Support for JWT Authorization and token refresh

Signed-off-by: Kevin Conner <kev.conner@getupcloud.com>

.github/workflows/docker.yaml

@@ -22,6 +22,8 @@ jobs:
             image: operator
           - dockerfile: cmd/worker/Dockerfile
             image: worker
+          - dockerfile: cmd/refreshtoken/Dockerfile
+            image: refreshtoken
     steps:
       - name: checkout
         uses: actions/checkout@v4

Makefile

@@ -1,6 +1,7 @@
 # Image URL to use all building/pushing image targets
 IMG ?= operator:latest
 WORKER_IMG ?= worker:latest
+TOKENREFRESH_IMG ?= tokenrefresh:latest
 
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.29.3
@@ -97,9 +98,10 @@ lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
 ##@ Build
 
 .PHONY: build
-build: manifests generate fmt vet ## Build manager and worker binaries.
+build: manifests generate fmt vet ## Build manager, worker and tokenrefresh binaries.
 	go build -o bin/manager cmd/main.go
 	go build -o bin/worker cmd/worker/main.go
+	go build -o bin/tokenrefresh cmd/tokenrefresh/main.go
 
 .PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.
@@ -116,6 +118,10 @@ docker-build: test ## Build docker image with the manager.
 docker-build-worker: test ## Build docker image with worker.
 	$(CONTAINER_TOOL) build -t ${WORKER_IMG} -f cmd/worker/Dockerfile .
 
+.PHONY: docker-build-tokenrefresh
+docker-build-tokenrefresh: test ## Build docker image with tokenrefresh.
+	$(CONTAINER_TOOL) build -t ${TOKENREFRESH_IMG} -f cmd/tokenrefresh/Dockerfile .
+
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
 	$(CONTAINER_TOOL) push ${IMG}
@@ -124,6 +130,10 @@ docker-push: ## Push docker image with the manager.
 docker-push-worker: ## Push docker image with worker.
 	$(CONTAINER_TOOL) push ${WORKER_IMG}
 
+.PHONY: docker-push-tokenrefresh
+docker-push-tokenrefresh: ## Push docker image with tokenrefresh.
+	$(CONTAINER_TOOL) push ${TOKENREFRESH_IMG}
+
 # PLATFORMS defines the target platforms for  the manager image be build to provide support to multiple
 # architectures. (i.e. make docker-buildx IMG=myregistry/myoperator:0.0.1). To use this option you need to:
 # - able to use docker buildx . More info: https://docs.docker.com/build/buildx/
@@ -191,9 +201,10 @@ kind-create-cluster: kind ## Create a local Kubernetes cluster with Kind
 	$(KIND) create cluster --name $(CLUSTER_NAME)
 
 .PHONY: kind-load-images
-kind-load-images: kind docker-build docker-build-worker ## Build and load docker images into Kind nodes
-	$(KIND) load docker-image ${IMG}
-	$(KIND) load docker-image ${WORKER_IMG}
+kind-load-images: kind docker-build docker-build-worker docker-build-tokenrefresh ## Build and load docker images into Kind nodes
+	$(KIND) load docker-image -n $(CLUSTER_NAME) ${IMG}
+	$(KIND) load docker-image -n $(CLUSTER_NAME) ${WORKER_IMG}
+	$(KIND) load docker-image -n $(CLUSTER_NAME) ${TOKENREFRESH_IMG}
 
 ##@ Build Dependencies
 

charts/zora/README.md

@@ -143,6 +143,26 @@ The following table lists the configurable parameters of the Zora chart and thei
 | httpsProxy | string | `""` | HTTPS proxy URL |
 | noProxy | string | `"kubernetes.default.svc.*,127.0.0.1,localhost"` | Comma-separated list of URL patterns to be excluded from going through the proxy |
 | updateCRDs | bool | `true` for upgrades | Specifies whether CRDs should be updated by operator at startup |
+| tokenRefresh.image.repository | string | `"ghcr.io/undistro/zora/tokenrefresh"` | tokenrefresh image repository |
+| tokenRefresh.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| tokenRefresh.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| tokenRefresh.rbac.create | bool | `true` | Specifies whether Roles and RoleBindings should be created |
+| tokenRefresh.rbac.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| tokenRefresh.rbac.serviceAccount.annotations | object | `{}` | Annotations to be added to service account |
+| tokenRefresh.rbac.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| tokenRefresh.minRefreshTime | string | `"1m"` | Minimum time to wait before checking for token refresh |
+| tokenRefresh.refreshThreshold | string | `"2h"` | Threshold relative to the token expiry timestamp, after which a token can be refreshed. |
+| tokenRefresh.nodeSelector | object | `{}` | [Node selection](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node) to constrain a Pod to only be able to run on particular Node(s) |
+| tokenRefresh.tolerations | list | `[]` | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration) for pod assignment |
+| tokenRefresh.affinity | object | `{}` | Map of node/pod [affinities](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration) |
+| tokenRefresh.podAnnotations | object | `{"kubectl.kubernetes.io/default-container":"manager"}` | Annotations to be added to pods |
+| tokenRefresh.podSecurityContext | object | `{"runAsNonRoot":true}` | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context) to add to the pod |
+| tokenRefresh.securityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true}` | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context) to add to `manager` container |
+| zoraauth.domain | string | `""` | The domain associated with the tokens |
+| zoraauth.clientId | string | `""` | The client id associated with the tokens |
+| zoraauth.accessToken | string | `""` | The access token authorizing access to the SaaS API server |
+| zoraauth.tokenType | string | `"Bearer"` | The type of the access token |
+| zoraauth.refreshToken | string | `""` | The refresh token for obtaining a new access token |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 

charts/zora/templates/_helpers.tpl

@@ -77,6 +77,25 @@ Create the name of the service account to use in Operator
 {{- end }}
 {{- end }}
 
+{{/*
+TokenRefresh selector labels
+*/}}
+{{- define "zora.tokenRefreshSelectorLabels" -}}
+{{ include "zora.selectorLabels" . }}
+app.kubernetes.io/component: token-refresh
+{{- end }}
+
+{{/*
+Create the name of the service account to use in TokenRefresh
+*/}}
+{{- define "zora.tokenRefreshServiceAccountName" -}}
+{{- if .Values.tokenRefresh.rbac.serviceAccount.create }}
+{{- default (printf "%s-%s" (include "zora.fullname" .) "token-refresh") .Values.tokenRefresh.rbac.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.tokenRefresh.rbac.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
 {{- define "zora.imagePullSecret" }}
 {{- with .Values.imageCredentials }}
 {{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }}
@@ -149,3 +168,7 @@ Truncate a name to a specific length
 {{- $isHourBad := not (mustRegexMatch "^(?:\\d|[0-5]\\d)$" $hour) -}}
 {{- or $isMinuteBad $isHourBad -}}
 {{- end -}}
+
+{{- define "zora.saasTokenSecretName" -}}
+{{- printf "%s-saas-tokens" (include "zora.fullname" .) -}}
+{{- end }}

charts/zora/templates/hooks/install.yaml

@@ -37,6 +37,7 @@ spec:
         - |
           curl -kfsS -X POST '{{ tpl .Values.saas.installURL . }}' \
             -H 'content-type: application/json' \
+            -H 'Authorization: {{ .Values.zoraauth.tokenType }} {{ .Values.zoraauth.accessToken }}' \
           {{- if .Values.httpsProxy }}
             -x '{{ .Values.httpsProxy}}' \
           {{- end }}

charts/zora/templates/operator/deployment.yaml

@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 {{ $secretName := printf "%s-serving-cert" (include "zora.fullname" .) -}}
+{{ $saasTokensSecretName := (include "zora.saasTokenSecretName" .) -}}
 {{- $serviceName := printf "%s-webhook" (include "zora.fullname" .) -}}
 {{- if .Values.operator.webhook.enabled -}}
 {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace $secretName -}}
@@ -118,6 +119,7 @@ spec:
             - --inject-conversion={{ .Values.operator.webhook.enabled }}
             - --webhook-service-name={{ $serviceName }}
             - --webhook-service-namespace={{ .Release.Namespace }}
+            - --token-path=/tmp/jwt-tokens/token
           image: "{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
           ports:
@@ -131,11 +133,16 @@ spec:
             - containerPort: 9443
               name: webhook-server
               protocol: TCP
+          {{- end }}
           volumeMounts:
+          {{- if .Values.operator.webhook.enabled }}
             - mountPath: /tmp/k8s-webhook-server/serving-certs
               name: cert
               readOnly: true
           {{- end }}
+            - mountPath: /tmp/jwt-tokens
+              name: jwt-tokens
+              readOnly: true
           livenessProbe:
             httpGet:
               path: /healthz
@@ -152,14 +159,19 @@ spec:
             {{- toYaml .Values.operator.resources | nindent 12 }}
           securityContext:
             {{- toYaml .Values.operator.securityContext | nindent 12 }}
-      {{- if .Values.operator.webhook.enabled }}
       volumes:
+      {{- if .Values.operator.webhook.enabled }}
         - name: cert
           secret:
             defaultMode: 420
             secretName: {{ $secretName }}
             optional: true
       {{- end }}
+        - name: jwt-tokens
+          secret:
+            defaultMode: 420
+            secretName: {{ $saasTokensSecretName }}
+            optional: true
       securityContext:
         {{- toYaml .Values.operator.podSecurityContext | nindent 8 }}
       serviceAccountName: {{ include "zora.operatorServiceAccountName" . }}

charts/zora/templates/tokenrefresh/deployment.yaml

@@ -0,0 +1,93 @@
+# Copyright 2022 Undistro Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.saas.workspaceID -}}
+{{ $secretName := (include "zora.saasTokenSecretName" .) -}}
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: undistro.io/jwtTokens
+data:
+{{- if $existingSecret }}
+  {{- toYaml $existingSecret.data | nindent 2 }}
+{{- else }}
+  token: {{ printf "{ \"access_token\": \"%s\", \"refresh_token\": \"%s\", \"token_type\": \"%s\" }" .Values.zoraauth.accessToken .Values.zoraauth.refreshToken .Values.zoraauth.tokenType | b64enc }}
+{{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "zora.fullname" . }}-tokenrefresh
+  labels:
+    {{- include "zora.tokenRefreshSelectorLabels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "zora.tokenRefreshSelectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.tokenRefresh.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "zora.tokenRefreshSelectorLabels" . | nindent 8 }}
+    spec:
+      containers:
+        - name: tokenrefresh
+          {{- if .Values.httpsProxy }}
+          env:
+            - name: HTTPS_PROXY
+              value: {{ .Values.httpsProxy | quote }}
+            - name: NO_PROXY
+              value: {{ .Values.noProxy | quote }}
+          {{- end }}
+          command:
+            - /tokenrefresh
+          args:
+            - --secret-name={{ $secretName }}
+            - --namespace={{ .Release.Namespace }}
+            - --domain={{ .Values.zoraauth.domain }}
+            - --client-id={{ .Values.zoraauth.clientId }}
+            - --min-refresh-time={{ .Values.tokenRefresh.minRefreshTime }}
+            - --refresh-threshold={{ .Values.tokenRefresh.refreshThreshold }}
+          image: "{{ .Values.tokenRefresh.image.repository }}:{{ .Values.tokenRefresh.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.tokenRefresh.image.pullPolicy }}
+          resources:
+            {{- toYaml .Values.tokenRefresh.resources | nindent 12 }}
+          securityContext:
+            {{- toYaml .Values.tokenRefresh.securityContext | nindent 12 }}
+      volumes:
+        - name: jwt-tokens
+          secret:
+            defaultMode: 420
+            secretName: {{ $secretName }}
+      securityContext:
+        {{- toYaml .Values.tokenRefresh.podSecurityContext | nindent 8 }}
+      serviceAccountName: {{ include "zora.tokenRefreshServiceAccountName" . }}
+      terminationGracePeriodSeconds: 10
+      {{- with .Values.tokenRefresh.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tokenRefresh.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tokenRefresh.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end -}}

charts/zora/templates/tokenrefresh/rbac.yaml

@@ -0,0 +1,53 @@
+# Copyright 2023 Undistro Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.saas.workspaceID -}}
+{{ if .Values.tokenRefresh.rbac.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "zora.tokenRefreshServiceAccountName" . }}
+  labels:
+  {{- include "zora.tokenRefreshSelectorLabels" . | nindent 4 }}
+  {{- with .Values.tokenRefresh.rbac.serviceAccount.annotations }}
+  annotations:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{ end }}
+{{- if .Values.tokenRefresh.rbac.create -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "zora.tokenRefreshServiceAccountName" . }}-secret-access
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "zora.tokenRefreshServiceAccountName" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "zora.tokenRefreshServiceAccountName" . }}-secret-access
+subjects:
+- kind: ServiceAccount
+  name: {{ include "zora.tokenRefreshServiceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end -}}
+---

charts/zora/values.yaml

@@ -305,3 +305,54 @@ noProxy: kubernetes.default.svc.*,127.0.0.1,localhost
 # -- (bool) Specifies whether CRDs should be updated by operator at startup
 # @default -- `true` for upgrades
 updateCRDs:
+
+tokenRefresh:
+  image:
+    # -- tokenrefresh image repository
+    repository: ghcr.io/undistro/zora/tokenrefresh
+    # -- Overrides the image tag whose default is the chart appVersion
+    tag: ""
+    # -- Image pull policy
+    pullPolicy: IfNotPresent
+  rbac:
+    # -- Specifies whether Roles and RoleBindings should be created
+    create: true
+    serviceAccount:
+      # -- Specifies whether a service account should be created
+      create: true
+      # -- Annotations to be added to service account
+      annotations: {}
+      # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
+      name: ""
+  # -- Minimum time to wait before checking for token refresh
+  minRefreshTime: "1m"
+  # -- Threshold relative to the token expiry timestamp, after which a token can be refreshed.
+  refreshThreshold: "2h"
+  # -- [Node selection](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node) to constrain a Pod to only be able to run on particular Node(s)
+  nodeSelector: {}
+  # -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration) for pod assignment
+  tolerations: []
+  # -- Map of node/pod [affinities](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration)
+  affinity: {}
+  # -- Annotations to be added to pods
+  podAnnotations:
+    kubectl.kubernetes.io/default-container: manager
+  # -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context) to add to the pod
+  podSecurityContext:
+    runAsNonRoot: true
+  # -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context) to add to `manager` container
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+
+zoraauth:
+  # -- The domain associated with the tokens
+  domain: ""
+  # -- The client id associated with the tokens
+  clientId: ""
+  # -- The access token authorizing access to the SaaS API server
+  accessToken: ""
+  # -- The type of the access token
+  tokenType: "Bearer"
+  # -- The refresh token for obtaining a new access token
+  refreshToken: ""