AETHER-2611,AETHER-2329 Subscriber proxy auth support
Change-Id: I6b71fb6de100d39c797a79e4f6630706eb7c1dfb
diff --git a/subscriber-proxy/templates/_helpers.tpl b/subscriber-proxy/templates/_helpers.tpl
index ba0078e..6f324dd 100644
--- a/subscriber-proxy/templates/_helpers.tpl
+++ b/subscriber-proxy/templates/_helpers.tpl
@@ -54,3 +54,16 @@
app.kubernetes.io/name: {{ include "subscriber-proxy.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "aether-roc-gui.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "subscriber-proxy.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+
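Review bot: The new helper is defined as `aether-roc-gui.serviceAccountName` inside the subscriber-proxy chart and nothing in this change calls it; deployment.yaml, rolebinding.yaml and serviceaccount.yaml all hardcode `subscriber-proxy` instead. Renaming it to `{{- define "subscriber-proxy.serviceAccountName" -}}` and using it in those three templates keeps the service account name in one place and consistent with the `subscriber-proxy.fullname` convention used elsewhere in the file. The helper also reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but values.yaml is not part of this diff; if the `serviceAccount` block is not defined there, rendering fails with a nil-pointer error, so confirm those keys exist. Note too that serviceaccount.yaml is rendered unconditionally while this helper gates on `serviceAccount.create`, so the two disagree when that flag is false.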
diff --git a/subscriber-proxy/templates/deployment.yaml b/subscriber-proxy/templates/deployment.yaml
index 2cbccc7..b18e635 100644
--- a/subscriber-proxy/templates/deployment.yaml
+++ b/subscriber-proxy/templates/deployment.yaml
@@ -20,6 +20,7 @@
name: {{ template "subscriber-proxy.fullname" . }}
{{- include "subscriber-proxy.selectorLabels" . | nindent 8 }}
spec:
+ serviceAccountName: subscriber-proxy
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 6 }}
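Review bot: `serviceAccountName: subscriber-proxy` is a fixed literal while every other resource name in the template is derived from `subscriber-proxy.fullname`; the same literal appears in the ClusterRoleBinding subject in rolebinding.yaml and in `metadata.name` in serviceaccount.yaml. Two releases of this chart in one namespace would then share (and fight over) one ServiceAccount, and the binding can silently point at an account a different release owns. Deriving it from the chart helper, e.g. `serviceAccountName: {{ template "subscriber-proxy.fullname" . }}`, in all three files keeps the account, its binding and the pod in lockstep. The enclosing pod spec continues outside the hunk.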
@@ -43,26 +44,28 @@
valueFrom:
fieldRef:
fieldPath: spec.nodeName
+ - name: OIDC_SERVER_URL
+ value: {{ .Values.config.openidc.issuer }}
args:
- "/usr/local/bin/subscriber-proxy"
- - "-bind_port=:{{ .Values.ports.port }}"
+ - "-bind_port=:{{ .Values.config.port }}"
- "-client_key=/etc/subscriber-proxy/certs/tls.key"
- "-client_crt=/etc/subscriber-proxy/certs/tls.crt"
- "-ca_crt=/etc/subscriber-proxy/certs/tls.cacert"
- "-alsologtostderr"
- "-hostCheckDisabled"
- - "-webconsole_url=http://{{ .Values.ports.webui_endpt.addr}}:{{ .Values.ports.webui_endpt.port}}"
- - "-onos_config_url={{ .Values.ports.aether_config_endpt.addr}}:{{ .Values.ports.aether_config_endpt.port}}"
+ - "-webconsole_url=http://{{ .Values.config.webui_endpt.addr}}:{{ .Values.config.webui_endpt.port}}"
+ - "-onos_config_url={{ .Values.config.aether_config_endpt.addr}}:{{ .Values.config.aether_config_endpt.port}}"
ports:
- - containerPort: {{.Values.ports.port}}
+ - containerPort: {{.Values.config.port}}
readinessProbe:
tcpSocket:
- port: {{ .Values.ports.port }}
+ port: {{ .Values.config.port }}
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
tcpSocket:
- port: {{ .Values.ports.port }}
+ port: {{ .Values.config.port }}
initialDelaySeconds: 15
periodSeconds: 20
volumeMounts:
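Review bot: The new `OIDC_SERVER_URL` entry renders its value unquoted, `value: {{ .Values.config.openidc.issuer }}`; a container env `value` must be a string, so an unset or empty issuer renders as `value:` (null) and the Deployment is rejected by the API server, and a value starting with a YAML indicator would mis-parse. Quoting it, `value: "{{ .Values.config.openidc.issuer }}"`, matches how the `args` entries in the same block are written and fails more legibly. The rename from `.Values.ports.*` to `.Values.config.*` touches every port reference in this hunk, but values.yaml is not in the diff, so confirm the `config` block is defined there with the same keys. The container spec continues past the hunk.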
diff --git a/subscriber-proxy/templates/role.yaml b/subscriber-proxy/templates/role.yaml
new file mode 100644
index 0000000..19aa2b4
--- /dev/null
+++ b/subscriber-proxy/templates/role.yaml
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: {{ template "subscriber-proxy.fullname" . }}-secret-reader-role
+rules:
+ - apiGroups: [""] # "" indicates the core API group
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
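Review bot: This ClusterRole grants `get`, `watch` and `list` on every Secret in every namespace, which is far more than a proxy that reads its own chart's credentials needs, and `metadata.namespace` on a ClusterRole is ignored because the kind is cluster-scoped; the same applies to the ClusterRoleBinding and its `metadata.namespace` in rolebinding.yaml. Since the binding already names a ServiceAccount in `.Release.Namespace`, a namespaced `kind: Role` here with `kind: RoleBinding` in rolebinding.yaml gives the same access within the release namespace only. If the only secret the proxy reads is the keycloak one created in secret.yaml, narrowing further with `resourceNames: ["{{ template "subscriber-proxy.fullname" . }}-keycloak-secret"]` limits a compromised pod to that single object; which secret it actually reads is not visible in this diff, so confirm before adding the restriction.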
diff --git a/subscriber-proxy/templates/rolebinding.yaml b/subscriber-proxy/templates/rolebinding.yaml
new file mode 100644
index 0000000..f325597
--- /dev/null
+++ b/subscriber-proxy/templates/rolebinding.yaml
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "subscriber-proxy.fullname" . }}-secret-reader
+ namespace: {{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: subscriber-proxy
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ template "subscriber-proxy.fullname" . }}-secret-reader-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/subscriber-proxy/templates/secret.yaml b/subscriber-proxy/templates/secret.yaml
index 445c6bf..73cc3fe 100644
--- a/subscriber-proxy/templates/secret.yaml
+++ b/subscriber-proxy/templates/secret.yaml
@@ -16,3 +16,16 @@
{{ base $path }}: '{{ $root.Files.Get $path | b64enc }}'
{{ end }}
type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "subscriber-proxy.fullname" . }}-keycloak-secret
+ labels:
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+data:
+ username: "{{ .Values.config.openidc.credentials.username }}"
+ password: "{{ .Values.config.openidc.credentials.password }}"
+type: Opaque
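Review bot: The new Secret places the credentials under `data:` without base64 encoding them, so unless the values in values.yaml are already base64, the API server rejects the object with an illegal base64 error; the existing document in the same file encodes its entries with `b64enc` on the line just above the hunk. Either switch the key to `stringData:` or encode in place, `username: "{{ .Values.config.openidc.credentials.username | b64enc }}"` and `password: "{{ .Values.config.openidc.credentials.password | b64enc }}"`. The credentials are also sourced directly from chart values, which means they live in plaintext wherever values.yaml is stored; a comment noting that these should be supplied at install time (for example via a values override or an existing-secret reference) rather than committed would help operators.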
diff --git a/subscriber-proxy/templates/service.yaml b/subscriber-proxy/templates/service.yaml
index 91e173c..409d289 100644
--- a/subscriber-proxy/templates/service.yaml
+++ b/subscriber-proxy/templates/service.yaml
@@ -19,6 +19,6 @@
name: {{ template "subscriber-proxy.fullname" . }}
ports:
- name: sub-proxy
- port: {{.Values.ports.port}}
+ port: {{.Values.config.port}}
protocol: TCP
diff --git a/subscriber-proxy/templates/serviceaccount.yaml b/subscriber-proxy/templates/serviceaccount.yaml
new file mode 100644
index 0000000..726cfd7
--- /dev/null
+++ b/subscriber-proxy/templates/serviceaccount.yaml
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: subscriber-proxy
+ namespace: {{ .Release.Namespace }}