Inject KeyCloak JWT service token when enabled

- When configured to inject service account tokens into the build, pass a build arg to the Docker build as SERVICE_TOKEN=<JWT>. This allows builds to contact additional services in the cluster using a specific service account identity. The value is consumed by adding to the Dockerfile: ARG SERVICE_TOKEN
dominodatalab · Jun 22, 2023 · 344b48e · 344b48e
1 parent 3e69c34
commit 344b48e
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/go.mod b/go.mod
@@ -45,6 +45,7 @@ require (
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0
+	github.com/Nerzal/gocloak/v13 v13.7.0
 	github.com/dominodatalab/amqp-client v0.1.3
 	github.com/dominodatalab/controller-util v0.0.2
 	github.com/hashicorp/go-retryablehttp v0.7.1
@@ -70,7 +71,6 @@ require (
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/Nerzal/gocloak/v13 v13.7.0 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.12.0 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.4 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.32 // indirect

diff --git a/pkg/api/hephaestus/v1/types.go b/pkg/api/hephaestus/v1/types.go
@@ -26,6 +26,8 @@ const (
 	PhaseFailed Phase = "Failed"
 )
 
+const ServiceTokenArgName = "SERVICE_TOKEN"
+
 type BasicAuthCredentials struct {
 	Username string `json:"username,omitempty"`
 	Password string `json:"password,omitempty"`

diff --git a/pkg/controller/imagebuild/component/builddispatcher.go b/pkg/controller/imagebuild/component/builddispatcher.go
@@ -7,7 +7,7 @@ import (
 	"sync"
 	"time"
 
-	_ "github.com/Nerzal/gocloak/v13" // temporary to prevent removal
+	"github.com/Nerzal/gocloak/v13"
 	"github.com/dominodatalab/controller-util/core"
 	"github.com/go-logr/logr"
 	"github.com/newrelic/go-agent/v3/newrelic"
@@ -185,6 +185,19 @@ func (c *BuildDispatcherComponent) Reconcile(ctx *core.Context) (ctrl.Result, er
 	}
 	clientInitSeg.End()
 
+	// TODO: Also inspect CR to determine if JWT injection is allowed
+	if c.keycloakCfg.Enabled {
+		kc := gocloak.NewClient(c.keycloakCfg.Server)
+		jwt, err := kc.LoginClient(buildCtx, c.keycloakCfg.ClientID, c.keycloakCfg.ClientSecret, c.keycloakCfg.Realm)
+		if err != nil {
+			log.Error(err, fmt.Sprintf(
+				"Failed to acquire [%s] Keycloak creds at [%s]", c.keycloakCfg.ClientID, c.keycloakCfg.Server))
+		} else {
+			obj.Spec.BuildArgs = append(obj.Spec.BuildArgs, fmt.Sprintf("%s=%s", hephv1.ServiceTokenArgName, jwt.AccessToken))
+			log.Info(fmt.Sprintf("Injected %s token as build-arg %s", c.keycloakCfg.ClientID, hephv1.ServiceTokenArgName))
+		}
+	}
+
 	buildOpts := buildkit.BuildOptions{
 		Context:                  obj.Spec.Context,
 		Images:                   obj.Spec.Images,