author | Michał Jagiełło <michal.jagiello@t-mobile.pl> | 2024-12-12 07:44:14 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2024-12-12 07:44:14 +0000 |
commit | 5f8008ea8d1aa700a26b7ced5d43aacbcf23107a (patch) | |
tree | 0e1c0d350ee05aee622f90423d1db119b24bc280 /kubernetes/authentication | |
parent | 0741e1c181a0d3352f9efbe3e7f97006a908eed8 (diff) | |
parent | 644dd33c78dd4c7fe638f93414617686efea95ec (diff) |
Merge "[AUTHENTICATION] New Oslo version"
Diffstat (limited to 'kubernetes/authentication')
23 files changed, 580 insertions, 267 deletions
diff --git a/kubernetes/authentication/Chart.yaml b/kubernetes/authentication/Chart.yaml
index e8400aeb81..d178f38481 100644
--- a/kubernetes/authentication/Chart.yaml
+++ b/kubernetes/authentication/Chart.yaml
@@ -16,7 +16,7 @@
 # limitations under the License.
 # ============LICENSE_END=========================================================
 apiVersion: v2
-version: 14.0.1
+version: 15.0.0
 description: ONAP Realm creation, Oauth2Proxy installation and configuration
 name: authentication
 sources:
@@ -31,8 +31,8 @@ dependencies:
 version: ~13.x-0
 repository: '@local'
 - name: onap-keycloak-config-cli
-version: 5.12.0
+version: 6.1.6
 repository: 'file://components/keycloak-config-cli'
 - name: onap-oauth2-proxy
-version: 7.5.4
+version: 7.8.0
 repository: 'file://components/oauth2-proxy'
diff --git a/kubernetes/authentication/README.md b/kubernetes/authentication/README.md
index 306e2f9645..c2332b409a 100644
--- a/kubernetes/authentication/README.md
+++ b/kubernetes/authentication/README.md
@@ -27,20 +27,24 @@ This sections sets the realm general attributes shown in Keycloak realmSettings: - name: <Realm ID> - unique ID for a realm (e.g. "ONAP") displayName: <Display Name> - (optional) Keycloak Display Name (e.g. "ONAP Realm") + accessTokenLifespan: - (optional) Access Tolek Lifespan (default: 1900) + registrationAllowed: - (optional) Enable/disable the registration page (default: false) + resetPasswordAllowed: - (optional) Show a link on login page for user to click when they have forgotten their credentials (default: true) + sslRequired: - (optional) Is HTTPS required? ('None'|'External'|'All requests' (default: "external") themes: - (optional) Keycloak Theme settings login: <login theme> - (optional) Keycloak Theme for Login UI (e.g. "base") admin: <admin theme> - (optional) Keycloak Theme for Admin UI (e.g. "base") account: <account theme> - (optional) Keycloak Theme for Account UI (e.g. "base") email: <email theme> - (optional) Keycloak Theme for Email UI (e.g. "base") - attributes: - frontendUrl: "<Keycloak URL>" - External Url for Keycloak access (e.g. "https://keycloak-$PARAM_BASE_URL/") + attributes: - (optional) + frontendUrl: "<Keycloak URL>" - (optional) External Url for Keycloak access (e.g. "https://keycloak-$PARAM_BASE_URL/") ``` ### CLIENT definitions In this section each realm authentication client is defined e.g. portal-bff, oauth2-proxy, grafana -possible "attribute" settings (maybe more): +- possible "attributes" settings (maybe more): - id.token.as.detached.signature: "false" - exclude.session.state.from.auth.response: "false" - tls.client.certificate.bound.access.tokens: "false" 
@@ -89,6 +93,7 @@ possible "attribute" settings (maybe more): serviceAccountsEnabled: "<false|true>" - (optional) serviceAccountsEnabled (default: false) frontchannelLogout: "<false|true>" - (optional) frontend channel logout (default: true) surrogateAuthRequired: "<false|true>" - (optional) surrogate Auth Required (default: false) + authorizationServicesEnabled: "<false|true>" - (optional) enable Authorization Services (RBAC) (default: false) publicClient: "<false|true>" - (optional) public Client (default: false) attributes: - (optional) attributes settings (see code) post.logout.redirect.uris: '<url>' - example 
@@ -117,32 +122,79 @@ possible "attribute" settings (maybe more): - "http://localhost/*" webOrigins: - "https://argocd-$PARAM_BASE_URL" - defaultClientScopes: - - "web-origins" + defaultClientScopes: - (optional) definition of default client scopes + - "web-origins" - if used, has to contain the full scope list - "profile" - "acr" - "email" - "roles" - "groups" + optionalClientScopes: - (optional) definition of optional client scopes + - ... - if used, has to contain the full scope list ``` -### CLIENT SCOPE definitions +#### Authorization settings within Client section (optional) -Here additional scopes besides the default scopes can be defined and set as default client scope +Information about the Keycloak Authorization Services can be found under: <https://www.keycloak.org/docs/latest/authorization_services/index.html> -default scopes: +To enable Authorization the setting shown above needs to be: + - authorizationServicesEnabled: true - - roles - - groups - - acr - - profile - - address - - web-origin - - phone - - email - - offline_access - - role_list - - microprofile-jwt +```yaml + authorizationSettings: + allowRemoteResourceManagement: "<false|true>" - (optional) managed remotely by the resource server? (default: true) + policyEnforcementMode: "<ENFORCING|PERMISSIVE|DISABLED>"- (optional) dictates how policies are enforced (default: ENFORCING) + decisionStrategy: "<UNANIMOUS|AFFIRMATIVE>" - (optional) dictates how permissions are evaluated (default: UNANIMOUS) + resources: - resources definitions + - name: "<resource name>" - unique name for this resource + displayName: "<display name>" - (optional) user-friendly name for the resource + type: "<type>" - Type can be used to group different resource instances with the same type + ownerManagedAccess: <true|false> - (optional) access can be managed by the resource owner? 
(default: false) + attributes: {} - (optional) The attributes associated wth the resource + uris: - Set of URIs which are protected by resource + - "/*" + - ... + scopes: - The scopes associated with this resource + - name: "<scope name1>" + - ... + icon_uri: "<uri>" - (optional) A URI pointing to an icon. + - ... + policies: - policy definitions + - name: "<policy name>" - unique name for this policy + description: "<description>" - (optional) A description for this policy + type: "<role|client|...>" - Choose the policy type + logic: "<POSITIVE|NEGATIVE>" - dictates how the policy decision should be made + roles: - Specifies the client roles allowed by this policy + - id: "<role name>" - points to an existing role + required: <true|false> - decide, whether role is required + ... + - ... + permissions: - policy definitions + - name: "<permission name>" - unique name for this permission + description: "<description>" - (optional) A description for this permission + type: "<scope|resource>" - Choose the permission type + decisionStrategy: "<UNANIMOUS|AFFIRMATIVE|CONSENSUS>" - dictates how the policies associated with a given permission are evaluated + resources: - Specifies that this permission must be applied to a specific resource instance + - "<resource name>" - points to an existing resource + - ... + scopes: - Specifies that this permission must be applied to one or more scopes + - "<scope name>" - points to an existing scope + - ... + applyPolicies: - Specifies all the policies that must be applied to the scopes defined by this permission + - "<policy-name>" - points to an existing policy + - ... + - ... + scopes: - scope definitions + - name: "<scope name>" - unique name for this scope + iconUri: "<uri>" - (optional) A URI pointing to an icon. + displayName: "<display name>" - (optional) user-friendly name for the resource + - ... 
+``` + +### CLIENT SCOPE definitions + +Here additional scopes besides the default scopes can be defined and set as defaul client scope +default scopes: roles, groups, acr, profile, address, web-origin, phone, email, offline_access, role_list, microprofile-jwt ```yaml defaultClientScopes: @@ -176,13 +228,7 @@ default scopes: ### Access control definitions In this section additional roles (assignableRoles) besides the default roles can be set. - -default roles: - - user - - admin - - offline_access - - uma_authorization - - default-roles-<realm> +default roles: user, admin, offline_access, uma_authorization, default-roles-<realm> (optional) accessRoles can be defined. These access roles are used in the Ingress "Auhorization Policy" to restrict the access to certain services @@ -223,6 +269,8 @@ The access role is assigned to a realm client (e.g. oauth2_proxy) - type: password - (optional) initial password (<pwd>: encrypted password, <salt>: used salt) secretData: "{\"value\":\"<pwd>\",\"salt\":\"<salt>\"}" credentialData: "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}" + requiredActions: - (optional) action, the user has to execute + - <action> - e.g. "UPDATE_PASSWORD", "UPDATE_PROFILE",... attributes: - (optional) additional attributes sdc_user: - example attribute - "cs0008" 
@@ -290,16 +338,9 @@ The access role is assigned to a realm client (e.g. oauth2_proxy) user: "onapsupport" ``` -## Ingress Authentication settings +## Requirements -Activating the Ingress Authentication (enabled: true) will create AuthorizationPolicy resources for each defined "accessControl.accessRoles" in a REALM definition. +authentication needs the following ONAP projects to work: -``` -ingressAuthentication: - enabled: false - exceptions: - - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}' - - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "portal-ui") }}' - - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "minio-console") }}' - - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "uui-server") }}' -``` +- common +- serviceAccount diff --git a/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml b/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml index 80e5d27c9f..c196bcc6e2 100644 --- a/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml +++ b/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml @@ -20,8 +20,8 @@ apiVersion: v2 name: onap-keycloak-config-cli description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak. home: https://github.com/adorsys/keycloak-config-cli -version: 5.12.0 -appVersion: 5.12.0 +version: 6.1.6 +appVersion: 6.1.6 maintainers: - name: jkroepke email: joe@adorsys.de diff --git a/kubernetes/authentication/components/keycloak-config-cli/values.yaml b/kubernetes/authentication/components/keycloak-config-cli/values.yaml index 46c67dd220..9574d148ec 100644 --- a/kubernetes/authentication/components/keycloak-config-cli/values.yaml +++ b/kubernetes/authentication/components/keycloak-config-cli/values.yaml 
@@ -23,7 +23,7 @@ nameOverride: "" image: repository: adorsys/keycloak-config-cli - tag: "{{ .Chart.AppVersion }}-22.0.4" + tag: "{{ .Chart.AppVersion }}-25.0.6" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. diff --git a/kubernetes/authentication/components/oauth2-proxy/Chart.yaml b/kubernetes/authentication/components/oauth2-proxy/Chart.yaml index 3bcf687241..300ed0964b 100644 --- a/kubernetes/authentication/components/oauth2-proxy/Chart.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/Chart.yaml @@ -1,7 +1,7 @@ name: onap-oauth2-proxy -version: 7.5.4 +version: 7.8.0 apiVersion: v2 -appVersion: 7.6.0 +appVersion: 7.7.1 home: https://oauth2-proxy.github.io/oauth2-proxy/ description: A reverse proxy that provides authentication with Google, Github or other providers keywords: @@ -14,7 +14,7 @@ keywords: - redis dependencies: - name: redis - version: 19.1.0 + version: 20.3.0 repository: https://charts.bitnami.com/bitnami alias: redis condition: redis.enabled @@ -38,11 +38,11 @@ maintainers: email: joel.speed@hotmail.co.uk - name: pierluigilenoci email: pierluigi.lenoci@gmail.com -kubeVersion: ">=1.9.0-0" +kubeVersion: ">=1.16.0-0" annotations: artifacthub.io/changes: | - - kind: changed - description: Wait for redis script fixes for cluster and sentinel + - kind: added + description: allow templates in annotations links: - name: Github PR - url: https://github.com/oauth2-proxy/manifests/issues/205 + url: https://github.com/oauth2-proxy/manifests/pull/256 diff --git a/kubernetes/authentication/components/oauth2-proxy/README.md b/kubernetes/authentication/components/oauth2-proxy/README.md index 55a5e44429..0dc6c13962 100644 --- a/kubernetes/authentication/components/oauth2-proxy/README.md +++ b/kubernetes/authentication/components/oauth2-proxy/README.md 
@@ -1,6 +1,6 @@ # oauth2-proxy -[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. +[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by e-mail, domain, or group. ## TL;DR; @@ -21,7 +21,8 @@ To install the chart with the release name `my-release`: $ helm install my-release oauth2-proxy/oauth2-proxy ``` -The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. +The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration. +The [configuration](#configuration) section lists the parameters that can be configured during installation. ## Uninstalling the Chart 
@@ -35,34 +36,37 @@ The command removes all the Kubernetes components associated with the chart and ## Upgrading an existing Release to a new major version -A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an -incompatible breaking change needing manual actions. +A major chart version change (like v1.2.3 -> v2.0.0) indicates an incompatible breaking change needing manual actions. ### To 1.0.0 -This version upgrades oauth2-proxy to v4.0.0. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400) in order to upgrade. +This version upgrades oauth2-proxy to v4.0.0. To upgrade, please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400). ### To 2.0.0 -Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by way of addressing the deprecation of the Deployment object apiVersion `apps/v1beta2`. See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information. +Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by addressing the Deployment object apiVersion `apps/v1beta2` deprecation. +See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information. -Due to [this issue](https://github.com/helm/helm/issues/6583) there may be errors performing a `helm upgrade` of this chart from versions earlier than 2.0.0. +Due to [this issue](https://github.com/helm/helm/issues/6583), errors may occur when performing a `helm upgrade` of this chart from versions earlier than 2.0.0. ### To 3.0.0 -Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. This is a breaking change since the service account is enabled by default. 
To disable this behaviour set `serviceAccount.enabled` to `false` +Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. +This is a breaking change since the service account is enabled by default. +To disable this behaviour set `serviceAccount.enabled` to `false` ### To 4.0.0 Version 4.0.0 adds support for the new Ingress apiVersion **networking.k8s.io/v1**. -Therefore the `ingress.extraPaths` parameter needs to be updated to the new format. +Therefore, the `ingress.extraPaths` parameter must be updated to the new format. See the [v1.22 API deprecations guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122) for more information. For the same reason `service.port` was renamed to `service.portNumber`. ### To 5.0.0 -Version 5.0.0 introduces support for custom labels and refactor [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). This is a breaking change because many labels of all resources need to be updated to stay consistent. +Version 5.0.0 introduces support for custom labels and refactor [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). +This is a breaking change because many labels of all resources need to be updated to stay consistent. In order to upgrade, delete the Deployment before upgrading: 
@@ -80,140 +84,157 @@ For users who don't want downtime, you can perform these actions: ### To 6.0.0 -Version 6.0.0 bumps the version of the redis subchart from ~10.6.0 to ~16.4.0. You probably need to adjust your redis config. See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions. +Version 6.0.0 bumps the version of the Redis subchart from ~10.6.0 to ~16.4.0. +You probably need to adjust your Redis configuration. +See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions. + +### To 7.0.0 + +Version 7.0.0 introduces a new implementation to support multiple hostAliases. +You probably need to adjust your hostAliases config. +See [here](https://github.com/oauth2-proxy/manifests/pull/164/) for detailed information. ## Configuration The following table lists the configurable parameters of the oauth2-proxy chart and their default values. -Parameter | Description | Default ---- | --- | --- -`affinity` | node/pod affinities | None -`authenticatedEmailsFile.enabled` | Enables authorize individual email addresses | `false` -`authenticatedEmailsFile.persistence` | Defines how the email addresses file will be projected, via a configmap or secret | `configmap` -`authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""` -`authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the email addresses list | `""` -`authenticatedEmailsFile.restricted_access` | [email addresses](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#email-authentication) list config | `""` -`authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil` -`config.clientID` | oauth client ID | `""` -`config.clientSecret` | oauth client secret | `""` -`config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand 
-base64 32 \| head -c 32 \| base64` | `""` -`config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil` -`config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` -`config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` -`config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""` -`alphaConfig.enabled` | Flag to toggle any alpha config related logic | `false` -`alphaConfig.annotations` | Configmap annotations | `{}` -`alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` -`alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` -`alphaConfig.configData` | Arbitrary configuration data to append | `{}` -`alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""` -`alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` -`alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. 
See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` -`customLabels` | Custom labels to add into metadata | `{}` | -`config.google.adminEmail` | user impersonated by the google service account | `""` -`config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account json | `false` -`config.google.targetPrincipal` | service account to use/impersonate | `""` -`config.google.serviceAccountJson` | google service account json contents | `""` -`config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil` -`config.google.groups` | restrict logins to members of these google groups | `[]` -`containerPort` | used to customise port on the deployment | `""` -`extraArgs` | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows to configure the same flag multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). | `{}` or `[]` -`extraContainers` | List of extra containers to be added to the pod | `[]` -`extraEnv` | key:value list of extra environment variables to give the binary | `[]` -`extraVolumes` | list of extra volumes | `[]` -`extraVolumeMounts` | list of extra volumeMounts | `[]` -`hostAliases` | hostAliases is a list of aliases to be added to /etc/hosts for network name resolution. 
-`htpasswdFile.enabled` | enable htpasswd-file option | `false` -`htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#command-line-options) | `{}` -`htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""` -`httpScheme` | `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. | `http` -`image.pullPolicy` | Image pull policy | `IfNotPresent` -`image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy` -`image.tag` | Image tag | `""` (defaults to appVersion) -`imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) -`ingress.enabled` | Enable Ingress | `false` -`ingress.className` | name referencing IngressClass | `nil` -`ingress.path` | Ingress accepted path | `/` -`ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific` -`ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). | `[]` -`ingress.labels` | Ingress extra labels | `{}` -`ingress.annotations` | Ingress annotations | `nil` -`ingress.hosts` | Ingress accepted hostnames | `nil` -`ingress.tls` | Ingress TLS configuration | `nil` -`initContainers.waitForRedis.enabled` | if `redis.enabled` is true, use an init container to wait for the redis master pod to be ready. 
If `serviceAccount.enabled` is true, create additionally a role/binding to get, list and watch the redis master pod | `true` -`initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent` -`initContainers.waitForRedis.image.repository` | kubectl image repository | `docker.io/bitnami/kubectl` -`initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")` -`initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true` -`initContainers.waitForRedis.timeout` | number of seconds | 180 -`initContainers.waitForRedis.resources` | pod resource requests & limits | `{}` -`livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` -`livenessProbe.initialDelaySeconds` | number of seconds | 0 -`livenessProbe.timeoutSeconds` | number of seconds | 1 -`namespaceOverride` | Override the deployment namespace | `""` -`nodeSelector` | node labels for pod assignment | `{}` -`deploymentAnnotations` | annotations to add to the deployment | `{}` -`podAnnotations` | annotations to add to each pod | `{}` -`podLabels` | additional labesl to add to each pod | `{}` -`podDisruptionBudget.enabled`| Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true -`podDisruptionBudget.minAvailable`| minAvailable parameter for PodDisruptionBudget | 1 -`podSecurityContext` | Kubernetes security context to apply to pod | `{}` -`priorityClassName` | priorityClassName | `nil` -`readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. 
See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` -`readinessProbe.initialDelaySeconds` | number of seconds | 0 -`readinessProbe.timeoutSeconds` | number of seconds | 5 -`readinessProbe.periodSeconds` | number of seconds | 10 -`readinessProbe.successThreshold` | number of successes | 1 -`replicaCount` | desired number of pods | `1` -`resources` | pod resource requests & limits | `{}` -`revisionHistoryLimit` | maximum number of revisions maintained | 10 -`service.portNumber` | port number for the service | `80` -`service.appProtocol` | application protocol on the port of the service | `http` -`service.type` | type of service | `ClusterIP` -`service.clusterIP` | cluster ip address | `nil` -`service.loadBalancerIP` | ip of load balancer | `nil` -`service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil` -`service.nodePort` | external port number for the service when service.type is `NodePort` | `nil` -`serviceAccount.enabled` | create a service account | `true` -`serviceAccount.name` | the service account name | `` -`serviceAccount.annotations` | (optional) annotations for the service account | `{}` -`strategy` | configure deployment strategy | `{}` -`tolerations` | list of node taints to tolerate | `[]` -`securityContext.enabled` | enable Kubernetes security context on container | `true` -`proxyVarsAsSecrets` | choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true` -`sessionStorage.type` | Session storage type which can be one of the following: cookie or redis | `cookie` -`sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""` -`sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. 
Taken from redis subchart secret if not set. sessionStorage.redis.existingSecret takes precedence | `nil` -`sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the redis password value | `redis-password` -`sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone` -`sessionStorage.redis.standalone.connectionUrl` | URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set. | `""` -`sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` -`sessionStorage.redis.sentinel.existingSecret` | Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` | `""` -`sessionStorage.redis.sentinel.password` | Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` | `nil` -`sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the redis sentinel password value | `redis-sentinel-password` -`sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil` -`sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. 
`["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` -`topologySpreadConstraints` | List of pod topology spread constraints | `[]` -`redis.enabled` | Enable the redis subchart deployment | `false` -`checkDeprecation` | Enable deprecation checks | `true` -`metrics.enabled` | Enable Prometheus metrics endpoint | `true` -`metrics.port` | Serve Prometheus metrics on this port | `44180` -`metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil` -`metrics.service.appProtocol` | application protocol of the metrics port in the service | `http` -`metrics.serviceMonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false` -`metrics.serviceMonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""` -`metrics.serviceMonitor.prometheusInstance` | Prometheus Instance definition | `default` -`metrics.serviceMonitor.interval` | Prometheus scrape interval | `60s` -`metrics.serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` -`metrics.serviceMonitor.labels` | Add custom labels to the ServiceMonitor resource| `{}` -`metrics.serviceMonitor.scheme` | HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS.| `""` -`metrics.serviceMonitor.tlsConfig` | TLS configuration to use when scraping the endpoint. 
For example if using istio mTLS.| `{}` -`metrics.serviceMonitor.bearerTokenFile` | Path to bearer token file.| `""` -`metrics.serviceMonitor.annotations` | Used to pass annotations that are used by the Prometheus installed in your cluster| `{}` -`metrics.serviceMonitor.metricRelabelings` | Metric relabel configs to apply to samples before ingestion.| `[]` -`metrics.serviceMonitor.relabelings` | Relabel configs to apply to samples before ingestion.| `[]` -`extraObjects` | Extra K8s manifests to deploy | `[]` +| Parameter | Description | Default | +|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------| +| `affinity` | node/pod affinities | None | +| `authenticatedEmailsFile.enabled` | Enables authorize individual e-mail addresses | `false` | +| `authenticatedEmailsFile.persistence` | Defines how the e-mail addresses file will be projected, via a configmap or secret | `configmap` | +| `authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""` | +| `authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the e-mail addresses list | `""` | +| `authenticatedEmailsFile.restricted_access` | [e-mail addresses](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/#email-authentication) list config | `""` | +| `authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil` | +| `config.clientID` | oauth client ID | `""` | +| `config.clientSecret` | oauth client secret | `""` | +| `config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` 
| `""` | +| `config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil` | +| `config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` | +| `config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` | +| `config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""` | +| `autoscaling.enabled` | Deploy a Horizontal Pod Autoscaler. | `false` | +| `autoscaling.minReplicas` | Minimum replicas for the Horizontal Pod Autoscaler. | `1` | +| `autoscaling.maxReplicas` | Maximum replicas for the Horizontal Pod Autoscaler. | `10` | +| `autoscaling.targetCPUUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `80` | +| `autoscaling.targetMemoryUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `` | +| `autoscaling.annotations` | Horizontal Pod Autoscaler annotations. 
| `{}` | +| `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` | +| `alphaConfig.annotations` | Configmap annotations | `{}` | +| `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` | +| `alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` | +| `alphaConfig.configData` | Arbitrary configuration data to append | `{}` | +| `alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""` | +| `alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | +| `alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | +| `customLabels` | Custom labels to add into metadata | `{}` | +| `config.google.adminEmail` | user impersonated by the Google service account | `""` | +| `config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account JSON | `false` | +| `config.google.targetPrincipal` | service account to use/impersonate | `""` | +| `config.google.serviceAccountJson` | Google service account JSON contents | `""` | +| `config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. 
See [Google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil` | +| `config.google.groups` | restrict logins to members of these Google groups | `[]` | +| `containerPort` | used to customize port on the deployment | `""` | +| `extraArgs` | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows the same flag to be configured multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). | `{}` or `[]` | +| `extraContainers` | List of extra containers to be added to the pod | `[]` | +| `extraEnv` | key:value list of extra environment variables to give the binary | `[]` | +| `extraVolumes` | list of extra volumes | `[]` | +| `extraVolumeMounts` | list of extra volumeMounts | `[]` | +| `hostAliases` | hostAliases is a list of aliases to be added to /etc/hosts for network name resolution. | | +| `htpasswdFile.enabled` | enable htpasswd-file option | `false` | +| `htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#command-line-options) | `{}` | +| `htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""` | +| `httpScheme` | `http` or `https`. `name` used for the port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. 
| `http` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.command` | Define command to be executed by container at startup | `[]` | +| `image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy` | +| `image.tag` | Image tag | `""` (defaults to appVersion) | +| `imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `ingress.enabled` | Enable Ingress | `false` | +| `ingress.className` | name referencing IngressClass | `nil` | +| `ingress.path` | Ingress accepted path | `/` | +| `ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific` | +| `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/ingress/annotations/). | `[]` | +| `ingress.labels` | Ingress extra labels | `{}` | +| `ingress.annotations` | Ingress annotations | `nil` | +| `ingress.hosts` | Ingress accepted hostnames | `nil` | +| `ingress.tls` | Ingress TLS configuration | `nil` | +| `initContainers.waitForRedis.enabled` | If `redis.enabled` is true, use an init container to wait for the Redis master pod to be ready. 
If `serviceAccount.enabled` is true, create additionally a role/binding to get, list, and watch the Redis master pod | `true` | +| `initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent` | +| `initContainers.waitForRedis.image.repository` | kubectl image repository | `docker.io/bitnami/kubectl` | +| `initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")` +| `initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true` | +| `initContainers.waitForRedis.timeout` | number of seconds | 180 | +| `initContainers.waitForRedis.resources` | pod resource requests & limits | `{}` | +| `livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | +| `livenessProbe.initialDelaySeconds` | number of seconds | 0 | +| `livenessProbe.timeoutSeconds` | number of seconds | 1 | +| `namespaceOverride` | Override the deployment namespace | `""` | +| `nodeSelector` | node labels for pod assignment | `{}` | +| `deploymentAnnotations` | annotations to add to the deployment | `{}` | +| `podAnnotations` | annotations to add to each pod | `{}` | +| `podLabels` | additional labels to add to each pod | `{}` | +| `podDisruptionBudget.enabled` | Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true | +| `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget | 1 | +| `podSecurityContext` | Kubernetes security context to apply to pod | `{}` | +| `priorityClassName` | priorityClassName | `nil` | +| `readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. 
See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | +| `readinessProbe.initialDelaySeconds` | number of seconds | 0 | +| `readinessProbe.timeoutSeconds` | number of seconds | 5 | +| `readinessProbe.periodSeconds` | number of seconds | 10 | +| `readinessProbe.successThreshold` | number of successes | 1 | +| `replicaCount` | desired number of pods | `1` | +| `resources` | pod resource requests & limits | `{}` | +| `revisionHistoryLimit` | maximum number of revisions maintained | 10 | +| `service.portNumber` | port number for the service | `80` | +| `service.appProtocol` | application protocol on the port of the service | `http` | +| `service.externalTrafficPolicy` | denotes if the service desires to route external traffic to node-local or cluster-wide endpoints | `Cluster` | +| `service.internalTrafficPolicy` | denotes if the service desires to route internal traffic to node-local or cluster-wide endpoints | `Cluster` | +| `service.type` | type of service | `ClusterIP` | +| `service.clusterIP` | cluster ip address | `nil` | +| `service.loadBalancerIP` | ip of load balancer | `nil` | +| `service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil` | +| `service.nodePort` | external port number for the service when service.type is `NodePort` | `nil` | +| `serviceAccount.enabled` | create a service account | `true` | +| `serviceAccount.name` | the service account name | `` | +| `serviceAccount.annotations` | (optional) annotations for the service account | `{}` | +| `strategy` | configure deployment strategy | `{}` | +| `tolerations` | list of node taints to tolerate | `[]` | +| `securityContext.enabled` | enable Kubernetes security context on container | `true` | +| `proxyVarsAsSecrets` | Choose between environment values or secrets for setting up OAUTH2_PROXY variables. 
When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true` | +| `sessionStorage.type` | Session storage type which can be one of the following: cookie or Redis | `cookie` | +| `sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the Redis & Redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""` | +| `sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. Taken from Redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence | `nil` | +| `sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the Redis password value | `redis-password` | +| `sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for the Redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone` | +| `sessionStorage.redis.standalone.connectionUrl` | URL of Redis standalone server for Redis session storage (e.g., `redis://HOST[:PORT]`). Automatically generated if not set. | `""` | +| `sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g., `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` | +| `sessionStorage.redis.sentinel.existingSecret` | Name of the Kubernetes secret containing the Redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` | `""` | +| `sessionStorage.redis.sentinel.password` | Redis sentinel password. 
Used only for sentinel connection; any Redis node passwords need to use `sessionStorage.redis.password` | `nil` | +| `sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the Redis sentinel password value | `redis-sentinel-password` | +| `sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil` | +| `sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` | +| `topologySpreadConstraints` | List of pod topology spread constraints | `[]` | +| `redis.enabled` | Enable the Redis subchart deployment | `false` | +| `checkDeprecation` | Enable deprecation checks | `true` | +| `metrics.enabled` | Enable Prometheus metrics endpoint | `true` | +| `metrics.port` | Serve Prometheus metrics on this port | `44180` | +| `metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil` | +| `metrics.service.appProtocol` | application protocol of the metrics port in the service | `http` | +| `metrics.serviceMonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false` | +| `metrics.serviceMonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""` | +| `metrics.serviceMonitor.prometheusInstance` | Prometheus Instance definition | `default` | +| `metrics.serviceMonitor.interval` | Prometheus scrape interval | `60s` | +| `metrics.serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` | +| `metrics.serviceMonitor.labels` | Add custom labels to the ServiceMonitor resource | `{}` | +| `metrics.serviceMonitor.scheme` | HTTP scheme for scraping. It can be used with `tlsConfig` for example, if using Istio mTLS. | `""` | +| `metrics.serviceMonitor.tlsConfig` | TLS configuration when scraping the endpoint. For example, if using Istio mTLS. | `{}` | +| `metrics.serviceMonitor.bearerTokenFile` | Path to bearer token file. 
| `""` | +| `metrics.serviceMonitor.annotations` | Used to pass annotations that are used by the Prometheus installed in your cluster | `{}` | +| `metrics.serviceMonitor.metricRelabelings` | Metric relabel configs to apply to samples before ingestion. | `[]` | +| `metrics.serviceMonitor.relabelings` | Relabel configs to apply to samples before ingestion. | `[]` | +| `extraObjects` | Extra K8s manifests to deploy | `[]` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, @@ -232,7 +253,7 @@ $ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml ## TLS Configuration -See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls). +See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/configuration/tls/). Use ```values.yaml``` like: ```yaml @@ -262,9 +283,8 @@ data: ``` ## Extra environment variable templating -The extraEnv value supports the tpl function which evaluate strings as templates inside the deployment template. -This is useful to pass a template string as a value to the chart's extra environment variables and to render external configuration environment values - +The extraEnv value supports the tpl function, which evaluates strings as templates inside the deployment template. +This is useful for passing a template string as a value to the chart's extra environment variables and rendering external configuration environment values. ```yaml ... 
@@ -315,13 +335,14 @@ extraObjects: </body> </html> ``` + ## Multi whitelist-domain configuration -For using multi whitelist-domain configuration for one Oauth2-proxy instance, you have to use the config.configFile section. +You must use the config.configFile section for a multi-whitelist-domain configuration for one Oauth2-proxy instance. -It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` configuration file. -In this example, Google provider is used, but you can find all other provider configuration here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/) +It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` [configuration file](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#config-file). +In this example, Google provider is used, but you can find all other provider configurations here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/). -```yaml +``` config: ... clientID="$YOUR_GOOGLE_CLIENT_ID" @@ -332,7 +353,7 @@ config: email_domains = [ "*" ] upstreams = [ "file:///dev/null" ] cookie_secure = "false" - cookie_domains = [ ".domain.com", ".otherdomain.io" ] - whitelist_domains = [ ".domain.com", ".otherdomain.io"] + cookie_domains = [ ".domain.com", ".example.io" ] + whitelist_domains = [ ".domain.com", ".example.io"] provider = "google" ``` diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml new file mode 100644 index 0000000000..fd1a0060fe --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml @@ -0,0 +1,5 @@ +# Enables Horizontal Pod Autoscaler and removes replica count in deployment +autoscaling: + enabled: true + annotations: + test-annotations/test: "true" 
diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml index 65977d921b..d217653086 100644 --- a/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml @@ -8,6 +8,8 @@ ingress: tls: - hosts: - "{{ $.Release.Name }}.local" + annotations: + test-annotations/test: "{{ $.Release.Name }}" oauth2-proxy: checkDeprecation: false config: @@ -19,3 +21,42 @@ pass_authorization_header: "true" extraArgs: pass-authorization-header: "{{ $.Values.pass_authorization_header }}" + +extraVolumes: + - name: "{{ $.Release.Name }}-secret" + secret: + secretName: "{{ .Release.Name }}-secret" + items: + - key: secret + path: secret + +authenticatedEmailsFile: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +config: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +deploymentAnnotations: + test-annotations/test: "{{ $.Release.Name }}" + +autoscaling: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +alphaConfig: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +service: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +serviceAccount: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +serviceMonitor: + annotations: + test-annotations/test: "{{ $.Release.Name }}" diff --git a/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh b/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh index 24e628f426..62dd9b684f 100644..100755 --- a/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh +++ b/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh 
@@ -24,7 +24,16 @@ check_redis() {
 # For parsing and checking connections
 parse_and_check() {
 url=$1
- clean_url=${url#redis://}
+
+ # Strip either redis:// or rediss://
+ if [ $url = "rediss://*" ]; then
+ clean_url=${url#rediss://}
+ echo "Using secure Rediss connection..."
+ else
+ clean_url=${url#redis://}
+ echo "Using standard Redis connection..."
+ fi
+
 host=$(echo $clean_url | cut -d':' -f1)
 port=$(echo $clean_url | cut -d':' -f2)
 check_redis $host $port
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
index d9f9cffef7..68c9d76629 100644
--- a/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
@@ -6,9 +6,9 @@ metadata:
 labels:
 app: {{ template "oauth2-proxy.name" . }}
 {{- include "oauth2-proxy.labels" . | indent 4 }}
-{{- if .Values.authenticatedEmailsFile.annotations }}
+{{- with .Values.authenticatedEmailsFile.annotations }}
 annotations:
-{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }}
+{{ tpl ( toYaml . ) $ | indent 4 }}
 {{- end }}
 name: {{ template "oauth2-proxy.fullname" . }}-accesslist
 namespace: {{ template "oauth2-proxy.namespace" $ }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml
index 94d7806d2e..0f164d230c 100644
--- a/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml
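Review bot: The `rediss://` branch can never be taken, because `[ $url = "rediss://*" ]` compares the URL against the literal string `rediss://*` — `*` is not a glob inside `[ ]`. A TLS URL therefore falls through to `${url#redis://}`, which strips nothing, and the `cut` calls that follow produce host `rediss` and port `//<host>`, so the readiness wait for a TLS-protected Redis fails instead of checking the real endpoint. A POSIX-safe prefix test avoids both the glob problem and the unquoted `$url` expansion: `if [ "${url#rediss://}" != "$url" ]; then`. Quoting `$host` and `$port` in the final `check_redis` call in the same pass is cheap; `parse_and_check` closes outside the hunk.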
@@ -3,9 +3,9 @@ apiVersion: v1 kind: ConfigMap metadata: -{{- if .Values.config.annotations }} +{{- with .Values.config.annotations }} annotations: -{{ toYaml .Values.config.annotations | indent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} labels: app: {{ template "oauth2-proxy.name" . }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml index 1a626d1ab8..bd5c2c923d 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml @@ -4,14 +4,16 @@ metadata: labels: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} - {{- if .Values.deploymentAnnotations }} + {{- with .Values.deploymentAnnotations }} annotations: -{{ toYaml .Values.deploymentAnnotations | indent 8 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }} namespace: {{ template "oauth2-proxy.namespace" $ }} spec: + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- with .Values.strategy }} strategy: @@ -23,7 +25,9 @@ spec: template: metadata: annotations: + {{- if .Values.config.configFile }} checksum/config: {{ tpl .Values.config.configFile $ | sha256sum }} + {{- end }} {{- if .Values.alphaConfig.enabled }} checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }} {{- end }} 
@@ -102,6 +106,12 @@ spec: image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" #image: "{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.image.command }} + command: + {{- range .Values.image.command }} + - {{ . | quote }} + {{- end }} + {{- end }} args: {{- if .Values.alphaConfig.enabled }} - --alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml @@ -136,7 +146,7 @@ spec: {{- if .Values.authenticatedEmailsFile.template }} - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }} {{- else }} - - --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list + - --authenticated-emails-file=/etc/oauth2-proxy/{{ template "oauth2-proxy.fullname" . }}-accesslist {{- end }} {{- end }} {{- with .Values.config.google }} @@ -333,7 +343,7 @@ spec: {{- if .Values.authenticatedEmailsFile.template }} path: {{ .Values.authenticatedEmailsFile.template }} {{- else }} - path: authenticated-emails-list + path: {{ template "oauth2-proxy.fullname" . }}-accesslist {{- end }} {{- if .Values.authenticatedEmailsFile.template }} secretName: {{ .Values.authenticatedEmailsFile.template }} @@ -367,7 +377,7 @@ spec: {{- end }} {{- end }} {{- if ne (len .Values.extraVolumes) 0 }} -{{ toYaml .Values.extraVolumes | indent 6 }} +{{ tpl (toYaml .Values.extraVolumes) . | indent 6 }} {{- end }} {{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }} - configMap: 
@@ -381,26 +391,28 @@ spec: {{- if .Values.authenticatedEmailsFile.template }} path: {{ .Values.authenticatedEmailsFile.template }} {{- else }} - path: authenticated-emails-list + path: {{ template "oauth2-proxy.fullname" . }}-accesslist {{- end }} name: configaccesslist {{- end }} - {{- if .Values.imagePullSecrets }} + {{- with (.Values.imagePullSecrets | default .Values.global.imagePullSecrets) }} imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} - {{- if .Values.affinity }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} affinity: -{{ toYaml .Values.affinity | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.nodeSelector }} + {{- with .Values.nodeSelector }} nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} + {{ toYaml . | nindent 8 }} {{- end }} + {{- with .Values.tolerations }} tolerations: -{{ toYaml .Values.tolerations | indent 8 }} - {{- with .Values.topologySpreadConstraints }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} topologySpreadConstraints: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml new file mode 100644 index 0000000000..a6d7461797 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml 
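Review bot: The `nodeSelector:` line uses `{{ toYaml . | nindent 8 }}` while `imagePullSecrets`, `affinity`, `tolerations` and `topologySpreadConstraints` in the same hunk use `{{- toYaml . | nindent 8 }}`; without the leading `-` the indentation of the action line survives and the rendered manifest gets a whitespace-only line before the selector entries. It is still valid YAML, but it is inconsistent with its siblings and trips whitespace linters, so `{{- toYaml . | nindent 8 }}` is the better form. The enclosing pod `spec` starts before this hunk.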
@@ -0,0 +1,38 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+ {{- with .Values.autoscaling.annotations }}
+ annotations:
+{{ tpl ( toYaml . ) $ | indent 8 }}
+ {{- end }}
+ name: {{ template "oauth2-proxy.fullname" . }}
+ namespace: {{ template "oauth2-proxy.namespace" $ }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ template "oauth2-proxy.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml
index 5323820487..8cc7953ee9 100644
--- a/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml
@@ -17,7 +17,7 @@ metadata:
 namespace: {{ template "oauth2-proxy.namespace" $ }}
 {{- with .Values.ingress.annotations }}
 annotations:
-{{ toYaml . | indent 4 }}
+{{ tpl ( toYaml . ) $ | indent 4 }}
 {{- end }}
 spec:
 {{- if and .Values.ingress.className ( eq "true" ( include "ingress.supportsIngressClassName" . ) ) }}
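Review bot: In the new HPA template `{{ tpl ( toYaml . ) $ | indent 8 }}` pushes the annotation entries eight columns in under an `annotations:` key that sits at column 2, while the `labels:` entries directly above use `indent 4` and every other template touched by this change renders the same annotations construct with `indent 4`. YAML accepts the deeper indent, so the object renders, but the inconsistency looks like a copy-paste slip; `{{ tpl ( toYaml . ) $ | indent 4 }}` matches the rest of the chart. Separately, if `targetCPUUtilizationPercentage` is cleared and no memory target is given, `metrics:` is emitted empty and the HPA presumably falls back to the API server's default metric — a short comment in values.yaml stating that at least one target must be set would make that explicit.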
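Review bot: `ingress.annotations` is now passed through `tpl`, so an annotation value containing a literal `{{ ... }}` that previously reached the Ingress verbatim is evaluated as a Go template at render time, and an unresolvable reference aborts `helm template`/`helm install`. That is a behaviour change for existing values files which neither this hunk nor the parameter table of the component README records; a one-line comment next to the `annotations:` default in values.yaml, e.g. `# rendered with tpl; write {{ "{{" }} to emit a literal {{`, would make it discoverable. The same caveat applies to the other annotation maps converted to `tpl` in this change.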
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml index 15bb89338e..ba2c02d5aa 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml @@ -7,8 +7,9 @@ apiVersion: v1 kind: Secret metadata: -{{- if .Values.alphaConfig.annotations }} - annotations: {{- toYaml .Values.alphaConfig.annotations | nindent 4 }} +{{- with .Values.alphaConfig.annotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} labels: app: {{ template "oauth2-proxy.name" . }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml index 95f85a8006..9b607dd34a 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml @@ -7,9 +7,9 @@ metadata: labels: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} -{{- if .Values.authenticatedEmailsFile.annotations }} +{{- with .Values.authenticatedEmailsFile.annotations }} annotations: -{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }}-accesslist namespace: {{ template "oauth2-proxy.namespace" $ }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml index f3364e95a9..a041843484 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml 
@@ -2,9 +2,9 @@ apiVersion: v1 kind: Secret metadata: -{{- if .Values.config.annotations }} +{{- with .Values.config.annotations }} annotations: -{{ toYaml .Values.config.annotations | indent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} labels: app: {{ template "oauth2-proxy.name" . }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml index d16120ee91..e8d02aeba8 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml @@ -6,9 +6,9 @@ metadata: {{- include "oauth2-proxy.labels" . | indent 4 }} name: {{ template "oauth2-proxy.fullname" . }} namespace: {{ template "oauth2-proxy.namespace" $ }} -{{- if .Values.service.annotations }} +{{- with .Values.service.annotations }} annotations: -{{ toYaml .Values.service.annotations | indent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} spec: {{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }} @@ -28,6 +28,12 @@ spec: {{- else }} type: {{ .Values.service.type }} {{- end }} +{{- if .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} +{{- end }} +{{- if .Values.service.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.service.internalTrafficPolicy }} +{{- end }} ports: - port: {{ .Values.service.portNumber }} targetPort: {{ .Values.httpScheme }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml index 2a89c4b9e3..e38cd7a7a6 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml 
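Review bot: `externalTrafficPolicy` is emitted whenever the value is non-empty regardless of `service.type`, but the field only applies to `NodePort`/`LoadBalancer` services, and recent Kubernetes releases (1.26+, as far as I recall) reject it on a `ClusterIP` service — the chart default — instead of ignoring it. Guarding the emission, e.g. `{{- if and .Values.service.externalTrafficPolicy (has .Values.service.type (list "NodePort" "LoadBalancer")) }}`, keeps a values file that sets the policy from breaking when the type is later changed back. `internalTrafficPolicy` has no such restriction and can stay as written.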
@@ -10,7 +10,7 @@ kind: ServiceAccount metadata: {{- with .Values.serviceAccount.annotations }} annotations: - {{- toYaml . | nindent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} labels: app: {{ $name }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml index 3802666be0..99d62fd4ad 100644 --- a/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml @@ -4,7 +4,7 @@ kind: ServiceMonitor metadata: {{- with .Values.metrics.serviceMonitor.annotations }} annotations: - {{- toYaml . | nindent 4 }} +{{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }} {{- if .Values.metrics.serviceMonitor.namespace }} diff --git a/kubernetes/authentication/components/oauth2-proxy/values.yaml b/kubernetes/authentication/components/oauth2-proxy/values.yaml index f49cb638fa..14ea469fa8 100644 --- a/kubernetes/authentication/components/oauth2-proxy/values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/values.yaml @@ -83,6 +83,7 @@ image: # appVersion is used by default tag: "" pullPolicy: "IfNotPresent" + command: [] # Optionally specify an array of imagePullSecrets. # Secrets must be manually created in the namespace. @@ -153,6 +154,10 @@ service: appProtocol: http annotations: {} # foo.io/bar: "true" + # configure externalTrafficPolicy + externalTrafficPolicy: "" + # configure internalTrafficPolicy + internalTrafficPolicy: "" ## Create or use ServiceAccount serviceAccount: 
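Review bot: `command: []` is added to values.yaml without a comment saying what it does, and the deployment template renders it as the container `command:` directly above the chart-generated `args:`, so a non-empty list replaces the image entrypoint while the oauth2-proxy flags are still appended. A two-line comment such as `# Optional: override the image entrypoint. The chart still appends its generated args,` / `# so the command must accept oauth2-proxy flags (e.g. a wrapper script that execs the binary).` keeps it from being mistaken for a free-form command. The `externalTrafficPolicy`/`internalTrafficPolicy` comments in the same hunk would likewise benefit from naming the accepted values (`Cluster`/`Local`) and noting that the external policy only applies to NodePort/LoadBalancer services.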
@@ -289,6 +294,16 @@ podDisruptionBudget: enabled: true minAvailable: 1 +## Horizontal Pod Autoscaling +## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 80 +# targetMemoryUtilizationPercentage: 80 + annotations: {} + # Configure Kubernetes security context for pod # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ podSecurityContext: {} diff --git a/kubernetes/authentication/templates/_utils.tpl b/kubernetes/authentication/templates/_utils.tpl index 806f96164a..4606611159 100644 --- a/kubernetes/authentication/templates/_utils.tpl +++ b/kubernetes/authentication/templates/_utils.tpl @@ -25,9 +25,10 @@ Usage: realm: {{ $realm.name }} {{ if $realm.displayName }}displayName: {{ $realm.displayName }}{{ end }} id: {{ $realm.name }} -accessTokenLifespan: 1900 -registrationAllowed: false -resetPasswordAllowed: true +accessTokenLifespan: {{ default "1900" $realm.accessTokenLifespan }} +registrationAllowed: {{ default false $realm.registrationAllowed }} +resetPasswordAllowed: {{ default true $realm.resetPasswordAllowed }} +sslRequired: {{ default "external" $realm.sslRequired }} enabled: true {{ if $realm.themes }} {{ if $realm.themes.login }}loginTheme: {{ $realm.themes.login }}{{ end }} @@ -159,6 +160,7 @@ clients: baseUrl: {{ tpl $client.baseUrl $dot }} {{- end }} surrogateAuthRequired: {{ default false $client.surrogateAuthRequired }} + authorizationServicesEnabled: {{ default false $client.authorizationServicesEnabled }} enabled: true alwaysDisplayInConsole: false clientAuthenticatorType: {{ default "client-secret" $client.clientAuthenticatorType }} 
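Review bot: `# targetMemoryUtilizationPercentage: 80` in the new autoscaling block sits at column 0 between two keys indented by two spaces, which yamllint's comments-indentation rule flags and which reads as if the commented key belonged to the top level; indent it to `  # targetMemoryUtilizationPercentage: 80`. Whether a template actually consumes the memory target is not visible in this chunk.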
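Review bot: `resetPasswordAllowed: {{ default true $realm.resetPasswordAllowed }}` can never render false: Sprig's `default` treats `false` as an empty value, so a realm that explicitly sets `resetPasswordAllowed: false` still gets the password-reset link enabled. The same pattern appears in the later `_utils.tpl` hunk at `allowRemoteResourceManagement: "{{ default true $dot.allowRemoteResourceManagement }}"`. Test for the key instead: `resetPasswordAllowed: {{ if hasKey $realm "resetPasswordAllowed" }}{{ $realm.resetPasswordAllowed }}{{ else }}true{{ end }}`. The `default false` lines are unaffected because false is their fallback anyway. The define this hunk edits starts outside the hunk.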
@@ -211,33 +213,136 @@ clients: {{ toYaml $mapper.config | nindent 10 }} {{- end }} {{- end }} + {{- if $client.defaultClientScopes }} defaultClientScopes: - {{- if $client.defaultClientScopes }} - {{- range $index2, $scope := $client.defaultClientScopes }} + {{- range $index2, $scope := $client.defaultClientScopes }} - {{ $scope }} - {{- end }} - {{- else }} - - web-origins - - profile - - acr - - email {{- end }} + {{- end }} + {{- if $client.optionalClientScopes }} optionalClientScopes: - {{- if $client.optionalClientScopes }} - {{- range $index2, $scope := $client.optionalClientScopes }} + {{- range $index2, $scope := $client.optionalClientScopes }} - {{ $scope }} + {{- end }} + {{- end }} + {{- if $client.authorizationSettings }} + authorizationSettings: {{ include "auth._authorizationSettings" (dict "dot" $client.authorizationSettings ) | nindent 6 }} + {{- end }} + {{- end }} +{{- end }} + +{{/* +Renders the authorizationSettings in the client section in a realm. +Usage: +{{ include "auth._authorizationSettings" ( dict "dot" .Values) }} +*/}} +{{- define "auth._authorizationSettings" -}} +{{- $dot := default . 
.dot -}} +allowRemoteResourceManagement: "{{ default true $dot.allowRemoteResourceManagement }}" +policyEnforcementMode: "{{ default "ENFORCING" $dot.policyEnforcementMode }}" +decisionStrategy: "{{ default "UNANIMOUS" $dot.decisionStrategy }}" +resources: + {{- range $index, $resource := $dot.resources }} + - name: {{ $resource.name }} + type: {{ (default "" $resource.type) | quote }} + displayName: {{ (default "" $resource.displayName) | quote }} + ownerManagedAccess: {{ default false $resource.ownerManagedAccess }} + {{- if $resource.attributes }} + attributes: + {{- range $key,$value := $resource.attributes }} + {{ $key }}: {{ $value }} {{- end }} - {{- else }} - - address - - phone - - offline_access - - microprofile-jwt + {{- end }} + {{- if $resource.uris }} + uris: + {{- range $index2, $url := $resource.uris }} + - {{ $url }} + {{- end }} + {{- end }} + {{- if $resource.scopes }} + scopes: + {{- range $index3, $scope := $resource.scopes }} + - {{ $scope | toYaml }} + {{- end }} + {{- end }} + icon_uri: {{ (default "" $resource.icon_uri) | quote }} + {{- end }} +policies: + {{- range $index4, $policy := $dot.policies }} + - name: {{ $policy.name }} + type: {{ (default "" $policy.type) | quote }} + description: {{ (default "" $policy.description) | quote }} + logic: {{ default "POSITIVE" $policy.logic }} + decisionStrategy: {{ default "UNANIMOUS" $dot.decisionStrategy }} + config: + roles: {{ include "auth._policyRoles" (dict "dot" $policy.roles) | toJson }} + {{- end }} + {{- range $index6, $permission := $dot.permissions }} + - name: {{ $permission.name }} + type: {{ (default "" $permission.type) | quote }} + description: {{ (default "" $permission.description) | quote }} + logic: {{ default "POSITIVE" $permission.logic }} + decisionStrategy: {{ default "UNANIMOUS" $permission.decisionStrategy }} + config: + {{- if $permission.resources }} + resources: {{ include "auth._permissionResources" (dict "dot" $permission.resources) | toJson }} + {{- end }} + {{- 
if $permission.scopes }} + scopes: {{ include "auth._permissionScopes" (dict "dot" $permission.scopes) | toJson }} + {{- end }} + {{- if $permission.applyPolicies }} + applyPolicies: {{ include "auth._permissionApplyPolicies" (dict "dot" $permission.applyPolicies) | toJson }} {{- end }} {{- end }} +scopes: + {{- range $index, $scope := $dot.scopes }} + - name: {{ $scope.name }} + iconUri: {{ (default "" $scope.icon_uri) | quote }} + displayName: {{ (default "" $scope.displayName) | quote }} + {{- end }} +{{- end }} + +{{/* +Renders the roles in a policy. +Usage: +{{ include "auth._policyRoles" ( dict "dot" .Values) }} +*/}} +{{- define "auth._policyRoles" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$role := $dot }}{"id":"{{ $role.id }}","required":{{ $role.required }}}{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] {{- end }} {{/* -Renders the defaulDefaultClientScopes section in a realm. +Renders the resources in a permission. +Usage: +{{ include "auth._permissionResources" ( dict "dot" .Values) }} +*/}} +{{- define "auth._permissionResources" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$resource := $dot }}"{{ $resource }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] +{{- end }} + +{{/* +Renders the scopes in a permission. +Usage: +{{ include "auth._permissionScopes" ( dict "dot" .Values) }} +*/}} +{{- define "auth._permissionScopes" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$scope := $dot }}"{{ $scope }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] +{{- end }} + +{{/* +Renders the applyPolicies in a permission. +Usage: +{{ include "auth._permissionApplyPolicies" ( dict "dot" .Values) }} +*/}} +{{- define "auth._permissionApplyPolicies" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$policy := $dot }}"{{ $policy }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] +{{- end }} +{{/* +Renders the defaultDefaultClientScopes section in a realm. 
Usage: {{ include "auth._defaultClientScopes" ( dict "dot" .Values) }} */}} @@ -262,15 +367,15 @@ clientScopes: {{- if $dot.additionalClientScopes }} {{- range $index, $scope := $dot.additionalClientScopes }} - name: {{ $scope.name }} - description: "{{ default "" $scope.description }}" + description: {{ (default "" $scope.description) | quote }} protocol: openid-connect attributes: include.in.token.scope: 'false' display.on.consent.screen: 'true' gui.order: '' consent.screen.text: "${rolesScopeConsentText}" + {{- if $scope.protocolMappers }} protocolMappers: - {{- if $scope.protocolMappers }} {{- range $index2, $mapper := $scope.protocolMappers }} - name: {{ $mapper.name }} protocol: "openid-connect" @@ -279,8 +384,7 @@ clientScopes: config: {{ toYaml $mapper.config | nindent 8 }} {{- end }} - {{- end }} - + {{- end }} {{- end }} {{- end }} - name: roles @@ -719,7 +823,14 @@ users: {{ toYaml $user.credentials | nindent 6 }} {{- end }} disableableCredentialTypes: [] + {{- if $user.requiredActions }} + requiredActions: + {{- range $index2, $action := $user.requiredActions }} + - "{{ $action }}" + {{- end }} + {{- else }} requiredActions: [] + {{- end }} {{- if $user.realmRoles }} realmRoles: {{- range $index2, $realmRole := $user.realmRoles }} @@ -805,7 +916,11 @@ Usage: {{- define "auth._attributes" -}} {{- $dot := default . .dot -}} {{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}} +{{- if $realm.attributes }} attributes: +{{- if $realm.attributes.frontendUrl }} frontendUrl: {{ tpl $realm.attributes.frontendUrl $dot }} +{{- end }} acr.loa.map: "{\"ABC\":\"5\"}" {{- end }} +{{- end }} diff --git a/kubernetes/authentication/values.yaml b/kubernetes/authentication/values.yaml index ba99879e87..124bc18c8d 100644 --- a/kubernetes/authentication/values.yaml +++ b/kubernetes/authentication/values.yaml 
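Review bot: In the `policies:` loop of the new `auth._authorizationSettings` define, `decisionStrategy: {{ default "UNANIMOUS" $dot.decisionStrategy }}` reads the authorization-settings-level value rather than the policy's own, while the `permissions` loop directly below reads `$permission.decisionStrategy`; this looks like it should be `$policy.decisionStrategy`. Separately, `auth._policyRoles`, `auth._permissionResources`, `auth._permissionScopes` and `auth._permissionApplyPolicies` build JSON by string concatenation, so a value containing `"` or `\` yields invalid JSON and a role without `required` renders `<no value>`; if the outer `| toJson` exists because these config values are expected as JSON-in-a-string, `roles: {{ $policy.roles | toJson | toJson }}` (and likewise `$permission.resources | toJson | toJson`) produces the same shape with proper escaping and no hand-rolled helper. `config: roles:` is also emitted for every policy, so a policy with no `roles` key appears to hand a nil `.dot` to the helper, which then ranges over the wrapper dict and dereferences `.id` on nil; guard it with `{{- if $policy.roles }}` like the permission fields. The `clients:` loop this hunk begins in starts outside the hunk.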
@@ -26,7 +26,7 @@ global: postaddr: "" keycloak: - intURL: "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/" + intURL: "http://keycloak-http.keycloak.svc.cluster.local/" relativePath: "auth/" ingressAuthentication: enabled: false @@ -38,12 +38,16 @@ ingressAuthentication: onap-keycloak-config-cli: image: + # "edge" is the latest build release and need to be replaced with a new version + # compatible with keycloak 26.x.y + tag: edge + #tag: "6.1.6-25.0.1" pullSecrets: - name: onap-docker-registry-key #existingSecret: "keycloak-keycloakx-admin-creds" env: # internal KC URL plus relative path - KEYCLOAK_URL: "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/" + KEYCLOAK_URL: "http://keycloak-http.keycloak.svc.cluster.local/auth/" KEYCLOAK_SSLVERIFY: "false" KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true" secrets: @@ -71,6 +75,11 @@ onap-keycloak-config-cli: memory: 10Mi onap-oauth2-proxy: + + # Addition for oauth2-proxy deployment + imagePullSecrets: + - name: '{{ include "common.namespace" . }}-docker-registry-key' + securityContext: capabilities: drop: 
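Review bot: `tag: edge` in the onap-keycloak-config-cli hunk pins the deployment to a mutable, moving tag, so two installs of the same chart version can pull different images and a re-pull silently changes what runs; the comment above acknowledges it as a stopgap, but nothing marks it for follow-up. Suggest `# TODO(<tracking id>): "edge" is a temporary stand-in until a release compatible with Keycloak 26.x exists; pin to a versioned tag or digest` in place of the current comment, with the commented `#tag: "6.1.6-25.0.1"` kept as the last known pinned version. The `intURL` and `KEYCLOAK_URL` host rename to `keycloak-http` in the hunks on this line has to match the service name the Keycloak chart now creates, which cannot be checked from this chunk.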
@@ -309,24 +318,24 @@ realmSettings: - name: "Client Host" protocolMapper: "oidc-usersessionmodel-note-mapper" config: - user.session.note : "clientHost" - id.token.claim : "true" - access.token.claim : "true" - claim.name : "clientHost" - jsonType.label : "String" + user.session.note: "clientHost" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "clientHost" + jsonType.label: "String" - name: "Client IP Address" protocolMapper: "oidc-usersessionmodel-note-mapper" config: - user.session.note : "clientAddress" - id.token.claim : "true" - access.token.claim : "true" - claim.name : "clientAddress" - jsonType.label : "String" + user.session.note: "clientAddress" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "clientAddress" + jsonType.label: "String" defaultClientScopes: - "onap_roles" additionalClientScopes: - name: onap_roles - description: OpenID Connect scope for add user onap roles to the access token + description: "OpenID Connect scope for add user onap roles to the access token" protocolMappers: - name: aud protocol: openid-connect |