Merge pull request #404 from kinvolk/helm-oidc
chart: Add OIDC auth mode support to helm chart
yolossn authored Jul 7, 2021
2 parents 1eb9677 + 60de814 commit 8fbbed3
Showing 7 changed files with 103 additions and 13 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/helm-chart-lint-test.yaml
Expand Up @@ -39,7 +39,7 @@ jobs:
run: ct lint --config .github/ct.yaml

- name: Create kind cluster
uses: helm/kind-action@v1.0.0
uses: helm/kind-action@v1.2.0
if: steps.list-changed.outputs.changed == 'true'

- name: Run chart-testing (install)
2 changes: 1 addition & 1 deletion .github/workflows/helm-chart-release.yml
Expand Up @@ -32,7 +32,7 @@ jobs:
helm repo add bitnami https://charts.bitnami.com/bitnami
- name: Run chart-releaser
uses: helm/[email protected].0
uses: helm/[email protected].1
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
with:
4 changes: 2 additions & 2 deletions charts/nebraska/Chart.yaml
Expand Up @@ -19,8 +19,8 @@ sources:
maintainers:
- name: kinvolk
url: https://kinvolk.io/
version: 0.1.4
appVersion: "2.3.5"
version: 0.1.5
appVersion: "2.4.0"

dependencies:
- name: postgresql
16 changes: 14 additions & 2 deletions charts/nebraska/README.md
Expand Up @@ -69,15 +69,27 @@ $ helm install my-nebraska nebraska/nebraska
| `config.hostFlatcarPackages.persistence.storageClass` | PVC Storage Class for PostgreSQL volume | `nil` |
| `config.hostFlatcarPackages.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
| `config.hostFlatcarPackages.persistence.size` | PVC Storage Request for PostgreSQL volume | `10Gi` |
| `config.auth.mode` | Authentication mode, available modes: `noop`, `github` | `noop` |
| `config.auth.mode` | Authentication mode, available modes: `noop`, `github`, `oidc` | `noop` |
| `config.auth.github.clientID` | GitHub client ID used for authentication | `nil` |
| `config.auth.github.clientSecret` | GitHub client secret used for authentication | `nil` |
| `config.auth.github.sessionAuthKey` | Session secret used for authenticating sessions in cookies used for storing GitHub info , will be generated if none is passed | `nil` |
| `config.auth.github.sessionCryptKey` | Session key used for encrypting sessions in cookies used for storing GitHub info, will be generated if none is passed | `nil` |
| `config.auth.github.webhookSecret` | GitHub webhook secret used for validing webhook messages | `nil` |
| `config.auth.github.readWriteTeams` | comma-separated list of read-write GitHub teams in the org/team format | `nil` |
| `config.auth.github.readOnlyTeams` | comma-separated list of read-only GitHub teams in the org/team format | `nil` |
| `config.auth.github.enterpriseURL` | Base URL of the enterprise instance if using GHE | `nil` |
| `config.auth.github.enterpriseURL` | Base URL of the enterprise instance if using GHE | `nil` |
| `config.auth.oidc.clientID` | OIDC client ID used for authentication | `nil` |
| `config.auth.oidc.clientSecret` | OIDC client Secret used for authentication | `nil` |
| `config.auth.oidc.issuerURL` | OIDC issuer URL used for authentication | `nil` |
| `config.auth.oidc.validRedirectURLs` | comma-separated list of valid Redirect URLs | `nil` |
| `config.auth.oidc.managementURL` | OIDC management url for managing the account | `nil` |
| `config.auth.oidc.logoutURL` | URL to logout the user from current session | `nil` |
| `config.auth.oidc.adminRoles` | comma-separated list of accepted roles with admin access | `nil` |
| `config.auth.oidc.viewerRoles` | comma-separated list of accepted roles with viewer access | `nil` |
| `config.auth.oidc.rolesPath` | json path in which the roles array is present in the id token | `nil` |
| `config.auth.oidc.scopes` | comma-separated list of scopes to be used in OIDC | `nil` |
| `config.auth.oidc.sessionAuthKey` | Session secret used for authenticating sessions in cookies to store OIDC info , will be generated if none is passed | `nil` |
| `config.auth.oidc.sessionCryptKey` | Session key used for encrypting sessions in cookies to store OIDC info, will be generated if none is passed | `nil` |
| `config.database.host` | The host name of the database server | `""` (use postgresql from Bitnami subchart) |
| `config.database.port` | The port number the database server is listening on | `5432` |
| `config.database.dbname` | The database name | `{{ .Values.postgresql.postgresqlDatabase }}` (evaluated as a template) |
64 changes: 59 additions & 5 deletions charts/nebraska/templates/deployment.yaml
Expand Up @@ -81,11 +81,39 @@ spec:
{{- if .Values.config.auth.mode }}
- "-auth-mode={{ .Values.config.auth.mode }}"
{{- end }}
{{- if and .Values.config.auth.github.readWriteTeams (not (eq .Values.config.auth.mode "noop")) }}
{{- if eq .Values.config.auth.mode "github" }}
{{- if .Values.config.auth.github.readWriteTeams }}
- "-gh-rw-teams={{ .Values.config.auth.github.readWriteTeams }}"
{{- end }}
{{- if and .Values.config.auth.github.readOnlyTeams (not (eq .Values.config.auth.mode "noop")) }}
{{- end }}
{{- if .Values.config.auth.github.readOnlyTeams }}
- "-gh-ro-teams={{ .Values.config.auth.github.readOnlyTeams }}"
{{- end }}
{{- end }}
{{- if eq .Values.config.auth.mode "oidc" }}
{{- with .Values.config.auth.oidc.issuerURL }}
- "-oidc-issuer-url={{ . }}"
{{- end }}
{{- with .Values.config.auth.oidc.validRedirectURLs }}
- "-oidc-valid-redirect-urls={{ . }}"
{{- end }}
{{- with .Values.config.auth.oidc.managementURL }}
- "-oidc-management-url={{ . }}"
{{- end }}
{{- with .Values.config.auth.oidc.logoutURL }}
- "-oidc-logout-url"={{ . }}"
{{- end }}
{{- with .Values.config.auth.oidc.adminRoles }}
- "-oidc-admin-roles={{ . }}"
{{- end }}
{{- with .Values.config.auth.oidc.viewerRoles }}
- "-oidc-viewer-roles={{ . }}"
{{- end }}
{{- with .Values.config.auth.oidc.rolesPath }}
- "-oidc-roles-path={{ . }}"
{{- end }}
{{- with .Values.config.auth.oidc.scopes }}
- "-oidc-scopes={{ . }}"
{{- end }}
{{- end }}
env:
- name: DB_PASSWORD
Expand All @@ -100,7 +128,7 @@ spec:
{{- end }}
- name: NEBRASKA_DB_URL
value: {{ printf "postgres://%s:$(DB_PASSWORD)@%s:%s/%s?sslmode=disable&connect_timeout=10" $user $host $port $db | quote }}
{{- if or (eq .Values.config.auth.mode "github") (not .Values.config.auth.mode) }}
{{- if eq .Values.config.auth.mode "github" }}
- name: "NEBRASKA_GITHUB_OAUTH_CLIENT_ID"
value: "{{ .Values.config.auth.github.clientID }}"
- name: "NEBRASKA_GITHUB_OAUTH_CLIENT_SECRET"
Expand Down Expand Up @@ -128,6 +156,32 @@ spec:
value: "{{ .Values.config.auth.github.enterpriseURL }}"
{{- end }}
{{- end }}
{{- if eq .Values.config.auth.mode "oidc" }}
- name: "NEBRASKA_OIDC_CLIENT_ID"
valueFrom:
secretKeyRef:
name: {{ include "nebraska.fullname" . }}
key: oidcClientID
- name: "NEBRASKA_OIDC_CLIENT_SECRET"
valueFrom:
secretKeyRef:
name: {{ include "nebraska.fullname" . }}
key: oidcClientSecret
{{- if .Values.config.auth.oidc.sessionAuthKey }}
- name: "NEBRASKA_OIDC_SESSION_SECRET"
valueFrom:
secretKeyRef:
name: {{ include "nebraska.fullname" . }}
key: oidcSessionAuthKey
{{- end }}
{{- if .Values.config.auth.oidc.sessionCryptKey }}
- name: "NEBRASKA_OIDC_SESSION_CRYPT_KEY"
valueFrom:
secretKeyRef:
name: {{ include "nebraska.fullname" . }}
key: oidcSessionCryptKey
{{- end }}
{{- end }}
{{- range $key, $value := .Values.extraEnvVars }}
- name: {{ $key }}
value: {{ $value | quote }}
Expand All @@ -154,7 +208,7 @@ spec:
{{- if .Values.config.hostFlatcarPackages.enabled }}
volumes:
- name: packages
{{- if .Values.config.hostFlatcarPackages.persistence.enabled}}
{{- if .Values.config.hostFlatcarPackages.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ include "nebraska.fullname" . }}-packages
{{- else }}
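Review bot: The logout flag on the line `- "-oidc-logout-url"={{ . }}"` carries a stray double quote after the flag name, so once `config.auth.oidc.logoutURL` is set the rendered manifest has a quoted scalar followed by `=...` on the same line, which is a YAML parse error and breaks `helm template`/`helm install` for every OIDC deployment that sets it. It should read `- "-oidc-logout-url={{ . }}"`, matching the other `-oidc-*` entries in the same block. The `args` list this sits in starts above the hunk. A values file under the chart's `ci/` directory that sets `config.auth.mode: oidc` together with the `oidc.*` keys would let the existing chart-testing lint/install workflow catch this class of rendering error.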
15 changes: 13 additions & 2 deletions charts/nebraska/templates/secrets.yaml
@@ -1,6 +1,7 @@
{{- $useGhAuth := or (eq .Values.config.auth.mode "github") (not .Values.config.auth.mode) }}
{{- $useGhAuth := eq .Values.config.auth.mode "github" }}
{{- $useOidcAuth := eq .Values.config.auth.mode "oidc" }}
{{- $useDbPassword := not .Values.config.database.passwordExistingSecret.enabled }}
{{- if or $useDbPassword $useGhAuth }}
{{- if or $useDbPassword $useOidcAuth $useGhAuth }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -12,6 +13,16 @@ data:
{{- if $useDbPassword }}
dbPassword: {{ (tpl .Values.config.database.password .) | b64enc }}
{{- end }}
{{- if $useOidcAuth }}
oidcClientID: {{ required "A valid 'clientId' is required when using oidc authentication" .Values.config.auth.oidc.clientID | toString | b64enc }}
oidcClientSecret: {{ required "A valid 'clientSecret' is required when using oidc authentication" .Values.config.auth.oidc.clientSecret | toString | b64enc }}
{{- with .Values.config.auth.oidc.sessionAuthKey }}
oidcSessionAuthKey: {{ . | toString | b64enc }}
{{- end }}
{{- with .Values.config.auth.oidc.sessionCryptKey }}
oidcSessionCryptKey: {{ . | toString | b64enc }}
{{- end }}
{{- end }}
{{- if $useGhAuth }}
ghClientSecret: {{ required "A valid 'clientSecret' is required when using github authentication." .Values.config.auth.github.clientSecret | toString | b64enc }}
ghSessionAuthKey: {{ required "A valid 'sessionAuthKey' is required when using github authentication." .Values.config.auth.github.sessionAuthKey | toString | b64enc }}
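Review bot: The `required` message on the `oidcClientID:` line refers to the key as 'clientId' while the value it guards is `config.auth.oidc.clientID`; since this text is what a user sees when the install aborts, it should name the real key, e.g. `required "A valid 'clientID' is required when using oidc authentication."` (the trailing period also matches the github messages below). The optional `oidcSessionAuthKey`/`oidcSessionCryptKey` entries differ from the github block, where both keys are `required`; if they are left unset the cookie keys are presumably generated by the application at start-up, which would mean sessions do not survive a pod restart and are not shared across replicas — that caveat is worth a comment next to the keys in values.yaml or in the README row that says they "will be generated". The enclosing `data:` mapping starts outside the hunk.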
13 changes: 13 additions & 0 deletions charts/nebraska/values.yaml
Expand Up @@ -41,6 +41,19 @@ config:

auth:
mode: noop
oidc:
clientID:
clientSecret:
issuerURL:
validRedirectURLs:
managementURL:
logoutURL:
adminRoles:
viewerRoles:
rolesPath:
scopes:
sessionAuthKey:
sessionCryptKey:
github:
clientID:
clientSecret:
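Review bot: The new `oidc:` block adds twelve bare keys with no comments, so a reader of values.yaml cannot tell which are mandatory, which are optional, or what format they take without opening the README. A short header comment above the block, `# Settings used only when mode is "oidc"; clientID and clientSecret are required, the rest are optional (see README).`, plus a one-line hint on `validRedirectURLs` (`# comma-separated list; presumably the allow-list for the OIDC callback, so list only this deployment's exact URLs`) would document it in place. The bare `key:` values parse as null, which the `with`/`required` guards in the templates handle, and that matches the existing `github:` block, so the style is consistent. The enclosing `config:`/`auth:` mapping starts above the hunk.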
