Improve wording and semantics for external oauth proxy support. (#1945)

* Improve wording and semantics for external oauth proxy support. * Switch to use authProxy.external as per review.
vmware-tanzu · Aug 19, 2020 · bcecc87 · bcecc87
1 parent 1312971
commit bcecc87
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 17 deletions.
diff --git a/chart/kubeapps/templates/dashboard-config.yaml b/chart/kubeapps/templates/dashboard-config.yaml
@@ -41,7 +41,7 @@ data:
     {
       "namespace": "{{ .Release.Namespace }}",
       "appVersion": "{{ .Chart.AppVersion }}",
-      "authProxyEnabled": {{ or .Values.authProxy.enabled .Values.authProxy.externallyEnabled }},
+      "authProxyEnabled": {{ .Values.authProxy.enabled }},
       "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
       "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},
       "featureFlags": {{ .Values.featureFlags | toJson }},

diff --git a/chart/kubeapps/templates/kubeapps-frontend-deployment.yaml b/chart/kubeapps/templates/kubeapps-frontend-deployment.yaml
@@ -54,7 +54,7 @@ spec:
           {{- if .Values.frontend.resources }}
           resources: {{- toYaml .Values.frontend.resources | nindent 12 }}
           {{- end }}
-        {{- if .Values.authProxy.enabled }}
+        {{- if and .Values.authProxy.enabled (not .Values.authProxy.external) }}
         - name: auth-proxy
           args:
             - --provider={{ required "You must fill \".Values.authProxy.provider\" with the provider. Valid values at https://pusher.github.io/oauth2_proxy/auth-configuration" .Values.authProxy.provider }}
@@ -83,10 +83,9 @@ spec:
           {{- if .Values.authProxy.resources }}
           resources: {{- toYaml .Values.authProxy.resources | nindent 12 }}
           {{- end }}
-        {{- else }}
-          {{- if and .Values.clusters (not .Values.authProxy.externallyEnabled) }}
-            {{ fail "clusters can be configured only when using an auth proxy for cluster oidc authentication."}}
-          {{ end -}}
+        {{- end }}
+        {{- if and (gt (len .Values.clusters) 0) (not .Values.authProxy.enabled) }}
+          {{ fail "clusters can be configured only when using an auth proxy for cluster oidc authentication."}}
         {{- end }}
       volumes:
         - name: vhost

diff --git a/chart/kubeapps/values.yaml b/chart/kubeapps/values.yaml
@@ -654,14 +654,25 @@ testImage:
   repository: bitnami/nginx
   tag: 1.19.1-debian-10-r16
 
-# Auth Proxy for OIDC support
+# Auth Proxy configuration for OIDC support
 # ref: https://github.com/kubeapps/kubeapps/blob/master/docs/user/using-an-OIDC-provider.md
 authProxy:
-  # Set to true to enable the OIDC proxy
+  ## Set to true if Kubeapps should configure the OAuth login/logout URIs defined below.
+  #
   enabled: false
-  # Set to true if an external auth proxy is setup to provide cookie authentication
-  # at the oauthLoginURI and oauthLogoutURI values below.
-  externallyEnabled: false
+  ## When authProxy.enabled is true, by default Kubeapps will deploy its own
+  ## auth-proxy service as part of the Kubeapps frontend. Set external to true
+  ## if you are configuring your own auth proxy service external to Kubeapps
+  ## and therefore don't want Kubeapps to deploy its own auth-proxy.
+  #
+  external: false
+  ## Overridable flags for OAuth URIs to which the Kubeapps frontend redirects for authn.
+  ## Useful when serving Kubeapps under a sub path or using an external auth proxy.
+  ##
+  oauthLoginURI: /oauth2/start
+  oauthLogoutURI: /oauth2/sign_out
+  ## The remaining auth proxy values are relevant only if an internal auth-proxy is
+  ## being configured by Kubeapps.
   ## Bitnami OAuth2 Proxy image
   ## ref: https://hub.docker.com/r/bitnami/oauth2-proxy/tags/
   ##
@@ -674,7 +685,7 @@ authProxy:
     ##
     pullPolicy: IfNotPresent
 
-  ## Mandatory parameters
+  ## Mandatory parameters for the internal auth-proxy.
   ##
   provider: ""
   clientID: ""
@@ -697,11 +708,6 @@ authProxy:
   ## OAuth2 Proxy containers' resource requests and limits
   ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
   ##
-  ## Overridable flags for OAuth URIs that Kubeapps uses, useful when serving
-  ## Kubeapps under a sub path
-  oauthLoginURI: /oauth2/start
-  oauthLogoutURI: /oauth2/sign_out
-  ##
   resources:
     ## Default values set based on usage data from running Kubeapps instances
     ## ref: https://github.com/kubeapps/kubeapps/issues/478#issuecomment-422979262
@@ -712,6 +718,7 @@ authProxy:
     requests:
       cpu: 25m
       memory: 32Mi
+
 ## Feature flags
 ## These are used to switch on in development features or new features which are ready to be released.
 featureFlags: