From 8cfaced2b5cf7c7e83a4182bcec4672918054aee Mon Sep 17 00:00:00 2001
From: vvondruska
Date: Thu, 27 Jun 2024 09:20:05 +0200
Subject: [PATCH 1/6] Adding default config

---
 helm/auth-bundle/templates/_helpers.tpl | 54 +++++++++++++++++++++++++
 helm/auth-bundle/templates/apps.yaml | 20 +++++++--
 helm/auth-bundle/values.yaml | 2 +-
 3 files changed, 71 insertions(+), 5 deletions(-)

diff --git a/helm/auth-bundle/templates/_helpers.tpl b/helm/auth-bundle/templates/_helpers.tpl
index c564ff2..9abfe09 100644
--- a/helm/auth-bundle/templates/_helpers.tpl
+++ b/helm/auth-bundle/templates/_helpers.tpl
@@ -45,3 +45,57 @@ giantswarm.io/service-type: managed
 application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
 helm.sh/chart: {{ include "chart" . | quote }}
 {{- end -}}
+
+{{- define "default.config.oidc.connectors" -}}
+ connectors:
+ {{- range $connector := .connectors }}
+ - id: {{ $connector.id }}
+ connectorName: {{ $connector.connectorName }}
+ connectorType: {{ $connector.connectorType }}
+ connectorConfig: |-
+ {{- (merge (fromYaml $connector.connectorConfig) (dict "redirectURI" (printf "https://dex.%s/callback" $.baseDomain))) | toYaml | nindent 6 }}
+ {{- end }}
+{{- end -}}
+
+{{- define "default.config" -}}
+{{- if .Values.defaultConfig -}}
+dex-app:
+ userConfig:
+ configMap:
+ values: |
+ isWorkloadCluster: {{ ne .Values.managementCluster .Values.clusterID }}
+ deployDexK8SAuthenticator: {{ eq .Values.defaultConfig.deployDexK8SAuthenticator true }}
+ {{ if .Values.defaultConfig.oidc.expiry -}}
+ oidc:
+ expiry:
+ {{- .Values.defaultConfig.oidc.expiry | toYaml | nindent 12 -}}
+ {{- end }}
+ secret:
+ values: |
+ oidc:
+{{- if .Values.defaultConfig.oidc.customer }}
+ customer:
+ {{- (include "default.config.oidc.connectors" (dict "connectors" .Values.defaultConfig.oidc.customer.connectors "baseDomain" .Values.baseDomain)) | nindent 12 }}
+{{ end -}}
+{{- if .Values.defaultConfig.oidc.giantswarm }}
+ giantswarm:
+ {{- (include "default.config.oidc.connectors" (dict "connectors" .Values.defaultConfig.oidc.giantswarm.connectors "baseDomain" .Values.baseDomain)) | nindent 12 }}
+{{ end -}}
+athena:
+ userConfig:
+ configMap:
+ values: |-
+ managementCluster:
+ name: {{ .Values.managementCluster }}
+ingress-nginx:
+ enabled: true
+rbac-bootstrap:
+ userConfig:
+ configMap:
+ values: |
+ bindings:
+ {{- .Values.defaultConfig.rbac | toYaml | nindent 8 }}
+{{- else -}}
+{}
+{{- end -}}
+{{- end -}}
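Review bot: `default.config.oidc.connectors` interpolates `$.baseDomain` into `https://dex.%s/callback` without checking that it is set, and this same commit defaults `baseDomain` to `""` in values.yaml, so a `defaultConfig` that omits the value renders `https://dex./callback` into every connector's `redirectURI` instead of failing; wrap it as `(printf "https://dex.%s/callback" (required "baseDomain must be set when defaultConfig is used" $.baseDomain))`. Helm's `fromYaml` does not abort on malformed input either — it returns a map carrying an `Error` key — so a typo in a user's `connectorConfig` ends up in the Secret as `Error: ...` rather than stopping the install; a `required` on `$connector.connectorConfig` at least catches the empty case. `merge` keeps keys already present in its first argument, so a user-supplied `redirectURI` wins over the generated one, which is what the README promises; a comment above that line, `{{/* user-supplied redirectURI takes precedence: merge keeps existing keys of its first argument */}}`, would stop a future "fix" of the argument order. The split of `expiry` into `configMap.values` and the connectors (which carry client secrets) into `secret.values` is the right one; a one-line comment on `secret:` saying that connector config must stay there would keep it that way.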
diff --git a/helm/auth-bundle/templates/apps.yaml b/helm/auth-bundle/templates/apps.yaml
index 8dcd547..069a479 100644
--- a/helm/auth-bundle/templates/apps.yaml
+++ b/helm/auth-bundle/templates/apps.yaml
@@ -1,4 +1,5 @@
-{{- range $key, $value := .Values.apps }}
+{{ $defaultConfig := fromYaml (include "default.config" .) -}}
+{{- range $key, $value := (merge .Values.apps $defaultConfig) }}
 {{- $appName := include "app.name" (dict "app" .appName "cluster" $.Values.clusterID "ns" $.Release.Namespace) }}
 {{- if .enabled }}
 ---
@@ -38,7 +39,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
- {{- end }}
+ {{- end }}
 kubeConfig:
 {{- if eq $.Release.Namespace "giantswarm" }} ## Vintage MCs do not have a kubeconfig secret
 inCluster: true
@@ -78,6 +79,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- if .userConfig }}
+{{- $appDefaultConfig := index $defaultConfig $appName -}}
 {{- if .userConfig.configMap }}
 ---
 apiVersion: v1
@@ -89,7 +91,12 @@ metadata:
 name: {{ $appName }}-user-values
 namespace: {{ $.Release.Namespace }}
 data:
- {{- (tpl (.userConfig.configMap | toYaml | toString) $) | nindent 2 }}
+ values: |
+ {{- if $appDefaultConfig.userConfig.configMap.values -}}
+ {{- (merge (fromYaml .userConfig.configMap.values) (fromYaml (toString $appDefaultConfig.userConfig.configMap.values))) | toYaml | nindent 4 }}
+ {{- else -}}
+ {{- (fromYaml .userConfig.configMap.values) | toYaml | nindent 4 }}
+ {{- end -}}
 {{- end }}
 {{- if .userConfig.secret }}
 ---
@@ -102,7 +109,12 @@ metadata:
 name: {{ $appName }}-user-secrets
 namespace: {{ $.Release.Namespace }}
 stringData:
- {{- (tpl (.userConfig.secret | toYaml | toString) $) | nindent 2 }}
+ values: |
+ {{- if $appDefaultConfig.userConfig.secret.values -}}
+ {{- (merge (fromYaml .userConfig.secret.values) (fromYaml (toString $appDefaultConfig.userConfig.secret.values))) | toYaml | nindent 4 }}
+ {{- else -}}
+ {{- (fromYaml .userConfig.secret.values) | toYaml | nindent 4 }}
+ {{- end -}}
 {{- end }}
 {{- end }}
 {{- end }}
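Review bot: `{{- $appDefaultConfig := index $defaultConfig $appName -}}` (third hunk) evaluates to nil for any app without a default entry — every app once `defaultConfig` is unset, because `default.config` then renders `{}` — and the following `{{- if $appDefaultConfig.userConfig.configMap.values -}}` in the fourth hunk (and its `secret` twin in the fifth) aborts the render with a nil-pointer evaluation error, so plain Full-configuration installs with any `userConfig` break. The lookup also uses `$appName`, the result of `app.name`, whereas `default.config` keys its entries by the bare app name (`dex-app`, `athena`, …); if `app.name` prefixes the cluster ID (not visible here) nothing ever matches and `$key` is the right index. Two silent behaviour changes deserve a line in the commit message: the removed `tpl (... | toYaml | toString) $` lines rendered `{{ }}` expressions inside user values, which the new code no longer does, and only the `values` key of `userConfig.configMap`/`userConfig.secret` is emitted now, so any other key the old `toYaml` dump carried is dropped. Be aware too that Sprig's `merge` mutates its first argument and treats zero values in it as unset, so `merge .Values.apps $defaultConfig` in the first hunk rewrites `.Values.apps` in place and will, as far as I can tell, turn a user's `enabled: false` into the default's `enabled: true`. The fence below rewrites the ConfigMap branch to tolerate a missing default entry and restore `tpl` (`dig` needs a Sprig that provides it; otherwise nest `if` checks); the Secret branch takes the same shape, and the `range` enclosing all five hunks ends outside them.
```yaml
{{- $appDefaultConfig := index $defaultConfig $key | default dict -}}
{{- if .userConfig.configMap }}
{{/* … unchanged: ConfigMap apiVersion, kind and metadata … */}}
data:
  values: |
    {{- $defaultValues := dig "userConfig" "configMap" "values" "" $appDefaultConfig -}}
    {{- if $defaultValues -}}
    {{- (merge (fromYaml (tpl .userConfig.configMap.values $)) (fromYaml (toString $defaultValues))) | toYaml | nindent 4 }}
    {{- else -}}
    {{- (fromYaml (tpl .userConfig.configMap.values $)) | toYaml | nindent 4 }}
    {{- end -}}
```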
diff --git a/helm/auth-bundle/values.yaml b/helm/auth-bundle/values.yaml
index 549f7f2..6afde5f 100644
--- a/helm/auth-bundle/values.yaml
+++ b/helm/auth-bundle/values.yaml
@@ -1,5 +1,5 @@
+baseDomain: ""
 clusterID: ""
-organization: ""
 managementCluster: ""
 
 apps:

From 31b770534be73acfb9dca44dd733a6283c392097 Mon Sep 17 00:00:00 2001
From: vvondruska
Date: Tue, 2 Jul 2024 08:28:00 +0200
Subject: [PATCH 2/6] Fixed processing rbac default config

---
 helm/auth-bundle/templates/_helpers.tpl | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/helm/auth-bundle/templates/_helpers.tpl b/helm/auth-bundle/templates/_helpers.tpl
index 9abfe09..259bbef 100644
--- a/helm/auth-bundle/templates/_helpers.tpl
+++ b/helm/auth-bundle/templates/_helpers.tpl
@@ -89,12 +89,14 @@ athena:
 name: {{ .Values.managementCluster }}
 ingress-nginx:
 enabled: true
+{{- if .Values.defaultConfig.rbac }}
 rbac-bootstrap:
 userConfig:
 configMap:
 values: |
 bindings:
 {{- .Values.defaultConfig.rbac | toYaml | nindent 8 }}
+{{ end -}}
 {{- else -}}
 {}
 {{- end -}}

From 7f7c41128953f34f9133891537b495df42feff8a Mon Sep 17 00:00:00 2001
From: vvondruska
Date: Tue, 2 Jul 2024 08:28:11 +0200
Subject: [PATCH 3/6] Updated json schema

---
 helm/auth-bundle/values.schema.json | 129 ++++++++++++++++++++++++++++
 1 file changed, 129 insertions(+)

diff --git a/helm/auth-bundle/values.schema.json b/helm/auth-bundle/values.schema.json
index 14eef3d..0b69b25 100644
--- a/helm/auth-bundle/values.schema.json
+++ b/helm/auth-bundle/values.schema.json
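Review bot: `-organization: ""` removes a top-level value outright, and the CHANGELOG entry later in this series only records the new simplified configuration, so users whose values files still set `organization` get no hint that the key is now dead; a changelog line naming the removal, and a commit-message sentence saying where the value used to be consumed, would cover that. `baseDomain: ""` is what `default.config.oidc.connectors` interpolates into `https://dex.%s/callback`, so the empty default can never be a working value once `defaultConfig` is used; a comment on the line, `# Required when defaultConfig is set: domain used to build the Dex callback URL (https://dex.<baseDomain>/callback)`, makes that visible to the next person editing this file.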
@@ -61,10 +61,139 @@
 "type": "string"
 }
 }
+ },
+ "connector": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string"
+ },
+ "connectorName": {
+ "type": "string"
+ },
+ "connectorType": {
+ "type": "string"
+ },
+ "connectorConfig": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "connectorName",
+ "connectorType",
+ "connectorConfig"
+ ]
+ },
+ "owner": {
+ "type": "object",
+ "properties": {
+ "connectors": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/connector"
+ }
+ }
+ },
+ "required": [
+ "connectors"
+ ]
+ },
+ "rbacRule": {
+ "type": "object",
+ "properties": {
+ "role": {
+ "type": "string"
+ },
+ "namespaces": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "groups": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "users": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ },
+ "required": [
+ "role"
+ ],
+ "anyOf": [
+ {
+ "required": [
+ "groups"
+ ]
+ },
+ {
+ "required": [
+ "users"
+ ]
+ }
+ ]
 }
 },
 "type": "object",
 "properties": {
+ "defaultConfig": {
+ "type": "object",
+ "properties": {
+ "deployDexK8SAuthenticator": {
+ "type": "boolean"
+ },
+ "oidc": {
+ "type": "object",
+ "properties": {
+ "expiry": {
+ "type": "object",
+ "properties": {
+ "signingKeys": {
+ "type": "string"
+ },
+ "idTokens": {
+ "type": "string"
+ }
+ }
+ },
+ "customer": {
+ "$ref": "#/$defs/owner"
+ },
+ "giantswarm": {
+ "$ref": "#/$defs/owner"
+ }
+ },
+ "anyOf": [
+ {
+ "required": [
+ "customer"
+ ]
+ },
+ {
+ "required": [
+ "giantswarm"
+ ]
+ }
+ ]
+ },
+ "rbac": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/rbacRule"
+ }
+ }
+ },
+ "required": [
+ "oidc"
+ ]
+ },
 "apps": {
 "type": "object",
 "properties": {

From d199a40a89b066b72e70ee0602dbbb7ff49e4a21 Mon Sep 17 00:00:00 2001
From: vvondruska
Date: Wed, 3 Jul 2024 09:23:12 +0200
Subject: [PATCH 4/6] Updated changelog

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
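Review bot: `baseDomain`, added to values.yaml in the first patch and consumed by the connector helper for the Dex callback URL, is not declared in the `properties` this hunk adds; unless it is declared elsewhere in the file (not visible here), add `"baseDomain": { "type": "string" }` beside `defaultConfig` so a missing or mistyped value fails `helm lint` instead of rendering `https://dex./callback`. `connectorConfig` is validated only as `"type": "string"` because the template parses it with `fromYaml` later; that is fine, but a `"description"` stating that the value must be a YAML document in Dex's per-connector format and that `redirectURI` is optional would carry the README's contract into the schema. `rbacRule.role` and the `namespaces`, `groups` and `users` items accept any string, including empty ones; `"minLength": 1` on them costs nothing and stops an empty binding reaching `rbac-bootstrap`. The `anyOf` on `oidc` requires `customer` or `giantswarm` while `defaultConfig` requires only `oidc`, which matches the README; a `"description"` on `deployDexK8SAuthenticator` noting the deprecation the README in patch 6 mentions would keep the two in step.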
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e207b98..3b954af 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +- added support for simplified configuration of the auth bundle apps, which minimizes the number pf properties the user needs to provide manually. + ## [0.1.4] - 2024-04-25 - changed: README.md to include more information.

From 85a7168c47afafd009dfe80cc249334277f28772 Mon Sep 17 00:00:00 2001
From: vvondruska
Date: Thu, 4 Jul 2024 08:27:21 +0200
Subject: [PATCH 5/6] Updated readme

---
 README.md | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 91 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 6f358a9..c0c4c6f 100644
--- a/README.md
+++ b/README.md
@@ -28,8 +28,96 @@ The auth-bundle can be installed using Giant Swarm's web interface or via direct ## Configuring +The auth-bundle can be configured in 2 different ways: "Default configuration" and "Full configuration". These 2 ways can be combined if needed. + +### Default configuration + +Default configuration minimizes manual setup and performs the most of the auth-bundle apps' configuration automatically. +You only need to provide the configuration of Dex connectors you intend to use and basic rbac setup. +Everything else is taken care of automatically. + +Default configuration is suitable for basic use cases, which do not require any fine-tuning. + +#### Config properties + +```yaml +# Optional: Default configuration root object +defaultConfig: + + # Optional: Determines whether the K8s Authenticator is deployed together with Dex + deployDexK8SAuthenticator: false + + # Required: In case the defaultConfig is defined, the oidc property is required + oidc: + + # Optional: Defines expiration rules for tokens generated by Dex + expiry: + signingKeys: 6h + idTokens: 30m + + # Required: Specification of Dex connectors + customer: + connectors: + - id: CONNECTOR_ID # common name is "customer" + connectorName: CONNECTOR_NAME + connectorType: CONNECTOR_TYPE # e.g. "microsoft", "github", etc. + connectorConfig: |- # specific configuration based on connector type, structure comes from Dex. 
+ clientID: CLIENT_ID + clientSecret: CLIENT_SECRET + tenant: TENANT_ID + redirectURI: CALLBACK_URL # optional: if omitted, it will be provided automatically + + # Optional but recommended: RBAC setup + rbac: + - role: ROLE_NAME # required + namespaces: # optional: if omitted, cluster-wide bindings are created + - NAMESPACE + groups: # either groups or users or both are required + - CUSTOMER_GROUP_NAME + users: + - USER_NAME +``` + +Ensure that you [enable the required OIDC settings on the cluster resource](https://docs.giantswarm.io/advanced/access-management/configure-dex-in-your-cluster/#configure-the-oidc-values-on-the-cluster-resource). + +Most Dex connectors require credentials to be provided in the configuration. +Therefore, it is recommended to [include the default configuration in a secret](https://docs.giantswarm.io/vintage/getting-started/app-platform/app-configuration/#example-secret) when installing the auth-bundle. + +Connector configuration (`defaultConfig.oidc.customer.connectors[n].connectorConfig`) format depends on the connector type (`defaultConfig.oidc.customer.connectors[n].connectorType`). +All supported connector types and configuration formats can be found in [Dex documentation](https://dexidp.io/docs/connectors/). + +#### Example configuration + +This example shows the minimum required configuration. + +```yaml +defaultConfig: + oidc: + customer: + connectors: + - id: customer + connectorName: your_name_here + connectorType: microsoft + connectorConfig: | + clientID: CLIENT_ID + clientSecret: CLIENT_SECRET + tenant: TENANT_ID + rbac: + - role: cluster-admin + groups: + - CUSTOMER_GROUP_NAME +``` + +### Full configuration + +Full configuration enables you to set up each app in the auth-bundle separately. +It requires more values to be provided manually, but it supports more advanced and fine-tuned configurations for more complex use cases. + Each app within the `auth-bundle` can be configured to meet your specific needs. 
For each app you can use `userConfig` to supply values or `extraConfigs` as secret or configmap -### Example configuration + +In case both Default configuration and Full configuration are specified, the Full configuration takes priority and overwrites the intersecting sections of the Default configuration. + +#### Example configuration ```yaml apps: athena:
@@ -48,13 +136,13 @@ apps: ingress-nginx: enabled: false ``` -### [Dex-app](https://github.com/giantswarm/dex-app) Configuration +#### [Dex-app](https://github.com/giantswarm/dex-app) Configuration - **Enable access to your cluster via dex**: ensure that the needed [oidc settings are enabled on the cluster resource.](https://docs.giantswarm.io/advanced/access-management/configure-dex-in-your-cluster/#configure-the-oidc-values-on-the-cluster-resource) - **Deploying Dex K8s Authenticator**: Optional based on requirements. Can be enabled with `deployDexK8SAuthenticator: true`. - **Copying OIDC Configuration**: It's possible to copy the OIDC part from the MC to the WC, ensuring seamless authentication across clusters. -### [Athena](https://github.com/giantswarm/athena) Configuration +#### [Athena](https://github.com/giantswarm/athena) Configuration - **Setup Guide**: Detailed instructions on setting up Athena for authentication management, highlighting its integration with Dex in Workload Clusters.

From 0e76e754bae51e3aa15f0bf1749c90abb648dbbe Mon Sep 17 00:00:00 2001
From: vvondruska
Date: Thu, 4 Jul 2024 08:54:56 +0200
Subject: [PATCH 6/6] Updated readme

---
 README.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index c0c4c6f..5fd244a 100644
--- a/README.md
+++ b/README.md
@@ -44,7 +44,9 @@ Default configuration is suitable for basic use cases, which do not require any # Optional: Default configuration root object defaultConfig: - # Optional: Determines whether the K8s Authenticator is deployed together with Dex + # Optional: Determines whether the K8s Authenticator is deployed together with Dex. + # The K8s Authenticator is deprecated and will be removed in the future versions of the platform. + # It does not need to be deployed unless there is an existing need for it originating in the past while using legacy versions of the platform. deployDexK8SAuthenticator: false # Required: In case the defaultConfig is defined, the oidc property is required @@ -88,7 +90,7 @@ All supported connector types and configuration formats can be found in [Dex doc #### Example configuration -This example shows the minimum required configuration. +This example shows the minimum required configuration for [Microsoft connector in Dex](https://dexidp.io/docs/connectors/microsoft/). ```yaml defaultConfig: