Merge pull request #32 from skrobul/dex-optional-azure

feat: make Azure auth backend optional

apps/components/dexidp.yaml

@@ -5,9 +5,19 @@ metadata:
 spec:
   project: understack
   sources:
-    - repoURL: https://github.com/rackerlabs/understack.git
-      path: components/13-dexidp/
+    - chart: dex
+      repoURL: https://charts.dexidp.io
+      targetRevision: 0.16.0
+      helm:
+        releaseName: dex
+        valueFiles:
+          - $values/components/13-dexidp/values-generic.yaml
+          # enable this for Azure integration (you need to create secret yourself)
+          #  - values-azure.yaml
+    - repoURL: https://github.com/rackerlabs/understack
+      path: components/13-dexidp
       targetRevision: ${UC_REPO_REF}
+      ref: values
     - repoURL: ${UC_DEPLOY_GIT_URL}
       path: secrets/${DEPLOY_NAME}/
       targetRevision: HEAD

components/01-secrets/README.md

@@ -180,12 +180,22 @@ done
 ```
 ## Azure SSO authentication
 
+Setting up Understack for Azure backed authentication involves two steps:
+1. Creating a Kubernetes secret that contains credentials to talk to AAD.
+2. Updating Dexidp `Application` to use Azure settings/values
+
+Detailed steps are:
+
 First, you need to obtain necessary credentials from [PasswordSafe](https://passwordsafe.corp.rackspace.com/projects/37639/credentials/329301/). Replace the `<CLIENTID>`, `<CLIENTSECRET>` and `<ISSUER>` in the following command.
 
 PasswordSafe mappings:
 - `<CLIENTID>` is stored as `Username`
 - `<CLIENTSECRET>` is stored in `Password` field
-- `<ISSUER>` needs to be constructed. The value should be `https://login.microsoftonline.com/<APPID>/v2.0`, where `<APPID>` is stored in PasswordSafe under `Hostname` field. Pay particular attention to `/v2.0` at the end of URL and don't add trailing slash. Example value would be: `https://login.microsoftonline.com/1234abcd-1234-0000-beef-12345678900a/v2.0`
+- `<ISSUER>` needs to be constructed. The value should be
+`https://login.microsoftonline.com/<APPID>/v2.0`, where `<APPID>` is stored in
+PasswordSafe under `Hostname` field. Pay particular attention to `/v2.0` at the
+end of URL and don't add trailing slash. Example value would be:
+`https://login.microsoftonline.com/1234abcd-1234-0000-beef-12345678900a/v2.0`
 
 ```bash
 kubectl --namespace dex \
@@ -203,6 +213,14 @@ kubeseal \
   -w components/01-secrets/encrypted-azure-sso.yaml
 ```
 
+The second part of the setup involves switching Dex to use the Azure backend.
+This can be done by executing:
+
+```shell
+argocd app set argocd/dexidp --values '$values/components/13-dexidp/values-azure.yaml'
+```
+
+
 ## Generate Kustomize for the Install
 
 Now generate the kustomize for this.

components/13-dexidp/README.md

@@ -58,16 +58,22 @@ deployment.apps/coredns restarted
 $
 ```
 
-### Making components accessible from your machine If running development
+### Making components accessible from your machine
 
-cluster on your machine, you may need to create  create an entry in
-your `/etc/hosts` file that looks similiar to this:
+If running development cluster on your machine, you may need to create  create
+an entry in your `/etc/hosts` file that looks similar to this:
 
 ```hosts
 # Nautobot kind cluster
-127.0.0.1 argocd.local nautobot.local keystone keystone.openstack dexidp.local
+127.0.0.1 argocd.local nautobot.local keystone keystone.openstack dexidp.local workflows.local
 ```
 
+
+### Azure authentication
+Dex can optionally be configured to allow authentication through Azure SSO. The
+exact steps to configure this are available in
+[01-secrets/README.md](../01-secrets/README.md).
+
 [socialauth]: https://python-social-auth.readthedocs.io/en/latest/backends/oidc.html
 [disco]: https://openid.net/specs/openid-connect-discovery-1_0.html
 [authzcodegrant]: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1

components/13-dexidp/values-generic.yaml

@@ -0,0 +1,70 @@
+# Full documentation available at
+# https://github.com/dexidp/helm-charts/tree/master/charts/dex#values
+#
+
+replicaCount: 1
+config:
+  # Set it to a valid URL
+  issuer: https://dexidp.local
+
+  # See https://dexidp.io/docs/storage/ for more options
+  # We probably want 'postgres' or 'crd' in production
+  storage:
+    type: kubernetes
+    config:
+      inCluster: true
+
+  oauth2:
+    skipApprovalScreen: true
+
+  enablePasswordDB: false
+  connectors:
+    - type: keystone
+      # Required field for connector id.
+      id: keystone_internal
+      # Required field for connector name.
+      name: Keystone
+      config:
+        # Required, without v3 suffix.
+        keystoneHost: http://keystone-api.openstack.svc.cluster.local:5000
+        # Required, admin user credentials to connect to keystone.
+        domain: default
+        keystoneUsername: demo
+        keystonePassword: DEMO_PASS
+  logger:
+    level: info
+
+  staticClients:
+    - id: nautobot
+      secretEnv: NAUTOBOT_SSO_CLIENT_SECRET
+      name: "Undercloud Nautobot"
+      redirectURIs:
+        - "http://localhost:8000/complete/oidc/"
+        - "https://nautobot.local/complete/oidc/"
+    - id: argo
+      secretEnv: ARGO_SSO_CLIENT_SECRET
+      name: "Undercloud Argo"
+      redirectURIs:
+        - "https://workflows.local/oauth2/callback"
+
+envVars:
+  - name: NAUTOBOT_SSO_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: nautobot-sso
+        key: client-secret
+ingress:
+  enabled: true
+  annotations:
+    cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+  className: "nginx"
+  hosts:
+    - host: dexidp.local
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - hosts:
+      - dexidp.local
+      secretName: dex-ingress-tls