storage/kubernetes: add CRD support

This commit is contained in:
rithu john 2017-09-13 13:38:10 -07:00
parent 146481375e
commit 1311caf864
5 changed files with 113 additions and 91 deletions

View file

@ -4,13 +4,68 @@ Dex requires persisting state to perform various tasks such as track refresh tok
Storage breaches are serious as they can affect applications that rely on dex. Dex saves sensitive data in its backing storage, including signing keys and bcrypt'd passwords. As such, transport security and database ACLs should both be used, no matter which storage option is chosen.
## Kubernetes third party resources
## Kubernetes custom resource definitions (CRDs)
__NOTE:__ Dex requires Kubernetes version 1.4+.
__NOTE:__ CRDs are only supported by Kubernetes version 1.7+.
Kubernetes third party resources are a way for applications to create new resources types in the Kubernetes API. This allows dex to run on top of an existing Kubernetes cluster without the need for an external database. While this storage may not be appropriate for a large number of users, it's extremely effective for many Kubernetes use cases.
Kubernetes [custom resource definitions](crd) are a way for applications to create new resources types in the Kubernetes API. The Custom Resource Definition (CRD) API object was introduced in Kubernetes version 1.7 to replace the Third Party Resource (TPR) extension. CRDs allows dex to run on top of an existing Kubernetes cluster without the need for an external database. While this storage may not be appropriate for a large number of users, it's extremely effective for many Kubernetes use cases.
The rest of this section will explore internal details of how dex uses `ThirdPartyResources`. __Admins should not interact with these resources directly__, except when debugging. These resources are only designed to store state and aren't meant to be consumed by humans. For modifying dex's state dynamically see the [API documentation](api.md).
The rest of this section will explore internal details of how dex uses CRDs. __Admins should not interact with these resources directly__, except while debugging. These resources are only designed to store state and aren't meant to be consumed by end users. For modifying dex's state dynamically see the [API documentation](api.md).
The following is an example of the AuthCode resource managed by dex:
```
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
creationTimestamp: 2017-09-13T19:56:28Z
name: authcodes.dex.coreos.com
resourceVersion: "288893"
selfLink: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/authcodes.dex.coreos.com
uid: a1cb72dc-98bd-11e7-8f6a-02d13336a01e
spec:
group: dex.coreos.com
names:
kind: AuthCode
listKind: AuthCodeList
plural: authcodes
singular: authcode
scope: Namespaced
version: v1
status:
acceptedNames:
kind: AuthCode
listKind: AuthCodeList
plural: authcodes
singular: authcode
conditions:
- lastTransitionTime: null
message: no conflicts found
reason: NoConflicts
status: "True"
type: NamesAccepted
- lastTransitionTime: 2017-09-13T19:56:28Z
message: the initial names have been accepted
reason: InitialNamesAccepted
status: "True"
type: Established
```
Once the `CustomResourceDefinition` is created, custom resources can be created and stored at a namespace level. The CRD type and the custom resources can be queried, deleted, and edited like any other resource using `kubectl`.
## Kubernetes third party resources(TPRs)
__NOTE:__ TPRs will be deprecated by Kubernetes version 1.8.
The default behavior of dex from release v2.7.0 onwards is to utitlize CRDs to manage its custom resources. If users would like to use dex with a Kubernetes version lower than 1.7, they will have to force dex to use TPRs instead of CRDs by setting the `UseTPR` flag in the storage configuration as shown below:
```
storage:
type: kubernetes
config:
kubeConfigFile: kubeconfig
useTPR: true
```
The `ThirdPartyResource` type acts as a description for the new resource a user wishes to create. The following an example of a resource managed by dex:
@ -166,3 +221,4 @@ Any proposal to add a new implementation must address the following:
[issues-transaction-tests]: https://github.com/coreos/dex/issues/600
[k8s-api]: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/api-conventions.md#concurrency-control-and-consistency
[psql-conn-options]: https://godoc.org/github.com/lib/pq#hdr-Connection_String_Parameters
[crd]: https://kubernetes.io/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/

View file

@ -249,7 +249,7 @@ func (c *client) put(resource, name string, v interface{}) error {
return checkHTTPErr(resp, http.StatusOK)
}
func newClient(cluster k8sapi.Cluster, user k8sapi.AuthInfo, namespace string, logger logrus.FieldLogger, apiVersion string) (*client, error) {
func newClient(cluster k8sapi.Cluster, user k8sapi.AuthInfo, namespace string, logger logrus.FieldLogger, useTPR bool) (*client, error) {
tlsConfig := cryptopasta.DefaultTLSConfig()
data := func(b string, file string) ([]byte, error) {
if b != "" {
@ -325,13 +325,13 @@ func newClient(cluster k8sapi.Cluster, user k8sapi.AuthInfo, namespace string, l
}
}
// if the apiVersion is not configured default to `oidc.coreos.com/v1`
if apiVersion == "" {
// the API Group and version differ depending on if CRDs or TPRs are used.
apiVersion := "dex.coreos.com/v1"
if useTPR {
apiVersion = "oidc.coreos.com/v1"
}
logger.Infof("kubernetes client apiVersion = %s", apiVersion)
// TODO(ericchiang): make API Group and version configurable.
return &client{
client: &http.Client{Transport: t},
baseURL: cluster.Server,

View file

@ -47,10 +47,13 @@ type CustomResourceDefinitionNames struct {
type ResourceScope string
const (
ClusterScoped ResourceScope = "Cluster"
// ClusterScoped is the `cluster` scope for a custom resource.
ClusterScoped ResourceScope = "Cluster"
// NamespaceScoped is the `namespaced` scope for a custom resource.
NamespaceScoped ResourceScope = "Namespaced"
)
// ConditionStatus reflects if a resource
type ConditionStatus string
// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.

View file

@ -38,8 +38,7 @@ const (
type Config struct {
InCluster bool `json:"inCluster"`
KubeConfigFile string `json:"kubeConfigFile"`
APIVersion string `json:"apiVersion"` // API Group and version
UseCRD bool `json:"useCRD"` // Flag option to use CRDs instead of TPRs
UseTPR bool `json:"useTPR"` // Flag option to use TPRs instead of CRDs
}
// Open returns a storage using Kubernetes third party resource.
@ -79,57 +78,26 @@ func (c *Config) open(logger logrus.FieldLogger, errOnResources bool) (*client,
return nil, err
}
cli, err := newClient(cluster, user, namespace, logger, c.APIVersion)
cli, err := newClient(cluster, user, namespace, logger, c.UseTPR)
if err != nil {
return nil, fmt.Errorf("create client: %v", err)
}
ctx, cancel := context.WithCancel(context.Background())
if c.UseCRD {
if !cli.createCustomResourceDefinitions() {
if errOnResources {
cancel()
return nil, fmt.Errorf("failed creating custom resource definitions")
}
}
// Try to synchronously create the custom resource definitions once. This doesn't mean
// they'll immediately be available, but ensures that the client will actually try
// once.
logger.Errorf("failed creating custom resource definitions: %v", err)
go func() {
for {
if cli.createCustomResourceDefinitions() {
return
}
select {
case <-ctx.Done():
return
case <-time.After(30 * time.Second):
}
}
}()
// If the client is closed, stop trying to create third party resources.
cli.cancel = cancel
return cli, nil
}
if !cli.createThirdPartyResources() {
if !cli.registerCustomResources(c.UseTPR) {
if errOnResources {
cancel()
return nil, fmt.Errorf("failed creating third party resources")
return nil, fmt.Errorf("failed creating custom resources")
}
// Try to synchronously create the third party resources once. This doesn't mean
// Try to synchronously create the custom resources once. This doesn't mean
// they'll immediately be available, but ensures that the client will actually try
// once.
logger.Errorf("failed creating third party resources: %v", err)
logger.Errorf("failed creating custom resources: %v", err)
go func() {
for {
if cli.createThirdPartyResources() {
if cli.registerCustomResources(c.UseTPR) {
return
}
@ -142,64 +110,56 @@ func (c *Config) open(logger logrus.FieldLogger, errOnResources bool) (*client,
}()
}
// If the client is closed, stop trying to create third party resources.
// If the client is closed, stop trying to create resources.
cli.cancel = cancel
return cli, nil
}
// createThirdPartyResources attempts to create the third party resources dex
// requires or identifies that they're already enabled. It logs all errors,
// returning true if the third party resources were created successfully.
// registerCustomResources attempts to create the custom resources dex
// requires or identifies that they're already enabled. This function creates
// third party resources(TPRs) or custom resource definitions(CRDs) depending
// on the `useTPR` flag passed in as an argument.
// It logs all errors, returning true if the resources were created successfully.
//
// Creating a third party resource does not mean that they'll be immediately available.
// Creating a custom resource does not mean that they'll be immediately available.
//
// TODO(ericchiang): Provide an option to wait for the third party resources
// to actually be available.
func (cli *client) createThirdPartyResources() (ok bool) {
// TODO(ericchiang): Provide an option to wait for the resources to actually
// be available.
func (cli *client) registerCustomResources(useTPR bool) (ok bool) {
ok = true
for _, r := range thirdPartyResources {
err := cli.postResource("extensions/v1beta1", "", "thirdpartyresources", r)
if err != nil {
switch err {
case storage.ErrAlreadyExists:
cli.logger.Infof("third party resource already created %s", r.ObjectMeta.Name)
case storage.ErrNotFound:
cli.logger.Errorf("third party resources not found, please enable API group extensions/v1beta1")
ok = false
default:
cli.logger.Errorf("creating third party resource %s: %v", r.ObjectMeta.Name, err)
ok = false
}
continue
}
cli.logger.Errorf("create third party resource %s", r.ObjectMeta.Name)
length := len(customResourceDefinitions)
if useTPR {
length = len(thirdPartyResources)
}
return ok
}
// createCustomResourceDefinitions attempts to create the custom resource definitions(CRDs)
// required by dex. If the CRDs exist, this information is logged. It logs all errors,
// returning true if the CRDs were created successfully.
//
// TODO: Provide an option to wait for the CRDs to actually be available.
func (cli *client) createCustomResourceDefinitions() (ok bool) {
ok = true
for _, r := range customResourceDefinitions {
err := cli.postResource("apiextensions.k8s.io/v1beta1", "", "customresourcedefinition", r)
for i := 0; i < length; i++ {
var err error
var resourceName string
if useTPR {
r := thirdPartyResources[i]
err = cli.postResource("extensions/v1beta1", "", "thirdpartyresources", r)
resourceName = r.ObjectMeta.Name
} else {
r := customResourceDefinitions[i]
err = cli.postResource("apiextensions.k8s.io/v1beta1", "", "customresourcedefinitions", r)
resourceName = r.ObjectMeta.Name
}
if err != nil {
switch err {
case storage.ErrAlreadyExists:
cli.logger.Infof("custom resource definition already created %s", r.ObjectMeta.Name)
cli.logger.Infof("custom resource already created %s", resourceName)
case storage.ErrNotFound:
cli.logger.Errorf("custom resource definition not found, please enable API group apiextensions.k8s.io/v1beta1")
cli.logger.Errorf("custom resources not found, please enable the respective API group")
ok = false
default:
cli.logger.Errorf("creating custom resource definition %s: %v", r.ObjectMeta.Name, err)
cli.logger.Errorf("creating custom resource %s: %v", resourceName, err)
ok = false
}
continue
}
cli.logger.Errorf("create custom resource definition %s", r.ObjectMeta.Name)
cli.logger.Errorf("create custom resource %s", resourceName)
}
return ok
}

View file

@ -119,8 +119,8 @@ var customResourceDefinitions = []k8sapi.CustomResourceDefinition{
Version: "v1",
Names: k8sapi.CustomResourceDefinitionNames{
Plural: "authrequests",
Singular: "authcodrequest",
Kind: "AuthRequests",
Singular: "authrequest",
Kind: "AuthRequest",
},
},
},
@ -135,7 +135,7 @@ var customResourceDefinitions = []k8sapi.CustomResourceDefinition{
Names: k8sapi.CustomResourceDefinitionNames{
Plural: "oauth2clients",
Singular: "oauth2client",
Kind: "Oauth2Client",
Kind: "OAuth2Client",
},
},
},
@ -148,6 +148,9 @@ var customResourceDefinitions = []k8sapi.CustomResourceDefinition{
Group: apiGroup,
Version: "v1",
Names: k8sapi.CustomResourceDefinitionNames{
// `signingkeies` is an artifact from the old TPR pluralization.
// Users don't directly interact with this value, hence leaving it
// as is.
Plural: "signingkeies",
Singular: "signingkey",
Kind: "SigningKey",
@ -195,7 +198,7 @@ var customResourceDefinitions = []k8sapi.CustomResourceDefinition{
Names: k8sapi.CustomResourceDefinitionNames{
Plural: "offlinesessionses",
Singular: "offlinesessions",
Kind: "OfflineSessions",
Kind: "OfflineSession",
},
},
},