From fdef87e3b9bfc74262d77994b3fb74325b397087 Mon Sep 17 00:00:00 2001
From: Yu Inoue <34591767+eternity1984@users.noreply.github.com>
Date: Mon, 20 Nov 2023 22:16:19 +0900
Subject: [PATCH] fix: Add support for OIDC configuration thru Helm (#550)
Closes #548
---
 charts/planka/Chart.yaml | 2 +-
 charts/planka/templates/deployment.yaml | 27 ++++++++++
 charts/planka/templates/secret-oidc.yaml | 17 +++++++
 charts/planka/values.yaml | 65 ++++++++++++++++++++++++
 4 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 charts/planka/templates/secret-oidc.yaml
diff --git a/charts/planka/Chart.yaml b/charts/planka/Chart.yaml
index 03358308..615e3593 100644
--- a/charts/planka/Chart.yaml
+++ b/charts/planka/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.10
+version: 0.1.11
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/planka/templates/deployment.yaml b/charts/planka/templates/deployment.yaml
index dd79eb2f..06d56b96 100644
--- a/charts/planka/templates/deployment.yaml
+++ b/charts/planka/templates/deployment.yaml
@@ -87,6 +87,33 @@ spec:
 - name: {{ $k | quote }}
 value: {{ $v | quote }}
 {{- end }}
+ {{- if .Values.oidc.enabled }}
+ {{- $secretName := default (printf "%s-oidc" (include "planka.fullname" .)) .Values.oidc.existingSecret }}
+ - name: OIDC_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ key: clientId
+ name: {{ $secretName }}
+ - name: OIDC_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: clientSecret
+ name: {{ $secretName }}
+ - name: OIDC_ISSUER
+ value: {{ required "issuerUrl is required when configuring OIDC" .Values.oidc.issuerUrl | quote }}
+ - name: OIDC_SCOPES
+ value: {{ join " " .Values.oidc.scopes | default "openid profile email" | quote }}
+ {{- if .Values.oidc.admin.roles }}
+ - name: OIDC_ADMIN_ROLES
+ value: {{ join "," .Values.oidc.admin.roles | quote }}
+ {{- end }}
+ - name: OIDC_ROLES_ATTRIBUTE
+ value: {{ .Values.oidc.admin.rolesAttribute | default "groups" | quote }}
+ {{- if .Values.oidc.admin.ignoreRoles }}
+ - name: OIDC_IGNORE_ROLES
+ value: {{ .Values.oidc.admin.ignoreRoles | quote }}
+ {{- end }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/planka/templates/secret-oidc.yaml b/charts/planka/templates/secret-oidc.yaml
new file mode 100644
index 00000000..7d5293b6
--- /dev/null
+++ b/charts/planka/templates/secret-oidc.yaml
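Review bot: Rotating the credential does not reach running pods: `OIDC_CLIENT_SECRET` is injected through `secretKeyRef`, which is resolved only when the container starts, so changing `oidc.clientSecret` (or the contents of `existingSecret`) on upgrade updates the Secret but leaves the pod template byte-identical and no rollout happens until something else restarts the pods. The usual mitigation is a pod-template annotation such as `checksum/oidc-secret: {{ include (print $.Template.BasePath "/secret-oidc.yaml") . | sha256sum }}`; the pod template metadata and the `env` list this hunk extends both start above the hunk, so that change lands outside it, and an externally managed `existingSecret` still needs an explicit restart. Separately, the default secret name `printf "%s-oidc" (include "planka.fullname" .)` on the second added line is computed independently of the `{{ include "planka.fullname" . }}-oidc` written in secret-oidc.yaml; a shared named helper would keep the two from drifting apart. Quoting `{{ $secretName }}` would also match the `| quote` used on every other value in the block.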
@@ -0,0 +1,17 @@
+{{- if .Values.oidc.enabled }}
+{{- if eq (and (not (empty .Values.oidc.clientId)) (not (empty .Values.oidc.clientSecret))) (not (empty .Values.oidc.existingSecret)) -}}
+ {{- fail "Either specify inline `clientId` and `clientSecret` or refer to them via `existingSecret`" -}}
+{{- end }}
+{{- if (and (and (not (empty .Values.oidc.clientId)) (not (empty .Values.oidc.clientSecret))) (empty .Values.oidc.existingSecret)) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "planka.fullname" . }}-oidc
+ labels:
+ {{- include "planka.labels" . | nindent 4 }}
+type: Opaque
+data:
+ clientId: {{ .Values.oidc.clientId | b64enc | quote }}
+ clientSecret: {{ .Values.oidc.clientSecret | b64enc | quote }}
+{{- end }}
+{{- end }}
diff --git a/charts/planka/values.yaml b/charts/planka/values.yaml
index a5697a7b..04cc5a84 100644
--- a/charts/planka/values.yaml
+++ b/charts/planka/values.yaml
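Review bot: The `eq` on two booleans on the second added line is doing XOR duty — it fails the render both when inline credentials and `existingSecret` are given together and when neither is given — but nothing says so, and the message only describes the first case. A template comment right above it, `{{- /* eq on two booleans is XOR: reject both-set and neither-set */ -}}`, would spare the next reader from working that out, and appending `; one of them is required` to the `fail` message would make the neither-set failure self-explanatory. The `and (and a b) c` nesting on the fifth added line can be flattened because `and` is variadic: `{{- if and (not (empty .Values.oidc.clientId)) (not (empty .Values.oidc.clientSecret)) (empty .Values.oidc.existingSecret) -}}`. Note also that a set `clientId` with an empty `clientSecret` next to a set `existingSecret` passes this check silently, since a partial inline pair counts as "not set" and is then ignored rather than reported.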
@@ -113,3 +113,68 @@ persistence:
 accessMode: ReadWriteOnce
 size: 10Gi
+
+ ## OpenID Identity Management configuration
+ ##
+ ## Example:
+ ## ---------------
+ ## oidc:
+ ## enabled: true
+ ## clientId: sxxaAIAxVXlCxTmc1YLHBbQr8NL8MqLI2DUbt42d
+ ## clientSecret: om4RTMRVHRszU7bqxB7RZNkHIzA8e4sGYWxeCwIMYQXPwEBWe4SY5a0wwCe9ltB3zrq5f0dnFnp34cEHD7QSMHsKvV9AiV5Z7eqDraMnv0I8IFivmuV5wovAECAYreSI
+ ## issuerUrl: https://auth.local/application/o/planka/
+ ## admin:
+ ## roles:
+ ## - planka-admin
+ ##
+ ## ---------------
+ ## NOTE: A minimal configuration requires setting `clientId`, `clientSecret` and `issuerUrl`. (plus `admin.roles` for administrators)
+ ## ref: https://docs.planka.cloud/docs/Configuration/OIDC
+ ##
+ oidc:
+ ## @param oidc.enabled Enable single sign-on (SSO) with OpenID Connect (OIDC)
+ ##
+ enabled: false
+
+ ## OIDC credentials
+ ## @param oidc.clientId A string unique to the provider that identifies your app.
+ ## @param oidc.clientSecret A secret string that the provider uses to confirm ownership of a client ID.
+ ##
+ ## NOTE: Either specify inline `clientId` and `clientSecret` or refer to them via `existingSecret`
+ ##
+ clientId: ""
+ clientSecret: ""
+
+ ## @param oidc.existingSecret Name of an existing secret containing OIDC credentials
+ ## NOTE: Must contain key `clientId` and `clientSecret`
+ ## NOTE: When it's set, the `clientId` and `clientSecret` parameters are ignored
+ ##
+ existingSecret: ""
+
+ ## @param oidc.issuerUrl The OpenID connect metadata document endpoint
+ ##
+ issuerUrl: ""
+
+ ## @param oidc.scopes A list of scopes required for OIDC client.
+ ## If empty will default to `openid`, `profile` and `email`
+ ## NOTE: Planka needs the email and name claims
+ ##
+ scopes: []
+
+ ## Admin permissions configuration
+ admin:
+ ## @param oidc.admin.ignoreRoles If set to true, the admin roles will be ignored.
+ ## It is useful if you want to use OIDC for authentication but not for authorization.
+ ## If empty will default to `false`
+ ##
+ ignoreRoles: false
+
+ ## @param oidc.admin.rolesAttribute The name of a custom group claim that you have configured in your OIDC provider
+ ## If empty will default to `groups`
+ ##
+ rolesAttribute: groups
+
+ ## @param oidc.admin.roles The names of the admin groups
+ ##
+ roles: []
+ # - planka-admin
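Review bot: The `existingSecret` note that says the inline `clientId` and `clientSecret` parameters are "ignored" when it is set contradicts the chart: secret-oidc.yaml in this same patch calls `fail` when both inline credentials and `existingSecret` are present, so they are rejected, not ignored. Replacing it with a line of the form `## NOTE: When it's set, leave clientId and clientSecret empty; setting both fails the render` (keeping the file's backtick style for parameter names) would describe the actual behaviour, and `Must contain key` on the line above it should read `Must contain the keys`. The example block at the top of the hunk also shows a realistic-looking `clientSecret`; an obvious placeholder such as `<client-secret>` reads better in a committed values file and is less likely to be pasted as-is.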