From 603c20a437e57a48e9f180f83a1cd899f5a9a774 Mon Sep 17 00:00:00 2001 From: Kautilya Tripathi Date: Mon, 22 Apr 2024 11:59:00 +0530 Subject: [PATCH] charts: Provide 3 options for oidc configuration Now users have 3 different ways to set the OIDC configuration: - Directly set the values of config.oidc.clientID and the other respective fields, which are injected into ENV variables to be used by the args. - Use an external, i.e. already created, secret with the same keys as the args. - Use the config.oidc.secret.create functionality to create the secret and have its values dynamically loaded into the headlamp deployment. Fixes: #1897
Signed-off-by: Kautilya Tripathi --- charts/headlamp/README.md | 23 +-- charts/headlamp/templates/deployment.yaml | 85 ++++++++-- .../tests/expected_templates/extra-args.yaml | 4 + .../oidc-create-secret.yaml | 153 ++++++++++++++++++ .../expected_templates/oidc-directly-env.yaml | 137 ++++++++++++++++ .../expected_templates/oidc-directly.yaml | 129 +++++++++++++++ .../oidc-external-secret.yaml | 120 ++++++++++++++ .../expected_templates/volumes-added.yaml | 4 + .../headlamp/tests/test_cases/extra-args.yaml | 2 + .../tests/test_cases/oidc-create-secret.yaml | 16 ++ .../tests/test_cases/oidc-directly-env.yaml | 10 ++ .../tests/test_cases/oidc-directly.yaml | 14 ++ .../test_cases/oidc-external-secret.yaml | 10 ++ .../tests/test_cases/volumes-added.yaml | 7 +- charts/headlamp/values.yaml | 39 +++++ 15 files changed, 724 insertions(+), 29 deletions(-) create mode 100644 charts/headlamp/tests/expected_templates/oidc-create-secret.yaml create mode 100644 charts/headlamp/tests/expected_templates/oidc-directly-env.yaml create mode 100644 charts/headlamp/tests/expected_templates/oidc-directly.yaml create mode 100644 charts/headlamp/tests/expected_templates/oidc-external-secret.yaml create mode 100644 charts/headlamp/tests/test_cases/oidc-create-secret.yaml create mode 100644 charts/headlamp/tests/test_cases/oidc-directly-env.yaml create mode 100644 charts/headlamp/tests/test_cases/oidc-directly.yaml create mode 100644 charts/headlamp/tests/test_cases/oidc-external-secret.yaml diff --git a/charts/headlamp/README.md b/charts/headlamp/README.md index 6da98005b9..e68d95b444 100644 --- a/charts/headlamp/README.md +++ b/charts/headlamp/README.md 
@@ -67,14 +67,15 @@ See [MAINTAINERS.md](https://github.com/headlamp-k8s/headlamp/blob/main/MAINTAIN ### Headlamp Configuration -| Key | Type | Default | Description | -|---------------------------|--------|-----------------------|-------------------------------------------------------------------------------------------------------| -| config.baseURL | string | `""` | base url path at which headlamp should run | -| config.extraArgs | object | `{}` | Extra arguments that can be given to the headlamp container | -| config.oidc.clientID | string | `""` | OIDC client ID | -| config.oidc.clientSecret | string | `""` | OIDC client secret | -| config.oidc.issuerURL | string | `""` | OIDC issuer URL | -| config.oidc.scopes | string | `""` | OIDC scopes to be used | -| config.oidc.secret.create | bool | `true` | Enable this option to have the chart automatically create the OIDC secret using the specified values. | -| config.oidc.secret.name | string | `oidc` | Name of the OIDC secret used by headlamp | -| config.pluginsDir | string | `"/headlamp/plugins"` | directory to look for plugins | +| Key | Type | Default | Description | +|------------------------------------|--------|-----------------------|-------------------------------------------------------------------------------------------------------| +| config.baseURL | string | `""` | base url path at which headlamp should run | +| config.oidc.clientID | string | `""` | OIDC client ID | +| config.oidc.clientSecret | string | `""` | OIDC client secret | +| config.oidc.issuerURL | string | `""` | OIDC issuer URL | +| config.oidc.scopes | string | `""` | OIDC scopes to be used | +| config.oidc.secret.create | bool | `true` | Enable this option to have the chart automatically create the OIDC secret using the specified values. 
|
+| config.oidc.secret.name | string | `oidc` | Name of the OIDC secret used by headlamp |
+| config.oidc.externalSecret.enabled | bool | `false` | Enable this option if you want to use an external secret for OIDC configuration. |
+| config.oidc.externalSecret.name | string | `""` | Name of the external OIDC secret to be used by headlamp. |
+| config.pluginsDir | string | `"/headlamp/plugins"` | directory to look for plugins |
diff --git a/charts/headlamp/templates/deployment.yaml b/charts/headlamp/templates/deployment.yaml
index 1923f86aa8..e398c1cd94 100644
--- a/charts/headlamp/templates/deployment.yaml
+++ b/charts/headlamp/templates/deployment.yaml
@@ -1,3 +1,28 @@
+{{- $oidc := .Values.config.oidc }}
+{{- $env := .Values.env }}
+
+{{- $clientID := "" }}
+{{- $clientSecret := "" }}
+{{- $issuerURL := "" }}
+{{- $scopes := "" }}
+
+# This block of code is used to extract the values from the env.
+# This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
+{{- range $env }}
+ {{- if eq .name "OIDC_CLIENT_ID" }}
+ {{- $clientID = .value }}
+ {{- end }}
+ {{- if eq .name "OIDC_CLIENT_SECRET" }}
+ {{- $clientSecret = .value }}
+ {{- end }}
+ {{- if eq .name "OIDC_ISSUER_URL" }}
+ {{- $issuerURL = .value }}
+ {{- end }}
+ {{- if eq .name "OIDC_SCOPES" }}
+ {{- $scopes = .value }}
+ {{- end }}
+{{- end }}
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
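Review bot: The extraction loop reads `.value` only, so an `env` entry that supplies `OIDC_CLIENT_ID` through `valueFrom` (a secretKeyRef, for instance) assigns nil to `$clientID`, and the `ne $clientID ""` test in the args hunk then either errors with an incompatible-types comparison or compares unequal, depending on the Go text/template version Helm was built with — in neither case does it reliably mean "the variable is defined". Since only non-emptiness is ever tested, a marker is enough: `{{- if and (eq .name "OIDC_CLIENT_ID") (or .value .valueFrom) }}{{- $clientID = "set" }}{{- end }}`, and likewise for the other three names. The two `# This block of code …` lines are YAML comments rather than template comments, so they are rendered into every manifest (they appear at the top of each Deployment in the expected_templates files); write them as `{{/* … */}}`, and the same applies to the `# Check if …` lines added in the env and args hunks of this file.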
@@ -37,35 +62,57 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} {{ if or .Values.config.oidc .Values.env }} env: - {{- with .Values.config.oidc }} - {{- if or .clientID (not .secret.create) }} + {{- if .Values.config.oidc.secret.create }} + {{- if .Values.config.oidc.clientID }} - name: OIDC_CLIENT_ID valueFrom: secretKeyRef: - name: {{ .secret.name }} + name: {{ .Values.config.oidc.secret.name }} key: clientID {{- end }} - {{- if or .clientSecret (not .secret.create) }} + {{- if .Values.config.oidc.clientSecret }} - name: OIDC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ .secret.name }} + name: {{ .Values.config.oidc.secret.name }} key: clientSecret {{- end }} - {{- if or .issuerURL (not .secret.create) }} + {{- if .Values.config.oidc.issuerURL }} - name: OIDC_ISSUER_URL valueFrom: secretKeyRef: - name: {{ .secret.name }} + name: {{ .Values.config.oidc.secret.name }} key: issuerURL {{- end }} - {{- if or .scopes (not .secret.create) }} + {{- if .Values.config.oidc.scopes }} - name: OIDC_SCOPES valueFrom: secretKeyRef: - name: {{ .secret.name }} + name: {{ .Values.config.oidc.secret.name }} key: scopes {{- end }} + {{- else if .Values.config.oidc.externalSecret.enabled }} + # Check if externalSecret is enabled + envFrom: + - secretRef: + name: {{ .Values.config.oidc.externalSecret.name }} + {{- else }} + {{- if .Values.config.oidc.clientID }} + - name: OIDC_CLIENT_ID + value: {{ .Values.config.oidc.clientID }} + {{- end }} + {{- if .Values.config.oidc.clientSecret }} + - name: OIDC_CLIENT_SECRET + value: {{ .Values.config.oidc.clientSecret }} + {{- end }} + {{- if .Values.config.oidc.issuerURL }} + - name: OIDC_ISSUER_URL + value: {{ .Values.config.oidc.issuerURL }} + {{- end }} + {{- if .Values.config.oidc.scopes }} + - name: OIDC_SCOPES + value: {{ .Values.config.oidc.scopes }} + {{- end }} {{- end }} {{- if .Values.env }} {{- toYaml .Values.env | nindent 12 }} 
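Review bot: Replacing the `or .clientID (not .secret.create)` conditions with a plain `if .Values.config.oidc.secret.create` silently drops the old way of consuming an existing secret: with `secret.create: false` nothing in these hunks references `secret.name` any more, so a release that set `secret.create: false` plus `secret.name` renders no OIDC env and no `-oidc-*` args after upgrading, and neither the commit message nor the README rows mention it. The new `externalSecret` path is not a drop-in replacement either, because `envFrom` exposes the secret's keys verbatim as environment variables: the secret must carry `OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET`, `OIDC_ISSUER_URL` and `OIDC_SCOPES` (what the args expand), not the `clientID`/`clientSecret`/`issuerURL`/`scopes` keys the chart's own secret uses, and every other key in that secret also lands in the container environment — this belongs in the `externalSecret.name` documentation. Branch order also means `secret.create: true` (the default) wins silently over `externalSecret.enabled: true`; `{{- if and .Values.config.oidc.secret.create .Values.config.oidc.externalSecret.enabled }}{{ fail "config.oidc.secret.create and config.oidc.externalSecret.enabled are mutually exclusive" }}{{- end }}` would surface that at render time, and `name: {{ required "config.oidc.externalSecret.name is required when externalSecret is enabled" .Values.config.oidc.externalSecret.name }}` would catch the `""` default instead of emitting an empty `secretRef.name` that can never match a Secret. In the direct-value branch the four scalars are unquoted (`value: {{ .Values.config.oidc.clientSecret }}`), so a value containing `: ` or ` #`, starting with a YAML indicator, or consisting only of digits breaks or retypes the manifest; use `value: {{ .Values.config.oidc.clientSecret | quote }}` for all four.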
@@ -76,16 +123,28 @@ spec: {{- with .Values.config.pluginsDir}} - "-plugins-dir={{ . }}" {{- end }} - {{- if or .Values.config.oidc.clientID (not .Values.config.oidc.secret.create) }} + {{- if not .Values.config.oidc.externalSecret.enabled}} + # Check if externalSecret is disabled + {{- if or (ne $oidc.clientID "") (ne $clientID "") }} + # Check if clientID is non empty either from env or oidc.config - "-oidc-client-id=$(OIDC_CLIENT_ID)" {{- end }} - {{- if or .Values.config.oidc.clientSecret (not .Values.config.oidc.secret.create) }} + {{- if or (ne $oidc.clientSecret "") (ne $clientSecret "") }} + # Check if clientSecret is non empty either from env or oidc.config - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)" {{- end }} - {{- if or .Values.config.oidc.issuerURL (not .Values.config.oidc.secret.create) }} + {{- if or (ne $oidc.issuerURL "") (ne $issuerURL "") }} + # Check if issuerURL is non empty either from env or oidc.config - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)" {{- end }} - {{- if or .Values.config.oidc.scopes (not .Values.config.oidc.secret.create) }} + {{- if or (ne $oidc.scopes "") (ne $scopes "") }} + # Check if scopes are non empty either from env or oidc.config + - "-oidc-scopes=$(OIDC_SCOPES)" + {{- end }} + {{- else }} + - "-oidc-client-id=$(OIDC_CLIENT_ID)" + - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)" + - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)" - "-oidc-scopes=$(OIDC_SCOPES)" {{- end }} {{- with .Values.config.baseURL }} diff --git a/charts/headlamp/tests/expected_templates/extra-args.yaml b/charts/headlamp/tests/expected_templates/extra-args.yaml index 326c7a22b1..a842da9cf6 100644 --- a/charts/headlamp/tests/expected_templates/extra-args.yaml +++ b/charts/headlamp/tests/expected_templates/extra-args.yaml 
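Review bot: In the `else` (externalSecret) branch all four `-oidc-*` args are emitted unconditionally, while `envFrom` only defines whatever keys the external secret happens to contain; Kubernetes leaves an unresolvable `$(VAR)` reference unchanged, so a secret without, say, `OIDC_SCOPES` passes the literal string `$(OIDC_SCOPES)` to headlamp instead of omitting the flag. Helm cannot inspect the secret at render time, so the four required key names need to be stated next to `externalSecret` in values.yaml and the README, and the nested `{{- if … }}` checks in the non-external branch should probably note that `$(OIDC_CLIENT_ID)` is only guaranteed to resolve when the matching env entry exists. Style: `{{- if not .Values.config.oidc.externalSecret.enabled}}` lacks the space before `}}` that every other action in this file has; write `{{- if not .Values.config.oidc.externalSecret.enabled }}`.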
@@ -62,6 +62,9 @@ spec: app.kubernetes.io/instance: headlamp --- # Source: headlamp/templates/deployment.yaml +# This block of code is used to extract the values from the env. +# This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml. + apiVersion: apps/v1 kind: Deployment metadata: @@ -101,6 +104,7 @@ spec: args: - "-in-cluster" - "-plugins-dir=/headlamp/plugins" + # Check if externalSecret is disabled - -insecure-ssl ports: - name: http diff --git a/charts/headlamp/tests/expected_templates/oidc-create-secret.yaml b/charts/headlamp/tests/expected_templates/oidc-create-secret.yaml new file mode 100644 index 0000000000..8baec98ef3 --- /dev/null +++ b/charts/headlamp/tests/expected_templates/oidc-create-secret.yaml 
@@ -0,0 +1,153 @@ +--- +# Source: headlamp/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: headlamp + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +--- +# Source: headlamp/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: oidc +type: Opaque +data: + clientID: "dGVzdENsaWVudElk" + clientSecret: "dGVzdENsaWVudFNlY3JldA==" + issuerURL: "dGVzdElzc3VlclVSTA==" + scopes: "dGVzdFNjb3Bl" +--- +# Source: headlamp/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: headlamp-admin + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: headlamp + namespace: default +--- +# Source: headlamp/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: headlamp + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp +--- +# Source: headlamp/templates/deployment.yaml +# This block of code is used to extract the values from the env. +# This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: headlamp + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + template: + metadata: + labels: + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + spec: + serviceAccountName: headlamp + securityContext: + {} + containers: + - name: headlamp + securityContext: + privileged: false + runAsGroup: 101 + runAsNonRoot: true + runAsUser: 100 + image: "ghcr.io/headlamp-k8s/headlamp:v0.23.2" + imagePullPolicy: IfNotPresent + + env: + - name: OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: oidc + key: clientID + - name: OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: oidc + key: clientSecret + - name: OIDC_ISSUER_URL + valueFrom: + secretKeyRef: + name: oidc + key: issuerURL + - name: OIDC_SCOPES + valueFrom: + secretKeyRef: + name: oidc + key: scopes + args: + - "-in-cluster" + - "-plugins-dir=/headlamp/plugins" + # Check if externalSecret is disabled + # Check if clientID is non empty either from env or oidc.config + - "-oidc-client-id=$(OIDC_CLIENT_ID)" + # Check if clientSecret is non empty either from env or oidc.config + - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)" + # Check if issuerURL is non empty either from env or oidc.config + - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)" + # Check if scopes are non empty either from env or oidc.config + - "-oidc-scopes=$(OIDC_SCOPES)" + ports: + - name: http + containerPort: 4466 + protocol: TCP + livenessProbe: + httpGet: + path: "/" + port: http + readinessProbe: + httpGet: + path: "/" + port: http + resources: + {} 
diff --git a/charts/headlamp/tests/expected_templates/oidc-directly-env.yaml b/charts/headlamp/tests/expected_templates/oidc-directly-env.yaml new file mode 100644 index 0000000000..f8246552e4 --- /dev/null +++ b/charts/headlamp/tests/expected_templates/oidc-directly-env.yaml 
@@ -0,0 +1,137 @@ +--- +# Source: headlamp/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: headlamp + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +--- +# Source: headlamp/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: oidc +type: Opaque +data: +--- +# Source: headlamp/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: headlamp-admin + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: headlamp + namespace: default +--- +# Source: headlamp/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: headlamp + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp +--- +# Source: headlamp/templates/deployment.yaml +# This block of code is used to extract the values from the env. +# This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: headlamp + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + template: + metadata: + labels: + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + spec: + serviceAccountName: headlamp + securityContext: + {} + containers: + - name: headlamp + securityContext: + privileged: false + runAsGroup: 101 + runAsNonRoot: true + runAsUser: 100 + image: "ghcr.io/headlamp-k8s/headlamp:v0.23.2" + imagePullPolicy: IfNotPresent + + env: + - name: OIDC_CLIENT_ID + value: testClientId + - name: OIDC_CLIENT_SECRET + value: testClientSecret + - name: OIDC_ISSUER_URL + value: testIssuerURL + - name: OIDC_SCOPES + value: testScope + args: + - "-in-cluster" + - "-plugins-dir=/headlamp/plugins" + # Check if externalSecret is disabled + # Check if clientID is non empty either from env or oidc.config + - "-oidc-client-id=$(OIDC_CLIENT_ID)" + # Check if clientSecret is non empty either from env or oidc.config + - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)" + # Check if issuerURL is non empty either from env or oidc.config + - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)" + # Check if scopes are non empty either from env or oidc.config + - "-oidc-scopes=$(OIDC_SCOPES)" + ports: + - name: http + containerPort: 4466 + protocol: TCP + livenessProbe: + httpGet: + path: "/" + port: http + readinessProbe: + httpGet: + path: "/" + port: http + resources: + {} diff --git a/charts/headlamp/tests/expected_templates/oidc-directly.yaml b/charts/headlamp/tests/expected_templates/oidc-directly.yaml new file mode 100644 index 0000000000..7fc974ab3d --- /dev/null +++ b/charts/headlamp/tests/expected_templates/oidc-directly.yaml 
@@ -0,0 +1,129 @@ +--- +# Source: headlamp/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: headlamp + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +--- +# Source: headlamp/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: headlamp-admin + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: headlamp + namespace: default +--- +# Source: headlamp/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: headlamp + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp +--- +# Source: headlamp/templates/deployment.yaml +# This block of code is used to extract the values from the env. +# This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: headlamp + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + template: + metadata: + labels: + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + spec: + serviceAccountName: headlamp + securityContext: + {} + containers: + - name: headlamp + securityContext: + privileged: false + runAsGroup: 101 + runAsNonRoot: true + runAsUser: 100 + image: "ghcr.io/headlamp-k8s/headlamp:v0.23.2" + imagePullPolicy: IfNotPresent + + env: + - name: OIDC_CLIENT_ID + value: testClientId + - name: OIDC_CLIENT_SECRET + value: testClientSecret + - name: OIDC_ISSUER_URL + value: testIssuerURL + - name: OIDC_SCOPES + value: testScope + args: + - "-in-cluster" + - "-plugins-dir=/headlamp/plugins" + # Check if externalSecret is disabled + # Check if clientID is non empty either from env or oidc.config + - "-oidc-client-id=$(OIDC_CLIENT_ID)" + # Check if clientSecret is non empty either from env or oidc.config + - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)" + # Check if issuerURL is non empty either from env or oidc.config + - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)" + # Check if scopes are non empty either from env or oidc.config + - "-oidc-scopes=$(OIDC_SCOPES)" + ports: + - name: http + containerPort: 4466 + protocol: TCP + livenessProbe: + httpGet: + path: "/" + port: http + readinessProbe: + httpGet: + path: "/" + port: http + resources: + {} diff --git a/charts/headlamp/tests/expected_templates/oidc-external-secret.yaml b/charts/headlamp/tests/expected_templates/oidc-external-secret.yaml new file mode 100644 index 0000000000..97450d0007 --- /dev/null +++ b/charts/headlamp/tests/expected_templates/oidc-external-secret.yaml 
@@ -0,0 +1,120 @@ +--- +# Source: headlamp/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: headlamp + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +--- +# Source: headlamp/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: headlamp-admin + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: headlamp + namespace: default +--- +# Source: headlamp/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: headlamp + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp +--- +# Source: headlamp/templates/deployment.yaml +# This block of code is used to extract the values from the env. +# This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: headlamp + labels: + helm.sh/chart: headlamp-0.21.0 + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + app.kubernetes.io/version: "0.23.2" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + template: + metadata: + labels: + app.kubernetes.io/name: headlamp + app.kubernetes.io/instance: headlamp + spec: + serviceAccountName: headlamp + securityContext: + {} + containers: + - name: headlamp + securityContext: + privileged: false + runAsGroup: 101 + runAsNonRoot: true + runAsUser: 100 + image: "ghcr.io/headlamp-k8s/headlamp:v0.23.2" + imagePullPolicy: IfNotPresent + + env: + # Check if externalSecret is enabled + envFrom: + - secretRef: + name: oidc + args: + - "-in-cluster" + - "-plugins-dir=/headlamp/plugins" + - "-oidc-client-id=$(OIDC_CLIENT_ID)" + - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)" + - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)" + - "-oidc-scopes=$(OIDC_SCOPES)" + ports: + - name: http + containerPort: 4466 + protocol: TCP + livenessProbe: + httpGet: + path: "/" + port: http + readinessProbe: + httpGet: + path: "/" + port: http + resources: + {} diff --git a/charts/headlamp/tests/expected_templates/volumes-added.yaml b/charts/headlamp/tests/expected_templates/volumes-added.yaml index 4ca836c04b..e3f1fedc52 100644 --- a/charts/headlamp/tests/expected_templates/volumes-added.yaml +++ b/charts/headlamp/tests/expected_templates/volumes-added.yaml @@ -62,6 +62,9 @@ spec: app.kubernetes.io/instance: headlamp --- # Source: headlamp/templates/deployment.yaml +# This block of code is used to extract the values from the env. +# This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml. + apiVersion: apps/v1 kind: Deployment metadata: 
@@ -101,6 +104,7 @@ spec: args: - "-in-cluster" - "-plugins-dir=/headlamp/plugins" + # Check if externalSecret is disabled ports: - name: http containerPort: 4466 diff --git a/charts/headlamp/tests/test_cases/extra-args.yaml b/charts/headlamp/tests/test_cases/extra-args.yaml index 80ea3d45c1..51e69e4df3 100644 --- a/charts/headlamp/tests/test_cases/extra-args.yaml +++ b/charts/headlamp/tests/test_cases/extra-args.yaml @@ -1,3 +1,5 @@ +# This is a test case for extraArgs in the Headlamp deployment. +# Each test case is a dictionary with the following keys: config: extraArgs: - -insecure-ssl diff --git a/charts/headlamp/tests/test_cases/oidc-create-secret.yaml b/charts/headlamp/tests/test_cases/oidc-create-secret.yaml new file mode 100644 index 0000000000..7a5f652a6a --- /dev/null +++ b/charts/headlamp/tests/test_cases/oidc-create-secret.yaml @@ -0,0 +1,16 @@ +# This is a test case for the oidc.secret.create field in the Headlamp deployment. +# The oidc.secret.create field is a boolean that determines whether to create a secret for OIDC. +# The oidc.secret.name field is a string that specifies the name of the OIDC secret. +# The oidc.clientID field is a string that specifies the client ID for OIDC. +# The oidc.clientSecret field is a string that specifies the client secret for OIDC. +# The oidc.issuerURL field is a string that specifies the issuer URL for OIDC. +# The oidc.scopes field is a string that specifies the scopes for OIDC. +config: + oidc: + secret: + create: true + name: oidc + clientID: "testClientId" + clientSecret: "testClientSecret" + issuerURL: "testIssuerURL" + scopes: "testScope" diff --git a/charts/headlamp/tests/test_cases/oidc-directly-env.yaml b/charts/headlamp/tests/test_cases/oidc-directly-env.yaml new file mode 100644 index 0000000000..53f9fe3b09 --- /dev/null +++ b/charts/headlamp/tests/test_cases/oidc-directly-env.yaml 
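Review bot: The second comment line added to test_cases/extra-args.yaml, `# Each test case is a dictionary with the following keys:`, promises a list of keys that never follows — the file goes straight to `config:`. Either name the key this case sets or drop the line, e.g. `# This test case sets config.extraArgs; the rendered output is compared against expected_templates/extra-args.yaml.`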
@@ -0,0 +1,10 @@ +# This is a test case where user can set env values directly for OIDC configuration. +env: + - name: OIDC_CLIENT_ID + value: testClientId + - name: OIDC_CLIENT_SECRET + value: testClientSecret + - name: OIDC_ISSUER_URL + value: testIssuerURL + - name: OIDC_SCOPES + value: testScope diff --git a/charts/headlamp/tests/test_cases/oidc-directly.yaml b/charts/headlamp/tests/test_cases/oidc-directly.yaml new file mode 100644 index 0000000000..4a318c60b4 --- /dev/null +++ b/charts/headlamp/tests/test_cases/oidc-directly.yaml @@ -0,0 +1,14 @@ +# This is a test case for the direct OIDC configuration in the Headlamp deployment. +# The oidc.secret.create field is false to avoid creating a secret for OIDC. +# The oidc.clientID field is a string that specifies the client ID for OIDC. +# The oidc.clientSecret field is a string that specifies the client secret for OIDC. +# The oidc.issuerURL field is a string that specifies the issuer URL for OIDC. +# The oidc.scopes field is a string that specifies the scopes for OIDC. +config: + oidc: + secret: + create: false + clientID: "testClientId" + clientSecret: "testClientSecret" + issuerURL: "testIssuerURL" + scopes: "testScope" diff --git a/charts/headlamp/tests/test_cases/oidc-external-secret.yaml b/charts/headlamp/tests/test_cases/oidc-external-secret.yaml new file mode 100644 index 0000000000..6773732812 --- /dev/null +++ b/charts/headlamp/tests/test_cases/oidc-external-secret.yaml @@ -0,0 +1,10 @@ +# This is a test case for OIDC external secret. +# The oidc.externalSecret.enabled field is a boolean that determines whether to use an external secret for OIDC. +# The oidc.externalSecret.name field is a string that specifies the name of the external OIDC secret. +config: + oidc: + secret: + create: false + externalSecret: + enabled: true + name: oidc diff --git a/charts/headlamp/tests/test_cases/volumes-added.yaml b/charts/headlamp/tests/test_cases/volumes-added.yaml index db7dbfaf6f..b84a646d3d 100644 
--- a/charts/headlamp/tests/test_cases/volumes-added.yaml +++ b/charts/headlamp/tests/test_cases/volumes-added.yaml @@ -1,8 +1,5 @@ -# custom values for headlamp with volume added. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# -- Headlamp pod's volumes +# This is a test case for volumes in the Headlamp deployment. +# The volumes field is a list of dictionaries that specify the volumes to add to the Headlamp deployment. volumes: - name: plugins emptyDir: {} diff --git a/charts/headlamp/values.yaml b/charts/headlamp/values.yaml index d6ae0c4a0f..9b306b2475 100644 --- a/charts/headlamp/values.yaml +++ b/charts/headlamp/values.yaml @@ -29,11 +29,34 @@ config: # -- base url path at which headlamp should run baseURL: "" oidc: + # Option 1: + # @param config.oidc.secret - OIDC secret configuration + # If you want to use an existing secret, set create to false and provide the name of the secret. + # If you want to create a new secret, set create to true and provide the name of the secret. + # Also provide the values for clientID, clientSecret, issuerURL, and scopes. + # Example: + # config: + # oidc: + # secret: + # create: true + # name: oidc secret: # -- Generate OIDC secret. If true, will generate a secret using .config.oidc. create: true # -- Name of the OIDC secret. name: oidc + + # Option 2: + # @param config.oidc - OIDC env configuration + # If you want to set the OIDC configuration directly, set the following values. + # Example: + # config: + # oidc: + # clientID: "clientID" + # clientSecret: "clientSecret" + # issuerURL: "issuerURL" + # scopes: "scopes" + # -- OIDC client ID clientID: "" # -- OIDC client secret 
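Review bot: The Option 1 comment `If you want to use an existing secret, set create to false and provide the name of the secret.` describes behaviour this same commit removes — with `create: false` the deployment template no longer references `secret.name` (it falls through to the direct-value branch, or to `externalSecret` when enabled), so the sentence now misleads; replace it with `# If create is false, secret.name is unused; see Option 3 (externalSecret) to consume an existing secret.` The Option 2 block should state that a `clientSecret` set this way is written in clear text into the Deployment's `env` and is readable by anyone who can read pods or deployments in the namespace, which is the trade-off against Options 1 and 3; it should also tell users to set `secret.create: false`, since leaving the default renders an empty Secret named `oidc` alongside the direct values (visible in the oidc-directly-env expected template, whose Secret has an empty `data:`). If a README generator consumes the `@param` lines, the identical `# @param config.oidc - …` headers on Option 2 and Option 3 will collide; name the specific keys each option describes, or drop the prefix since the rest of the file uses the `# --` style.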
@@ -42,6 +65,22 @@ config: issuerURL: "" # -- OIDC scopes to be used scopes: "" + + # Option 3: + # @param config.oidc - External OIDC secret configuration + # If you want to use an external secret for OIDC configuration, enable this option. + # Provide the name of the secret to use. + # Example: + # config: + # oidc: + # secret: + # create: false + # externalSecret: + # enabled: true + # name: oidc + externalSecret: + enabled: false + name: "" # -- directory to look for plugins pluginsDir: "/headlamp/plugins" # Extra arguments that can be given to the container. See charts/headlamp/README.md for more information.
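Review bot: The Option 3 prose says only `Provide the name of the secret to use`, but the deployment template consumes it through `envFrom`/`secretRef`, so the secret's keys must be exactly `OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET`, `OIDC_ISSUER_URL` and `OIDC_SCOPES`, and because every key of that secret becomes an environment variable it should contain nothing else; add `# The secret must contain the keys OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_ISSUER_URL and OIDC_SCOPES; all of its keys are exposed to the container as environment variables.` The prose, not only the example, should say that `secret.create` must be `false` for this option to take effect, since `secret.create: true` (the default) takes precedence in the template. `enabled` and `name` also carry no `# --` description lines, unlike every other key in this file, so README generators keyed on that marker will not pick them up; e.g. `# -- Use an existing secret for the OIDC configuration instead of chart-managed values.` and `# -- Name of the existing secret; required when enabled is true.`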