Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: Add support for configuring UI auth #712

Open
ElanHasson opened this issue Apr 24, 2024 · 0 comments
Open

Feature: Add support for configuring UI auth #712

ElanHasson opened this issue Apr 24, 2024 · 0 comments
Labels
good first issue Good for newcomers help wanted Extra attention is needed improvement

Comments

@ElanHasson
Copy link

ElanHasson commented Apr 24, 2024
edited
Loading

Currently app UI config for auth has to done via environment vars.

It would be great if it could be exposed easily.
Perhaps with common configuration: Google, Microsoft, GitHub authentication packages up as a template where you just have to add your client secret and key and it'll just work.

Should also have Keycloak config as it's pretty popular.

Here is a very large spec.

apiVersion: temporal.io/v1beta1
kind: TemporalCluster
metadata:
  name: temporal
spec:
  admintools:
    enabled: true
    image: temporalio/admin-tools
    resources: {}
  authorization:
    # Uncomment once claims are setup in keycloak
    # authorizer: default
    # claimMapper: default
    jwtKeyProvider:
      keySourceURIs:
        - CHANGE_ME
      refreshInterval: 30m0s
    permissionsClaimName: permissions
  image: temporalio/server
  jobResources: {}
  jobTtlSecondsAfterFinished: 300
  log:
    development: false
    format: json
    level: info
    outputFile: ""
    stdout: true
  mTLS:
    certificatesDuration:
      clientCertificates: 17520h0m0s
      frontendCertificate: 17520h0m0s
      intermediateCAsCertificates: 17520h0m0s
      internodeCertificate: 17520h0m0s
      rootCACertificate: 27520h0m0s
    frontend:
      enabled: true
    internode:
      enabled: true
    provider: cert-manager
    refreshInterval: 72h0m0s # I do not think these are being considered properly.
    renewBefore: 1h10m0s # This too
  metrics:
    enabled: true
    prometheus:
      listenAddress: ""
      listenPort: 9090
      scrapeConfig:
        annotations: false
        serviceMonitor:
          enabled: true
  numHistoryShards: 1
  persistence:
    defaultStore:
      name: default
      passwordSecretRef:
        key: password
        name: temporal-postgres-app
      skipCreate: false
      sql:
        connectAddr: temporal-postgres-rw:5432
        connectProtocol: tcp
        databaseName: temporal
        maxConnLifetime: 0s
        maxConns: 0
        maxIdleConns: 0
        pluginName: postgres
        taskScanPartitions: 0
        user: temporal
    visibilityStore:
      name: visibility
      passwordSecretRef:
        key: password
        name: temporal-postgres-app
      skipCreate: false
      sql:
        connectAddr: temporal-postgres-rw:5432
        connectProtocol: tcp
        databaseName: temporal_visibility
        maxConnLifetime: 0s
        maxConns: 0
        maxIdleConns: 0
        pluginName: postgres
        taskScanPartitions: 0
        user: temporal
  services:
    frontend:
      overrides:
        deployment:
          spec:
            template:
              spec:
                containers:
                  - name: service
                    args: ["--allow-no-auth"]
      httpPort: 7243
      membershipPort: 6933
      port: 7233
      replicas: 1
      resources: {}
    history:
      httpPort: 0
      membershipPort: 6934
      port: 7234
      replicas: 1
      resources: {}
    matching:
      httpPort: 0
      membershipPort: 6935
      port: 7235
      replicas: 1
      resources: {}
    worker:
      httpPort: 0
      membershipPort: 6939
      port: 7239
      replicas: 1
      resources: {}
  ui:
    enabled: true
    image: temporalio/ui
    ingress:
      annotations:
        external-dns.alpha.kubernetes.io/cloudflare-proxied: "false" # this will need to be true when we are out of the basement
        cert-manager.io/issuer: letsencrypt-prod
        nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
      hosts:
        - CHANGEME
      tls:
        - hosts:
            - CHANGEME
          secretName: temporal-ingress-cert
    overrides:
      deployment:
        spec:
          template:
            spec:
              containers:
                - env:
                    - name: TEMPORAL_AUTH_ENABLED
                      value: "true"
                    - name: TEMPORAL_AUTH_SCOPES
                      value: openid email profile
                  name: ui
                  resources: {}
                  envFrom:
                    - secretRef:
                        name: temporal-oidc-client
    replicas: 1
    resources:
      limits:
        cpu: "1"
        memory: 256Mi
      requests:
        cpu: 10m
        memory: 20Mi
    version: 2.26.1
  version: 1.22.7
@alexandrevilain alexandrevilain added help wanted Extra attention is needed good first issue Good for newcomers improvement labels Apr 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue Good for newcomers help wanted Extra attention is needed improvement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ElanHasson @alexandrevilain