Configure Headlamp authentication using Zitadel (OIDC)

Smana commented 2 weeks ago

PR Type

enhancement, configuration changes

Description

Updated IAM module version and permissions in Terraform configurations.
Added support for cluster identity providers in EKS module.
Updated Zitadel configurations, including certificates, gateways, and network policies.
Increased CPU limits for Grafana and added Zitadel authentication configuration comments.
Added new ExternalSecret and RBAC configuration for Headlamp.

Changes walkthrough 📝

Relevant files

Enhancement

1 files

iam.tf

Update IAM module version and permissions

terraform/eks/iam.tf

Updated IAM module version from 5.47.1 to 5.48.0.

Added iam:DeletePolicyVersion permission to crossplane_iam policy.

+3/-2

Configuration changes

11 files

main.tf `Add cluster identity providers configuration` terraform/eks/main.tf - Added `cluster_identity_providers` variable to EKS module.	+2/-0
variables.tf `Introduce cluster identity providers variable` terraform/eks/variables.tf Introduced `cluster_identity_providers` variable for identity provider configurations.	+6/-0
helmrelease.yaml `Increase Grafana CPU limit` observability/base/grafana-operator/helmrelease.yaml - Increased CPU limit from 100m to 500m.	+1/-1
vault-clusterissuer.yaml `Update Vault AppRole roleId` security/base/cert-manager/vault-clusterissuer.yaml - Updated `roleId` for Vault AppRole authentication.	+1/-1
certificate.yaml `Update Zitadel certificate configuration` security/base/zitadel/certificate.yaml Changed `commonName` and `dnsNames` to use `auth.${domain_name}`. Updated issuer reference to `letsencrypt-prod`.	+3/-4
gateway.yaml `Update Zitadel gateway configuration` security/base/zitadel/gateway.yaml Changed load balancer scheme to `internet-facing`. Updated hostname annotations to `auth.${domain_name}`.	+4/-4
helmrelease.yaml `Update Zitadel Helm release configuration` security/base/zitadel/helmrelease.yaml Added timeout setting to Zitadel Helm release. Updated `ExternalDomain` to `auth.${domain_name}`.	+2/-1
network-policy.yaml `Update Zitadel network policy` security/base/zitadel/network-policy.yaml Updated description to reflect traffic limitations. Removed port 80 from allowed egress ports.	+1/-3
externalsecret-zitadel-envvars.yaml `Add ExternalSecret for Headlamp environment variables` tooling/base/headlamp/externalsecret-zitadel-envvars.yaml - Added new ExternalSecret for Headlamp environment variables.	+17/-0
helmrelease.yaml `Enable external secret for Headlamp OIDC` tooling/base/headlamp/helmrelease.yaml - Enabled external secret for OIDC configuration.	+6/-0
rbac-admin.yaml `Add ClusterRoleBinding for admin user` tooling/base/headlamp/rbac-admin.yaml - Added ClusterRoleBinding for admin user.	+12/-0

Documentation

2 files

example-public-gateway.yaml `Add comments and modify annotations in gateway example` infrastructure/base/gapi/example-public-gateway.yaml Added comments explaining the purpose of the manifest. Removed `external-dns.alpha.kubernetes.io/hostname` annotation.	+3/-1
helmrelease-vmsingle.yaml `Add Zitadel authentication configuration comments` observability/base/victoria-metrics-k8s-stack/helmrelease-vmsingle.yaml - Added commented-out configuration for Zitadel authentication.	+17/-0

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

github-actions[bot] commented 2 weeks ago

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review

Hardcoded Value
The `roleId` in the Vault ClusterIssuer configuration is hardcoded, which might not be ideal for a production environment as it changes each time the platform is recreated. Domain Exposure
The gateway configuration exposes the `auth.${domain_name}` to the internet, which could lead to security risks if not properly secured. Staging Issuer
The certificate configuration uses the `letsencrypt-staging` issuer, which should be replaced with a production issuer before deployment. External Secret Configuration
The ExternalSecret configuration for Headlamp might expose sensitive environment variables if not properly secured.

github-actions[bot] commented 2 weeks ago

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Score
Best practice	Improve backup path configuration to ensure unique and traceable backup entries ___ Ensure that the backup path includes a variable or dynamic element to prevent overwriting backups and to maintain a clear backup history. [security/base/zitadel/sqlinstance.yaml [13]](https://github.com/Smana/cloud-native-ref/pull/551/files#diff-c8f70d2eea287798b1a885c2cfd6ac8fd71de8a681552ae3056e239aec5c3059R13-R13) ```diff -path: "zitadel-20241111" +path: "zitadel-${current_date}" ``` Suggestion importance[1-10]: 7 Why: This suggestion is valuable as it promotes best practices for backup management by incorporating dynamic elements into the backup path, thus preventing potential data loss from overwrites.	7
Best practice	Document the new IAM permission to maintain clarity and compliance ___ Add the newly introduced IAM permission "iam:DeletePolicyVersion" to the documentation or the permissions management policy to maintain clarity and compliance. [terraform/eks/iam.tf [67]](https://github.com/Smana/cloud-native-ref/pull/551/files#diff-a11e2f02c4c990223f6e8c1d83c73528359d055b66e90b599c5362a163be822bR67-R67) ```diff -"iam:DeletePolicyVersion", +"iam:DeletePolicyVersion", # Ensure documentation reflects this permission ``` Suggestion importance[1-10]: 2 Why: Adding a comment for documentation purposes is a minor improvement. It enhances clarity but does not affect the functionality or correctness of the code.	2
Enhancement	Automate the `roleId` updates to enhance maintainability and reduce manual errors ___ Automate the update of the `roleId` in the Vault ClusterIssuer configuration to avoid manual changes with each platform recreation. [security/base/cert-manager/vault-clusterissuer.yaml [14]](https://github.com/Smana/cloud-native-ref/pull/551/files#diff-ef454d0ddaf31b989827e79a4c946cfe5c38277fbdd2545c54dd6ea97708ac22R14-R14) ```diff -roleId: 516d8162-f107-286e-6194-f337b2842d73 # !! This value changes each time I recreate the whole platform +roleId: # Automatically retrieve and update roleId ``` Suggestion importance[1-10]: 7 Why: Automating the update of `roleId` is a significant enhancement that reduces manual intervention and potential errors during platform recreation. This change improves maintainability and reliability of the configuration.	7
Possible issue	Ensure correct formatting and security of the external DNS hostname ___ Ensure that the hostname in the `external-dns.alpha.kubernetes.io/hostname` annotation matches the expected format and does not inadvertently expose internal DNS names due to variable interpolation issues. [security/base/zitadel/gateway.yaml [13]](https://github.com/Smana/cloud-native-ref/pull/551/files#diff-bd8fc5cfeb250c2bafbd3db4a85e84ab316d7a1fd7b8c5dca36afe3d646a24b9R13-R13) ```diff -external-dns.alpha.kubernetes.io/hostname: "auth.${domain_name}" +external-dns.alpha.kubernetes.io/hostname: "auth.${domain_name}.example.com" ``` Suggestion importance[1-10]: 6 Why: The suggestion correctly identifies a potential security issue with DNS hostname exposure. However, the improved code example does not necessarily reflect a universal fix, as the domain suffix might vary.	6
Possible issue	Ensure the IAM role version is compatible and fully functional with the existing infrastructure ___ Verify the compatibility of the IAM role version "5.48.0" with the existing infrastructure and ensure it includes all necessary permissions for the EBS CSI driver and Crossplane. [terraform/eks/iam.tf [4-25]](https://github.com/Smana/cloud-native-ref/pull/551/files#diff-a11e2f02c4c990223f6e8c1d83c73528359d055b66e90b599c5362a163be822bR4-R25) ```diff -version = "5.48.0" +version = "" ``` Suggestion importance[1-10]: 3 Why: The suggestion to verify compatibility of the IAM role version is valid, but it is a general best practice and not a specific code improvement. The impact is moderate as it ensures compatibility but does not directly alter code functionality.	3
Security	Ensure the OIDC configuration in Headlamp HelmRelease is fully integrated with the external secret ___ Confirm that the `oidc` configuration in the HelmRelease for Headlamp correctly integrates with the external secret and that the secret contains all necessary OIDC parameters. [tooling/base/headlamp/helmrelease.yaml [20-25]](https://github.com/Smana/cloud-native-ref/pull/551/files#diff-8dbebd8b1123cf1d4fd1439590ce0cc4a607e523832c037c7299744065174c04R20-R25) ```diff oidc: secret: create: false externalSecret: enabled: true name: "headlamp-envvars" + keys: ["client_id", "issuer_url", "client_secret"] ``` Suggestion importance[1-10]: 5 Why: The suggestion is relevant for security and configuration integrity. However, it assumes the presence of specific keys in the external secret without verification, which might not always be applicable.	5
Possible bug	Validate the OIDC provider configurations to ensure they are correct and functional ___ Validate the structure and data of `var.cluster_identity_providers` to ensure it meets the expected format and contains valid OIDC provider configurations. [terraform/eks/main.tf [48]](https://github.com/Smana/cloud-native-ref/pull/551/files#diff-417ec24690b4cefab94c36369121105f6a398a3640e69aab37f04c36bd48840dR48-R48) ```diff -cluster_identity_providers = var.cluster_identity_providers +cluster_identity_providers = ``` Suggestion importance[1-10]: 4 Why: Validating the structure and data of `var.cluster_identity_providers` is crucial for ensuring the correct configuration of OIDC providers. This suggestion could prevent potential runtime errors, making it a valuable addition.	4

Smana commented 2 weeks ago

/describe

github-actions[bot] commented 2 weeks ago

PR Description updated to latest commit (https://github.com/Smana/cloud-native-ref/commit/883d8df82b09f4aa158495fd8ffe33577055958c)

Smana / cloud-native-ref