This PR configures spec.reporting-operator.spec.authProxy
by default.
Like other PRs, we do this using the top-level spec.tls.enabled
key, which is set to true by default.
When you run a minimal meteringconfig CR (still need to specify some sort of storage), the ansible-operator will set authProxy.enabled: true
.
We check if a authProxy.cookie.secretName: reporting-operator-auth-proxy-cookie-seed
already exists. If it does, we pull the existing data out, and let ansible re-template/re-create that secret.
However, if that secret name doesn't exist, we generate a random 32-bit character string, and create the cookie seed secret using that value.
As a reminder, if you want to manually configure TLS/auth yourself, you would need to set spec.tls.enabled: false
in your meteringconfig CR.
Note: this would disable Presto TLS/auth, Presto to reporting-operator TLS/auth, and reporting-operator TLS/auth.
apiVersion: metering.openshift.io/v1alpha1
kind: MeteringConfig
metadata:
name: "operator-metering"
spec: {}
...
Again, you would need to fill in storage so the ansible-operator doesn't complain during the validation tasks.
Then we need to install:
./hack/openshift-install.sh
Once everything is up and running, we should see this:
NAME READY STATUS RESTARTS AGE
pod/hdfs-datanode-0 1/1 Running 0 1h
pod/hdfs-namenode-0 1/1 Running 0 1h
pod/hive-metastore-0 1/1 Running 0 1h
pod/hive-server-0 1/1 Running 0 1h
pod/presto-coordinator-0 1/1 Running 0 1h
pod/reporting-operator-6d6d446445-lshjj 2/2 Running 0 1h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/hdfs-datanode ClusterIP None <none> 9866/TCP,9864/TCP,9867/TCP,8082/TCP 4d
service/hdfs-datanode-web ClusterIP 172.30.22.246 <none> 9864/TCP 4d
service/hdfs-namenode ClusterIP None <none> 9820/TCP,9870/TCP,8082/TCP 4d
service/hdfs-namenode-web ClusterIP 172.30.182.188 <none> 9870/TCP 4d
service/hive-metastore ClusterIP 172.30.71.134 <none> 9083/TCP,8082/TCP,8443/TCP 4d
service/hive-server ClusterIP 172.30.172.37 <none> 10000/TCP,10002/TCP,8082/TCP 4d
service/presto ClusterIP 172.30.206.129 <none> 8080/TCP,8082/TCP 4d
service/presto-nodes ClusterIP None <none> 8080/TCP 4d
service/presto-worker ClusterIP 172.30.162.173 <none> 8080/TCP,8082/TCP 4d
service/reporting-operator ClusterIP 172.30.179.156 <none> 8080/TCP,8082/TCP 4d
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
deployment.apps/reporting-operator 1 1 1 1 4d
NAME DESIRED CURRENT READY AGE
replicaset.apps/reporting-operator-6d6d446445 1 1 1 1h
NAME DESIRED CURRENT AGE
statefulset.apps/hdfs-datanode 1 1 4d
statefulset.apps/hdfs-namenode 1 1 4d
statefulset.apps/hive-metastore 1 1 4d
statefulset.apps/hive-server 1 1 4d
statefulset.apps/presto-coordinator 1 1 4d
statefulset.apps/presto-worker 0 0 4d
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
route.route.openshift.io/metering metering-metering-tflannag.apps.metering-ci-3.origin-gce.dev.openshift.com reporting-operator http reencrypt/Allow None
Notice that the reporting-operator deployment produces two containers (auth-proxy side-care container) and a route is created.
Set your metering namespace:
export METERING_NAMESPACE="..."
In order to verify this is working, you can view a report using the commands from the reporting-operator docs:
METERING_ROUTE_HOSTNAME=$(oc -n $METERING_NAMESPACE get route metering -o json | jq -r '.spec.host')
TOKEN=$(oc -n $METERING_NAMESPACE serviceaccounts get-token reporting-operator)
curl -H "Authorization: Bearer $TOKEN" -k "https://$METERING_ROUTE_HOSTNAME/api/v1/reports/get?name=cluster-memory-capacity-hourly&namespace=$METERING_NAMESPACE&format=tab"
In the command above, you would need to replace name=cluster-memory-capacity-hourly
with whatever report you want to run.
Verify that the command above produced report output.
We can then, repeat the same process as above, but change the value of the environment variable $TOKEN
.
For example, we can set the token value to use the presto service account token:
TOKEN=$(oc -n $METERING_NAMESPACE serviceaccounts get-token presto)
Re-run the curl command above, and verify that you get a block of html/css/etc returned, and not the report data.
apiVersion: metering.openshift.io/v1alpha1
kind: MeteringConfig
metadata:
name: "operator-metering"
spec:
reporting-operator:
spec:
authProxy:
# htpasswd.data can contain htpasswd file contents for allowing auth
# using a static list of usernames and their password hashes.
#
# username is 'testuser' password is 'password123'
# generated htpasswdData using: `htpasswd -nb -s testuser password123`
# htpasswd:
# data: |
# testuser:{SHA}y/2sYAj5yrQIN4TL0YdPdmGNKpc=
#
htpasswd:
data |
REPLACEME
I was using http://www.htaccesstools.com/htpasswd-generator/ to generate a username/password htpasswd combination.
Verify that the .data
section of the reporting-operator-auth-proxy-htpasswd
secret is non-empty:
oc get secrets reporting-operator-auth-proxy-htpasswd -o json
Verify that you can properly view reports:
METERING_ROUTE_HOSTNAME=$(oc -n $METERING_NAMESPACE get route metering -o json | jq -r '.spec.host')
curl -u testuser:password123 -k "https://$METERING_ROUTE_HOSTNAME/api/v1/reports/get?name=[Report Name]&namespace=$METERING_NAMESPACE&format=[Format]"
Replace testuser:password123
with a valid username/password combination specified in htpasswd.data
section.
Verify that you cannot view reports with an invalid username/password combination (you can just run the above command as testuser:password123 should be an invalid user/pass.)
apiVersion: metering.openshift.io/v1alpha1
kind: MeteringConfig
metadata:
name: "operator-metering"
spec:
tls:
enabled: false
reporting-operator:
spec:
authProxy:
enabled: true
cookie:
# cookieSeed is used to protect the cookie created if accessing the API
# via your browser.
#
# generate a 32 character random string using a command of your choice,
# for example: `openssl rand -base64 32 | head -c32; echo`
# seed: "RCFE+QpwGWL2bupP+wv4EIOnYlbaRmto"
seed: ""
htpasswd:
data |
REPLACEME
Verify that oauth-proxy still works (follow the same steps as previous cases, the process should be the same.)
your commnd
METERING_ROUTE_HOSTNAME=$(oc -n $METERING_NAMESPACE get routes metering -o json | jq '.status.ingress[].host')
returns a quoted metering route, I have this and it works$(oc -n $METERING_NAMESPACE get route metering -o json | jq -r '.spec.host')
without the double quotes