diff --git a/cluster-resources/policies/auth-sidecar-injector.yaml b/cluster-resources/policies/auth-sidecar-injector.yaml
index 2445a8c..1eb9e2e 100644
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -10,7 +10,7 @@ metadata: policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- - Injects an auth sidecar container into Pods annotated with policies.forteapps.io/auth: "true". Supports three auth modes controlled by the policies.forteapps.io/auth-type annotation: "token" (default), "oidc", and "mcp". In token mode the sidecar reads credentials from a mounted Secret volume. In OIDC mode the sidecar uses OpenID Connect with authority and client-id provided via required annotations (policies.forteapps.io/auth-oidc-authority and policies.forteapps.io/auth-oidc-client-id) and secrets from an auth-oidc Secret. In MCP mode the sidecar implements OAuth 2.0 for MCP servers per RFC 9728 (Protected Resource Metadata) and RFC 7591 (Dynamic Client Registration), configured via policies.forteapps.io/auth-mcp-resource and policies.forteapps.io/auth-mcp-authority annotations. A NetworkPolicy is generated to restrict ingress to the sidecar port only. + Injects an auth sidecar container into Pods annotated with policies.forteapps.io/auth: "true". Supports three auth modes controlled by the policies.forteapps.io/auth-type annotation: "token" (default), "oidc", and "mcp". In token mode the sidecar reads credentials from a mounted Secret volume. In OIDC mode the sidecar uses OpenID Connect with authority and client-id provided via required annotations (policies.forteapps.io/auth-oidc-authority and policies.forteapps.io/auth-oidc-client-id) and secrets from an auth-oidc Secret. In MCP mode the sidecar implements OAuth 2.0 for MCP servers per RFC 9728 (Protected Resource Metadata) and RFC 7591 (Dynamic Client Registration), configured via policies.forteapps.io/auth-mcp-resource and policies.forteapps.io/auth-mcp-authority annotations. The sidecar port defaults to 8080 and can be overridden via the policies.forteapps.io/auth-sidecar-port annotation. A NetworkPolicy is generated to restrict ingress to the sidecar port only. 
spec: background: false rules: @@ -119,6 +119,9 @@ spec: - name: appPort variable: jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000` + - name: sidecarPort + variable: + jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-sidecar-port" || '8080') mutate: patchStrategicMerge: spec: @@ -126,12 +129,12 @@ spec: - name: authn image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'ghcr.io/fortedigital/auth-sidecar' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}" ports: - - containerPort: 8080 + - containerPort: "{{ sidecarPort }}" name: auth protocol: TCP env: - name: AUTH_LISTEN_ADDR - value: ":8080" + value: ":{{ sidecarPort }}" - name: AUTH_UPSTREAM_URL value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-upstream-url\" || join('', ['http://localhost:', to_string(appPort)]) }}" - name: AUTH_PUBLIC_PATHS @@ -154,13 +157,13 @@ spec: readinessProbe: httpGet: path: /healthz - port: 8080 + port: "{{ sidecarPort }}" initialDelaySeconds: 2 periodSeconds: 5 livenessProbe: httpGet: path: /healthz - port: 8080 + port: "{{ sidecarPort }}" initialDelaySeconds: 5 periodSeconds: 10 securityContext: @@ -197,6 +200,9 @@ spec: - name: appPort variable: jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000` + - name: sidecarPort + variable: + jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-sidecar-port" || '8080') mutate: patchStrategicMerge: spec: 
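Review bot: The new `sidecarPort` context (hunk @@ -119,6 +119,9 @@, repeated at @@ -197, @@ -287, @@ -363 and in the generate rule at @@ -454) takes the port straight from a Pod-author-controlled annotation with no validation, and that same value is what the generated NetworkPolicy opens at @@ -472. If the annotation is set to the port that `appPort` resolves to (or to any port the application container actually listens on), the sidecar and the app contend for the same bind while the NetworkPolicy now admits traffic to that port, so a sidecar that loses the bind leaves the app reachable without the auth hop; a non-numeric value makes `to_number` return null, which presumably surfaces as an admission error rather than a silent fallback — worth confirming. I would reject the Pod with a validate rule that mirrors the mutate rules' match and denies when sidecarPort equals appPort or falls outside 1–65535 (sketched below), rather than a precondition, which would only skip injection. It would also help to comment the context entry, e.g. `# to_number so that "{{ sidecarPort }}" is substituted as an integer in containerPort/port fields`, since the quoted form otherwise reads as a string.
```yaml
- name: reject-sidecar-port-collision
  # … match: same Pod selector as the mutate rules (policies.forteapps.io/auth: "true") …
  context:
    - name: appPort
      variable:
        jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000`
    - name: sidecarPort
      variable:
        jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-sidecar-port" || '8080')
  validate:
    message: "policies.forteapps.io/auth-sidecar-port must be a port in 1-65535 that differs from the application port"
    deny:
      conditions:
        any:
          - key: "{{ sidecarPort }}"
            operator: Equals
            value: "{{ appPort }}"
          - key: "{{ sidecarPort }}"
            operator: LessThan
            value: 1
          - key: "{{ sidecarPort }}"
            operator: GreaterThan
            value: 65535
```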
@@ -205,14 +211,14 @@ spec: image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'ghcr.io/fortedigital/auth-sidecar' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}" imagePullPolicy: Always ports: - - containerPort: 8080 + - containerPort: "{{ sidecarPort }}" name: auth protocol: TCP env: - name: AUTH_MODE value: "oidc" - name: AUTH_LISTEN_ADDR - value: ":8080" + value: ":{{ sidecarPort }}" - name: AUTH_LOG_LEVEL value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-log-level\" || 'info' }}" - name: AUTH_UPSTREAM_URL @@ -249,13 +255,13 @@ spec: readinessProbe: httpGet: path: /healthz - port: 8080 + port: "{{ sidecarPort }}" initialDelaySeconds: 2 periodSeconds: 5 livenessProbe: httpGet: path: /healthz - port: 8080 + port: "{{ sidecarPort }}" initialDelaySeconds: 5 periodSeconds: 10 securityContext: @@ -287,6 +293,9 @@ spec: - name: appPort variable: jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000` + - name: sidecarPort + variable: + jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-sidecar-port" || '8080') mutate: patchStrategicMerge: spec: @@ -295,14 +304,14 @@ spec: image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'ghcr.io/fortedigital/auth-sidecar' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}" imagePullPolicy: Always ports: - - containerPort: 8080 + - containerPort: "{{ sidecarPort }}" name: auth protocol: TCP env: - name: AUTH_MODE value: "mcp" - name: AUTH_LISTEN_ADDR - value: ":8080" + value: ":{{ sidecarPort }}" - name: AUTH_LOG_LEVEL value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-log-level\" || 'info' }}" - name: AUTH_UPSTREAM_URL 
@@ -325,13 +334,13 @@ spec: readinessProbe: httpGet: path: /healthz - port: 8080 + port: "{{ sidecarPort }}" initialDelaySeconds: 2 periodSeconds: 5 livenessProbe: httpGet: path: /healthz - port: 8080 + port: "{{ sidecarPort }}" initialDelaySeconds: 5 periodSeconds: 10 securityContext: @@ -363,6 +372,9 @@ spec: - name: appPort variable: jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000` + - name: sidecarPort + variable: + jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-sidecar-port" || '8080') mutate: patchStrategicMerge: spec: @@ -371,14 +383,14 @@ spec: image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'ghcr.io/fortedigital/auth-sidecar' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}" imagePullPolicy: Always ports: - - containerPort: 8080 + - containerPort: "{{ sidecarPort }}" name: auth protocol: TCP env: - name: AUTH_MODE value: "oauth" - name: AUTH_LISTEN_ADDR - value: ":8080" + value: ":{{ sidecarPort }}" - name: AUTH_LOG_LEVEL value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-log-level\" || 'info' }}" - name: AUTH_UPSTREAM_URL @@ -415,13 +427,13 @@ spec: readinessProbe: httpGet: path: /healthz - port: 8080 + port: "{{ sidecarPort }}" initialDelaySeconds: 2 periodSeconds: 5 livenessProbe: httpGet: path: /healthz - port: 8080 + port: "{{ sidecarPort }}" initialDelaySeconds: 5 periodSeconds: 10 securityContext: @@ -454,6 +466,10 @@ spec: operator: In value: - CREATE + context: + - name: sidecarPort + variable: + jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-sidecar-port" || '8080') generate: synchronize: false apiVersion: networking.k8s.io/v1 @@ -472,5 +488,5 @@ spec: - Ingress ingress: - ports: - - port: 8080 + - port: "{{ sidecarPort }}" protocol: TCP