Add terminal auth secret (labring#5170)

* Add terminal auth secret, do not allow direct access from internal network. Signed-off-by: zzjin <[email protected]> * Do not reconcile when terminal CR spec not changed. Signed-off-by: zzjin <[email protected]> --------- Signed-off-by: zzjin <[email protected]>
HUAHUAI23 · Oct 24, 2024 · b57e851 · b57e851
1 parent 4f2b768
commit b57e851
Show file tree

Hide file tree

Showing 8 changed files with 45 additions and 15 deletions.
diff --git a/controllers/terminal/api/v1/terminal_types.go b/controllers/terminal/api/v1/terminal_types.go
@@ -56,6 +56,7 @@ type TerminalSpec struct {
 type TerminalStatus struct {
 	AvailableReplicas int32  `json:"availableReplicas"`
 	ServiceName       string `json:"serviceName"`
+	SecretHeader      string `json:"secretHeader"`
 	Domain            string `json:"domain"`
 }
 
@@ -64,7 +65,6 @@ type TerminalStatus struct {
 //+kubebuilder:printcolumn:name="User",type=string,JSONPath=".spec.user"
 //+kubebuilder:printcolumn:name="Keepalived",type=string,JSONPath=".spec.keepalived"
 //+kubebuilder:printcolumn:name="Domain",type=string,JSONPath=".status.domain"
-//+kubebuilder:printcolumn:name="APIServer",priority=1,type=string,JSONPath=".spec.apiServer"
 //+kubebuilder:printcolumn:name="LastUpdateTime",priority=1,type=string,JSONPath=".metadata.annotations.lastUpdateTime"
 //+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 

diff --git a/controllers/terminal/config/crd/bases/terminal.sealos.io_terminals.yaml b/controllers/terminal/config/crd/bases/terminal.sealos.io_terminals.yaml
@@ -38,10 +38,6 @@ spec:
     - jsonPath: .status.domain
       name: Domain
       type: string
-    - jsonPath: .spec.apiServer
-      name: APIServer
-      priority: 1
-      type: string
     - jsonPath: .metadata.annotations.lastUpdateTime
       name: LastUpdateTime
       priority: 1
@@ -107,11 +103,14 @@ spec:
                 type: integer
               domain:
                 type: string
+              secretHeader:
+                type: string
               serviceName:
                 type: string
             required:
             - availableReplicas
             - domain
+            - secretHeader
             - serviceName
             type: object
         type: object

diff --git a/controllers/terminal/controllers/ingress.go b/controllers/terminal/controllers/ingress.go
@@ -37,6 +37,15 @@ if ($flag = '02'){ return 403; }`
 func (r *TerminalReconciler) createNginxIngress(terminal *terminalv1.Terminal, host string) *networkingv1.Ingress {
 	cors := fmt.Sprintf("https://%s,https://*.%s", r.CtrConfig.Global.CloudDomain+r.getPort(), r.CtrConfig.Global.CloudDomain+r.getPort())
 
+	secretHeader := terminal.Status.SecretHeader
+	configurationSnippet := safeConfigurationSnippet + `
+proxy_set_header Authorization "";
+proxy_set_header ` + secretHeader + ` "1";`
+
+	higressReqHeaderUpdate := `
+Authorization ""
+` + secretHeader + ` "1"`
+
 	objectMeta := metav1.ObjectMeta{
 		Name:      terminal.Name,
 		Namespace: terminal.Namespace,
@@ -50,7 +59,8 @@ func (r *TerminalReconciler) createNginxIngress(terminal *terminalv1.Terminal, h
 			"nginx.ingress.kubernetes.io/cors-allow-origin":      cors,
 			"nginx.ingress.kubernetes.io/cors-allow-methods":     "PUT, GET, POST, PATCH, OPTIONS",
 			"nginx.ingress.kubernetes.io/cors-allow-credentials": "false",
-			"nginx.ingress.kubernetes.io/configuration-snippet":  safeConfigurationSnippet,
+			"nginx.ingress.kubernetes.io/configuration-snippet":  configurationSnippet,
+			"higress.io/request-header-control-update":           higressReqHeaderUpdate,
 		},
 	}
 

diff --git a/controllers/terminal/controllers/terminal_controller.go b/controllers/terminal/controllers/terminal_controller.go
@@ -18,6 +18,7 @@ package controllers
 
 import (
 	"context"
+	"strings"
 	"time"
 
 	"github.com/jaevor/go-nanoid"
@@ -32,9 +33,11 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
 
 	"github.com/labring/sealos/controllers/pkg/utils/label"
 	terminalv1 "github.com/labring/sealos/controllers/terminal/api/v1"
@@ -65,6 +68,10 @@ const (
 	MemoryLimit   = "256Mi"
 )
 
+const (
+	SecretHeaderPrefix = "X-SEALOS-"
+)
+
 // TerminalReconciler reconciles a Terminal object
 type TerminalReconciler struct {
 	client.Client
@@ -123,6 +130,13 @@ func (r *TerminalReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 		}
 	}
 
+	if terminal.Status.SecretHeader == "" {
+		terminal.Status.SecretHeader = r.generateSecretHeader()
+		if err := r.Status().Update(ctx, terminal); err != nil {
+			return ctrl.Result{}, err
+		}
+	}
+
 	recLabels := label.RecommendedLabels(&label.Recommended{
 		Name:      terminal.Name,
 		ManagedBy: label.DefaultManagedBy,
@@ -262,6 +276,8 @@ func (r *TerminalReconciler) syncDeployment(ctx context.Context, terminal *termi
 		{Name: "USER_TOKEN", Value: terminal.Spec.Token},
 		{Name: "NAMESPACE", Value: terminal.Namespace},
 		{Name: "USER_NAME", Value: terminal.Spec.User},
+		// Add secret header
+		{Name: "AUTH_HEADER", Value: terminal.Status.SecretHeader},
 	}
 
 	containers = []corev1.Container{
@@ -377,12 +393,18 @@ func (r *TerminalReconciler) getPort() string {
 	return ":" + r.CtrConfig.Global.CloudPort
 }
 
+func (r *TerminalReconciler) generateSecretHeader() string {
+	return SecretHeaderPrefix + strings.ToUpper(rand.String(5))
+}
+
 // SetupWithManager sets up the controller with the Manager.
 func (r *TerminalReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	r.recorder = mgr.GetEventRecorderFor("sealos-terminal-controller")
 	r.Config = mgr.GetConfig()
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&terminalv1.Terminal{}).
-		Owns(&appsv1.Deployment{}).Owns(&corev1.Service{}).Owns(&networkingv1.Ingress{}).
+		For(&terminalv1.Terminal{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
+		Owns(&appsv1.Deployment{}, builder.WithPredicates(predicate.ResourceVersionChangedPredicate{})).
+		Owns(&corev1.Service{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
+		Owns(&networkingv1.Ingress{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
 		Complete(r)
 }
diff --git a/controllers/terminal/deploy/manifests/deploy.yaml.tmpl b/controllers/terminal/deploy/manifests/deploy.yaml.tmpl
@@ -31,10 +31,6 @@ spec:
     - jsonPath: .status.domain
       name: Domain
       type: string
-    - jsonPath: .spec.apiServer
-      name: APIServer
-      priority: 1
-      type: string
     - jsonPath: .metadata.annotations.lastUpdateTime
       name: LastUpdateTime
       priority: 1
@@ -91,11 +87,14 @@ spec:
                 type: integer
               domain:
                 type: string
+              secretHeader:
+                type: string
               serviceName:
                 type: string
             required:
             - availableReplicas
             - domain
+            - secretHeader
             - serviceName
             type: object
         type: object

diff --git a/frontend/providers/terminal/.env.template b/frontend/providers/terminal/.env.template
@@ -1,4 +1,4 @@
 NEXT_PUBLIC_MOCK_KUBECONFIG=""
 SITE="cloud.sealos.io"
-TTYD_IMAGE="docker.io/labring4docker/terminal:1.20.4-6"
+TTYD_IMAGE="docker.io/labring4docker/terminal:1.23.2-1"
 KEEPALIVED="30m"
diff --git a/frontend/providers/terminal/deploy/Kubefile b/frontend/providers/terminal/deploy/Kubefile
@@ -8,7 +8,7 @@ COPY manifests manifests
 ENV certSecretName="wildcard-cert"
 ENV cloudDomain="127.0.0.1.nip.io"
 ENV cloudPort=""
-ENV ttydImage="docker.io/labring4docker/terminal:1.20.4-6"
+ENV ttydImage="docker.io/labring4docker/terminal:1.23.2-1"
 ENV keepalived="30m"
 
 

diff --git a/frontend/providers/terminal/deploy/images/shim/imagelist b/frontend/providers/terminal/deploy/images/shim/imagelist
@@ -1 +1 @@
-docker.io/labring4docker/terminal:1.20.4-6
+docker.io/labring4docker/terminal:1.23.2-1
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		docker.io/labring4docker/terminal:1.20.4-6
		docker.io/labring4docker/terminal:1.23.2-1