Skip to content

Commit

Permalink
Add docs for superuser flow
Browse files Browse the repository at this point in the history
  • Loading branch information
yiannistri committed Feb 22, 2022
1 parent 4578bd9 commit 6059053
Showing 1 changed file with 49 additions and 5 deletions.
54 changes: 49 additions & 5 deletions website/docs/gitops-dashboard.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,22 +33,32 @@ Applications being managed by Weave GitOps are displayed in a list. Clicking the
- Information from Flux regarding the state of the reconciliation
- A list of the 10 most recent commits to the source git repository helping you to verify which change has been applied to the cluster. This includes a hyperlink back to your git provider for each commit.

## Securing the dashboard using OIDC and Kubernetes RBAC
## Dashboard Login

:::note WORK IN PROGRESS
The following instructions describe a feature that is being actively developed and is therefore behind a feature toggle. To enable this feature, set the following OS environment variable:
There are 2 supported methods for logging in to the dashboard:
- Login via an OIDC provider
- Login via the superuser account

The recommended approach is to integrate with an OIDC provider, as this will let you control permissions for your platform users and groups using standard Kubernetes RBAC. However, it is also possible to use a superuser account to login, if an OIDC provider is not available to use.

:::note FEATURE TOGGLE
The following instructions describe a feature that is behind a feature toggle. To enable this feature, set the following OS environment variable:
```sh
export WEAVE_GITOPS_AUTH_ENABLED=true
```
:::

### Login via an OIDC provider

#### Securing the dashboard using OIDC and Kubernetes RBAC

You may decide to host the dashboard centrally to allow for your engineering teams to access it in order to manage their workloads. In this case, you will want to secure access to the dashboard and restrict who can interact with it. Weave GitOps integrates with your OIDC provider and uses standard Kubernetes RBAC to give you fine-grained control of the permissions for the dashboard users.

### Background
#### Background

OIDC extends the OAuth2 authorization protocol by including an additional field (ID Token) that contains information (claims) about a user's identity. After a user successfully authenticates with the OIDC provider, this information is used by Weave GitOps to impersonate the user in any calls to the Kubernetes API. This allows cluster administrators to use RBAC rules to control access to the cluster and also the dashboard.

### Configuration
#### Configuration

After enabling the feature, `gitops ui run` will require the following additional parameters:

Expand Down Expand Up @@ -128,5 +138,39 @@ The table below contains all the permissions that the dashboard uses:
| `secrets` | | `get` | Required to read deploy key secret in order to retrieve the list of commits |
| `customresourcedefinitions` | `apiextensions.k8s.io` | `get` | Required to read custom resources of type `apps.wego.weave.works` when adding an application |

### Login via the superuser account

Before you login via the superuser account, you need to generate a bcrypt hash for your chosen password and store it as a secret in Kubernetes. There are several different ways to generate a bcrypt hash, this guide uses an Alpine Docker image to generate one:

Run an Alpine Docker image interactively and supply the password of your choice as an environment variable:

```sh
docker run -e CLEAR_PASSWORD="super secret password" -it alpine
```

Once inside the shell environment of the Alpine image, install the bcrypt library dependencies as well as the bcrypt library itself:

```sh
# apk add --update musl-dev gcc libffi-dev python3 python3-dev py3-pip
# pip install bcrypt
```

Run the following Python script to generate a hash:

```sh
# python3 -c 'import bcrypt, os; print(bcrypt.hashpw(os.getenv("CLEAR_PASSWORD").encode(), bcrypt.gensalt()))'
b'$2b$12$nLfl7lKBiYzgAN2aI3ii6exZSZ9KRsj18C7CEWY8kscj9.c6bRXim'
```

Now create a Kubernetes secret to store the password hash:

```sh
kubectl create secret generic admin-password-hash \
--namespace wego-system \
--from-literal="password=$2b$12$nLfl7lKBiYzgAN2aI3ii6exZSZ9KRsj18C7CEWY8kscj9.c6bRXim"
```

You should now be able to login via the superuser account using your chosen password.

## Future development
The GitOps Dashboard is under active development, watch this space for exciting new features.

0 comments on commit 6059053

Please sign in to comment.