CLOUDP-59109: Configure SCRAM (#78)

Author: chatton

deploy/crds/mongodb.com_v1_mongodb_scram_cr.yaml

@@ -0,0 +1,12 @@
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: example-scram-mongodb
+spec:
+  members: 3
+  type: ReplicaSet
+  version: "4.2.6"
+  security:
+    authentication:
+      enabled: true
+      modes: ["SCRAM"]

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/golang/protobuf v1.3.5 // indirect
 	github.com/hashicorp/go-multierror v1.0.0
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
-	github.com/imdario/mergo v0.3.9
+	github.com/imdario/mergo v0.3.9 // indirect
 	github.com/json-iterator/go v1.1.9 // indirect
 	github.com/klauspost/compress v1.9.8 // indirect
 	github.com/konsorten/go-windows-terminal-sequences v1.0.3 // indirect

pkg/apis/mongodb/v1/mongodb_types.go

@@ -37,12 +37,14 @@ type MongoDBSpec struct {
 	// +optional
 	FeatureCompatibilityVersion string `json:"featureCompatibilityVersion,omitempty"`
 
-	// Security configures security features, such as TLS, for a deployment
+	// Security configures security features, such as TLS, and authentication settings for a deployment
 	// +optional
 	Security Security `json:"security"`
 }
 
 type Security struct {
+	// +optional
+	Authentication Authentication `json:"authentication"`
 	// TLS configuration for both client-server and server-server communication
 	// +optional
 	TLS TLS `json:"tls"`
@@ -67,6 +69,17 @@ type TLS struct {
 	CAConfigMapName string `json:"caConfigMapName"`
 }
 
+type Authentication struct {
+	// Enabled specifies if authentication should be enabled
+	Enabled bool `json:"enabled"`
+
+	// Modes is an array specifying which authentication methods should be enabled
+	Modes []AuthMode `json:"modes"`
+}
+
+// +kubebuilder:validation:Enum=SCRAM
+type AuthMode string
+
 // MongoDBStatus defines the observed state of MongoDB
 type MongoDBStatus struct {
 	MongoURI string `json:"mongoUri"`
@@ -129,6 +142,10 @@ func (m MongoDB) NamespacedName() types.NamespacedName {
 	return types.NamespacedName{Name: m.Name, Namespace: m.Namespace}
 }
 
+func (m *MongoDB) ScramCredentialsNamespacedName() types.NamespacedName {
+	return types.NamespacedName{Name: "agent-scram-credentials", Namespace: m.Namespace}
+}
+
 // GetFCV returns the feature compatibility version. If no FeatureCompatibilityVersion is specified.
 // It uses the major and minor version for whichever version of MongoDB is configured.
 func (m MongoDB) GetFCV() string {

pkg/authentication/scram/scram.go

@@ -0,0 +1,56 @@
+package scram
+
+import (
+	"fmt"
+
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/automationconfig"
+
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/kube/secret"
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/util/generate"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// EnsureAgentSecret make sure that the agent password and keyfile exist in the secret and returns
+// the scram authEnabler configured with this values
+func EnsureAgentSecret(getUpdateCreator secret.GetUpdateCreator, secretNsName types.NamespacedName) (automationconfig.AuthEnabler, error) {
+	generatedPassword, err := generate.RandomFixedLengthStringOfSize(20)
+	if err != nil {
+		return authEnabler{}, fmt.Errorf("error generating password: %s", err)
+	}
+
+	generatedContents, err := generate.KeyFileContents()
+	if err != nil {
+		return authEnabler{}, fmt.Errorf("error generating keyfile contents: %s", err)
+	}
+
+	agentSecret, err := getUpdateCreator.GetSecret(secretNsName)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			s := secret.Builder().
+				SetNamespace(secretNsName.Namespace).
+				SetName(secretNsName.Name).
+				SetField(AgentPasswordKey, generatedPassword).
+				SetField(AgentKeyfileKey, generatedContents).
+				Build()
+			return authEnabler{
+				agentPassword: generatedPassword,
+				agentKeyFile:  generatedContents,
+			}, getUpdateCreator.CreateSecret(s)
+		}
+		return authEnabler{}, err
+	}
+
+	if _, ok := agentSecret.Data[AgentPasswordKey]; !ok {
+		agentSecret.Data[AgentPasswordKey] = []byte(generatedPassword)
+	}
+
+	if _, ok := agentSecret.Data[AgentKeyfileKey]; !ok {
+		agentSecret.Data[AgentKeyfileKey] = []byte(generatedContents)
+	}
+
+	return authEnabler{
+		agentPassword: string(agentSecret.Data[AgentPasswordKey]),
+		agentKeyFile:  string(agentSecret.Data[AgentKeyfileKey]),
+	}, getUpdateCreator.UpdateSecret(agentSecret)
+}

pkg/authentication/scram/scram_enabler.go

@@ -0,0 +1,56 @@
+package scram
+
+import (
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/automationconfig"
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/util/contains"
+)
+
+const (
+	scram256                              = "SCRAM-SHA-256"
+	automationAgentKeyFilePathInContainer = "/var/lib/mongodb-mms-automation/authentication/keyfile"
+	automationAgentWindowsKeyFilePath     = "%SystemDrive%\\MMSAutomation\\versions\\keyfile"
+	AgentName                             = "mms-automation"
+	AgentPasswordKey                      = "password"
+	AgentKeyfileKey                       = "keyfile"
+)
+
+type authEnabler struct {
+	agentPassword string
+	agentKeyFile  string
+}
+
+func (s authEnabler) EnableAuth(auth automationconfig.Auth) automationconfig.Auth {
+	enableAgentAuthentication(&auth, s.agentPassword, s.agentKeyFile)
+	enableDeploymentMechanisms(&auth)
+	return auth
+}
+
+func enableAgentAuthentication(auth *automationconfig.Auth, agentPassword, agentKeyFileContents string) {
+	auth.Disabled = false
+	auth.AuthoritativeSet = true
+	auth.KeyFile = automationAgentKeyFilePathInContainer
+
+	// windows file is specified to pass validation, this will never be used
+	auth.KeyFileWindows = automationAgentWindowsKeyFilePath
+	auth.AutoAuthMechanisms = []string{scram256}
+
+	// the username of the MongoDB Agent
+	auth.AutoUser = AgentName
+
+	// the mechanism used by the Agent
+	auth.AutoAuthMechanism = scram256
+
+	// the password for the Agent user
+	auth.AutoPwd = agentPassword
+
+	// the contents the keyfile should have, this file is owned and managed
+	// by the agent
+	auth.Key = agentKeyFileContents
+}
+
+func enableDeploymentMechanisms(auth *automationconfig.Auth) {
+	if contains.String(auth.DeploymentAuthMechanisms, scram256) {
+		return
+	}
+	auth.DeploymentAuthMechanisms = append(auth.DeploymentAuthMechanisms, scram256)
+}

pkg/authentication/scram/scram_enabler_test.go

@@ -0,0 +1,34 @@
+package scram
+
+import (
+	"testing"
+
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/automationconfig"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestScramEnabler(t *testing.T) {
+	enabler := authEnabler{
+		agentPassword: "password",
+		agentKeyFile:  "keyfilecontents",
+	}
+	auth := enabler.EnableAuth(automationconfig.Auth{})
+	t.Run("Authentication is correctly configured", func(t *testing.T) {
+		assert.Equal(t, AgentName, auth.AutoUser)
+		assert.Equal(t, "keyfilecontents", auth.Key)
+		assert.Equal(t, "password", auth.AutoPwd)
+		assert.Equal(t, scram256, auth.AutoAuthMechanism)
+		assert.Len(t, auth.DeploymentAuthMechanisms, 1)
+		assert.Len(t, auth.AutoAuthMechanisms, 1)
+		assert.Equal(t, []string{scram256}, auth.DeploymentAuthMechanisms)
+		assert.Equal(t, []string{scram256}, auth.AutoAuthMechanisms)
+		assert.Equal(t, automationAgentKeyFilePathInContainer, auth.KeyFile)
+		assert.Equal(t, automationAgentWindowsKeyFilePath, auth.KeyFileWindows)
+	})
+
+	t.Run("Subsequent configuration doesn't add to deployment auth mechanisms", func(t *testing.T) {
+		auth = enabler.EnableAuth(auth)
+		assert.Equal(t, []string{scram256}, auth.DeploymentAuthMechanisms)
+	})
+
+}

pkg/automationconfig/automation_config.go

@@ -38,7 +38,7 @@ type Auth struct {
 	AutoPwd string `json:"autoPwd,omitempty"`
 }
 
-func DisabledAuth() Auth {
+func disabledAuth() Auth {
 	return Auth{
 		Users:                    make([]MongoDBUser, 0),
 		AutoAuthMechanisms:       make([]string, 0),

pkg/automationconfig/automation_config_builder.go

@@ -12,7 +12,13 @@ const (
 	ReplicaSetTopology Topology = "ReplicaSet"
 )
 
+// AuthEnabler is an interface which can configure authentication settings
+type AuthEnabler interface {
+	EnableAuth(auth Auth) Auth
+}
+
 type Builder struct {
+	enabler           AuthEnabler
 	processes         []Process
 	replicaSets       []ReplicaSet
 	members           int
@@ -38,6 +44,11 @@ func NewBuilder() *Builder {
 	}
 }
 
+func (b *Builder) SetAuthEnabler(enabler AuthEnabler) *Builder {
+	b.enabler = enabler
+	return b
+}
+
 func (b *Builder) SetTopology(topology Topology) *Builder {
 	b.topology = topology
 	return b
@@ -121,6 +132,11 @@ func (b *Builder) Build() (AutomationConfig, error) {
 		members[i] = newReplicaSetMember(process, i)
 	}
 
+	auth := disabledAuth()
+	if b.enabler != nil {
+		auth = b.enabler.EnableAuth(auth)
+	}
+
 	currentAc := AutomationConfig{
 		Version:   b.previousAC.Version,
 		Processes: processes,
@@ -134,7 +150,7 @@ func (b *Builder) Build() (AutomationConfig, error) {
 		Versions:     b.versions,
 		ToolsVersion: b.toolsVersion,
 		Options:      Options{DownloadBase: "/var/lib/mongodb-mms-automation"},
-		Auth:         DisabledAuth(),
+		Auth:         auth,
 		TLS: TLS{
 			ClientCertificateMode: ClientCertificateModeOptional,
 		},

pkg/controller/mongodb/mongodb_authentication.go

@@ -0,0 +1,60 @@
+package mongodb
+
+import (
+	mdbv1 "github.com/mongodb/mongodb-kubernetes-operator/pkg/apis/mongodb/v1"
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/authentication/scram"
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/automationconfig"
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/kube/podtemplatespec"
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/kube/secret"
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/kube/statefulset"
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/util/contains"
+)
+
+const (
+	scramShaOption = "SCRAM"
+)
+
+// noOpAuthEnabler performs no changes, leaving authentication settings untouched
+type noOpAuthEnabler struct{}
+
+func (n noOpAuthEnabler) EnableAuth(auth automationconfig.Auth) automationconfig.Auth {
+	return auth
+}
+
+// getAuthenticationEnabler returns a type that is able to configure the automation config's
+// authentication settings
+func getAuthenticationEnabler(getUpdateCreator secret.GetUpdateCreator, mdb mdbv1.MongoDB) (automationconfig.AuthEnabler, error) {
+	if !mdb.Spec.Security.Authentication.Enabled {
+		return noOpAuthEnabler{}, nil
+	}
+
+	// currently, just enable auth if it's in the list as there is only one option
+	if contains.AuthMode(mdb.Spec.Security.Authentication.Modes, scramShaOption) {
+		enabler, err := scram.EnsureAgentSecret(getUpdateCreator, mdb.ScramCredentialsNamespacedName())
+		if err != nil {
+			return noOpAuthEnabler{}, err
+		}
+		return enabler, nil
+	}
+	return noOpAuthEnabler{}, nil
+}
+
+// buildScramPodSpecModification will add the keyfile volume to the podTemplateSpec
+// the keyfile is owned by the agent, and is required to have 0600 permissions.
+func buildScramPodSpecModification(mdb mdbv1.MongoDB) podtemplatespec.Modification {
+	if !mdb.Spec.Security.Authentication.Enabled {
+		return podtemplatespec.NOOP()
+	}
+
+	mode := int32(0600)
+	scramSecretNsName := mdb.ScramCredentialsNamespacedName()
+	keyFileVolume := statefulset.CreateVolumeFromSecret(scramSecretNsName.Name, scramSecretNsName.Name, statefulset.WithSecretDefaultMode(&mode))
+	keyFileVolumeVolumeMount := statefulset.CreateVolumeMount(keyFileVolume.Name, "/var/lib/mongodb-mms-automation/authentication", statefulset.WithReadOnly(false))
+	keyFileVolumeVolumeMountMongod := statefulset.CreateVolumeMount(keyFileVolume.Name, "/var/lib/mongodb-mms-automation/authentication", statefulset.WithReadOnly(false))
+
+	return podtemplatespec.Apply(
+		podtemplatespec.WithVolume(keyFileVolume),
+		podtemplatespec.WithVolumeMounts(agentName, keyFileVolumeVolumeMount),
+		podtemplatespec.WithVolumeMounts(mongodbName, keyFileVolumeVolumeMountMongod),
+	)
+}