Bearer token

Each API expects bearer token to be present in the authorization header in the form ``` Authorization: Bearer <token> ``` Each request will: 1. Get token from authorization header 2. Validate the token by querying the ServerVersion 3. Get user from token At this point behavior is different from query to query: 1. queries to fetch SveltosClusters or CAPI Clusters will first verify if user has permissions to list cluster instances in all namespaces. If so data cached by the manager is returned. If not, walk all existing clusters and for each cluster validate whether user is allowed to get it. Return only clusters the user has permissions for. 2. queries to get helm charts/resources/profiles for a given cluster will first verify whether the user has permission to get that specific cluster. Only if permissions are in place, result will be returned.
projectsveltos · Oct 11, 2024 · 839f491 · 839f491
1 parent 180b633
commit 839f491
Show file tree

Hide file tree

Showing 7 changed files with 552 additions and 38 deletions.
diff --git a/README.md b/README.md
@@ -12,6 +12,12 @@ Please refere to sveltos [documentation](https://projectsveltos.github.io/svelto
 ## What this repository is
 This repo contains a service that exposes all APIs used by Sveltos frontend.
 
+### Authorization Header
+
+Using authorization header is the only way to contact backend as an user, when accessing it over HTTP.
+To use authorization header you simply need to pass `Authorization: Bearer <token>` in every request.
+To create sample user and to get its token, see [Creating sample user](#how-to-get-token) guide.
+
 ### Get ClusterAPI powered clusters
 
 ```/capiclusters```
@@ -108,7 +114,7 @@ This API supports pagination. Use:
 
 ### Get Helm Releases deployed in a cluster
 
-```/helmcharts?namespace=<namespace>&name=<cluster-name>&type=<cluster type>```
+```/helmcharts?user=<user>&namespace=<namespace>&name=<cluster-name>&type=<cluster type>```
 
 where cluster type can either be __capi__ for ClusterAPI powered clusters or __sveltos__ for SveltosClusters
 
@@ -171,7 +177,7 @@ returns
 ```
 ### Get Kubernetes Resources deployed in a cluster
 
-```/resources?namespace=<namespace>&name=<cluster-name>&type=<cluster type>```
+```/resources?user=<user>&namespace=<namespace>&name=<cluster-name>&type=<cluster type>```
 
 where cluster type can either be __capi__ for ClusterAPI powered clusters or __sveltos__ for SveltosClusters
 
@@ -216,7 +222,7 @@ returns
 
 ### Get Cluster Status 
 
-```/getClusterStatus?namespace=<namespace>&name=<cluster-name>&type=<cluster-type>```
+```/getClusterStatus?user=<user>&namespace=<namespace>&name=<cluster-name>&type=<cluster-type>```
 
 where cluster type can either be __capi__ for ClusterAPI powered clusters or __sveltos__ for SveltosClusters
 
@@ -260,6 +266,39 @@ returns
 }
 ```
 
+### How to get token
+
+First, create a service account in the desired namespace:
+
+```
+kubectl create sa <user> -n <namespace>
+```
+
+Give the service account permissions to access the Calico Enterprise Manager UI, and a Calico Enterprise cluster role:
+
+```
+kubectl create clusterrolebinding <binding_name> --clusterrole <role_name> --serviceaccount <namespace>:<service_account>
+```
+
+where:
+
+- **binding_name** is a descriptive name for the rolebinding.
+- **role_name** is one of the default cluster roles (or a custom cluster role) specifying permissions.
+- **namespace** is the service account's namespace.
+- **service_account** is the service account that the permissions are being associated with.
+
+Next, create a bearer token for the service account. Using the running example of a service account named, sveltos in the _default_ namespace:
+
+```
+kubectl create token sveltos --duration=24h
+```
+
+it should print somthing like
+
+```
+eyJhbGciOiJSUzI1NiIsImtpZCI6IkVsYW8zRU9BMWw3UTZ2QUpjNGFRLXljcTU4M1NhaXBZd1ZNWXJySkVtMTAifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzI4NzE3NjA0LCJpYXQiOjE3Mjg2MzEyMDQsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwianRpIjoiZmQ1OWU4OTctODZlNS00MDQ4LWEwZjAtMDMxYjM5MjVlYjQwIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJwbGF0Zm9ybSIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJtZ2lhbmx1YyIsInVpZCI6ImJjZWUwZDEwLWM2MTQtNDIzNi1iNmZmLTAyYWU2M2M1MjcxZiJ9fSwibmJmIjoxNzI4NjMxMjA0LCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6cGxhdGZvcm06bWdpYW5sdWMifQ.JlEN38Whyb4mlNsWkC4RAQ82dVUJmWvmdvar7VVxEw2SUgoQthQQPsV-l28bGYpuQspFlsdaO2JRdhm6MGctlMJziweHHm3PNv_RBnFMPRQ01y7ciaRZXE7HEB3sAndvBEQKNWyo4wmmyRnEE2tR79ICQRTLmuWO17MjRIZFChXMHsCsam5OsuE6mE1fj3RSUSbvfRbQwrsTcWOrnYxzquyNVyJyOKxQ97Nm175rez5x9EflHPwueYu5FmNgz3cxMsdkHwkrMnhMqMyNN8WBqKUrju-gPJ9GB-cOcrR_38JyeQBPXYTo9J0tueIWEyaiwKvmPqAsnyHKPT5p-7hFCQ
+```
+
 ## Contributing 
 
 ❤️ Your contributions are always welcome! If you want to contribute, have questions, noticed any bug or want to get the latest project news, you can connect with us in the following ways:

diff --git a/cmd/main.go b/cmd/main.go
@@ -71,6 +71,7 @@ var (
 	healthAddr           string
 	profilerAddress      string
 	httpPort             string
+	insecureSkipVerify   bool
 )
 
 const (
@@ -145,8 +146,8 @@ func main() {
 	go startClusterController(ctx, mgr, setupLog)
 	go startClusterSummaryController(mgr)
 
-	server.InitializeManagerInstance(ctx, mgr.GetClient(), scheme,
-		httpPort, ctrl.Log.WithName("gin"))
+	server.InitializeManagerInstance(ctx, mgr.GetConfig(), mgr.GetClient(), scheme,
+		httpPort, insecureSkipVerify, ctrl.Log.WithName("gin"))
 
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctx); err != nil {
@@ -173,6 +174,9 @@ func initFlags(fs *pflag.FlagSet) {
 	fs.IntVar(&concurrentReconciles, "concurrent-reconciles", defaultReconcilers,
 		"concurrent reconciles is the maximum number of concurrent Reconciles which can be run. Defaults to 10")
 
+	fs.BoolVar(&insecureSkipVerify, "insecure-skip-verify", false,
+		"controls whether a client verifies the server's certificate chain and host name")
+
 	const defautlRestConfigQPS = 20
 	fs.Float32Var(&restConfigQPS, "kube-api-qps", defautlRestConfigQPS,
 		fmt.Sprintf("Maximum queries per second from the controller client to the Kubernetes API server. Defaults to %d",

diff --git a/internal/controller/sveltoscluster_controller_test.go b/internal/controller/sveltoscluster_controller_test.go
@@ -67,7 +67,7 @@ var _ = Describe("SveltosClusterReconciler", func() {
 
 		ctx, cancel := context.WithCancel(context.Background())
 		defer cancel()
-		server.InitializeManagerInstance(ctx, c, scheme, httpPort, logger)
+		server.InitializeManagerInstance(ctx, nil, c, scheme, httpPort, false, logger)
 
 		reconciler := getSveltosClusterReconciler(c)
 
@@ -89,7 +89,8 @@ var _ = Describe("SveltosClusterReconciler", func() {
 		}
 
 		manager := server.GetManagerInstance()
-		clusters := manager.GetManagedSveltosClusters()
+		clusters, err := manager.GetManagedSveltosClusters(context.TODO(), true, randomString())
+		Expect(err).To(BeNil())
 		_, ok := clusters[*cluster]
 		Expect(ok).To(BeTrue())
 
@@ -101,7 +102,8 @@ var _ = Describe("SveltosClusterReconciler", func() {
 		})
 		Expect(err).ToNot(HaveOccurred())
 
-		clusters = manager.GetManagedSveltosClusters()
+		clusters, err = manager.GetManagedSveltosClusters(context.TODO(), true, randomString())
+		Expect(err).To(BeNil())
 		_, ok = clusters[*cluster]
 		Expect(ok).To(BeFalse())