charts: Provide 3 options for oidc configuration

Now users have 3 different way they can set oidc configuration - Directly set values of respective config.oidc.clientID and others which inject them into ENV variable, to be used by args. - Use external i.e. already created secret with the same keys as args. - Use config.oidc.secret.create functionality to create secret and have them dynamically loaded into the headlamp deployment. Fixes: #1897 Signed-off-by: Kautilya Tripathi <ktripathi@microsoft.com>
headlamp-k8s · May 20, 2024 · f7bf857 · f7bf857
1 parent 45b8420
commit f7bf857
Show file tree

Hide file tree

Showing 11 changed files with 533 additions and 29 deletions.
diff --git a/charts/headlamp/README.md b/charts/headlamp/README.md
@@ -67,14 +67,15 @@ See [MAINTAINERS.md](https://github.com/headlamp-k8s/headlamp/blob/main/MAINTAIN
 
 ### Headlamp Configuration
 
-| Key                       | Type   | Default               | Description                                                                                           |
-|---------------------------|--------|-----------------------|-------------------------------------------------------------------------------------------------------|
-| config.baseURL            | string | `""`                  | base url path at which headlamp should run                                                            |
-| config.extraArgs          | object | `{}`                  | Extra arguments that can be given to the headlamp container                                           |
-| config.oidc.clientID      | string | `""`                  | OIDC client ID                                                                                        |
-| config.oidc.clientSecret  | string | `""`                  | OIDC client secret                                                                                    |
-| config.oidc.issuerURL     | string | `""`                  | OIDC issuer URL                                                                                       |
-| config.oidc.scopes        | string | `""`                  | OIDC scopes to be used                                                                                |
-| config.oidc.secret.create | bool   | `true`                | Enable this option to have the chart automatically create the OIDC secret using the specified values. |
-| config.oidc.secret.name   | string | `oidc`                | Name of the OIDC secret used by headlamp                                                              |
-| config.pluginsDir         | string | `"/headlamp/plugins"` | directory to look for plugins                                                                         |
+| Key                                | Type   | Default               | Description                                                                                           |
+|------------------------------------|--------|-----------------------|-------------------------------------------------------------------------------------------------------|
+| config.baseURL                     | string | `""`                  | base url path at which headlamp should run                                                            |
+| config.oidc.clientID               | string | `""`                  | OIDC client ID                                                                                        |
+| config.oidc.clientSecret           | string | `""`                  | OIDC client secret                                                                                    |
+| config.oidc.issuerURL              | string | `""`                  | OIDC issuer URL                                                                                       |
+| config.oidc.scopes                 | string | `""`                  | OIDC scopes to be used                                                                                |
+| config.oidc.secret.create          | bool   | `true`                | Enable this option to have the chart automatically create the OIDC secret using the specified values. |
+| config.oidc.secret.name            | string | `oidc`                | Name of the OIDC secret used by headlamp                                                              |
+| config.oidc.externalSecret.enabled | bool   | `false`               | Enable this option if you want to use an external secret for OIDC configuration.                      |
+| config.oidc.externalSecret.name    | string | `""`                  | Name of the external OIDC secret to be used by headlamp.                                              |
+| config.pluginsDir                  | string | `"/headlamp/plugins"` | directory to look for plugins                                                                         |
diff --git a/charts/headlamp/templates/deployment.yaml b/charts/headlamp/templates/deployment.yaml
@@ -37,35 +37,57 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           {{ if or .Values.config.oidc .Values.env }}
           env:
-            {{- with .Values.config.oidc }}
-            {{- if or .clientID (not .secret.create) }}
+            {{- if .Values.config.oidc.secret.create }}
+            {{- if .Values.config.oidc.clientID }}
             - name: OIDC_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: {{ .secret.name }}
+                  name: {{ .Values.config.oidc.secret.name }}
                   key: clientID
             {{- end }}
-            {{- if or .clientSecret (not .secret.create) }}
+            {{- if .Values.config.oidc.clientSecret }}
             - name: OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: {{ .secret.name }}
+                  name: {{ .Values.config.oidc.secret.name }}
                   key: clientSecret
             {{- end }}
-            {{- if or .issuerURL (not .secret.create) }}
+            {{- if .Values.config.oidc.issuerURL }}
             - name: OIDC_ISSUER_URL
               valueFrom:
                 secretKeyRef:
-                  name: {{ .secret.name }}
+                  name: {{ .Values.config.oidc.secret.name }}
                   key: issuerURL
             {{- end }}
-            {{- if or .scopes (not .secret.create) }}
+            {{- if .Values.config.oidc.scopes }}
             - name: OIDC_SCOPES
               valueFrom:
                 secretKeyRef:
-                  name: {{ .secret.name }}
+                  name: {{ .Values.config.oidc.secret.name }}
                   key: scopes
             {{- end }}
+            {{- else if .Values.config.oidc.externalSecret.enabled }}
+            # Check if externalSecret is enabled
+            envFrom:
+            - secretRef:
+                name: {{ .Values.config.oidc.externalSecret.name }}
+            {{- else }}
+            {{- if .Values.config.oidc.clientID }}
+            - name: OIDC_CLIENT_ID
+              value: {{ .Values.config.oidc.clientID }}
+            {{- end }}
+            {{- if .Values.config.oidc.clientSecret }}
+            - name: OIDC_CLIENT_SECRET
+              value: {{ .Values.config.oidc.clientSecret }}
+            {{- end }}
+            {{- if .Values.config.oidc.issuerURL }}
+            - name: OIDC_ISSUER_URL
+              value: {{ .Values.config.oidc.issuerURL }}
+            {{- end }}
+            {{- if .Values.config.oidc.scopes }}
+            - name: OIDC_SCOPES
+              value: {{ .Values.config.oidc.scopes }}
+            {{- end }}
             {{- end }}
             {{- if .Values.env }}
             {{- toYaml .Values.env | nindent 12 }}
@@ -76,16 +98,27 @@ spec:
             {{- with .Values.config.pluginsDir}}
             - "-plugins-dir={{ . }}"
             {{- end }}
-            {{- if or .Values.config.oidc.clientID (not .Values.config.oidc.secret.create) }}
+            {{- if or (and .Values.config.oidc.clientID (not .Values.config.oidc.secret.create)) (and .Values.config.oidc.secret.create (ne .Values.config.oidc.clientID "")) }}
+            # Check if clientID is set and secret.create is false, or if secret.create is true and clientID is not an empty string
             - "-oidc-client-id=$(OIDC_CLIENT_ID)"
             {{- end }}
-            {{- if or .Values.config.oidc.clientSecret (not .Values.config.oidc.secret.create) }}
+            {{- if or (and .Values.config.oidc.clientSecret (not .Values.config.oidc.secret.create)) (and .Values.config.oidc.secret.create (ne .Values.config.oidc.clientSecret "")) }}
+            # Check if clientSecret is set and secret.create is false, or if secret.create is true and clientSecret is not an empty string
             - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
             {{- end }}
-            {{- if or .Values.config.oidc.issuerURL (not .Values.config.oidc.secret.create) }}
+            {{- if or (and .Values.config.oidc.issuerURL (not .Values.config.oidc.secret.create)) (and .Values.config.oidc.secret.create (ne .Values.config.oidc.issuerURL "")) }}
+            # Check if issuerURL is set and secret.create is false, or if secret.create is true and issuerURL is not an empty string
             - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
             {{- end }}
-            {{- if or .Values.config.oidc.scopes (not .Values.config.oidc.secret.create) }}
+            {{- if or (and .Values.config.oidc.scopes (not .Values.config.oidc.secret.create)) (and .Values.config.oidc.secret.create (ne .Values.config.oidc.scopes "")) }}
+            # Check if scopes are set and secret.create is false, or if secret.create is true and scopes are not an empty string
+            - "-oidc-scopes=$(OIDC_SCOPES)"
+            {{- end }}
+            {{- if .Values.config.oidc.externalSecret.enabled }}
+            # Check if externalSecret is enabled
+            - "-oidc-client-id=$(OIDC_CLIENT_ID)"
+            - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
+            - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
             - "-oidc-scopes=$(OIDC_SCOPES)"
             {{- end }}
             {{- with .Values.config.baseURL }}

diff --git a/charts/headlamp/tests/expected_templates/oidc-create-secret.yaml b/charts/headlamp/tests/expected_templates/oidc-create-secret.yaml
@@ -0,0 +1,149 @@
+---
+# Source: headlamp/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: headlamp
+  labels:
+    helm.sh/chart: headlamp-0.21.0
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+    app.kubernetes.io/version: "0.23.2"
+    app.kubernetes.io/managed-by: Helm
+---
+# Source: headlamp/templates/secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: oidc
+type: Opaque
+data:
+  clientID: "dGVzdENsaWVudElk"
+  clientSecret: "dGVzdENsaWVudFNlY3JldA=="
+  issuerURL: "dGVzdElzc3VlclVSTA=="
+  scopes: "dGVzdFNjb3Bl"
+---
+# Source: headlamp/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: headlamp-admin
+  labels:
+    helm.sh/chart: headlamp-0.21.0
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+    app.kubernetes.io/version: "0.23.2"
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: headlamp
+  namespace: default
+---
+# Source: headlamp/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: headlamp
+  labels:
+    helm.sh/chart: headlamp-0.21.0
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+    app.kubernetes.io/version: "0.23.2"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+---
+# Source: headlamp/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: headlamp
+  labels:
+    helm.sh/chart: headlamp-0.21.0
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+    app.kubernetes.io/version: "0.23.2"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: headlamp
+      app.kubernetes.io/instance: headlamp
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: headlamp
+        app.kubernetes.io/instance: headlamp
+    spec:
+      serviceAccountName: headlamp
+      securityContext:
+        {}
+      containers:
+        - name: headlamp
+          securityContext:
+            privileged: false
+            runAsGroup: 101
+            runAsNonRoot: true
+            runAsUser: 100
+          image: "ghcr.io/headlamp-k8s/headlamp:v0.23.2"
+          imagePullPolicy: IfNotPresent
+
+          env:
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oidc
+                  key: clientID
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oidc
+                  key: clientSecret
+            - name: OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: oidc
+                  key: issuerURL
+            - name: OIDC_SCOPES
+              valueFrom:
+                secretKeyRef:
+                  name: oidc
+                  key: scopes
+          args:
+            - "-in-cluster"
+            - "-plugins-dir=/headlamp/plugins"
+            # Check if clientID is set and secret.create is false, or if secret.create is true and clientID is not an empty string
+            - "-oidc-client-id=$(OIDC_CLIENT_ID)"
+            # Check if clientSecret is set and secret.create is false, or if secret.create is true and clientSecret is not an empty string
+            - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
+            # Check if issuerURL is set and secret.create is false, or if secret.create is true and issuerURL is not an empty string
+            - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
+            # Check if scopes are set and secret.create is false, or if secret.create is true and scopes are not an empty string
+            - "-oidc-scopes=$(OIDC_SCOPES)"
+          ports:
+            - name: http
+              containerPort: 4466
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: "/"
+              port: http
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: http
+          resources:
+            {}