epinio / helm-charts

Epinio Helm chart
https://epinio.github.io/helm-charts/

Optionally supplement Dex configuration with information required for embedded ui auth #504

Closed richard-cox closed 10 months ago

richard-cox commented 11 months ago

I had a think, from memory helm managed resources aren't something that the user should be manually changing. We show a warning in the rancher ui for resources managed by helm saying something similar. So I'm guessing any changes made by the user will get overwritten on upgrade.

thehejik commented 11 months ago

Helm upgrade after appending --set rancher.url=https://rancher.somewhere.io produces the following new entries.

--- dex-config.yaml 2023-10-23 17:01:21.850655068 +0200
+++ dex-config-rancher.yaml 2023-10-23 17:01:36.402797082 +0200
@@ -1,4 +1,6 @@
 issuer: "https://auth.1.2.3.4.nip.io"
+web:
+  allowedOrigins: ['https://rancher.somewhere.io']
 storage:
   type: kubernetes
   config:
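Review bot: the origin in web.allowedOrigins appears to be the rancher.url value from --set copied as given, and nothing visible here restricts it to scheme, host and port. A browser's Origin header never carries a path or a trailing slash, so a value such as https://rancher.somewhere.io/ would render an entry that no request can match, and the dashboard's cross-origin calls to Dex would be blocked by the browser. Suggest normalising the value in the template (drop any path and trailing slash) or failing the render when it is not a bare origin, and quoting it the same way as the issuer line above so the rendered string cannot break out of the flow list.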
@@ -24,6 +26,7 @@
     trustedPeers:
       - epinio-cli
       - epinio-ui
+      - rancher-dashboard
   - id: epinio-cli
     name: 'Epinio cli'
     public: true
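Review bot: the new trustedPeers entry "- rancher-dashboard" carries no comment saying why that client is trusted, and the client it names is declared with public: true further down in this patch. A trusted peer can obtain tokens on behalf of the client that lists it, so the reason for extending that to a client without a secret should be written next to the entry. The entry should also be rendered only together with the rancher-dashboard client definition, so the list never names a client that does not exist.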
@@ -33,3 +36,8 @@
     # Shouldn't be public, https://dexidp.io/docs/custom-scopes-claims-clients/#public-clients
     redirectURIs:
       - "https://epinio.1.2.3.4.nip.io/auth/verify/"
+  - id: rancher-dashboard
+    name: 'Rancher Dashboard'
+    public: true
+    redirectURIs:
+      - "https://rancher.somewhere.io/epinio/auth/verify/"
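Review bot: public: true on the new rancher-dashboard client sits directly under the existing comment "Shouldn't be public" with its link to the Dex public-clients page, and nothing explains why this client is the exception. Add a comment next to the flag stating the reason (for example, if it is that the dashboard is browser code that cannot keep a client secret). The redirect URI also appears to be the rancher.url value with /epinio/auth/verify/ appended, so a rancher.url ending in a slash would render a double slash and no longer equal the URI the dashboard sends; worth trimming before concatenating.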

The dex-config can be obtained by:

$ kubectl get secrets/dex-config -n epinio -o=go-template='{{index .data "config.yaml" | base64decode }}'

thehejik commented 10 months ago

It works as expected and the dex-config has the same fields related to rancher-dashboard as in the report above. Also questions.yml modification is working properly (@mmartin24 the CORS input field has been removed completely ~moved from General settings under a new Rancher section~): image

@richard-cox But today I found out that when the chart is installed over rancher:v2.8.0-rc3, there is already a global.cattle.url value automagically set by rancher so maybe we could just reuse the value and remove rancher.url completely, wdyt?

richard-cox commented 10 months ago

OK - deployed in rancher - the CORS field not present anymore - the secret data modified @thehejik Just to confirm... in this test case the ACCESS_CONTROL_ALLOW_ORIGIN value in the epinio-server Deployment is populated?

thehejik commented 10 months ago

> @thehejik Just to confirm... in this test case the ACCESS_CONTROL_ALLOW_ORIGIN value in the epinio-server Deployment is populated?

@richard-cox yes, it is: image

richard-cox commented 10 months ago

@andreas-kupries, @enrichman unless there are objections I'll merge this tomorrow AM

enrichman commented 10 months ago

I will be very happy to see this merged! Thanks @richard-cox