Adding default config

CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+- added support for simplified configuration of the auth bundle apps, which minimizes the number pf properties the user needs to provide manually.
+
 ## [0.1.4] - 2024-04-25
 
 - changed: README.md to include more information.

README.md

@@ -28,8 +28,98 @@ The auth-bundle can be installed using Giant Swarm's web interface or via direct
 
 ## Configuring
 
+The auth-bundle can be configured in 2 different ways: "Default configuration" and "Full configuration". These 2 ways can be combined if needed.
+
+### Default configuration
+
+Default configuration minimizes manual setup and performs the most of the auth-bundle apps' configuration automatically.
+You only need to provide the configuration of Dex connectors you intend to use and basic rbac setup. 
+Everything else is taken care of automatically.
+
+Default configuration is suitable for basic use cases, which do not require any fine-tuning.
+
+#### Config properties
+
+```yaml
+# Optional: Default configuration root object
+defaultConfig:
+
+  # Optional: Determines whether the K8s Authenticator is deployed together with Dex.
+  # The K8s Authenticator is deprecated and will be removed in the future versions of the platform.
+  # It does not need to be deployed unless there is an existing need for it originating in the past while using legacy versions of the platform.
+  deployDexK8SAuthenticator: false
+
+  # Required: In case the defaultConfig is defined, the oidc property is required
+  oidc:
+
+     # Optional: Defines expiration rules for tokens generated by Dex
+     expiry:
+        signingKeys: 6h
+        idTokens: 30m
+
+     # Required: Specification of Dex connectors
+     customer: 
+        connectors:
+           - id: CONNECTOR_ID # common name is "customer"
+             connectorName: CONNECTOR_NAME
+             connectorType: CONNECTOR_TYPE # e.g. "microsoft", "github", etc.
+             connectorConfig: |- # specific configuration based on connector type, structure comes from Dex.
+                clientID: CLIENT_ID
+                clientSecret: CLIENT_SECRET
+                tenant: TENANT_ID
+                redirectURI: CALLBACK_URL # optional: if omitted, it will be provided automatically
+
+  # Optional but recommended: RBAC setup
+  rbac:
+  - role: ROLE_NAME # required
+    namespaces: # optional: if omitted, cluster-wide bindings are created
+    - NAMESPACE
+    groups: # either groups or users or both are required
+    - CUSTOMER_GROUP_NAME
+    users:
+    - USER_NAME
+```
+
+Ensure that you [enable the required OIDC settings on the cluster resource](https://docs.giantswarm.io/advanced/access-management/configure-dex-in-your-cluster/#configure-the-oidc-values-on-the-cluster-resource).
+
+Most Dex connectors require credentials to be provided in the configuration. 
+Therefore, it is recommended to [include the default configuration in a secret](https://docs.giantswarm.io/vintage/getting-started/app-platform/app-configuration/#example-secret) when installing the auth-bundle.
+
+Connector configuration (`defaultConfig.oidc.customer.connectors[n].connectorConfig`) format depends on the connector type (`defaultConfig.oidc.customer.connectors[n].connectorType`). 
+All supported connector types and configuration formats can be found in [Dex documentation](https://dexidp.io/docs/connectors/).
+
+#### Example configuration
+
+This example shows the minimum required configuration for [Microsoft connector in Dex](https://dexidp.io/docs/connectors/microsoft/).
+
+```yaml
+defaultConfig:
+  oidc:
+     customer: 
+        connectors:
+           - id: customer
+             connectorName: your_name_here
+             connectorType: microsoft
+             connectorConfig: |
+                clientID: CLIENT_ID
+                clientSecret: CLIENT_SECRET
+                tenant: TENANT_ID
+  rbac:
+  - role: cluster-admin
+    groups:
+    - CUSTOMER_GROUP_NAME
+```
+
+### Full configuration
+
+Full configuration enables you to set up each app in the auth-bundle separately. 
+It requires more values to be provided manually, but it supports more advanced and fine-tuned configurations for more complex use cases.
+
 Each app within the `auth-bundle` can be configured to meet your specific needs. For each app you can use `userConfig` to supply values or `extraConfigs` as secret or configmap
-### Example configuration
+
+In case both Default configuration and Full configuration are specified, the Full configuration takes priority and overwrites the intersecting sections of the Default configuration. 
+
+#### Example configuration
 ```yaml
 apps:
   athena:
@@ -48,13 +138,13 @@ apps:
   ingress-nginx:
     enabled: false
 ```
-### [Dex-app](https://github.com/giantswarm/dex-app) Configuration
+#### [Dex-app](https://github.com/giantswarm/dex-app) Configuration
 
 - **Enable access to your cluster via dex**: ensure that the needed [oidc settings are enabled on the cluster resource.](https://docs.giantswarm.io/advanced/access-management/configure-dex-in-your-cluster/#configure-the-oidc-values-on-the-cluster-resource)
 - **Deploying Dex K8s Authenticator**: Optional based on requirements. Can be enabled with `deployDexK8SAuthenticator: true`.
 - **Copying OIDC Configuration**: It's possible to copy the OIDC part from the MC to the WC, ensuring seamless authentication across clusters.
 
-### [Athena](https://github.com/giantswarm/athena) Configuration
+#### [Athena](https://github.com/giantswarm/athena) Configuration
 
 - **Setup Guide**: Detailed instructions on setting up Athena for authentication management, highlighting its integration with Dex in Workload Clusters.
 

helm/auth-bundle/templates/_helpers.tpl

@@ -45,3 +45,59 @@ giantswarm.io/service-type: managed
 application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
 helm.sh/chart: {{ include "chart" . | quote }}
 {{- end -}}
+
+{{- define "default.config.oidc.connectors" -}}
+  connectors:
+  {{- range $connector := .connectors }}
+  - id: {{ $connector.id }}
+    connectorName: {{ $connector.connectorName }}
+    connectorType: {{ $connector.connectorType }}
+    connectorConfig: |-
+    {{- (merge (fromYaml $connector.connectorConfig) (dict "redirectURI" (printf "https://dex.%s/callback" $.baseDomain))) | toYaml | nindent 6 }}
+  {{- end }}
+{{- end -}}
+
+{{- define "default.config" -}}
+{{- if .Values.defaultConfig -}}
+dex-app:
+  userConfig:
+    configMap:
+      values: |
+        isWorkloadCluster: {{ ne .Values.managementCluster .Values.clusterID }}
+        deployDexK8SAuthenticator: {{ eq .Values.defaultConfig.deployDexK8SAuthenticator true }}
+        {{ if .Values.defaultConfig.oidc.expiry -}}
+        oidc:
+          expiry:
+            {{- .Values.defaultConfig.oidc.expiry | toYaml |  nindent 12 -}}
+        {{- end }}
+    secret:
+      values: |
+        oidc:
+{{- if .Values.defaultConfig.oidc.customer }}
+          customer:
+            {{- (include "default.config.oidc.connectors" (dict "connectors" .Values.defaultConfig.oidc.customer.connectors "baseDomain" .Values.baseDomain)) | nindent 12 }}
+{{ end -}}
+{{- if .Values.defaultConfig.oidc.giantswarm }}
+          giantswarm:
+            {{- (include "default.config.oidc.connectors" (dict "connectors" .Values.defaultConfig.oidc.giantswarm.connectors "baseDomain" .Values.baseDomain)) | nindent 12 }}
+{{ end -}}
+athena:
+  userConfig:
+    configMap:
+      values: |-
+        managementCluster:
+          name: {{ .Values.managementCluster }}
+ingress-nginx:
+  enabled: true
+{{- if .Values.defaultConfig.rbac }}
+rbac-bootstrap:
+  userConfig:
+    configMap:
+      values: |
+        bindings:
+        {{- .Values.defaultConfig.rbac | toYaml | nindent 8 }}
+{{ end -}}
+{{- else -}}
+{}
+{{- end -}}
+{{- end -}}

helm/auth-bundle/templates/apps.yaml

@@ -1,4 +1,5 @@
-{{- range $key, $value := .Values.apps }}
+{{ $defaultConfig := fromYaml (include "default.config" .) -}}
+{{- range $key, $value := (merge .Values.apps $defaultConfig) }}
 {{- $appName := include "app.name" (dict "app" .appName "cluster" $.Values.clusterID "ns" $.Release.Namespace) }}
 {{- if .enabled }}
 ---
@@ -38,7 +39,7 @@ spec:
     {{- end }}
   {{- end }}
   {{- end }}
-  {{- end }}  
+  {{- end }}
   kubeConfig:
     {{- if eq $.Release.Namespace "giantswarm" }}  ## Vintage MCs do not have a kubeconfig secret
     inCluster: true
@@ -78,6 +79,7 @@ spec:
   {{- end }}
 {{- end }}
 {{- if .userConfig }}
+{{- $appDefaultConfig := index $defaultConfig $appName -}}
 {{- if .userConfig.configMap }}
 ---
 apiVersion: v1
@@ -89,7 +91,12 @@ metadata:
   name: {{ $appName }}-user-values
   namespace: {{ $.Release.Namespace }}
 data:
-  {{- (tpl (.userConfig.configMap | toYaml | toString) $) | nindent 2 }}
+  values: |
+    {{- if $appDefaultConfig.userConfig.configMap.values -}}
+    {{- (merge (fromYaml .userConfig.configMap.values) (fromYaml (toString $appDefaultConfig.userConfig.configMap.values))) | toYaml | nindent 4 }}
+    {{- else -}}
+    {{- (fromYaml .userConfig.configMap.values) | toYaml | nindent 4 }}
+    {{- end -}}
 {{- end }}
 {{- if .userConfig.secret }}
 ---
@@ -102,7 +109,12 @@ metadata:
   name: {{ $appName }}-user-secrets
   namespace: {{ $.Release.Namespace }}
 stringData:
-  {{- (tpl (.userConfig.secret | toYaml | toString) $) | nindent 2 }}
+  values: |
+    {{- if $appDefaultConfig.userConfig.secret.values -}}
+    {{- (merge (fromYaml .userConfig.secret.values) (fromYaml (toString $appDefaultConfig.userConfig.secret.values))) | toYaml | nindent 4 }}
+    {{- else -}}
+    {{- (fromYaml .userConfig.secret.values) | toYaml | nindent 4 }}
+    {{- end -}}
 {{- end }}
 {{- end }}
 {{- end }}

helm/auth-bundle/values.schema.json

@@ -61,10 +61,139 @@
                     "type": "string"
                 }
             }
+        },
+        "connector": {
+            "type": "object",
+            "properties": {
+                "id": {
+                    "type": "string"
+                },
+                "connectorName": {
+                    "type": "string"
+                },
+                "connectorType": {
+                    "type": "string"
+                },
+                "connectorConfig": {
+                    "type": "string"
+                }
+            },
+            "required": [
+                "id",
+                "connectorName",
+                "connectorType",
+                "connectorConfig"
+            ]
+        },
+        "owner": {
+            "type": "object",
+            "properties": {
+                "connectors": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/$defs/connector"
+                    }
+                }
+            },
+            "required": [
+                "connectors"
+            ]
+        },
+        "rbacRule": {
+            "type": "object",
+            "properties": {
+                "role": {
+                    "type": "string"
+                },
+                "namespaces": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
+                "groups": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
+                "users": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                }
+            },
+            "required": [
+                "role"
+            ],
+            "anyOf": [
+                {
+                    "required": [
+                        "groups"
+                    ]
+                },
+                {
+                    "required": [
+                        "users"
+                    ]
+                }
+            ]
         }
     },
     "type": "object",
     "properties": {
+        "defaultConfig": {
+            "type": "object",
+            "properties": {
+                "deployDexK8SAuthenticator": {
+                    "type": "boolean"
+                },
+                "oidc": {
+                    "type": "object",
+                    "properties": {
+                        "expiry": {
+                            "type": "object",
+                            "properties": {
+                                "signingKeys": {
+                                    "type": "string"
+                                },
+                                "idTokens": {
+                                    "type": "string"
+                                }
+                            }
+                        },
+                        "customer": {
+                            "$ref": "#/$defs/owner"
+                        },
+                        "giantswarm": {
+                            "$ref": "#/$defs/owner"
+                        }
+                    },
+                    "anyOf": [
+                        {
+                            "required": [
+                                "customer"
+                            ]
+                        },
+                        {
+                            "required": [
+                                "giantswarm"
+                            ]
+                        }
+                    ]
+                },
+                "rbac": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/$defs/rbacRule"
+                    }
+                }
+            },
+            "required": [
+                "oidc"
+            ]
+        },
         "apps": {
             "type": "object",
             "properties": {

helm/auth-bundle/values.yaml

@@ -1,5 +1,5 @@
+baseDomain: ""
 clusterID: ""
-organization: ""
 managementCluster: ""
 
 apps: