From e067eb1d7e4aef1be38cb461735f34093f8b2c6f Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Wed, 10 Apr 2024 18:10:06 +0300 Subject: [PATCH 1/7] AWS external auth example --- .../enterprise/values-external-aws.yaml | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 examples/lakefs/enterprise/values-external-aws.yaml diff --git a/examples/lakefs/enterprise/values-external-aws.yaml b/examples/lakefs/enterprise/values-external-aws.yaml new file mode 100644 index 0000000..7d6cf4c --- /dev/null +++ b/examples/lakefs/enterprise/values-external-aws.yaml @@ -0,0 +1,62 @@ +lakefsConfig: | + logging: + level: "INFO" + blockstore: + type: local + auth: + authentication_api: + endpoint: http://localhost:8080/api/v1 + external_principals_enabled: true + api: + endpoint: http://localhost:9006/api/v1 + remote_authenticator: + enabled: true + endpoint: http://localhost:9006/api/v1 + ui_config: + login_cookie_names: + - internal_auth_session +ingress: + enabled: true + ingressClassName: + hosts: + # the ingress that will be created for lakeFS + - host: + paths: + - / + +################################################## +########### lakeFS enterprise - FLUFFY ########### +################################################## + +fluffy: + enabled: true + image: + repository: treeverse/fluffy + tag: '0.3.0' + pullPolicy: IfNotPresent + privateRegistry: + enabled: true + secretToken: + fluffyConfig: | + logging: + format: "json" + level: "INFO" + auth: + serve_disable_authentication: true + serve_listen_address: localhost:9006 + encrypt: + secret_key: shared-secrey-key + external: + aws_auth: + enabled: true + # list of headers that are required to be present in the GetCallerIdentity request + required_headers: + x-lakefs-custom-key: "custom-value" + secrets: + create: true + sso: + enabled: true + rbac: + enabled: true + +useDevPostgres: true From 4eaab0a68918f2ac500584d461cb55367a5099d6 Mon Sep 17 00:00:00 2001 
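Review bot: `encrypt.secret_key: shared-secrey-key` in the fluffyConfig block puts a literal (and misspelled) shared key into a committed example values file that users tend to copy verbatim; leave it as an explicit placeholder or point at a Kubernetes Secret so the example cannot be deployed with a known key. Several values outside the block scalars are left empty (`ingressClassName:`, `host:`, `secretToken:`), which YAML parses as null rather than an empty string, so Helm renders them as nil; quoted placeholders such as `secretToken: "<private-registry-token>"` make the intent visible. Because `lakefsConfig` and `fluffyConfig` are `|` block scalars, empty keys inside them are only seen by the application, not by the chart, which is worth a comment near the top of the file.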
From: Idan Novogroder Date: Wed, 10 Apr 2024 18:10:09 +0300 Subject: [PATCH 2/7] AWS external auth example --- examples/lakefs/enterprise/values-external-aws.yaml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/examples/lakefs/enterprise/values-external-aws.yaml b/examples/lakefs/enterprise/values-external-aws.yaml index 7d6cf4c..04c88b3 100644 --- a/examples/lakefs/enterprise/values-external-aws.yaml +++ b/examples/lakefs/enterprise/values-external-aws.yaml @@ -49,9 +49,18 @@ fluffy: external: aws_auth: enabled: true + get_caller_identity_max_age: 60 + # list of headers that are required to be present in the GetCallerIdentity request required_headers: - x-lakefs-custom-key: "custom-value" + required-key: "custom-value" + # list of headers that are optional for the GetCallerIdentity request + optional_headers: + optional-key: "custom-value" + # list of valid STS hosts for the GetCallerIdentity request + valid_sts_hosts: + - "sts.amazonaws.com" + - "sts.us-east-1.amazonaws.com" secrets: create: true sso: From 2ffb7ddb5ed05ead7509dba36e43d57b1ef731e1 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Thu, 11 Apr 2024 12:25:14 +0300 Subject: [PATCH 3/7] PR review --- .../enterprise/values-external-aws.yaml | 38 +++++++++++-------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/examples/lakefs/enterprise/values-external-aws.yaml b/examples/lakefs/enterprise/values-external-aws.yaml index 04c88b3..2bbb0ed 100644 --- a/examples/lakefs/enterprise/values-external-aws.yaml +++ b/examples/lakefs/enterprise/values-external-aws.yaml 
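Review bot: The comment on `required_headers` says "list of headers" but the value is a mapping of header name to expected value (`required-key: "custom-value"`), and `optional_headers` has the same mismatch; rewording to `# map of header name to value that must be present in the GetCallerIdentity request` stops readers from writing a sequence. `get_caller_identity_max_age: 60` carries no unit in the example; `# maximum age of the GetCallerIdentity request, in seconds` would help, assuming seconds is what fluffy expects (confirm against its config). The quoted `valid_sts_hosts` entries are good; the enclosing `fluffy.fluffyConfig` block starts outside this hunk.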
@@ -4,6 +4,10 @@ lakefsConfig: | blockstore: type: local auth: + oidc: + # the claim that's provided by the OIDC provider (e.g Okta) that will be used as the username according to OIDC provider claims provided after successfull authentication + friendly_name_claim_name: "" + default_initial_groups: ["Developers"] authentication_api: endpoint: http://localhost:8080/api/v1 external_principals_enabled: true @@ -15,6 +19,7 @@ lakefsConfig: | ui_config: login_cookie_names: - internal_auth_session + - oidc_auth_session ingress: enabled: true ingressClassName: @@ -42,29 +47,30 @@ fluffy: format: "json" level: "INFO" auth: - serve_disable_authentication: true - serve_listen_address: localhost:9006 - encrypt: - secret_key: shared-secrey-key + logout_redirect_url: https://oidc-provider-url.com/logout/example + oidc: + enabled: true + url: https://oidc-provider-url.com/ + client_id: + callback_base_url: https:// + is_default_login: true + # the claim name that represents the client identifier in the OIDC provider (e.g Okta) + logout_client_id_query_parameter: client_id + # the query parameters that will be used to redirect the user to the OIDC provider (e.g Okta) after logout + logout_endpoint_query_parameters: + - returnTo + - https:///oidc/login external: aws_auth: enabled: true - get_caller_identity_max_age: 60 - - # list of headers that are required to be present in the GetCallerIdentity request - required_headers: - required-key: "custom-value" - # list of headers that are optional for the GetCallerIdentity request - optional_headers: - optional-key: "custom-value" - # list of valid STS hosts for the GetCallerIdentity request - valid_sts_hosts: - - "sts.amazonaws.com" - - "sts.us-east-1.amazonaws.com" secrets: create: true sso: enabled: true + oidc: + enabled: true + # secret given by the OIDC provider (e.g auth0, Okta, etc) + client_secret: rbac: enabled: true From bfe7269c2399df46c7720e64a62b915849bbee48 Mon Sep 17 00:00:00 2001 
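Review bot: `callback_base_url: https://` and the `https:///oidc/login` entry under `logout_endpoint_query_parameters` in the fluffy `auth.oidc` block are malformed URL placeholders that parse fine as strings but are not valid URLs; an explicit token such as `callback_base_url: "https://<lakefs-host>"` and `- "https://<lakefs-host>/oidc/login"` shows what must be filled in. `client_id:` and `sso.oidc.client_secret:` are left empty and therefore null; a quoted placeholder is clearer, and the `client_secret` comment could say the value should be supplied from a Kubernetes Secret rather than committed in the values file. In the first hunk of this file the comment above `friendly_name_claim_name` has a typo (`successfull` → `successful`) and would read better shortened to `# claim from the OIDC provider (e.g. Okta) used as the username`.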
From: Idan Novogroder Date: Thu, 11 Apr 2024 16:03:29 +0300 Subject: [PATCH 4/7] Review comment --- .github/workflows/release.yml | 1 - charts/lakefs/templates/_env.tpl | 4 ++ .../enterprise/values-external-aws.yaml | 42 ++++++------------- examples/lakefs/enterprise/values-oidc.yaml | 2 +- 4 files changed, 17 insertions(+), 32 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index db9d683..a87f90d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -49,4 +49,3 @@ jobs: uses: helm/chart-releaser-action@v1.5.0 env: CR_TOKEN: "${{ secrets.CR_TOKEN }}" - diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index eb19ea9..a508857 100644 --- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl @@ -53,6 +53,10 @@ env: - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: /logout {{- end }} + {{- if (.Values.fluffy.sso).enabled }} + - name: LAKEFS_AUTH_AUTHENTICATION_API_ENDPOINT + value: {{ printf "http://%s/api/v1" (include "fluffy.ssoServiceName" .) | quote }} + {{- end }} {{- end }} {{- if (.Values.fluffy.rbac).enabled }} - name: LAKEFS_AUTH_API_ENDPOINT diff --git a/examples/lakefs/enterprise/values-external-aws.yaml b/examples/lakefs/enterprise/values-external-aws.yaml index 2bbb0ed..23a9928 100644 --- a/examples/lakefs/enterprise/values-external-aws.yaml +++ b/examples/lakefs/enterprise/values-external-aws.yaml 
@@ -4,22 +4,9 @@ lakefsConfig: | blockstore: type: local auth: - oidc: - # the claim that's provided by the OIDC provider (e.g Okta) that will be used as the username according to OIDC provider claims provided after successfull authentication - friendly_name_claim_name: "" - default_initial_groups: ["Developers"] authentication_api: endpoint: http://localhost:8080/api/v1 external_principals_enabled: true - api: - endpoint: http://localhost:9006/api/v1 - remote_authenticator: - enabled: true - endpoint: http://localhost:9006/api/v1 - ui_config: - login_cookie_names: - - internal_auth_session - - oidc_auth_session ingress: enabled: true ingressClassName: @@ -47,30 +34,25 @@ fluffy: format: "json" level: "INFO" auth: - logout_redirect_url: https://oidc-provider-url.com/logout/example - oidc: - enabled: true - url: https://oidc-provider-url.com/ - client_id: - callback_base_url: https:// - is_default_login: true - # the claim name that represents the client identifier in the OIDC provider (e.g Okta) - logout_client_id_query_parameter: client_id - # the query parameters that will be used to redirect the user to the OIDC provider (e.g Okta) after logout - logout_endpoint_query_parameters: - - returnTo - - https:///oidc/login external: aws_auth: enabled: true + # the maximum age in seconds for the GetCallerIdentity request + #get_caller_identity_max_age: 60 + # list of headers that are required to be present in the GetCallerIdentity request + #required_headers: + # x-lakefs-custom-key: "custom-value" + # list of headers that are optional for the GetCallerIdentity request + #optional_headers: + # optional-key: "custom-value" + # list of valid STS hosts for the GetCallerIdentity request + #valid_sts_hosts: + # - "sts.amazonaws.com" + # - "sts.us-east-1.amazonaws.com" secrets: create: true sso: enabled: true - oidc: - enabled: true - # secret given by the OIDC provider (e.g auth0, Okta, etc) - client_secret: rbac: enabled: true 
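Review bot: `authentication_api.endpoint: http://localhost:8080/api/v1` stays in `lakefsConfig` while the `_env.tpl` hunk in this same commit exports `LAKEFS_AUTH_AUTHENTICATION_API_ENDPOINT` pointing at the fluffy SSO service whenever `fluffy.sso.enabled` is true, which this example sets. That gives two sources for one setting; if environment variables take precedence over the config file in lakeFS (confirm), the localhost value is dead and misleading, so either drop it from the example or add `# overridden by the chart when fluffy.sso.enabled is true` above it. The disabled keys in the second hunk (`#get_caller_identity_max_age: 60` etc.) have no space after `#`, which yamllint's `comments` rule flags; a single `# uncomment to enable:` line above the block followed by `# key: value` style lines keeps the linter quiet and reads as intentional.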
diff --git a/examples/lakefs/enterprise/values-oidc.yaml b/examples/lakefs/enterprise/values-oidc.yaml index e678b40..1176553 100644 --- a/examples/lakefs/enterprise/values-oidc.yaml +++ b/examples/lakefs/enterprise/values-oidc.yaml @@ -29,7 +29,7 @@ fluffy: enabled: true image: repository: treeverse/fluffy - tag: '0.2.7' + tag: '0.3.0' pullPolicy: IfNotPresent privateRegistry: enabled: true From 64d6b49e6f63237d4b4080a12c31e36ea6136f79 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Thu, 11 Apr 2024 16:16:50 +0300 Subject: [PATCH 5/7] Bump chart version --- charts/lakefs/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/lakefs/Chart.yaml b/charts/lakefs/Chart.yaml index 0c1ea78..9fbf269 100644 --- a/charts/lakefs/Chart.yaml +++ b/charts/lakefs/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: lakefs description: A Helm chart for running LakeFS on Kubernetes type: application -version: 1.2.7 +version: 1.2.8 appVersion: 1.17.0 home: https://lakefs.io From 060ac2ec60b79d315c511d6967d7dd62f694bb53 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Thu, 11 Apr 2024 16:35:40 +0300 Subject: [PATCH 6/7] PR review --- charts/lakefs/templates/_env.tpl | 6 ++--- .../enterprise/values-external-aws.yaml | 26 +++---------------- 2 files changed, 6 insertions(+), 26 deletions(-) diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index a508857..ea51f12 100644 --- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl @@ -40,6 +40,8 @@ env: value: {{ printf "%s/sso/login-saml" .Values.fluffy.sso.saml.lakeFSServiceProviderIngress }} - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: {{ printf "%s/sso/logout-saml" .Values.fluffy.sso.saml.lakeFSServiceProviderIngress }} + - name: LAKEFS_AUTH_AUTHENTICATION_API_ENDPOINT + value: {{ printf "http://%s/api/v1" (include "fluffy.ssoServiceName" .) | quote }} {{- end }} {{- if (.Values.fluffy.sso.oidc).enabled }} - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_URL 
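Review bot: `LAKEFS_AUTH_AUTHENTICATION_API_ENDPOINT` is now emitted only inside the block closed by the `{{- end }}` right after the added lines, and the adjacent values (`.Values.fluffy.sso.saml.lakeFSServiceProviderIngress`) suggest that block is the SAML branch; the enclosing `{{- if }}` starts outside the hunk, so this is inferred. The next hunk of this file removes the generic `fluffy.sso.enabled` block from the previous commit, and the same commit deletes `lakefsConfig` (including `authentication_api.endpoint`) from values-external-aws.yaml, so for the AWS external-auth example the variable would no longer be set unless the chart derives it elsewhere; confirm that is intended and, if so, record it with `{{- /* authentication API endpoint is only set by the chart for SAML */ -}}`. The new `value` uses `| quote` while the two saml values above it are unquoted; quoting those as well would be consistent.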
@@ -53,10 +55,6 @@ env: - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: /logout {{- end }} - {{- if (.Values.fluffy.sso).enabled }} - - name: LAKEFS_AUTH_AUTHENTICATION_API_ENDPOINT - value: {{ printf "http://%s/api/v1" (include "fluffy.ssoServiceName" .) | quote }} - {{- end }} {{- end }} {{- if (.Values.fluffy.rbac).enabled }} - name: LAKEFS_AUTH_API_ENDPOINT diff --git a/examples/lakefs/enterprise/values-external-aws.yaml b/examples/lakefs/enterprise/values-external-aws.yaml index 23a9928..164f455 100644 --- a/examples/lakefs/enterprise/values-external-aws.yaml +++ b/examples/lakefs/enterprise/values-external-aws.yaml @@ -1,12 +1,3 @@ -lakefsConfig: | - logging: - level: "INFO" - blockstore: - type: local - auth: - authentication_api: - endpoint: http://localhost:8080/api/v1 - external_principals_enabled: true ingress: enabled: true ingressClassName: @@ -30,25 +21,16 @@ fluffy: enabled: true secretToken: fluffyConfig: | - logging: - format: "json" - level: "INFO" auth: external: aws_auth: enabled: true # the maximum age in seconds for the GetCallerIdentity request #get_caller_identity_max_age: 60 - # list of headers that are required to be present in the GetCallerIdentity request - #required_headers: - # x-lakefs-custom-key: "custom-value" - # list of headers that are optional for the GetCallerIdentity request - #optional_headers: - # optional-key: "custom-value" - # list of valid STS hosts for the GetCallerIdentity request - #valid_sts_hosts: - # - "sts.amazonaws.com" - # - "sts.us-east-1.amazonaws.com" + # headers that must be present by the client when doing login request + required_headers: + # same host as the lakeFS server ingress + X-LakeFS-Server-ID: secrets: create: true sso: From 598eb7a83f4ee16d808824ca826043546e911fa3 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Thu, 11 Apr 2024 16:44:03 +0300 Subject: [PATCH 7/7] Bump chart version --- charts/lakefs/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
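Review bot: `X-LakeFS-Server-ID:` under `required_headers` has no value and parses as null inside fluffyConfig, so the example declares a required header without the value fluffy should match against; how a null value is treated is not visible here, so make it an explicit placeholder, `X-LakeFS-Server-ID: "<lakefs-ingress-host>"`, matching the comment that it must equal the lakeFS ingress host. The comment above it reads awkwardly; `# headers the client must send with the login request, with their expected values` is clearer and also conveys that this is a map, not a list. The `#get_caller_identity_max_age: 60` line still lacks a space after `#`, which yamllint flags.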
diff --git a/charts/lakefs/Chart.yaml b/charts/lakefs/Chart.yaml
index 79741ec..d816dcd 100644
--- a/charts/lakefs/Chart.yaml
+++ b/charts/lakefs/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: lakefs
 description: A Helm chart for running LakeFS on Kubernetes
 type: application
-version: 1.2.8
+version: 1.2.9
 appVersion: 1.18.0
 home: https://lakefs.io