configure MBS to use Kerberos for authentication

This change deploys a KDC using the c3i-library (https://pagure.io/c3i-library) and configures MBS
to require Kerberos authentication for submitting builds to the frontend.

openshift/integration/koji/containers/jenkins-slave/Dockerfile

@@ -37,7 +37,7 @@ RUN ${DNF_CMD} install -y \
     # Jenkins pipeline 'sh' steps seem to require ps
     procps-ng \
     # Tools to interface with our test instances
-    koji && \
+    koji krb5-workstation && \
     ${DNF_CMD} clean all
 
 # CA Certs

openshift/integration/koji/pipelines/templates/mbs-integration-test-template.yaml

@@ -39,6 +39,16 @@ parameters:
   displayName: The UMB container image to be tested
   description: This field must be in repo:tag or repo@sha256 format
   value: docker-registry.upshift.redhat.com/factory2/umb:latest
+- name: USE_KRB5
+  displayName: Deploy a Kerberos KDC and configure the MBS frontend to require Kerberos authentication.
+  description: If not set to "true", no KDC will be deployed and MBS will allow anonymous access.
+  required: true
+  value: "true"
+- name: KRB5_IMAGE
+  displayName: Kerberos 5 KDC image
+  description: The image used to deploy a Kerberos 5 KDC, if configured to do so.
+  required: false
+  value: quay.io/factory2/krb5-fedora:latest
 - name: TEST_IMAGES
   displayName: Images being tested
   description: >-
@@ -121,6 +131,10 @@ objects:
           value: "${KOJI_IMAGE}"
         - name: UMB_IMAGE
           value: "${UMB_IMAGE}"
+        - name: USE_KRB5
+          value: "${USE_KRB5}"
+        - name: KRB5_IMAGE
+          value: "${KRB5_IMAGE}"
         - name: TEST_IMAGES
           value: "${TEST_IMAGES}"
         - name: IMAGE_IS_SCRATCH

openshift/integration/koji/pipelines/templates/mbs-integration-test.Jenkinsfile

@@ -75,7 +75,7 @@ pipeline {
           openshift.withCluster() {
             openshift.withProject() {
               // Cleanup all test environments that were created 1 hour ago in case of failures of previous cleanups.
-              c3i.cleanup(script: this, 'umb', 'koji', 'mbs')
+              c3i.cleanup(script: this, 'krb5', 'umb', 'koji', 'mbs')
             }
           }
         }
@@ -113,6 +113,46 @@ pipeline {
         }
       }
     }
+    stage('Deploy KDC') {
+      when {
+        expression {
+          return params.USE_KRB5 == 'true'
+        }
+      }
+      steps {
+        script {
+          env.KRB5_DOMAIN = env.ROUTE_SUFFIX.split('\\.', 2).last()
+          env.KRB5_REALM = env.KRB5_DOMAIN.toUpperCase()
+          env.KRB5_ADMIN_PASSWORD = UUID.randomUUID().toString().take(12)
+          openshift.withCluster() {
+            openshift.withProject(params.TEST_NAMESPACE) {
+              def deployed = krb5.deploy(script: this, test_id: env.TEST_ID,
+                                         realm: env.KRB5_REALM, domain: env.KRB5_DOMAIN,
+                                         admin_password: env.KRB5_ADMIN_PASSWORD)
+              // Wait for the KDC to become available, to allow creation of
+              // principals and keytabs for subsequent deployments.
+              c3i.waitForDeployment(script: this, objs: deployed)
+              def ports = openshift.selector('service', "kerberos-${TEST_ID}").object().spec.ports
+              def kdcPort = ports.find { it.name == 'kdc-udp' }.nodePort
+              def adminPort = ports.find { it.name == 'admin' }.nodePort
+              def kpasswdPort = ports.find { it.name == 'kpasswd-udp' }.nodePort
+              def krb5Host = "krb5-${TEST_ID}-${env.ROUTE_SUFFIX}"
+              env.KRB5_KDC_HOST = "${krb5Host}:${kdcPort}"
+              env.KRB5_ADMIN_HOST = "${krb5Host}:${adminPort}"
+              env.KRB5_KPASSWD_HOST = "${krb5Host}:${kpasswdPort}"
+            }
+          }
+        }
+      }
+      post {
+        success {
+          echo "KDC deployed: REALM: ${env.KRB5_REALM} KDC: ${env.KRB5_KDC_HOST}"
+        }
+        failure {
+          echo "KDC deployment FAILED"
+        }
+      }
+    }
     stage('Deploy UMB') {
       steps {
         script {
@@ -185,6 +225,17 @@ pipeline {
           def cabundle = ca.get_ca_cert().cert + digicertca
           def msgcert = ca.get_ssl_cert("mbs-${TEST_ID}-msg")
           def kojicert = ca.get_ssl_cert(env.KOJI_ADMIN)
+          if (params.USE_KRB5 == 'true') {
+            def krbAdmin = krb5.adminClient()
+            def krbsvc = "HTTP/${env.MBS_SSL_HOST}"
+            krbAdmin.addService(krbsvc)
+            env.MBS_FRONTEND_KEYTAB = krbAdmin.getKeytab(krbsvc)
+            // Usernames between MBS and Koji need to be consistent,
+            // so use the Koji admin as the MBS user.
+            env.KRB5_PRINCIPAL = env.KOJI_ADMIN
+            env.KRB5_PASSWORD = UUID.randomUUID().toString().take(12)
+            krbAdmin.addPrincipal(env.KRB5_PRINCIPAL, env.KRB5_PASSWORD)
+          }
           openshift.withCluster() {
             openshift.withProject(params.TEST_NAMESPACE) {
               def deployed = mbs.deploy(script: this, test_id: env.TEST_ID,
@@ -192,6 +243,9 @@ pipeline {
                                         brokercert: msgcert,
                                         frontendcert: frontendcert, frontendca: ca.get_ca_cert(),
                                         cacerts: cabundle,
+                                        frontend_keytab: params.USE_KRB5 == 'true' ? env.MBS_FRONTEND_KEYTAB : '',
+                                        krb5_conf_configmap: params.USE_KRB5 == 'true' ? "krb5-${TEST_ID}-config" : '',
+                                        krb5_user: params.USE_KRB5 == 'true' ? env.KRB5_PRINCIPAL : '',
                                         kojiurl: "https://${env.KOJI_SSL_HOST}",
                                         stompuri: "${env.UMB_HOST}:${env.UMB_STOMP_SSL_PORT}",
                                         backend_image: params.MBS_BACKEND_IMAGE,