-rw-r--r-- | docs/sections/resources/yaml/keycloak-server-values.yaml | 4 | ||||
-rw-r--r-- | kubernetes/authentication/.helmignore (renamed from kubernetes/platform/components/keycloak-init/.helmignore) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/Chart.yaml (renamed from kubernetes/platform/components/keycloak-init/Chart.yaml) | 13 | ||||
-rw-r--r-- | kubernetes/authentication/Makefile (renamed from kubernetes/platform/components/oauth2-proxy/Makefile) | 2 | ||||
-rw-r--r-- | kubernetes/authentication/README.md | 54 | ||||
-rw-r--r-- | kubernetes/authentication/components/Makefile (renamed from kubernetes/platform/components/keycloak-init/components/Makefile) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/keycloak-config-cli/.helmignore (renamed from kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/.helmignore) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/keycloak-config-cli/Chart.yaml (renamed from kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml) | 4 | ||||
-rw-r--r-- | kubernetes/authentication/components/keycloak-config-cli/templates/_helpers.tpl (renamed from kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/_helpers.tpl) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/keycloak-config-cli/templates/job.yaml (renamed from kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/job.yaml) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/keycloak-config-cli/templates/realms.yaml (renamed from kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/realms.yaml) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/keycloak-config-cli/templates/secrets.yaml (renamed from kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/secrets.yaml) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/keycloak-config-cli/values.yaml (renamed from kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml) | 4 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/.helmignore (renamed from kubernetes/platform/components/oauth2-proxy/.helmignore) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/Chart.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/Chart.yaml) | 13 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/README.md (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/README.md) | 41 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/ci/default-values.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/default-values.yaml) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-list-values.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-list-values.yaml) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/ci/extra-env-tpl-values.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-env-tpl-values.yaml) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/ci/pdb-values.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pdb-values.yaml) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/ci/pod-security-context-values.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pod-security-context-values.yaml) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/ci/redis-standalone-values.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/redis-standalone-values.yaml) | 3 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/ci/servicemonitor-values.yaml | 18 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/tpl-values.yaml) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh | 52 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/NOTES.txt | 3 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/_capabilities.tpl (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_capabilities.tpl) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/_helpers.tpl (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_helpers.tpl) | 53 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/_ingress.tpl (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_ingress.tpl) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml) | 1 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/configmap-wait-for-redis.yaml | 13 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap.yaml) | 1 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deployment.yaml) | 91 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/deprecation.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deprecation.yaml) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/extra-manifests.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/extra-manifests.yaml) | 0 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/google-secret.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/google-secret.yaml) | 1 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/ingress.yaml) | 6 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/poddisruptionbudget.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/poddisruptionbudget.yaml) | 1 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/redis-secret.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/redis-secret.yaml) | 1 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml | 20 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml) | 1 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/secret-htpasswd-file.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-htpasswd-file.yaml) | 3 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret.yaml) | 5 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/service.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/service.yaml) | 1 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml | 60 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml | 57 | ||||
-rw-r--r-- | kubernetes/authentication/components/oauth2-proxy/values.yaml (renamed from kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/values.yaml) | 150 | ||||
-rw-r--r-- | kubernetes/authentication/resources/oauth2_proxy.cfg | 38 | ||||
-rw-r--r-- | kubernetes/authentication/templates/_utils.tpl | 813 | ||||
-rw-r--r-- | kubernetes/authentication/templates/authorizationpolicy.yaml | 90 | ||||
-rw-r--r-- | kubernetes/authentication/templates/configmap.yaml | 23 | ||||
-rw-r--r-- | kubernetes/authentication/templates/requestauthentication.yaml | 36 | ||||
-rw-r--r-- | kubernetes/authentication/templates/secret.yaml (renamed from kubernetes/platform/components/keycloak-init/templates/secret.yaml) | 9 | ||||
-rw-r--r-- | kubernetes/authentication/values.yaml | 585 | ||||
-rw-r--r-- | kubernetes/onap/Chart.yaml | 4 | ||||
-rw-r--r-- | kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml | 2 | ||||
-rw-r--r-- | kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml | 2 | ||||
-rw-r--r-- | kubernetes/onap/resources/overrides/onap-all.yaml | 2 | ||||
-rwxr-xr-x | kubernetes/onap/values.yaml | 2 | ||||
-rw-r--r-- | kubernetes/platform/Chart.yaml | 9 | ||||
-rw-r--r-- | kubernetes/platform/components/keycloak-init/Makefile | 60 | ||||
-rw-r--r-- | kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json | 426 | ||||
-rw-r--r-- | kubernetes/platform/components/keycloak-init/values.yaml | 41 | ||||
-rw-r--r-- | kubernetes/platform/components/oauth2-proxy/Chart.yaml | 34 | ||||
-rwxr-xr-x | kubernetes/platform/components/oauth2-proxy/components/Makefile | 58 | ||||
-rw-r--r-- | kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore | 23 | ||||
-rw-r--r-- | kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml | 4 | ||||
-rw-r--r-- | kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt | 3 | ||||
-rw-r--r-- | kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml | 32 | ||||
-rw-r--r-- | kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml | 14 | ||||
-rw-r--r-- | kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml | 31 | ||||
-rw-r--r-- | kubernetes/platform/components/oauth2-proxy/values.yaml | 74 | ||||
-rw-r--r-- | kubernetes/platform/values.yaml | 6 |
75 files changed, 2214 insertions, 883 deletions
diff --git a/docs/sections/resources/yaml/keycloak-server-values.yaml b/docs/sections/resources/yaml/keycloak-server-values.yaml index 0160ce86e8..516a26a76b 100644 --- a/docs/sections/resources/yaml/keycloak-server-values.yaml +++ b/docs/sections/resources/yaml/keycloak-server-values.yaml @@ -46,3 +46,7 @@ secrets: stringData: user: admin password: secret + +http: + # For backwards compatibility reasons we set this to the value used by previous Keycloak versions. + relativePath: "/" # "/auth" diff --git a/kubernetes/platform/components/keycloak-init/.helmignore b/kubernetes/authentication/.helmignore index cf02291a2a..cf02291a2a 100644 --- a/kubernetes/platform/components/keycloak-init/.helmignore +++ b/kubernetes/authentication/.helmignore diff --git a/kubernetes/platform/components/keycloak-init/Chart.yaml b/kubernetes/authentication/Chart.yaml index 44ac9f5213..a3ac43c4e7 100644 --- a/kubernetes/platform/components/keycloak-init/Chart.yaml +++ b/kubernetes/authentication/Chart.yaml @@ -1,6 +1,6 @@ #============LICENSE_START======================================================== # ================================================================================ -# Copyright © 2022 Deutsche Telekom +# Copyright © 2024 Deutsche Telekom # ================================================================================ # Original licence (https://github.com/codecentric/helm-charts/blob/master/LICENSE) # Licensed under the Apache License, Version 2.0 (the "License"); @@ -16,9 +16,9 @@ # limitations under the License. # ============LICENSE_END========================================================= apiVersion: v2 -version: 13.0.1 -description: ONAP Realm creation and configuration -name: keycloak-init +version: 14.0.0 +description: ONAP Realm creation, Oauth2Proxy installation and configuration +name: authentication sources: - https://github.com/adorsys/keycloak-config-cli 
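Review bot: The comment added above `relativePath` in docs/sections/resources/yaml/keycloak-server-values.yaml contradicts the value it documents: it says the setting keeps the path used by previous Keycloak versions, yet the value is `"/"` while the trailing `# "/auth"` marks the legacy path, so a reader copying this file cannot tell which one is the backwards-compatible choice. Suggest replacing the two-part comment with `# Served under "/"; set "/auth" only if clients still expect the legacy path.` and dropping the trailing inline comment. The `user: admin` / `password: secret` lines are pre-existing context and not part of this change.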
@@ -31,5 +31,8 @@ dependencies: version: ~13.x-0 repository: '@local' - name: onap-keycloak-config-cli - version: 5.10.0 + version: 5.12.0 repository: 'file://components/keycloak-config-cli' + - name: onap-oauth2-proxy + version: 7.5.4 + repository: 'file://components/oauth2-proxy' diff --git a/kubernetes/platform/components/oauth2-proxy/Makefile b/kubernetes/authentication/Makefile index 5970a97115..f47666e135 100644 --- a/kubernetes/platform/components/oauth2-proxy/Makefile +++ b/kubernetes/authentication/Makefile @@ -18,7 +18,7 @@ OUTPUT_DIR := $(ROOT_DIR)/../../dist PACKAGE_DIR := $(OUTPUT_DIR)/packages SECRET_DIR := $(OUTPUT_DIR)/secrets -EXCLUDES := +EXCLUDES := dist resources templates charts HELM_BIN := helm ifneq ($(SKIP_LINT),TRUE) HELM_LINT_CMD := $(HELM_BIN) lint diff --git a/kubernetes/authentication/README.md b/kubernetes/authentication/README.md new file mode 100644 index 0000000000..75d8f05ebd --- /dev/null +++ b/kubernetes/authentication/README.md 
@@ -0,0 +1,54 @@ +TBD: Description about settings... + + +``` +realmSettings: + - name: <Realm ID> - unique ID for a realm (e.g. "ONAP") + displayName: <Display Name> - (optional) Keycloak Display Name (e.g. "ONAP Realm") + themes: - (optional) Keycloak Theme settings + login: <login theme> - (optional) Keycloak Theme for Login UI (e.g. "base") + admin: <admin theme> - (optional) Keycloak Theme for Admin UI (e.g. "base") + account: <account theme> - (optional) Keycloak Theme for Account UI (e.g. "base") + email: <email theme> - (optional) Keycloak Theme for Email UI (e.g. "base") + groups: - (optional) Group definitions + - name: <group name> - Group name + path: /path> - Group URL path + realmRoles: [ <role>,... ] - (optional) List of Realm roles + initialUsers: - (optional) List of initial users + - username: <user name> - Name of the User + password: <password> - Initial Password + email: <email> - Email Address + firstName: <first name> - (optional) First Name + lastName: <last name> - (optional) Last Name + groups: - (optional) group membership + - <group name> +``` + +``` + clients: + oauth2_proxy: + clientId: "oauth2-proxy-onap" + name: "Oauth2 Proxy" + secret: 5YSOkJz99WHv8enDZPknzJuGqVSerELp + protocol: openid-connect + portal_app: + clientId: "portal-app" + redirectUris: + - "https://portal-$PARAM_BASE_URL/*" + - "http://localhost/*" + protocol: openid-connect +``` + +``` + accessControl: + assignableRoles: + - name: onap-operator-read + description: "Allows to perform GET operations for all ONAP components" + associatedAccessRoles: [ "dmaap-bc-api-read", "dmaap-dr-node-api-read", "dmaap-dr-prov-api-read", "dmaap-mr-api-read", "msb-consul-api-read", "msb-discovery-api-read", "msb-eag-ui-read", "msb-iag-ui-read", "nbi-api-read", "aai-api-read", "aai-babel-api-read", "aai-sparkybe-api-read", "cds-blueprintsprocessor-api-read", "cds-ui-read", "cps-core-api-read", "cps-ncmp-dmi-plugin-api-read", "cps-temporal-api-read", "reaper-dc1-read", "sdc-be-api-read", 
"sdc-fe-ui-read", "sdc-wfd-be-api-read", "sdc-wfd-fe-ui-read", "so-admin-cockpit-ui-read", "so-api-read", "usecase-ui-read", "uui-server-read" ] + + accessRoles: + "oauth2_proxy": + - name: dmaap-bc-api-read + methodsAllowed: ["GET"] + servicePrefix: dmaap-bc-api +```
\ No newline at end of file diff --git a/kubernetes/platform/components/keycloak-init/components/Makefile b/kubernetes/authentication/components/Makefile index 4ecfbc53cc..4ecfbc53cc 100644 --- a/kubernetes/platform/components/keycloak-init/components/Makefile +++ b/kubernetes/authentication/components/Makefile diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/.helmignore b/kubernetes/authentication/components/keycloak-config-cli/.helmignore index 0e8a0eb36f..0e8a0eb36f 100644 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/.helmignore +++ b/kubernetes/authentication/components/keycloak-config-cli/.helmignore diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml b/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml index abcf889834..80e5d27c9f 100644 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml +++ b/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml @@ -20,8 +20,8 @@ apiVersion: v2 name: onap-keycloak-config-cli description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak. home: https://github.com/adorsys/keycloak-config-cli -version: 5.10.0 -appVersion: 5.10.0 +version: 5.12.0 +appVersion: 5.12.0 maintainers: - name: jkroepke email: joe@adorsys.de diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/_helpers.tpl b/kubernetes/authentication/components/keycloak-config-cli/templates/_helpers.tpl index cc1ad7ad8d..cc1ad7ad8d 100644 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/_helpers.tpl +++ b/kubernetes/authentication/components/keycloak-config-cli/templates/_helpers.tpl 
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/job.yaml b/kubernetes/authentication/components/keycloak-config-cli/templates/job.yaml index 322db2b7a1..322db2b7a1 100644 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/job.yaml +++ b/kubernetes/authentication/components/keycloak-config-cli/templates/job.yaml diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/realms.yaml b/kubernetes/authentication/components/keycloak-config-cli/templates/realms.yaml index fa9363e9d0..fa9363e9d0 100644 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/realms.yaml +++ b/kubernetes/authentication/components/keycloak-config-cli/templates/realms.yaml diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/secrets.yaml b/kubernetes/authentication/components/keycloak-config-cli/templates/secrets.yaml index 94505289e6..94505289e6 100644 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/secrets.yaml +++ b/kubernetes/authentication/components/keycloak-config-cli/templates/secrets.yaml diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml b/kubernetes/authentication/components/keycloak-config-cli/values.yaml index 5f8d4a3fd5..46c67dd220 100644 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml +++ b/kubernetes/authentication/components/keycloak-config-cli/values.yaml @@ -47,10 +47,10 @@ labels: {} resources: {} # limits: # cpu: "100m" - # memory: "1Gi" + # memory: "1024Mi" # requests: # cpu: "100m" -# memory: "1Gi" +# memory: "1024Mi" env: KEYCLOAK_URL: http://keycloak:8080 diff --git a/kubernetes/platform/components/oauth2-proxy/.helmignore b/kubernetes/authentication/components/oauth2-proxy/.helmignore index 825c007791..825c007791 100644 
--- a/kubernetes/platform/components/oauth2-proxy/.helmignore +++ b/kubernetes/authentication/components/oauth2-proxy/.helmignore diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/Chart.yaml b/kubernetes/authentication/components/oauth2-proxy/Chart.yaml index b31b35f46d..3bcf687241 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/Chart.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/Chart.yaml @@ -1,7 +1,7 @@ name: onap-oauth2-proxy -version: 6.10.1 +version: 7.5.4 apiVersion: v2 -appVersion: 7.4.0 +appVersion: 7.6.0 home: https://oauth2-proxy.github.io/oauth2-proxy/ description: A reverse proxy that provides authentication with Google, Github or other providers keywords: @@ -14,7 +14,7 @@ keywords: - redis dependencies: - name: redis - version: ~16.13.2 + version: 19.1.0 repository: https://charts.bitnami.com/bitnami alias: redis condition: redis.enabled @@ -39,3 +39,10 @@ maintainers: - name: pierluigilenoci email: pierluigi.lenoci@gmail.com kubeVersion: ">=1.9.0-0" +annotations: + artifacthub.io/changes: | + - kind: changed + description: Wait for redis script fixes for cluster and sentinel + links: + - name: Github PR + url: https://github.com/oauth2-proxy/manifests/issues/205 diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/README.md b/kubernetes/authentication/components/oauth2-proxy/README.md index 9e18388501..55a5e44429 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/README.md +++ b/kubernetes/authentication/components/oauth2-proxy/README.md 
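Review bot: In the `annotations` hunk of kubernetes/authentication/components/oauth2-proxy/Chart.yaml the link is labelled `name: Github PR` but its URL ends in `manifests/issues/205`, so label and target disagree; change it to `name: Github issue` or point the URL at the pull request that carried the fix. The same `artifacthub.io/changes` entry is also the natural place to record that the `redis` dependency in the preceding hunk moved from the `~16.13.2` range to a pinned `19.1.0`, which presumably crosses several major versions of the upstream chart and may involve values-key changes that operators upgrading in place need to know about.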
@@ -98,7 +98,7 @@ Parameter | Description | Default `config.clientID` | oauth client ID | `""` `config.clientSecret` | oauth client secret | `""` `config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""` -`config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret.yaml) for the required values | `nil` +`config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil` `config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` `config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` `config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""` 
@@ -107,7 +107,9 @@ Parameter | Description | Default `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` `alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` `alphaConfig.configData` | Arbitrary configuration data to append | `{}` -`alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap-alpha.yaml) for the required values | `nil` +`alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""` +`alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` +`alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` `customLabels` | Custom labels to add into metadata | `{}` | `config.google.adminEmail` | user impersonated by the google service account | `""` `config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account json | `false` 
@@ -121,9 +123,7 @@ Parameter | Description | Default `extraEnv` | key:value list of extra environment variables to give the binary | `[]` `extraVolumes` | list of extra volumes | `[]` `extraVolumeMounts` | list of extra volumeMounts | `[]` -`hostAlias.enabled` | provide extra ip:hostname alias for network name resolution. -`hostAlias.ip` | `ip` address `hostAliases.hostname` should resolve to. -`hostAlias.hostname` | `hostname` associated to `hostAliases.ip`. +`hostAliases` | hostAliases is a list of aliases to be added to /etc/hosts for network name resolution. `htpasswdFile.enabled` | enable htpasswd-file option | `false` `htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#command-line-options) | `{}` `htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""` 
@@ -137,12 +137,21 @@ Parameter | Description | Default `ingress.path` | Ingress accepted path | `/` `ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific` `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). | `[]` +`ingress.labels` | Ingress extra labels | `{}` `ingress.annotations` | Ingress annotations | `nil` `ingress.hosts` | Ingress accepted hostnames | `nil` `ingress.tls` | Ingress TLS configuration | `nil` +`initContainers.waitForRedis.enabled` | if `redis.enabled` is true, use an init container to wait for the redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list and watch the redis master pod | `true` +`initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent` +`initContainers.waitForRedis.image.repository` | kubectl image repository | `docker.io/bitnami/kubectl` +`initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")` +`initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true` +`initContainers.waitForRedis.timeout` | number of seconds | 180 +`initContainers.waitForRedis.resources` | pod resource requests & limits | `{}` `livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. 
See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` `livenessProbe.initialDelaySeconds` | number of seconds | 0 `livenessProbe.timeoutSeconds` | number of seconds | 1 +`namespaceOverride` | Override the deployment namespace | `""` `nodeSelector` | node labels for pod assignment | `{}` `deploymentAnnotations` | annotations to add to the deployment | `{}` `podAnnotations` | annotations to add to each pod | `{}` @@ -169,9 +178,9 @@ Parameter | Description | Default `serviceAccount.enabled` | create a service account | `true` `serviceAccount.name` | the service account name | `` `serviceAccount.annotations` | (optional) annotations for the service account | `{}` +`strategy` | configure deployment strategy | `{}` `tolerations` | list of node taints to tolerate | `[]` -`securityContext.enabled` | enable Kubernetes security context on container | `false` -`securityContext.runAsNonRoot` | make sure that the container runs as a non-root user | `true` +`securityContext.enabled` | enable Kubernetes security context on container | `true` `proxyVarsAsSecrets` | choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true` `sessionStorage.type` | Session storage type which can be one of the following: cookie or redis | `cookie` `sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""` 
@@ -192,12 +201,18 @@ Parameter | Description | Default `metrics.port` | Serve Prometheus metrics on this port | `44180` `metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil` `metrics.service.appProtocol` | application protocol of the metrics port in the service | `http` -`metrics.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false` -`metrics.servicemonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""` -`metrics.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default` -`metrics.servicemonitor.interval` | Prometheus scrape interval | `60s` -`metrics.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` -`metrics.servicemonitor.labels` | Add custom labels to the ServiceMonitor resource| `{}` +`metrics.serviceMonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false` +`metrics.serviceMonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""` +`metrics.serviceMonitor.prometheusInstance` | Prometheus Instance definition | `default` +`metrics.serviceMonitor.interval` | Prometheus scrape interval | `60s` +`metrics.serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` +`metrics.serviceMonitor.labels` | Add custom labels to the ServiceMonitor resource| `{}` +`metrics.serviceMonitor.scheme` | HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS.| `""` +`metrics.serviceMonitor.tlsConfig` | TLS configuration to use when scraping the endpoint. 
For example if using istio mTLS.| `{}` +`metrics.serviceMonitor.bearerTokenFile` | Path to bearer token file.| `""` +`metrics.serviceMonitor.annotations` | Used to pass annotations that are used by the Prometheus installed in your cluster| `{}` +`metrics.serviceMonitor.metricRelabelings` | Metric relabel configs to apply to samples before ingestion.| `[]` +`metrics.serviceMonitor.relabelings` | Relabel configs to apply to samples before ingestion.| `[]` `extraObjects` | Extra K8s manifests to deploy | `[]` Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/default-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/default-values.yaml index fc2ba605ad..fc2ba605ad 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/default-values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/ci/default-values.yaml diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml index 92dc451807..92dc451807 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-list-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-list-values.yaml index 5f47a5f479..5f47a5f479 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-list-values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-list-values.yaml 
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-env-tpl-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/extra-env-tpl-values.yaml index 357dba9153..357dba9153 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-env-tpl-values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/ci/extra-env-tpl-values.yaml diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml index e74a393db0..e74a393db0 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pdb-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/pdb-values.yaml index 25b16272a7..25b16272a7 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pdb-values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/ci/pdb-values.yaml diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pod-security-context-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/pod-security-context-values.yaml index b7c8cea546..b7c8cea546 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pod-security-context-values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/ci/pod-security-context-values.yaml diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/redis-standalone-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/redis-standalone-values.yaml index e3418c39fa..e58c32cf0c 100644 
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/redis-standalone-values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/ci/redis-standalone-values.yaml @@ -10,3 +10,6 @@ redis: global: redis: password: "foo" +initContainers: + waitForRedis: + enabled: true diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/servicemonitor-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/servicemonitor-values.yaml new file mode 100644 index 0000000000..0c232bf5c1 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/ci/servicemonitor-values.yaml @@ -0,0 +1,18 @@ +metrics: + enabled: true + serviceMonitor: + enabled: true + annotations: + key: value + metricRelabelings: + - action: keep + regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + sourceLabels: [__name__] + + relabelings: + - sourceLabels: [__meta_kubernetes_pod_node_name] + separator: ; + regex: ^(.*)$ + targetLabel: nodename + replacement: $1 + action: replace diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/tpl-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml index 65977d921b..65977d921b 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/tpl-values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml diff --git a/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh b/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh new file mode 100644 index 0000000000..24e628f426 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh 
@@ -0,0 +1,52 @@ +#!/bin/sh + +RETRY_INTERVAL=5 # Interval between retries in seconds +elapsed=0 # Elapsed time + +check_redis() { + host=$1 + port=$2 + while [ $elapsed -lt $TOTAL_RETRY_TIME ]; do + echo "Checking Redis at $host:$port... Elapsed time: ${elapsed}s" + if nc -z -w1 $TIMEOUT $host $port > /dev/null 2>&1; then + echo "Redis is up at $host:$port!" + return 0 + else + echo "Redis is down at $host:$port. Retrying in $RETRY_INTERVAL seconds." + sleep $RETRY_INTERVAL + elapsed=$((elapsed + RETRY_INTERVAL)) + fi + done + echo "Failed to connect to Redis at $host:$port after $TOTAL_RETRY_TIME seconds." + return 1 +} + +# For parsing and checking connections +parse_and_check() { + url=$1 + clean_url=${url#redis://} + host=$(echo $clean_url | cut -d':' -f1) + port=$(echo $clean_url | cut -d':' -f2) + check_redis $host $port +} + +# Main +if [ -n "$OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS" ]; then + echo "Checking Redis in cluster mode..." + echo "$OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS" | tr ',' '\n' | while read -r addr; do + parse_and_check $addr || exit 1 + done +elif [ -n "$OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS" ]; then + echo "Checking Redis in sentinel mode..." + echo "$OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS" | tr ',' '\n' | while read -r addr; do + parse_and_check $addr || exit 1 + done +elif [ -n "$OAUTH2_PROXY_REDIS_CONNECTION_URL" ]; then + echo "Checking standalone Redis..." + parse_and_check "$OAUTH2_PROXY_REDIS_CONNECTION_URL" || exit 1 +else + echo "Redis configuration not specified." + exit 1 +fi + +echo "Redis check completed." diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/NOTES.txt b/kubernetes/authentication/components/oauth2-proxy/templates/NOTES.txt new file mode 100644 index 0000000000..36ded35867 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/NOTES.txt 
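Review bot: In the cluster and sentinel branches, `exit 1` runs inside a `while read` loop that is fed by a pipe, so in dash and non-interactive bash it terminates only the pipeline's subshell; the script then falls through to `echo "Redis check completed."` and exits 0, and the init container succeeds even when one of the listed nodes was unreachable. Propagate the status out of each loop by ending both loops with `done || exit 1` (the subshell's exit code is the pipeline's). `nc -z -w1 $TIMEOUT $host $port` also references `TIMEOUT`, which is never set in the script or in the init container's env; if a caller ever sets it, nc reads it as the host, so write the probe as `nc -z -w 1 "$host" "$port"`. `parse_and_check` assumes the bare `redis://host:port` form; a URL carrying credentials (`redis://user:pass@host:port`) or a `rediss://` scheme splits incorrectly, which is worth stating in the comment above the function or rejecting explicitly.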
@@ -0,0 +1,3 @@ +To verify that oauth2-proxy has started, run: + + kubectl --namespace={{ template "oauth2-proxy.namespace" $ }} get pods -l "app={{ template "oauth2-proxy.name" . }}" diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_capabilities.tpl b/kubernetes/authentication/components/oauth2-proxy/templates/_capabilities.tpl index f959f10e49..f959f10e49 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_capabilities.tpl +++ b/kubernetes/authentication/components/oauth2-proxy/templates/_capabilities.tpl diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_helpers.tpl b/kubernetes/authentication/components/oauth2-proxy/templates/_helpers.tpl index 87c64493b7..6a9bbb320d 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_helpers.tpl +++ b/kubernetes/authentication/components/oauth2-proxy/templates/_helpers.tpl @@ -79,6 +79,17 @@ Create the name of the service account to use {{- end -}} {{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "oauth2-proxy.namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{/* Redis subcharts fullname */}} {{- define "oauth2-proxy.redis.fullname" -}} 
@@ -106,5 +117,45 @@ Compute the redis url if not set explicitly. Returns the version */}} {{- define "oauth2-proxy.version" -}} -{{ trimPrefix "v" (lower (.Values.image.tag | default (printf "v%s" .Chart.AppVersion))) }} +{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }} +{{- end -}} + +{{/* +Returns the kubectl version +Workaround for EKS https://github.com/aws/eks-distro/issues/1128 +*/}} +{{- define "kubectl.version" -}} +{{- if .Values.initContainers.waitForRedis.kubectlVersion -}} +{{ .Values.initContainers.waitForRedis.kubectlVersion }} +{{- else -}} +{{- printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "") -}} +{{- end -}} +{{- end -}} + +{{- define "oauth2-proxy.alpha-config" -}} +--- +server: + BindAddress: '0.0.0.0:4180' +{{- if .Values.alphaConfig.serverConfigData }} +{{- toYaml .Values.alphaConfig.serverConfigData | nindent 2 }} +{{- end }} +{{- if .Values.metrics.enabled }} +metricsServer: + BindAddress: '0.0.0.0:44180' +{{- if .Values.alphaConfig.metricsConfigData }} +{{- toYaml .Values.alphaConfig.metricsConfigData | nindent 2 }} +{{- end }} +{{- end }} +{{- if .Values.alphaConfig.configData }} +{{- toYaml .Values.alphaConfig.configData | nindent 0 }} +{{- end }} +{{- if .Values.alphaConfig.configFile }} +{{- tpl .Values.alphaConfig.configFile $ | nindent 0 }} +{{- end }} +{{- end -}} + +{{- define "oauth2-proxy.secrets" -}} +cookie-secret: {{ tpl .Values.config.cookieSecret $ | b64enc | quote }} +client-secret: {{ tpl .Values.config.clientSecret $ | b64enc | quote }} +client-id: {{ tpl .Values.config.clientID $ | b64enc | quote }} {{- end -}} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_ingress.tpl b/kubernetes/authentication/components/oauth2-proxy/templates/_ingress.tpl index f4a3cad0e4..f4a3cad0e4 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_ingress.tpl 
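Review bot: The new `kubectl.version` helper, and the `initContainers.waitForRedis.kubectlVersion` value it reads, has no consumer in this commit: the init container in deployment.yaml builds its image reference from `.Values.initContainers.waitForRedis.image.tag`, so the default the README documents for `kubectlVersion` has no effect as far as the visible hunks show. Either use the helper there, `image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.initContainers.waitForRedis.image.repository }}:{{ include "kubectl.version" . }}"`, or drop the helper and document `image.tag` instead. In `oauth2-proxy.alpha-config` the `metricsServer` bind address is fixed at `'0.0.0.0:44180'` while the README lists `metrics.port` as configurable; if that value is meant to apply in alpha-config mode, the address should be derived from it. `oauth2-proxy.version` no longer strips or lower-cases a `v` prefix, so whatever is given as `image.tag` now renders verbatim; a line in the comment above the define, `Returns image.tag verbatim (no v-prefix normalisation); defaults to v<appVersion>`, would make that contract explicit.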
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/_ingress.tpl diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml index cf4e77eaaa..d9f9cffef7 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml @@ -11,6 +11,7 @@ metadata: {{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }}-accesslist + namespace: {{ template "oauth2-proxy.namespace" $ }} data: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | quote }} {{- end }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/configmap-wait-for-redis.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-wait-for-redis.yaml new file mode 100644 index 0000000000..721048d786 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-wait-for-redis.yaml @@ -0,0 +1,13 @@ +{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis + namespace: {{ template "oauth2-proxy.namespace" $ }} +data: + check-redis.sh: | +{{ .Files.Get "scripts/check-redis.sh" | indent 4 }} +{{- end }} 
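Review bot: In configmap-wait-for-redis.yaml, `.Files.Get "scripts/check-redis.sh"` returns an empty string when the file is missing or excluded by .helmignore, and the ConfigMap then ships an empty script that the init container runs successfully, turning the wait into a silent no-op. Failing the render is safer: `{{ required "scripts/check-redis.sh is missing from the chart" (.Files.Get "scripts/check-redis.sh") | indent 4 }}`. The `| ` block scalar also keeps the script's trailing newline, which is harmless here but `|-` is the more usual choice for embedded file contents.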
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml index 8a19ccb943..94d7806d2e 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml @@ -11,6 +11,7 @@ metadata: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} name: {{ template "oauth2-proxy.fullname" . }} + namespace: {{ template "oauth2-proxy.namespace" $ }} data: oauth2_proxy.cfg: {{ tpl .Values.config.configFile $ | quote }} {{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deployment.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml index 4523591231..1a626d1ab8 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deployment.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml @@ -9,10 +9,13 @@ metadata: {{ toYaml .Values.deploymentAnnotations | indent 8 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }} + namespace: {{ template "oauth2-proxy.namespace" $ }} spec: replicas: {{ .Values.replicaCount }} - {{- if .Values.revisionHistoryLimit }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- with .Values.strategy }} + strategy: + {{ toYaml . | nindent 4 }} {{- end }} selector: matchLabels: 
@@ -20,16 +23,18 @@ spec: template: metadata: annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/config: {{ tpl .Values.config.configFile $ | sha256sum }} {{- if .Values.alphaConfig.enabled }} - checksum/alpha-config: {{ include (print $.Template.BasePath "/configmap-alpha.yaml") . | sha256sum }} + checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }} {{- end }} + {{- if .Values.authenticatedEmailsFile.enabled }} checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- end }} + checksum/secret: {{ include "oauth2-proxy.secrets" . | sha256sum }} checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }} checksum/redis-secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }} {{- if .Values.htpasswdFile.enabled }} - checksum/htpasswd: {{ include (print $.Template.BasePath "/secret-htpasswd-file.yaml") . | sha256sum }} + checksum/htpasswd: {{ toYaml .Values.htpasswdFile.entries | sha256sum }} {{- end }} {{- if .Values.podAnnotations }} {{ toYaml .Values.podAnnotations | indent 8 }} 
@@ -49,17 +54,53 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }} - automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }} - {{- if .Values.hostAlias.enabled }} + automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} + {{- if .Values.hostAliases }} hostAliases: - - ip: {{ .Values.hostAlias.ip }} - hostnames: - - {{ .Values.hostAlias.hostname }} + {{ toYaml .Values.hostAliases | nindent 8}} + {{- end }} + {{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} + initContainers: + - name: wait-for-redis + #image: "{{ .Values.initContainers.waitForRedis.image.repository }}:{{ .Values.initContainers.waitForRedis.image.tag }}" + image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.initContainers.waitForRedis.image.repository }}:{{ .Values.initContainers.waitForRedis.image.tag }}" + imagePullPolicy: {{ .Values.initContainers.waitForRedis.image.pullPolicy }} + command: ["/bin/sh", "-c", "/scripts/check-redis.sh"] + env: + - name: TOTAL_RETRY_TIME + value: "{{ .Values.initContainers.waitForRedis.timeout }}" + {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }} + - name: OAUTH2_PROXY_REDIS_CONNECTION_URL + value: {{ include "oauth2-proxy.redis.StandaloneUrl" . 
}} + {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }} + - name: OAUTH2_PROXY_REDIS_USE_CLUSTER + value: "true" + - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS + value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }} + {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }} + - name: OAUTH2_PROXY_REDIS_USE_SENTINEL + value: "true" + - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS + value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }} + {{- end }} + {{- if .Values.initContainers.waitForRedis.securityContext.enabled }} + {{- $securityContext := unset .Values.initContainers.waitForRedis.securityContext "enabled" }} + securityContext: + {{- toYaml $securityContext | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.initContainers.waitForRedis.resources | nindent 10 }} + volumeMounts: + - name: redis-script + mountPath: /scripts + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} {{- end }} containers: - name: {{ .Chart.Name }} - image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:v{{ include "oauth2-proxy.version" . }}" - #image: "{{ .Values.image.repository }}:v{{ include "oauth2-proxy.version" . }}" + image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" + #image: "{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" imagePullPolicy: {{ .Values.image.pullPolicy }} args: {{- if .Values.alphaConfig.enabled }} @@ -76,7 +117,7 @@ spec: {{- end }} {{- if kindIs "map" .Values.extraArgs }} {{- range $key, $value := .Values.extraArgs }} - {{- if $value }} + {{- if not (kindIs "invalid" $value) }} - --{{ $key }}={{ tpl ($value | toString) $ }} {{- else }} - --{{ $key }} 
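Review bot: `{{- $securityContext := unset .Values.initContainers.waitForRedis.securityContext "enabled" }}` mutates the values map in place rather than copying it, so any template evaluated after this point sees `securityContext.enabled` as missing; `omit` returns a copy with the key removed and is the safer form, `{{- $securityContext := omit .Values.initContainers.waitForRedis.securityContext "enabled" }}`. The connection-URL env values are rendered as plain scalars (`value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }}` and the standalone and sentinel equivalents); env values must be strings, and an unquoted value that starts with an indicator or contains `: ` or ` #` breaks the manifest, so pipe each through `| quote`. The `#image:` line kept above the init container's real `image:` is a YAML comment, not a template comment, so its actions are still evaluated and the line is emitted into every rendered manifest; a `{{/* ... */}}` comment or removing it is cleaner.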
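Review bot: Changing the guard from `{{- if $value }}` to `{{- if not (kindIs "invalid" $value) }}` alters what renders for falsy values: `extraArgs: {foo: false}`, `{foo: ""}` and `{foo: 0}` previously produced the bare `--foo` and now produce `--foo=false`, `--foo=` and `--foo=0`, with only a null or omitted value yielding the bare flag. That is probably the intent (boolean flags set explicitly to false), but it is a behaviour change for existing values files and the README hunks do not mention it; a comment above the range such as `{{/* nil renders a bare --flag; any other value, including false or "", renders --flag=value */}}` would make it explicit. The enclosing `range` starts outside the hunk.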
@@ -119,6 +160,10 @@ spec: {{- if .Values.htpasswdFile.enabled }} - --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt {{- end }} +{{- if .Values.lifecycle }} + lifecycle: +{{ toYaml .Values.lifecycle | indent 10 }} +{{- end }} env: {{- if .Values.proxyVarsAsSecrets }} - name: OAUTH2_PROXY_CLIENT_ID @@ -184,6 +229,10 @@ spec: {{- if .Values.extraEnv }} {{ tpl (toYaml .Values.extraEnv) . | indent 8 }} {{- end }} + {{- if .Values.envFrom }} + envFrom: +{{ tpl (toYaml .Values.envFrom) . | indent 8 }} + {{- end }} ports: {{- if .Values.containerPort }} - containerPort: {{ .Values.containerPort }} @@ -292,7 +341,12 @@ spec: secretName: {{ template "oauth2-proxy.fullname" . }}-accesslist {{- end }} {{- end }} - +{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} + - name: redis-script + configMap: + name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis + defaultMode: 0775 +{{- end }} {{- if or .Values.config.existingConfig .Values.config.configFile }} - configMap: defaultMode: 420 @@ -300,10 +354,17 @@ spec: name: configmain {{- end }} {{- if .Values.alphaConfig.enabled }} +{{- if .Values.alphaConfig.existingConfig }} - configMap: defaultMode: 420 - name: {{ if .Values.alphaConfig.existingConfig }}{{ .Values.alphaConfig.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }} + name: {{ .Values.alphaConfig.existingConfig }} name: configalpha +{{- else }} + - secret: + defaultMode: 420 + secretName: {{ if .Values.alphaConfig.existingSecret }}{{ .Values.alphaConfig.existingSecret }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }} + name: configalpha +{{- end }} {{- end }} {{- if ne (len .Values.extraVolumes) 0 }} {{ toYaml .Values.extraVolumes | indent 6 }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deprecation.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/deprecation.yaml index 126d3e7a18..126d3e7a18 100644 
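Review bot: `defaultMode: 0775` on the `redis-script` ConfigMap volume grants more than the init container needs: the script is only read and executed, so `defaultMode: 0555` (`365` in the decimal form the neighbouring `defaultMode: 420` entries use) is the least-privilege setting and keeps the notation consistent within the volumes list. The write bits are moot on a ConfigMap volume in practice, but they read as intent and are what policy tooling will flag. Moving the alpha config from a ConfigMap to a Secret by default is sound, since `alphaConfig.configData` can carry provider credentials, and the `existingConfig`/`existingSecret` split here matches secret-alpha.yaml.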
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deprecation.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/deprecation.yaml diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/extra-manifests.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/extra-manifests.yaml index a9bb3b6ba8..a9bb3b6ba8 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/extra-manifests.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/extra-manifests.yaml diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/google-secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/google-secret.yaml index 5703273d93..30a9ae1bb6 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/google-secret.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/google-secret.yaml @@ -6,6 +6,7 @@ metadata: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} name: {{ template "oauth2-proxy.fullname" . }}-google + namespace: {{ template "oauth2-proxy.namespace" $ }} type: Opaque data: service-account.json: {{ .Values.config.google.serviceAccountJson | b64enc | quote }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/ingress.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml index 73fd758d16..5323820487 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/ingress.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml 
@@ -9,8 +9,12 @@ kind: Ingress metadata: labels: app: {{ template "oauth2-proxy.name" . }} -{{- include "oauth2-proxy.labels" . | indent 4 }} + {{- include "oauth2-proxy.labels" . | indent 4 }} +{{- if .Values.ingress.labels }} +{{ toYaml .Values.ingress.labels | indent 4 }} +{{- end }} name: {{ template "oauth2-proxy.fullname" . }} + namespace: {{ template "oauth2-proxy.namespace" $ }} {{- with .Values.ingress.annotations }} annotations: {{ toYaml . | indent 4 }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/poddisruptionbudget.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/poddisruptionbudget.yaml index 7cdbbbeabb..1fc8ecc005 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/poddisruptionbudget.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/poddisruptionbudget.yaml @@ -6,6 +6,7 @@ metadata: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} name: {{ template "oauth2-proxy.fullname" . }} + namespace: {{ template "oauth2-proxy.namespace" $ }} spec: selector: matchLabels: diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/redis-secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/redis-secret.yaml index 7a1555d8b3..202e9243e3 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/redis-secret.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/redis-secret.yaml @@ -10,6 +10,7 @@ metadata: app: {{ $name }} {{- $labels | indent 4 }} name: {{ $fullName }}-redis-access + namespace: {{ template "oauth2-proxy.namespace" $ }} type: Opaque data: {{- if and .redis.password (not .redis.existingSecret) }} 
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml new file mode 100644 index 0000000000..15bb89338e --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml @@ -0,0 +1,20 @@ +{{- + if and + .Values.alphaConfig.enabled + (not .Values.alphaConfig.existingConfig) + (not .Values.alphaConfig.existingSecret) +}} +apiVersion: v1 +kind: Secret +metadata: +{{- if .Values.alphaConfig.annotations }} + annotations: {{- toYaml .Values.alphaConfig.annotations | nindent 4 }} +{{- end }} + labels: + app: {{ template "oauth2-proxy.name" . }} + {{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }}-alpha + namespace: {{ template "oauth2-proxy.namespace" $ }} +data: + oauth2_proxy.yml: {{ include "oauth2-proxy.alpha-config" . | b64enc | quote }} +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml index ce79db1dce..95f85a8006 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml @@ -12,6 +12,7 @@ metadata: {{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }}-accesslist + namespace: {{ template "oauth2-proxy.namespace" $ }} data: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | b64enc }} {{- end }} 
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-htpasswd-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-htpasswd-file.yaml index 44fe67e96a..c5ea330ff7 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-htpasswd-file.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-htpasswd-file.yaml @@ -6,10 +6,11 @@ metadata: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file + namespace: {{ template "oauth2-proxy.namespace" $ }} type: Opaque stringData: users.txt: |- {{- range $entries := .Values.htpasswdFile.entries }} {{ $entries }} {{- end -}} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml index c9b3791f89..f3364e95a9 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml @@ -10,9 +10,8 @@ metadata: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} name: {{ template "oauth2-proxy.fullname" . }} + namespace: {{ template "oauth2-proxy.namespace" $ }} type: Opaque data: - cookie-secret: {{ tpl .Values.config.cookieSecret $ | b64enc | quote }} - client-secret: {{ tpl .Values.config.clientSecret $ | b64enc | quote }} - client-id: {{ tpl .Values.config.clientID $ | b64enc | quote }} +{{- include "oauth2-proxy.secrets" . | nindent 2 }} {{- end -}} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/service.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml index d9563ac283..d16120ee91 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/service.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml @@ -5,6 +5,7 @@ metadata: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} name: {{ template "oauth2-proxy.fullname" . }} + namespace: {{ template "oauth2-proxy.namespace" $ }} {{- if .Values.service.annotations }} annotations: {{ toYaml .Values.service.annotations | indent 4 }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml new file mode 100644 index 0000000000..2a89c4b9e3 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml 
@@ -0,0 +1,60 @@ +{{- if or .Values.serviceAccount.enabled -}} +{{- $fullName := include "oauth2-proxy.fullname" . -}} +{{- $saName := include "oauth2-proxy.serviceAccountName" . -}} +{{- $name := include "oauth2-proxy.name" . -}} +{{- $namespace := include "oauth2-proxy.namespace" $ -}} +{{- $labels := include "oauth2-proxy.labels" . -}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ $name }} +{{- $labels | indent 4 }} + name: {{ $saName }} + namespace: {{ $namespace }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $fullName }}-watch-redis + namespace: {{ $namespace }} + labels: + app: {{ $name }} + {{- $labels | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + resourceNames: + - "{{ include "oauth2-proxy.redis.fullname" . }}-master-0" + verbs: + - get + - list + - watch +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $saName }}-watch-redis + namespace: {{ $namespace }} + labels: + app: {{ $name }} + {{- $labels | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ $saName }} + apiGroup: "" +roleRef: + kind: Role + name: {{ $fullName }}-watch-redis + apiGroup: "" +{{- end -}} +{{- end -}} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml new file mode 100644 index 0000000000..3802666be0 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml 
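Review bot: The RoleBinding's ServiceAccount subject has no `namespace`, which the API server's RBAC validation requires for `kind: ServiceAccount` subjects, so the binding is likely to be rejected; add `namespace: {{ $namespace }}` under `name: {{ $saName }}`. Beyond that, the Role grants get/list/watch on the redis master pod, but the check-redis.sh added in this commit probes Redis with `nc` and never calls kubectl, so as far as the visible files show the grant is unused and should be dropped, or gated on a value that actually selects a kubectl-based wait, to keep the service account at least privilege. `resourceNames` constrains `list` and `watch` only when the request carries a `metadata.name` field selector, so the scoping to `-master-0` is weaker than it looks. `{{- if or .Values.serviceAccount.enabled -}}` is a single-operand `or` and reads as `{{- if .Values.serviceAccount.enabled -}}`.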
@@ -0,0 +1,57 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + {{- with .Values.metrics.serviceMonitor.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ template "oauth2-proxy.fullname" . }} +{{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} +{{- else }} + namespace: {{ template "oauth2-proxy.namespace" $ }} +{{- end }} + labels: + prometheus: {{ .Values.metrics.serviceMonitor.prometheusInstance }} + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} +{{- if .Values.metrics.serviceMonitor.labels }} +{{ toYaml .Values.metrics.serviceMonitor.labels | indent 4}} +{{- end }} +spec: + jobLabel: {{ template "oauth2-proxy.fullname" . }} + selector: + matchLabels: + {{- include "oauth2-proxy.selectorLabels" . | indent 6 }} + namespaceSelector: + matchNames: + - {{ template "oauth2-proxy.namespace" $ }} + endpoints: + - port: metrics + path: "/metrics" + {{- with .Values.metrics.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.scheme }} + scheme: {{ . }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.bearerTokenFile }} + bearerTokenFile: {{ . }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml .| nindent 6 }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} 
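Review bot: `bearerTokenFile` on the ServiceMonitor endpoint is a deprecated field in current Prometheus Operator releases (superseded by `authorization`), so a new template should not make it the only way to pass scrape credentials; add `{{- with .Values.metrics.serviceMonitor.authorization }}authorization: {{ toYaml . | nindent 6 }}{{- end }}` beside it and mark `bearerTokenFile` as deprecated in values.yaml. Since `scheme` and `tlsConfig` default to empty, the endpoint is scraped over plain HTTP unless the operator opts in; that is reasonable inside a mesh but deserves one sentence in the values comment so it is a conscious choice.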
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/values.yaml b/kubernetes/authentication/components/oauth2-proxy/values.yaml index 8f81e15d03..f49cb638fa 100644 --- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/values.yaml @@ -1,5 +1,17 @@ global: quayRepository: quay.io + dockerHubRepository: docker.io + # Additions for Redis **************************** + # If dockerHubRepository is changes the following entry needs + # to be changed as well + imageRegistry: docker.io + imagePullSecrets: + - '{{ include "common.names.namespace" . }}-docker-registry-key' + # ************************************************* + +## Override the deployment namespace +## +namespaceOverride: "" # Force the target Kubernetes version (it uses Helm `.Capabilities` if not set). # This is especially useful for `helm template` as capabilities are always empty @@ -57,8 +69,13 @@ alphaConfig: metricsConfigData: {} # Arbitrary configuration data to append configData: {} - # Use an existing config map (see configmap-alpha.yaml for required fields) + # Arbitrary configuration to append + # This is treated as a Go template and rendered with the root context + configFile: "" + # Use an existing config map (see secret-alpha.yaml for required fields) existingConfig: ~ + # Use an existing secret + existingSecret: ~ image: #repository: "quay.io/oauth2-proxy/oauth2-proxy" 
@@ -81,6 +98,19 @@ image: extraArgs: {} extraEnv: [] +envFrom: [] +# Load environment variables from a ConfigMap(s) and/or Secret(s) +# that already exists (created and managed by you). +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables +# +# PS: Changes in these ConfigMaps or Secrets will not be automatically +# detected and you must manually restart the relevant Pods after changes. +# +# - configMapRef: +# name: special-config +# - secretRef: +# name: special-config-secret + # -- Custom labels to add into metadata customLabels: {} @@ -153,6 +183,7 @@ ingress: # name: ssl-redirect # port: # name: use-annotation + labels: {} # annotations: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" @@ -164,11 +195,11 @@ ingress: resources: {} # limits: - # cpu: "100m" - # memory: "300Mi" + # cpu: 100m + # memory: 300Mi # requests: - # cpu: "100m" - # memory: "300Mi" + # cpu: 100m + # memory: 300Mi extraVolumes: [] # - name: ca-bundle-cert @@ -186,11 +217,15 @@ extraContainers: [] priorityClassName: "" -# Host aliases, useful when working "on premise" where (public) DNS resolver does not know about my hosts. -hostAlias: - enabled: false - # ip: "10.xxx.xxx.xxx" - # hostname: "auth.example.com" +# hostAliases is a list of aliases to be added to /etc/hosts for network name resolution +hostAliases: [] +# - ip: "10.xxx.xxx.xxx" +# hostnames: +# - "auth.example.com" +# - ip: 127.0.0.1 +# hostnames: +# - chart-example.local +# - example.local # [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration. # Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling 
@@ -229,16 +264,24 @@ readinessProbe: # Configure Kubernetes security context for container # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: - enabled: false + enabled: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true runAsNonRoot: true - # allowPrivilegeEscalation: false - # runAsUser: 2000 + runAsUser: 2000 + runAsGroup: 2000 + seccompProfile: + type: RuntimeDefault deploymentAnnotations: {} podAnnotations: {} podLabels: {} replicaCount: 1 revisionHistoryLimit: 10 +strategy: {} ## PodDisruptionBudget settings ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ @@ -253,12 +296,47 @@ podSecurityContext: {} # whether to use http or https httpScheme: http +initContainers: + # if the redis sub-chart is enabled, wait for it to be ready + # before starting the proxy + # creates a role binding to get, list, watch, the redis master pod + # if service account is enabled + waitForRedis: + enabled: true + image: + repository: "alpine" + tag: "latest" + pullPolicy: "IfNotPresent" + # uses the kubernetes version of the cluster + # the chart is deployed on, if not set + kubectlVersion: "" + securityContext: + enabled: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + seccompProfile: + type: RuntimeDefault + timeout: 180 + resources: {} + # limits: + # cpu: 100m + # memory: 300Mi + # requests: + # cpu: 100m + # memory: 300Mi + # Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption. # Alternatively supply an existing secret which contains the required information. htpasswdFile: enabled: false existingSecret: "" - entries: {} + entries: [] # One row for each user # example: # entries: 
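Review bot: The `waitForRedis` init image is `alpine` with `tag: "latest"` and `pullPolicy: "IfNotPresent"`, a mutable tag: each node runs whatever `latest` it happens to have cached, and a registry-side change silently swaps the image that, given the Role created for it, holds a service-account token. Pin a specific tag and preferably a digest, e.g. `tag: "3.20"` plus a `digest: ""` value rendered as `@sha256:…` when set, and keep it behind `global.dockerHubRepository` as the comment above the Redis block already warns. The comment also says the kubectl version is taken from the cluster when `kubectlVersion` is empty — if that implies fetching a kubectl binary at start-up, the welcome `readOnlyRootFilesystem: true` needs a writable `emptyDir` mount for it; worth confirming against the job template, which is outside this hunk.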
@@ -302,13 +380,18 @@ redis: # Redis specific helm chart settings, please see: # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters # redisPort: 6379 - # cluster: - # enabled: false - # slaveCount: 1 + # architecture: standalone # Enables apiVersion deprecation checks checkDeprecation: true +# Allows graceful shutdown +# terminationGracePeriodSeconds: 65 +# lifecycle: +# preStop: +# exec: +# command: [ "sh", "-c", "sleep 60" ] + metrics: # Enable Prometheus metrics endpoint enabled: true @@ -319,7 +402,7 @@ metrics: # Protocol set on the service for the metrics port service: appProtocol: http - servicemonitor: + serviceMonitor: # Enable Prometheus Operator ServiceMonitor enabled: false # Define the namespace where to deploy the ServiceMonitor resource 
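Review bot: Renaming `metrics.servicemonitor` to `metrics.serviceMonitor` is a silent breaking change for existing values overrides: the template now reads `.Values.metrics.serviceMonitor.enabled`, so a file still using the lowercase key is ignored and the ServiceMonitor quietly stops being rendered. Either keep a compatibility shim in the template (`{{- $sm := default .Values.metrics.servicemonitor .Values.metrics.serviceMonitor }}`) or fail loudly with `{{- if .Values.metrics.servicemonitor }}{{ fail "metrics.servicemonitor was renamed to metrics.serviceMonitor" }}{{- end }}`, and record the rename in the chart README. The `redis` comment rewrite is fine, but `# architecture: standalone` should state that `waitForRedis` assumes the `-master-0` pod name that architecture produces.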
@@ -333,6 +416,37 @@ metrics: # Add custom labels to the ServiceMonitor resource labels: {} + ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. + scheme: "" + + ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS. + ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig + tlsConfig: {} + + ## bearerTokenFile: Path to bearer token file. + bearerTokenFile: "" + + ## Used to pass annotations that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + annotations: {} + + ## Metric relabel configs to apply to samples before ingestion. + ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + ## Relabel configs to apply to samples before ingestion. + ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + # Extra K8s manifests to deploy extraObjects: [] # - apiVersion: secrets-store.csi.x-k8s.io/v1 diff --git a/kubernetes/authentication/resources/oauth2_proxy.cfg b/kubernetes/authentication/resources/oauth2_proxy.cfg new file mode 100644 index 0000000000..60aaad4b52 --- /dev/null +++ b/kubernetes/authentication/resources/oauth2_proxy.cfg 
@@ -0,0 +1,38 @@ +provider = "oidc" +provider_display_name = "ONAPKeycloakID" +client_id = "{{ index .Values "onap-oauth2-proxy" "config" "clientId" }}" +client_secret = "{{ index .Values "onap-oauth2-proxy" "config" "clientSecret" }}" +oidc_issuer_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap' +oidc_jwks_url = 'http://{{ include "common.namespace" . }}-authentication-keycloakx-http.{{ include "common.namespace" . }}/realms/onap/protocol/openid-connect/certs' +profile_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap/protocol/openid-connect/userinfo' +validate_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap/protocol/openid-connect/userinfo' +redeem_url = 'http://{{ include "common.namespace" . }}-authentication-keycloakx-http.{{ include "common.namespace" . }}/realms/onap/protocol/openid-connect/token' +scope = "openid email profile groups onap_roles" +skip_oidc_discovery = true +cookie_secure = false +cookie_secret = "{{ index .Values "onap-oauth2-proxy" "config" "cookieSecret" }}" +email_domains = [ "*" ] +auth_logging = true +request_logging = true +standard_logging = true +show_debug_on_error = true +cookie_domains = ".{{ .Values.global.ingress.virtualhost.baseurl }}" +cookie_samesite = "lax" +whitelist_domains = ".{{ .Values.global.ingress.virtualhost.baseurl }}" +login_url = 'https://{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" "keycloak-ui") }}/realms/onap/protocol/openid-connect/auth' +pass_access_token = true +pass_authorization_header = true +pass_host_header = true +pass_user_headers = true +http_address = "0.0.0.0:4180" +oidc_email_claim = "email" +oidc_groups_claim = "groups" +insecure_oidc_skip_issuer_verification = true +insecure_oidc_allow_unverified_email = true +silence_ping_logging = true +upstreams = "static://200" +set_xauthrequest = true +set_authorization_header = true +skip_provider_button = true +skip_jwt_bearer_tokens = true +cookie_expire = "30m" diff --git a/kubernetes/authentication/templates/_utils.tpl b/kubernetes/authentication/templates/_utils.tpl new file mode 100644 index 0000000000..0cdcd7955a --- /dev/null +++ b/kubernetes/authentication/templates/_utils.tpl 
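Review bot: `cookie_secure = false` in a config that also sets `cookie_domains = ".<baseurl>"` and `pass_access_token = true` means the session cookie carrying the access token is scoped to every subdomain and may be sent over plaintext HTTP; every login and issuer URL here is `https://`, so this should be `cookie_secure = true`. `insecure_oidc_skip_issuer_verification = true` switches off the `iss` check on ID tokens; it looks necessary only because tokens are redeemed via the internal `http://…-keycloakx-http` URL while `oidc_issuer_url` is the public host, which Keycloak's realm `frontendUrl` attribute exists to reconcile — fix that on the realm side and set the flag back to `false` rather than disabling issuer verification for every token. `email_domains = [ "*" ]` together with `insecure_oidc_allow_unverified_email = true` admits any account the realm can authenticate, leaving the per-role Istio policies as the only authorization layer; a comment stating that intent here would prevent it being read as an oversight. `show_debug_on_error = true` and `skip_jwt_bearer_tokens = true` both widen exposure (internal details on error pages; bearer tokens accepted on every route) and should default to `false` outside development.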
@@ -0,0 +1,813 @@ +{{/* +# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* +Renders a value that contains template. +Usage: +{{ include "auth.realm" ( dict "dot" . "realm" .Values.path.to.realm) }} +*/}} +{{- define "auth.realm" -}} +{{- $dot := default . .dot -}} +{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}} +realm: {{ $realm.name }} +{{ if $realm.displayName }}displayName: {{ $realm.displayName }}{{ end }} +id: {{ $realm.name }} +accessTokenLifespan: 1900 +registrationAllowed: false +resetPasswordAllowed: true +enabled: true +{{ if $realm.themes }} +{{ if $realm.themes.login }}loginTheme: {{ $realm.themes.login }}{{ end }} +{{ if $realm.themes.admin }}adminTheme: {{ $realm.themes.admin }}{{ end }} +{{ if $realm.themes.account }}accountTheme: {{ $realm.themes.account }}{{ end }} +{{ if $realm.themes.email }}emailTheme: {{ $realm.themes.email }}{{ end }} +{{- end }} +{{- if $realm.accessControl }} +{{ include "auth._roles" $realm }} +{{- end }} +{{ include "auth._clients" (dict "dot" $dot "realm" $realm) }} +{{ include "auth._clientScopes" $realm }} +{{ include "auth._defaultClientScopes" $realm }} +{{ include "auth._groups" $realm }} +{{ include "auth._users" $realm }} +{{ include "auth._identity" $realm }} +{{ include "auth._identityMapper" $realm }} +{{ include "auth._attributes" (dict "dot" $dot "realm" $realm) }} +{{- end -}} + 
+{{/* +Renders the roles section in a realm. +Usage: +{{ include "auth._roles" ( dict "dot" .Values) }} +*/}} +{{- define "auth._roles" -}} +{{- $realm := default . .dot -}} +roles: + realm: + {{- range $index, $role := $realm.accessControl.assignableRoles }} + - name: "{{ $role.name }}" + description: "{{ $role.description }}" + {{- if $role.associatedAccessRoles }} + composite: true + composites: + client: + {{- range $key, $accessRole := $realm.accessControl.accessRoles }} + {{ $client := index $realm.clients $key -}} + {{ $client.clientId }}: + {{- range $index2, $associatedRole := $role.associatedAccessRoles }} + - {{ $associatedRole }} + {{- end }} + {{- end }} + {{- else }} + composite: false + {{- end }} + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + {{- end }} + - name: "user" + composite: false + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + - name: "admin" + composite: false + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + - name: "offline_access" + description: "${role_offline-access}" + composite: false + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + - name: "uma_authorization" + description: "${role_uma_authorization}" + composite: false + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + - name: "default-roles-{{ $realm.name }}" + description: "${role_default-roles}" + composite: true + composites: + realm: + - "offline_access" + - "uma_authorization" + client: + account: + - "view-profile" + - "manage-account" + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + {{- if $realm.accessControl.accessRoles }} + client: + {{- range $key, $accessRole := $realm.accessControl.accessRoles }} + {{ $client := index $realm.clients $key -}} + {{ $client.clientId }}: + {{- range $index, $role := get $realm.accessControl.accessRoles $key }} + - name: "{{ $role.name }}" + description: "Allows to perform {{ 
$role.methodsAllowed }} operations for {{ $role.name }} component" + composite: false + clientRole: false + containerId: "{{ $client.clientId }}" + attributes: {} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{/* +Renders the clients section in a realm. +Usage: +{{ include "auth._clients" ( dict "dot" . "realm" $realm ) }} +*/}} +{{- define "auth._clients" -}} +{{- $dot := default . .dot -}} +{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}} +clients: + {{- range $index, $client := $realm.clients }} + - clientId: "{{ $client.clientId }}" + name: "{{ $client.name }}" + description: "{{ default "" $client.description }}" + {{- if $client.rootUrl }} + rootUrl: {{ tpl $client.rootUrl $dot }} + {{- else }} + rootUrl: "" + {{- end }} + {{- if $client.adminUrl }} + adminUrl: {{ tpl $client.adminUrl $dot }} + {{- else }} + adminUrl: "" + {{- end }} + {{- if $client.baseUrl }} + baseUrl: {{ tpl $client.baseUrl $dot }} + {{- else }} + baseUrl: "" + {{- end }} + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: "client-secret" + secret: "{{ default "" $client.secret }}" + redirectUris: + {{- if $client.redirectUris }} + {{- range $index2, $url := $client.redirectUris }} + - {{ tpl $url $dot }} + {{- end }} + {{- else }} + - "*" + {{- end }} + {{- if $client.webOrigins }} + webOrigins: + {{- range $index3, $web := $client.webOrigins }} + - {{ $web }} + {{- end }} + {{- else }} + webOrigins: [] + {{- end }} + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: true + serviceAccountsEnabled: false + publicClient: false + frontchannelLogout: true + protocol: "{{ $client.protocol }}" + attributes: + id.token.as.detached.signature: "false" + saml.assertion.signature: "false" + saml.force.post.binding: "false" + saml.multivalued.roles: "false" + saml.encrypt: "false" + 
saml.server.signature: "false" + saml.server.signature.keyinfo.ext: "false" + exclude.session.state.from.auth.response: "false" + saml.artifact.binding: "false" + saml_force_name_id_format: "false" + saml.client.signature: "false" + saml.authnstatement: "false" + saml.onetimeuse.condition: "false" + tls-client-certificate-bound-access-tokens: "false" + oidc.ciba.grant.enabled: "false" + backchannel.logout.session.required: "true" + client_credentials.use_refresh_token: "false" + acr.loa.map: "{}" + require.pushed.authorization.requests: "false" + oauth2.device.authorization.grant.enabled: "false" + display.on.consent.screen: "false" + backchannel.logout.revoke.offline.tokens: "false" + token.response.type.bearer.lower-case: "false" + use.refresh.tokens: "true" + {{- if $client.additionalAttributes }} + {{- range $key,$value := $client.additionalAttributes }} + {{ $key }}: {{ tpl $value $dot }} + {{- end }} + {{- end }} + authenticationFlowBindingOverrides: {} + fullScopeAllowed: true + nodeReRegistrationTimeout: -1 + protocolMappers: + {{- if $client.protocolMappers }} + {{- range $index2, $mapper := $client.protocolMappers }} + - name: {{ $mapper.name }} + protocol: "openid-connect" + protocolMapper: {{ $mapper.protocolMapper }} + consentRequired: false + config: + {{ toYaml $mapper.config | nindent 10 }} + {{- end }} + {{- end }} + defaultClientScopes: + - web-origins + - acr + - profile + - email + {{- if $client.additionalDefaultScopes }} + {{- range $index2, $scope := $client.additionalDefaultScopes }} + - {{ $scope }} + {{- end }} + {{- end }} + optionalClientScopes: + - address + - phone + - offline_access + - groups + - microprofile-jwt + {{- end }} +{{- end }} + +{{/* +Renders the defaulDefaultClientScopes section in a realm. +Usage: +{{ include "auth._defaultClientScopes" ( dict "dot" .Values) }} +*/}} +{{- define "auth._defaultClientScopes" -}} +{{- $dot := default . 
.dot -}} +{{- if $dot.defaultClientScopes }} +defaultDefaultClientScopes: + {{- range $index, $scope := $dot.defaultClientScopes }} + - {{ $scope }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Renders the clientScopes section in a realm. +Usage: +{{ include "auth._clientScopes" ( dict "dot" .Values) }} +*/}} +{{- define "auth._clientScopes" -}} +{{- $dot := default . .dot -}} +clientScopes: +{{- if $dot.additionalClientScopes }} +{{- range $index, $scope := $dot.additionalClientScopes }} +- name: {{ $scope.name }} + description: "{{ default "" $scope.description }}" + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + display.on.consent.screen: 'true' + gui.order: '' + consent.screen.text: "${rolesScopeConsentText}" + protocolMappers: + {{- if $scope.protocolMappers }} + {{- range $index2, $mapper := $scope.protocolMappers }} + - name: {{ $mapper.name }} + protocol: "openid-connect" + protocolMapper: {{ $mapper.protocolMapper }} + consentRequired: false + config: + {{ toYaml $mapper.config | nindent 8 }} + {{- end }} + {{- end }} + +{{- end }} +{{- end }} +- name: roles + description: OpenID Connect scope for add user roles to the access token + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + display.on.consent.screen: 'true' + consent.screen.text: "${rolesScopeConsentText}" + protocolMappers: + - name: audience resolve + protocol: openid-connect + protocolMapper: oidc-audience-resolve-mapper + consentRequired: false + config: {} + - name: realm roles + protocol: openid-connect + protocolMapper: oidc-usermodel-realm-role-mapper + consentRequired: false + config: + user.attribute: foo + access.token.claim: 'true' + claim.name: realm_access.roles + jsonType.label: String + multivalued: 'true' + - name: client roles + protocol: openid-connect + protocolMapper: oidc-usermodel-client-role-mapper + consentRequired: false + config: + user.attribute: foo + access.token.claim: 'true' + claim.name: 
resource_access.${client_id}.roles + jsonType.label: String + multivalued: 'true' +- name: groups + description: Membership to a group + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + gui.order: '' + consent.screen.text: '' + protocolMappers: + - name: groups + protocol: openid-connect + protocolMapper: oidc-group-membership-mapper + consentRequired: false + config: + full.path: 'false' + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: groups + userinfo.token.claim: 'true' +- name: acr + description: OpenID Connect scope for add acr (authentication context class reference) + to the token + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + display.on.consent.screen: 'false' + protocolMappers: + - name: acr loa level + protocol: openid-connect + protocolMapper: oidc-acr-mapper + consentRequired: false + config: + id.token.claim: 'true' + access.token.claim: 'true' +- name: profile + description: 'OpenID Connect built-in scope: profile' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + consent.screen.text: "${profileScopeConsentText}" + protocolMappers: + - name: profile + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: profile + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: profile + jsonType.label: String + - name: given name + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: firstName + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: given_name + jsonType.label: String + - name: website + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: 
website + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: website + jsonType.label: String + - name: zoneinfo + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: zoneinfo + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: zoneinfo + jsonType.label: String + - name: locale + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: locale + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: locale + jsonType.label: String + - name: gender + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: gender + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: gender + jsonType.label: String + - name: family name + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: lastName + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: family_name + jsonType.label: String + - name: username + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: username + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: preferred_username + jsonType.label: String + - name: middle name + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: middleName + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: middle_name + jsonType.label: String + - name: birthdate + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + 
userinfo.token.claim: 'true' + user.attribute: birthdate + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: birthdate + jsonType.label: String + - name: updated at + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: updatedAt + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: updated_at + jsonType.label: long + - name: full name + protocol: openid-connect + protocolMapper: oidc-full-name-mapper + consentRequired: false + config: + id.token.claim: 'true' + access.token.claim: 'true' + userinfo.token.claim: 'true' + - name: nickname + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: nickname + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: nickname + jsonType.label: String + - name: picture + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: picture + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: picture + jsonType.label: String +- name: address + description: 'OpenID Connect built-in scope: address' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + consent.screen.text: "${addressScopeConsentText}" + protocolMappers: + - name: address + protocol: openid-connect + protocolMapper: oidc-address-mapper + consentRequired: false + config: + user.attribute.formatted: formatted + user.attribute.country: country + user.attribute.postal_code: postal_code + userinfo.token.claim: 'true' + user.attribute.street: street + id.token.claim: 'true' + user.attribute.region: region + access.token.claim: 'true' + user.attribute.locality: locality +- name: web-origins + description: OpenID Connect scope for add allowed web origins to 
the access token + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + display.on.consent.screen: 'false' + consent.screen.text: '' + protocolMappers: + - name: allowed web origins + protocol: openid-connect + protocolMapper: oidc-allowed-origins-mapper + consentRequired: false + config: {} +- name: phone + description: 'OpenID Connect built-in scope: phone' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + consent.screen.text: "${phoneScopeConsentText}" + protocolMappers: + - name: phone number verified + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: phoneNumberVerified + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: phone_number_verified + jsonType.label: boolean + - name: phone number + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: phoneNumber + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: phone_number + jsonType.label: String +- name: offline_access + description: 'OpenID Connect built-in scope: offline_access' + protocol: openid-connect + attributes: + consent.screen.text: "${offlineAccessScopeConsentText}" + display.on.consent.screen: 'true' +- name: role_list + description: SAML role list + protocol: saml + attributes: + consent.screen.text: "${samlRoleListScopeConsentText}" + display.on.consent.screen: 'true' + protocolMappers: + - name: role list + protocol: saml + protocolMapper: saml-role-list-mapper + consentRequired: false + config: + single: 'false' + attribute.nameformat: Basic + attribute.name: Role +- name: microprofile-jwt + description: Microprofile - JWT built-in scope + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'false' + protocolMappers: + - 
name: upn + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: username + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: upn + jsonType.label: String + - name: groups + protocol: openid-connect + protocolMapper: oidc-usermodel-realm-role-mapper + consentRequired: false + config: + multivalued: 'true' + user.attribute: foo + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: groups + jsonType.label: String +- name: email + description: 'OpenID Connect built-in scope: email' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + consent.screen.text: "${emailScopeConsentText}" + protocolMappers: + - name: email + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: email + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: email + jsonType.label: String + - name: email verified + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: emailVerified + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: email_verified + jsonType.label: boolean +{{- end }} + +{{/* +Renders the groups section in a realm. +Usage: +{{ include "auth._groups" ( dict "dot" .Values) }} +*/}} +{{- define "auth._groups" -}} +{{- $dot := default . 
.dot -}} +{{- if $dot.groups }} +groups: +{{- range $index, $group := $dot.groups }} + - name: "{{ $group.name }}" + path: "{{ $group.path }}" + attributes: {} + {{- if $group.roles }} + realmRoles: + {{- range $index2, $groupRole := $group.roles }} + - "{{ $groupRole }}" + {{- end }} + {{- else }} + realmRoles: [] + {{- end }} + clientRoles: {} + subGroups: [] +{{- end }} +{{- else }} +groups: [] +{{- end }} +{{- end }} + +{{/* +Renders the users section in a realm. +Usage: +{{ include "auth._users" ( dict "dot" .Values) }} +*/}} +{{- define "auth._users" -}} +{{- $dot := default . .dot -}} +{{- if $dot.initialUsers }} +users: + {{- range $index, $user := $dot.initialUsers }} + - username: "{{ $user.username }}" + enabled: true + totp: false + email: "{{ default "" $user.email }}" + emailVerified: true + {{- if $user.attributes }} + attributes: + {{ toYaml $user.attributes | nindent 6 }} + {{- else }} + attributes: {} + {{- end }} + {{- if $user.password }} + credentials: + - type: "password" + temporary: false + value: "{{ $user.password }}" + {{- end }} + {{- if $user.credentials }} + credentials: + {{ toYaml $user.credentials | nindent 6 }} + {{- end }} + disableableCredentialTypes: [] + requiredActions: [] + {{- if $user.realmRoles }} + realmRoles: + {{- range $index2, $realmRole := $user.realmRoles }} + - "{{ $realmRole }}" + {{- end }} + {{- else }} + realmRoles: [ "default-roles-{{ $dot.name }}" ] + {{- end }} + {{- if $user.clientRoles }} + clientRoles: + {{ toYaml $user.clientRoles | nindent 6 }} + {{- end }} + notBefore: 0 + groups: {{ $user.groups | toJson }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Renders the identityProviders section in a realm. +Usage: +{{ include "auth._identity" ( dict "dot" .Values) }} +*/}} +{{- define "auth._identity" -}} +{{- $dot := default . 
.dot -}} +{{- if $dot.identityProviders }} +identityProviders: +{{- range $index, $provider := $dot.identityProviders }} + - alias: {{ $provider.name }} + displayName: {{ $provider.displayName }} + providerId: oidc + enabled: true + updateProfileFirstLoginMode: "on" + trustEmail: true + storeToken: true + addReadTokenRoleOnCreate: true + authenticateByDefault: false + linkOnly: false + firstBrokerLoginFlowAlias: "first broker login" + config: + {{ toYaml $provider.config | nindent 6 }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Renders the identityProviderMappers section in a realm. +Usage: +{{ include "auth._identityMapper" ( dict "dot" .Values) }} +*/}} +{{- define "auth._identityMapper" -}} +{{- $dot := default . .dot -}} +{{- if $dot.identityProviderMappers }} +identityProviderMappers: +{{- range $index, $mapper := $dot.identityProviderMappers }} + - name: {{ $mapper.name }} + identityProviderAlias: {{ $mapper.identityProviderAlias }} + identityProviderMapper: {{ $mapper.identityProviderMapper }} + config: + {{ toYaml $mapper.config | nindent 6 }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Renders the attributes section in a realm. +Usage: +{{ include "auth._attributes" ( dict "dot" . "realm" $realm ) }} +*/}} +{{- define "auth._attributes" -}} +{{- $dot := default . .dot -}} +{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}} +attributes: + frontentUrl: {{ tpl $realm.attributes.frontendUrl $dot }} + acr.loa.map: "{\"ABC\":\"5\"}" +{{- end }} diff --git a/kubernetes/authentication/templates/authorizationpolicy.yaml b/kubernetes/authentication/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..f4857bdbac --- /dev/null +++ b/kubernetes/authentication/templates/authorizationpolicy.yaml 
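Review bot: `auth._clients` falls back to `redirectUris: - "*"` when a client declares none, which registers a wildcard redirect URI in Keycloak and lets anyone who can start an authorization flow have the code delivered to a host of their choosing; a missing list should fail the render instead, e.g. `{{- range $index2, $url := (required (printf "redirectUris is required for client %s" $client.clientId) $client.redirectUris) }}`, and `directAccessGrantsEnabled: true` / `fullScopeAllowed: true` should default to `false` with a per-client opt-in, since the password grant exposes a credential-stuffing surface at the token endpoint for every client. In `auth._attributes` the key is misspelled `frontentUrl`; Keycloak reads `frontendUrl`, so the realm's public issuer is never pinned and token `iss` values follow whichever hostname the caller used — plausibly the reason `oauth2_proxy.cfg` needed `insecure_oidc_skip_issuer_verification`. `auth._users` renders `value: "{{ $user.password }}"` as a plaintext credential into the realm import, so if `initialUsers` comes from values.yaml the password lands in the release history; source it from a Secret and set `temporary: true` so the first login forces a change. `acr.loa.map: "{\"ABC\":\"5\"}"` is a hard-coded placeholder that should be templated from the realm or removed.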
@@ -0,0 +1,90 @@
+{{/*
+# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{- if .Values.ingressAuthentication.enabled }}
+---
+{{- $dot := . }}
+{{- range $index, $realm := .Values.realmSettings }}
+{{- range $key, $accessRole := $realm.accessControl.accessRoles }}
+{{- range $index, $role := get $realm.accessControl.accessRoles $key }}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $key }}-{{ $role.name }}-jwt
+ namespace: istio-ingress
+spec:
+ action: ALLOW
+ rules:
+ - to:
+ - operation:
+ hosts:
+ - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $role.servicePrefix) }}
+ methods:
+ {{- range $role.methodsAllowed }}
+ - {{ .
}}
+ {{- end }}
+ when:
+ - key: request.auth.claims[onap_roles]
+ values:
+ - {{ $role.name }}
+ selector:
+ matchLabels:
+ istio: ingress
+---
+{{- end }}
+{{- end }}
+{{- end }}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ .Release.Name }}-custom-action
+ namespace: istio-ingress
+spec:
+ action: CUSTOM
+ provider:
+ name: oauth2-proxy
+ rules:
+ - to:
+ - operation:
+ notHosts:
+ {{- if .Values.ingressAuthentication.exceptions }}
+ {{- range $index, $url := .Values.ingressAuthentication.exceptions }}
+ - {{ tpl $url $dot }}
+ {{- end }}
+ {{- end }}
+ selector:
+ matchLabels:
+ istio: ingress
+---
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ .Release.Name }}-allowed-exceptions
+ namespace: istio-ingress
+spec:
+ action: ALLOW
+ rules:
+ - to:
+ - operation:
+ hosts:
+ {{- if .Values.ingressAuthentication.exceptions }}
+ {{- range $index, $url := .Values.ingressAuthentication.exceptions }}
+ - {{ tpl $url $dot }}
+ {{- end }}
+ {{- end }}
+ selector:
+ matchLabels:
+ istio: ingress
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/authentication/templates/configmap.yaml b/kubernetes/authentication/templates/configmap.yaml
new file mode 100644
index 0000000000..f373754379
--- /dev/null
+++ b/kubernetes/authentication/templates/configmap.yaml
@@ -0,0 +1,23 @@
+{{/*
+# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: oauth2-onap-config
+ namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/oauth2_proxy.cfg").AsConfig . | indent 2 }}
diff --git a/kubernetes/authentication/templates/requestauthentication.yaml b/kubernetes/authentication/templates/requestauthentication.yaml
new file mode 100644
index 0000000000..036680d7cb
--- /dev/null
+++ b/kubernetes/authentication/templates/requestauthentication.yaml
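Review bot: The per-role policy name `{{ $key }}-{{ $role.name }}-jwt` takes `$key` from the `accessRoles` map, whose only key in the shipped values is `oauth2_proxy`; the underscore makes `oauth2_proxy-dmaap-bc-api-read-jwt` an invalid Kubernetes object name (DNS-1123 subdomain: lowercase alphanumerics, `-` and `.` only), so every generated AuthorizationPolicy would be rejected at apply time. Normalise it in the template, e.g. `name: {{ $key | replace "_" "-" }}-{{ $role.name }}-jwt`. When `ingressAuthentication.exceptions` is empty, `notHosts:` and `hosts:` in the two trailing policies render as null keys, and Istio — as far as I recall — rejects an `operation` with no fields, so the `{{- if .Values.ingressAuthentication.exceptions }}` guard should enclose the whole `- to:` entry rather than only the list items. Minor: the inner `range $index, $role := get $realm.accessControl.accessRoles $key` shadows the outer `$index` and re-fetches what `$accessRole` already holds; `range $role := $accessRole` is equivalent and clearer.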
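Review bot: The ConfigMap name `oauth2-onap-config` is hard-coded here and must match `onap-oauth2-proxy.config.existingConfig` in values.yaml, but nothing ties the two together. A comment above the `name:` line, `# must match onap-oauth2-proxy.config.existingConfig in values.yaml`, keeps the coupling visible to whoever renames either side; deriving the name from that value would remove the coupling altogether.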
@@ -0,0 +1,36 @@
+{{/*
+# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{- if .Values.ingressAuthentication.enabled }}
+---
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+ name: {{ .Release.Name }}-request-auth
+ namespace: istio-ingress
+spec:
+ selector:
+ matchLabels:
+ istio: ingress
+ jwtRules:
+ {{- $dot := . }}
+ {{- range $index, $realm := .Values.realmSettings }}
+ - issuer: "https://{{ include "ingress.config.host" (dict "dot" $dot "baseaddr" "keycloak-ui") }}/{{ $dot.Values.keycloak.relativePath }}realms/{{ $realm.name }}"
+ jwksUri: {{ $dot.Values.keycloak.intURL }}realms/{{ $realm.name }}/protocol/openid-connect/certs
+ {{- end }}
+ - issuer: "https://{{ include "ingress.config.host" (dict "dot" $dot "baseaddr" "keycloak-ui") }}/{{ .Values.keycloak.relativePath }}realms/master"
+ jwksUri: {{ .Values.keycloak.intURL }}realms/master/protocol/openid-connect/certs
+ forwardOriginalToken: true
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/platform/components/keycloak-init/templates/secret.yaml b/kubernetes/authentication/templates/secret.yaml
index 0d9b387dfa..1488be6969 100644
--- a/kubernetes/platform/components/keycloak-init/templates/secret.yaml
+++ b/kubernetes/authentication/templates/secret.yaml
@@ -9,9 +9,8 @@ metadata:
 chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 release: {{ include "common.release" . }}
 heritage: {{ .Release.Service }}
-{{- with .Files.Glob "resources/realms/*json" }}
 data:
-{{- range $path, $bytes := . }}
- {{ base $path }}: {{ tpl ($.Files.Get $path) $ | b64enc | quote }}
-{{- end }}
-{{- end }}
+{{- $dot := . }}
+{{- range $realm := .Values.realmSettings }}
+ {{ $realm.name }}: {{ include "auth.realm" (dict "dot" $dot "realm" $realm) | fromYaml | toPrettyJson | indent 2 | b64enc | quote }}
+{{- end -}}
diff --git a/kubernetes/authentication/values.yaml b/kubernetes/authentication/values.yaml
new file mode 100644
index 0000000000..94e9f7031c
--- /dev/null
+++ b/kubernetes/authentication/values.yaml
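Review bot: `apiVersion: security.istio.io/v1beta1` here differs from the `security.istio.io/v1` used by authorizationpolicy.yaml in the same chart; use one version for both (`v1` is what the sibling template already uses). The `jwksUri` values are plain scalars while `issuer` is quoted — quote them the same way, `jwksUri: "{{ $dot.Values.keycloak.intURL }}realms/{{ $realm.name }}/protocol/openid-connect/certs"`, so a templated value that happens to start with a YAML indicator cannot break the document. Listing the `master` realm as a trusted issuer means tokens minted for the Keycloak admin realm are accepted as authenticated at the ingress; as the authorizationpolicy template is written they still need a matching `onap_roles` claim to reach a non-exception host, but a one-line comment above that `- issuer:` entry stating why master-realm tokens are trusted would let the next reader judge whether that breadth is intended.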
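Review bot: `include "auth.realm" … | fromYaml` cannot fail the render — Helm's `fromYaml` turns a parse error into a map with a single `Error` key — so a malformed realm template would be serialised with `toPrettyJson`, base64-encoded into the Secret and handed to keycloak-config-cli as a realm import instead of stopping `helm template`. Check for it before encoding, e.g. `{{- $realmMap := include "auth.realm" (dict "dot" $dot "realm" $realm) | fromYaml }}{{- if hasKey $realmMap "Error" }}{{ fail (printf "realm %s: %s" $realm.name $realmMap.Error) }}{{- end }}` and then pipe `$realmMap | toPrettyJson` into the existing `indent 2 | b64enc | quote` chain. The data key also changed from `{{ base $path }}` (a `*.json` filename) to the bare realm name; if the config-cli import location still matches on a `.json` suffix the mounted file would be skipped, and `{{ $realm.name }}.json:` keeps the previous contract at no cost. The hunk starts mid-template; the preceding `metadata` lines are outside it.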
@@ -0,0 +1,585 @@ +# Copyright © 2024, Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global: + # Global ingress configuration + ingress: + enabled: false + virtualhost: + baseurl: "simpledemo.onap.org" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" + +keycloak: + intURL: "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/" + relativePath: "auth/" +ingressAuthentication: + enabled: false + exceptions: + - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}' + - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "portal-ui") }}' + - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "minio-console") }}' + - '{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" "uui-server") }}' + +onap-keycloak-config-cli: + image: + pullSecrets: + - name: onap-docker-registry-key + #existingSecret: "keycloak-keycloakx-admin-creds" + env: + # internal KC URL plus relative path + KEYCLOAK_URL: "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/" + KEYCLOAK_SSLVERIFY: "false" + KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true" + secrets: + KEYCLOAK_PASSWORD: secret + existingConfigSecret: "keycloak-config-cli-config-realms" + +onap-oauth2-proxy: + # Oauth client configuration specifics + config: + # Create a new secret with the following command + # openssl rand -base64 32 | head -c 32 | base64 + cookieSecret: "CbgXFXDJ16laaCfChtFBpKy1trNEmJZDIjaiaIMLyRA=" + clientID: &clientID "oauth2-proxy-onap" + # To be set in helmfile + clientSecret: &clientSecret "5YSOkJz99WHv8enDZPknzJuGqVSerELp" + # To be set in helmfile + cookieName: "onap-cookie" + # settings see https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/docs/configuration/overview.md + existingConfig: "oauth2-onap-config" + + # Configure the session storage type, between cookie and redis + sessionStorage: + # Can be one of the supported session storage cookie|redis + type: redis + redis: + # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) + existingSecret: "onap-authentication-redis" + # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence + password: "" + # Key of the Kubernetes secret data containing the redis password value + passwordKey: "redis-password" + # Can be one of standalone|cluster|sentinel + clientType: "sentinel" + standalone: + # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set + connectionUrl: "" + cluster: + # List of Redis cluster connection URLs (e.g. 
`["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) + connectionUrls: [] + sentinel: + # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` + existingSecret: "" + # Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` + password: "" + # Key of the Kubernetes secret data containing the redis sentinel password value + passwordKey: "redis-password" + # Redis sentinel master name + masterName: "mymaster" + # List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) + connectionUrls: "redis://onap-authentication-redis-node-0.onap-authentication-redis-headless.onap:26379,redis://onap-authentication-redis-node-1.onap-authentication-redis-headless.onap:26379,redis://onap-authentication-redis-node-2.onap-authentication-redis-headless.onap:26379" + + # Enables and configure the automatic deployment of the redis subchart + redis: + # provision an instance of the redis sub-chart + enabled: true + sentinel: + enabled: true + +serviceAccount: + nameOverride: keycloak-init + roles: + - read + +realmSettings: + - name: onap + displayName: "ONAP Realm" + attributes: + frontendUrl: 'https://{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" "keycloak-ui") }}/{{ .Values.keycloak.relativePath }}' + themes: + login: "base" + admin: "base" + account: "base" + email: "base" + groups: + - name: admins + path: /admins + roles: [ "platform-all-full" ] + - name: contributors + path: /contributors + roles: [ "platform-all-write" ] + - name: readers + path: /readers + roles: [ "platform-all-read" ] + initialUsers: + - username: "onap-admin" + credentials: + - type: password + secretData: "{\"value\":\"nD4K4x8HEgk6xlWIAgzZOE+EOjdbovJfEa7N3WXwIMCWCfdXpn7Riys7hZhI1NbKcc9QPI9j8LQB/JSuZVcXKA==\",\"salt\":\"T8X9A9tT2cyLvEjHFo+zuQ==\",\"additionalParameters\":{}}" + credentialData : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + attributes: + sdc_user: + - "cs0008" + realmRoles: + - default-roles-onap + - portal_admin + groups: [] + - username: "onap-designer" + credentials: [] + attributes: + sdc_user: + - "cs0008" + realmRoles: + - default-roles-onap + - portal_designer + groups: [] + - username: "onap-operator" + credentials: [] + attributes: + sdc_user: + - "cs0008" + realmRoles: + - default-roles-onap + - portal_operator + groups: [] + - username: "service-account-portal-bff" + serviceAccountClientId: "portal-bff" + credentials: [] + clientRoles: + realm-management: + - manage-realm + - manage-users + groups: [] + - username: adminek + password: Adminek + email: "onap-admin@amartus.com" + groups: + - admins + - username: onapadmin + password: ONAPAdmin + email: "onap-admin1@amartus.com" + groups: + - admins + - username: contributor + password: Contributor + email: "onap-contributor@amartus.com" + groups: + - contributors + - username: reader + password: Reader + email: "onap-reader@amartus.com" + groups: + - readers + clients: + oauth2_proxy: + clientId: *clientID + name: "Oauth2 Proxy" + secret: *clientSecret + protocol: openid-connect + protocolMappers: + - name: "Audience for Oauth2Proxy" + protocolMapper: "oidc-audience-mapper" + config: + 
included.client.audience: "oauth2-proxy-onap" + id.token.claim: "false" + access.token.claim: "true" + included.custom.audience: "oauth2-proxy-onap" + - name: "SDC-User" + protocolMapper: "oidc-usermodel-attribute-mapper" + config: + multivalued: "false" + userinfo.token.claim: "true" + user.attribute: "sdc_user" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "sdc_user" + jsonType.label: "String" + additionalDefaultScopes: + - "onap_roles" + portal_app: + clientId: "portal-app" + redirectUris: + - 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "portal-ng-ui") }}/*' + - 'http://localhost/*' + protocol: openid-connect + additionalAttributes: + post.logout.redirect.uris: 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "portal-ng-ui") }}/*' + protocolMappers: + - name: "User-Roles" + protocolMapper: "oidc-usermodel-attribute-mapper" + config: + userinfo.token.claim: "true" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "roles" + multivalued: "true" + - name: "SDC-User" + protocolMapper: "oidc-usermodel-attribute-mapper" + config: + userinfo.token.claim: "true" + user.attribute: "sdc_user" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "sdc_user" + jsonType.label: "String" + portal_bff: + clientId: "portal-bff" + protocol: openid-connect + secret : pKOuVH1bwRZoNzp5P5t4GV8CqcCJYVtr + protocolMappers: + - name: "Client Host" + protocolMapper: "oidc-usersessionmodel-note-mapper" + config: + user.session.note : "clientHost" + id.token.claim : "true" + access.token.claim : "true" + claim.name : "clientHost" + jsonType.label : "String" + - name: "Client IP Address" + protocolMapper: "oidc-usersessionmodel-note-mapper" + config: + user.session.note : "clientAddress" + id.token.claim : "true" + access.token.claim : "true" + claim.name : "clientAddress" + jsonType.label : "String" + defaultClientScopes: + - "onap_roles" + additionalClientScopes: + - name: onap_roles + 
description: OpenID Connect scope for add user onap roles to the access token + protocolMappers: + - name: aud + protocol: openid-connect + protocolMapper: oidc-audience-mapper + consentRequired: false + config: + included.client.audience: oauth2-proxy + id.token.claim: 'false' + access.token.claim: 'true' + - name: client roles + protocol: openid-connect + protocolMapper: oidc-usermodel-client-role-mapper + consentRequired: false + config: + multivalued: 'true' + userinfo.token.claim: 'false' + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: onap_roles + jsonType.label: String + usermodel.clientRoleMapping.clientId: oauth2-proxy + accessControl: + assignableRoles: + - name: portal_admin + description: "User role for administration tasks in the portal." + - name: portal_designer + description: "User role for designer tasks in the portal." + - name: portal_operator + description: "User role for operator tasks in the portal." + - name: onap-operator-read + description: "Allows to perform GET operations for all ONAP components" + associatedAccessRoles: [ "dmaap-bc-api-read", "dmaap-dr-node-api-read", "dmaap-dr-prov-api-read", "dmaap-mr-api-read", "msb-consul-api-read", "msb-discovery-api-read", "msb-eag-ui-read", "msb-iag-ui-read", "nbi-api-read", "aai-api-read", "aai-babel-api-read", "aai-sparkybe-api-read", "cds-blueprintsprocessor-api-read", "cds-ui-read", "cps-core-api-read", "cps-ncmp-dmi-plugin-api-read", "cps-temporal-api-read", "reaper-dc1-read", "sdc-be-api-read", "sdc-fe-ui-read", "sdc-wfd-be-api-read", "sdc-wfd-fe-ui-read", "so-admin-cockpit-ui-read", "so-api-read", "usecase-ui-read", "uui-server-read" ] + - name: onap-operator-write + description: "Allows to perform GET, POST, PUT, PATCH operations for all ONAP components" + associatedAccessRoles: [ "dmaap-bc-api-write", "dmaap-dr-node-api-write", "dmaap-dr-prov-api-write", "dmaap-mr-api-write", "msb-consul-api-write", "msb-discovery-api-write", "msb-eag-ui-write", "msb-iag-ui-write", 
"nbi-api-write", "aai-api-write", "aai-babel-api-write", "aai-sparkybe-api-write", "cds-blueprintsprocessor-api-write", "cds-ui-write", "cps-core-api-write", "cps-ncmp-dmi-plugin-api-write", "cps-temporal-api-write", "reaper-dc1-write", "sdc-be-api-write", "sdc-fe-ui-write", "sdc-wfd-be-api-write", "sdc-wfd-fe-ui-write", "so-admin-cockpit-ui-write", "so-api-write", "usecase-ui-write", "uui-server-write" ] + - name: onap-operator-full + description: "Allows to perform GET, POST, PUT, PATCH, DELETE operations for all ONAP components" + associatedAccessRoles: [ "dmaap-bc-api-full", "dmaap-dr-node-api-full", "dmaap-dr-prov-api-full", "dmaap-mr-api-full", "msb-consul-api-full", "msb-discovery-api-full", "msb-eag-ui-full", "msb-iag-ui-full", "nbi-api-full", "aai-api-full", "aai-babel-api-full", "aai-sparkybe-api-full", "cds-blueprintsprocessor-api-full", "cds-ui-full", "cps-core-api-full", "cps-ncmp-dmi-plugin-api-full", "cps-temporal-api-full", "reaper-dc1-full", "sdc-be-api-full", "sdc-fe-ui-full", "sdc-wfd-be-api-full", "sdc-wfd-fe-ui-full", "so-admin-cockpit-ui-full", "so-api-full", "usecase-ui-full", "uui-server-full" ] + - name: platform-operator-read + description: "Allows to perform GET operations for all ONAP components" + associatedAccessRoles: [ "grafana-read", "kibana-read" ] + - name: platform-operator-write + description: "Allows to perform GET, POST, PUT, PATCH operations for all ONAP components" + associatedAccessRoles: [ "grafana-write", "kibana-write" ] + - name: platform-operator-full + description: "Allows to perform GET, POST, PUT, PATCH, DELETE operations for all ONAP components" + associatedAccessRoles: [ "grafana-full", "kibana-full" ] + - name: platform-all-read + description: "Allows to perform GET operations for all PLATFORM components" + associatedAccessRoles: [ "dmaap-bc-api-read", "dmaap-dr-node-api-read", "dmaap-dr-prov-api-read", "dmaap-mr-api-read", "msb-consul-api-read", "msb-discovery-api-read", "msb-eag-ui-read", "msb-iag-ui-read", 
"nbi-api-read", "aai-api-read", "aai-babel-api-read", "aai-sparkybe-api-read", "cds-blueprintsprocessor-api-read", "cds-ui-read", "cps-core-api-read", "cps-ncmp-dmi-plugin-api-read", "cps-temporal-api-read", "grafana-read", "kibana-read", "reaper-dc1-read", "sdc-be-api-read", "sdc-fe-ui-read", "sdc-wfd-be-api-read", "sdc-wfd-fe-ui-read", "so-admin-cockpit-ui-read", "so-api-read", "usecase-ui-read", "uui-server-read" ] + - name: platform-all-write + description: "Allows to perform GET, POST, PUT, PATCH operations for all PLATFORM components" + associatedAccessRoles: [ "dmaap-bc-api-write", "dmaap-dr-node-api-write", "dmaap-dr-prov-api-write", "dmaap-mr-api-write", "msb-consul-api-write", "msb-discovery-api-write", "msb-eag-ui-write", "msb-iag-ui-write", "nbi-api-write", "aai-api-write", "aai-babel-api-write", "aai-sparkybe-api-write", "cds-blueprintsprocessor-api-write", "cds-ui-write", "cps-core-api-write", "cps-ncmp-dmi-plugin-api-write", "cps-temporal-api-write", "grafana-write", "kibana-write", "reaper-dc1-write", "sdc-be-api-write", "sdc-fe-ui-write", "sdc-wfd-be-api-write", "sdc-wfd-fe-ui-write", "so-admin-cockpit-ui-write", "so-api-write", "usecase-ui-write", "uui-server-write" ] + - name: platform-all-full + description: "Allows to perform GET, POST, PUT, PATCH, DELETE operations for all PLATFORM components" + associatedAccessRoles: [ "dmaap-bc-api-full", "dmaap-dr-node-api-full", "dmaap-dr-prov-api-full", "dmaap-mr-api-full", "msb-consul-api-full", "msb-discovery-api-full", "msb-eag-ui-full", "msb-iag-ui-full", "nbi-api-full", "aai-api-full", "aai-babel-api-full", "aai-sparkybe-api-full", "cds-blueprintsprocessor-api-full", "cds-ui-full", "cps-core-api-full", "cps-ncmp-dmi-plugin-api-full", "cps-temporal-api-full", "grafana-full", "kibana-full", "reaper-dc1-full", "sdc-be-api-full", "sdc-fe-ui-full", "sdc-wfd-be-api-full", "sdc-wfd-fe-ui-full", "so-admin-cockpit-ui-full", "so-api-full", "usecase-ui-full", "uui-server-full" ] + accessRoles: + "oauth2_proxy": 
+ - name: dmaap-bc-api-read + methodsAllowed: ["GET"] + servicePrefix: dmaap-bc-api + - name: dmaap-bc-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: dmaap-bc-api + - name: dmaap-bc-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: dmaap-bc-api + - name: dmaap-dr-node-api-read + methodsAllowed: ["GET"] + servicePrefix: dmaap-dr-node-api + - name: dmaap-dr-node-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: dmaap-dr-node-api + - name: dmaap-dr-node-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: dmaap-dr-node-api + - name: dmaap-dr-prov-api-read + methodsAllowed: ["GET"] + servicePrefix: dmaap-dr-prov-api + - name: dmaap-dr-prov-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: dmaap-dr-prov-api + - name: dmaap-dr-prov-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: dmaap-dr-prov-api + - name: dmaap-mr-api-read + methodsAllowed: ["GET"] + servicePrefix: dmaap-mr-api + - name: dmaap-mr-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: dmaap-mr-api + - name: dmaap-mr-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: dmaap-mr-api + - name: msb-consul-api-read + methodsAllowed: ["GET"] + servicePrefix: msb-consul-api + - name: msb-consul-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: msb-consul-api + - name: msb-consul-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: msb-consul-api + - name: msb-discovery-api-read + methodsAllowed: ["GET"] + servicePrefix: msb-discovery-api + - name: msb-discovery-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: msb-discovery-api + - name: msb-discovery-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: msb-discovery-api + - name: msb-eag-ui-read + 
methodsAllowed: ["GET"] + servicePrefix: msb-eag-ui + - name: msb-eag-ui-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: msb-eag-ui + - name: msb-eag-ui-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: msb-eag-ui + - name: msb-iag-ui-read + methodsAllowed: ["GET"] + servicePrefix: msb-iag-ui + - name: msb-iag-ui-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: msb-iag-ui + - name: msb-iag-ui-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: msb-iag-ui + - name: nbi-api-read + methodsAllowed: ["GET"] + servicePrefix: nbi-api + - name: nbi-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: nbi-api + - name: nbi-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: nbi-api + - name: aai-api-read + methodsAllowed: ["GET"] + servicePrefix: aai-api + - name: aai-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: aai-api + - name: aai-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: aai-api + - name: aai-babel-api-read + methodsAllowed: ["GET"] + servicePrefix: aai-babel-api + - name: aai-babel-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: aai-babel-api + - name: aai-babel-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: aai-babel-api + - name: aai-sparkybe-api-read + methodsAllowed: ["GET"] + servicePrefix: aai-sparkybe-api + - name: aai-sparkybe-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: aai-sparkybe-api + - name: aai-sparkybe-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: aai-sparkybe-api + - name: cds-blueprintsprocessor-api-read + methodsAllowed: ["GET"] + servicePrefix: cds-blueprintsprocessor-api + - name: cds-blueprintsprocessor-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + 
servicePrefix: cds-blueprintsprocessor-api + - name: cds-blueprintsprocessor-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: cds-blueprintsprocessor-api + - name: cds-ui-read + methodsAllowed: ["GET"] + servicePrefix: cds-ui + - name: cds-ui-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: cds-ui + - name: cds-ui-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: cds-ui + - name: cps-core-api-read + methodsAllowed: ["GET"] + servicePrefix: cps-core-api + - name: cps-core-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: cps-core-api + - name: cps-core-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: cps-core-api + - name: cps-ncmp-dmi-plugin-api-read + methodsAllowed: ["GET"] + servicePrefix: cps-ncmp-dmi-plugin-api + - name: cps-ncmp-dmi-plugin-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: cps-ncmp-dmi-plugin-api + - name: cps-ncmp-dmi-plugin-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: cps-ncmp-dmi-plugin-api + - name: cps-temporal-api-read + methodsAllowed: ["GET"] + servicePrefix: cps-temporal-api + - name: cps-temporal-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: cps-temporal-api + - name: cps-temporal-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: cps-temporal-api + - name: grafana-read + methodsAllowed: ["GET"] + servicePrefix: grafana + - name: grafana-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: grafana + - name: grafana-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: grafana + - name: kibana-read + methodsAllowed: ["GET"] + servicePrefix: kibana + - name: kibana-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: kibana + - name: kibana-full + methodsAllowed: ["GET", "POST", 
"PUT", "PATCH", "DELETE"] + servicePrefix: kibana + - name: minio-read + methodsAllowed: ["GET"] + servicePrefix: minio-console + - name: minio-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: minio-console + - name: minio-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: minio-console + - name: reaper-dc1-read + methodsAllowed: ["GET"] + servicePrefix: reaper-dc1 + - name: reaper-dc1-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: reaper-dc1 + - name: reaper-dc1-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: reaper-dc1 + - name: sdc-be-api-read + methodsAllowed: ["GET"] + servicePrefix: sdc-be-api + - name: sdc-be-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: sdc-be-api + - name: sdc-be-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: sdc-be-api + - name: sdc-fe-ui-read + methodsAllowed: ["GET"] + servicePrefix: sdc-fe-ui + - name: sdc-fe-ui-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: sdc-fe-ui + - name: sdc-fe-ui-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: sdc-fe-ui + - name: sdc-wfd-be-api-read + methodsAllowed: ["GET"] + servicePrefix: sdc-wfd-be-api + - name: sdc-wfd-be-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: sdc-wfd-be-api + - name: sdc-wfd-be-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: sdc-wfd-be-api + - name: sdc-wfd-fe-ui-read + methodsAllowed: ["GET"] + servicePrefix: sdc-wfd-fe-ui + - name: sdc-wfd-fe-ui-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: sdc-wfd-fe-ui + - name: sdc-wfd-fe-ui-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: sdc-wfd-fe-ui + - name: so-admin-cockpit-ui-read + methodsAllowed: ["GET"] + servicePrefix: so-admin-cockpit-ui + - name: 
so-admin-cockpit-ui-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: so-admin-cockpit-ui + - name: so-admin-cockpit-ui-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: so-admin-cockpit-ui + - name: so-api-read + methodsAllowed: ["GET"] + servicePrefix: so-api + - name: so-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: so-api + - name: so-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: so-api + - name: usecase-ui-read + methodsAllowed: ["GET"] + servicePrefix: usecase-ui + - name: usecase-ui-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: usecase-ui + - name: usecase-ui-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: usecase-ui + - name: uui-server-read + methodsAllowed: ["GET"] + servicePrefix: uui-server + - name: uui-server-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: uui-server + - name: uui-server-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: uui-server diff --git a/kubernetes/onap/Chart.yaml b/kubernetes/onap/Chart.yaml index 45d8da170b..bb3d95c69f 100644 --- a/kubernetes/onap/Chart.yaml +++ b/kubernetes/onap/Chart.yaml @@ -25,6 +25,10 @@ icon: https://wiki.onap.org/download/thumbnails/1015829/onap_704x271%20copy.png? kubeVersion: ">=1.19.11-0" dependencies: + - name: authentication + version: ~14.x-0 + repository: '@local' + condition: authentication:enabled - name: aai version: ~13.x-0 repository: '@local' diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml index ba7b50e53c..1b47045e84 100644 --- a/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml 
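Review bot: The chart ships live credentials as defaults — `cookieSecret`, the `oauth2-proxy-onap` `clientSecret`, the `portal-bff` client `secret`, `KEYCLOAK_PASSWORD: secret`, and clear-text `password:` values for the `adminek`, `onapadmin`, `contributor` and `reader` users; the "To be set in helmfile" comments acknowledge this, but a deployment that forgets the override runs silently with values that are published in the repository. Leave the defaults empty (`clientSecret: ""`, `cookieSecret: ""`) and have the templates `required` them, or generate them with `randAlphaNum` into a Secret and reference it through the `existingSecret`/`existingConfigSecret` pattern the values already use, so a missing override fails the render rather than deploying guessable credentials. The `onap-admin` user's `secretData`/`credentialData` hash is likewise a published credential; a comment above `initialUsers`, `# every entry below must be overridden per environment; these are sample accounts only`, makes that explicit. Style: `secret : …` and `credentialData : …` carry a space before the colon (yamllint's `colons` rule flags it), and the `accessRoles` key `"oauth2_proxy"` is the only quoted key in the file — `oauth2_proxy:` reads the same.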
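Review bot: `condition: authentication:enabled` uses a colon where every other dependency condition uses a dotted values path (e.g. `chartmuseum.enabled` in kubernetes/platform/Chart.yaml); Helm cannot resolve that path and, as far as I can tell from its dependency handling, an unresolvable condition only logs a warning and leaves the dependency enabled, so the `authentication` chart would be deployed even though `kubernetes/onap/values.yaml` defaults it to `enabled: false`. Change it to `condition: authentication.enabled`.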
@@ -62,6 +62,8 @@ mariadb-galera:
 enabled: true
 postgres:
 enabled: true
+authentication:
+ enabled: true
 aai:
 enabled: true
 cds:
diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml
index cc830424e2..8f69a08b2a 100644
--- a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml
+++ b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml
@@ -63,6 +63,8 @@ mariadb-galera:
 enabled: true
 postgres:
 enabled: true
+authentication:
+ enabled: true
 aai:
 enabled: true
 cds:
diff --git a/kubernetes/onap/resources/overrides/onap-all.yaml b/kubernetes/onap/resources/overrides/onap-all.yaml
index 027f8b3225..afb7e6b720 100644
--- a/kubernetes/onap/resources/overrides/onap-all.yaml
+++ b/kubernetes/onap/resources/overrides/onap-all.yaml
@@ -25,6 +25,8 @@ mariadb-galera:
 enabled: true
 postgres:
 enabled: true
+authentication:
+ enabled: true
 aai:
 enabled: true
 cds:
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index 5f48a5e2ed..c37b0fcdbc 100755
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -297,6 +297,8 @@ global:
 # to customize the ONAP deployment.
 #################################################################
+authentication:
+ enabled: false
 aai:
 enabled: false
 cassandra:
diff --git a/kubernetes/platform/Chart.yaml b/kubernetes/platform/Chart.yaml
index aec56cf9a1..c3f776803e 100644
--- a/kubernetes/platform/Chart.yaml
+++ b/kubernetes/platform/Chart.yaml
@@ -3,6 +3,7 @@
 # Modifications Copyright © 2020 Nokia
 # Modifications Copyright © 2021 Orange
 # Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom AG
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -34,11 +35,3 @@ dependencies:
 version: ~13.x-0
 repository: '@local'
 condition: chartmuseum.enabled
- - name: keycloak-init
- version: ~13.x-0
- repository: '@local'
- condition: keycloak-init.enabled
- - name: oauth2-proxy
- version: ~13.x-0
- repository: '@local'
- condition: oauth2-proxy.enabled
diff --git a/kubernetes/platform/components/keycloak-init/Makefile b/kubernetes/platform/components/keycloak-init/Makefile
deleted file mode 100644
index 5970a97115..0000000000
--- a/kubernetes/platform/components/keycloak-init/Makefile
+++ /dev/null
@@ -1,60 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# Modifications Copyright © 2020 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) -HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: 
diff --git a/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json b/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json
deleted file mode 100644
index d845c60cfb..0000000000
--- a/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json
+++ /dev/null
@@ -1,426 +0,0 @@ -{ - "id": "ONAP", - "realm": "ONAP", - "enabled": true, - "roles": { - "realm": [ - { - "name": "onap_admin", - "description": "User role for administration tasks in the portal.", - "composite": false, - "clientRole": false, - "containerId": "onap", - "attributes": {} - }, - { - "name": "user", - "composite": false, - "clientRole": false, - "containerId": "onap", - "attributes": {} - }, - { - "name": "admin", - "composite": false, - "clientRole": false, - "containerId": "onap", - "attributes": {} - }, - { - "name": "onap_designer", - "description": "User role for designer tasks in the portal.", - "composite": false, - "clientRole": false, - "containerId": "onap", - "attributes": {} - }, - { - "name": "offline_access", - "description": "${role_offline-access}", - "composite": false, - "clientRole": false, - "containerId": "onap", - "attributes": {} - }, - { - "name": "onap_operator", - "description": "User role for operator tasks in the portal.", - "composite": false, - "clientRole": false, - "containerId": "onap", - "attributes": {} - }, - { - "name": "uma_authorization", - "description": "${role_uma_authorization}", - "composite": false, - "clientRole": false, - "containerId": "onap", - "attributes": {} - }, - { - "name": "default-roles-onap", - "description": "${role_default-roles}", - "composite": true, - "composites": { - "realm": [ - "offline_access", - "uma_authorization" - ], - "client": { - "account": [ - "view-profile", - "manage-account" - ] - } - }, - "clientRole": false, - "containerId": "onap", - "attributes": {} - } - ] - }, - "groups": [ - { - "name": "admins", - "path": "/admins", - "attributes": {}, - "realmRoles": [], - "clientRoles": {}, - "subGroups": [] - } - ], - "clients": [ - { - "clientId": "oauth2-proxy", - "name": "Oauth2 Proxy", - "description": "", - "rootUrl": "", - "adminUrl": "", - "baseUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": 
"client-secret", - "secret": "5YSOkJz99WHv8enDZPknzJuGqVSerELp", - "redirectUris": [ - "*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "tls-client-certificate-bound-access-tokens": "false", - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "acr.loa.map": "{}", - "require.pushed.authorization.requests": "false", - "oauth2.device.authorization.grant.enabled": "false", - "display.on.consent.screen": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "token.response.type.bearer.lower-case": "false", - "use.refresh.tokens": "true" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "name": "SDC-User", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "multivalued": "false", - "userinfo.token.claim": "true", - "user.attribute": "sdc_user", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "sdc_user", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "groups", - "microprofile-jwt" - ] - }, - { - "clientId": "portal-app", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "{{ .Values.portalUrl }}/*", - "http://localhost/*" - ], - "webOrigins": [ - "*" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - 
"standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "{{ .Values.portalUrl }}/*", - "oauth2.device.authorization.grant.enabled": "false", - "display.on.consent.screen": "false", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "name": "User-Roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "roles", - "multivalued": "true", - "userinfo.token.claim": "true" - } - }, - { - "name": "SDC-User", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "sdc_user", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "sdc_user", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "clientId" : "portal-bff", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "secret" : "pKOuVH1bwRZoNzp5P5t4GV8CqcCJYVtr", - "redirectUris" : [ ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : false, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : false, - "serviceAccountsEnabled" : 
true, - "publicClient" : false, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "saml.force.post.binding" : "false", - "saml.multivalued.roles" : "false", - "frontchannel.logout.session.required" : "false", - "oauth2.device.authorization.grant.enabled" : "false", - "backchannel.logout.revoke.offline.tokens" : "false", - "saml.server.signature.keyinfo.ext" : "false", - "use.refresh.tokens" : "true", - "oidc.ciba.grant.enabled" : "false", - "backchannel.logout.session.required" : "true", - "client_credentials.use_refresh_token" : "false", - "require.pushed.authorization.requests" : "false", - "saml.client.signature" : "false", - "saml.allow.ecp.flow" : "false", - "id.token.as.detached.signature" : "false", - "saml.assertion.signature" : "false", - "client.secret.creation.time" : "1665048112", - "saml.encrypt" : "false", - "saml.server.signature" : "false", - "exclude.session.state.from.auth.response" : "false", - "saml.artifact.binding" : "false", - "saml_force_name_id_format" : "false", - "acr.loa.map" : "{}", - "tls.client.certificate.bound.access.tokens" : "false", - "saml.authnstatement" : "false", - "display.on.consent.screen" : "false", - "token.response.type.bearer.lower-case" : "false", - "saml.onetimeuse.condition" : "false" - }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : true, - "nodeReRegistrationTimeout" : -1, - "protocolMappers" : [ { - "name" : "Client Host", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usersessionmodel-note-mapper", - "consentRequired" : false, - "config" : { - "user.session.note" : "clientHost", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "clientHost", - "jsonType.label" : "String" - } - }, { - "name" : "Client IP Address", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usersessionmodel-note-mapper", - "consentRequired" : false, - "config" : { - "user.session.note" : "clientAddress", - "id.token.claim" : 
"true", - "access.token.claim" : "true", - "claim.name" : "clientAddress", - "jsonType.label" : "String" - } - } ], - "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - } - ], - "users": [ - { - "createdTimestamp" : 1664965113698, - "username" : "onap-admin", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "attributes" : { - "sdc_user" : [ "cs0008" ] - }, - "credentials" : [ { - "type" : "password", - "createdDate" : 1664965134586, - "secretData" : "{\"value\":\"nD4K4x8HEgk6xlWIAgzZOE+EOjdbovJfEa7N3WXwIMCWCfdXpn7Riys7hZhI1NbKcc9QPI9j8LQB/JSuZVcXKA==\",\"salt\":\"T8X9A9tT2cyLvEjHFo+zuQ==\",\"additionalParameters\":{}}", - "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "default-roles-onap", "onap_admin" ], - "notBefore" : 0, - "groups" : [ ] - }, { - "createdTimestamp" : 1665048354760, - "username" : "onap-designer", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "attributes" : { - "sec_user" : [ "cs0008" ] - }, - "credentials" : [ ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "default-roles-onap", "onap_designer" ], - "notBefore" : 0, - "groups" : [ ] - }, { - "createdTimestamp" : 1665048547054, - "username" : "onap-operator", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "attributes" : { - "sdc_user" : [ "cs0008" ] - }, - "credentials" : [ ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "default-roles-onap", "onap_operator" ], - "notBefore" : 0, - "groups" : [ ] - }, { - "createdTimestamp" : 1665048112458, - "username" : "service-account-portal-bff", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "serviceAccountClientId" : "portal-bff", - 
"credentials" : [ ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "default-roles-onap" ], - "clientRoles" : { - "realm-management" : [ "manage-realm", "manage-users" ] - }, - "notBefore" : 0, - "groups" : [ ] - } - ], - "clientScopes": [ - { - "name": "groups", - "description": "Membership to a group", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "gui.order": "", - "consent.screen.text": "" - }, - "protocolMappers": [ - { - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-group-membership-mapper", - "consentRequired": false, - "config": { - "full.path": "false", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "userinfo.token.claim": "true" - } - } - ] - } - ], - "attributes": { - "frontendUrl": "{{ .Values.KEYCLOAK_URL }}", - "acr.loa.map": "{\"ABC\":\"5\"}" - } -} diff --git a/kubernetes/platform/components/keycloak-init/values.yaml b/kubernetes/platform/components/keycloak-init/values.yaml deleted file mode 100644 index a33ef2c932..0000000000 --- a/kubernetes/platform/components/keycloak-init/values.yaml +++ /dev/null 
@@ -1,41 +0,0 @@
-# Copyright © 2022, Deutsche Telekom
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-global:
- # Global ingress configuration
- ingress:
- enabled: false
- virtualhost:
- baseurl: "simpledemo.onap.org"
-
-KEYCLOAK_URL: &kc-url "https://keycloak-ui.simpledemo.onap.org/auth/"
-PORTAL_URL: "https://portal-ui.simpledemo.onap.org"
-
-onap-keycloak-config-cli:
- image:
- pullSecrets:
- - name: onap-docker-registry-key
- #existingSecret: "keycloak-keycloakx-admin-creds"
- env:
- KEYCLOAK_URL: http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/
- KEYCLOAK_SSLVERIFY: "false"
- KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true"
- secrets:
- KEYCLOAK_PASSWORD: secret
- existingConfigSecret: "keycloak-config-cli-config-realms"
-
-serviceAccount:
- nameOverride: keycloak-init
- roles:
- - read
diff --git a/kubernetes/platform/components/oauth2-proxy/Chart.yaml b/kubernetes/platform/components/oauth2-proxy/Chart.yaml
deleted file mode 100644
index 13da57793c..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/Chart.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright © 2022 Deutsche Telekom
-# ================================================================================
-# Original licence (https://github.com/codecentric/helm-charts/blob/master/LICENSE)
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-apiVersion: v2
-version: 13.0.0
-description: ONAP Oauth2-proxy
-name: oauth2-proxy
-sources:
-- https://github.com/oauth2-proxy/manifests
-
-dependencies:
- - name: common
- version: ~13.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~13.x-0
- repository: '@local'
- - name: onap-oauth2-proxy
- version: 6.10.1
- repository: 'file://components/oauth2-proxy'
\ No newline at end of file
diff --git a/kubernetes/platform/components/oauth2-proxy/components/Makefile b/kubernetes/platform/components/oauth2-proxy/components/Makefile
deleted file mode 100755
index 9544d70f33..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/components/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore deleted file mode 100644 index 825c007791..0000000000 
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-
-OWNERS
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml
deleted file mode 100644
index 9d31c28541..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-metrics:
- enabled: true
- serviceMonitor:
- enabled: true
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt
deleted file mode 100644
index aa749e0b9d..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-To verify that oauth2-proxy has started, run:
-
- kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "oauth2-proxy.name" . }}"
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml
deleted file mode 100644
index 7ba0273ab2..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{- if .Values.alphaConfig.enabled }}
-{{- if not .Values.alphaConfig.existingConfig }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-{{- if .Values.alphaConfig.annotations }}
- annotations: {{- toYaml .Values.alphaConfig.annotations | nindent 4 }}
-{{- end }}
- labels:
- app: {{ template "oauth2-proxy.name" . }}
- {{- include "oauth2-proxy.labels" . | indent 4 }}
- name: {{ template "oauth2-proxy.fullname" . }}-alpha
-data:
- oauth2_proxy.yml: |
- ---
- server:
- BindAddress: '0.0.0.0:4180'
- {{- if .Values.alphaConfig.serverConfigData }}
- {{- toYaml .Values.alphaConfig.serverConfigData | nindent 6 }}
- {{- end }}
- {{- if .Values.metrics.enabled }}
- metricsServer:
- BindAddress: '0.0.0.0:44180'
- {{- if .Values.alphaConfig.metricsConfigData }}
- {{- toYaml .Values.alphaConfig.metricsConfigData | nindent 6 }}
- {{- end }}
- {{- end }}
- {{- if .Values.alphaConfig.configData }}
- {{- toYaml .Values.alphaConfig.configData | nindent 4 }}
- {{- end }}
-{{- end }}
-{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml
deleted file mode 100644
index 6d0a9d7c59..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if or .Values.serviceAccount.enabled -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app: {{ template "oauth2-proxy.name" . }}
-{{- include "oauth2-proxy.labels" . | indent 4 }}
- name: {{ template "oauth2-proxy.serviceAccountName" . }}
-automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }}
-{{- end -}}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml
deleted file mode 100644
index 9c29d1bfd1..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{- if and .Values.metrics.enabled .Values.metrics.servicemonitor.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ template "oauth2-proxy.fullname" . }}
-{{- if .Values.metrics.servicemonitor.namespace }}
- namespace: {{ .Values.metrics.servicemonitor.namespace }}
-{{- else }}
- namespace: {{ .Release.Namespace | quote }}
-{{- end }}
- labels:
- prometheus: {{ .Values.metrics.servicemonitor.prometheusInstance }}
- app: {{ template "oauth2-proxy.name" . }}
-{{- include "oauth2-proxy.labels" . | indent 4 }}
-{{- if .Values.metrics.servicemonitor.labels }}
-{{ toYaml .Values.metrics.servicemonitor.labels | indent 4}}
-{{- end }}
-spec:
- jobLabel: {{ template "oauth2-proxy.fullname" . }}
- selector:
- matchLabels:
- {{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
- namespaceSelector:
- matchNames:
- - {{ .Release.Namespace }}
- endpoints:
- - port: metrics
- path: "/metrics"
- interval: {{ .Values.metrics.servicemonitor.interval }}
- scrapeTimeout: {{ .Values.metrics.servicemonitor.scrapeTimeout }}
-{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/values.yaml b/kubernetes/platform/components/oauth2-proxy/values.yaml
deleted file mode 100644
index 81a9986d3d..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/values.yaml
+++ /dev/null
@@ -1,74 +0,0 @@ -onap-oauth2-proxy: - # Oauth client configuration specifics - config: - cookieSecret: "CbgXFXDJ16laaCfChtFBpKy1trNEmJZDIjaiaIMLyRA=" - configFile: |- - email_domains = [ "*" ] # Restrict to these E-Mail Domains, a wildcard "*" allows any email - - alphaConfig: - enabled: true - configData: - providers: - - clientID: "oauth2-proxy" - clientSecret: "5YSOkJz99WHv8enDZPknzJuGqVSerELp" - id: oidc-istio - provider: oidc # We use the generic 'oidc' provider - loginURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/auth - #redeemURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/token - redeemURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/token - profileURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo - validateURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo - scope: "openid email profile groups" - #allowedGroups: - # - admins # List all groups managed at our your IdP which should be allowed access - # - infrateam - # - anothergroup - oidcConfig: - emailClaim: email # Name of the clain in JWT containing the E-Mail - groupsClaim: groups # Name of the claim in JWT containing the Groups - userIDClaim: email # Name of the claim in JWT containing the User ID - audienceClaims: ["aud"] - insecureAllowUnverifiedEmail: true - insecureSkipIssuerVerification: true - skipDiscovery: true # You can try using the well-knwon endpoint directly for auto discovery, here we won't use it - issuerURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP - jwksURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/certs - upstreamConfig: - upstreams: - - id: static_200 - path: / - static: true - staticCode: 200 - # Headers that should be added to responses from the proxy - injectResponseHeaders: # Send this headers in responses from oauth2-proxy - - name: 
X-Auth-Request-Preferred-Username - values: - - claim: preferred_username - - name: X-Auth-Request-Email - values: - - claim: email - - extraArgs: - cookie-secure: "false" - cookie-domain: ".simpledemo.onap.org" # Replace with your base domain - cookie-samesite: lax - cookie-expire: 12h # How long our Cookie is valid - auth-logging: true # Enable / Disable auth logs - request-logging: true # Enable / Disable request logs - standard-logging: true # Enable / Disable the standart logs - show-debug-on-error: true # Disable in production setups - skip-provider-button: true # We only have one provider configured (Keycloak) - silence-ping-logging: true # Keeps our logs clean - whitelist-domain: ".simpledemo.onap.org" # Replace with your base domain - - # Enables and configure the automatic deployment of the redis subchart - redis: - # provision an instance of the redis sub-chart - enabled: false - - -serviceAccount: - nameOverride: oauth2-proxy - roles: - - read - diff --git a/kubernetes/platform/values.yaml b/kubernetes/platform/values.yaml index 5cc7612473..95c98f6eb4 100644 --- a/kubernetes/platform/values.yaml +++ b/kubernetes/platform/values.yaml @@ -34,15 +34,11 @@ global: # Control deployment of Platform services at ONAP installation time chartmuseum: - enabled: true + enabled: false cmpv2-cert-provider: enabled: true oom-cert-service: enabled: true -keycloak-init: - enabled: false -oauth2-proxy: - enabled: false flavor: small # default number of instances |