Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

updated readme #21

Merged
merged 3 commits into from
Jan 6, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
201 changes: 142 additions & 59 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,93 +1,176 @@
# simpleauthenticator
// TODO(user): Add simple overview of use/purpose

## Description
Kind of an authentication offloader
## Getting Started
You’ll need a Kubernetes cluster to run against. You can use [KIND](https://sigs.k8s.io/kind) to get a local cluster for testing, or run against a remote cluster.
**Note:** Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster `kubectl cluster-info` shows).
# Simple Authenticator

## Introduction

The Simple Authenticator is a Kubernetes-based tool designed to streamline and enhance basic authentication within a cluster. It serves as a crucial component for managing microservices' security and performance efficiently.

### Purpose

In Kubernetes environments, effective authentication is essential, especially when dealing with internal traffic between microservices.
Comment on lines +7 to +9
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The purpose section remains brief. Consider expanding on how the Simple Authenticator specifically improves authentication in Kubernetes environments, as previously suggested.

### Features

- **NGINX Deployment:** Supports both sidecar and standalone deployment of NGINX for secure authentication.
- **Adaptive Scale Support:** Dynamically scales based on the number of pods in the targeted service, optimizing resource utilization.
- **Plain Username and Password Authentication:** Simplifies credential management by transforming secrets to NGINX preferences automatically.

The Simple Authenticator ensures that authentication between microservices is both secure and efficient, contributing to a robust and well-architected Kubernetes environment.

# Installation of Simple Authenticator
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Redundant.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed


## Using Makefile
Deploy Simple Authenticator using the Makefile:

```sh
make deploy
```

## Using Helm
Deploy Simple Authenticator using Helm:

```sh
helm upgrade --install simple-authenticator oci://ghcr.io/snapp-incubator/simple-authenticator/helm-charts/simple-authenticator --version v0.1.8
```

## Using OLM (Operator Lifecycle Manager)
All the operator releases are bundled and pushed to the [Snappcloud hub](https://github.com/snapp-incubator/snappcloud-hub) which is a hub for the catalog sources. Install using Operator Lifecycle Manager (OLM) by following these steps:
1. Install [snappcloud hub catalog-source](https://github.com/snapp-incubator/snappcloud-hub/blob/main/catalog-source.yml)
2. Apply the subscription manifest as shown below:
```yaml
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: simple-authenticator
namespace: operators
spec:
channel: stable-v1
installPlanApproval: Automatic
name: simple-authenticator
source: snappcloud-hub-catalog
sourceNamespace: openshift-marketplace
config:
resources:
limits:
cpu: 2
memory: 2Gi
requests:
cpu: 1
memory: 1Gi
```
## Development

### Running on the cluster
1. Install Instances of Custom Resources:
### Run locally
1. Install the CRDs into the cluster:

```sh
kubectl apply -f config/samples/
make install
```

2. Build and push your image to the location specified by `IMG`:
2. Run your controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):

```sh
make docker-build docker-push IMG=<some-registry>/basicauthenticator:tag
make run
```

3. Deploy the controller to the cluster with the image specified by `IMG`:
### Building testing image

```sh
make deploy IMG=<some-registry>/basicauthenticator:tag
```shell
make docker-build IMG=<desired-image-tag>
```

### Uninstall CRDs
To delete the CRDs from the cluster:
### Building the helm chart

```sh
make uninstall
```
We use [helmify](https://github.com/arttor/helmify) to generate Helm chart from kustomize rendered manifests. To update
the chart run:

### Undeploy controller
UnDeploy the controller from the cluster:
```shell
make helm
```

```sh
make undeploy
## Usage


The Simple Authenticator operates through the `BasicAuthenticator` custom resource, providing a straightforward way to manage authentication credentials.

### Creating a Basic Authenticator

To create a `BasicAuthenticator`, apply a manifest with your customizations:

```yaml
apiVersion: authenticator.snappcloud.io/v1alpha1
kind: BasicAuthenticator
metadata:
name: example-basicauthenticator
namespace: simple-authenticator-test
spec:
type: "sidecar"
replicas: 2
selector:
matchLabels:
app: my-app
serviceType: "ClusterIP"
appPort: 8080
appService: "my-app-service"
adaptiveScale: false
authenticatorPort: 80
credentialsSecretRef: "my-credentials-secret"
```

## Contributing
// TODO(user): Add detailed information on how you would like others to contribute to this project
### Authentication Fields

### How it works
This project aims to follow the Kubernetes [Operator pattern](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/).
- `type`: Sidecar or standalone deployment.
- `replicas`: Number of replicas (optional, used in deployment mode).
- `selector`: Selector for targeting specific labels (optional, used in sidecar mode).
- `serviceType`: Service type (optional).
- `appPort`: Port where the application is running (required).
- `appService`: Name of the application service (optional).
- `adaptiveScale`: Enable or disable adaptive scaling (optional, used in deployment mode).
- `authenticatorPort`: Port for the authenticator (required).
- `credentialsSecretRef`: Reference to the credentials secret (optional).

It uses [Controllers](https://kubernetes.io/docs/concepts/architecture/controller/),
which provide a reconcile function responsible for synchronizing resources until the desired state is reached on the cluster.
### Authenticator Modes

### Test It Out
1. Install the CRDs into the cluster:
The Simple Authenticator offers two distinct operational modes to cater to different architectural needs in a Kubernetes environment: Deployment Mode and Sidecar Mode.

```sh
make install
```
#### Deployment Mode Configuration

2. Run your controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):
- __Application Service and Port__: Target application's service and port.
- __Authenticator Port__: Port for NGINX deployment to listen to.
- __Adaptive Scaling__: Automatic scaling based on number of pods of targeted service.
- __Replicas__: Number of NGINX deployment replicas.

```sh
make run
```
#### Sidecar Mode Configuration

**NOTE:** You can also run this in one step by running: `make install run`
- __Application Port__: Application's port within the pod.
- __Authenticator Port__: Port for NGINX sidecar to listen to.
- __Selector__: Targets specific pod(s) for adding the NGINX sidecar.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a usage section. You can add use the user docs written in snappcloud docs and add them to Wiki pages.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

### Modifying the API definitions
If you are editing the API definitions, generate the manifests such as CRs or CRDs using:
#### Trade-offs Between Deployment and Sidecar Modes

```sh
make manifests
```
Deployment Mode is preferable for scenarios requiring clear separation between the authentication layer and application, and is more scalable for environments with many pods. Sidecar Mode, on the other hand, is suited for scenarios where simplicity, reduced latency, and tight integration between the application and the authentication layer are priorities, albeit at the cost of increased resource consumption per pod.

**NOTE:** Run `make --help` for more information on all potential `make` targets
### Credential Format

More information can be found via the [Kubebuilder Documentation](https://book.kubebuilder.io/introduction.html)
Secrets specified in `credentialsSecretRef` must contain `username` and `password` fields. If not correctly formatted, the secret will be rejected. Secrets must reside in `BasicAuthenticator`'s namespace.

## License
```yaml
apiVersion: v1
kind: Secret
metadata:
name: my-credentials-secret
namespace: simple-authenticator-test
type: Opaque
stringData:
username: <username>
password: <password>
```

Copyright 2023.
### Automatic Credential Generation

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
If no `credentialsSecretRef` is set, a secret with a random username and password will be automatically generated.

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
## Contributing
Contributions are warmly welcomed. Feel free to submit issues or pull requests.
Comment on lines +172 to +173
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The contributing section is brief. It would be beneficial to link to a contributing guide with more detailed instructions for potential contributors.


## License
This project is licensed under the [Apache License 2.0](https://github.com/snapp-incubator/s3-operator/blob/main/LICENSE).