[server] Load auth-pki into server config (#17214)

Author: easyCZ

components/server/src/config.ts

@@ -29,6 +29,7 @@ export type Config = Omit<
     | "linkedInSecretsFile"
     | "licenseFile"
     | "patSigningKeyFile"
+    | "auth"
 > & {
     hostUrl: GitpodHostUrl;
     workspaceDefaults: WorkspaceDefaults;
@@ -44,6 +45,20 @@ export type Config = Omit<
         // Absolute file path pointing to a file which contains admin credentials, encoded as JSON.
         credentialsPath: string;
     };
+
+    auth: {
+        // Public/Private key for signing authenticated sessions
+        pki: {
+            signing: {
+                privateKey: string;
+                publicKey: string;
+            };
+            validating: {
+                privateKey: string;
+                publicKey: string;
+            }[];
+        };
+    };
 };
 
 export interface WorkspaceDefaults {
@@ -244,6 +259,20 @@ export interface ConfigSerialized {
      * This is the same signing key used by Public API
      */
     patSigningKeyFile?: string;
+
+    auth: {
+        pki: AuthPKIConfig;
+    };
+}
+
+export interface AuthPKIConfig {
+    signing: KeyPair;
+    validating?: KeyPair[];
+}
+
+export interface KeyPair {
+    publicKeyPath: string;
+    privateKeyPath: string;
 }
 
 export namespace ConfigFile {
@@ -346,6 +375,18 @@ export namespace ConfigFile {
             }
         }
 
+        const authPKI: Config["auth"]["pki"] = {
+            signing: {
+                privateKey: fs.readFileSync(filePathTelepresenceAware(config.auth.pki.signing.privateKeyPath), "utf-8"),
+                publicKey: fs.readFileSync(filePathTelepresenceAware(config.auth.pki.signing.publicKeyPath), "utf-8"),
+            },
+            validating:
+                config.auth.pki.validating?.map((keypair) => ({
+                    privateKey: fs.readFileSync(filePathTelepresenceAware(keypair.privateKeyPath), "utf-8"),
+                    publicKey: fs.readFileSync(filePathTelepresenceAware(keypair.publicKeyPath), "utf-8"),
+                })) || [],
+        };
+
         return {
             ...config,
             hostUrl,
@@ -368,6 +409,9 @@ export namespace ConfigFile {
                 ...config.admin,
                 credentialsPath: config.admin.credentialsPath,
             },
+            auth: {
+                pki: authPKI,
+            },
         };
     }
 }

install/installer/pkg/components/server/authpki.go

@@ -7,12 +7,14 @@ package server
 import (
 	"fmt"
 	"math"
+	"path"
 	"time"
 
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
 
 	certmanagerv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
@@ -56,3 +58,36 @@ func authPKI(ctx *common.RenderContext) ([]runtime.Object, error) {
 		},
 	}, nil
 }
+
+func getAuthPKI() ([]corev1.Volume, []corev1.VolumeMount, AuthPKIConfig) {
+
+	dir := "/secrets/auth-pki"
+	signingDir := path.Join(dir, "signing")
+
+	volumes := []corev1.Volume{
+		{
+			Name: "auth-pki-signing",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: AuthPKISecretName,
+				},
+			},
+		},
+	}
+
+	mounts := []corev1.VolumeMount{
+		{
+			Name:      "auth-pki-signing",
+			MountPath: signingDir,
+			ReadOnly:  true,
+		},
+	}
+
+	cfg := AuthPKIConfig{
+		Signing: KeyPair{
+			PrivateKeyPath: path.Join(signingDir, "tls.key"),
+			PublicKeyPath:  path.Join(signingDir, "tls.crt"),
+		},
+	}
+	return volumes, mounts, cfg
+}

install/installer/pkg/components/server/configmap.go

@@ -196,6 +196,8 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 
 	_, _, adminCredentialsPath := getAdminCredentials()
 
+	_, _, authPKI := getAuthPKI()
+
 	// todo(sje): all these values are configurable
 	scfg := ConfigSerialized{
 		Version:               ctx.VersionManifest.Version,
@@ -297,6 +299,9 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 			CredentialsPath:         adminCredentialsPath,
 		},
 		ShowSetupModal: showSetupModal,
+		Auth: AuthConfig{
+			PKI: authPKI,
+		},
 	}
 
 	fc, err := common.ToJSONString(scfg)

install/installer/pkg/components/server/configmap_test.go

@@ -30,6 +30,7 @@ func TestConfigMap(t *testing.T) {
 		JWTSecret                         string
 		SessionSecret                     string
 		GitHubApp                         experimental.GithubApp
+		Auth                              AuthConfig
 	}
 
 	expectation := Expectation{
@@ -52,6 +53,14 @@ func TestConfigMap(t *testing.T) {
 			WebhookSecret:   "some-webhook-secret",
 			CertSecretName:  "some-cert-secret-name",
 		},
+		Auth: AuthConfig{
+			PKI: AuthPKIConfig{
+				Signing: KeyPair{
+					PrivateKeyPath: "/secrets/auth-pki/signing/tls.key",
+					PublicKeyPath:  "/secrets/auth-pki/signing/tls.crt",
+				},
+			},
+		},
 	}
 
 	ctx, err := common.NewRenderContext(config.Config{
@@ -122,6 +131,7 @@ func TestConfigMap(t *testing.T) {
 			WebhookSecret:   config.GitHubApp.WebhookSecret,
 			CertSecretName:  config.GitHubApp.CertSecretName,
 		},
+		Auth: config.Auth,
 	}
 
 	assert.Equal(t, expectation, actual)

install/installer/pkg/components/server/deployment.go

@@ -281,6 +281,10 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 	volumes = append(volumes, adminCredentialsVolume)
 	volumeMounts = append(volumeMounts, adminCredentialsMount)
 
+	authPKIVolumes, authPKIMounts, _ := getAuthPKI()
+	volumes = append(volumes, authPKIVolumes...)
+	volumeMounts = append(volumeMounts, authPKIMounts...)
+
 	return []runtime.Object{
 		&appsv1.Deployment{
 			TypeMeta: common.TypeMetaDeployment,

install/installer/pkg/components/server/types.go

@@ -13,32 +13,33 @@ import (
 
 // ConfigSerialized interface from components/server/src/config.ts
 type ConfigSerialized struct {
-	Version                           string   `json:"version"`
-	HostURL                           string   `json:"hostUrl"`
-	InstallationShortname             string   `json:"installationShortname"`
-	DevBranch                         string   `json:"devBranch"`
-	InsecureNoDomain                  bool     `json:"insecureNoDomain"`
-	License                           string   `json:"license"`
-	DefinitelyGpDisabled              bool     `json:"definitelyGpDisabled"`
-	EnableLocalApp                    bool     `json:"enableLocalApp"`
-	DisableDynamicAuthProviderLogin   bool     `json:"disableDynamicAuthProviderLogin"`
-	MaxEnvvarPerUserCount             int32    `json:"maxEnvvarPerUserCount"`
-	MaxConcurrentPrebuildsPerRef      int32    `json:"maxConcurrentPrebuildsPerRef"`
-	MakeNewUsersAdmin                 bool     `json:"makeNewUsersAdmin"`
-	DefaultBaseImageRegistryWhitelist []string `json:"defaultBaseImageRegistryWhitelist"`
-	RunDbDeleter                      bool     `json:"runDbDeleter"`
-	ContentServiceAddr                string   `json:"contentServiceAddr"`
-	UsageServiceAddr                  string   `json:"usageServiceAddr"`
-	IDEServiceAddr                    string   `json:"ideServiceAddr"`
-	MaximumEventLoopLag               float64  `json:"maximumEventLoopLag"`
-	VSXRegistryUrl                    string   `json:"vsxRegistryUrl"`
-	ChargebeeProviderOptionsFile      string   `json:"chargebeeProviderOptionsFile"`
-	StripeSecretsFile                 string   `json:"stripeSecretsFile"`
-	StripeConfigFile                  string   `json:"stripeConfigFile"`
-	EnablePayment                     bool     `json:"enablePayment"`
-	LinkedInSecretsFile               string   `json:"linkedInSecretsFile"`
-	PATSigningKeyFile                 string   `json:"patSigningKeyFile"`
-	ShowSetupModal                    bool     `json:"showSetupModal"`
+	Version                           string     `json:"version"`
+	HostURL                           string     `json:"hostUrl"`
+	InstallationShortname             string     `json:"installationShortname"`
+	DevBranch                         string     `json:"devBranch"`
+	InsecureNoDomain                  bool       `json:"insecureNoDomain"`
+	License                           string     `json:"license"`
+	DefinitelyGpDisabled              bool       `json:"definitelyGpDisabled"`
+	EnableLocalApp                    bool       `json:"enableLocalApp"`
+	DisableDynamicAuthProviderLogin   bool       `json:"disableDynamicAuthProviderLogin"`
+	MaxEnvvarPerUserCount             int32      `json:"maxEnvvarPerUserCount"`
+	MaxConcurrentPrebuildsPerRef      int32      `json:"maxConcurrentPrebuildsPerRef"`
+	MakeNewUsersAdmin                 bool       `json:"makeNewUsersAdmin"`
+	DefaultBaseImageRegistryWhitelist []string   `json:"defaultBaseImageRegistryWhitelist"`
+	RunDbDeleter                      bool       `json:"runDbDeleter"`
+	ContentServiceAddr                string     `json:"contentServiceAddr"`
+	UsageServiceAddr                  string     `json:"usageServiceAddr"`
+	IDEServiceAddr                    string     `json:"ideServiceAddr"`
+	MaximumEventLoopLag               float64    `json:"maximumEventLoopLag"`
+	VSXRegistryUrl                    string     `json:"vsxRegistryUrl"`
+	ChargebeeProviderOptionsFile      string     `json:"chargebeeProviderOptionsFile"`
+	StripeSecretsFile                 string     `json:"stripeSecretsFile"`
+	StripeConfigFile                  string     `json:"stripeConfigFile"`
+	EnablePayment                     bool       `json:"enablePayment"`
+	LinkedInSecretsFile               string     `json:"linkedInSecretsFile"`
+	PATSigningKeyFile                 string     `json:"patSigningKeyFile"`
+	ShowSetupModal                    bool       `json:"showSetupModal"`
+	Auth                              AuthConfig `json:"auth"`
 
 	WorkspaceHeartbeat         WorkspaceHeartbeat         `json:"workspaceHeartbeat"`
 	WorkspaceDefaults          WorkspaceDefaults          `json:"workspaceDefaults"`
@@ -65,6 +66,23 @@ type CodeSyncResources struct {
 	RevLimit int32 `json:"revLimit"`
 }
 
+type AuthConfig struct {
+	PKI AuthPKIConfig `json:"pki"`
+}
+
+type AuthPKIConfig struct {
+	// Signing KeyPair is always used to issue new auth tokens
+	Signing KeyPair `json:"signing"`
+
+	// Validating KeyPairs are used for checking validity only
+	Validating []KeyPair `json:"validating,omitempty"`
+}
+
+type KeyPair struct {
+	PrivateKeyPath string `json:"privateKeyPath"`
+	PublicKeyPath  string `json:"publicKeyPath"`
+}
+
 type CodeSync struct {
 	RevLimit     int32                        `json:"revLimit"`
 	ContentLimit int32                        `json:"contentLimit"`