Hello community, here is the log from the commit of package velum for openSUSE:Factory checked in at 2018-02-09 15:51:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/velum (Old) and /work/SRC/openSUSE:Factory/.velum.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "velum" Fri Feb 9 15:51:13 2018 rev:5 rq:574233 version:3.0.0+dev+git_r644_b0361e81be2d64b10de6b8c676dce394044f164a Changes: -------- --- /work/SRC/openSUSE:Factory/velum/velum.changes 2018-02-02 22:23:26.734616949 +0100 +++ /work/SRC/openSUSE:Factory/.velum.new/velum.changes 2018-02-09 15:51:17.803309230 +0100 
@@ -1,0 +2,47 @@ +Thu Feb 8 12:28:28 UTC 2018 - containers-bugowner@suse.de + +- Commit b12fdf4 by Kiall Mac Innes kiall@macinnes.ie + Add manual kubeconfig setup instructions + + Add instructions for manually adding a cluster to a pre-existing kubeconfig + file. + + +------------------------------------------------------------------- +Wed Feb 7 17:25:39 UTC 2018 - containers-bugowner@suse.de + +- Commit 2db24eb by Kiall Mac Innes kiall@macinnes.ie + Use separate Dex clients for each actual client + + Previously Velum, CaaSP CLI, and Kubernetes all shared a single Dex client. + From a security perspective, this was far from ideal. + + Update Velum to: + + * Generate a unique secret for the Velum and Kubernetes client during setup + * Add a migration to generate secrets during upgrade + * Use the Velum client to auth with Dex + * Request a token from Dex which is valid for the kubernetes client + + +------------------------------------------------------------------- +Tue Feb 6 17:55:27 UTC 2018 - containers-bugowner@suse.de + +- Commit 48188f1 by Chris Olstrom chris@olstrom.com + Add fallback link to fetch kubeconfig if redirect fails + + +------------------------------------------------------------------- +Tue Feb 6 17:03:32 UTC 2018 - containers-bugowner@suse.de + +- Commit 01453e3 by James Mason jmason@suse.com + Update login feature spec + + I had issues with a failing test that used inconsitent access to the 'Log in' + button, so I've updated it to match the rest of the spec. + + Additionally, the descriptions didn't make sense in documentation format so I + reworded them. + + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ velum.spec ++++++ --- /var/tmp/diff_new_pack.fsQMng/_old 2018-02-09 15:51:18.727276045 +0100 +++ /var/tmp/diff_new_pack.fsQMng/_new 2018-02-09 15:51:18.731275901 +0100 
@@ -23,7 +23,7 @@ # Version: 1.0.0 # %%define branch 1.0.0 -Version: 3.0.0+dev+git_r636_348aa62ece758fd9933ade7f585ec04e8d8d32a4 +Version: 3.0.0+dev+git_r644_b0361e81be2d64b10de6b8c676dce394044f164a Release: 0 %define branch master Summary: Dashboard for CaasP @@ -96,7 +96,7 @@ %description velum is the dashboard for CaasP to manage and deploy kubernetes clusters on top of MicroOS -This package has been built with commit 348aa62ece758fd9933ade7f585ec04e8d8d32a4 from branch master on date Fri, 02 Feb 2018 11:59:01 +0000 +This package has been built with commit b0361e81be2d64b10de6b8c676dce394044f164a from branch master on date Thu, 08 Feb 2018 12:27:49 +0000 %prep %setup -q -n velum-%{branch} ++++++ master.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/velum-master/app/controllers/oidc_controller.rb new/velum-master/app/controllers/oidc_controller.rb --- old/velum-master/app/controllers/oidc_controller.rb 2018-02-02 13:00:11.000000000 +0100 +++ new/velum-master/app/controllers/oidc_controller.rb 2018-02-08 13:27:18.000000000 +0100 @@ -30,7 +30,11 @@ end def client_id - "caasp-cli" + "velum" + end + + def client_secret + Pillar.value(pillar: :dex_client_secrets_velum) end def index 
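Review bot: `client_secret` hands back whatever `Pillar.value(pillar: :dex_client_secrets_velum)` returns, and the `client` method in a later hunk (`@@ -120,7 +136,7 @@`) memoizes it into `@client ||= OpenIDConnect::Client.new(... secret: client_secret ...)`; the `|| SecureRandom.uuid` fallback in setup_controller suggests `Pillar.value` can return nil, in which case a nil secret is cached and every Dex exchange fails with an error that points nowhere near the cause. Failing at the source is clearer: `Pillar.value(pillar: :dex_client_secrets_velum) || raise("dex_client_secrets_velum pillar is not set")`. A one-line comment above the method saying where the secret comes from (bootstrap in setup_controller, or the GenerateDexSecrets migration on upgrade) would also save the next reader a search.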
@@ -57,24 +61,27 @@
 id_token.verify!(
 issuer: issuer,
 client_id: client_id,
- nonce: stored_nonce
+ nonce: stored_nonce,
+ audience: "kubernetes"
 )
- email = id_token.raw_attributes["email"]
- client_id = access_token.client.identifier
- client_secret = access_token.client.secret
- idp_issuer_url = id_token.iss
- refresh_token = access_token.refresh_token
-
- @redirect_target = oidc_kubeconfig_url email: email,
- client_id: client_id,
- client_secret: client_secret,
- id_token: access_token.id_token,
- idp_issuer_url: idp_issuer_url,
- refresh_token: refresh_token
+ @email = id_token.raw_attributes["email"]
+ @client_id = access_token.client.identifier
+ @client_secret = access_token.client.secret
+ @id_token = access_token.id_token
+ @idp_issuer_url = id_token.iss
+ @refresh_token = access_token.refresh_token
+
+ lookup_config
+
+ @redirect_target = oidc_kubeconfig_url email: @email,
+ client_id: @client_id,
+ client_secret: @client_secret,
+ id_token: @id_token,
+ idp_issuer_url: @idp_issuer_url,
+ refresh_token: @refresh_token
 rescue OpenIDConnect::ResponseObject::IdToken::InvalidNonce => e
- redirect_to root_path,
- alert: e.message
+ redirect_to root_path, alert: e.message
 end
 def kubeconfig
@@ -94,6 +101,8 @@
 def lookup_config
 kubeconfig = Velum::Kubernetes.kubeconfig
+ # TODO: Allow cluster_name to be set in pillar during bootstrap
+ @cluster_name = "caasp"
 @apiserver_host = kubeconfig.host
 @ca_crt = kubeconfig.ca_crt
 @client_crt = kubeconfig.client_crt
@@ -106,7 +115,14 @@
 response_type: :code,
 nonce: nonce,
 state: nonce,
- scope: [:openid, :profile, :email, :offline_access, :groups].collect(&:to_s)
+ scope: [
+ :openid,
+ :profile,
+ :email,
+ :offline_access,
+ :groups,
+ "audience:server:client_id:kubernetes"
+ ].collect(&:to_s)
 )
 end
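Review bot: `@client_id = access_token.client.identifier` and `@client_secret = access_token.client.secret` read the credentials of the client Velum itself authenticated with, which after the earlier hunk is `"velum"` with `dex_client_secrets_velum`; the downloaded kubeconfig and the manual instructions therefore give every user Velum's own client credentials, while the `dex_client_secrets_kubernetes` secret generated in setup_controller and the migration is never read anywhere in this diff. Given the token is verified with `audience: "kubernetes"` and requested with the `audience:server:client_id:kubernetes` scope, the kubeconfig presumably should carry the kubernetes client: `@client_id = "kubernetes"` and `@client_secret = Pillar.value(pillar: :dex_client_secrets_kubernetes)` — worth confirming against the Dex client configuration and how kubectl refreshes the token. If handing out the Velum client is intended, a comment on these two lines saying which Dex client the kubeconfig is for would stop the next reader from asking the same question. The action containing `id_token.verify!` starts before this hunk.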
@@ -120,7 +136,7 @@ @client ||= OpenIDConnect::Client.new( identifier: client_id, - secret: "swac7qakes7AvucH8bRucucH", + secret: client_secret, scopes_supported: config.scopes_supported, jwks_uri: config.jwks_uri, authorization_endpoint: config.authorization_endpoint, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/velum-master/app/controllers/setup_controller.rb new/velum-master/app/controllers/setup_controller.rb --- old/velum-master/app/controllers/setup_controller.rb 2018-02-02 13:00:11.000000000 +0100 +++ new/velum-master/app/controllers/setup_controller.rb 2018-02-08 13:27:18.000000000 +0100 @@ -107,6 +107,12 @@ settings["no_proxy"] = "" end + settings["dex_client_secrets_kubernetes"] = \ + Pillar.value(pillar: :dex_client_secrets_kubernetes) \ + || SecureRandom.uuid + settings["dex_client_secrets_velum"] = Pillar.value(pillar: :dex_client_secrets_velum) \ + || SecureRandom.uuid + Velum::LDAP.ldap_pillar_settings!(settings) end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/velum-master/app/models/pillar.rb new/velum-master/app/models/pillar.rb --- old/velum-master/app/models/pillar.rb 2018-02-02 13:00:11.000000000 +0100 +++ new/velum-master/app/models/pillar.rb 2018-02-08 13:27:18.000000000 +0100 
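Review bot: The two new assignments in the setup_controller hunk wrap the same `Pillar.value(...) || SecureRandom.uuid` expression in two different shapes (one breaks after `=` with two continuation lines, the other breaks inside the expression), and the same reuse-or-generate rule is spelled out a third time in the GenerateDexSecrets migration. A small private helper keeps both settings one line each and gives the "keep whatever bootstrap or the migration already stored" rule a single documented home. The helper would sit in the controller's private section, outside this hunk.
```ruby
      settings["dex_client_secrets_kubernetes"] = dex_client_secret(:dex_client_secrets_kubernetes)
      settings["dex_client_secrets_velum"] = dex_client_secret(:dex_client_secrets_velum)

      # … unchanged: Velum::LDAP.ldap_pillar_settings!(settings) …

  # Secret for the given Dex client pillar: an existing value is kept so that
  # re-running setup (or the GenerateDexSecrets migration) never rotates it.
  def dex_client_secret(pillar)
    Pillar.value(pillar: pillar) || SecureRandom.uuid
  end
```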
@@ -14,34 +14,36 @@
 def all_pillars
 {
- dashboard: "dashboard",
- dashboard_external_fqdn: "dashboard_external_fqdn",
- apiserver: "api:server:external_fqdn",
- cluster_cidr: "cluster_cidr",
- cluster_cidr_min: "cluster_cidr_min",
- cluster_cidr_max: "cluster_cidr_max",
- cluster_cidr_len: "cluster_cidr_len",
- services_cidr: "services_cidr",
- api_cluster_ip: "api:cluster_ip",
- dns_cluster_ip: "dns:cluster_ip",
- proxy_systemwide: "proxy:systemwide",
- http_proxy: "proxy:http",
- https_proxy: "proxy:https",
- no_proxy: "proxy:no_proxy",
- tiller: "addons:tiller",
- ldap_host: "ldap:host",
- ldap_port: "ldap:port",
- ldap_bind_dn: "ldap:bind_dn",
- ldap_bind_pw: "ldap:bind_pw",
- ldap_domain: "ldap:domain",
- ldap_group_dn: "ldap:group_dn",
- ldap_people_dn: "ldap:people_dn",
- ldap_base_dn: "ldap:base_dn",
- ldap_admin_group_dn: "ldap:admin_group_dn",
- ldap_admin_group_name: "ldap:admin_group_name",
- ldap_tls_method: "ldap:tls_method",
- ldap_mail_attribute: "ldap:mail_attribute",
- cloud_framework: "cloud:framework"
+ dashboard: "dashboard",
+ dashboard_external_fqdn: "dashboard_external_fqdn",
+ apiserver: "api:server:external_fqdn",
+ cluster_cidr: "cluster_cidr",
+ cluster_cidr_min: "cluster_cidr_min",
+ cluster_cidr_max: "cluster_cidr_max",
+ cluster_cidr_len: "cluster_cidr_len",
+ services_cidr: "services_cidr",
+ api_cluster_ip: "api:cluster_ip",
+ dns_cluster_ip: "dns:cluster_ip",
+ proxy_systemwide: "proxy:systemwide",
+ http_proxy: "proxy:http",
+ https_proxy: "proxy:https",
+ no_proxy: "proxy:no_proxy",
+ tiller: "addons:tiller",
+ ldap_host: "ldap:host",
+ ldap_port: "ldap:port",
+ ldap_bind_dn: "ldap:bind_dn",
+ ldap_bind_pw: "ldap:bind_pw",
+ ldap_domain: "ldap:domain",
+ ldap_group_dn: "ldap:group_dn",
+ ldap_people_dn: "ldap:people_dn",
+ ldap_base_dn: "ldap:base_dn",
+ ldap_admin_group_dn: "ldap:admin_group_dn",
+ ldap_admin_group_name: "ldap:admin_group_name",
+ ldap_tls_method: "ldap:tls_method",
+ ldap_mail_attribute: "ldap:mail_attribute",
+ cloud_framework: "cloud:framework", + dex_client_secrets_kubernetes: "dex:client_secrets:kubernetes", + dex_client_secrets_velum: "dex:client_secrets:velum" } end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/velum-master/app/views/oidc/done.html.slim new/velum-master/app/views/oidc/done.html.slim --- old/velum-master/app/views/oidc/done.html.slim 2018-02-02 13:00:11.000000000 +0100 +++ new/velum-master/app/views/oidc/done.html.slim 2018-02-08 13:27:18.000000000 +0100 @@ -1,4 +1,8 @@ -h1 Download your kubeconfig file +h1 Authenticate with Kubernetes + +p= link_to "You can return to the dashboard once you have prepared your kubeconfig file", root_path + +h2 Option 1: Download your kubeconfig file p | You will see a download dialog that will allow you to download your kubeconfig file. Please, 
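Review bot: The two new `dex_client_secrets_*` entries sit in the same flat mapping as plain configuration such as `dashboard` or `cluster_cidr`, with nothing marking that their values are credentials (the existing `ldap_bind_pw` has the same problem). Anyone who later adds a pillar dump to a log line, a support bundle or an API response gets no cue from this file; a comment above the first of them, `# values under these keys are secrets (Dex client credentials) — never log or export them`, costs nothing. `all_pillars` begins at the top of this hunk, but the class around it is outside it.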
@@ -9,10 +13,38 @@ | like <strong>KUBECONFIG=~/Downloads/kubeconfig kubectl get nodes</strong>. p - | You can also save it to your home in `~/.kube/config`, `kubectl` will automatically read this - | file without the need to specify the <strong>KUBECONFIG</strong> environment variable. + | Alternatively, you can also save it to your home in `~/.kube/config`, `kubectl` will automatically + | read this file without the need to specify the <strong>KUBECONFIG</strong> environment variable. + +p= link_to "Click here if the download has not started automatically.", @redirect_target + +h2 Option 2: Manually configure kubeconfig file + +p + | You can manually configure a client by running these commands: + +pre + | # Create a file containing the Kubernetes API CA Certificate + echo "#{Base64.strict_encode64 @ca_crt}" \ + | base64 -d > ~/.kube/#{@cluster_name}-ca.crt + + # Create the Cluster entry in the ~/.kube/config file + kubectl config set-cluster #{@cluster_name} \ + --server=https://#{@apiserver_host}:6443 \ + --certificate-authority=$(readlink -f ~/.kube/#{@cluster_name}-ca.crt) + + # Create the User entry in the ~/.kube/config file + kubectl config set-credentials "#{@email}" \ + --auth-provider=oidc \ + --auth-provider-arg=client-id="#{@client_id}" \ + --auth-provider-arg=client-secret="#{@client_secret}" \ + --auth-provider-arg=id-token="#{@id_token}" \ + --auth-provider-arg=refresh-token="#{@refresh_token}" \ + --auth-provider-arg=idp-issuer-url="#{@idp_issuer_url}" -p= link_to "You can navigate to the dashboard now, once you have downloaded your kubeconfig file", root_path + # Create and use the cluster context + kubectl config set-context "#{@cluster_name}-#{@email}" --cluster #{@cluster_name} --user="#{@email}" + kubectl config use-context "#{@cluster_name}-#{@email}" = content_for :page_javascript do javascript: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/velum-master/app/views/oidc/kubeconfig.erb 
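Review bot: The new `pre` block renders `@client_secret`, `@id_token` and `@refresh_token` as page text, so the refresh token — a long-lived credential that previously left the server only inside the downloaded file — is now part of an HTML response that browser and intermediate caches may keep; the `done` action (in the controller, outside this hunk) should set `response.headers["Cache-Control"] = "no-store"` before rendering. Separately, `@email` is interpolated into double-quoted shell arguments (`set-credentials "#{@email}"`, `--user="#{@email}"`, the context name) where a `$`, backquote or `"` in the local part would corrupt the pasted command; wrapping it as `#{Shellwords.escape(@email)}` in these interpolations avoids that. `readlink -f` is a GNU coreutils extension and may be missing on macOS, where many kubectl users are — a short caveat next to that command would help.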
new/velum-master/app/views/oidc/kubeconfig.erb
--- old/velum-master/app/views/oidc/kubeconfig.erb 2018-02-02 13:00:11.000000000 +0100
+++ new/velum-master/app/views/oidc/kubeconfig.erb 2018-02-08 13:27:18.000000000 +0100
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Config
 clusters:
-- name: local
+- name: <%= @cluster_name %>
 cluster:
 server: https://<%= @apiserver_host %>:6443
 certificate-authority-data: <%= Base64.strict_encode64 @ca_crt %>
@@ -19,6 +19,8 @@
 idp-issuer-url: <%= @idp_issuer_url %>
 refresh-token: <%= @refresh_token %>
 contexts:
-- context:
- cluster: local
+- name: <%= @cluster_name %>-<%= @email %>
+ context:
+ cluster: <%= @cluster_name %>
 user: <%= @email %>
+current-context: <%= @cluster_name %>-<%= @email %>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/velum-master/db/migrate/20180206150021_generate_dex_secrets.rb new/velum-master/db/migrate/20180206150021_generate_dex_secrets.rb
--- old/velum-master/db/migrate/20180206150021_generate_dex_secrets.rb 1970-01-01 01:00:00.000000000 +0100
+++ new/velum-master/db/migrate/20180206150021_generate_dex_secrets.rb 2018-02-08 13:27:18.000000000 +0100
@@ -0,0 +1,17 @@
+require 'securerandom'
+
+class GenerateDexSecrets < ActiveRecord::Migration
+ def up
+ Pillar.find_or_create_by pillar: "dex:client_secrets:kubernetes" do |pillar|
+ pillar.value = SecureRandom.uuid
+ end
+ Pillar.find_or_create_by pillar: "dex:client_secrets:velum" do |pillar|
+ pillar.value = SecureRandom.uuid
+ end
+ end
+
+ def down
+ Pillar.where(pillar: "dex:client_secrets:kubernetes").destroy_all
+ Pillar.where(pillar: "dex:client_secrets:velum").destroy_all
+ end
+end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/velum-master/db/schema.rb new/velum-master/db/schema.rb
--- old/velum-master/db/schema.rb 2018-02-02 13:00:11.000000000 +0100
+++ new/velum-master/db/schema.rb 2018-02-08 13:27:18.000000000 +0100
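Review bot: `@email` and `@cluster_name` are written into the YAML unquoted in the new `name: <%= @cluster_name %>-<%= @email %>`, the existing `user: <%= @email %>` and the new `current-context:` line; an email containing ` #` or `: `, or a leading `*`, `&` or `@`, yields a kubeconfig that is invalid or names a different user, and the cluster name is slated to become operator-supplied per the TODO in the controller. Emitting them as JSON strings makes them safe YAML scalars: `name: <%= "#{@cluster_name}-#{@email}".to_json %>`, `user: <%= @email.to_json %>` and the same for `current-context:`.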
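Review bot: `find_or_create_by` in `up` leaves an existing `dex:client_secrets:*` row untouched even when its value is blank, and `down` destroys rows that the configured Dex clients and every issued kubeconfig depend on; neither consequence is visible from the code. A comment above `up` stating that the block runs only when no row exists, so a secret written at bootstrap is never rotated by an upgrade, and one above `down` noting that rolling back invalidates the Dex client configuration and all issued kubeconfigs, would document the intent. The pillar keys are repeated here as string literals instead of being taken from `Pillar.all_pillars`; that is common practice for migrations, but a one-line comment saying it is deliberate would stop someone from "fixing" it.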
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20180118103201) do
+ActiveRecord::Schema.define(version: 20180206150021) do
 create_table "certificate_services", force: :cascade do |t|
 t.integer "certificate_id", limit: 4
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/velum-master/spec/features/auth/login_feature_spec.rb new/velum-master/spec/features/auth/login_feature_spec.rb
--- old/velum-master/spec/features/auth/login_feature_spec.rb 2018-02-02 13:00:11.000000000 +0100
+++ new/velum-master/spec/features/auth/login_feature_spec.rb 2018-02-08 13:27:18.000000000 +0100
@@ -1,6 +1,6 @@
 require "rails_helper"
-describe "Login feature" do
+describe "Feature: login dialog" do
 let!(:user) { create(:user) }
 before do
@@ -12,7 +12,7 @@
 expect(page).not_to have_content("You need to sign in or sign up before continuing.")
 end
- it "Existing user is able using his login and password to login into velum" do
+ it "allows a existing user to login into velum with valid credentials" do
 # We don't use Capybara's `login_as` method on purpose, because we are
 # testing the UI for logging in.
 fill_in "user_email", with: user.email
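Review bot: The renamed example in the `@@ -12,7 +12,7 @@` hunk reads `it "allows a existing user to login into velum with valid credentials"` — "a existing" should be "an existing", and since the commit message says these descriptions are meant to read as documentation it is worth fixing before it lands: `it "allows an existing user to login into velum with valid credentials" do`. The next hunk of this file has the same kind of slip in "login plage", but that hunk runs past the end of this excerpt.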
@@ -22,26 +22,26 @@ expect(page).to have_content("Configuration") end - it "Wrong password results in an error message" do - pending("fix the validations") + it "shows an error message when using invalid credentials" do + # pending("fix the validations") fill_in "user_email", with: "foo" fill_in "user_password", with: "bar" - find("input[type=submit]", match: :first).click + click_button("Log in") expect(page).to have_content("Invalid Email or password") end - it "When guest tries to access dashboard - he is redirected to the login page" do + it "redirects to the login plage when a guest tries to access dashboard" do visit root_path expect(page).to have_content("Log in") end - it "User is redirected to the login page when trying to access a protected page" do + it "redirects to the login page when trying to access a protected page" do visit setup_path expect(page).to have_content("You need to sign in or sign up before continuing.") end - it "Successful login when trying to access a page redirects back the guest" do + it "redirects back to a protected page after successful login" do visit setup_path fill_in "user_email", with: user.email