fix enterprise cors (#592 )

TRA-4147 simpler kratos password policy (#590 )
Fixed standalone config, small refactor (#589 )
2026-02-24 14:53:56 +00:00 · 2022-01-06 12:39:03 +02:00 · 2022-01-06 12:15:46 +02:00 · 2022-01-06 12:04:58 +02:00
10 changed files with 37 additions and 23 deletions
--- a/agent/kratos/Dockerfile
+++ b/agent/kratos/Dockerfile
@@ -1,4 +1,4 @@
-FROM oryd/kratos:v0.8.0-sqlite
+FROM gcr.io/up9-docker-hub/mizu-kratos-base/simple-password-policy:latest

 USER root

--- a/agent/pkg/controllers/config_controller.go
+++ b/agent/pkg/controllers/config_controller.go
@@ -50,7 +50,9 @@ func PostTapConfig(c *gin.Context) {
 		c.JSON(http.StatusInternalServerError, err)
 		return
 	}
+
 	ctx, cancel := context.WithCancel(context.Background())
+
 	if _, err := startMizuTapperSyncer(ctx, kubernetesProvider, tappedNamespaces, *podRegex, []string{}, tapApi.TrafficFilteringOptions{}, false); err != nil {
 		c.JSON(http.StatusInternalServerError, err)
 		cancel()
@@ -69,25 +71,27 @@ func GetTapConfig(c *gin.Context) {
 		c.JSON(http.StatusInternalServerError, err)
 		return
 	}
+
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
+
 	namespaces, err := kubernetesProvider.ListAllNamespaces(ctx)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, err)
 		return
 	}

+	tappedNamespaces := make(map[string]bool)
 	for _, namespace := range namespaces {
 		if namespace.Name == config.Config.MizuResourcesNamespace {
 			continue
 		}

-		if _, ok := globalTapConfig.TappedNamespaces[namespace.Name]; !ok {
-			globalTapConfig.TappedNamespaces[namespace.Name] = false
-		}
+		tappedNamespaces[namespace.Name] = globalTapConfig.TappedNamespaces[namespace.Name]
 	}

-	c.JSON(http.StatusOK, globalTapConfig)
+	tapConfig := models.TapConfig{TappedNamespaces: tappedNamespaces}
+	c.JSON(http.StatusOK, tapConfig)
 }

 func startMizuTapperSyncer(ctx context.Context, provider *kubernetes.Provider, targetNamespaces []string, podFilterRegex regexp.Regexp, ignoredUserAgents []string, mizuApiFilteringOptions tapApi.TrafficFilteringOptions, istio bool) (*kubernetes.MizuTapperSyncer, error) {
--- a/agent/pkg/middlewares/cors.go
+++ b/agent/pkg/middlewares/cors.go
@@ -6,7 +6,7 @@ func CORSMiddleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
 		c.Writer.Header().Set("Access-Control-Allow-Credentials", "true")
-		c.Writer.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, accept, origin, Cache-Control, X-Requested-With")
+		c.Writer.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, accept, origin, Cache-Control, X-Requested-With, x-session-token")
 		c.Writer.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS, GET, PUT")

 		if c.Request.Method == "OPTIONS" {
--- a/agent/pkg/routes/config_routes.go
+++ b/agent/pkg/routes/config_routes.go
@@ -3,10 +3,12 @@ package routes
 import (
 	"github.com/gin-gonic/gin"
 	"mizuserver/pkg/controllers"
+	"mizuserver/pkg/middlewares"
 )

 func ConfigRoutes(ginApp *gin.Engine) {
 	routeGroup := ginApp.Group("/config")
+	routeGroup.Use(middlewares.RequiresAuth())

 	routeGroup.POST("/tapConfig", controllers.PostTapConfig)
 	routeGroup.GET("/tapConfig", controllers.GetTapConfig)
--- a/cli/cmd/install.go
+++ b/cli/cmd/install.go
@@ -1,7 +1,9 @@
 package cmd

 import (
+	"fmt"
 	"github.com/spf13/cobra"
+	"github.com/up9inc/mizu/cli/config"
 	"github.com/up9inc/mizu/cli/telemetry"
 )

@@ -13,6 +15,13 @@ var installCmd = &cobra.Command{
 		runMizuInstall()
 		return nil
 	},
+	PreRunE: func(cmd *cobra.Command, args []string) error {
+		if config.Config.IsNsRestrictedMode() {
+			return fmt.Errorf("install is not supported in restricted namespace mode")
+		}
+
+		return nil
+	},
 }

 func init() {
--- a/cli/cmd/installRunner.go
+++ b/cli/cmd/installRunner.go
@@ -22,10 +22,6 @@ func runMizuInstall() {
 		return
 	}

-	if config.Config.IsNsRestrictedMode() {
-		logger.Log.Error("install is not supported in restricted namespace mode")
-	}
-
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel() // cancel will be called when this function exits

--- a/cli/cmd/tapRunner.go
+++ b/cli/cmd/tapRunner.go
@@ -125,7 +125,6 @@ func RunMizuTap() {

 	logger.Log.Infof("Waiting for Mizu Agent to start...")
 	if state.mizuServiceAccountExists, err = resources.CreateTapMizuResources(ctx, kubernetesProvider, serializedValidationRules, serializedContract, serializedMizuConfig, config.Config.IsNsRestrictedMode(), config.Config.MizuResourcesNamespace, config.Config.AgentImage, getSyncEntriesConfig(), config.Config.Tap.MaxEntriesDBSizeBytes(), config.Config.Tap.ApiServerResources, config.Config.ImagePullPolicy(), config.Config.LogLevel()); err != nil {
-		logger.Log.Errorf("error %v", err)
 		var statusError *k8serrors.StatusError
 		if errors.As(err, &statusError) {
 			if statusError.ErrStatus.Reason == metav1.StatusReasonAlreadyExists {
--- a/cli/resources/createResources.go
+++ b/cli/resources/createResources.go
@@ -66,25 +66,29 @@ func CreateTapMizuResources(ctx context.Context, kubernetesProvider *kubernetes.
 }

 func CreateInstallMizuResources(ctx context.Context, kubernetesProvider *kubernetes.Provider, serializedValidationRules string, serializedContract string, serializedMizuConfig string, isNsRestrictedMode bool, mizuResourcesNamespace string, agentImage string, syncEntriesConfig *shared.SyncEntriesConfig, maxEntriesDBSizeBytes int64, apiServerResources shared.Resources, imagePullPolicy core.PullPolicy, logLevel logging.Level, noPersistentVolumeClaim bool) error {
-	if !isNsRestrictedMode {
-		if err := createMizuNamespace(ctx, kubernetesProvider, mizuResourcesNamespace); err != nil {
-			return err
-		}
+	if err := createMizuNamespace(ctx, kubernetesProvider, mizuResourcesNamespace); err != nil {
+		return err
 	}
+	logger.Log.Infof("namespace/%v created", mizuResourcesNamespace)

 	if err := createMizuConfigmap(ctx, kubernetesProvider, serializedValidationRules, serializedContract, serializedMizuConfig, mizuResourcesNamespace); err != nil {
 		return err
 	}
-	logger.Log.Infof("Created config map")
+	logger.Log.Infof("configmap/%v created", kubernetes.ConfigMapName)

 	_, err := createRBACIfNecessary(ctx, kubernetesProvider, isNsRestrictedMode, mizuResourcesNamespace, []string{"pods", "services", "endpoints", "namespaces"})
 	if err != nil {
 		return err
 	}
+	logger.Log.Infof("serviceaccount/%v created", kubernetes.ServiceAccountName)
+	logger.Log.Infof("clusterrole.rbac.authorization.k8s.io/%v created", kubernetes.ClusterRoleName)
+	logger.Log.Infof("clusterrolebinding.rbac.authorization.k8s.io/%v created", kubernetes.ClusterRoleBindingName)
+
 	if err := kubernetesProvider.CreateDaemonsetRBAC(ctx, mizuResourcesNamespace, kubernetes.ServiceAccountName, kubernetes.DaemonRoleName, kubernetes.DaemonRoleBindingName, mizu.RBACVersion); err != nil {
 		return err
 	}
-	logger.Log.Infof("Created RBAC")
+	logger.Log.Infof("role.rbac.authorization.k8s.io/%v created", kubernetes.DaemonRoleName)
+	logger.Log.Infof("rolebinding.rbac.authorization.k8s.io/%v created", kubernetes.DaemonRoleBindingName)

 	serviceAccountName := kubernetes.ServiceAccountName
 	opts := &kubernetes.ApiServerOptions{
@@ -103,13 +107,13 @@ func CreateInstallMizuResources(ctx context.Context, kubernetesProvider *kuberne
 	if err := createMizuApiServerDeployment(ctx, kubernetesProvider, opts, noPersistentVolumeClaim); err != nil {
 		return err
 	}
-	logger.Log.Infof("Created Api Server deployment")
+	logger.Log.Infof("deployment.apps/%v created", kubernetes.ApiServerPodName)

 	_, err = kubernetesProvider.CreateService(ctx, mizuResourcesNamespace, kubernetes.ApiServerPodName, kubernetes.ApiServerPodName)
 	if err != nil {
 		return err
 	}
-	logger.Log.Infof("Created Api Server service")
+	logger.Log.Infof("service/%v created",  kubernetes.ApiServerPodName)

 	return nil
 }
--- a/shared/kubernetes/consts.go
+++ b/shared/kubernetes/consts.go
@@ -4,9 +4,9 @@ const (
 	MizuResourcesPrefix        = "mizu-"
 	ApiServerPodName           = MizuResourcesPrefix + "api-server"
 	ClusterRoleBindingName     = MizuResourcesPrefix + "cluster-role-binding"
-	DaemonRoleBindingName      = MizuResourcesPrefix + "cluster-role-binding-daemon"
+	DaemonRoleBindingName      = MizuResourcesPrefix + "role-binding-daemon"
 	ClusterRoleName            = MizuResourcesPrefix + "cluster-role"
-	DaemonRoleName             = MizuResourcesPrefix + "cluster-role-daemon"
+	DaemonRoleName             = MizuResourcesPrefix + "role-daemon"
 	K8sAllNamespaces           = ""
 	RoleBindingName            = MizuResourcesPrefix + "role-binding"
 	RoleName                   = MizuResourcesPrefix + "role"
--- a/ui/src/components/InstallPage.tsx
+++ b/ui/src/components/InstallPage.tsx
@@ -17,8 +17,8 @@ export const InstallPage: React.FC = () => {
    const {setPage} = useContext(MizuContext);

    const onFormSubmit = async () => {
-        if (password.length < 8) {
-            toast.error("Password must be at least 8 characters long");
+        if (password.length < 4) {
+            toast.error("Password must be at least 4 characters long");
            return;
        } else if (password !== passwordConfirm) {
            toast.error("Passwords do not match");
Author	SHA1	Message	Date
RamiBerm	5d36d9184d	fix enterprise cors (#592 )	2022-01-06 12:39:03 +02:00
RamiBerm	63122cb0a7	TRA-4147 simpler kratos password policy (#590 )	2022-01-06 12:15:46 +02:00
RoyUP9	b88bdb90f6	Fixed standalone config, small refactor (#589 )	2022-01-06 12:04:58 +02:00