Gonzalo Gabriel Jiménez Fuentes (mendrugory), Málaga, Spain, www.mendrugory.com. "Always up in the clouds"

mendrugory/conejo 14

Conejo is a library based on pma/amqp which will help you to define your AMQP/RabbitMQ publishers and consumers in an easier way.

mendrugory/Airports 11

The app will locate you and show your current location, with a given accuracy, on a Leaflet map together with the 10 closest airports.

mendrugory/cartografo 4

CLI tool to generate Kubernetes ConfigMaps or Secrets with a lot of data entries from files.

mendrugory/barenboim 2

Barenboim is prepared to tackle data streaming dependencies in concurrent flows.

mendrugory/comiccon 2

Download the comics that make you happy

mendrugory/autopush 1

Python Web Push Server used by Mozilla

mendrugory/Blockchain-Developer-Resources 1

List of opinionated links to resources useful to blockchain and bitcoin developers

mendrugory/docker-awscli 1

Dockerfile for awscli

push event mendrugory/blog (push time in 4 days)
Gonzalo Gabriel Jiménez Fuentes, commit sha 322a64e10c9359e904493dea57fbe45817e3caf5: update

push event mendrugory/blog (push time in 4 days)
Gonzalo Gabriel Jiménez Fuentes, commit sha 4c27b6f3604154fa6a7c7e35f81c2ab696ba5ca2: update
Gonzalo Gabriel Jiménez Fuentes, commit sha 2e7dc23738b6d4098f8ef20d82b1eed42f520a73: update

started Azure/aad-pod-identity (started time in a month)


pull request comment clastix/capsule

release(fix): duplicate release for helm chart

Thanks @viveksyngh for your contribution!!

viveksyngh, comment created time in a month

Pull request review comment clastix/capsule

Container Registry enforcement requires FQCI

 func (r registry) Tag() string {  func NewRegistry(value string) Registry { 	reg := make(registry)-	r := regexp.MustCompile(`(((?P<registry>[a-zA-Z0-9-._]+)\/)?((?P<repository>[a-zA-Z0-9-._]+)\/))?(?P<image>[a-zA-Z0-9-._]+)(:(?P<tag>[a-zA-Z0-9-._]+))?`)+	r := regexp.MustCompile(`((?P<registry>[a-zA-Z0-9-._]+)/)?((?P<repository>[a-zA-Z0-9-._]+)/)?(?P<image>[a-zA-Z0-9-._]+)(:(?P<tag>[a-zA-Z0-9-._]+))?`)
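Review bot: the new pattern is still unanchored and its name class `[a-zA-Z0-9-._]` contains no `:`, so a registry with a port (`host:5000/image`) or a reference with more path segments than the two the pattern provides for still matches, only with the wrong groups filled (the port lands in `tag`; a third segment becomes `image` and the remainder is silently ignored) instead of being rejected; anchor it with `^` and `$` and decide explicitly whether ports and deeper repository paths are in scope. The change from `\/` to `/` is harmless, since `/` is not a metacharacter in Go's RE2 syntax and both spellings compile to the same pattern. The class also admits names beginning with `.` or `_`; if those are meant to be refused, a leading `[a-zA-Z0-9]` before the repeated class would do it.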

About having more than one "repository section": it was just a question.

About the special characters: they can have them, but I think that they can't begin with them.

They were just some comments. It looks good to me.

prometherion, comment created time in a month

Pull request review comment clastix/capsule

Container Registry enforcement requires FQCI

 func (r registry) Tag() string {  func NewRegistry(value string) Registry { 	reg := make(registry)-	r := regexp.MustCompile(`(((?P<registry>[a-zA-Z0-9-._]+)\/)?((?P<repository>[a-zA-Z0-9-._]+)\/))?(?P<image>[a-zA-Z0-9-._]+)(:(?P<tag>[a-zA-Z0-9-._]+))?`)+	r := regexp.MustCompile(`((?P<registry>[a-zA-Z0-9-._]+)/)?((?P<repository>[a-zA-Z0-9-._]+)/)?(?P<image>[a-zA-Z0-9-._]+)(:(?P<tag>[a-zA-Z0-9-._]+))?`)

A concern about this regex is that names could begin with non-allowed characters like `.` or `_`. I know that it is an edge case which should be forced by the user.

prometherion, comment created time in a month

Pull request review comment clastix/capsule

Container Registry enforcement requires FQCI

 func (r registry) Tag() string {  func NewRegistry(value string) Registry { 	reg := make(registry)-	r := regexp.MustCompile(`(((?P<registry>[a-zA-Z0-9-._]+)\/)?((?P<repository>[a-zA-Z0-9-._]+)\/))?(?P<image>[a-zA-Z0-9-._]+)(:(?P<tag>[a-zA-Z0-9-._]+))?`)+	r := regexp.MustCompile(`((?P<registry>[a-zA-Z0-9-._]+)/)?((?P<repository>[a-zA-Z0-9-._]+)/)?(?P<image>[a-zA-Z0-9-._]+)(:(?P<tag>[a-zA-Z0-9-._]+))?`)

Could it have problems without escaping the backslash?

prometherion, comment created time in a month

Pull request review comment clastix/capsule

Container Registry enforcement requires FQCI

 func (r registry) Tag() string {  func NewRegistry(value string) Registry { 	reg := make(registry)-	r := regexp.MustCompile(`(((?P<registry>[a-zA-Z0-9-._]+)\/)?((?P<repository>[a-zA-Z0-9-._]+)\/))?(?P<image>[a-zA-Z0-9-._]+)(:(?P<tag>[a-zA-Z0-9-._]+))?`)+	r := regexp.MustCompile(`((?P<registry>[a-zA-Z0-9-._]+)/)?((?P<repository>[a-zA-Z0-9-._]+)/)?(?P<image>[a-zA-Z0-9-._]+)(:(?P<tag>[a-zA-Z0-9-._]+))?`)

Is it allowed to have more than one "repository" section (i.e. myregistry/section2/department4/user56/myimage:latest)?

prometherion, comment created time in a month
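The questions raised in these review comments (nested repository paths, names beginning with `.` or `_`) can be settled by running the regex. The Go program below is an added example, not code from the capsule project: `hunkRe` is the pattern from the hunk's `+` line, `strictRe` is a variant written here for comparison, and the sample references are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// hunkRe is the pattern from the "+" line of the reviewed hunk, unanchored.
var hunkRe = regexp.MustCompile(`((?P<registry>[a-zA-Z0-9-._]+)/)?((?P<repository>[a-zA-Z0-9-._]+)/)?(?P<image>[a-zA-Z0-9-._]+)(:(?P<tag>[a-zA-Z0-9-._]+))?`)

// strictRe is this example's own variant, not the project's: anchored at both
// ends so the whole reference must be consumed, and each name must start with
// an alphanumeric character (the leading "." / "_" concern from the review).
var strictRe = regexp.MustCompile(`^(?:(?P<registry>[a-zA-Z0-9][a-zA-Z0-9-._]*)/)?(?:(?P<repository>[a-zA-Z0-9][a-zA-Z0-9-._]*)/)?(?P<image>[a-zA-Z0-9][a-zA-Z0-9-._]*)(?::(?P<tag>[a-zA-Z0-9-._]+))?$`)

// Ref holds the four named groups; Matched is false when the regex rejected the input.
type Ref struct {
	Registry, Repository, Image, Tag string
	Matched                          bool
}

// Parse runs re over s (Go's leftmost-first semantics) and maps the named groups.
func Parse(re *regexp.Regexp, s string) Ref {
	m := re.FindStringSubmatch(s)
	if m == nil {
		return Ref{}
	}
	group := func(name string) string { return m[re.SubexpIndex(name)] }
	return Ref{group("registry"), group("repository"), group("image"), group("tag"), true}
}

// Constructed inputs: a well-formed reference, the nested path asked about in
// the review, a name with a leading ".", and a registry carrying a port.
var samples = []string{
	"docker.io/library/nginx:1.21",
	"myregistry/section2/department4/user56/myimage:latest",
	".hidden:latest",
	"localhost:5000/myimage:v1",
}

func main() {
	for _, s := range samples {
		fmt.Printf("%-55s hunk=%+v\n%-55s strict=%+v\n", s, Parse(hunkRe, s), "", Parse(strictRe, s))
	}
}
```

The unanchored pattern accepts all four inputs but misfiles the port as a tag and truncates the nested path at the third segment; the anchored variant rejects the three problematic ones outright.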

push event clastix/capsule-proxy (push time in a month)
Gonzalo Gabriel Jiménez Fuentes, commit sha a1ba0e8b81cce211c82bb4a05138f0663f34c659: Allowing http with bearer token authentication (#169)

delete branch clastix/capsule-proxy: gonzalo/allowing_http (delete time in a month)

PR merged clastix/capsule-proxy

Allowing http with bearer token authentication

it closes #168

+361 -77, 13 comments, 47 changed files

mendrugory, pr closed time in a month

issue closed clastix/capsule-proxy

capsule-proxy should support working with ingress controller with tls-termination

It is quite a common scheme for many enterprises to use TLS termination on the ingress side because it simplifies certificate management.

Mostly these setups use capsule-proxy with bearer token authentication, so after #162 was merged it is now impossible to support them, and that becomes a backward-incompatible change.

We need to figure out how we can support it without compromising overall capsule-proxy security.

MaxFedotov, closed time in a month

pull request comment clastix/capsule-proxy

Allowing http with bearer token authentication

Here are the scenarios we tested:

1. Direct access to api server with OIDC integration >>> No issues

2. Access to api server with OIDC integration and capsule-proxy with TLS enabled >>> No issues

3. Access to api server through capsule-proxy with TLS disabled >>> It is being designed to work with http clients always using a Bearer Token. With this configuration it works. If no Bearer Token is provided, then a 403 code is returned.

   Installation: install capsule-proxy in http mode (no certs) and expose port 9002 from the lab.

   Tests:

   * Log in as pepe

   * curl

     1. Get the token for pepe
     2. Use curl to retrieve data with a right token: `curl -k -H "Authorization: Bearer $TOKEN" http://capsule-proxy:9002/api/v1/namespaces/tenant1-pepe2/pods`
     3. Use curl to retrieve data with a wrong token: `curl -k -H "Authorization: Bearer asdf" http://capsule-proxy:9002/api/v1/namespaces/tenant1-pepe2/pods`
     4. Use curl to retrieve data with no authorization header: `curl -k  http://capsule-proxy:9002/api/v1/namespaces/tenant1-pepe2/pods`
     5. Use curl to retrieve data from a forbidden place: `curl -k -H "Authorization: Bearer $TOKEN" http://capsule-proxy:9002/api/v1/namespaces/kube-system/pods`

   * kubectl

     1. Adapt kubeconfig to work against a cluster whose server is: `http://capsule-proxy:9002`
     2. Run kubectl with verbosity: `kubectl get ns -v 10`
     3. Using `kubectl` could provoke a bad UX. It does not send any sensitive data when it works against http.

4. Access to api server (with OIDC integration) through Ingress Controller (HAProxy) in TLS pass-through mode and capsule-proxy with TLS enabled >>> No issues

   ```yaml
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     labels:
       app.kubernetes.io/name: capsule-proxy
     annotations:
       ingress.kubernetes.io/ssl-passthrough: "true"
     name: capsule-proxy
     namespace: capsule-system
   spec:
     rules:
     - host: capsule-proxy
       http:
         paths:
         - backend:
             service:
               name: capsule-proxy
               port:
                 number: 9001
           path: /
           pathType: Prefix
   ```

5. Access to api server (with OIDC integration) through Ingress Controller (HAProxy) in TLS termination mode and capsule-proxy with TLS disabled >>> No issues

   ```yaml
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     labels:
       app.kubernetes.io/name: capsule-proxy
     annotations:
       #ingress.kubernetes.io/ssl-passthrough: "true"
     name: capsule-proxy
     namespace: capsule-system
   spec:
     rules:
     - host: capsule-proxy
       http:
         paths:
         - backend:
             service:
               name: capsule-proxy
               port:
                 number: 9001
           path: /
           pathType: Prefix
   ```

@mendrugory thanks!

@bsctl That is a good text to be included, in some way, as documentation. What do you think?

mendrugory

comment created time in a month
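To make the rule behind scenario 3 concrete, here is an added Go example (not capsule-proxy's code) of the middleware decision the PR describes: with TLS on, a client certificate or a Bearer token identifies the caller; with TLS off, only a Bearer token can. `RequireIdentity` and `Probe` are names chosen here, the request path is taken from the curl tests above, the constructed token is not validated, and this example answers 401 where the real proxy is reported to answer 403.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// RequireIdentity: with TLS on the listener, a verified client certificate or a
// Bearer token identifies the caller; with TLS off no certificate can exist, so
// a Bearer token is mandatory. Token validity is a separate step, not done here.
func RequireIdentity(tlsEnabled bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hasCert := r.TLS != nil && len(r.TLS.PeerCertificates) > 0
		auth := r.Header.Get("Authorization")
		hasBearer := len(auth) > 7 && auth[:7] == "Bearer "
		switch {
		case tlsEnabled && (hasCert || hasBearer), !tlsEnabled && hasBearer:
			next.ServeHTTP(w, r)
		default:
			http.Error(w, "no client certificate or bearer token", http.StatusUnauthorized)
		}
	})
}

// Probe sends one constructed request through the middleware and returns the status.
// withCert fakes a completed mTLS handshake by filling r.TLS, which httptest does not do.
func Probe(tlsEnabled, withCert bool, authHeader string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/api/v1/namespaces/tenant1-pepe2/pods", nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	if withCert {
		req.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{{}}}
	}
	rec := httptest.NewRecorder()
	RequireIdentity(tlsEnabled, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const tok = "Bearer constructed-token-not-a-real-jwt"
	fmt.Println("https + client cert:", Probe(true, true, ""))   // 200
	fmt.Println("https + bearer     :", Probe(true, false, tok)) // 200
	fmt.Println("http  + bearer     :", Probe(false, false, tok)) // 200
	fmt.Println("http  + no header  :", Probe(false, false, "")) // 401
}
```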

started AzureAD/microsoft-authentication-library-for-go (started time in a month)

push event clastix/capsule-proxy (push time in a month)
Gonzalo Gabriel Jiménez Fuentes, commit sha 83c4635b80bfdd90d51d7acc6d11ba961aea67c4: fix!: allowing http with bearer token authentication
Gonzalo Gabriel Jiménez Fuentes, commit sha b580f34b9aa4ef22de4126ad9f62b3eabaa27a06: docs: http support
Gonzalo Gabriel Jiménez Fuentes, commit sha 8b57ae382499c0e3e015e4e175ea58c113ecdc94: feat!(e2e): e2e tests to support http mode

push event clastix/capsule-proxy (push time in a month)
Gonzalo Gabriel Jiménez Fuentes, commit sha 71c4fdcd0b69162e47fe394034cef11c2892a6c4: wip
Gonzalo Gabriel Jiménez Fuentes, commit sha fb34ce7dda8404e2681c9cb8743b7f6e8db81ad0: docs: http support
Gonzalo Gabriel Jiménez Fuentes, commit sha 439fcbd2f50267046752af0d68c9d6d668706e26: feat!(e2e): e2e tests to support http mode

Pull request review comment clastix/capsule-proxy

Allowing http with bearer token authentication

 func CheckAuthorization(client client.Client, log logr.Logger) mux.MiddlewareFun 				errors.HandleUnauthorized(writer, err, "authorization header does not contain valid data.") 			} -			if !isCertificates && !isBearerToken {+			if tls && (!isCertificates && !isBearerToken) { 				errors.HandleUnauthorized(writer, err, "cannot determinate the current user due to no cert-based authentication nor valid JWT token.") 			} +			if !tls && !isBearerToken {+				errors.HandleUnauthorized(writer, err, "cannot determinate the current user, no cert-based authentication is available when TLS is disabled and no JWT token is detected.")
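Review bot: none of the `errors.HandleUnauthorized` calls visible in this hunk, including the two new branches, is followed by a `return`; if that helper only writes the response, the handler keeps executing and the next middleware in the chain receives a request that has already been refused, so confirm the flow stops after each call (or add `return`). The new `!tls && !isBearerToken` branch also hands over `err`, which was set by the Authorization-header parsing above and may be nil on this path; a fresh error naming the actual condition would produce a clearer log line. Minor: `determinate` should read `determine` in both messages.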

@bsctl The response will not show anything other than the forbidden access.

mendrugory, comment created time in a month

pull request comment clastix/capsule-proxy

Allowing http with bearer token authentication

@mendrugory not sure if related to this commit and not sure if as expected. From logs I can see checking the Bearer Token twice:


Could you please cross-check? Thanks

That is a very old log. I will remove it.

mendrugory

comment created time in a month

push event clastix/capsule-proxy (push time in a month)
Gonzalo Gabriel Jiménez Fuentes, commit sha 2ab03297f5b69d334b39a8af2ecd3d43a84c7205: fix!: allowing http with bearer token authentication
Gonzalo Gabriel Jiménez Fuentes, commit sha b0f8ecc3649ce61dbb1b9a89f705c061e9bc060e: docs: http support
Gonzalo Gabriel Jiménez Fuentes, commit sha 4e342500a5781df7a1432d17e3292d6ea28ee584: feat!(e2e): e2e tests to support http mode

pull request comment clastix/capsule-proxy

Allowing http with bearer token authentication

The most challenging part has been to support a new kind of e2e test defined by client (kubectl or curl) and capsule-proxy mode (http or https).

@bsctl You can check that the kubectl-http test tries to avoid the issue described by #156. Currently, not many tests have been added, but the mechanism is in place.

mendrugory

comment created time in a month

push event clastix/capsule-proxy (push time in a month)
Gonzalo Gabriel Jiménez Fuentes, commit sha 86cfa27eb1ecadfd425601ae9fa4e5b0d247daee: feat!(e2e): e2e tests to support http mode

push event clastix/capsule-proxy (push time in a month)
Gonzalo Gabriel Jiménez Fuentes, commit sha b90e66c3c15301883ea53b5030e1f3d45dfdacc5: feat!(e2e): e2e tests to support http mode

push event clastix/capsule-proxy (push time in a month)
Gonzalo Gabriel Jiménez Fuentes, commit sha 109af48ce0deb8580cc4d1f7ae5f1815ae569f59: feat(e2e): e2e tests to support http mode

push event clastix/capsule-proxy (push time in a month)
Gonzalo Gabriel Jiménez Fuentes, commit sha a91d2cf852293b527d71510127aa40ed38663e46: feat(e2e): e2e tests to support http mode
