From 6de00cc5e59bf01eb2a7a3d5e9d68f2fb2f27427 Mon Sep 17 00:00:00 2001 From: Walkoss Date: Sat, 15 Apr 2023 14:16:24 +0200 Subject: [PATCH] feat: add oidc --- unleash/helm/unleash/Chart.lock | 7 +- unleash/helm/unleash/Chart.yaml | 6 +- .../helm/unleash/charts/oidc-config-0.1.6.tgz | Bin 0 -> 2137 bytes unleash/helm/unleash/templates/ingress.yaml | 61 ++++++++++++++++++ unleash/helm/unleash/values.yaml | 14 ++++ unleash/helm/unleash/values.yaml.tpl | 48 +++++++++++++- unleash/plural/notes.tpl | 9 ++- unleash/plural/recipes/unleash-aws.yaml | 4 ++ unleash/plural/recipes/unleash-azure.yaml | 4 ++ unleash/plural/recipes/unleash-gcp.yaml | 4 ++ unleash/repository.yaml | 3 + unleash/terraform/aws/main.tf | 30 +++++++++ unleash/terraform/azure/main.tf | 11 ++++ unleash/terraform/gcp/main.tf | 11 ++++ 14 files changed, 205 insertions(+), 7 deletions(-) create mode 100644 unleash/helm/unleash/charts/oidc-config-0.1.6.tgz create mode 100644 unleash/helm/unleash/templates/ingress.yaml create mode 100644 unleash/terraform/aws/main.tf create mode 100644 unleash/terraform/azure/main.tf create mode 100644 unleash/terraform/gcp/main.tf diff --git a/unleash/helm/unleash/Chart.lock b/unleash/helm/unleash/Chart.lock index 4a5f09bb2..f0a335fb7 100644 --- a/unleash/helm/unleash/Chart.lock +++ b/unleash/helm/unleash/Chart.lock @@ -5,5 +5,8 @@ dependencies: - name: unleash repository: https://docs.getunleash.io/helm-charts version: 2.8.0 -digest: sha256:552bc226be5e707e130af94d16402b37a8588fe3be7c7eca90dd275ffa3a2cd3 -generated: "2023-04-15T05:20:25.085317+02:00" +- name: oidc-config + repository: https://pluralsh.github.io/module-library + version: 0.1.6 +digest: sha256:e72b181785ed4af17a09f15eb96d8ed5eb97de0017d026e0847f2fc521317e01 +generated: "2023-04-15T13:09:41.222634+02:00" diff --git a/unleash/helm/unleash/Chart.yaml b/unleash/helm/unleash/Chart.yaml index cab5a7b3a..1c47b01d9 100644 --- a/unleash/helm/unleash/Chart.yaml +++ b/unleash/helm/unleash/Chart.yaml 
@@ -10,4 +10,8 @@ dependencies: repository: https://pluralsh.github.io/module-library - name: unleash version: 2.8.0 - repository: https://docs.getunleash.io/helm-charts \ No newline at end of file + repository: https://docs.getunleash.io/helm-charts +- name: oidc-config + version: 0.1.6 + repository: https://pluralsh.github.io/module-library + condition: oidc-config.enabled \ No newline at end of file 
diff --git a/unleash/helm/unleash/charts/oidc-config-0.1.6.tgz b/unleash/helm/unleash/charts/oidc-config-0.1.6.tgz new file mode 100644 index 0000000000000000000000000000000000000000..6369d78af562f537ba91e856ba6af44a7aa7bfca GIT binary patch literal 2137 zcmV-f2&VTRiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI?Ca~e6)&+GXV{orgp8($c(vB}m{-3tz8%T#RRV{kUPH!34_d9`gBQ?zTrsL!rZkZ+nm@c( z`EY-dMpF6?rJ{ldusrlgny$Yd_y=vj=_ROQNmFgdE<~C!qEW$wC>nzxnVug)D#gt$ zI5&c+kdP^aYpUmvvP=^8|7t}^`A3YkkRB%s44~kCp1w^n0FtJR#>8yrEmxv6{R6-4 z{cK(RH@0H@FA2*~Jw5>JivM==pdA10X6rfrpQ7zS52qw!8l3fQ^cI}L_x4~krwXV7 z0v|eOr}e3j3!*h9Fr^F)K@Vd_B*KzNN+t{yXaN(1lqiJ>P_6~sicEsWMQY*0_Y}qw zb>IO!L;?V+RE9Eui_=awJQLRC>{LP^Z;T;k?Vf1 zyv~hBZpZSR5LXnd=a4T0xclOH3gwcJ|k(fNPvw2&n@&IMEo@suJ<6c`X=bU_WcX#v^*->;Kf ztBu}yWN0a$fl4uc<$L`pNMuMm*kY9(H7({FdN>h6Z)6)b8ZB~MI^HLX>17jaaKOpxuctfjm+Yxy`uO}l=cmBVL{ zm@*P0)c#U~+PL=pp(GXy!JU-q>ry%zC*~a4!dLT#l{|pEJD@yfSyFv4-)&t@v${f0 zbM}70bMoVM*6$EAN7B^4T1Tu;MPvOkxVx)Z@)ZpryJl-eZoV<$lAy7;y7;P>d~zuLx+7f)KihZW~q-l=^Pg9jM!vv24Be5=m? zTyp+cFTox8-{J9t`p-WN;d+?QKPe!AQai`ZChEWti)3^VE z{28@Dc@~a_{cco2Tt(d-4Bqy`arpkCKMVsn`fa|2Vi^8D45O0(4v)5xL}B;RFsW&o zVQmZ1dFLz)VC;%s(0B&N}_`D1h4jgZ&2mUU%G& zqRVhNz8s!bnaI7RjgiW>=tR-D)9r>)G#(A!hUeQ36?F#}=ENdJP7_F_FfadyWZ`IR zz7K}|e{@Fu!TI{wfGVH=Ld@6Et4{QG4XjkeOg?O&`NXZ*Lz(P*$$)XR%#Gz>du zQI#fE^@9psTt?w=-0zLMr=9*;0JtEOJ+RnmKRh3e`@JgOtJ*^a?|fYpc8B3;`&t)u zRqNM|w{3l)hT+!V-GL;0hVb$VZ(qa9C1EC&FReqqw0E|pHN@fDjo#qBg>$`L_r4FH=Gts=ozyLl zuc1;=mH<9`07b2t<*(sodYu&2<^*#Zv(zglZh@n}pS?ev>-}u3uWH-wf14ydQUb86 z{`;nR{Gk4G^yc~ge~PvxysY_mB>>JxRv7@~FQUM@Kk_6MlY^&-_?O6v~gqqESYLGe@-n4#mj-{_x)T6(vWCdhUYt zT&Oh$tbirQ0m?PXC1C*^D;IP`&jV=WG3JJB%$B3h?5R=`W3&-|3!>xsxtVj{>kld` zc9D}?JzRQPP{lSF{Mkk?v|{}Gb7TuT<3i%2?y)oeTjls~9k-v~|4-8P;DTt4lH1>G zo$=v%jvOW#WeMdoNJ)G}W~kOb1*LC?7tz=l0zG#O>b! P009602f{X!04e|gp#VP9 literal 0 HcmV?d00001 
diff --git a/unleash/helm/unleash/templates/ingress.yaml b/unleash/helm/unleash/templates/ingress.yaml new file mode 100644 index 000000000..8a13fb344 --- /dev/null +++ b/unleash/helm/unleash/templates/ingress.yaml 
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := index .Values "oidc-config" "service" "name" -}} +{{- $svcPort := index .Values "oidc-config" "service" "webPort" -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "unleash-plural.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
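Review bot: The ingress is rendered from `ingress.enabled` alone while its backend is hard-wired to the oidc-config Service name and port (`$fullName`/`$svcPort`), so `ingress.enabled: true` with `oidc-config.enabled: false` publishes a hostname whose backend Service does not exist; guard the template with both flags, `{{- if and .Values.ingress.enabled (index .Values "oidc-config" "enabled") -}}`. The `tls` section is optional, so a values override that omits it would serve the oauth2-proxy login flow and its session cookie over plain HTTP; either document in values.yaml that `ingress.tls` is required when fronting the proxy or add a comment above the `tls` block saying so. `pathType` is only emitted when set, which is fine on the versions checked here, but a comment noting that `networking.k8s.io/v1` requires it would help the next maintainer.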
diff --git a/unleash/helm/unleash/values.yaml b/unleash/helm/unleash/values.yaml index b5c0e4a2e..3978eb6fb 100644 --- a/unleash/helm/unleash/values.yaml +++ b/unleash/helm/unleash/values.yaml @@ -26,3 +26,17 @@ unleash: key: password ssl: '{\"rejectUnauthorized\": false}' +oidc-config: + enabled: false + service: + name: unleash-oauth2-proxy + selector: + app.kubernetes.io/instance: unleash + app.kubernetes.io/name: unleash + secret: + upstream: http://localhost:4242 + env: + OAUTH2_PROXY_UPSTREAM_TIMEOUT: '120s' + +ingress: + enabled: false \ No newline at end of file diff --git a/unleash/helm/unleash/values.yaml.tpl b/unleash/helm/unleash/values.yaml.tpl index 546f9b309..0a2dcf593 100644 --- a/unleash/helm/unleash/values.yaml.tpl +++ b/unleash/helm/unleash/values.yaml.tpl @@ -1,4 +1,8 @@ unleash: + {{- if .OIDC }} + ingress: + enabled: false + {{ else }} ingress: enabled: true className: "nginx" @@ -14,10 +18,11 @@ unleash: - secretName: unleash-tls hosts: - {{ .Values.hostname }} + {{ end }} env: - name: UNLEASH_URL value: {{ .Values.hostname }} - {{ if .SMTP }} + {{ if .SMTP }} - name: EMAIL_SERVER_HOST value: {{ .SMTP.Server }} - name: EMAIL_SERVER_USER 
@@ -28,4 +33,43 @@ unleash: value: {{ .SMTP.Port }} - name: EMAIL_FROM value: {{ .SMTP.Sender }} - {{ end }} \ No newline at end of file + {{ end }} +{{ if .OIDC }} + - name: AUTH_TYPE + value: none + podLabels: + security.plural.sh/inject-oauth-sidecar: "true" + podAnnotations: + security.plural.sh/oauth-env-secret: "unleash-proxy-config" + {{ if .Values.users }} + security.plural.sh/htpasswd-secret: httpaswd-users + {{ end }} +{{ $prevSecret := dedupe . "unleash.oidc-config.cookieSecret" (randAlphaNum 32) }} +oidc-config: + enabled: true + secret: + name: unleash-proxy-config + issuer: {{ .OIDC.Configuration.Issuer }} + clientID: {{ .OIDC.ClientId }} + clientSecret: {{ .OIDC.ClientSecret }} + cookieSecret: {{ dedupe . "unleash.oidc-config.secret.cookieSecret" $prevSecret }} + {{ if .Values.users }} + users: + {{ toYaml .Values.users | nindent 4 }} + {{ end }} +ingress: + enabled: true + className: "nginx" + annotations: + kubernetes.io/tls-acme: "true" + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: {{ .Values.hostname }} + paths: + - path: '/' + pathType: ImplementationSpecific + tls: + - secretName: unleash-tls + hosts: + - {{ .Values.hostname }} +{{ end }} \ No newline at end of file diff --git a/unleash/plural/notes.tpl b/unleash/plural/notes.tpl index 100e842a3..ebb0f52e9 100644 --- a/unleash/plural/notes.tpl +++ b/unleash/plural/notes.tpl 
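Review bot: `AUTH_TYPE: none` in the OIDC branch turns off Unleash's own authentication and makes the injected oauth2-proxy sidecar the only gate, but the upstream chart's ClusterIP Service on port 4242 is not touched by this change, so any in-cluster client can presumably reach the admin UI and API without passing through the proxy; a NetworkPolicy restricting ingress to that port (or disabling the upstream Service) should land with this commit. Because the proxy forwards to `http://localhost:4242` and Unleash is told there is no auth, every OIDC user likely reaches Unleash as the same principal, so per-user audit and RBAC inside Unleash are lost — worth stating in notes.tpl or a values comment. `clientID: {{ .OIDC.ClientId }}` and `clientSecret: {{ .OIDC.ClientSecret }}` are rendered unquoted, so a value that looks numeric or starts with a YAML indicator is retyped or breaks parsing; render them as `clientSecret: {{ .OIDC.ClientSecret | quote }}`. The annotation value `httpaswd-users` looks like a misspelling of the htpasswd secret name the injector expects — confirm against the sidecar injector before merging.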
@@ -1,3 +1,8 @@ Your unleash installation is available at https://{{ .Values.hostname }} -The default login is admin/unleash4all. -We strongly recommend you change it at https://{{ .Values.hostname }}/profile/change-password \ No newline at end of file +{{ if .OIDC }} +Your directus has been configured with OAuth against your plural account! +{{ else }} +You are using standard username/password authentication, so user management will be manual. +The default login is admin/unleash4all. We recommend to change it at https://{{ .Values.hostname }}/profile/change-password +We strongly recommend that you consider installing with OIDC enabled. +{{ end }} diff --git a/unleash/plural/recipes/unleash-aws.yaml b/unleash/plural/recipes/unleash-aws.yaml index 72137ee71..204e5ffce 100644 --- a/unleash/plural/recipes/unleash-aws.yaml +++ b/unleash/plural/recipes/unleash-aws.yaml @@ -1,6 +1,10 @@ name: unleash-aws description: Installs unleash on an aws eks cluster provider: AWS +oidcSettings: + uriFormat: https://{domain}/oauth2/callback + authMethod: POST + domainKey: hostname dependencies: - repo: bootstrap name: aws-k8s diff --git a/unleash/plural/recipes/unleash-azure.yaml b/unleash/plural/recipes/unleash-azure.yaml index 6d1e5bf28..7a5bc36f0 100644 --- a/unleash/plural/recipes/unleash-azure.yaml +++ b/unleash/plural/recipes/unleash-azure.yaml @@ -1,6 +1,10 @@ name: unleash-azure description: Installs unleash on an azure aks cluster provider: AZURE +oidcSettings: + uriFormat: https://{domain}/oauth2/callback + authMethod: POST + domainKey: hostname dependencies: - repo: bootstrap name: azure-k8s diff --git a/unleash/plural/recipes/unleash-gcp.yaml b/unleash/plural/recipes/unleash-gcp.yaml index b4574fe7d..0d892630e 100644 --- a/unleash/plural/recipes/unleash-gcp.yaml +++ b/unleash/plural/recipes/unleash-gcp.yaml 
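Review bot: The OIDC branch prints `Your directus has been configured with OAuth against your plural account!`, which looks copy-pasted from another app's notes; it should read `Your unleash installation has been configured with OAuth against your plural account!`. The non-OIDC branch still prints the well-known `admin/unleash4all` credentials; since those are public, say explicitly that the instance is administrable by anyone who knows them until they are changed, e.g. `The default login is admin/unleash4all; until you change it, anyone who knows it can administer this instance.`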
@@ -1,6 +1,10 @@ name: unleash-gcp description: Installs unleash on an gcp gke cluster provider: GCP +oidcSettings: + uriFormat: https://{domain}/oauth2/callback + authMethod: POST + domainKey: hostname dependencies: - repo: bootstrap name: gcp-k8s diff --git a/unleash/repository.yaml b/unleash/repository.yaml index eb7755924..c1b9cdf16 100644 --- a/unleash/repository.yaml +++ b/unleash/repository.yaml @@ -7,5 +7,8 @@ icon: plural/icons/unleash.png notes: plural/notes.tpl homepage: https://www.getunleash.io/ gitUrl: https://github.com/Unleash/unleash +oauthSettings: + uriFormat: https://{domain}/oauth2/callback + authMethod: POST contributors: - walkoss@pm.me diff --git a/unleash/terraform/aws/main.tf b/unleash/terraform/aws/main.tf new file mode 100644 index 000000000..c85c76396 --- /dev/null +++ b/unleash/terraform/aws/main.tf @@ -0,0 +1,30 @@ +resource "kubernetes_namespace" "unleash" { + metadata { + name = var.namespace + labels = { + "app.kubernetes.io/managed-by" = "plural" + "app.plural.sh/name" = "unleash" + "platform.plural.sh/sync-target" = "pg" + } + } +} + + +data "aws_iam_role" "postgres" { + name = "${var.cluster_name}-postgres" +} + +resource "kubernetes_service_account" "postgres" { + metadata { + name = "postgres-pod" + namespace = var.namespace + + annotations = { + "eks.amazonaws.com/role-arn" = data.aws_iam_role.postgres.arn + } + } + + depends_on = [ + kubernetes_namespace.unleash + ] +} diff --git a/unleash/terraform/azure/main.tf b/unleash/terraform/azure/main.tf new file mode 100644 index 000000000..75893355d --- /dev/null +++ b/unleash/terraform/azure/main.tf @@ -0,0 +1,11 @@ +resource "kubernetes_namespace" "unleash" { + metadata { + name = var.namespace + labels = { + "app.kubernetes.io/managed-by" = "plural" + "app.plural.sh/name" = "unleash" + "platform.plural.sh/sync-target" = "pg" + } + } +} + diff --git a/unleash/terraform/gcp/main.tf b/unleash/terraform/gcp/main.tf new file mode 100644 index 000000000..75893355d --- /dev/null 
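Review bot: In `unleash/terraform/aws/main.tf`, `kubernetes_service_account.postgres` attaches the shared `${var.cluster_name}-postgres` IAM role to a `postgres-pod` service account in the unleash namespace via `eks.amazonaws.com/role-arn`, so any pod in this namespace that runs as that SA inherits the role's AWS permissions; the role's trust policy is not in this diff, so confirm it is scoped to `system:serviceaccount:<namespace>:postgres-pod` rather than the cluster's whole OIDC provider, and that only the postgres pods use this SA. A short comment above the `data "aws_iam_role"` block naming which bootstrap module creates that role and what it grants (presumably S3 backup access) would save the next reader a search. The Azure and GCP files create only the namespace, so the `platform.plural.sh/sync-target: pg` label presumably drives credential sync there — a one-line comment on what consumes that label would help.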
+++ b/unleash/terraform/gcp/main.tf @@ -0,0 +1,11 @@ +resource "kubernetes_namespace" "unleash" { + metadata { + name = var.namespace + labels = { + "app.kubernetes.io/managed-by" = "plural" + "app.plural.sh/name" = "unleash" + "platform.plural.sh/sync-target" = "pg" + } + } +} +