Bump weave-gitops to latest v0.31.2 (#3265)

* Bump version of weave-gitops to latest

Signed-off-by: wge-build-bot <[email protected]>

* Adds support for noAuthentication user

* Adds session manager support

* Leave auth enabled by default

* Smoke tests should assert a session cookie exists

- Not id_token

---------

Signed-off-by: wge-build-bot <[email protected]>
Co-authored-by: wge-build-bot <[email protected]>
Co-authored-by: Simon Howe <[email protected]>

charts/mccp/templates/clusters-service/configmap.yaml

@@ -31,6 +31,7 @@ data:
   {{- if .Values.config.auth.tokenPassthrough.enabled -}}{{- $authMethods = append $authMethods "token-passthrough" -}}{{- end }}
   {{- if .Values.config.oidc.enabled -}}{{- $authMethods = append $authMethods "oidc"  -}}{{- end }}
   AUTH_METHODS: {{ join "," $authMethods | quote }}
+  INSECURE_NO_AUTHENTICATION_USER: {{ .Values.config.auth.noAuthentication.user | quote }}
   CAPI_ENABLED: {{ .Values.global.capiEnabled | quote }}
   {{- if not .Values.config.checkpoint.enabled }}
   CHECKPOINT_DISABLE: 1

charts/mccp/values.yaml

@@ -71,6 +71,8 @@ config:
     # customScopes: "groups,email,profile"
     customScopes: ""
   auth:
+    noAuthentication:
+      user: ""
     userAccount:
       enabled: true
     tokenPassthrough:

cmd/clusters-service/app/options.go

@@ -1,6 +1,7 @@
 package app
 
 import (
+	"github.com/alexedwards/scs/v2"
 	"github.com/go-logr/logr"
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	"github.com/weaveworks/weave-gitops-enterprise/pkg/metrics"
@@ -41,11 +42,12 @@ type Options struct {
 	HtmlRootPath              string
 	ClientGetter              kube.ClientGetter
 	AuthMethods               map[auth.AuthMethod]bool
+	NoAuthUser                string
+	SessionManager            auth.SessionManager
 	OIDC                      OIDCAuthenticationOptions
 	TLSCert                   string
 	TLSKey                    string
 	NoTLS                     bool
-	DevMode                   bool
 	ClustersManager           clustersmngr.ClustersManager
 	ChartsCache               *helm.HelmChartIndexer
 	KubernetesClientSet       kubernetes.Interface
@@ -174,10 +176,12 @@ func WithClientGetter(clientGetter kube.ClientGetter) Option {
 }
 
 // WithAuthConfig is used to set the auth configuration including OIDC
-func WithAuthConfig(authMethods map[auth.AuthMethod]bool, oidc OIDCAuthenticationOptions) Option {
+func WithAuthConfig(authMethods map[auth.AuthMethod]bool, oidc OIDCAuthenticationOptions, noAuthUser string, sessionManager *scs.SessionManager) Option {
 	return func(o *Options) {
 		o.AuthMethods = authMethods
 		o.OIDC = oidc
+		o.NoAuthUser = noAuthUser
+		o.SessionManager = sessionManager
 	}
 }
 
@@ -199,13 +203,6 @@ func WithCAPIEnabled(capiEnabled bool) Option {
 	}
 }
 
-// WithDevMode starts the server in development mode
-func WithDevMode(devMode bool) Option {
-	return func(o *Options) {
-		o.DevMode = devMode
-	}
-}
-
 // WithClustersManager defines the clusters manager that will be use for cross-cluster queries.
 func WithClustersManager(factory clustersmngr.ClustersManager) Option {
 	return func(o *Options) {

cmd/clusters-service/app/server.go

@@ -22,6 +22,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/alexedwards/scs/v2"
 	"github.com/weaveworks/weave-gitops-enterprise/pkg/metrics"
 
 	"github.com/weaveworks/weave-gitops-enterprise/pkg/query/configuration"
@@ -33,7 +34,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/pricing"
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	flaggerv1beta1 "github.com/fluxcd/flagger/pkg/apis/flagger/v1beta1"
-	"github.com/fluxcd/pkg/runtime/logger"
+	flux_logger "github.com/fluxcd/pkg/runtime/logger"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/go-logr/logr"
 	grpc_runtime "github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
@@ -71,6 +72,7 @@ import (
 	"github.com/weaveworks/weave-gitops/core/clustersmngr"
 	"github.com/weaveworks/weave-gitops/core/clustersmngr/cluster"
 	core_fetcher "github.com/weaveworks/weave-gitops/core/clustersmngr/fetcher"
+	"github.com/weaveworks/weave-gitops/core/logger"
 	"github.com/weaveworks/weave-gitops/core/nsaccess"
 	core_core "github.com/weaveworks/weave-gitops/core/server"
 	core_core_proto "github.com/weaveworks/weave-gitops/pkg/api/core"
@@ -146,7 +148,6 @@ type Params struct {
 	TLSCert                           string                    `mapstructure:"tls-cert"`
 	TLSKey                            string                    `mapstructure:"tls-key"`
 	NoTLS                             bool                      `mapstructure:"no-tls"`
-	DevMode                           bool                      `mapstructure:"dev-mode"`
 	Cluster                           string                    `mapstructure:"cluster-name"`
 	UseK8sCachedClients               bool                      `mapstructure:"use-k8s-cached-clients"`
 	UIConfig                          string                    `mapstructure:"ui-config"`
@@ -162,6 +163,7 @@ type Params struct {
 	MetricsEnabled                    bool                      `mapstructure:"metrics-enabled"`
 	MetricsBindAddress                string                    `mapstructure:"metrics-bind-address"`
 	EnableObjectCleaner               bool                      `mapstructure:"enable-object-cleaner"`
+	NoAuthUser                        string                    `mapstructure:"insecure-no-authentication-user"`
 }
 
 type OIDCAuthenticationOptions struct {
@@ -179,7 +181,7 @@ type OIDCAuthenticationOptions struct {
 
 func NewAPIServerCommand() *cobra.Command {
 	p := &Params{}
-	var logOptions logger.Options
+	var logOptions flux_logger.Options
 
 	cmd := &cobra.Command{
 		Use:          "capi-server",
@@ -247,7 +249,8 @@ func NewAPIServerCommand() *cobra.Command {
 	cmdFlags.String("oidc-username-prefix", "", "If provided, all usernames will be prefixed with this value to prevent conflicts with other authentication strategies")
 	cmdFlags.String("oidc-groups-prefix", "", "If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies")
 
-	cmdFlags.Bool("dev-mode", false, "starts the server in development mode")
+	cmdFlags.String("insecure-no-authentication-user", "", "A kubernetes user to impersonate for all requests, no authentication will be performed")
+
 	cmdFlags.Bool("use-k8s-cached-clients", true, "Enables the use of cached clients")
 	cmdFlags.String("ui-config", "", "UI configuration, JSON encoded")
 	cmdFlags.String("pipeline-controller-address", pipelines.DefaultPipelineControllerAddress, "Pipeline controller address")
@@ -344,8 +347,8 @@ func initializeConfig(cmd *cobra.Command) error {
 	return nil
 }
 
-func StartServer(ctx context.Context, p Params, logOptions logger.Options) error {
-	log := logger.NewLogger(logOptions)
+func StartServer(ctx context.Context, p Params, logOptions flux_logger.Options) error {
+	log := flux_logger.NewLogger(logOptions)
 
 	log.Info("Starting server", "log-options", logOptions)
 
@@ -531,6 +534,10 @@ func StartServer(ctx context.Context, p Params, logOptions logger.Options) error
 		return err
 	}
 
+	sessionManager := scs.New()
+	// TODO: Make this configurable
+	sessionManager.Lifetime = 24 * time.Hour
+
 	return RunInProcessGateway(ctx, "0.0.0.0:8000",
 		WithLog(log),
 		WithProfileHelmRepository(types.NamespacedName{Name: p.HelmRepoName, Namespace: p.HelmRepoNamespace}),
@@ -553,11 +560,10 @@ func StartServer(ctx context.Context, p Params, logOptions logger.Options) error
 		WithCAPIClustersNamespace(p.CAPIClustersNamespace),
 		WithHtmlRootPath(p.HtmlRootPath),
 		WithClientGetter(clientGetter),
-		WithAuthConfig(authMethods, p.OIDC),
+		WithAuthConfig(authMethods, p.OIDC, p.NoAuthUser, sessionManager),
 		WithTLSConfig(p.TLSCert, p.TLSKey, p.NoTLS),
 		WithCAPIEnabled(p.CAPIEnabled),
 		WithRuntimeNamespace(p.RuntimeNamespace),
-		WithDevMode(p.DevMode),
 		WithClustersManager(clustersManager),
 		WithChartsCache(chartsCache),
 		WithKubernetesClientSet(kubernetesClientSet),
@@ -598,6 +604,9 @@ func RunInProcessGateway(ctx context.Context, addr string, setters ...Option) er
 	if args.CoreServerConfig.ClustersManager == nil {
 		return errors.New("clusters manager is not set")
 	}
+	if args.SessionManager == nil {
+		return errors.New("session manager is not set")
+	}
 	// TokenDuration at least should be set
 	if args.OIDC.TokenDuration == 0 {
 		return errors.New("OIDC configuration is not set")
@@ -742,19 +751,25 @@ func RunInProcessGateway(ctx context.Context, addr string, setters ...Option) er
 		return fmt.Errorf("could not create HMAC token signer: %w", err)
 	}
 
+	authMethods := args.AuthMethods
+	if args.NoAuthUser != "" {
+		args.Log.V(logger.LogLevelWarn).Info("Anonymous mode enabled", "noAuthUser", args.NoAuthUser)
+		authMethods = map[auth.AuthMethod]bool{auth.Anonymous: true}
+	}
+
+	if len(authMethods) == 0 {
+		return errors.New("no authentication methods set")
+	}
+
 	// FIXME: Slightly awkward bit of logging..
 	authMethodsStrings := []string{}
-	for authMethod, enabled := range args.AuthMethods {
+	for authMethod, enabled := range authMethods {
 		if enabled {
 			authMethodsStrings = append(authMethodsStrings, authMethod.String())
 		}
 	}
 	args.Log.Info("setting enabled auth methods", "enabled", authMethodsStrings)
 
-	if args.DevMode {
-		tsv.SetDevMode(args.DevMode)
-	}
-
 	if len(args.OIDC.CustomScopes) != 0 {
 		args.Log.Info("setting custom OIDC scopes", "scopes", args.OIDC.CustomScopes)
 	}
@@ -778,7 +793,9 @@ func RunInProcessGateway(ctx context.Context, addr string, setters ...Option) er
 		args.KubernetesClient,
 		tsv,
 		args.RuntimeNamespace,
-		args.AuthMethods,
+		authMethods,
+		args.NoAuthUser,
+		args.SessionManager,
 	)
 	if err != nil {
 		return fmt.Errorf("could not create auth server: %w", err)
@@ -797,7 +814,7 @@ func RunInProcessGateway(ctx context.Context, addr string, setters ...Option) er
 	}
 
 	// Secure `/v1` and `/gitops/api` API routes
-	grpcHttpHandler = auth.WithAPIAuth(grpcHttpHandler, srv, EnterprisePublicRoutes())
+	grpcHttpHandler = auth.WithAPIAuth(grpcHttpHandler, srv, EnterprisePublicRoutes(), args.SessionManager)
 
 	var metricsServer *http.Server
 
@@ -831,9 +848,12 @@ func RunInProcessGateway(ctx context.Context, addr string, setters ...Option) er
 
 	mux.Handle("/", staticAssetsWithGz)
 
+	handler := http.Handler(mux)
+	handler = args.SessionManager.LoadAndSave(handler)
+
 	s := &http.Server{
 		Addr:    addr,
-		Handler: mux,
+		Handler: handler,
 	}
 
 	factoryStopCh := make(chan struct{})

cmd/clusters-service/app/server_test.go

@@ -13,6 +13,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/alexedwards/scs/v2"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/go-logr/logr"
 	grpc_runtime "github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
@@ -210,6 +211,8 @@ func runServer(t *testing.T, ctx context.Context, k client.Client, ns string, ad
 			app.WithAuthConfig(
 				map[server_auth.AuthMethod]bool{server_auth.UserAccount: true},
 				app.OIDCAuthenticationOptions{TokenDuration: time.Hour},
+				"",
+				scs.New(),
 			),
 			app.WithKubernetesClientSet(clientSet),
 			app.WithClustersManager(grpctesting.MakeClustersManager(k)),

go.mod

@@ -15,13 +15,13 @@ require (
 	github.com/sirupsen/logrus v1.9.0
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.2
-	github.com/weaveworks/weave-gitops v0.30.0
+	github.com/weaveworks/weave-gitops v0.31.2
 	github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2
 	github.com/weaveworks/weave-gitops-enterprise/common v0.0.0
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.27.3
 	k8s.io/apimachinery v0.27.3
-	k8s.io/cli-runtime v0.26.3
+	k8s.io/cli-runtime v0.26.8
 	k8s.io/client-go v1.5.2
 	sigs.k8s.io/controller-runtime v0.15.0
 )
@@ -34,6 +34,7 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/ProtonMail/gopenpgp/v2 v2.6.0
 	github.com/alecthomas/assert v0.0.0-20170929043011-405dbfeb8e38
+	github.com/alexedwards/scs/v2 v2.5.1
 	github.com/aws/aws-sdk-go-v2 v1.16.16
 	github.com/aws/aws-sdk-go-v2/config v1.17.8
 	github.com/aws/aws-sdk-go-v2/service/pricing v1.17.1
@@ -403,7 +404,7 @@ require (
 	k8s.io/component-base v0.27.3 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
-	k8s.io/kubectl v0.26.3
+	k8s.io/kubectl v0.26.8
 	k8s.io/utils v0.0.0-20230505201702-9f6742963106
 	oras.land/oras-go v1.2.2 // indirect
 	sigs.k8s.io/cli-utils v0.34.0 // indirect

go.sum

@@ -154,6 +154,8 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
+github.com/alexedwards/scs/v2 v2.5.1 h1:EhAz3Kb3OSQzD8T+Ub23fKsiuvE0GzbF5Lgn0uTwM3Y=
+github.com/alexedwards/scs/v2 v2.5.1/go.mod h1:ToaROZxyKukJKT/xLcVQAChi5k6+Pn1Gvmdl7h3RRj8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
@@ -1273,8 +1275,8 @@ github.com/weaveworks/templates-controller v0.2.0 h1:7pWLCoHasLyk1qgDH6N9XVgozZv
 github.com/weaveworks/templates-controller v0.2.0/go.mod h1:qO/4Eeqas5kjLCacboFKcisszFMjCjIUMxhtqxYlMUw=
 github.com/weaveworks/tf-controller/api v0.0.0-20230416092146-4a7dfa5b6cc4 h1:+IkLtnXzCkhJzojbadPd+UxwaTa6K/Eb2grY6LcYfeo=
 github.com/weaveworks/tf-controller/api v0.0.0-20230416092146-4a7dfa5b6cc4/go.mod h1:LUBkwqS7FHz/QTNuYzvWj6svehhh1djnV0Gj3OTc87E=
-github.com/weaveworks/weave-gitops v0.30.0 h1:pKs73uC1LbFlZM1yWB6ItwmEb0Pq6bruaCS9dCSfhCU=
-github.com/weaveworks/weave-gitops v0.30.0/go.mod h1:ybp9Ojv0A5eT27RSuzSYsZg+9MSmPkGYM9N7NDRVSrA=
+github.com/weaveworks/weave-gitops v0.31.2 h1:U/yqSePWSml+rXDqguV4jkRI2R8SpcW7OLesun+jwVE=
+github.com/weaveworks/weave-gitops v0.31.2/go.mod h1:2YgGGQJAs2JA/MCD4/toPKBxSBWbVvLzBMcVX3M3Wm4=
 github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2 h1:7jeiQehqmI4ds6YIq8TW1Vqhlb6V7G2BVRJ8VM3r99I=
 github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2/go.mod h1:6PMYg+VtSNePnP7EXyNG+/hNRNZ3r0mQtolIZU4s/J0=
 github.com/xanzy/go-gitlab v0.83.0 h1:37p0MpTPNbsTMKX/JnmJtY8Ch1sFiJzVF342+RvZEGw=

test/acceptance/test/utils_gitops.go

@@ -102,14 +102,14 @@ func checkClusterService(endpointURL string) {
 			),
 			ASSERTION_1MINUTE_TIME_OUT,
 		)
-		g.Expect(stdOut).To(gomega.MatchRegexp(`id_token\s*(.*)`), "Failed to fetch cookie/Cluster Service is not healthy")
+		g.Expect(stdOut).To(gomega.MatchRegexp(`session\s*(.*)`), "Failed to fetch cookie/Cluster Service is not healthy")
 
-		re := regexp.MustCompile(`id_token\s*(.*)`)
+		re := regexp.MustCompile(`session\s*(.*)`)
 		match := re.FindAllStringSubmatch(stdOut, -1)
 		cookie := match[0][1]
 		stdOut, stdErr := runCommandAndReturnStringOutput(
 			fmt.Sprintf(
-				`curl --insecure --silent --cookie "id_token=%s" -v --output /dev/null --write-out %%{http_code} %s/v1/templates`,
+				`curl --insecure --silent --cookie "session=%s" -v --output /dev/null --write-out %%{http_code} %s/v1/templates`,
 				cookie, endpointURL,
 			),
 			ASSERTION_1MINUTE_TIME_OUT,

tools/dev-values.yaml

@@ -8,6 +8,10 @@ policy-agent:
 
 config:
   logLevel: debug
+  # un-comment to disable auth
+  # auth:
+  #   noAuthentication:
+  #     user: "wego-admin"
 
 tls:
   enabled: false
@@ -29,8 +33,6 @@ extraEnvVars:
     value: "false"
   - name: BITBUCKET_SERVER_HOSTNAME
     value: "bitbucket.yiannis.net"
-  - name: DEV_MODE
-    value: "true"
   - name: WEAVE_GITOPS_ENABLE_PROFILING
     value: "true"
 

ui-cra/package.json

@@ -25,7 +25,7 @@
     "@types/styled-components": "^5.1.9",
     "@types/urijs": "^1.19.19",
     "@weaveworks/progressive-delivery": "0.0.0-rc13",
-    "@weaveworks/weave-gitops": "npm:@weaveworks/[email protected]",
+    "@weaveworks/weave-gitops": "0.31.2",
     "classnames": "^2.3.1",
     "d3-scale": "4.0.0",
     "d3-time": "^3.0.0",