From 045a8bb574e18a57f362c18016a5fe8685023712 Mon Sep 17 00:00:00 2001
From: Erki Aas
Date: Tue, 27 Jun 2023 14:01:44 +0300
Subject: [PATCH 1/2] oidc: add oidc-gateway manifests
---
 oidc-gateway/crds.yml | 276 ++++++++++++++++++++++++++++++++++++
 oidc-gateway/deployment.yml | 157 ++++++++++++++++++++
 oidc-gateway/rbac.yml | 59 ++++++++
 oidc-gateway/texts.yml | 65 +++++++++
 4 files changed, 557 insertions(+)
 create mode 100644 oidc-gateway/crds.yml
 create mode 100644 oidc-gateway/deployment.yml
 create mode 100644 oidc-gateway/rbac.yml
 create mode 100644 oidc-gateway/texts.yml
diff --git a/oidc-gateway/crds.yml b/oidc-gateway/crds.yml
new file mode 100644
index 0000000..67008c4
--- /dev/null
+++ b/oidc-gateway/crds.yml
@@ -0,0 +1,276 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: oidcgatewayusers.codemowers.io
+spec:
+ group: codemowers.io
+ names:
+ plural: oidcgatewayusers
+ singular: oidcgatewayuser
+ kind: OIDCGWUser
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ subresources:
+ status: { }
+ schema:
+ openAPIV3Schema:
+ required:
+ - spec
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ email:
+ type: string
+ customGroups:
+ type: array
+ items:
+ type: object
+ properties:
+ prefix:
+ type: string
+ name:
+ type: string
+ customProfile:
+ type: object
+ properties:
+ name:
+ type: string
+ company:
+ type: string
+ githubEmails:
+ type: array
+ items:
+ type: object
+ properties:
+ email:
+ type: string
+ primary:
+ type: boolean
+ default: false
+ githubGroups:
+ type: array
+ items:
+ type: object
+ properties:
+ prefix:
+ type: string
+ enum: [ 'github.com' ]
+ name:
+ type: string
+ githubProfile:
+ type: object
+ properties:
+ name:
+ type: string
+ company:
+ type: string
+ id:
+ type: integer
+ login:
+ type: string
+ slackId:
+ type: string
+ status:
+ type: object
+ properties:
+ primaryEmail:
+ type: string
+ emails:
+ type: array
+ items:
+ type: string
+ groups:
+ type: array
+ items:
+ type: object
+ properties:
+ prefix:
+ type: string
+ name:
+ type: string
+ profile:
+ type: object
+ properties:
+ name:
+ type: string
+ company:
+ type: string
+ slackId:
+ type: string
+ conditions:
+ type: array
+ items:
+ type: object
+ x-kubernetes-embedded-resource: true
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Name
+ type: string
+ jsonPath: .status.profile.name
+ - name: Emails
+ type: string
+ jsonPath: .status.emails
+ - name: Groups
+ type: string
+ jsonPath: .status.groups
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: oidcgatewayclients.codemowers.io
+spec:
+ group: codemowers.io
+ names:
+ plural: oidcgatewayclients
+ singular: oidcgatewayclient
+ kind: OIDCGWClient
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ subresources:
+ status: { }
+ schema:
+ openAPIV3Schema:
+ required:
+ - spec
+ type: object
+ properties:
+ spec:
+ type: object
+ required:
+ - redirectUris # TODO: add validation
+ - grantTypes
+ - responseTypes
+ properties:
+ uri:
+ type: string
+ displayName:
+ type: string
+ redirectUris:
+ type: array
+ items:
+ type: string
+ grantTypes:
+ type: array
+ items:
+ type: string
+ enum: [ 'implicit', 'authorization_code', 'refresh_token' ]
+ responseTypes:
+ type: array
+ items:
+ type: string
+ enum: [ 'code id_token', 'code', 'id_token', 'none' ]
+ tokenEndpointAuthMethod:
+ type: string
+ enum: [ 'client_secret_basic', 'client_secret_jwt', 'client_secret_post', 'private_key_jwt', 'none' ]
+ idTokenSignedResponseAlg:
+ type: string
+ enum: [ 'PS256','RS256', 'ES256' ]
+ allowedGroups:
+ type: array
+ items:
+ type: string
+ availableScopes:
+ type: array
+ items:
+ type: string
+ enum: [ 'openid', 'profile', 'offline_access' ]
+ default: [ 'openid' ]
+ pkce:
+ type: boolean
+ default: true
+ status:
+ type: object
+ properties:
+ gateway:
+ type: string
+ additionalPrinterColumns:
+ - name: Gateway
+ type: string
+ description: 'OIDC gateway deployment which manages this client'
+ jsonPath: .status.gateway
+ - name: Uris
+ type: string
+ description: 'Redirect URLs configured for this client'
+ jsonPath: .spec.redirectUris
+ - name: Allowed groups
+ type: string
+ description: 'Groups allowed to this client'
+ jsonPath: .spec.allowedGroups
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: oidcgatewaymiddlewareclients.codemowers.io
+spec:
+ group: codemowers.io
+ names:
+ plural: oidcgatewaymiddlewareclients
+ singular: oidcgatewaymiddlewareclient
+ kind: OIDCGWMiddlewareClient
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ subresources:
+ status: { }
+ schema:
+ openAPIV3Schema:
+ required:
+ - spec
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ uri:
+ type: string
+ displayName:
+ type: string
+ allowedGroups:
+ type: array
+ items:
+ type: string
+ headerMapping:
+ type: object
+ default:
+ user: 'Remote-User'
+ name: 'Remote-Name'
+ email: 'Remote-Email'
+ groups: 'Remote-Groups'
+ properties:
+ user:
+ type: string
+ name:
+ type: string
+ email:
+ type: string
+ groups:
+ type: string
+ status:
+ type: object
+ properties:
+ gateway:
+ type: string
+ additionalPrinterColumns:
+ - name: Gateway
+ type: string
+ description: 'OIDC gateway deployment which manages this client'
+ jsonPath: .status.gateway
+ - name: Uri
+ type: string
+ description: 'URL configured for this client'
+ jsonPath: .spec.uri
+ - name: Allowed groups
+ type: string
+ description: 'Groups allowed to this client'
+ jsonPath: .spec.allowedGroups
diff --git a/oidc-gateway/deployment.yml b/oidc-gateway/deployment.yml
new file mode 100644
index 0000000..8d7a18e
--- /dev/null
+++ b/oidc-gateway/deployment.yml
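Review bot: `spec.redirectUris` in the OIDCGWClient schema accepts any string per item, and the only acknowledgement is the `# TODO: add validation` comment placed on the `required` entry rather than on the property itself; redirect-URI validation is the control that keeps authorization codes and tokens from being delivered to an endpoint the client owner did not register, so the items should carry at least `format: uri` and a scheme restriction such as `pattern: '^https://'` before clients can be created in arbitrary namespaces. The `grantTypes` enum also admits `implicit`, which returns tokens in the URL fragment; if no deployed client needs it, removing it from the enum stops it being switched on per client. Separately, the `status.conditions` items set `x-kubernetes-embedded-resource: true`, which makes the API server require `apiVersion`, `kind` and `metadata` on every condition entry; if conditions are ordinary `{type, status, reason, message}` objects, `x-kubernetes-preserve-unknown-fields: true` on its own is presumably what was intended — worth checking against what the controller writes.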
@@ -0,0 +1,157 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: oidc-gateway-default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: oidc-gateway
+subjects:
+ - kind: ServiceAccount
+ name: oidc-gateway
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: oidc-gateway
+---
+apiVersion: codemowers.io/v1alpha1
+kind: KeyDBCluster
+spec:
+ persistent: false
+ replicas: 3
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: oidc-gateway
+ annotations:
+ kubernetes.io/ingress.class: traefik
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+ rules:
+ - host: auth2.k-space.ee
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: oidc-gateway
+ port:
+ number: 3000
+ tls:
+ - hosts:
+ - "*.k-space.ee"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: oidc-gateway
+spec:
+ type: ClusterIP
+ selector:
+ app: oidc-gateway
+ ports:
+ - protocol: TCP
+ port: 3000
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: oidc-key-manager
+spec:
+ template:
+ spec:
+ serviceAccountName: oidc-gateway
+ containers:
+ - name: oidc-key-manager
+ image: codemowers/oidc-gateway
+ command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ]
+ restartPolicy: Never
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oidc-gateway
+ labels:
+ app: oidc-gateway
+spec:
+ selector:
+ matchLabels:
+ app: oidc-gateway
+ replicas: 3
+ template:
+ metadata:
+ labels:
+ app: oidc-gateway
+ spec:
+ serviceAccountName: oidc-gateway
+ containers:
+ - name: oidc-gateway
+ image: codemowers/oidc-gateway
+ ports:
+ - containerPort: 3000
+ env:
+ - name: ISSUER_URL
+ value: 'https://auth2.k-space.ee/'
+ - name: DEPLOYMENT_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.labels['app']
+ - name: GROUP_PREFIX
+ value: 'k-space'
+ - name: ADMIN_GROUP
+ value: 'k-space:admins'
+# - name: REQUIRED_GROUP # allow everyone to authenticate, limit access to services on client level.
+# value: 'codemowers:users'
+ - name: GITHUB_ORGANIZATION # if not set, gateway will add user groups from all organizations that (s)he granted access for.
+ value: 'codemowers'
+ - name: ENROLL_USERS # allow everyone to self-register
+ value: 'true'
+ - name: NAMESPACE_SELECTOR
+ value: '*'
+ - name: PREFERRED_EMAIL_DOMAIN # try to make primary email consistent
+ value: 'k-space.ee'
+ envFrom:
+ - secretRef:
+ name: redis-oidc-gateway-owner-secrets
+ - secretRef:
+ name: oidc-keys
+ - secretRef:
+ name: oidc-gateway-email-credentials
+ - secretRef:
+ name: github-client
+ - secretRef:
+ name: slack-client
+ readinessProbe:
+ httpGet:
+ path: /.well-known/openid-configuration
+ port: 3000
+ httpHeaders:
+ - name: x-forwarded-for # suppress oidc-provider warning
+ value: 'https://auth2.k-space.ee/'
+ - name: x-forwarded-proto # suppress oidc-provider warning
+ value: https
+ initialDelaySeconds: 5
+ periodSeconds: 1
+ volumeMounts:
+ - mountPath: /app/tos
+ name: tos
+ - mountPath: /app/approval
+ name: approval
+ - mountPath: /app/src/views/custom/emails
+ name: email-templates
+ volumes:
+ - name: tos
+ configMap:
+ name: oidc-gateway-tos-v1
+ - name: approval
+ configMap:
+ name: oidc-gateway-approval-required
+ - name: email-templates
+ configMap:
+ name: oidc-gateway-email-templates
diff --git a/oidc-gateway/rbac.yml b/oidc-gateway/rbac.yml
new file mode 100644
index 0000000..52e9c6d
--- /dev/null
+++ b/oidc-gateway/rbac.yml
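Review bot: Both the `oidc-key-manager` Job and the `oidc-gateway` Deployment use `image: codemowers/oidc-gateway` with no tag or digest, so the identity provider for auth2.k-space.ee and the job that initialises its signing keys follow a mutable registry tag and will change on the next pod restart with nothing changing in this repository; pin a release, e.g. `image: codemowers/oidc-gateway:<release-tag>` or an `@sha256:<digest>` reference, and bump it deliberately. Neither pod template sets a `securityContext` or resource limits; for an internet-facing component `runAsNonRoot: true` and `allowPrivilegeEscalation: false` are cheap to add once it is confirmed the image does not need root for `/app`. The `ClusterRoleBinding` named `oidc-gateway-default` at the top of the file binds the same ClusterRole to the same ServiceAccount as the `oidc-gateway` binding in rbac.yml, and its subject lacks the `namespace` field that RBAC validation requires for ServiceAccount subjects; the ServiceAccount is likewise declared in both files, so one copy of each should go. The readiness probe sends `x-forwarded-for: 'https://auth2.k-space.ee/'`, a URL where a client address is expected — it looks like `x-forwarded-host` was meant, though the oidc-provider warning it silences may only check for presence.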
@@ -0,0 +1,59 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: oidc-gateway
+rules:
+ - apiGroups:
+ - codemowers.io
+ resources:
+ - oidcgatewayusers
+ - oidcgatewayusers/status
+ - oidcgatewayclients
+ - oidcgatewayclients/status
+ - oidcgatewaymiddlewareclients
+ - oidcgatewaymiddlewareclients/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+ - patch
+ - delete
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - middlewares
+ verbs:
+ - get
+ - create
+ - update
+ - patch
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: oidc-gateway
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: oidc-gateway
+subjects:
+ - kind: ServiceAccount
+ name: oidc-gateway
+ namespace: oidc-gateway
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: oidc-gateway
diff --git a/oidc-gateway/texts.yml b/oidc-gateway/texts.yml
new file mode 100644
index 0000000..d472d0f
--- /dev/null
+++ b/oidc-gateway/texts.yml
@@ -0,0 +1,65 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: oidc-gateway-tos-v1
+data:
+ tos.txt: |
+ Terms of Service
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: oidc-gateway-approval-required
+data:
+ approval.txt: |
+ Dear User,
+
+ Thank you for your interest in accessing the K-Space MTÜ infrastructure. To become a member, please contact us at info@k-space.ee
+
+ Also see https://www.k-space.ee/
+
+ Best regards, K-Space MTÜ
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: oidc-gateway-email-templates
+data:
+ tos.txt: |
+ Hi, <%= name %>!
+
+ You agreed with the Terms of Service at <%= timestamp %>
+
+ Content SHA256 hash: <%= hash %>
+
+ Best regards,
+ K-Space MTÜ
+ tos.ejs: |
+
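Review bot: The ClusterRole's second rule grants `get`, `create`, `patch` and `delete` on `secrets` with no `resourceNames` restriction, and the ClusterRoleBinding below it makes that cluster-wide, so the `oidc-gateway` service account — the identity of an internet-exposed login service — can read and delete every Secret in every namespace. Cross-namespace access is presumably intended because deployment.yml sets `NAMESPACE_SELECTOR: '*'`, but the gateway only needs the namespaces that actually hold OIDCGWClient and OIDCGWMiddlewareClient objects; granting the secrets (and `traefik.containo.us` middlewares) rules through RoleBindings in those namespaces, and keeping a ClusterRole only for the codemowers.io CRD rules, bounds what a compromise of the pod can reach. If the wildcard selector is a deliberate choice, a comment on the secrets rule naming which Secrets the gateway reads and writes (e.g. `# secrets: <Secrets the gateway manages> in every client namespace`) would let the next reviewer judge the verbs without reading the controller. The `delete` verb in particular deserves that justification, since the CRD rules above do not include it.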
+

Hi, <%= name %>!

+

You agreed with the following Terms of Service at <%= timestamp %>

+

Content SHA256 hash: <%= hash %>

+
+
+ <%- content -%> +
+
+

Best regards,
K-Space MTÜ

+
+ tos.subject: | + Terms of Service agreement confirmation + link.txt: | + Open the following link to log in: <%= url %> + + Best regards, + K-Space MTÜ + link.ejs: | +
+

Open the following link to log in: <%= url %>

+
+

Best regards,
K-Space MTÜ

+
+ link.subject: |
+ auth.k-space.ee login link
-- 
2.45.2
From be330ad121fc0aed8c1463b00d2f27f4279bcbfe Mon Sep 17 00:00:00 2001
From: Erki Aas
Date: Tue, 27 Jun 2023 22:24:30 +0300
Subject: [PATCH 2/2] oidc: require custom username
---
 oidc-gateway/deployment.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/oidc-gateway/deployment.yml b/oidc-gateway/deployment.yml
index 8d7a18e..42263d1 100644
--- a/oidc-gateway/deployment.yml
+++ b/oidc-gateway/deployment.yml
@@ -116,6 +116,8 @@ spec:
 value: '*'
 - name: PREFERRED_EMAIL_DOMAIN # try to make primary email consistent
 value: 'k-space.ee'
+ - name: REQUIRE_CUSTOM_USERNAME
+ value: 'true'
 envFrom:
 - secretRef:
 name: redis-oidc-gateway-owner-secrets
-- 
2.45.2