RHINENG-19161: setup Kessel service client

Author: Dugowitch

base/utils/config.go

@@ -93,6 +93,7 @@ type coreConfig struct {
 	KesselAuthClientID     string
 	KesselAuthClientSecret string
 	KesselAuthOIDCIssuer   string
+	RbacURL                string
 
 	// prometheus pushgateway
 	PrometheusPushGateway string
@@ -266,6 +267,8 @@ func initServicesFromClowder() {
 			}
 		case "rbac":
 			CoreCfg.RbacAddress = (*Endpoint)(&endpoint).buildURL()
+		case "rbac-service":
+			CoreCfg.RbacURL = (*Endpoint)(&endpoint).buildURL()
 		}
 	}
 
@@ -337,13 +340,14 @@ func initLoggerFromEnv() {
 }
 
 func initKesselFromEnv() {
-	CoreCfg.KesselEnabled = GetBoolEnvOrDefault("KESSEL_ENABLED", false)
-	CoreCfg.KesselURL = Getenv("KESSEL_URL", "")
-	CoreCfg.KesselAuthEnabled = GetBoolEnvOrDefault("KESSEL_AUTH_ENABLED", false)
-	CoreCfg.KesselInsecure = GetBoolEnvOrDefault("KESSEL_INSECURE", true)
-	CoreCfg.KesselAuthClientID = Getenv("KESSEL_AUTH_CLIENT_ID", "")
-	CoreCfg.KesselAuthClientSecret = Getenv("KESSEL_AUTH_CLIENT_SECRET", "")
-	CoreCfg.KesselAuthOIDCIssuer = Getenv("KESSEL_AUTH_OIDC_ISSUER", "")
+	CoreCfg.KesselEnabled = GetBoolEnvOrDefault("KESSEL_ENABLED", CoreCfg.KesselEnabled)
+	CoreCfg.KesselURL = Getenv("KESSEL_URL", CoreCfg.KesselURL)
+	CoreCfg.KesselAuthEnabled = GetBoolEnvOrDefault("KESSEL_AUTH_ENABLED", CoreCfg.KesselAuthEnabled)
+	CoreCfg.KesselInsecure = GetBoolEnvOrDefault("KESSEL_INSECURE", CoreCfg.KesselInsecure)
+	CoreCfg.KesselAuthClientID = Getenv("KESSEL_AUTH_CLIENT_ID", CoreCfg.KesselAuthClientID)
+	CoreCfg.KesselAuthClientSecret = Getenv("KESSEL_AUTH_CLIENT_SECRET", CoreCfg.KesselAuthClientSecret)
+	CoreCfg.KesselAuthOIDCIssuer = Getenv("KESSEL_AUTH_OIDC_ISSUER", CoreCfg.KesselAuthOIDCIssuer)
+	CoreCfg.RbacURL = Getenv("RBAC_URL", CoreCfg.RbacURL)
 }
 
 // PrintClowderParams Print Clowder params to export environment variables.

conf/test.env

@@ -13,3 +13,4 @@ LIMIT_PAGE_SIZE=false
 POD_CONFIG=label=upload;vmaas_call_max_retries=100;baseline_change_eval=false;update_users;update_db_config;use_testing_db
 
 KESSEL_URL=platform:9005
+KESSEL_INSECURE=true

deploy/clowdapp.yaml

@@ -107,6 +107,13 @@ objects:
         - {name: RATELIMIT, value: '${RATELIMIT}'}
         - {name: LIMIT_PAGE_SIZE, value: '${LIMIT_PAGE_SIZE}'}
         - {name: POD_CONFIG, value: '${MANAGER_CONFIG}'}
+        - {name: KESSEL_ENABLED, value: '${KESSEL_ENABLED}'}
+        - {name: KESSEL_URL, value: '${KESSEL_URL}'}
+        - {name: KESSEL_AUTH_ENABLED, value: '${KESSEL_AUTH_ENABLED}'}
+        - {name: KESSEL_AUTH_OIDC_ISSUER, value: '${KESSEL_AUTH_OIDC_ISSUER}'}
+        - {name: KESSEL_INSECURE, value: '${KESSEL_INSECURE}'}
+        - {name: KESSEL_AUTH_CLIENT_ID, valueFrom: {secretKeyRef: {name: kessel-service-client, key: id}}}
+        - {name: KESSEL_AUTH_CLIENT_SECRET, valueFrom: {secretKeyRef: {name: kessel-service-client, key: secret}}}
 
         resources:
           limits: {cpu: '${CPU_LIMIT_MANAGER}', memory: '${MEM_LIMIT_MANAGER}'}
@@ -728,3 +735,10 @@ parameters:
 - {name: MEM_REQUEST_FLOORIST, value: 2Gi}
 - {name: CPU_LIMIT_FLOORIST, value: 500m}
 - {name: MEM_LIMIT_FLOORIST, value: 4Gi}
+
+# Kessel
+- {name: KESSEL_ENABLED, value: 'false'}
+- name: KESSEL_URL
+- name: KESSEL_AUTH_ENABLED
+- name: KESSEL_AUTH_OIDC_ISSUER
+- name: KESSEL_INSECURE

manager/middlewares/kessel.go

@@ -21,11 +21,17 @@ import (
 type ListObjectStreamingClient = grpc.ServerStreamingClient[kesselAPIv2.StreamedListObjectsResponse]
 
 func setupClient() (*kesselClientV2.InventoryClient, error) {
-	// TODO: use secure credentials
 	options := []func(*kesselClientCommon.Config){
 		kesselClientCommon.WithgRPCUrl(utils.CoreCfg.KesselURL),
 		kesselClientCommon.WithTLSInsecure(utils.CoreCfg.KesselInsecure),
 	}
+
+	if utils.CoreCfg.KesselAuthEnabled {
+		options = append(options, kesselClientCommon.WithAuthEnabled(
+			utils.CoreCfg.KesselAuthClientID, utils.CoreCfg.KesselAuthClientSecret, utils.CoreCfg.KesselAuthOIDCIssuer,
+		))
+	}
+
 	return kesselClientV2.New(kesselClientCommon.NewConfig(options...))
 }
 

manager/middlewares/kessel_test.go

@@ -16,8 +16,45 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestSetupClient(_ *testing.T) {
-	// TODO: implement test after client setup is added
+func TestSetupClient(t *testing.T) {
+	originalKesselInsecure := utils.CoreCfg.KesselInsecure
+	originalKesselAuthEnabled := utils.CoreCfg.KesselAuthEnabled
+	originalKesselAuthClientID := utils.CoreCfg.KesselAuthClientID
+	originalKesselAuthClientSecret := utils.CoreCfg.KesselAuthClientSecret
+
+	// insecure TLS and no auth
+	utils.CoreCfg.KesselInsecure = true
+	utils.CoreCfg.KesselAuthEnabled = false
+	client, err := setupClient()
+	assert.NoError(t, err)
+	assert.NotNil(t, client)
+
+	// secure TLS and no auth
+	utils.CoreCfg.KesselInsecure = false
+	client, err = setupClient()
+	assert.NoError(t, err)
+	assert.NotNil(t, client)
+
+	// insecure TLS and auth
+	utils.CoreCfg.KesselInsecure = true
+	utils.CoreCfg.KesselAuthEnabled = true
+	utils.CoreCfg.KesselAuthClientID = "test-client-id"
+	utils.CoreCfg.KesselAuthClientSecret = "test-client-secret"
+	client, err = setupClient()
+	assert.NoError(t, err)
+	assert.NotNil(t, client)
+
+	// secure TLS and auth
+	utils.CoreCfg.KesselInsecure = false
+	client, err = setupClient()
+	assert.NoError(t, err)
+	assert.NotNil(t, client)
+
+	// cleanup
+	utils.CoreCfg.KesselInsecure = originalKesselInsecure
+	utils.CoreCfg.KesselAuthEnabled = originalKesselAuthEnabled
+	utils.CoreCfg.KesselAuthClientID = originalKesselAuthClientID
+	utils.CoreCfg.KesselAuthClientSecret = originalKesselAuthClientSecret
 }
 
 func TestBuildRequest(t *testing.T) {