Add Support for AWS Dex Basic-Authentication (kubeflow#357)

vpavlin · Jul 10, 2020 · 74bba39 · 74bba39
1 parent f44e230
commit 74bba39
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 51 deletions.
diff --git a/pkg/kfapp/aws/aws.go b/pkg/kfapp/aws/aws.go
@@ -45,7 +45,6 @@ import (
 	"github.com/kubeflow/kfctl/v3/pkg/utils"
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
-	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientset "k8s.io/client-go/kubernetes"
 )
@@ -110,6 +109,7 @@ func GetPlatform(kfdef *kfconfig.KfConfig) (kftypes.Platform, error) {
 			path: path.Join(KUBEFLOW_MANIFEST_DIR, "istio-install", "base", "istio-noauth.yaml"),
 		},
 	}
+
 	ingressManifests := []manifest{
 		{
 			name: "ALB Ingress",
@@ -344,49 +344,24 @@ func (aws *Aws) generateInfraConfigs() error {
 	return nil
 }
 
-// Use username and password provided by user and create secret for basic auth.
-func (aws *Aws) createBasicAuthSecret(client *clientset.Clientset) error {
+func (aws *Aws) generateBasicAuthPasswordHash() (string, error) {
 	awsPluginSpec, err := aws.GetPluginSpec()
 	if err != nil {
-		return err
+		return "", err
 	}
 
-	if awsPluginSpec.Auth == nil || awsPluginSpec.Auth.BasicAuth == nil || awsPluginSpec.Auth.BasicAuth.Password.Name == "" {
-		err := errors.WithStack(fmt.Errorf("BasicAuth.Password.Name must be set"))
-		return err
+	if awsPluginSpec.Auth == nil || awsPluginSpec.Auth.BasicAuth == nil || awsPluginSpec.Auth.BasicAuth.Password == "" {
+		err := errors.WithStack(fmt.Errorf("BasicAuth.Password must be set if enabled BasicAuth"))
+		return "", err
 	}
 
-	password, err := aws.kfDef.GetSecret(awsPluginSpec.Auth.BasicAuth.Password.Name)
-	if err != nil {
-		log.Errorf("There was a problem getting the password for basic auth; error %v", err)
-		return err
-	}
-
-	encodedPassword, err := base64EncryptPassword(password)
+	encodedPassword, err := base64EncryptPassword(awsPluginSpec.Auth.BasicAuth.Password)
 	if err != nil {
 		log.Errorf("There was a problem encrypting the password; %v", err)
-		return err
+		return "", err
 	}
 
-	secret := &v1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      BASIC_AUTH_SECRET,
-			Namespace: aws.kfDef.Namespace,
-		},
-		Data: map[string][]byte{
-			"username":     []byte(awsPluginSpec.Auth.BasicAuth.Username),
-			"passwordhash": []byte(encodedPassword),
-		},
-	}
-	_, err = client.CoreV1().Secrets(aws.kfDef.Namespace).Update(secret)
-	if err != nil {
-		log.Warnf("Updating basic auth login failed, trying to create one: %v", err)
-		return createSecret(client, BASIC_AUTH_SECRET, aws.kfDef.Namespace, map[string][]byte{
-			"username":     []byte(awsPluginSpec.Auth.BasicAuth.Username),
-			"passwordhash": []byte(encodedPassword),
-		})
-	}
-	return nil
+	return encodedPassword, nil
 }
 
 func base64EncryptPassword(password string) (string, error) {
@@ -483,14 +458,16 @@ func (aws *Aws) Generate(resources kftypes.ResourceEnum) error {
 		return errors.WithStack(err)
 	}
 
-	// TODO: AWS doesn't enable BasicAuth yet.
-	if aws.kfDef.Spec.UseBasicAuth {
-		if err := aws.kfDef.SetApplicationParameter("istio", "clusterRbacConfig", "OFF"); err != nil {
+	if pluginSpec.Auth != nil && pluginSpec.Auth.BasicAuth != nil && pluginSpec.Auth.BasicAuth.Password != "" {
+		if err := aws.kfDef.SetApplicationParameter("dex", "static_email", pluginSpec.Auth.BasicAuth.Username); err != nil {
 			return errors.WithStack(err)
 		}
-
-		if pluginSpec.Auth.BasicAuth == nil {
-			return errors.WithStack(fmt.Errorf("AwsPluginSpec has no BasicAuth but UseBasicAuth set to true"))
+		if encodedPasswordHash, err := aws.generateBasicAuthPasswordHash(); err == nil {
+			if err := aws.kfDef.SetApplicationParameter("dex", "static_password_hash", encodedPasswordHash); err != nil {
+				return errors.WithStack(err)
+			}
+		} else {
+			return errors.WithStack(err)
 		}
 	} else {
 		if pluginSpec.Auth.Cognito != nil {

diff --git a/pkg/kfconfig/awsplugin/types.go b/pkg/kfconfig/awsplugin/types.go
@@ -1,7 +1,6 @@
 package awsplugin
 
 import (
-	"github.com/kubeflow/kfctl/v3/pkg/kfconfig"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -61,8 +60,8 @@ type Auth struct {
 }
 
 type BasicAuth struct {
-	Username string              `json:"username,omitempty"`
-	Password *kfconfig.SecretRef `json:"password,omitempty"`
+	Username string `json:"username,omitempty"`
+	Password string `json:"password,omitempty"`
 }
 
 type OIDC struct {
@@ -94,7 +93,7 @@ func (plugin *AwsPluginSpec) IsValid() (bool, string) {
 			msg += "BasicAuth requires username. "
 		}
 
-		if plugin.Auth.BasicAuth.Password == nil {
+		if plugin.Auth.BasicAuth.Password == "" {
 			isValid = false
 			msg += "BasicAuth requires password. "
 		}

diff --git a/pkg/kfconfig/awsplugin/zz_generated.deepcopy.go b/pkg/kfconfig/awsplugin/zz_generated.deepcopy.go