feat: add oidc

pluralsh · Apr 15, 2023 · 6de00cc · 6de00cc
1 parent 0cd778c
commit 6de00cc
Show file tree

Hide file tree

Showing 14 changed files with 205 additions and 7 deletions.
diff --git a/unleash/helm/unleash/Chart.lock b/unleash/helm/unleash/Chart.lock
@@ -5,5 +5,8 @@ dependencies:
 - name: unleash
   repository: https://docs.getunleash.io/helm-charts
   version: 2.8.0
-digest: sha256:552bc226be5e707e130af94d16402b37a8588fe3be7c7eca90dd275ffa3a2cd3
-generated: "2023-04-15T05:20:25.085317+02:00"
+- name: oidc-config
+  repository: https://pluralsh.github.io/module-library
+  version: 0.1.6
+digest: sha256:e72b181785ed4af17a09f15eb96d8ed5eb97de0017d026e0847f2fc521317e01
+generated: "2023-04-15T13:09:41.222634+02:00"
diff --git a/unleash/helm/unleash/Chart.yaml b/unleash/helm/unleash/Chart.yaml
@@ -10,4 +10,8 @@ dependencies:
   repository: https://pluralsh.github.io/module-library
 - name: unleash
   version: 2.8.0
-  repository: https://docs.getunleash.io/helm-charts
+  repository: https://docs.getunleash.io/helm-charts
+- name: oidc-config
+  version: 0.1.6
+  repository: https://pluralsh.github.io/module-library
+  condition: oidc-config.enabled
diff --git a/unleash/helm/unleash/charts/oidc-config-0.1.6.tgz b/unleash/helm/unleash/charts/oidc-config-0.1.6.tgz
diff --git a/unleash/helm/unleash/templates/ingress.yaml b/unleash/helm/unleash/templates/ingress.yaml
@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := index .Values "oidc-config" "service" "name" -}}
+{{- $svcPort := index .Values "oidc-config" "service" "webPort" -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "unleash-plural.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}
diff --git a/unleash/helm/unleash/values.yaml b/unleash/helm/unleash/values.yaml
@@ -26,3 +26,17 @@ unleash:
       key: password
     ssl: '{\"rejectUnauthorized\": false}'
 
+oidc-config:
+  enabled: false
+  service:
+    name: unleash-oauth2-proxy
+    selector:
+      app.kubernetes.io/instance: unleash
+      app.kubernetes.io/name: unleash
+  secret:
+    upstream: http://localhost:4242
+    env:
+      OAUTH2_PROXY_UPSTREAM_TIMEOUT: '120s'
+
+ingress:
+  enabled: false
diff --git a/unleash/helm/unleash/values.yaml.tpl b/unleash/helm/unleash/values.yaml.tpl
@@ -1,4 +1,8 @@
 unleash:
+  {{- if .OIDC }}
+  ingress:
+    enabled: false
+  {{ else }}
   ingress:
     enabled: true
     className: "nginx"
@@ -14,10 +18,11 @@ unleash:
     - secretName: unleash-tls
       hosts:
         - {{ .Values.hostname }}
+  {{ end }}
   env:
     - name: UNLEASH_URL
       value: {{ .Values.hostname }}
-  {{ if .SMTP }}
+    {{ if .SMTP }}
     - name: EMAIL_SERVER_HOST
       value: {{ .SMTP.Server }}
     - name: EMAIL_SERVER_USER
@@ -28,4 +33,43 @@ unleash:
       value: {{ .SMTP.Port }}
     - name: EMAIL_FROM
       value: {{ .SMTP.Sender }}
-  {{ end }}
+    {{ end }}
+{{ if .OIDC }}
+    - name: AUTH_TYPE
+      value: none
+  podLabels:
+    security.plural.sh/inject-oauth-sidecar: "true"
+  podAnnotations:
+    security.plural.sh/oauth-env-secret: "unleash-proxy-config"
+  {{ if .Values.users }}
+    security.plural.sh/htpasswd-secret: httpaswd-users
+  {{ end }}
+{{ $prevSecret := dedupe . "unleash.oidc-config.cookieSecret" (randAlphaNum 32) }}
+oidc-config:
+  enabled: true
+  secret:
+    name: unleash-proxy-config
+    issuer: {{ .OIDC.Configuration.Issuer }}
+    clientID: {{ .OIDC.ClientId }}
+    clientSecret: {{ .OIDC.ClientSecret }}
+    cookieSecret: {{ dedupe . "unleash.oidc-config.secret.cookieSecret" $prevSecret }}
+  {{ if .Values.users }}
+  users:
+  {{ toYaml .Values.users | nindent 4 }}
+  {{ end }}
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    kubernetes.io/tls-acme: "true"
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  hosts:
+  - host: {{ .Values.hostname }}
+    paths:
+      - path: '/'
+        pathType: ImplementationSpecific
+  tls:
+  - secretName: unleash-tls
+    hosts:
+      - {{ .Values.hostname }}
+{{ end }}
diff --git a/unleash/plural/notes.tpl b/unleash/plural/notes.tpl
@@ -1,3 +1,8 @@
 Your unleash installation is available at https://{{ .Values.hostname }}
-The default login is admin/unleash4all.
-We strongly recommend you change it at https://{{ .Values.hostname }}/profile/change-password
+{{ if .OIDC }}
+Your directus has been configured with OAuth against your plural account!
+{{ else }}
+You are using standard username/password authentication, so user management will be manual.
+The default login is admin/unleash4all. We recommend to change it at https://{{ .Values.hostname }}/profile/change-password
+We strongly recommend that you consider installing with OIDC enabled.
+{{ end }}
diff --git a/unleash/plural/recipes/unleash-aws.yaml b/unleash/plural/recipes/unleash-aws.yaml
@@ -1,6 +1,10 @@
 name: unleash-aws
 description: Installs unleash on an aws eks cluster
 provider: AWS
+oidcSettings:
+  uriFormat: https://{domain}/oauth2/callback
+  authMethod: POST
+  domainKey: hostname
 dependencies:
 - repo: bootstrap
   name: aws-k8s

diff --git a/unleash/plural/recipes/unleash-azure.yaml b/unleash/plural/recipes/unleash-azure.yaml
@@ -1,6 +1,10 @@
 name: unleash-azure
 description: Installs unleash on an azure aks cluster
 provider: AZURE
+oidcSettings:
+  uriFormat: https://{domain}/oauth2/callback
+  authMethod: POST
+  domainKey: hostname
 dependencies:
 - repo: bootstrap
   name: azure-k8s

diff --git a/unleash/plural/recipes/unleash-gcp.yaml b/unleash/plural/recipes/unleash-gcp.yaml
@@ -1,6 +1,10 @@
 name: unleash-gcp
 description: Installs unleash on an gcp gke cluster
 provider: GCP
+oidcSettings:
+  uriFormat: https://{domain}/oauth2/callback
+  authMethod: POST
+  domainKey: hostname
 dependencies:
 - repo: bootstrap
   name: gcp-k8s

diff --git a/unleash/repository.yaml b/unleash/repository.yaml
@@ -7,5 +7,8 @@ icon: plural/icons/unleash.png
 notes: plural/notes.tpl
 homepage: https://www.getunleash.io/
 gitUrl: https://github.com/Unleash/unleash
+oauthSettings:
+  uriFormat: https://{domain}/oauth2/callback
+  authMethod: POST
 contributors:
 - [email protected]
diff --git a/unleash/terraform/aws/main.tf b/unleash/terraform/aws/main.tf
@@ -0,0 +1,30 @@
+resource "kubernetes_namespace" "unleash" {
+  metadata {
+    name = var.namespace
+    labels = {
+      "app.kubernetes.io/managed-by" = "plural"
+      "app.plural.sh/name" = "unleash"
+      "platform.plural.sh/sync-target" = "pg"
+    }
+  }
+}
+
+
+data "aws_iam_role" "postgres" {
+  name = "${var.cluster_name}-postgres"
+}
+
+resource "kubernetes_service_account" "postgres" {
+  metadata {
+    name      = "postgres-pod"
+    namespace = var.namespace
+
+    annotations = {
+      "eks.amazonaws.com/role-arn" = data.aws_iam_role.postgres.arn
+    }
+  }
+
+  depends_on = [
+    kubernetes_namespace.unleash
+  ]
+}
diff --git a/unleash/terraform/azure/main.tf b/unleash/terraform/azure/main.tf
@@ -0,0 +1,11 @@
+resource "kubernetes_namespace" "unleash" {
+  metadata {
+    name = var.namespace
+    labels = {
+      "app.kubernetes.io/managed-by" = "plural"
+      "app.plural.sh/name" = "unleash"
+      "platform.plural.sh/sync-target" = "pg"
+    }
+  }
+}
+
diff --git a/unleash/terraform/gcp/main.tf b/unleash/terraform/gcp/main.tf
@@ -0,0 +1,11 @@
+resource "kubernetes_namespace" "unleash" {
+  metadata {
+    name = var.namespace
+    labels = {
+      "app.kubernetes.io/managed-by" = "plural"
+      "app.plural.sh/name" = "unleash"
+      "platform.plural.sh/sync-target" = "pg"
+    }
+  }
+}
+