initial implementation in nodejs

Author: Shogan

.dockerignore

@@ -0,0 +1,5 @@
+env_var_requirements.txt
+/node_modules
+.gitignore
+README.md
+*.log

.gitignore

@@ -0,0 +1,5 @@
+/node_modules/
+*.log
+*.env*
+*.pem
+

README.md

@@ -0,0 +1,42 @@
+# node-kubernetes-github-authn
+
+Kubernetes Webhook RBAC authentication service written in NodeJS to run as a daemon set across cluster master nodes.
+
+- Handles RBAC authentication requests from K8s by checking if the user (token) is valid and exists for a user in Github with the username associated against any relevant Kubernetes rolebindings or clusterrolebinding mappings.
+
+## Install and run local dev
+
+- npm install (to install required npm packages)
+- npm install -g nodemon (to install nodemon)
+- nodemon (from the repo directory to launch node and invoke server.js) - this is better for local dev iteration than running ```node server.js``` as it will restart the app every time you make changes to files
+
+## Docker image building
+
+From the root directory of the project (i.e. where the .dockerignore file is, as well as server.js), run:
+
+- docker build -t node-kubernetes-github-authn:{VERSION TAG} -f .\docker\Dockerfile .
+
+This will build the Dockerfile in the context of the root project folder, so that the COPY command in the Dockerfile copies in the files from this level (locally).
+
+## Docker run local dev
+
+docker run node-kubernetes-github-authn:{VERSION TAG}/latest
+
+## Pull image down from the public Docker registry
+
+Pull the image down using: shoganator/kubernetes-github-authn-node
+
+## AWS ECR push Docker images
+
+If you want to build and push up to ECR (e.g. for private K8s clusters that don't have access to public docker registry) you can use the following:
+
+- Invoke-Expression -Command (aws ecr get-login --no-include-email --region us-east-1)
+- docker build -t node-kubernetes-github-authn -f .\docker\Dockerfile .
+- docker tag node-kubernetes-github-authn:latest yourawsaccountnumber.dkr.ecr.us-east-1.amazonaws.com/node-kubernetes-github-authn:latest
+- docker tag node-kubernetes-github-authn:{VERSION TAG} yourawsaccountnumber.dkr.ecr.us-east-1.amazonaws.com/node-kubernetes-github-authn:{VERSION TAG}
+- docker push yourawsaccountnumber.dkr.ecr.us-east-1.amazonaws.com/node-kubernetes-github-authn:latest
+- docker push yourawsaccountnumber.dkr.ecr.us-east-1.amazonaws.com/node-kubernetes-github-authn:{VERSION TAG}
+
+## Container logging
+
+Winston is configured to write logs to both the console of the container as well as to a rolling log file under /logs. Please ensure your docker container build includes the /logs directory.

docker/Dockerfile

@@ -0,0 +1,13 @@
+FROM node:9.5.0-alpine
+
+RUN mkdir -p /usr/src/node-kubernetes-github-authn
+WORKDIR /usr/src/node-kubernetes-github-authn
+COPY . /usr/src/node-kubernetes-github-authn
+
+# If you have native dependencies, you'll need extra tools
+# RUN apk add --no-cache make gcc g++ python
+
+RUN npm install --production
+EXPOSE 3000
+
+CMD ["node", "server.js"]

k8s-artifacts/daemonset.yaml

@@ -0,0 +1,32 @@
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  labels:
+    k8s-app: github-authn-node
+  name: github-authn-node
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      k8s-app: github-authn-node
+  template:
+    metadata:
+      labels:
+        k8s-app: github-authn-node
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      containers:
+      - image: shoganator/kubernetes-github-authn-node
+        name: kubernetes-github-authn-node
+        ports:
+        - containerPort: 3000
+          hostPort: 3000
+          protocol: TCP
+      hostNetwork: true
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      restartPolicy: Always

k8s-artifacts/webhook-configuration.json

@@ -0,0 +1,31 @@
+{
+    "kind": "Config",
+    "apiVersion": "v1",
+    "preferences": {},
+    "clusters": [
+        {
+            "name": "github-authn-node",
+            "cluster": {
+                "server": "http://localhost:3000/authenticate"
+            }
+        }
+    ],
+    "users": [
+        {
+            "name": "authn-apiserver",
+            "user": {
+                "token": "secret"
+            }
+        }
+    ],
+    "contexts": [
+        {
+            "name": "webhook",
+            "context": {
+                "cluster": "github-authn-node",
+                "user": "authn-apiserver"
+            }
+        }
+    ],
+    "current-context": "webhook"
+}

logs/winston-logs-go-here.txt

@@ -0,0 +1,25 @@
+var winston = require('winston')
+require('winston-daily-rotate-file')
+
+var consoleTransport = new winston.transports.Console({
+  timestamp: true,
+  colorize: true
+})
+
+var dailyRotateTransport = new (winston.transports.DailyRotateFile)({
+  filename: './logs/node-kubernetes-github-authn.log',
+  datePattern: 'yyyy-MM-dd.',
+  localTime: false,
+  prepend: true,
+  maxDays: 180,
+  level: 'info'
+})
+
+var logger = new (winston.Logger)({
+  transports: [
+    consoleTransport,
+    dailyRotateTransport
+  ]
+})
+
+module.exports = logger

modules/logger.js

@@ -0,0 +1,24 @@
+{
+  "name": "node-kubernetes-github-authn",
+  "version": "1.0.0",
+  "description": "",
+  "main": "server.js",
+  "dependencies": {
+    "body-parser": "^1.18.2",
+    "chump": "^1.2.0",
+    "express": "^4.16.2",
+    "express-validator": "^4.3.0",
+    "kubernetes-client": "^4.0.0",
+    "octonode": "0.9.2",
+    "request": "^2.87.0",
+    "winston": "^2.4.0",
+    "winston-daily-rotate-file": "^1.7.2"
+  },
+  "devDependencies": {},
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "start": "node server.js"
+  },
+  "author": "Sean Duffy",
+  "license": "ISC"
+}

package.json

@@ -0,0 +1,85 @@
+"use strict";
+
+const express = require("express")
+const bodyParser = require('body-parser')
+const expressValidator = require('express-validator')
+const github = require('octonode')
+const logger = require('./modules/logger')
+const port = 3000
+
+let app = express();
+
+// Setup various middlewares
+app.use(bodyParser.urlencoded({ extended: false}))
+app.use(bodyParser.json())
+app.use(expressValidator({
+  errorFormatter: function(param, msg, value) {
+    var namespace = param.split('.')
+    , root = namespace.shift()
+    , formParam = root
+
+    while(namespace.length) {
+      formParam += '[' + namespace.shift() + ']'
+    }
+    return {
+      param : formParam,
+      msg : msg,
+      value: value
+    }
+  }
+}))
+
+// Setup application routes
+app.get('/', (req, res) => {
+  logger.info('ping')
+  res.sendStatus(200)
+})
+
+app.post('/authenticate', (req, res) => {
+  let postData = req.body
+  if (postData === null || postData === 'undefined') {
+    let responseJson = {
+      'apiVersion': 'authentication.k8s.io/v1beta1',
+      'kind': 'TokenReview',
+      'status': {
+        'Authenticated': false
+      }
+    }
+    res.status(401).send(responseJson)
+  } else {
+    
+    let token = postData.spec.token
+    let client = github.client(token)
+    client.get('/user', {}, function (err, status, body, headers) {
+      if (err) {
+        logger.error('could not retrieve user with the token passed in.', err)
+        let responseJson = {
+          'apiVersion': 'authentication.k8s.io/v1beta1',
+          'kind': 'TokenReview',
+          'status': {
+            'Authenticated': false
+          }
+        }
+        res.status(401).send(responseJson)
+      } else {
+        logger.info('authenticated OK with github for user: ' + body.login)
+        let responseJson = {
+          'apiVersion': 'authentication.k8s.io/v1beta1',
+          'kind': 'TokenReview',
+          'status': {
+            'Authenticated': true,
+            'User': {
+              'Username': body.login,
+              'UID': body.login
+              // Potentially in the future get user team membership from github, and pass into Groups[] here...
+            }
+          }
+        }
+        res.status(200).send(responseJson)
+      }
+    })
+  }
+})
+
+app.listen(port);
+logger.info('Application started and listening on port ' + port)