Add tke-auth-controller into installer and oidc url change to tke-aut…

…h-api

cmd/tke-auth-controller/app/options/feature.go

@@ -36,12 +36,12 @@ const (
 )
 
 const (
- configPolicyPath = "feature.policy_path"
- configCategoryPath = "feature.category_path"
- configTenantAdmin = "feature.tenant_admin"
- configTenantAdminSecret = "feature.tenant_admin_secret"
- configCasbinModelFile = "feature.casbin_model_file"
- configCasbinReloadInterval = "feature.casbin_reload_interval"
+ configPolicyPath = "features.policy_path"
+ configCategoryPath = "features.category_path"
+ configTenantAdmin = "features.tenant_admin"
+ configTenantAdminSecret = "features.tenant_admin_secret"
+ configCasbinModelFile = "features.casbin_model_file"
+ configCasbinReloadInterval = "features.casbin_reload_interval"
 )
 
 type FeatureOptions struct {

cmd/tke-auth-controller/app/options/options.go

@@ -41,7 +41,7 @@ func NewOptions(serverName string, allControllers []string, disabledByDefaultCon
  return &Options{
  Log: log.NewOptions(),
  Debug: apiserveroptions.NewDebugOptions(),
- SecureServing: apiserveroptions.NewSecureServingOptions(serverName, 9456),
+ SecureServing: apiserveroptions.NewSecureServingOptions(serverName, 9458),
  Component: controlleroptions.NewComponentOptions(allControllers, disabledByDefaultControllers),
  AuthAPIClient: controlleroptions.NewAPIServerClientOptions("auth", true),
  FeatureOptions: NewFeatureOptions(),

cmd/tke-installer/app/installer/certs/certs.go

@@ -35,7 +35,7 @@ var (
  "tke-platform-api",
  "tke-business-api",
  "tke-notify-api",
- "tke-auth",
+ "tke-auth-api",
  "tke-console",
  "tke-monitor-api",
  "tke-registry-api",

cmd/tke-installer/app/installer/images/images.go

@@ -36,7 +36,8 @@ type Components struct {
  ProviderRes containerregistry.Image
 
  TKEGateway containerregistry.Image
- TKEAuth containerregistry.Image
+ TKEAuthAPI containerregistry.Image
+ TKEAuthController containerregistry.Image
  TKEBusinessAPI containerregistry.Image
  TKEBusinessController containerregistry.Image
  TKEMonitorAPI containerregistry.Image
@@ -69,7 +70,8 @@ var components = Components{
 
  ProviderRes: containerregistry.Image{Name: "provider-res", Tag: "v1.14.6-1"},
 
- TKEAuth: containerregistry.Image{Name: "tke-auth", Tag: Version},
+ TKEAuthAPI: containerregistry.Image{Name: "tke-auth-api", Tag: Version},
+ TKEAuthController: containerregistry.Image{Name: "tke-auth-controller", Tag: Version},
  TKEBusinessAPI: containerregistry.Image{Name: "tke-business-api", Tag: Version},
  TKEBusinessController: containerregistry.Image{Name: "tke-business-controller", Tag: Version},
  TKEGateway: containerregistry.Image{Name: "tke-gateway", Tag: Version},

cmd/tke-installer/app/installer/installer.go

@@ -419,8 +419,12 @@ func (t *TKE) initSteps() {
  if t.Para.Config.Auth.TKEAuth != nil {
  t.steps = append(t.steps, []handler{
  {
- Name: "Install tke-auth",
- Func: t.installTKEAuth,
+ Name: "Install tke-auth-api",
+ Func: t.installTKEAuthAPI,
+ },
+ {
+ Name: "Install tke-auth-controller",
+ Func: t.installTKEAuthController,
  },
  }...)
  }
@@ -1470,7 +1474,7 @@ func (t *TKE) installETCD() error {
  })
 }
 
-func (t *TKE) installTKEAuth() error {
+func (t *TKE) installTKEAuthAPI() error {
  redirectHosts := t.servers
  redirectHosts = append(redirectHosts, "tke-gateway")
  if t.Para.Config.Gateway != nil && t.Para.Config.Gateway.Domain != "" {
@@ -1482,20 +1486,41 @@ func (t *TKE) installTKEAuth() error {
 
  option := map[string]interface{}{
  "Replicas": t.Config.Replicas,
- "Image": images.Get().TKEAuth.FullName(),
+ "Image": images.Get().TKEAuthAPI.FullName(),
  "OIDCClientSecret": t.readOrGenerateString(constants.OIDCClientSecretFile),
  "AdminUsername": t.Para.Config.Auth.TKEAuth.Username,
  "AdminPassword": string(t.Para.Config.Auth.TKEAuth.Password),
  "TenantID": t.Para.Config.Auth.TKEAuth.TenantID,
  "RedirectHosts": redirectHosts,
  }
- err := apiclient.CreateResourceWithDir(t.globalClient, "manifests/tke-auth/*.yaml", option)
+ err := apiclient.CreateResourceWithDir(t.globalClient, "manifests/tke-auth-api/*.yaml", option)
+ if err != nil {
+ return err
+ }
+
+ return wait.PollImmediate(5*time.Second, 10*time.Minute, func() (bool, error) {
+ ok, err := apiclient.CheckDeployment(t.globalClient, t.namespace, "tke-auth-api")
+ if err != nil {
+ return false, nil
+ }
+ return ok, nil
+ })
+}
+
+func (t *TKE) installTKEAuthController() error {
+ err := apiclient.CreateResourceWithDir(t.globalClient, "manifests/tke-auth-controller/*.yaml",
+ map[string]interface{}{
+ "Replicas": t.Config.Replicas,
+ "Image": images.Get().TKEAuthController.FullName(),
+ "AdminUsername": t.Para.Config.Auth.TKEAuth.Username,
+ "AdminPassword": string(t.Para.Config.Auth.TKEAuth.Password),
+ })
  if err != nil {
  return err
  }
 
  return wait.PollImmediate(5*time.Second, 10*time.Minute, func() (bool, error) {
- ok, err := apiclient.CheckDeployment(t.globalClient, t.namespace, "tke-auth")
+ ok, err := apiclient.CheckDeployment(t.globalClient, t.namespace, "tke-auth-controller")
  if err != nil {
  return false, nil
  }

cmd/tke-installer/app/installer/manifests/tke-auth-api/tke-auth-api.yaml

@@ -0,0 +1,121 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: tke-auth-api
+ namespace: tke
+spec:
+ selector:
+ app: tke-auth-api
+ ports:
+ - protocol: TCP
+ port: 443
+ targetPort: 9451
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ labels:
+ app: tke-auth-api
+ name: tke-auth-api
+ namespace: tke
+spec:
+ replicas: {{ .Replicas }}
+ selector:
+ matchLabels:
+ app: tke-auth-api
+ template:
+ metadata:
+ labels:
+ app: tke-auth-api
+ spec:
+ containers:
+ - name: tke-auth-api
+ image: {{ .Image }}
+ args:
+ - -C=/app/conf/tke-auth-api.toml
+ volumeMounts:
+ - name: certs-volume
+ mountPath: /app/certs
+ - name: tke-auth-api-volume
+ mountPath: /app/conf
+ ports:
+ - containerPort: 9451
+ readinessProbe:
+ httpGet:
+ port: 9451
+ path: /healthz/ping
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ port: 9451
+ path: /healthz
+ scheme: HTTPS
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ volumes:
+ - name: certs-volume
+ configMap:
+ name: certs
+ - name: tke-auth-api-volume
+ configMap:
+ name: tke-auth-api
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: tke-auth-api
+ namespace: tke
+data:
+ abac-policy.json: |
+ {"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"system:*","namespace":"*", "resource":"*","apiGroup":"*", "group": "*"}}
+ tke-auth-api.toml: |
+ [secure_serving]
+ tls_cert_file = "/app/certs/server.crt"
+ tls_private_key_file = "/app/certs/server.key"
+
+ [etcd]
+ servers = [
+ "https://etcd:2379"
+ ]
+ cafile = "/app/certs/etcd-ca.crt"
+ certfile = "/app/certs/etcd.crt"
+ keyfile = "/app/certs/etcd.key"
+
+ [generic]
+ external_hostname = "tke-auth-api"
+ external_port = 443
+
+ [authorization]
+ policy_file="/app/conf/abac-policy.json"
+
+ [authentication]
+ token_auth_file = "/app/certs/token.csv"
+ client_ca_file = "/app/certs/ca.crt"
+
+ [authentication.requestheader]
+ client_ca_file = "/app/certs/ca.crt"
+ username_headers = "X-Remote-User"
+ extra_headers_prefix = "X-Remote-Extra-"
+
+ [auth]
+ assets_path = "/app/web/auth"
+ tenant_admin = "{{ .AdminUsername }}"
+ tenant_admin_secret = "{{ .AdminPassword }}"
+ init_client_id = "{{ .TenantID }}"
+ init_client_secret = "{{ .OIDCClientSecret }}"
+ init_client_redirect_uris = [
+{{- range $element := .RedirectHosts}}
+ {{ printf ` "http:https://%s/callback",` $element}}
+ {{ printf ` "https://%s/callback",` $element}}
+{{- end}}
+ ]