diff --git a/Dockerfile b/Dockerfile
index 8cea51e..e2646ea 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,7 +30,7 @@ RUN apt-get update && \
 # Create non-root user
 RUN useradd -r -u 1000 -s /bin/false barycenter && \
- mkdir -p /app/data /app/config && \
+ mkdir -p /app/data /app/config /app/policies && \
 chown -R barycenter:barycenter /app
 WORKDIR /app
@@ -47,8 +47,8 @@ RUN chown -R barycenter:barycenter /app
 # Switch to non-root user
 USER barycenter
-# Expose default port
-EXPOSE 8080
+# Expose default ports (OIDC, admin GraphQL, authz API)
+EXPOSE 8080 8081 8082
 # Health check
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
diff --git a/deploy/helm/barycenter/templates/authz-networkpolicy.yaml b/deploy/helm/barycenter/templates/authz-networkpolicy.yaml
new file mode 100644
index 0000000..f829969
--- /dev/null
+++ b/deploy/helm/barycenter/templates/authz-networkpolicy.yaml
@@ -0,0 +1,25 @@
+{{- if and .Values.config.authz.enabled .Values.authz.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "barycenter.fullname" . }}-authz
+ labels:
+ {{- include "barycenter.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "barycenter.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+ ingress:
+ # Allow unrestricted access to the OIDC HTTP port
+ - ports:
+ - port: http
+ protocol: TCP
+ # Restrict authz port to same-namespace pods only
+ - from:
+ - podSelector: {}
+ ports:
+ - port: authz
+ protocol: TCP
+{{- end }}
diff --git a/deploy/helm/barycenter/templates/authz-policies-configmap.yaml b/deploy/helm/barycenter/templates/authz-policies-configmap.yaml
new file mode 100644
index 0000000..9ec0524
--- /dev/null
+++ b/deploy/helm/barycenter/templates/authz-policies-configmap.yaml
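Review bot: `/app/policies` ends up owned by the `barycenter` runtime user through the `chown -R barycenter:barycenter /app` on the following line, so outside the Helm chart (plain `docker run` with policies baked in or bind-mounted) the process can rewrite its own authorization policies. Inside the chart this is moot because the directory is a read-only ConfigMap mount, but for the image itself a root-owned, read-only directory is the safer default, e.g. `chown root:root /app/policies && chmod 0555 /app/policies` after the recursive chown. The later `RUN chown -R barycenter:barycenter /app` that appears as context in the second hunk would also have to exclude it, otherwise the ownership is reverted.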
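Review bot: `EXPOSE 8080 8081 8082` places what the new comment calls the admin GraphQL port next to the public OIDC port with no indication that it is internal; `EXPOSE` is documentation only, but `docker run -P` publishes every exposed port, so the admin and authz APIs land on the host alongside 8080. Worth stating the intent in the Dockerfile, e.g. `# 8081 (admin GraphQL) and 8082 (authz) are internal APIs: do not publish them on public interfaces`. Nothing in this diff adds a Service port or NetworkPolicy rule for 8081, so whether the chart exposes the admin port at all is not visible here.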
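Review bot: The `from: - podSelector: {}` rule admits every pod in the namespace to the authz port, which in a shared namespace is barely narrower than no `from` at all; a label-scoped selector fed from values would let operators name the callers, e.g. `- podSelector: {{- toYaml .Values.authz.networkPolicy.allowedPodSelector | nindent 12 }}` defaulting to `{}`. Two caveats deserve a comment in the template: a NetworkPolicy is only enforced by CNIs that implement it, so on other clusters the `authz` port added to the Service in this same change is reachable cluster-wide with no warning; and because the policy selects the whole pod with `policyTypes: [Ingress]`, any container port other than `http` and `authz` (the Dockerfile now exposes an admin GraphQL port, if the chart ever declares it) is blocked only while `config.authz.enabled` is true and fully open otherwise, which inverts the expected posture. Rendering the ingress policy independently of the authz flag, with the allowed ports listed explicitly, would make the restriction predictable.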
@@ -0,0 +1,13 @@
+{{- if and .Values.config.authz.enabled (not .Values.authz.existingConfigMap) .Values.authz.policies }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "barycenter.fullname" . }}-authz-policies
+ labels:
+ {{- include "barycenter.labels" . | nindent 4 }}
+data:
+ {{- range $filename, $content := .Values.authz.policies }}
+ {{ $filename }}: |
+ {{- $content | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/deploy/helm/barycenter/templates/configmap.yaml b/deploy/helm/barycenter/templates/configmap.yaml
index 89d72d8..296a3df 100644
--- a/deploy/helm/barycenter/templates/configmap.yaml
+++ b/deploy/helm/barycenter/templates/configmap.yaml
@@ -23,3 +23,12 @@ data:
 [federation]
 trust_anchors = {{ .Values.config.federation.trustAnchors | toJson }}
+ {{- if .Values.config.authz.enabled }}
+
+ [authz]
+ enabled = true
+ {{- if .Values.config.authz.port }}
+ port = {{ .Values.config.authz.port }}
+ {{- end }}
+ policies_dir = {{ .Values.config.authz.policiesDir | quote }}
+ {{- end }}
diff --git a/deploy/helm/barycenter/templates/deployment.yaml b/deploy/helm/barycenter/templates/deployment.yaml
index 6350a68..1fb1c69 100644
--- a/deploy/helm/barycenter/templates/deployment.yaml
+++ b/deploy/helm/barycenter/templates/deployment.yaml
@@ -17,6 +17,9 @@ spec:
 metadata:
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ {{- if and .Values.config.authz.enabled (not .Values.authz.existingConfigMap) .Values.authz.policies }}
+ checksum/authz-policies: {{ include (print $.Template.BasePath "/authz-policies-configmap.yaml") . | sha256sum }}
+ {{- end }}
 {{- with .Values.podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
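Review bot: `{{ $filename }}: |` interpolates a user-supplied map key into YAML unquoted, so a key containing `:` or a leading special character produces a template that fails to parse instead of a clear API error. `{{ $filename | quote }}: |` keeps the rendered YAML well-formed so the API server's ConfigMap key validation (`[-._a-zA-Z0-9]+`) reports the real problem. A one-line comment that Go templates iterate a map in sorted key order would also document why the checksum annotation on the Deployment stays stable across upgrades.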
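Review bot: `port` is written only when `config.authz.port` is set, while deployment.yaml and service.yaml in this same change default the container and Service port to `server.port + 2`; if the application's built-in default differs, the pod declares and the Service forwards to a port the process never binds, and the authz API is silently unreachable. Rendering the same expression unconditionally makes all three agree: replace the `{{- if .Values.config.authz.port }}` / `port = ...` / `{{- end }}` trio with `port = {{ .Values.config.authz.port | default (add .Values.config.server.port 2) }}`. The values.yaml comment "port defaults to server.port + 2 if not set" then becomes true for the config file as well as the Kubernetes objects.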
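Review bot: The checksum annotation covers only the chart-rendered ConfigMap; with `authz.existingConfigMap` nothing on the pod changes when that external ConfigMap is edited, so picking up new policies depends on the kubelet's eventual ConfigMap volume sync plus the service re-reading `policies_dir`, which this diff does not show. If the service loads policies once at startup, stale authorization rules would persist unnoticed; a comment here or in values.yaml such as `# NOTE: edits to an existing ConfigMap do not trigger a rollout; restart the deployment after changing policies` makes that explicit. The `annotations:` map continues outside the hunk.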
@@ -75,6 +78,11 @@ spec:
 - name: http
 containerPort: {{ .Values.config.server.port }}
 protocol: TCP
+ {{- if .Values.config.authz.enabled }}
+ - name: authz
+ containerPort: {{ .Values.config.authz.port | default (add .Values.config.server.port 2) }}
+ protocol: TCP
+ {{- end }}
 {{- if .Values.env }}
 env:
 {{- toYaml .Values.env | nindent 8 }}
@@ -87,6 +95,11 @@ spec:
 - name: data
 mountPath: /app/data
 {{- end }}
+ {{- if .Values.config.authz.enabled }}
+ - name: authz-policies
+ mountPath: {{ .Values.config.authz.policiesDir }}
+ readOnly: true
+ {{- end }}
 livenessProbe:
 {{- toYaml .Values.livenessProbe | nindent 10 }}
 readinessProbe:
@@ -110,6 +123,11 @@ spec:
 secret:
 secretName: {{ .Values.userSync.existingSecret }}
 {{- end }}
+ {{- if .Values.config.authz.enabled }}
+ - name: authz-policies
+ configMap:
+ name: {{ if .Values.authz.existingConfigMap }}{{ .Values.authz.existingConfigMap }}{{ else }}{{ include "barycenter.fullname" . }}-authz-policies{{ end }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/deploy/helm/barycenter/templates/service.yaml b/deploy/helm/barycenter/templates/service.yaml
index 8dfeaad..1e90e03 100644
--- a/deploy/helm/barycenter/templates/service.yaml
+++ b/deploy/helm/barycenter/templates/service.yaml
@@ -15,5 +15,11 @@ spec:
 targetPort: http
 protocol: TCP
 name: http
+ {{- if .Values.config.authz.enabled }}
+ - port: {{ .Values.config.authz.port | default (add .Values.config.server.port 2) }}
+ targetPort: authz
+ protocol: TCP
+ name: authz
+ {{- end }}
 selector:
 {{- include "barycenter.selectorLabels" . | nindent 4 }}
diff --git a/deploy/helm/barycenter/values.yaml b/deploy/helm/barycenter/values.yaml
index 92d4172..9592c60 100644
--- a/deploy/helm/barycenter/values.yaml
+++ b/deploy/helm/barycenter/values.yaml
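Review bot: The volume always points at `<fullname>-authz-policies` when `authz.existingConfigMap` is empty, but authz-policies-configmap.yaml in this change renders that ConfigMap only when `authz.policies` is non-empty; with `config.authz.enabled: true` and the default `policies: {}` the pod references a ConfigMap that is never created and stays in ContainerCreating. Failing closed is the right outcome for an authorization service, but it should fail at template time with a reason: `{{- if and .Values.config.authz.enabled (not .Values.authz.existingConfigMap) (not .Values.authz.policies) }}{{ fail "config.authz.enabled requires authz.policies or authz.existingConfigMap" }}{{- end }}` near the top of deployment.yaml. The `volumes:` list begins outside the hunk.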
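Review bot: The authz port is appended to the same Service as the public OIDC `http` port, so with a `NodePort` or `LoadBalancer` service type (set elsewhere in values, not visible here) the internal authz API is published externally alongside it, and the NetworkPolicy from this change filters only pod-to-pod traffic and only where the CNI enforces it. A dedicated ClusterIP Service for the authz port (same selector, only the `authz` port, `type: ClusterIP` fixed rather than taken from values) keeps the external exposure unchanged when authz is turned on. At minimum, a comment on the new port entry saying `# internal API: must not be reachable through a public Service type` records the constraint for operators.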
@@ -118,6 +118,27 @@ config:
 federation:
 trustAnchors: []
+ authz:
+ enabled: false
+ # port defaults to server.port + 2 if not set
+ # port: 8082
+ policiesDir: "/app/policies"
+
+# Authorization policy service
+authz:
+ # Inline KDL policy files (rendered into a ConfigMap)
+ # Each key is a filename, value is the KDL policy content
+ policies: {}
+ # vm_policy.kdl: |
+ # resource "vm" { ... }
+
+ # OR reference an existing ConfigMap containing .kdl files
+ existingConfigMap: ""
+
+ # NetworkPolicy restricting authz port to same-namespace pods only
+ networkPolicy:
+ enabled: true
+
 # Environment variables for main container
 # Supports full Kubernetes env var specification including valueFrom
 env:
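Review bot: `networkPolicy.enabled: true` reads as a guarantee, but a NetworkPolicy object is only enforced by a CNI that implements it, and the comment above it does not say so; suggested wording: `# NetworkPolicy restricting authz port to same-namespace pods only. Only enforced by CNIs that implement NetworkPolicy; elsewhere the authz port is reachable cluster-wide.`. The `policies` comment should also state that exactly one of `policies` or `existingConfigMap` must be set when `config.authz.enabled` is true, since with the defaults shown here the chart's Deployment mounts a ConfigMap that the chart never renders. Documenting which pods need access to the authz port (the `podSelector: {}` rule in the NetworkPolicy admits all of them) would help operators judge whether the default is tight enough.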