Merge pull request #23 from skrobul/dex-auth-azure

feat: Azure authentication with Dex

apps/components/kustomization.yaml

@@ -16,3 +16,4 @@ resources:
   - argo-workflows.yaml
   - argo-events.yaml
   - ironic.yaml
+  - dexidp.yaml

components/00-namespaces/kustomization.yaml

@@ -5,3 +5,4 @@ resources:
   - nautobot.yaml
   - openstack.yaml
   - argo-workflows.yaml
+  - dexidp.yaml

components/01-secrets/README.md

@@ -61,6 +61,21 @@ kubectl --namespace nautobot \
     > secret-nautobot-redis.yaml
 ```
 
+```bash
+# This secret needs to be synchronized in both namespaces
+NAUTOBOT_SSO_SECRET=$(./scripts/pwgen.sh)
+for ns in nautobot dex; do
+  kubectl --namespace $ns \
+    create secret generic nautobot-sso \
+    --dry-run=client \
+    -o yaml \
+    --type Opaque \
+    --from-literal=client-secret="$NAUTOBOT_SSO_SECRET" \
+    > secret-nautobot-sso-$ns.yaml
+done
+unset NAUTOBOT_SSO_SECRET
+```
+
 Let's encrypt them.
 
 ```bash
@@ -77,6 +92,15 @@ kubeseal \
     -o yaml \
     -f secret-nautobot-redis.yaml \
     -w components/01-secrets/encrypted-nautobot-redis.yaml
+
+for ns in nautobot dex; do
+  kubeseal \
+    --scope cluster-wide \
+    --allow-empty-data \
+    -o yaml \
+    -f secret-nautobot-sso-$ns.yaml \
+    -w components/01-secrets/encrypted-nautobot-sso-$ns.yaml
+done
 ```
 
 ## Keystone
@@ -157,6 +181,31 @@ for skrt in $(find . -maxdepth 1-name "secret-ironic*.yaml"); do
         -f "${skrt}" \
         -w "${encskrt}"
 done
+
+```
+## Azure SSO authentication
+
+First, you need to obtain necessary credentials from [PasswordSafe](https://passwordsafe.corp.rackspace.com/projects/37639/credentials/329301/). Replace the `<CLIENTID>`, `<CLIENTSECRET>` and `<ISSUER>` in the following command.
+
+PasswordSafe mappings:
+- `<CLIENTID>` is stored as `Username`
+- `<CLIENTSECRET>` is stored in `Password` field
+- `<ISSUER>` needs to be constructed. The value should be `https://login.microsoftonline.com/<APPID>/v2.0`, where `<APPID>` is stored in PasswordSafe under `Hostname` field. Pay particular attention to `/v2.0` at the end of URL and don't add trailing slash. Example value would be: `https://login.microsoftonline.com/1234abcd-1234-0000-beef-12345678900a/v2.0`
+
+```bash
+kubectl --namespace dex \
+    create secret generic azure-sso --dry-run=client \
+    --from-literal=client-id=<CLIENTID> \
+    --from-literal=client-secret=<CLIENTSECRET> \
+    --from-literal=issuer=<ISSUER> \
+    -o yaml > secret-azure-sso.yaml
+
+kubeseal \
+  --scope cluster-wide \
+  --allow-empty-data \
+  -o yaml \
+  -f secret-azure-sso.yaml \
+  -w components/01-secrets/encrypted-azure-sso.yaml
 ```
 
 ## Generate Kustomize for the Install

components/09-nautobot/base/nautobot/templates/configmap.yaml

@@ -581,7 +581,8 @@ data:
     SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = "http://dexidp.local"
     SOCIAL_AUTH_OIDC_USERNAME_KEY = 'name'
     SOCIAL_AUTH_OIDC_KEY = 'nautobot'
-    SOCIAL_AUTH_OIDC_SECRET = 'verysecret'
+    with open("/opt/nautobot/dex_client_secret") as oidc_secret:
+      SOCIAL_AUTH_OIDC_SECRET = oidc_secret.read()
     # The “openid”, “profile” and “email” are requested by default,
     # below *adds* scope.
     SOCIAL_AUTH_OIDC_SCOPE = ['groups']

components/09-nautobot/base/nautobot/templates/nautobot-deployment.yaml

@@ -103,6 +103,14 @@ spec:
             - name: "nautobot-config"
               mountPath: "/opt/nautobot/nautobot_config.py"
               subPath: "nautobot_config.py"
+            - name: "nautobot-dexauth"
+              mountPath: "/opt/nautobot/dexauth.py"
+              subPath: "dexauth.py"
+              readOnly: true
+            - name: "nautobot-dex-creds"
+              mountPath: "/opt/nautobot/dex_client_secret"
+              subPath: client-secret
+              readOnly: true
       containers:
         - name: nautobot
           tty: true
@@ -178,6 +186,11 @@ spec:
             - name: "nautobot-dexauth"
               mountPath: "/opt/nautobot/dexauth.py"
               subPath: "dexauth.py"
+              readOnly: true
+            - name: "nautobot-dex-creds"
+              mountPath: "/opt/nautobot/dex_client_secret"
+              subPath: client-secret
+              readOnly: true
           ports:
             - name: "https"
               containerPort: 8443
@@ -196,3 +209,7 @@ spec:
         - name: "nautobot-dexauth"
           configMap:
             name: dexauth
+        - name: "nautobot-dex-creds"
+          secret:
+            secretName: nautobot-sso
+            optional: false

components/13-dexidp/kustomization.yaml

@@ -2,9 +2,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
-resources:
-  - namespace.yaml
-
 namespace: dex
 helmGlobals:
   chartHome: ../../charts/

components/13-dexidp/values.yaml

@@ -30,17 +30,57 @@ config:
         domain: default
         keystoneUsername: demo
         keystonePassword: DEMO_PASS
+    - type: oidc
+      name: azure
+      id: azure
+      config:
+        issuer: $AZURE_ISSUER
+        clientId: $AZURE_SSO_CLIENT_ID
+        clientSecret: $AZURE_SSO_CLIENT_SECRET
+        redirectURI: https://dexidp.local/callback
+        scopes:
+          - openid
+          - email
+        insecureSkipEmailVerified: true
+        # enabling insecureEnableGroups adds the list of group UUIDs to the
+        # access token, which in turn results in a HTTP headers for requests to
+        # https://dexidp.local/userinfo being way too large for Ingress
+        # controller and python requests library. Even after adjusting ingress
+        # controlloer, the Nautobot still cannot handle token that large.
+        insecureEnableGroups: false
+        getUserInfo: true
   logger:
     level: info
 
   staticClients:
     - id: nautobot
-      secret: verysecret
+      secretEnv: NAUTOBOT_SSO_CLIENT_SECRET
       name: "Undercloud Nautobot"
       redirectURIs:
         - "http://localhost:8000/complete/oidc/"
         - "https://nautobot.local/complete/oidc/"
 
+envVars:
+  - name: NAUTOBOT_SSO_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: nautobot-sso
+        key: client-secret
+  - name: AZURE_SSO_CLIENT_ID
+    valueFrom:
+      secretKeyRef:
+        name: azure-sso
+        key: client-id
+  - name: AZURE_SSO_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: azure-sso
+        key: client-secret
+  - name: AZURE_ISSUER
+    valueFrom:
+      secretKeyRef:
+        name: azure-sso
+        key: issuer
 ingress:
   enabled: true
   annotations:

scripts/easy-secrets-gen.sh

@@ -29,6 +29,18 @@ kubectl --namespace nautobot \
     --from-literal=redis-password="$(./scripts/pwgen.sh)" \
     > secret-nautobot-redis.yaml
 
+NAUTOBOT_SSO_SECRET=$(./scripts/pwgen.sh)
+for ns in nautobot dex; do
+  kubectl --namespace $ns \
+    create secret generic nautobot-sso \
+    --dry-run=client \
+    -o yaml \
+    --type Opaque \
+    --from-literal=client-secret="$NAUTOBOT_SSO_SECRET" \
+    > secret-nautobot-sso-$ns.yaml
+done
+unset NAUTOBOT_SSO_SECRET
+
 kubectl --namespace openstack \
     create secret generic keystone-rabbitmq-password \
     --type Opaque \
@@ -105,6 +117,15 @@ for skrt in $(find . -maxdepth 1 -name "secret-keystone*.yaml" -o -name "secret-
         -w "${encskrt}"
 done
 
+for ns in nautobot dex; do
+  kubeseal \
+    --scope cluster-wide \
+    --allow-empty-data \
+    -o yaml \
+    -f secret-nautobot-sso-$ns.yaml \
+    -w components/01-secrets/encrypted-nautobot-sso-$ns.yaml
+done
+
 cd components/01-secrets/
 rm -f kustomization.yaml
 kustomize create --autodetect