authorAndreas Geissler <andreas-geissler@telekom.de>2022-08-25 12:28:38 +0200
committerAndreas Geissler <andreas-geissler@telekom.de>2023-04-17 12:55:48 +0000
commit784322d219b6b64dde22847fe8dc8fb4fce1f639 (patch)
tree7fb8334bd537fd1464c65f8584e58175b1f8d7c0 /kubernetes/platform/components/oauth2-proxy/values.yaml
parent094f8fdb59ab3b0f8d94b4609a110e44f7521770 (diff)
[PLATFORM] Add OAuth2-Proxy to ONAP
As part of the ServiceMesh solution, OAuth2-proxy will be used to enable central authentication and authorization for ONAP service access. This patch delivers the function based on the oauth2-proxy Helm charts: https://github.com/oauth2-proxy/manifests/tree/main/helm/oauth2-proxy

Issue-ID: OOM-2489
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
Change-Id: Iafa82813a7b9494cf13d77d47a39fc6030cb919b
Diffstat (limited to 'kubernetes/platform/components/oauth2-proxy/values.yaml')
1 files changed, 74 insertions, 0 deletions
diff --git a/kubernetes/platform/components/oauth2-proxy/values.yaml b/kubernetes/platform/components/oauth2-proxy/values.yaml
new file mode 100644
index 0000000000..81a9986d3d
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/values.yaml
@@ -0,0 +1,74 @@
+ # Oauth client configuration specifics
+ config:
+ cookieSecret: "CbgXFXDJ16laaCfChtFBpKy1trNEmJZDIjaiaIMLyRA="
+ configFile: |-
+ email_domains = [ "*" ] # Restrict to these E-Mail Domains, a wildcard "*" allows any email
+ alphaConfig:
+ enabled: true
+ configData:
+ providers:
+ - clientID: "oauth2-proxy"
+ clientSecret: "5YSOkJz99WHv8enDZPknzJuGqVSerELp"
+ id: oidc-istio
+ provider: oidc # We use the generic 'oidc' provider
+ loginURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/auth
+ #redeemURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/token
+ redeemURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/token
+ profileURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo
+ validateURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo
+ scope: "openid email profile groups"
+ #allowedGroups:
+ # - admins # List all groups managed at our your IdP which should be allowed access
+ # - infrateam
+ # - anothergroup
+ oidcConfig:
+ emailClaim: email # Name of the clain in JWT containing the E-Mail
+ groupsClaim: groups # Name of the claim in JWT containing the Groups
+ userIDClaim: email # Name of the claim in JWT containing the User ID
+ audienceClaims: ["aud"]
+ insecureAllowUnverifiedEmail: true
+ insecureSkipIssuerVerification: true
+ skipDiscovery: true # You can try using the well-knwon endpoint directly for auto discovery, here we won't use it
+ issuerURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP
+ jwksURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/certs
+ upstreamConfig:
+ upstreams:
+ - id: static_200
+ path: /
+ static: true
+ staticCode: 200
+ # Headers that should be added to responses from the proxy
+ injectResponseHeaders: # Send this headers in responses from oauth2-proxy
+ - name: X-Auth-Request-Preferred-Username
+ values:
+ - claim: preferred_username
+ - name: X-Auth-Request-Email
+ values:
+ - claim: email
+ extraArgs:
+ cookie-secure: "false"
+ cookie-domain: ".simpledemo.onap.org" # Replace with your base domain
+ cookie-samesite: lax
+ cookie-expire: 12h # How long our Cookie is valid
+ auth-logging: true # Enable / Disable auth logs
+ request-logging: true # Enable / Disable request logs
+ standard-logging: true # Enable / Disable the standart logs
+ show-debug-on-error: true # Disable in production setups
+ skip-provider-button: true # We only have one provider configured (Keycloak)
+ silence-ping-logging: true # Keeps our logs clean
+ whitelist-domain: ".simpledemo.onap.org" # Replace with your base domain
+ # Enables and configure the automatic deployment of the redis subchart
+ redis:
+ # provision an instance of the redis sub-chart
+ enabled: false
+ nameOverride: oauth2-proxy
+ roles:
+ - read
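Review bot: The values file commits live credentials as plain literals — `cookieSecret` directly under `config:` and `clientSecret` under `providers:` — so anyone with read access to the repository holds both the session-signing key and the IdP client credential, and rotating either one requires a code change. Move both into a Kubernetes Secret and reference it from the chart (the oauth2-proxy chart exposes `config.existingSecret` for this, if the vendored chart version supports it), leaving only a placeholder comment such as `# cookieSecret/clientSecret are supplied via a Secret, not committed here`. Separately, `insecureAllowUnverifiedEmail: true`, `insecureSkipIssuerVerification: true` and `cookie-secure: "false"` switch off the email, issuer and transport checks the proxy depends on; if they are deliberate for the demo domain, a comment next to them should say so, e.g. `# insecure* flags and cookie-secure=false are for the simpledemo setup only; remove before exposing the proxy`. The in-cluster `redeemURL` and `jwksURL` use plain `http://`, which is presumably covered by the service-mesh mTLS the commit message refers to — worth stating in a comment beside those lines rather than leaving the reader to infer it. The hunk shows 66 of the 74 inserted lines, so the closing `redis:` stanza may continue past what is visible here.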