From 344b48e6231b47a8ed14a3a69a7c89fddfd1c08e Mon Sep 17 00:00:00 2001
From: ddl-ebrown
Date: Tue, 13 Jun 2023 13:34:40 -0700
Subject: [PATCH] Inject KeyCloak JWT service token when enabled

- When configured to inject service account tokens into the build, pass a build arg to the Docker build as SERVICE_TOKEN=. This allows builds to contact additional services in the cluster using a specific service account identity. The value is consumed by adding to the Dockerfile: ARG SERVICE_TOKEN
---
 go.mod | 2 +-
 pkg/api/hephaestus/v1/types.go | 2 ++
 .../imagebuild/component/builddispatcher.go | 15 ++++++++++++++-
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index b16a7e79..cba935a2 100644
--- a/go.mod
+++ b/go.mod
@@ -45,6 +45,7 @@ require (
 require (
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0
+ github.com/Nerzal/gocloak/v13 v13.7.0
 github.com/dominodatalab/amqp-client v0.1.3
 github.com/dominodatalab/controller-util v0.0.2
 github.com/hashicorp/go-retryablehttp v0.7.1
@@ -70,7 +71,6 @@ require (
 github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
 github.com/Microsoft/go-winio v0.5.2 // indirect
- github.com/Nerzal/gocloak/v13 v13.7.0 // indirect
 github.com/aws/aws-sdk-go-v2/credentials v1.12.0 // indirect
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.4 // indirect
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.32 // indirect
diff --git a/pkg/api/hephaestus/v1/types.go b/pkg/api/hephaestus/v1/types.go
index 456b0592..8455bb7a 100644
--- a/pkg/api/hephaestus/v1/types.go
+++ b/pkg/api/hephaestus/v1/types.go
@@ -26,6 +26,8 @@ const (
 PhaseFailed Phase = "Failed"
 )
 
+const ServiceTokenArgName = "SERVICE_TOKEN"
+
 type BasicAuthCredentials struct {
 Username string `json:"username,omitempty"`
 Password string `json:"password,omitempty"`
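Review bot: `ServiceTokenArgName` in the types.go hunk is a new exported constant with no doc comment, and because it names the key under which a credential is handed to builds, the comment should say what the value is and that it must be handled as a secret. Suggested: `// ServiceTokenArgName is the build-arg name (consumed via ARG SERVICE_TOKEN in a Dockerfile) under which a Keycloak access token is passed to a build when token injection is enabled; the value is a bearer credential and must not be logged or baked into image metadata.` The surrounding `const` block and `BasicAuthCredentials` type are untouched by this change.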
diff --git a/pkg/controller/imagebuild/component/builddispatcher.go b/pkg/controller/imagebuild/component/builddispatcher.go
index a746c327..74692b40 100644
--- a/pkg/controller/imagebuild/component/builddispatcher.go
+++ b/pkg/controller/imagebuild/component/builddispatcher.go
@@ -7,7 +7,7 @@ import (
 "sync"
 "time"
 
- _ "github.com/Nerzal/gocloak/v13" // temporary to prevent removal
+ "github.com/Nerzal/gocloak/v13"
 "github.com/dominodatalab/controller-util/core"
 "github.com/go-logr/logr"
 "github.com/newrelic/go-agent/v3/newrelic"
@@ -185,6 +185,19 @@ func (c *BuildDispatcherComponent) Reconcile(ctx *core.Context) (ctrl.Result, er
 }
 clientInitSeg.End()
 
+ // TODO: Also inspect CR to determine if JWT injection is allowed
+ if c.keycloakCfg.Enabled {
+ kc := gocloak.NewClient(c.keycloakCfg.Server)
+ jwt, err := kc.LoginClient(buildCtx, c.keycloakCfg.ClientID, c.keycloakCfg.ClientSecret, c.keycloakCfg.Realm)
+ if err != nil {
+ log.Error(err, fmt.Sprintf(
+ "Failed to acquire [%s] Keycloak creds at [%s]", c.keycloakCfg.ClientID, c.keycloakCfg.Server))
+ } else {
+ obj.Spec.BuildArgs = append(obj.Spec.BuildArgs, fmt.Sprintf("%s=%s", hephv1.ServiceTokenArgName, jwt.AccessToken))
+ log.Info(fmt.Sprintf("Injected %s token as build-arg %s", c.keycloakCfg.ClientID, hephv1.ServiceTokenArgName))
+ }
+ }
+
 buildOpts := buildkit.BuildOptions{
 Context: obj.Spec.Context,
 Images: obj.Spec.Images,
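Review bot: The access token is passed as a plain build arg (`obj.Spec.BuildArgs = append(... jwt.AccessToken)`), and Docker/BuildKit records ARG values consumed by a build stage in the resulting image's history and layer metadata, so the service-account credential will ship inside every pushed image and is readable by anyone who can pull it. If the `buildkit.BuildOptions` struct built just below supports BuildKit secrets, the token should be supplied that way (consumed with `RUN --mount=type=secret,id=service_token`) rather than through `ARG`; I cannot see the struct's fields from this hunk, so confirm before relying on it. Independently, the append mutates the ImageBuild CR in memory, so if `obj` is written back to the API server anywhere in `Reconcile` the bearer token lands in etcd and in every client that watches the resource; appending to a local copy, `buildArgs := append(slices.Clone(obj.Spec.BuildArgs), ...)`, and passing that into `buildOpts` avoids it. The TODO is worth keeping visible: as written, any ImageBuild the controller accepts obtains a token for the controller's own Keycloak client, so CR-level authorization is the missing check. `Reconcile` starts and ends outside this hunk.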