Add new OIDC properties and remove SP references

e4a94d7a · Vojdan Kjorveziroski · ade5ef77 · e4a94d7a · e4a94d7a · e4a94d7a
Commit e4a94d7a authored 5 months ago by Vojdan Kjorveziroski
--- a/charts/nmaas/Chart.yaml
+++ b/charts/nmaas/Chart.yaml
 apiVersion: v2
 name: nmaas
 description: GÉANT Network Management as a Service Helm chart for Kubernetes
-version: 1.3.0-alpha.1
+version: 1.3.0-alpha.2
 appVersion: 1.7.0-alfa
 keywords:
  - Network Management

--- a/charts/nmaas/templates/nmaas-jwt-secret.yaml
+++ b/charts/nmaas/templates/nmaas-jwt-secret.yaml
+{{- if and .Values.platform.properties.jwt.signingKey.literal .Values.platform.properties.jwt.resetKey.literal }}
+apiVersion: v1
+type: Opaque
+kind: Secret
+metadata:
+  name: {{ .Values.platform.properties.jwt.secretName | quote }}
+data:
+  {{ .Values.platform.properties.jwt.signingKey.secret.key | quote }}: {{ .Values.platform.properties.jwt.signingKey.literal | b64enc | quote }}
+  {{ .Values.platform.properties.jwt.resetKey.secret.key | quote }}: {{ .Values.platform.properties.jwt.resetKey.literal | b64enc | quote }}
+{{- end }}
\ No newline at end of file
--- a/charts/nmaas/templates/nmaas-oidc-secret.yaml
+++ b/charts/nmaas/templates/nmaas-oidc-secret.yaml
+{{- if and .Values.platform.properties.oidc.enabled .Values.platform.properties.oidc.clientSecret.literal }}
+apiVersion: v1
+type: Opaque
+kind: Secret
+metadata:
+  name: {{ .Values.platform.properties.oidc.secretName | quote }}
+data:
+  {{ .Values.platform.properties.oidc.clientSecret.secret.key | quote }}: {{ .Values.platform.properties.oidc.clientSecret.literal | b64enc | quote }}
+{{- end }}
\ No newline at end of file
--- a/charts/nmaas/templates/nmaas-platform-deployment.yaml
+++ b/charts/nmaas/templates/nmaas-platform-deployment.yaml
@@ -82,10 +82,6 @@ spec:
          - name: POSTGRESQL_PORT
            value: {{ .Values.platform.properties.postgresql.port | quote }}
          {{- end }}
-          - name: SSO_URL_LOGIN
-            value: {{ .Values.platform.properties.sso.urlLogin | default (printf "https://%s/sso" .Values.global.nmaasDomain) | quote }}
-          - name: SSO_URL_LOGOUT
-            value: {{ .Values.platform.properties.sso.urlLogout | default (printf "https://%s/Shibboleth.sso/Logout" .Values.global.nmaasDomain) | quote }}
          - name: ADMIN_EMAIL
            value: {{ .Values.platform.properties.adminEmail }}
          - name: ADMIN_PASSWORD
@@ -122,15 +118,6 @@ spec:
              secretKeyRef:
                name: {{ .Values.platform.apiSecret.secret.name }}
                key: {{ .Values.platform.apiSecret.secret.key }}
-          {{- if .Values.platform.properties.sso.enabled }}
-          - name: SSO_KEY
-            valueFrom:
-              secretKeyRef:
-                name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name }}
-                key: {{ .Values.platform.properties.sso.encryptionSecret.secret.key }}
-          - name: SSO_TIMEOUT
-            value: "{{ .Values.platform.properties.sso.timeout }}"
-          {{- end }}
          - name: SMTP_LOGIN
            value: {{ .Values.platform.properties.smtp.login }}
          - name: SMTP_PASSWORD
@@ -209,8 +196,6 @@ spec:
            value: {{ .Values.platform.properties.k8s.deployment.defaultStorageClass }}
          - name: PORTAL_MAINTENANCE_FLAG
            value: {{ .Values.platform.properties.maintenance | quote }}
-          - name: PORTAL_SSO_ALLOWED_FLAG
-            value: {{ .Values.platform.properties.sso.enabled | quote }}
          - name: PORTAL_TEST_INSTANCE_FLAG
            value: {{ .Values.platform.properties.testInstance | quote }}
          - name: PORTAL_SEND_FAILURE_NOTIF_FLAG
@@ -229,6 +214,27 @@ spec:
            value: {{ .Values.platform.properties.showDomainRegistrationSelector | quote }}
          - name: NAMESPACE_CREATION_ENABLED
            value: {{ .Values.platform.properties.autoNamespaceCreationForDomains | quote }}
+          - name: PORTAL_SSO_ALLOWED_FLAG
+            value: {{ .Values.platform.properties.oidc.enabled | quote }}
+          - name: OIDC_CLIENT_ID
+            value: {{ .Values.platform.properties.oidc.clientId | quote }}
+          - name: OIDC_ISSUER_URI
+            value: {{ .Values.platform.properties.oidc.issuerUri | quote }}
+          - name: OIDC_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.platform.properties.oidc.secretName }}
+                key: {{ .Values.platform.properties.oidc.clientSecret.secret.key }}
+          - name: JWT_SIGNING_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.platform.properties.jwt.secretName }}
+                key: {{ .Values.platform.properties.jwt.signingKey.secret.key }}
+          - name: JWT_RESET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.platform.properties.jwt.secretName }}
+                key: {{ .Values.platform.properties.jwt.resetKey.secret.key }}
      imagePullSecrets:
      - name: {{ .Values.global.registrysecret }}
 {{- end -}}
--- a/charts/nmaas/templates/nmaas-sp-deployment.yaml
+++ b/charts/nmaas/templates/nmaas-sp-deployment.yaml
-{{- if .Values.sp.enabled -}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ .Values.sp.name }}
-  labels:
-    app: {{ .Values.sp.name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-spec:
-  selector:
-    matchLabels:
-      app: {{ .Values.sp.name }}
-  strategy: 
-    type: Recreate
-  replicas: {{ .Values.replicaCount }}
-  template:
-    metadata:
-      labels:
-        app: {{ .Values.sp.name }}
-    spec:
-      containers:
-      - name: {{ .Chart.Name }}
-        image: "{{ .Values.sp.image.repository }}:{{ .Values.sp.image.tag }}"
-        imagePullPolicy: {{ .Values.sp.image.pullPolicy }}
-        ports:
-        - containerPort: {{ .Values.sp.port }}
-          protocol: TCP
-        env:
-          - name: SP_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name }}
-                key: {{ .Values.platform.properties.sso.encryptionSecret.secret.key }}
-          - name: SP_URL
-            {{- if .Values.sp.tls }}
-            value: {{ .Values.sp.host | default (printf "https://%s/" .Values.global.nmaasDomain) | quote}}
-            {{- else }}
-            value: {{ .Values.sp.host | default (printf "http://%s/" .Values.global.nmaasDomain) | quote}}
-            {{- end }}
-          - name: PORTAL_URL
-            value: {{ .Values.sp.properties.portalUrl | default .Values.global.nmaasDomain }}
-          - name: IDP_NAME
-            value: {{ .Values.sp.properties.idp.name }}
-          - name: IDP_URI
-            value: {{ .Values.sp.properties.idp.uri | quote}}
-          - name: SP_HOST
-            value: {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }}
-          - name: SP_USED_ID
-            value: {{ .Values.sp.properties.idp.userId | quote }}
-          - name: SP_REMOTE_USER
-            value: {{ .Values.sp.properties.idp.remoteUser | quote }}
-          - name: SP_SSO_ENTITY_ID
-            value: {{ .Values.sp.properties.idp.entityId | quote }}
-          - name: SP_METADATA_URL
-            value: {{ .Values.sp.properties.idp.metadataUrl | quote }}
-      imagePullSecrets:
-      - name: {{ .Values.global.registrysecret }}
-{{- end -}}
--- a/charts/nmaas/templates/nmaas-sp-ingress.yaml
+++ b/charts/nmaas/templates/nmaas-sp-ingress.yaml
-{{- if .Values.sp.enabled -}}
-{{- if .Values.global.createIngressResources -}}
-{{- $kubeVersion := .Capabilities.KubeVersion.GitVersion -}}
-{{- if semverCompare ">=1.19-0" $kubeVersion -}}
-apiVersion: networking.k8s.io/v1
-{{- else -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- end }}
-kind: Ingress
-metadata:
-  name: {{ .Values.global.ingressName }}-sp
-  annotations:
-    {{- if not (semverCompare ">=1.19-0" $kubeVersion) }}
-    kubernetes.io/ingress.class: {{ .Values.sp.ingress.className | default .Values.platform.properties.k8s.ingress.controller.ingressClass }}
-    {{- end }}
-    nginx.org/mergeable-ingress-type: minion
-    {{- if and .Values.platform.tls .Values.global.acmeIssuer }}
-    kubernetes.io/tls-acme: "true"
-    certmanager.k8s.io/cluster-issuer: {{ .Values.global.issuerName }}
-    {{- end }}
-spec:
-  {{- if $.Values.sp.tls }}
-  tls:
-  - hosts:
-    - {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }}
-    {{- if .Values.global.acmeIssuer }}
-    secretName: {{ .Values.sp.certName | default "nmaas-sp-tls" | quote }}
-    {{- else }}
-    secretName: {{ .Values.sp.certName | default .Values.global.wildcardCertificateName | quote }}
-    {{- end }}
-  {{- end }}
-  {{- if semverCompare ">=1.19-0" $kubeVersion }}
-  ingressClassName: {{ .Values.sp.ingress.className | default .Values.platform.properties.k8s.ingress.controller.ingressClass }}
-  {{- end }}
-  rules:
-  - host: {{ .Values.sp.host | default .Values.global.nmaasDomain | quote }}
-    http:
-      paths:
-      - path: /sso
-        {{- if semverCompare ">=1.19-0" $kubeVersion }}
-        pathType: Prefix
-        backend:
-          service:
-            name: {{ .Values.sp.name }}
-            port:
-              number: {{ .Values.sp.targetPort }}
-        {{- else }}      
-        backend:
-          serviceName: {{ .Values.sp.name }}
-          servicePort: {{ .Values.sp.targetPort }}
-        {{- end }}
-      - path: /Shibboleth.sso
-        {{- if semverCompare ">=1.19-0" $kubeVersion }}
-        pathType: Prefix
-        backend:
-          service:
-            name: {{ .Values.sp.name }}
-            port:
-              number: {{ .Values.sp.targetPort }}
-        {{- else }}      
-        backend:
-          serviceName: {{ .Values.sp.name }}
-          servicePort: {{ .Values.sp.targetPort }}
-        {{- end }}
-{{- end -}}
-{{- end -}}
--- a/charts/nmaas/templates/nmaas-sp-secret.yaml
+++ b/charts/nmaas/templates/nmaas-sp-secret.yaml
-{{- if .Values.platform.properties.sso.encryptionSecret.literal }}
-apiVersion: v1
-type: Opaque
-kind: Secret
-metadata:
-  name: {{ .Values.platform.properties.sso.encryptionSecret.secret.name | quote }}
-data:
-  {{ .Values.platform.properties.sso.encryptionSecret.secret.key | quote }}: {{ .Values.platform.properties.sso.encryptionSecret.literal | b64enc | quote }}
-{{- end }}
\ No newline at end of file
--- a/charts/nmaas/templates/nmaas-sp-service.yaml
+++ b/charts/nmaas/templates/nmaas-sp-service.yaml
-{{- if .Values.sp.enabled -}}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ .Values.sp.name }}
-  labels:
-    app: {{ .Values.sp.name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-spec:
-  type: {{ .Values.sp.type }}
-  ports:
-  - port: {{ .Values.sp.port }}
-    targetPort: {{ .Values.sp.targetPort }}
-    protocol: TCP
-  selector:
-    app: {{ .Values.sp.name }}
-{{- end -}}
--- a/charts/nmaas/values.yaml
+++ b/charts/nmaas/values.yaml
@@ -101,18 +101,6 @@ platform:
    showDomainRegistrationSelector: true
    # -- if true nmaas will automatically create the corresponding Kubernetes namespace for each new domain
    autoNamespaceCreationForDomains: false
-    sso:
-      enabled: false
-      urlLogin: ""
-      urlLogout: ""
-      encryptionSecret:
-        # -- leave empty to use existing secret specified below
-        literal: ""
-        secret:
-          # -- must be created manually if literal is empty
-          name: nmaas-sp-secret
-          key: secret
-      timeout: 15
    adminEmail: admin@example.com
    # -- only required if an external postgresql instance is used (when postgresql.install is false)
    postgresql:
@@ -126,7 +114,6 @@ platform:
        secret:
          name: nmaas-postgresql-secret
          key: secret
    helm:
      address: nmaas-helm
      username: helm
@@ -180,6 +167,28 @@ platform:
        key: secret
    # -- expose Prometheus metrics
    nmaasMetricsEnabled: true
+    jwt:
+      secretName: nmaas-jwt
+      signingKey:
+        secret:
+          key:
+        # -- leave empty to use existing secret
+        literal: ""
+      resetKey:
+        secret:
+          key:
+        # -- leave empty to use existing secret
+        literal: ""
+    oidc:
+      enabled: false
+      secretName: nmaas-oidc
+      clientId: ""
+      issuerUri: "https://auth.example.com/realms/master"
+      clientSecret:
+        secret:
+          key: oidcClientSecret
+        # -- leave empty to use existing secret
+        literal: ""
 portal:
  enabled: true
@@ -240,29 +249,6 @@ postfix:
        secret:
          key: smtpPassword
-sp:
-  enabled: false
-  name: nmaas-sp
-  image:
-    repository: artifactory.software.geant.org/nmaas-docker-local/nmaas-sp
-    tag: "1.6.3"
-    pullPolicy: Always
-  ingress:
-    # -- defaults to .Values.platform.properties.k8s.ingress.controller.ingressClass if not set
-    className: ''
-  port: 443
-  targetPort: 80
-  type: ClusterIP
-  tls: true
-  properties:
-    idp:
-      name: edugain
-      uri: https://login.terena.org/wayf/saml2/idp/metadata.php
-      userId: uid
-      remoteUser: email
-      entityId: https://keycloak.example.com/realms/master
-      metadataUrl: https://keycloak.example.com/realms/master/protocol/saml/descriptor
 helm:
  enabled: true
  name: nmaas-helm