Merge pull request #34 from okteto/jpf-okteto/plat-351

Initialize v0.12.5-okteto branch (PLAT-351)
okteto · Feb 19, 2024 · 2e4461e · 2e4461e
2 parents bac3f2b + 8aaa190
commit 2e4461e
Show file tree

Hide file tree

Showing 117 changed files with 19,937 additions and 5 deletions.
diff --git a/.stignore b/.stignore
@@ -0,0 +1,18 @@
+.git
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# vendor folders
+vendor
+
+# Test binary, built with go test -c
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# dlv binary
+__debug_bin
diff --git a/auth/auth.go b/auth/auth.go
@@ -0,0 +1,79 @@
+package auth
+
+import (
+	"context"
+	"net/http"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+)
+
+var (
+	errMissingMetadata = status.Errorf(codes.InvalidArgument, "missing metadata")
+	errInvalidToken    = status.Errorf(codes.Unauthenticated, "invalid okteto token, run `okteto login` and try again")
+)
+
+// Service is the service buildkit can use to authenticate
+type Service struct {
+	endpoint string
+	client   *http.Client
+}
+
+// NewService returns an AuthService configured to use endpoint
+func NewService(endpoint string) *Service {
+	return &Service{
+		endpoint: endpoint,
+		client:   &http.Client{},
+	}
+}
+
+// EnsureValidToken validates that the context includes authentication metadata
+// and that it's valild
+func (s *Service) EnsureValidToken(ctx context.Context) (context.Context, error) {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return ctx, errMissingMetadata
+	}
+
+	if !s.valid(md["authorization"]) {
+		return ctx, errInvalidToken
+	}
+
+	return ctx, nil
+}
+
+func (s *Service) valid(authorization []string) bool {
+	if len(authorization) < 1 {
+		logrus.Error("request didn't contain an authorization header")
+		return false
+	}
+
+	req, err := http.NewRequest("POST", s.endpoint, nil)
+	if err != nil {
+		logrus.Errorf("couldn't create request: %s", err)
+		return false
+	}
+
+	// TODO: the OKTETO CLI should not be sending a bearer token, but just the plain token
+	a := strings.TrimPrefix(authorization[0], "Bearer")
+	a = "Bearer " + a
+
+	req.Header.Add("Authorization", a)
+	resp, err := s.client.Do(req)
+	if err != nil {
+		logrus.Errorf("authentication request failed: %s", err)
+		return false
+	}
+
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		logrus.Errorf("authentication request failed due to a bad token: %d", resp.StatusCode)
+		return false
+	}
+
+	return true
+}
diff --git a/client/client.go b/client/client.go
@@ -14,6 +14,7 @@ import (
 	"github.com/containerd/containerd/defaults"
 	controlapi "github.com/moby/buildkit/api/services/control"
 	"github.com/moby/buildkit/client/connhelper"
+	"github.com/moby/buildkit/okteto"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/session/grpchijack"
 	"github.com/moby/buildkit/util/appdefaults"
@@ -82,6 +83,9 @@ func New(ctx context.Context, address string, opts ...ClientOpt) (*Client, error
 		if sd, ok := o.(*withSessionDialer); ok {
 			sessionDialer = sd.dialer
 		}
+		if rpc, ok := o.(*withRPCCreds); ok {
+			gopts = append(gopts, grpc.WithPerRPCCredentials(rpc.creds))
+		}
 		if opt, ok := o.(*withGRPCDialOption); ok {
 			customDialOptions = append(customDialOptions, opt.opt)
 		}
@@ -148,6 +152,8 @@ func New(ctx context.Context, address string, opts ...ClientOpt) (*Client, error
 	gopts = append(gopts, grpc.WithChainStreamInterceptor(stream...))
 	gopts = append(gopts, customDialOptions...)
 
+	gopts = append(gopts, grpc.WithKeepaliveParams(okteto.LoadKeepaliveClientParams()))
+
 	conn, err := grpc.DialContext(ctx, address, gopts...)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to dial %q . make sure buildkitd is running", address)
@@ -306,6 +312,16 @@ func WithServerConfigSystem(serverName string) ClientOpt {
 	}
 }
 
+// WithCAAndSystemRoot is similar to WithServerConfig but it also enables
+// the system's certificate pool.
+func WithCAAndSystemRoot(serverName, caCert string) ClientOpt {
+	return &withCredentials{
+		serverName:   serverName,
+		caCert:       caCert,
+		caCertSystem: true,
+	}
+}
+
 func loadCredentials(opts *withCredentials) (grpc.DialOption, error) {
 	cfg := &tls.Config{}
 
@@ -378,6 +394,16 @@ type withSessionDialer struct {
 
 func (w *withSessionDialer) isClientOpt() {}
 
+type withRPCCreds struct {
+	creds credentials.PerRPCCredentials
+}
+
+func (*withRPCCreds) isClientOpt() {}
+
+func WithRPCCreds(c credentials.PerRPCCredentials) ClientOpt {
+	return &withRPCCreds{c}
+}
+
 func resolveDialer(address string) (func(context.Context, string) (net.Conn, error), error) {
 	ch, err := connhelper.GetConnectionHelper(address)
 	if err != nil {

diff --git a/cmd/buildctl/common/common.go b/cmd/buildctl/common/common.go
@@ -16,6 +16,8 @@ import (
 	"github.com/pkg/errors"
 	"github.com/urfave/cli"
 	"go.opentelemetry.io/otel/trace"
+	"golang.org/x/oauth2"
+	"grpc.go4.org/credentials/oauth"
 )
 
 // ResolveClient resolves a client from CLI args
@@ -89,6 +91,13 @@ func ResolveClient(c *cli.Context) (*client.Client, error) {
 		opts = append(opts, client.WithCredentials(cert, key))
 	}
 
+	if at := c.GlobalString("authorization-token"); at != "" {
+		oauthToken := &oauth2.Token{
+			AccessToken: at,
+		}
+		opts = append(opts, client.WithRPCCreds(oauth.NewOauthAccess(oauthToken)))
+	}
+
 	timeout := time.Duration(c.GlobalInt("timeout"))
 	if timeout > 0 {
 		ctx2, cancel := context.WithTimeout(ctx, timeout*time.Second)

diff --git a/cmd/buildctl/main.go b/cmd/buildctl/main.go
@@ -91,6 +91,11 @@ func main() {
 			Name:  "wait",
 			Usage: "block RPCs until the connection becomes available",
 		},
+		cli.StringFlag{
+			Name:  "authorization-token",
+			Usage: "authorization token (optional)",
+			Value: "",
+		},
 	}
 
 	app.Commands = []cli.Command{

diff --git a/cmd/buildkitd/config/config.go b/cmd/buildkitd/config/config.go
@@ -27,6 +27,8 @@ type Config struct {
 	DNS *DNSConfig `toml:"dns"`
 
 	History *HistoryConfig `toml:"history"`
+
+	AuthorizationEndpoint string `tolm:"authorization-endpoint"`
 }
 
 type GRPCConfig struct {

diff --git a/cmd/buildkitd/main.go b/cmd/buildkitd/main.go
@@ -6,6 +6,7 @@ import (
 	"crypto/x509"
 	"fmt"
 	"net"
+	"net/http"
 	"os"
 	"os/user"
 	"path/filepath"
@@ -22,6 +23,8 @@ import (
 	"github.com/docker/docker/pkg/reexec"
 	"github.com/gofrs/flock"
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
+	grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"
+	"github.com/moby/buildkit/auth"
 	"github.com/moby/buildkit/cache/remotecache"
 	"github.com/moby/buildkit/cache/remotecache/azblob"
 	"github.com/moby/buildkit/cache/remotecache/gha"
@@ -37,6 +40,7 @@ import (
 	dockerfile "github.com/moby/buildkit/frontend/dockerfile/builder"
 	"github.com/moby/buildkit/frontend/gateway"
 	"github.com/moby/buildkit/frontend/gateway/forwarder"
+	"github.com/moby/buildkit/okteto"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/solver"
 	"github.com/moby/buildkit/solver/bboltcachestorage"
@@ -57,6 +61,7 @@ import (
 	"github.com/moby/buildkit/worker"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 	"go.etcd.io/bbolt"
@@ -200,6 +205,11 @@ func main() {
 			Name:  "allow-insecure-entitlement",
 			Usage: "allows insecure entitlements e.g. network.host, security.insecure",
 		},
+		cli.StringFlag{
+			Name:  "authorization-endpoint",
+			Usage: "authorization endpoint (optional)",
+			Value: "",
+		},
 	)
 	app.Flags = append(app.Flags, appFlags...)
 	app.Flags = append(app.Flags, serviceFlags()...)
@@ -244,10 +254,29 @@ func main() {
 
 		streamTracer := otelgrpc.StreamServerInterceptor(otelgrpc.WithTracerProvider(tp), otelgrpc.WithPropagators(propagators))
 
-		unary := grpc_middleware.ChainUnaryServer(unaryInterceptor(ctx, tp), grpcerrors.UnaryServerInterceptor)
-		stream := grpc_middleware.ChainStreamServer(streamTracer, grpcerrors.StreamServerInterceptor)
+		var unary grpc.UnaryServerInterceptor
+		var stream grpc.StreamServerInterceptor
+
+		if cfg.AuthorizationEndpoint == "" {
+			logrus.Fatal("no authorization endpoint was provided, this is required for this fork of buildkitd")
+			unary = grpc_middleware.ChainUnaryServer(unaryInterceptor(ctx, tp), grpcerrors.UnaryServerInterceptor)
+			stream = grpc_middleware.ChainStreamServer(streamTracer, grpcerrors.StreamServerInterceptor)
+		} else {
+			logrus.Info("buildkitd is running with auth required")
+			svc := auth.NewService(cfg.AuthorizationEndpoint)
+			unaryAuthorizer := grpc_auth.UnaryServerInterceptor(svc.EnsureValidToken)
+			streamAuthorizer := grpc_auth.StreamServerInterceptor(svc.EnsureValidToken)
+
+			unary = grpc_middleware.ChainUnaryServer(unaryInterceptor(ctx, tp), unaryAuthorizer, grpcerrors.UnaryServerInterceptor)
+			stream = grpc_middleware.ChainStreamServer(streamTracer, streamAuthorizer, grpcerrors.StreamServerInterceptor)
+		}
 
 		opts := []grpc.ServerOption{grpc.UnaryInterceptor(unary), grpc.StreamInterceptor(stream)}
+
+		opts = append(opts, grpc.KeepaliveEnforcementPolicy(okteto.LoadKeepaliveEnforcementPolicy()))
+
+		opts = append(opts, grpc.KeepaliveParams(okteto.LoadKeepaliveServerParams()))
+
 		server := grpc.NewServer(opts...)
 
 		// relative path does not work with nightlyone/lockfile
@@ -318,6 +347,12 @@ func main() {
 			return err
 		}
 
+		http.Handle("/metrics", promhttp.Handler())
+		go func() {
+			logrus.Info("running metrics server on :2112")
+			http.ListenAndServe(":2112", nil)
+		}()
+
 		select {
 		case serverErr := <-errCh:
 			err = serverErr
@@ -502,6 +537,10 @@ func applyMainFlags(c *cli.Context, cfg *config.Config) error {
 		cfg.GRPC.GID = &gid
 	}
 
+	if authEndpoint := c.String("authorization-endpoint"); authEndpoint != "" {
+		cfg.AuthorizationEndpoint = authEndpoint
+	}
+
 	if tlscert := c.String("tlscert"); tlscert != "" {
 		cfg.GRPC.TLS.Cert = tlscert
 	}

diff --git a/go.mod b/go.mod
@@ -58,6 +58,7 @@ require (
 	github.com/pelletier/go-toml v1.9.5
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/profile v1.5.0
+	github.com/prometheus/client_golang v1.14.0
 	github.com/prometheus/procfs v0.9.0
 	github.com/serialx/hashring v0.0.0-20190422032157-8b2912629002
 	github.com/sirupsen/logrus v1.9.0
@@ -83,16 +84,20 @@ require (
 	go.opentelemetry.io/proto/otlp v0.19.0
 	golang.org/x/crypto v0.2.0
 	golang.org/x/net v0.8.0
+	golang.org/x/oauth2 v0.6.0
 	golang.org/x/sync v0.1.0
 	golang.org/x/sys v0.7.0
 	golang.org/x/time v0.3.0
 	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4
 	google.golang.org/grpc v1.53.0
 	google.golang.org/protobuf v1.30.0
+	grpc.go4.org v0.0.0-20170609214715-11d0a25b4919
 	kernel.org/pub/linux/libs/security/libcap/cap v1.2.67
 )
 
 require (
+	cloud.google.com/go/compute v1.18.0 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // indirect
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20221215162035-5330a85ea652 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.0 // indirect
@@ -145,7 +150,6 @@ require (
 	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.14.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.42.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
@@ -158,6 +162,7 @@ require (
 	golang.org/x/mod v0.9.0 // indirect
 	golang.org/x/text v0.8.0 // indirect
 	golang.org/x/tools v0.7.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	kernel.org/pub/linux/libs/security/libcap/psx v1.2.67 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -21,15 +21,16 @@ cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKV
 cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
 cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
 cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
-cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
 cloud.google.com/go/compute v1.18.0 h1:FEigFqoDbys2cvFkZ9Fjq4gnHBP55anJ0yQyau2f9oY=
+cloud.google.com/go/compute v1.18.0/go.mod h1:1X7yHxec2Ga+Ss6jPyjxRxpu2uu7PLgsOVXvgU0yacs=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
+cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
@@ -1439,6 +1440,7 @@ golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.6.0 h1:Lh8GPgSKBfWSwFvtuWOfeI3aAAnbXTSutYxJiOJFgIw=
+golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
 golang.org/x/perf v0.0.0-20180704124530-6e6d33e29852/go.mod h1:JLpeXjPJfIyPr5TlbXLkXWLhP8nz10XfvxElABhCtcw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1682,6 +1684,7 @@ google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8/go.mod h1:0H1ncTHf11KCFhTc/+EFRbzSCOZx+VUbRMk55Yv5MYk=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20180831171423-11092d34479b/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
@@ -1810,6 +1813,7 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
 gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
+grpc.go4.org v0.0.0-20170609214715-11d0a25b4919 h1:tmXTu+dfa+d9Evp8NpJdgOy6+rt8/x4yG7qPBrtNfLY=
 grpc.go4.org v0.0.0-20170609214715-11d0a25b4919/go.mod h1:77eQGdRu53HpSqPFJFmuJdjuHRquDANNeA4x7B8WQ9o=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20180920025451-e3ad64cb4ed3/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=