Make principals dynamic in Profiles Controller (#7310)

* Make principals dynamic in Profiles Controller Signed-off-by: Kimonas Sotirchos <kimwnasptd@gmail.com> * review: Use dynamic principal of IGW in KFAM Signed-off-by: Kimonas Sotirchos <kimwnasptd@gmail.com> * review: Add env vars to manifests Signed-off-by: Kimonas Sotirchos <kimwnasptd@gmail.com> * review: Add pipelines-ui principal Signed-off-by: Kimonas Sotirchos <kimwnasptd@gmail.com> * Update golang to 1.19 for unit tests to succeed Signed-off-by: Kimonas Sotirchos <kimwnasptd@gmail.com> * review: Include KFP UI principle in profiles/kfam Signed-off-by: Kimonas Sotirchos <kimwnasptd@gmail.com> --------- Signed-off-by: Kimonas Sotirchos <kimwnasptd@gmail.com>
2023-10-12 22:52:22 +03:00 · 2023-10-12 22:52:22 +03:00 · 51becc735f
--- a/.github/workflows/prof_controller_unit_test.yaml
+++ b/.github/workflows/prof_controller_unit_test.yaml
@ -14,7 +14,7 @@ jobs:
    - name: Install Go
      uses: actions/setup-go@v3
      with:
-        go-version: '1.17'
+        go-version: '1.19'
        check-latest: true

    - name: Run unit tests
--- a/components/access-management/kfam/bindings.go
+++ b/components/access-management/kfam/bindings.go
@ -77,6 +77,14 @@ func getBindingName(binding *Binding) (string, error) {
 }

 func getAuthorizationPolicy(binding *Binding, userIdHeader string, userIdPrefix string) istioSecurity.AuthorizationPolicy {
+	istioIGWPrincipal := GetEnvDefault(
+		"ISTIO_INGRESS_GATEWAY_PRINCIPAL",
+		"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account")
+
+	kfpUIPrincipal := GetEnvDefault(
+		"KFP_UI_PRINCIPAL",
+		"cluster.local/ns/kubeflow/sa/ml-pipeline-ui")
+
 	return istioSecurity.AuthorizationPolicy{
 		Rules: []*istioSecurity.Rule{
 			{
@ -91,7 +99,8 @@ func getAuthorizationPolicy(binding *Binding, userIdHeader string, userIdPrefix
 				From: []*istioSecurity.Rule_From{{
 					Source: &istioSecurity.Source{
 						Principals: []string{
-							"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account",
+							istioIGWPrincipal,
+							kfpUIPrincipal,
 						},
 					},
 				}},
--- a/components/access-management/kfam/utils.go
+++ b/components/access-management/kfam/utils.go
@ -13,3 +13,13 @@
 // limitations under the License.

 package kfam
+
+import "os"
+
+func GetEnvDefault(variable string, defaultVal string) string {
+	envVar := os.Getenv(variable)
+	if len(envVar) == 0 {
+		return defaultVal
+	}
+	return envVar
+}
--- a/components/profile-controller/config/manager/kustomization.yaml
+++ b/components/profile-controller/config/manager/kustomization.yaml
@ -8,4 +8,7 @@ configMapGenerator:
  - WORKLOAD_IDENTITY=
  - USERID_HEADER="kubeflow-userid"
  - USERID_PREFIX=
-  name: config
+  - ISTIO_INGRESS_GATEWAY_PRINCIPAL="cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account")
+  - NOTEBOOK_CONTROLLER_PRINCIPAL="cluster.local/ns/kubeflow/sa/notebook-controller-service-account")
+  - KFP_UI_PRINCIPAL="cluster.local/ns/kubeflow/sa/ml-pipeline-ui"
+  name: config
--- a/components/profile-controller/controllers/profile_controller.go
+++ b/components/profile-controller/controllers/profile_controller.go
@ -417,12 +417,17 @@ func (r *ProfileReconciler) SetupWithManager(mgr ctrl.Manager) error {
 }

 func (r *ProfileReconciler) getAuthorizationPolicy(profileIns *profilev1.Profile) istioSecurity.AuthorizationPolicy {
+	nbControllerPrincipal := GetEnvDefault(
+		"NOTEBOOK_CONTROLLER_PRINCIPAL",
+		"cluster.local/ns/kubeflow/sa/notebook-controller-service-account")

-	clusterDomain := "cluster.local"
-	if clusterDomainFromEnv, ok := os.LookupEnv("CLUSTER_DOMAIN"); ok {
-		clusterDomain = clusterDomainFromEnv
-	}
-	principals := fmt.Sprintf("%s/ns/kubeflow/sa/notebook-controller-service-account", clusterDomain)
+	istioIGWPrincipal := GetEnvDefault(
+		"ISTIO_INGRESS_GATEWAY_PRINCIPAL",
+		"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account")
+
+	kfpUIPrincipal := GetEnvDefault(
+		"KFP_UI_PRINCIPAL",
+		"cluster.local/ns/kubeflow/sa/ml-pipeline-ui")

 	return istioSecurity.AuthorizationPolicy{
 		Action: istioSecurity.AuthorizationPolicy_ALLOW,
@ -443,7 +448,8 @@ func (r *ProfileReconciler) getAuthorizationPolicy(profileIns *profilev1.Profile
 				From: []*istioSecurity.Rule_From{{
 					Source: &istioSecurity.Source{
 						Principals: []string{
-							"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account",
+							istioIGWPrincipal,
+							kfpUIPrincipal,
 						},
 					},
 				}},
@ -480,7 +486,7 @@ func (r *ProfileReconciler) getAuthorizationPolicy(profileIns *profilev1.Profile
 				From: []*istioSecurity.Rule_From{
 					{
 						Source: &istioSecurity.Source{
-							Principals: []string{principals},
+							Principals: []string{nbControllerPrincipal},
 						},
 					},
 				},
@ -782,3 +788,11 @@ func (r *ProfileReconciler) readDefaultLabelsFromFile(path string) map[string]st
 	}
 	return labels
 }
+
+func GetEnvDefault(variable string, defaultVal string) string {
+	envVar := os.Getenv(variable)
+	if len(envVar) == 0 {
+		return defaultVal
+	}
+	return envVar
+}