

charts: Provide 3 options for oidc configuration
Now users have 3 different ways they can set the oidc configuration

- Directly set values of respective config.oidc.clientID and others
  which inject them into ENV variable, to be used by args.
- Use external i.e. already created secret with the same keys as args.
- Use config.oidc.secret.create functionality to create secret and have
  them dynamically loaded into the headlamp deployment.

Fixes: #1897
Signed-off-by: Kautilya Tripathi <ktripathi@microsoft.com>
knrt10 committed Apr 29, 2024
1 parent 16a9375 commit 715e8c3
Showing 3 changed files with 97 additions and 23 deletions.
22 changes: 12 additions & 10 deletions charts/headlamp/README.md
Expand Up @@ -66,13 +66,15 @@ See [MAINTAINERS.md](https://github.com/headlamp-k8s/headlamp/blob/main/MAINTAIN

### Headlamp Configuration

| Key | Type | Default | Description |
|---------------------------|--------|-----------------------|--------------------------------------------|
| config.baseURL | string | `""` | base url path at which headlamp should run |
| config.oidc.clientID | string | `""` | OIDC client ID |
| config.oidc.clientSecret | string | `""` | OIDC client secret |
| config.oidc.issuerURL | string | `""` | OIDC issuer URL |
| config.oidc.scopes | string | `""` | OIDC scopes to be used |
| config.oidc.secret.create | bool | `true` | Enable this option to have the chart automatically create the OIDC secret using the specified values. |
| config.oidc.secret.name | string | `oidc` | Name of the OIDC secret used by headlamp |
| config.pluginsDir | string | `"/headlamp/plugins"` | directory to look for plugins |
| Key | Type | Default | Description |
|------------------------------------|--------|-----------------------|-------------------------------------------------------------------------------------------------------|
| config.baseURL | string | `""` | base url path at which headlamp should run |
| config.oidc.clientID | string | `""` | OIDC client ID |
| config.oidc.clientSecret | string | `""` | OIDC client secret |
| config.oidc.issuerURL | string | `""` | OIDC issuer URL |
| config.oidc.scopes | string | `""` | OIDC scopes to be used |
| config.oidc.secret.create | bool | `true` | Enable this option to have the chart automatically create the OIDC secret using the specified values. |
| config.oidc.secret.name | string | `oidc` | Name of the OIDC secret used by headlamp |
| config.oidc.externalSecret.enabled | bool | `false` | Enable this option if you want to use an external secret for OIDC configuration. |
| config.oidc.externalSecret.name | string | `""` | Name of the external OIDC secret to be used by headlamp. |
| config.pluginsDir | string | `"/headlamp/plugins"` | directory to look for plugins |
59 changes: 46 additions & 13 deletions charts/headlamp/templates/deployment.yaml
Expand Up @@ -37,35 +37,57 @@ spec:
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{ if or .Values.config.oidc .Values.env }}
env:
{{- with .Values.config.oidc }}
{{- if or .clientID (not .secret.create) }}
{{- if .Values.config.oidc.secret.create }}
{{- if .Values.config.oidc.clientID }}
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ .secret.name }}
name: {{ .Values.config.oidc.secret.name }}
key: clientID
{{- end }}
{{- if or .clientSecret (not .secret.create) }}
{{- if .Values.config.oidc.clientSecret }}
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ .secret.name }}
name: {{ .Values.config.oidc.secret.name }}
key: clientSecret
{{- end }}
{{- if or .issuerURL (not .secret.create) }}
{{- if .Values.config.oidc.issuerURL }}
- name: OIDC_ISSUER_URL
valueFrom:
secretKeyRef:
name: {{ .secret.name }}
name: {{ .Values.config.oidc.secret.name }}
key: issuerURL
{{- end }}
{{- if or .scopes (not .secret.create) }}
{{- if .Values.config.oidc.scopes }}
- name: OIDC_SCOPES
valueFrom:
secretKeyRef:
name: {{ .secret.name }}
name: {{ .Values.config.oidc.secret.name }}
key: scopes
{{- end }}
{{- else if .Values.config.oidc.externalSecret.enabled }}
# Check if externalSecret is enabled
envFrom:
- secretRef:
name: {{ .Values.config.oidc.externalSecret.name }}
{{- else }}
{{- if .Values.config.oidc.clientID }}
- name: OIDC_CLIENT_ID
value: {{ .Values.config.oidc.clientID }}
{{- end }}
{{- if .Values.config.oidc.clientSecret }}
- name: OIDC_CLIENT_SECRET
value: {{ .Values.config.oidc.clientSecret }}
{{- end }}
{{- if .Values.config.oidc.issuerURL }}
- name: OIDC_ISSUER_URL
value: {{ .Values.config.oidc.issuerURL }}
{{- end }}
{{- if .Values.config.oidc.scopes }}
- name: OIDC_SCOPES
value: {{ .Values.config.oidc.scopes }}
{{- end }}
{{- end }}
{{- if .Values.env }}
{{- toYaml .Values.env | nindent 12 }}
Expand All @@ -76,16 +98,27 @@ spec:
{{- with .Values.config.pluginsDir}}
- "-plugins-dir={{ . }}"
{{- end }}
{{- if or .Values.config.oidc.clientID (not .Values.config.oidc.secret.create) }}
{{- if or (and .Values.config.oidc.clientID (not .Values.config.oidc.secret.create)) (and .Values.config.oidc.secret.create (ne .Values.config.oidc.clientID "")) }}
# Check if clientID is set and secret.create is false, or if secret.create is true and clientID is not an empty string
- "-oidc-client-id=$(OIDC_CLIENT_ID)"
{{- end }}
{{- if or .Values.config.oidc.clientSecret (not .Values.config.oidc.secret.create) }}
{{- if or (and .Values.config.oidc.clientSecret (not .Values.config.oidc.secret.create)) (and .Values.config.oidc.secret.create (ne .Values.config.oidc.clientSecret "")) }}
# Check if clientSecret is set and secret.create is false, or if secret.create is true and clientSecret is not an empty string
- "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
{{- end }}
{{- if or .Values.config.oidc.issuerURL (not .Values.config.oidc.secret.create) }}
{{- if or (and .Values.config.oidc.issuerURL (not .Values.config.oidc.secret.create)) (and .Values.config.oidc.secret.create (ne .Values.config.oidc.issuerURL "")) }}
# Check if issuerURL is set and secret.create is false, or if secret.create is true and issuerURL is not an empty string
- "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
{{- end }}
{{- if or .Values.config.oidc.scopes (not .Values.config.oidc.secret.create) }}
{{- if or (and .Values.config.oidc.scopes (not .Values.config.oidc.secret.create)) (and .Values.config.oidc.secret.create (ne .Values.config.oidc.scopes "")) }}
# Check if scopes are set and secret.create is false, or if secret.create is true and scopes are not an empty string
- "-oidc-scopes=$(OIDC_SCOPES)"
{{- end }}
{{- if .Values.config.oidc.externalSecret.enabled }}
# Check if externalSecret is enabled
- "-oidc-client-id=$(OIDC_CLIENT_ID)"
- "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
- "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
- "-oidc-scopes=$(OIDC_SCOPES)"
{{- end }}
{{- with .Values.config.baseURL }}
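Review bot: In the fallback branch introduced at `{{- else }}` (taken when `secret.create` is false and no external secret is enabled) the four OIDC values are rendered as unquoted plain scalars, so `value: {{ .Values.config.oidc.clientSecret }}` puts the client secret in clear text into the Deployment spec and produces an invalid manifest if a value looks like a number or boolean or contains `: ` or ` #`; at minimum render them as `value: {{ .Values.config.oidc.clientSecret | quote }}` (likewise for clientID, issuerURL and scopes), and the README should say that this path stores the secret in the pod spec rather than in a Secret. The branch order also means `externalSecret.enabled: true` is silently ignored unless `secret.create` is set to false, because the default `create: true` satisfies the first `if`; that prerequisite appears only in the values.yaml example, not in the README row for `config.oidc.externalSecret.enabled`. The four arg conditions in the second hunk both reduce to "the value is non-empty" whatever `secret.create` is, so `{{- if .Values.config.oidc.clientID }}` is equivalent and far easier to read. Indentation is not visible on the rendered page, so whether `envFrom:` emitted inside the `env:` block ends up as a sibling key of `env` (and whether `.Values.env` items appended after it still land under `env`) should be checked in the rendered output. The container spec enclosing both hunks begins and ends outside them.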
39 changes: 39 additions & 0 deletions charts/headlamp/values.yaml
Expand Up @@ -29,11 +29,34 @@ config:
# -- base url path at which headlamp should run
baseURL: ""
oidc:
# Option 1:
# @param config.oidc.secret - OIDC secret configuration
# If you want to use an existing secret, set create to false and provide the name of the secret.
# If you want to create a new secret, set create to true and provide the name of the secret.
# Also provide the values for clientID, clientSecret, issuerURL, and scopes.
# Example:
# config:
# oidc:
# secret:
# create: true
# name: oidc
secret:
# -- Generate OIDC secret. If true, will generate a secret using .config.oidc.
create: true
# -- Name of the OIDC secret.
name: oidc

# Option 2:
# @param config.oidc - OIDC env configuration
# If you want to set the OIDC configuration directly, set the following values.
# Example:
# config:
# oidc:
# clientID: "clientID"
# clientSecret: "clientSecret"
# issuerURL: "issuerURL"
# scopes: "scopes"

# -- OIDC client ID
clientID: ""
# -- OIDC client secret
Expand All @@ -42,6 +65,22 @@ config:
issuerURL: ""
# -- OIDC scopes to be used
scopes: ""

# Option 3:
# @param config.oidc - External OIDC secret configuration
# If you want to use an external secret for OIDC configuration, enable this option.
# Provide the name of the secret to use.
# Example:
# config:
# oidc:
# secret:
# create: false
# externalSecret:
# enabled: true
# name: oidc
externalSecret:
enabled: false
name: ""
# -- directory to look for plugins
pluginsDir: "/headlamp/plugins"

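Review bot: The Option 1 comment "If you want to use an existing secret, set create to false and provide the name of the secret." is now stale: with this commit's deployment template, `create: false` takes the plain-value branch and `secret.name` is no longer read, so an existing secret has to go through `externalSecret` instead. Replace that line with `# To use an existing secret, set create to false and configure externalSecret below (Option 3).` and state in the Option 3 comment that `secret.create: false` is required, since the example shows it but nothing says it is mandatory. The new `externalSecret.enabled` and `externalSecret.name` keys also lack the `# -- ` description comments every neighbouring key carries, e.g. `# -- Use an existing secret holding the clientID, clientSecret, issuerURL and scopes keys` and `# -- Name of the existing OIDC secret`. The `config:` mapping enclosing both hunks begins and ends outside them.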
