feat: permissions without keycloak

helm/modelix/templates/_helpers.tpl

@@ -81,17 +81,10 @@ https://{{ .Values.ingress.hostname }}{{ if .Values.ingress.port }}:{{ .Values.i
 http://{{ include "modelix.fullname" . }}-keycloak:8080/
 {{- end }}
 
-{{- define "modelix.keycloakEnv" -}}
-- name: KEYCLOAK_CLIENT_SECRET
-  valueFrom:
-    secretKeyRef:
-      key: keycloak-client-secret
-      name: "{{ include "modelix.fullname" . }}-keycloak-client-secret"
-- name: KEYCLOAK_CLIENT_ID
-  value: "{{ .Values.keycloak.clientId }}"
-- name: KEYCLOAK_REALM
-  value: "{{ .Values.keycloak.realm }}"
-- name: KEYCLOAK_BASE_URL
-  value: "{{ include "modelix.internalKeycloakUrl" . }}"
+{{- define "modelix.authorizationConfig" -}}
+- name: MODELIX_JWK_URI_KEYCLOAK
+  value: "{{ include "modelix.internalKeycloakUrl" . }}realms/{{ .Values.keycloak.realm }}/protocol/openid-connect/certs"
+- name: MODELIX_PERMISSION_CHECKS_ENABLED
+  value: "{{ .Values.authorization.enabled }}"
 {{- end }}
 

helm/modelix/templates/common/instances-manager-deployment.yaml

@@ -40,7 +40,11 @@ spec:
             value: "{{ include "modelix.fullname" . }}-wsclt-"
           - name: WORKSPACE_CLIENT_IMAGE
             value: "modelix/modelix-workspace-client:{{ .Values.imageTags.wsClient | default .Chart.AppVersion }}"
-          {{- include "modelix.keycloakEnv" . | nindent 10 }}
+          - name: "MODELIX_JWK_FILE"
+            value: /secrets/jwk/
+          - name: MODELIX_WORKSPACE_SERVER
+            value: http://{{ include "modelix.fullname" . }}-workspace-manager:28104/
+          {{- include "modelix.authorizationConfig" . | nindent 10 }}
         ports:
         - containerPort: 33332
         - containerPort: 5005
@@ -65,6 +69,17 @@ spec:
           initialDelaySeconds: 60
           periodSeconds: 15
           timeoutSeconds: 10
+        volumeMounts:
+          - name: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+            mountPath: /secrets/jwk/wsmanager
+            readOnly: true
       restartPolicy: Always
+      volumes:
+        - name: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+          secret:
+            secretName: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+            items:
+              - key: private
+                path: private.pem
       {{- include "modelix.pullSecret" . | nindent 6 }}
 {{- end -}}

helm/modelix/templates/common/instances-manager-rsa-keys.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+type: Opaque
+data:
+  {{ $cert := genSelfSignedCert "instances-manager" nil nil 36524 -}}
+  public: {{ $cert.Cert | b64enc }}
+  private: {{ $cert.Key | b64enc }}

helm/modelix/templates/common/model-deployment.yaml

@@ -27,7 +27,9 @@ spec:
         - env:
             - name: jdbc_url
               value: jdbc:postgresql://{{ include "modelix.fullname" . }}-db:5432/
-            {{- include "modelix.keycloakEnv" . | nindent 12 }}
+            - name: "MODELIX_JWK_FILE"
+              value: /secrets/jwk/
+            {{- include "modelix.authorizationConfig" . | nindent 12 }}
           image: "{{ .Values.dockerProxy.prefix }}modelix/modelix-model:{{ .Values.imageTags.model | default .Values.versions.modelix.core }}"
           imagePullPolicy: IfNotPresent
           name: model
@@ -56,5 +58,25 @@ spec:
             initialDelaySeconds: 60
             periodSeconds: 15
             timeoutSeconds: 10
+          volumeMounts:
+            - name: "{{ include "modelix.fullname" . }}-workspace-manager-rsa-keys"
+              mountPath: /secrets/jwk/wsmanager
+              readOnly: true
+            - name: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+              mountPath: /secrets/jwk/instancesmanager
+              readOnly: true
       restartPolicy: Always
+      volumes:
+        - name: "{{ include "modelix.fullname" . }}-workspace-manager-rsa-keys"
+          secret:
+            secretName: "{{ include "modelix.fullname" . }}-workspace-manager-rsa-keys"
+            items:
+              - key: public
+                path: workspace-manager-public.pem
+        - name: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+          secret:
+            secretName: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+            items:
+              - key: public
+                path: instances-manager-public.pem
       {{- include "modelix.pullSecret" . | nindent 6 }}

helm/modelix/templates/common/oauth-deployment.yaml

@@ -81,7 +81,7 @@ spec:
             - --silence-ping-logging=true
             - --upstream=http://{{ include "modelix.fullname" . }}-proxy/
             - --skip-auth-regex=\/(resources|admin|js|realms|keycloak)\/.* # keycloak
-            - --skip-auth-regex=\/model\/.* # Model server checks there bearer token itself. Model client needs the 401.
+            - --skip-auth-regex=\/model\/.* # Model server checks the bearer token itself. Model client needs the 401.
             - --skip-auth-regex=^\/$
             - --skip-auth-regex=\/public\/.*
             - --skip-jwt-bearer-tokens=true

helm/modelix/templates/common/workspace-config-persistentvolumeclaim.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.workspaces.enabled  -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    component: workspace-uploads
+    {{- include "modelix.labels" . | nindent 4 }}
+  name: "{{ include "modelix.fullname" . }}-workspace-config"
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Mi
+{{- end -}}

helm/modelix/templates/common/workspace-manager-deployment.yaml

@@ -39,7 +39,9 @@ spec:
             value: "{{ include "modelix.fullname" . }}-"
           - name: MODELIX_MAX_BODY_SIZE
             value: "{{ .Values.maxBodySize }}"
-          {{- include "modelix.keycloakEnv" . | nindent 10 }}
+          - name: "MODELIX_JWK_FILE"
+            value: /secrets/jwk/
+          {{- include "modelix.authorizationConfig" . | nindent 10 }}
         image: "{{ .Values.dockerProxy.prefix }}modelix/modelix-workspace-manager:{{ .Values.imageTags.wsManager | default .Values.versions.modelix.workspaces }}"
         imagePullPolicy: IfNotPresent
         name: workspace-manager
@@ -71,19 +73,42 @@ spec:
         volumeMounts:
           - mountPath: "/workspace-manager/modelix-workspaces/uploads"
             name: "{{ include "modelix.fullname" . }}-workspace-uploads"
+          - mountPath: "/workspace-manager/config"
+            name: "{{ include "modelix.fullname" . }}-workspace-config"
           - name: "{{ include "modelix.fullname" . }}-workspace-secret"
             mountPath: /secrets/workspacesecret
             readOnly: true
+          - name: "{{ include "modelix.fullname" . }}-workspace-manager-rsa-keys"
+            mountPath: /secrets/jwk/wsmanager
+            readOnly: true
+          - name: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+            mountPath: /secrets/jwk/instancesmanager
+            readOnly: true
       restartPolicy: Always
       volumes:
         - name: "{{ include "modelix.fullname" . }}-workspace-uploads"
           persistentVolumeClaim:
             claimName: "{{ include "modelix.fullname" . }}-workspace-uploads"
+        - name: "{{ include "modelix.fullname" . }}-workspace-config"
+          persistentVolumeClaim:
+            claimName: "{{ include "modelix.fullname" . }}-workspace-config"
         - name: "{{ include "modelix.fullname" . }}-workspace-secret"
           secret:
             secretName: "{{ include "modelix.fullname" . }}-workspace-secret"
             items:
               - key: workspace-secret
                 path: workspace-credentials-key.txt
+        - name: "{{ include "modelix.fullname" . }}-workspace-manager-rsa-keys"
+          secret:
+            secretName: "{{ include "modelix.fullname" . }}-workspace-manager-rsa-keys"
+            items:
+              - key: private
+                path: private.pem
+        - name: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+          secret:
+            secretName: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+            items:
+              - key: public
+                path: instances-manager-public.pem
       {{- include "modelix.pullSecret" . | nindent 6 }}
 {{- end -}}

helm/modelix/templates/common/workspace-manager-rsa-keys.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ include "modelix.fullname" . }}-workspace-manager-rsa-keys"
+type: Opaque
+data:
+  {{ $cert := genSelfSignedCert "workspace-manager" nil nil 36524 -}}
+  public: {{ $cert.Cert | b64enc }}
+  private: {{ $cert.Key | b64enc }}

helm/modelix/values.yaml

@@ -4,10 +4,10 @@ fullnameOverride: ""
 
 versions:
   modelix:
-    workspaces: "0.3.2"
-    core: "4.11.5"
-    kubernetes: "0.1.2-dirty"
-    vncBaseImage: "0.6.0"
+    workspaces: "0.4.4-pr194-655a1216"
+    core: "10.1.0-pr1190-c6ab4b78"
+    kubernetes: "0.3.1"
+    vncBaseImage: "0.7.0"
 
 imageTags:
   db: ""
@@ -75,3 +75,6 @@ dockerProxy:
   secret64: ""
 
 serviceAccount: ""
+
+authorization:
+  enabled: true

versions.properties

@@ -1,4 +1,4 @@
 # Modelix core version.
-modelixCoreVersion=4.11.5
+modelixCoreVersion=10.1.0-pr1190-c6ab4b78
 # Modelix Workspaces versions
-modelixWorkspacesVersion=0.3.4
+modelixWorkspacesVersion=0.4.4-pr194-655a1216