[WIP] Protect query frontend using oauth proxy

.chloggen/protect_query_frontend_oauthproxy.yaml

@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
+component: tempostack,tempomonolithic
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Protect query-frontend using oauth-proxy on OpenShift
+
+# One or more tracking issues related to the change
+issues: [998]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:

apis/tempo/v1alpha1/common_types.go

@@ -47,8 +47,8 @@ type ExtraConfigSpec struct {
 	Tempo apiextensionsv1.JSON `json:"tempo,omitempty"`
 }
 
-// JaegerQueryAuthenticationSpec defines options applied to proxy sidecar that controls the authentication of the jaeger UI.
-type JaegerQueryAuthenticationSpec struct {
+// OAuthAuthenticationSpec defines options applied to proxy sidecar that controls the authentication of the jaeger UI.
+type OAuthAuthenticationSpec struct {
 	// Defines if the authentication will be enabled for jaeger UI.
 	//
 	// +optional

apis/tempo/v1alpha1/tempomonolithic_defaults.go

@@ -59,8 +59,18 @@ func (r *TempoMonolithic) Default(ctrlConfig configv1alpha1.ProjectConfig) {
 			Enabled: true,
 		}
 	}
+
+	if r.Spec.Query != nil {
+		r.Spec.Query.Authentication = r.defaultAuthentication(r.Spec.Query.Authentication, ctrlConfig)
+	} else {
+		r.Spec.Query = &QuerySpec{}
+		r.Spec.Query.Authentication = r.defaultAuthentication(r.Spec.Query.Authentication, ctrlConfig)
+	}
+
 	if r.Spec.JaegerUI != nil && r.Spec.JaegerUI.Enabled {
 
+		r.Spec.JaegerUI.Authentication = r.defaultAuthentication(r.Spec.JaegerUI.Authentication, ctrlConfig)
+
 		if r.Spec.JaegerUI.Route != nil && r.Spec.JaegerUI.Route.Enabled {
 
 			if r.Spec.JaegerUI.Route.Termination == "" {
@@ -71,21 +81,28 @@ func (r *TempoMonolithic) Default(ctrlConfig configv1alpha1.ProjectConfig) {
 					r.Spec.JaegerUI.Route.Termination = TLSRouteTerminationTypeEdge
 				}
 			}
-
-			if r.Spec.JaegerUI.Authentication == nil {
-				r.Spec.JaegerUI.Authentication = &JaegerQueryAuthenticationSpec{
-					Enabled: ctrlConfig.Gates.OpenShift.OauthProxy.DefaultEnabled,
-				}
-			}
-
-			if len(strings.TrimSpace(r.Spec.JaegerUI.Authentication.SAR)) == 0 {
-				defaultSAR := fmt.Sprintf("{\"namespace\": \"%s\", \"resource\": \"pods\", \"verb\": \"get\"}", r.Namespace)
-				r.Spec.JaegerUI.Authentication.SAR = defaultSAR
-			}
 		}
 
 		if r.Spec.JaegerUI.ServicesQueryDuration == nil {
 			r.Spec.JaegerUI.ServicesQueryDuration = &defaultServicesDuration
 		}
 	}
 }
+
+func (r *TempoMonolithic) defaultAuthentication(spec *OAuthAuthenticationSpec, ctrlConfig configv1alpha1.ProjectConfig) *OAuthAuthenticationSpec {
+	newSpec := spec
+
+	if ctrlConfig.Gates.OpenShift.OauthProxy.DefaultEnabled {
+		if spec == nil {
+			newSpec = &OAuthAuthenticationSpec{
+				Enabled: true,
+			}
+		}
+	}
+
+	if newSpec != nil && newSpec.Enabled && len(strings.TrimSpace(newSpec.SAR)) == 0 {
+		newSpec.SAR = fmt.Sprintf("{\"namespace\": \"%s\", \"resource\": \"pods\", \"verb\": \"get\"}", r.Namespace)
+	}
+
+	return newSpec
+}

apis/tempo/v1alpha1/tempomonolithic_defaults_test.go

@@ -45,6 +45,7 @@ func TestMonolithicDefault(t *testing.T) {
 							},
 						},
 					},
+					Query:      &QuerySpec{},
 					Management: "Managed",
 				},
 			},
@@ -78,6 +79,7 @@ func TestMonolithicDefault(t *testing.T) {
 							},
 						},
 					},
+					Query:      &QuerySpec{},
 					Management: "Managed",
 				},
 			},
@@ -103,6 +105,7 @@ func TestMonolithicDefault(t *testing.T) {
 							},
 						},
 					},
+					Query:      &QuerySpec{},
 					Management: "Unmanaged",
 				},
 			},
@@ -124,12 +127,13 @@ func TestMonolithicDefault(t *testing.T) {
 							},
 						},
 					},
+					Query:      &QuerySpec{},
 					Management: "Unmanaged",
 				},
 			},
 		},
 		{
-			name: "enable jaeger ui oauth when feature gate is enabled",
+			name: "enable oauth when feature gate is enabled",
 			ctrlConfig: configv1alpha1.ProjectConfig{
 				Gates: configv1alpha1.FeatureGates{
 					OpenShift: configv1alpha1.OpenShiftFeatureGates{
@@ -187,12 +191,18 @@ func TestMonolithicDefault(t *testing.T) {
 							Enabled:     true,
 							Termination: TLSRouteTerminationTypeEdge,
 						},
-						Authentication: &JaegerQueryAuthenticationSpec{
+						Authentication: &OAuthAuthenticationSpec{
 							Enabled: true,
 							SAR:     "{\"namespace\": \"testns\", \"resource\": \"pods\", \"verb\": \"get\"}",
 						},
 						ServicesQueryDuration: &defaultServicesDuration,
 					},
+					Query: &QuerySpec{
+						Authentication: &OAuthAuthenticationSpec{
+							Enabled: true,
+							SAR:     "{\"namespace\": \"testns\", \"resource\": \"pods\", \"verb\": \"get\"}",
+						},
+					},
 					Management: "Managed",
 				},
 			},
@@ -225,7 +235,12 @@ func TestMonolithicDefault(t *testing.T) {
 						Route: &MonolithicJaegerUIRouteSpec{
 							Enabled: true,
 						},
-						Authentication: &JaegerQueryAuthenticationSpec{
+						Authentication: &OAuthAuthenticationSpec{
+							Enabled: false,
+						},
+					},
+					Query: &QuerySpec{
+						Authentication: &OAuthAuthenticationSpec{
 							Enabled: false,
 						},
 					},
@@ -259,18 +274,22 @@ func TestMonolithicDefault(t *testing.T) {
 							Enabled:     true,
 							Termination: TLSRouteTerminationTypeEdge,
 						},
-						Authentication: &JaegerQueryAuthenticationSpec{
+						Authentication: &OAuthAuthenticationSpec{
 							Enabled: false,
-							SAR:     "{\"namespace\": \"testns\", \"resource\": \"pods\", \"verb\": \"get\"}",
 						},
 						ServicesQueryDuration: &defaultServicesDuration,
 					},
+					Query: &QuerySpec{
+						Authentication: &OAuthAuthenticationSpec{
+							Enabled: false,
+						},
+					},
 					Management: "Managed",
 				},
 			},
 		},
 		{
-			name: "no touch jaeger ui oauth when feature gate is disabled (true case)",
+			name: "no touch oauth when feature gate is disabled (true case)",
 			input: &TempoMonolithic{
 				ObjectMeta: v1.ObjectMeta{
 					Name:      "test",
@@ -288,7 +307,13 @@ func TestMonolithicDefault(t *testing.T) {
 						Route: &MonolithicJaegerUIRouteSpec{
 							Enabled: true,
 						},
-						Authentication: &JaegerQueryAuthenticationSpec{
+						Authentication: &OAuthAuthenticationSpec{
+							Enabled: true,
+							SAR:     "{\"namespace\": \"testns\", \"resource\": \"pods\", \"verb\": \"get\"}",
+						},
+					},
+					Query: &QuerySpec{
+						Authentication: &OAuthAuthenticationSpec{
 							Enabled: true,
 							SAR:     "{\"namespace\": \"testns\", \"resource\": \"pods\", \"verb\": \"get\"}",
 						},
@@ -323,12 +348,18 @@ func TestMonolithicDefault(t *testing.T) {
 							Enabled:     true,
 							Termination: TLSRouteTerminationTypeEdge,
 						},
-						Authentication: &JaegerQueryAuthenticationSpec{
+						Authentication: &OAuthAuthenticationSpec{
 							Enabled: true,
 							SAR:     "{\"namespace\": \"testns\", \"resource\": \"pods\", \"verb\": \"get\"}",
 						},
 						ServicesQueryDuration: &defaultServicesDuration,
 					},
+					Query: &QuerySpec{
+						Authentication: &OAuthAuthenticationSpec{
+							Enabled: true,
+							SAR:     "{\"namespace\": \"testns\", \"resource\": \"pods\", \"verb\": \"get\"}",
+						},
+					},
 					Management: "Managed",
 				},
 			},
@@ -352,7 +383,12 @@ func TestMonolithicDefault(t *testing.T) {
 						Route: &MonolithicJaegerUIRouteSpec{
 							Enabled: true,
 						},
-						Authentication: &JaegerQueryAuthenticationSpec{
+						Authentication: &OAuthAuthenticationSpec{
+							Enabled: false,
+						},
+					},
+					Query: &QuerySpec{
+						Authentication: &OAuthAuthenticationSpec{
 							Enabled: false,
 						},
 					},
@@ -386,12 +422,16 @@ func TestMonolithicDefault(t *testing.T) {
 							Enabled:     true,
 							Termination: TLSRouteTerminationTypeEdge,
 						},
-						Authentication: &JaegerQueryAuthenticationSpec{
+						Authentication: &OAuthAuthenticationSpec{
 							Enabled: false,
-							SAR:     "{\"namespace\": \"testns\", \"resource\": \"pods\", \"verb\": \"get\"}",
 						},
 						ServicesQueryDuration: &defaultServicesDuration,
 					},
+					Query: &QuerySpec{
+						Authentication: &OAuthAuthenticationSpec{
+							Enabled: false,
+						},
+					},
 					Management: "Managed",
 				},
 			},
@@ -447,12 +487,9 @@ func TestMonolithicDefault(t *testing.T) {
 							Enabled:     true,
 							Termination: TLSRouteTerminationTypeEdge,
 						},
-						Authentication: &JaegerQueryAuthenticationSpec{
-							Enabled: false,
-							SAR:     "{\"namespace\": \"testns\", \"resource\": \"pods\", \"verb\": \"get\"}",
-						},
 						ServicesQueryDuration: &v1.Duration{Duration: time.Duration(100 * 100)},
 					},
+					Query:      &QuerySpec{},
 					Management: "Managed",
 				},
 			},

apis/tempo/v1alpha1/tempomonolithic_types.go

@@ -63,6 +63,12 @@ type TempoMonolithicSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Extra Configuration",xDescriptors="urn:alm:descriptor:com.tectonic.ui:advanced"
 	ExtraConfig *ExtraConfigSpec `json:"extraConfig,omitempty"`
 
+	// QuerySpec defines configurations for query path
+	//
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Query",xDescriptors="urn:alm:descriptor:com.tectonic.ui:advanced"
+	Query *QuerySpec `json:"query,omitempty"`
+
 	MonolithicSchedulerSpec `json:",inline"`
 }
 
@@ -249,7 +255,7 @@ type MonolithicJaegerUISpec struct {
 	// +optional
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Jaeger UI authentication configuration",order=5
-	Authentication *JaegerQueryAuthenticationSpec `json:"authentication,omitempty"`
+	Authentication *OAuthAuthenticationSpec `json:"authentication,omitempty"`
 
 	// ServicesQueryDuration defines how long the services will be available in the services list
 	//
@@ -258,6 +264,16 @@ type MonolithicJaegerUISpec struct {
 	ServicesQueryDuration *metav1.Duration `json:"servicesQueryDuration,omitempty"`
 }
 
+// QuerySpec specific configuratitons for query frontend.
+type QuerySpec struct {
+	// Authentication defines the options for the oauth proxy used to protect jaeger UI
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Jaeger UI authentication configuration",order=5
+	Authentication *OAuthAuthenticationSpec `json:"authentication,omitempty"`
+}
+
 // MonolithicJaegerUIIngressSpec defines the settings for the Jaeger UI ingress.
 type MonolithicJaegerUIIngressSpec struct {
 	// Enabled defines if an Ingress object should be created for Jaeger UI.

apis/tempo/v1alpha1/tempostack_types.go

@@ -564,6 +564,13 @@ type TempoQueryFrontendSpec struct {
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Jaeger Query Settings"
 	JaegerQuery JaegerQuerySpec `json:"jaegerQuery"`
+
+	// Authentication defines the options for the oauth proxy used to protect query frontend
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Query Frontend authentication configuration"
+	Authentication *OAuthAuthenticationSpec `json:"authentication,omitempty"`
 }
 
 // JaegerQuerySpec defines Jaeger Query options.
@@ -605,7 +612,7 @@ type JaegerQuerySpec struct {
 	// +optional
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Jaeger UI authentication configuration"
-	Authentication *JaegerQueryAuthenticationSpec `json:"authentication,omitempty"`
+	Authentication *OAuthAuthenticationSpec `json:"authentication,omitempty"`
 }
 
 // JaegerQueryMonitor defines configuration for the service monitoring tab in the Jaeger console.