aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordemskeq8 <alexander.dehn@highstreet-technologies.com>2021-02-12 15:43:48 +0100
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>2021-04-02 12:25:41 +0000
commitb43e92cc48e97622a3bdcb0cc385ae5bf894b1b5 (patch)
tree6b5055d50aafd8ea3661b3b2b01f9e007c3cc4a3
parent20079a297aee94db6f5690a60a27fc34a72d0b35 (diff)
[SDNC] Enable SDNC to use external oauth provider
- add additional environment variables - add config file for external oauth-providers Issue-ID: OOM-2675 Signed-off-by: demskeq8 <alexander.dehn@highstreet-technologies.com> Change-Id: I235d3f46f5d109a1e82bdaa3c9de97508116fbe3 [Improve secretes handling] Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
-rw-r--r--kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml5
-rw-r--r--kubernetes/sdnc/components/sdnc-web/values.yaml4
-rw-r--r--kubernetes/sdnc/resources/config/conf/oauth-provider.config.json8
-rw-r--r--kubernetes/sdnc/templates/statefulset.yaml17
-rw-r--r--kubernetes/sdnc/values.yaml38
5 files changed, 66 insertions, 6 deletions
diff --git a/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml b/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml
index a2e3a48e25..7b04773ec5 100644
--- a/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml
+++ b/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml
@@ -85,7 +85,10 @@ spec:
- name: TILEURL
value: {{ .Values.config.topologyserver.tileserverUrl }}
{{ end }}
-
+ - name: ENABLE_OAUTH
+ value: "{{ .Values.config.oauth.enabled | default "false" }}"
+ - name: ENABLE_ODLUX_RBAC
+ value: "{{ .Values.config.oauth.odluxRbac.enabled | default "false" }}"
volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
- mountPath: /etc/localtime
name: localtime
diff --git a/kubernetes/sdnc/components/sdnc-web/values.yaml b/kubernetes/sdnc/components/sdnc-web/values.yaml
index 8648ac4dcc..95756eb01c 100644
--- a/kubernetes/sdnc/components/sdnc-web/values.yaml
+++ b/kubernetes/sdnc/components/sdnc-web/values.yaml
@@ -36,6 +36,10 @@ config:
sslCertDir: "/opt/app/osaaf/local/certs"
sslCertiticate: "cert.pem"
sslCertKey: "key.pem"
+ oauth:
+ enabled: false
+ odluxRbac:
+ enabled: false
transportpce:
enabled: false
transportpceUrl: http://transportpce.transportpce:8181
diff --git a/kubernetes/sdnc/resources/config/conf/oauth-provider.config.json b/kubernetes/sdnc/resources/config/conf/oauth-provider.config.json
new file mode 100644
index 0000000000..8d3c106bb9
--- /dev/null
+++ b/kubernetes/sdnc/resources/config/conf/oauth-provider.config.json
@@ -0,0 +1,8 @@
+{
+ "tokenSecret": "${OAUTH_TOKEN_SECRET}",
+ "tokenIssuer": {{ .Values.config.sdnr.oauth.tokenIssuer | quote }},
+ "publicUrl": {{ .Values.config.sdnr.oauth.publicUrl | quote }},
+ "redirectUri": "{{ .Values.config.sdnr.oauth.redirectUri | quote | default "null" }}",
+ "supportOdlUsers": "{{ .Values.config.sdnr.oauth.supportOdlUsers | default "true" }}",
+ "providers": {{ .Values.config.sdnr.oauth.providers | toJson }}
+} \ No newline at end of file
diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml
index 48776c9961..bb3948efe2 100644
--- a/kubernetes/sdnc/templates/statefulset.yaml
+++ b/kubernetes/sdnc/templates/statefulset.yaml
@@ -73,6 +73,15 @@ spec:
- name: DMAAP_HTTP_PROXY_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-proxy-creds" "key" "password") | indent 10 }}
{{- end }}
+ {{ if .Values.config.sdnr.oauth.enabled }}
+ - name: OAUTH_TOKEN_SECRET
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "oauth-token-secret" "key" "password") | indent 10 }}
+ - name: KEYCLOAK_SECRET
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keycloak-secret" "key" "password") | indent 10 }}
+
+ - name: ENABLE_ODLUX_RBAC
+ value: "{{ .Values.config.sdnr.oauth.odluxRbac.enabled | default "true" }}"
+ {{ end }}
volumeMounts:
@@ -210,7 +219,8 @@ spec:
- name: ODL_CERT_DIR
value: {{ (mustFirst (.Values.certificates)).mountPath }}
{{- end }}
-
+ - name: ENABLE_OAUTH
+ value: "{{ .Values.config.sdnr.oauth.enabled | default "false" }}"
volumeMounts:
{{ include "common.certInitializer.volumeMount" . | indent 10 }}
{{ include "common.certServiceClient.volumeMounts" . | indent 10 }}
@@ -278,6 +288,11 @@ spec:
- mountPath: {{ .Values.config.odl.etcDir }}/org.opendaylight.daexim.cfg
name: properties
subPath: org.opendaylight.daexim.cfg
+ {{- if .Values.config.sdnr.oauth.enabled }}
+ - mountPath: {{ .Values.config.odl.etcDir }}/oauth-provider.config.json
+ name: properties
+ subPath: oauth-provider.config.json
+ {{ end }}
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml
index 802722f400..d20c3645c1 100644
--- a/kubernetes/sdnc/values.yaml
+++ b/kubernetes/sdnc/values.yaml
@@ -117,6 +117,17 @@ secrets:
login: '{{ .Values.config.scaleoutUser }}'
password: '{{ .Values.config.scaleoutPassword }}'
passwordPolicy: required
+ - uid: oauth-token-secret
+ type: password
+ externalSecret: '{{ ternary (tpl (default "" .Values.config.sdnr.oauth.tokenExternalSecret) .) "oauth-disabled" .Values.config.sdnr.oauth.enabled }}'
+ password: '{{ .Values.config.sdnr.oauth.tokenSecret }}'
+ passwordPolicy: required
+ - uid: keycloak-secret
+ type: password
+ externalSecret: '{{ ternary (tpl (default "" .Values.config.sdnr.oauth.providersSecrets.keycloakExternalSecret) .) "oauth-disabled" .Values.config.sdnr.oauth.enabled }}'
+ password: '{{ .Values.config.sdnr.oauth.providersSecrets.keycloak }}'
+ passwordPolicy: required
+
#################################################################
# Certificates
#################################################################
@@ -231,6 +242,7 @@ config:
sdnrdbTrustAllCerts: true
mountpointRegistrarEnabled: false
mountpointStateProviderEnabled: false
+ #
# enable and set dmaap-proxy for mountpointRegistrar
dmaapProxy:
enabled: false
@@ -238,10 +250,28 @@ config:
user: addUserHere
password: addPasswordHere
url: addProxyUrlHere
-
-
-
-
+ oauth:
+ enabled: false
+ tokenIssuer: ONAP SDNC
+ tokenSecret: secret
+ supportOdlusers: true
+ redirectUri: null
+ publicUrl: none
+ odluxRbac:
+ enabled: true
+ # example definition for a oauth provider
+ providersSecrets:
+ keycloak: d8d7ed52-0691-4353-9ac6-5383e72e9c46
+ providers:
+ - id: keycloak
+ type: KEYCLOAK
+ host: http://keycloak:8080
+ clientId: odlux.app
+ secret: ${KEYCLOAK_SECRET}
+ scope: openid
+ title: ONAP Keycloak Provider
+ roleMapping:
+ mykeycloak: admin
# dependency / sub-chart configuration
certInitializer: