charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml
@@ -125,6 +125,8 @@ spec:
             value: {{ .Values.streamnative_console.configData.DEFAULT_NAME }}
           - name: INSTANCE_NAME
             value: {{ .Values.streamnative_console.configData.INSTANCE_NAME }}
+          - name: CLUSTER_NAME
+            value: {{ template "pulsar.fullname" . }}
           {{- if .Values.streamnative_console.configData.GLOBAL_RESOURCE_READ_ONLY }}
           - name: GLOBAL_RESOURCE_READ_ONLY
             value: "true"

diff --git a/charts/sn-platform/templates/vault/vault-initialize.yaml b/charts/sn-platform/templates/vault/vault-initialize.yaml
@@ -100,6 +100,10 @@ spec:
         - name: CUSTOM_SUPER_TOKEN_PAYLOAD
           value: {{ .Values.vault.oidcToken.customPayload.superToken }}
         {{- end }}
+        {{- if and .Values.vault.oidcToken.customPayload.proxySuperToken }}
+        - name: CUSTOM_PROXY_SUPER_TOKEN_PAYLOAD
+          value: {{ .Values.vault.oidcToken.customPayload.proxySuperToken }}
+        {{- end }}
         {{- if and .Values.vault.oidcToken.customPayload.nonSuperToken }}
         - name: CUSTOM_NON_SUPER_TOKEN_PAYLOAD
           value: {{ .Values.vault.oidcToken.customPayload.nonSuperToken }}

diff --git a/charts/sn-platform/values.yaml b/charts/sn-platform/values.yaml
@@ -2410,6 +2410,8 @@ vault:
     ttl: 12h
     customPayload:
       superToken: ""
+      # \\\"roles\\\":[\\\"proxy-admin\\\"]
+      proxySuperToken: ""
       nonSuperToken: ""
   serviceType: "ClusterIP"
   tolerations: []