diff --git a/charts/headlamp/README.md b/charts/headlamp/README.md index b0d325ffce..49adcb0a94 100644 --- a/charts/headlamp/README.md +++ b/charts/headlamp/README.md 
@@ -66,13 +66,15 @@ See [MAINTAINERS.md](https://github.com/headlamp-k8s/headlamp/blob/main/MAINTAIN ### Headlamp Configuration -| Key | Type | Default | Description | -|---------------------------|--------|-----------------------|--------------------------------------------| -| config.baseURL | string | `""` | base url path at which headlamp should run | -| config.oidc.clientID | string | `""` | OIDC client ID | -| config.oidc.clientSecret | string | `""` | OIDC client secret | -| config.oidc.issuerURL | string | `""` | OIDC issuer URL | -| config.oidc.scopes | string | `""` | OIDC scopes to be used | -| config.oidc.secret.create | bool | `true` | Enable this option to have the chart automatically create the OIDC secret using the specified values. | -| config.oidc.secret.name | string | `oidc` | Name of the OIDC secret used by headlamp | -| config.pluginsDir | string | `"/headlamp/plugins"` | directory to look for plugins | +| Key | Type | Default | Description | +|------------------------------------|--------|-----------------------|-------------------------------------------------------------------------------------------------------| +| config.baseURL | string | `""` | base url path at which headlamp should run | +| config.oidc.clientID | string | `""` | OIDC client ID | +| config.oidc.clientSecret | string | `""` | OIDC client secret | +| config.oidc.issuerURL | string | `""` | OIDC issuer URL | +| config.oidc.scopes | string | `""` | OIDC scopes to be used | +| config.oidc.secret.create | bool | `true` | Enable this option to have the chart automatically create the OIDC secret using the specified values. | +| config.oidc.secret.name | string | `oidc` | Name of the OIDC secret used by headlamp | +| config.oidc.externalSecret.enabled | bool | `false` | Enable this option if you want to use an external secret for OIDC configuration. | +| config.oidc.externalSecret.name | string | `""` | Name of the external OIDC secret to be used by headlamp. 
| +| config.pluginsDir | string | `"/headlamp/plugins"` | directory to look for plugins | diff --git a/charts/headlamp/templates/deployment.yaml b/charts/headlamp/templates/deployment.yaml index f83c35dfba..406383535a 100644 --- a/charts/headlamp/templates/deployment.yaml +++ b/charts/headlamp/templates/deployment.yaml 
@@ -37,35 +37,57 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} {{ if or .Values.config.oidc .Values.env }} env: - {{- with .Values.config.oidc }} - {{- if or .clientID (not .secret.create) }} + {{- if .Values.config.oidc.secret.create }} + {{- if .Values.config.oidc.clientID }} - name: OIDC_CLIENT_ID valueFrom: secretKeyRef: - name: {{ .secret.name }} + name: {{ .Values.config.oidc.secret.name }} key: clientID {{- end }} - {{- if or .clientSecret (not .secret.create) }} + {{- if .Values.config.oidc.clientSecret }} - name: OIDC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ .secret.name }} + name: {{ .Values.config.oidc.secret.name }} key: clientSecret {{- end }} - {{- if or .issuerURL (not .secret.create) }} + {{- if .Values.config.oidc.issuerURL }} - name: OIDC_ISSUER_URL valueFrom: secretKeyRef: - name: {{ .secret.name }} + name: {{ .Values.config.oidc.secret.name }} key: issuerURL {{- end }} - {{- if or .scopes (not .secret.create) }} + {{- if .Values.config.oidc.scopes }} - name: OIDC_SCOPES valueFrom: secretKeyRef: - name: {{ .secret.name }} + name: {{ .Values.config.oidc.secret.name }} key: scopes {{- end }} + {{- else if .Values.config.oidc.externalSecret.enabled }} + # Check if externalSecret is enabled + envFrom: + - secretRef: + name: {{ .Values.config.oidc.externalSecret.name }} + {{- else }} + {{- if .Values.config.oidc.clientID }} + - name: OIDC_CLIENT_ID + value: {{ .Values.config.oidc.clientID }} + {{- end }} + {{- if .Values.config.oidc.clientSecret }} + - name: OIDC_CLIENT_SECRET + value: {{ .Values.config.oidc.clientSecret }} + {{- end }} + {{- if .Values.config.oidc.issuerURL }} + - name: OIDC_ISSUER_URL + value: {{ .Values.config.oidc.issuerURL }} + {{- end }} + {{- if .Values.config.oidc.scopes }} + - name: OIDC_SCOPES + value: {{ .Values.config.oidc.scopes }} + {{- end }} {{- end }} {{- if .Values.env }} {{- toYaml .Values.env | nindent 12 }} 
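Review bot: The new `else` branch (secret.create false, externalSecret disabled) renders `clientSecret` as a plain `value:` in the Deployment, so the OIDC client secret now sits in the pod spec and in the Helm release record, where before it was only ever read through a `secretKeyRef`; the values are also unquoted, so a secret containing `: ` or `#` breaks the rendered YAML. That branch also drops the previous behaviour of `secret.create: false` reading the pre-existing Secret named `secret.name`, which is still what the values.yaml "Option 1" comment in this same commit describes. In the externalSecret branch `envFrom:` is emitted after the already-open `env:` key, so any `.Values.env` entries appended further down presumably land under `envFrom` rather than `env` (the rendered indentation is not visible here, so verify with `helm template`). I would emit `envFrom` before `env:`, quote the secret name, and keep the secretKeyRef form for the non-external path; the enclosing `{{ if or .Values.config.oidc .Values.env }}` is closed outside this hunk.
```yaml
          {{ if or .Values.config.oidc .Values.env }}
          {{- if .Values.config.oidc.externalSecret.enabled }}
          envFrom:
          - secretRef:
              name: {{ .Values.config.oidc.externalSecret.name | quote }}
          {{- end }}
          env:
          {{- if not .Values.config.oidc.externalSecret.enabled }}
          {{- with .Values.config.oidc }}
          {{- if or .clientID (not .secret.create) }}
          - name: OIDC_CLIENT_ID
            valueFrom:
              secretKeyRef:
                name: {{ .secret.name }}
                key: clientID
          {{- end }}
          # … unchanged: OIDC_CLIENT_SECRET, OIDC_ISSUER_URL and OIDC_SCOPES in the same secretKeyRef form …
          {{- end }}
          {{- end }}
          {{- if .Values.env }}
```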
@@ -76,16 +98,27 @@ spec: {{- with .Values.config.pluginsDir}} - "-plugins-dir={{ . }}" {{- end }} - {{- if or .Values.config.oidc.clientID (not .Values.config.oidc.secret.create) }} + {{- if or (and .Values.config.oidc.clientID (not .Values.config.oidc.secret.create)) (and .Values.config.oidc.secret.create (ne .Values.config.oidc.clientID "")) }} + # Check if clientID is set and secret.create is false, or if secret.create is true and clientID is not an empty string - "-oidc-client-id=$(OIDC_CLIENT_ID)" {{- end }} - {{- if or .Values.config.oidc.clientSecret (not .Values.config.oidc.secret.create) }} + {{- if or (and .Values.config.oidc.clientSecret (not .Values.config.oidc.secret.create)) (and .Values.config.oidc.secret.create (ne .Values.config.oidc.clientSecret "")) }} + # Check if clientSecret is set and secret.create is false, or if secret.create is true and clientSecret is not an empty string - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)" {{- end }} - {{- if or .Values.config.oidc.issuerURL (not .Values.config.oidc.secret.create) }} + {{- if or (and .Values.config.oidc.issuerURL (not .Values.config.oidc.secret.create)) (and .Values.config.oidc.secret.create (ne .Values.config.oidc.issuerURL "")) }} + # Check if issuerURL is set and secret.create is false, or if secret.create is true and issuerURL is not an empty string - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)" {{- end }} - {{- if or .Values.config.oidc.scopes (not .Values.config.oidc.secret.create) }} + {{- if or (and .Values.config.oidc.scopes (not .Values.config.oidc.secret.create)) (and .Values.config.oidc.secret.create (ne .Values.config.oidc.scopes "")) }} + # Check if scopes are set and secret.create is false, or if secret.create is true and scopes are not an empty string + - "-oidc-scopes=$(OIDC_SCOPES)" + {{- end }} + {{- if .Values.config.oidc.externalSecret.enabled }} + # Check if externalSecret is enabled + - "-oidc-client-id=$(OIDC_CLIENT_ID)" + - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)" + - 
"-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)" - "-oidc-scopes=$(OIDC_SCOPES)" {{- end }} {{- with .Values.config.baseURL }} diff --git a/charts/headlamp/values.yaml b/charts/headlamp/values.yaml index 1e27d8bb2e..3e232ccc31 100644 --- a/charts/headlamp/values.yaml +++ b/charts/headlamp/values.yaml @@ -29,11 +29,34 @@ config: # -- base url path at which headlamp should run baseURL: "" oidc: + # Option 1: + # @param config.oidc.secret - OIDC secret configuration + # If you want to use an existing secret, set create to false and provide the name of the secret. + # If you want to create a new secret, set create to true and provide the name of the secret. + # Also provide the values for clientID, clientSecret, issuerURL, and scopes. + # Example: + # config: + # oidc: + # secret: + # create: true + # name: oidc secret: # -- Generate OIDC secret. If true, will generate a secret using .config.oidc. create: true # -- Name of the OIDC secret. name: oidc + + # Option 2: + # @param config.oidc - OIDC env configuration + # If you want to set the OIDC configuration directly, set the following values. + # Example: + # config: + # oidc: + # clientID: "clientID" + # clientSecret: "clientSecret" + # issuerURL: "issuerURL" + # scopes: "scopes" + # -- OIDC client ID clientID: "" # -- OIDC client secret @@ -42,6 +65,22 @@ config: issuerURL: "" # -- OIDC scopes to be used scopes: "" + + # Option 3: + # @param config.oidc - External OIDC secret configuration + # If you want to use an external secret for OIDC configuration, enable this option. + # Provide the name of the secret to use. + # Example: + # config: + # oidc: + # secret: + # create: false + # externalSecret: + # enabled: true + # name: oidc + externalSecret: + enabled: false + name: "" # -- directory to look for plugins pluginsDir: "/headlamp/plugins"