@backstage/plugin-kubernetes-backend 0.14.1 → 0.14.2-next.0

package/CHANGELOG.md

@@ -1,5 +1,40 @@
 # @backstage/plugin-kubernetes-backend
 
+## 0.14.2-next.0
+
+### Patch Changes
+
+- 7233f57: Fixed an issue where a misleading error message would be logged when an
+  unsupported service locator method was specified.
+- a775596: Enabled a way to include custom auth metadata info on the clusters endpoint. If you want to implement a Kubernetes auth strategy which requires surfacing custom auth metadata to the frontend, use the new presentAuthMetadata method on the AuthenticationStrategy interface.
+- 7278d80: The purpose of this patch is to add a new login method which is `googleServiceAccount` configuring the kubernetes properties in the app-config.yaml file with authProvider key
+- daad576: Clusters configured with the `aws` authentication strategy can now customize the
+  `x-k8s-aws-id` header value used to generate tokens. This value can be specified
+  specified via the `kubernetes.io/x-k8s-aws-id` parameter (in
+  `metadata.annotations` for clusters in the catalog, or the `authMetadata` block
+  on clusters in the app-config). This is particularly helpful when a Backstage
+  instance contains multiple AWS clusters with the same name in different regions
+  -- using this new parameter, the clusters can be given different logical names
+  to distinguish them but still use the same ID for the purposes of generating
+  tokens.
+- f180cba: Enabling authentication to kubernetes clusters with mTLS x509 client certs
+- 7f6ff25: Custom per-cluster auth metadata (mainly for use with custom `AuthenticationStrategy` implementations) can now be specified in the `authMetadata` property of clusters in the app-config.
+- Updated dependencies
+  - @backstage/backend-common@0.21.0-next.0
+  - @backstage/plugin-kubernetes-node@0.1.4-next.0
+  - @backstage/catalog-client@1.6.0-next.0
+  - @backstage/plugin-kubernetes-common@0.7.4-next.0
+  - @backstage/plugin-auth-node@0.4.4-next.0
+  - @backstage/plugin-catalog-node@1.6.2-next.0
+  - @backstage/plugin-permission-node@0.7.21-next.0
+  - @backstage/backend-plugin-api@0.6.10-next.0
+  - @backstage/catalog-model@1.4.3
+  - @backstage/config@1.1.1
+  - @backstage/errors@1.2.3
+  - @backstage/integration-aws-node@0.1.8
+  - @backstage/types@1.1.1
+  - @backstage/plugin-permission-common@0.7.12
+
 ## 0.14.1
 
 ### Patch Changes

package/alpha/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-kubernetes-backend",
-  "version": "0.14.1",
+  "version": "0.14.2-next.0",
   "main": "../dist/alpha.cjs.js",
   "types": "../dist/alpha.d.ts"
 }

package/config.d.ts

@@ -46,13 +46,16 @@ export interface Config {
             /** @visibility secret  */
             serviceAccountToken?: string;
             /** @visibility frontend */
-            authProvider:
+            authProvider?:
+              | 'aks'
               | 'aws'
-              | 'google'
-              | 'serviceAccount'
               | 'azure'
+              | 'google'
+              | 'googleServiceAccount'
               | 'oidc'
-              | 'googleServiceAccount';
+              | 'serviceAccount';
+            /** @visibility secret  */
+            authMetadata?: object;
             /** @visibility frontend */
             oidcTokenProvider?: string;
             /** @visibility frontend */
@@ -81,6 +84,8 @@ export interface Config {
           /** @visibility frontend */
           region?: string;
           /** @visibility frontend */
+          authProvider?: string;
+          /** @visibility frontend */
           skipTLSVerify?: boolean;
           /** @visibility frontend */
           skipMetricsLookup?: boolean;

package/dist/index.cjs.js

@@ -61,6 +61,9 @@ class AksStrategy {
   validateCluster() {
     return [];
   }
+  presentAuthMetadata(_authMetadata) {
+    return {};
+  }
 }
 
 class AnonymousStrategy {
@@ -70,6 +73,9 @@ class AnonymousStrategy {
   validateCluster() {
     return [];
   }
+  presentAuthMetadata(_authMetadata) {
+    return {};
+  }
 }
 
 var __defProp$b = Object.defineProperty;
@@ -85,10 +91,11 @@ class AwsIamStrategy {
     this.credsManager = integrationAwsNode.DefaultAwsCredentialsManager.fromConfig(opts.config);
   }
   async getCredential(clusterDetails) {
+    var _a;
     return {
       type: "bearer token",
       token: await this.getBearerToken(
-        clusterDetails.name,
+        (_a = clusterDetails.authMetadata[pluginKubernetesCommon.ANNOTATION_KUBERNETES_AWS_CLUSTER_ID]) != null ? _a : clusterDetails.name,
         clusterDetails.authMetadata[pluginKubernetesCommon.ANNOTATION_KUBERNETES_AWS_ASSUME_ROLE],
         clusterDetails.authMetadata[pluginKubernetesCommon.ANNOTATION_KUBERNETES_AWS_EXTERNAL_ID]
       )
@@ -97,7 +104,7 @@ class AwsIamStrategy {
   validateCluster() {
     return [];
   }
-  async getBearerToken(clusterName, assumeRole, externalId) {
+  async getBearerToken(clusterId, assumeRole, externalId) {
     var _a, _b;
     const region = (_a = process.env.AWS_REGION) != null ? _a : defaultRegion;
     let credentials = (await this.credsManager.getCredentialProvider()).sdkCredentialProvider;
@@ -123,7 +130,7 @@ class AwsIamStrategy {
       {
         headers: {
           host: `sts.${region}.amazonaws.com`,
-          "x-k8s-aws-id": clusterName
+          "x-k8s-aws-id": clusterId
         },
         hostname: `sts.${region}.amazonaws.com`,
         method: "GET",
@@ -147,6 +154,9 @@ class AwsIamStrategy {
     const url = `https://${request.hostname}${request.path}?${query}`;
     return `k8s-aws-v1.${Buffer.from(url).toString("base64url")}`;
   }
+  presentAuthMetadata(_authMetadata) {
+    return {};
+  }
 }
 
 var __defProp$a = Object.defineProperty;
@@ -202,6 +212,9 @@ class AzureIdentityStrategy {
   tokenExpired() {
     return Date.now() >= this.accessToken.expiresOnTimestamp;
   }
+  presentAuthMetadata(_authMetadata) {
+    return {};
+  }
 }
 
 class GoogleStrategy {
@@ -217,6 +230,9 @@ class GoogleStrategy {
   validateCluster() {
     return [];
   }
+  presentAuthMetadata(_authMetadata) {
+    return {};
+  }
 }
 
 class GoogleServiceAccountStrategy {
@@ -233,6 +249,9 @@ class GoogleServiceAccountStrategy {
   validateCluster() {
     return [];
   }
+  presentAuthMetadata(_authMetadata) {
+    return {};
+  }
 }
 
 var __defProp$9 = Object.defineProperty;
@@ -267,6 +286,9 @@ class DispatchStrategy {
     }
     return strategy.validateCluster(authMetadata);
   }
+  presentAuthMetadata(_authMetadata) {
+    return {};
+  }
 }
 
 class ServiceAccountStrategy {
@@ -286,6 +308,9 @@ class ServiceAccountStrategy {
   validateCluster() {
     return [];
   }
+  presentAuthMetadata(_authMetadata) {
+    return {};
+  }
 }
 
 class OidcStrategy {
@@ -312,6 +337,9 @@ class OidcStrategy {
     }
     return [];
   }
+  presentAuthMetadata(_authMetadata) {
+    return {};
+  }
 }
 
 var __defProp$8 = Object.defineProperty;
@@ -328,18 +356,26 @@ class ConfigClusterLocator {
   static fromConfig(config, authStrategy) {
     return new ConfigClusterLocator(
       config.getConfigArray("clusters").map((c) => {
-        var _a, _b;
-        const authProvider = c.getString("authProvider");
+        var _a, _b, _c;
+        const authMetadataBlock = c.getOptional("authMetadata");
+        const name = c.getString("name");
+        const authProvider = (_a = authMetadataBlock == null ? void 0 : authMetadataBlock[pluginKubernetesCommon.ANNOTATION_KUBERNETES_AUTH_PROVIDER]) != null ? _a : c.getOptionalString("authProvider");
+        if (!authProvider) {
+          throw new Error(
+            `cluster '${name}' has no auth provider configured; this must be specified via the 'authProvider' or 'authMetadata.${pluginKubernetesCommon.ANNOTATION_KUBERNETES_AUTH_PROVIDER}' parameter`
+          );
+        }
         const clusterDetails = {
-          name: c.getString("name"),
+          name,
           url: c.getString("url"),
-          skipTLSVerify: (_a = c.getOptionalBoolean("skipTLSVerify")) != null ? _a : false,
-          skipMetricsLookup: (_b = c.getOptionalBoolean("skipMetricsLookup")) != null ? _b : false,
+          skipTLSVerify: (_b = c.getOptionalBoolean("skipTLSVerify")) != null ? _b : false,
+          skipMetricsLookup: (_c = c.getOptionalBoolean("skipMetricsLookup")) != null ? _c : false,
           caData: c.getOptionalString("caData"),
           caFile: c.getOptionalString("caFile"),
           authMetadata: {
             [pluginKubernetesCommon.ANNOTATION_KUBERNETES_AUTH_PROVIDER]: authProvider,
-            ...ConfigClusterLocator.parseAuthMetadata(c)
+            ...ConfigClusterLocator.parseAuthMetadata(c),
+            ...authMetadataBlock
           }
         };
         const customResources = c.getOptionalConfigArray("customResources");
@@ -437,8 +473,10 @@ class GkeClusterLocator {
     const matchingResourceLabels = (_b = (_a = config.getOptionalConfigArray("matchingResourceLabels")) == null ? void 0 : _a.map((mrl) => {
       return { key: mrl.getString("key"), value: mrl.getString("value") };
     })) != null ? _b : [];
+    const storeAuthProviderString = config.getOptionalString("authProvider") === "googleServiceAccount" ? "googleServiceAccount" : "google";
     const options = {
       projectId: config.getString("projectId"),
+      authProvider: storeAuthProviderString,
       region: (_c = config.getOptionalString("region")) != null ? _c : "-",
       skipTLSVerify: (_d = config.getOptionalBoolean("skipTLSVerify")) != null ? _d : false,
       skipMetricsLookup: (_e = config.getOptionalBoolean("skipMetricsLookup")) != null ? _e : false,
@@ -474,6 +512,7 @@ class GkeClusterLocator {
     const {
       projectId,
       region,
+      authProvider,
       skipTLSVerify,
       skipMetricsLookup,
       exposeDashboard,
@@ -497,7 +536,7 @@ class GkeClusterLocator {
           // TODO filter out clusters which don't have name or endpoint
           name: (_a2 = r.name) != null ? _a2 : "unknown",
           url: `https://${(_b = r.endpoint) != null ? _b : ""}`,
-          authMetadata: { [pluginKubernetesCommon.ANNOTATION_KUBERNETES_AUTH_PROVIDER]: "google" },
+          authMetadata: { [pluginKubernetesCommon.ANNOTATION_KUBERNETES_AUTH_PROVIDER]: authProvider },
           skipTLSVerify,
           skipMetricsLookup,
           ...exposeDashboard ? {
@@ -1133,14 +1172,14 @@ class KubernetesClientBasedFetcher {
     let url;
     let requestInit;
     const authProvider = clusterDetails.authMetadata[pluginKubernetesCommon.ANNOTATION_KUBERNETES_AUTH_PROVIDER];
-    if (authProvider === "serviceAccount" && !clusterDetails.authMetadata.serviceAccountToken && fs__default["default"].pathExistsSync(clientNode.Config.SERVICEACCOUNT_CA_PATH)) {
+    if (this.isServiceAccountAuthentication(authProvider, clusterDetails)) {
       [url, requestInit] = this.fetchArgsInCluster(credential);
-    } else if (credential.type === "bearer token" || authProvider === "localKubectlProxy") {
+    } else if (!this.isCredentialMissing(authProvider, credential)) {
       [url, requestInit] = this.fetchArgs(clusterDetails, credential);
     } else {
       return Promise.reject(
         new Error(
-          `no bearer token for cluster '${clusterDetails.name}' and not running in Kubernetes`
+          `no bearer token or client cert for cluster '${clusterDetails.name}' and not running in Kubernetes`
         )
       );
     }
@@ -1154,6 +1193,12 @@ class KubernetesClientBasedFetcher {
     }
     return fetch__default["default"](url, requestInit);
   }
+  isServiceAccountAuthentication(authProvider, clusterDetails) {
+    return authProvider === "serviceAccount" && !clusterDetails.authMetadata.serviceAccountToken && fs__default["default"].pathExistsSync(clientNode.Config.SERVICEACCOUNT_CA_PATH);
+  }
+  isCredentialMissing(authProvider, credential) {
+    return authProvider !== "localKubectlProxy" && credential.type === "anonymous";
+  }
   fetchArgs(clusterDetails, credential) {
     var _a;
     const requestInit = {
@@ -1173,7 +1218,11 @@ class KubernetesClientBasedFetcher {
           clusterDetails.caFile,
           clusterDetails.caData
         )) != null ? _a : void 0,
-        rejectUnauthorized: !clusterDetails.skipTLSVerify
+        rejectUnauthorized: !clusterDetails.skipTLSVerify,
+        ...credential.type === "x509 client certificate" && {
+          cert: credential.cert,
+          key: credential.key
+        }
       });
     }
     return [url, requestInit];
@@ -1237,20 +1286,6 @@ class KubernetesProxy {
         res.status(403).json({ error: new errors.NotAllowedError("Unauthorized") });
         return;
       }
-      const authHeader = req.header(HEADER_KUBERNETES_AUTH);
-      if (authHeader) {
-        req.headers.authorization = authHeader;
-      } else {
-        const authObj = KubernetesProxy.authHeadersToKubernetesRequestAuth(
-          req.headers
-        );
-        const credential = await this.getClusterForRequest(req).then((cd) => {
-          return this.authStrategy.getCredential(cd, authObj);
-        });
-        if (credential.type === "bearer token") {
-          req.headers.authorization = `Bearer ${credential.token}`;
-        }
-      }
       const middleware = await this.getMiddleware(req);
       if (((_a = req.header("connection")) == null ? void 0 : _a.toLowerCase()) === "upgrade" && ((_b = req.header("upgrade")) == null ? void 0 : _b.toLowerCase()) === "websocket") {
         middleware.upgrade(req, req.socket, void 0);
@@ -1284,7 +1319,7 @@ class KubernetesProxy {
           var _a;
           const cluster = await this.getClusterForRequest(req);
           const url = new URL(cluster.url);
-          return {
+          const target = {
             protocol: url.protocol,
             host: url.hostname,
             port: url.port,
@@ -1293,6 +1328,24 @@ class KubernetesProxy {
               cluster.caData
             )) == null ? void 0 : _a.toString()
           };
+          const authHeader = req.header(HEADER_KUBERNETES_AUTH);
+          if (authHeader) {
+            req.headers.authorization = authHeader;
+          } else {
+            const authObj = KubernetesProxy.authHeadersToKubernetesRequestAuth(
+              req.headers
+            );
+            const credential = await this.getClusterForRequest(req).then((cd) => {
+              return this.authStrategy.getCredential(cd, authObj);
+            });
+            if (credential.type === "bearer token") {
+              req.headers.authorization = `Bearer ${credential.token}`;
+            } else if (credential.type === "x509 client certificate") {
+              target.key = credential.key;
+              target.cert = credential.cert;
+            }
+          }
+          return target;
         },
         onError: (error, req, res) => {
           const wrappedError = new errors.ForwardedError(
@@ -1523,7 +1576,7 @@ class KubernetesBuilder {
         break;
       default:
         throw new Error(
-          `Unsupported kubernetes.clusterLocatorMethod "${method}"`
+          `Unsupported kubernetes.serviceLocatorMethod "${method}"`
         );
     }
     return this.serviceLocator;
@@ -1580,11 +1633,18 @@ class KubernetesBuilder {
       res.json({
         items: clusterDetails.map((cd) => {
           const oidcTokenProvider = cd.authMetadata[pluginKubernetesCommon.ANNOTATION_KUBERNETES_OIDC_TOKEN_PROVIDER];
+          const authProvider = cd.authMetadata[pluginKubernetesCommon.ANNOTATION_KUBERNETES_AUTH_PROVIDER];
+          const strategy = this.getAuthStrategyMap()[authProvider];
+          let auth = {};
+          if (strategy) {
+            auth = strategy.presentAuthMetadata(cd.authMetadata);
+          }
           return {
             name: cd.name,
             dashboardUrl: cd.dashboardUrl,
-            authProvider: cd.authMetadata[pluginKubernetesCommon.ANNOTATION_KUBERNETES_AUTH_PROVIDER],
-            ...oidcTokenProvider && { oidcTokenProvider }
+            authProvider,
+            ...oidcTokenProvider && { oidcTokenProvider },
+            ...auth && Object.keys(auth).length !== 0 && { auth }
           };
         })
       });