Replace keycloak-proxy by oaht2-proxy for Grafana

kyma-project · Jun 22, 2021 · adac19b · adac19b
1 parent 3fabb5f
commit adac19b
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 79 deletions.
diff --git a/resources/monitoring/charts/grafana/templates/_helpers.tpl b/resources/monitoring/charts/grafana/templates/_helpers.tpl
@@ -112,22 +112,6 @@ Return the appropriate apiVersion for rbac.
 {{- end -}}
 {{- end -}}
 
-{{- define "grafana.kyma.authProxy.groups" -}}
-{{- if .Values.kyma.authProxy.config.resources.useKymaGroups }}
-{{- printf "|groups=%s,%s,%s,%s" .Values.global.kymaRuntime.adminGroup .Values.global.kymaRuntime.operatorGroup .Values.global.kymaRuntime.developerGroup .Values.global.kymaRuntime.namespaceAdminGroup -}}
-{{- else if .Values.kyma.authProxy.config.resources.groups }}
-{{- printf "|groups=%s" .Values.kyma.authProxy.config.resources.groups }}
-{{- end }}
-{{- end -}}
-
-{{- define "grafana.kyma.authProxy.methods" -}}
-{{- if .Values.kyma.authProxy.config.resources.methods }}
-{{- printf "|methods=%s" .Values.kyma.authProxy.config.resources.methods }}
-{{- end }}
-{{- end -}}
-
-{{- define "grafana.kyma.authProxy.roles" -}}
-{{- if .Values.kyma.authProxy.config.resources.roles }}
-{{- printf "|roles=%s" .Values.kyma.authProxy.config.resources.roles }}
-{{- end }}
+{{- define "grafana.kyma.authProxy.kymaGroups" -}}
+{{- printf "%s,%s,%s,%s" .Values.global.kymaRuntime.adminGroup .Values.global.kymaRuntime.operatorGroup .Values.global.kymaRuntime.developerGroup .Values.global.kymaRuntime.namespaceAdminGroup -}}
 {{- end -}}
diff --git a/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-configmap.yaml b/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-configmap.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.kyma.authProxy.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-auth-proxy-{{ template "grafana.name" . }}-templates
+  namespace: kyma-system
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/name: auth-proxy
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ include "grafana.chart" . }}
+data:
+  sign_in.html: |
+    <!DOCTYPE html>
+    <html lang="en" charset="utf-8">
+      <head>
+        <meta http-equiv = "refresh" content = "0; url = {{ .Values.kyma.authProxy.configDocsLink }}" />
+      </head>
+      <body>
+      </body>
+    </html>
+{{- end }}
diff --git a/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-deployment.yaml b/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-deployment.yaml
@@ -32,74 +32,44 @@ spec:
       nodeSelector:
 {{ toYaml .Values.kyma.authProxy.nodeSelector | indent 8 }}
       {{- end }}
+      volumes:
+      - name: templates-cm
+        configMap:
+          name: {{ .Release.Name }}-auth-proxy-{{ template "grafana.name" . }}-templates
       containers:
       - image: "{{ .Values.kyma.authProxy.image.repository }}:{{ .Values.kyma.authProxy.image.tag }}"
         imagePullPolicy: {{ .Values.kyma.authProxy.image.pullPolicy }}
         name: auth-proxy
-        command: ["/keycloak-gatekeeper"]
         args:
-        - --discovery-url=https://dex.{{ .Values.global.ingress.domainName }}
-        - --skip-openid-provider-tls-verify={{ not .Values.kyma.authProxy.config.tlsVerify }}
-        - --client-id=$(CLIENT_ID)
-        - --client-secret=$(CLIENT_SECRET)
-        - --resources=uri={{ .Values.kyma.authProxy.config.resources.uri }}{{ template "grafana.kyma.authProxy.methods" . }}{{ template "grafana.kyma.authProxy.groups" . }}{{ template "grafana.kyma.authProxy.roles" . }}
-        - --redirection-url=https://grafana.{{ .Values.global.ingress.domainName }}
-        {{- if .Values.kyma.authProxy.config.scopes }}
-        {{- range $i, $scope := (splitList "," .Values.kyma.authProxy.config.scopes) }}
-        - --scopes={{ $scope }}
-        {{- end }}
-        {{- end }}
-        {{- if .Values.kyma.authProxy.config.addClaims }}
-        {{- range $i, $claim := (splitList "," .Values.kyma.authProxy.config.addClaims) }}
-        - --add-claims={{ $claim }}
-        {{- end }}
-        {{- end }}
-        {{- if .Values.kyma.authProxy.config.matchClaims }}
-        {{- range $i, $claim := (splitList "," .Values.kyma.authProxy.config.matchClaims) }}
-        - --match-claims={{ $claim }}
-        {{- end }}
-        {{- end }}
-        {{- if .Values.kyma.authProxy.config.headers }}
-        {{- range $i, $header := (splitList "," .Values.kyma.authProxy.config.headers) }}
-        - --headers={{ $header }}
-        {{- end }}
-        {{- end }}
-        - --verbose=false
-        - --listen=0.0.0.0:{{ .Values.kyma.authProxy.port }}
-        - --upstream-url=http://{{ template "grafana.fullname" . }}:{{ .Values.service.port }}
-        - --enable-logging=false
-        - --enable-json-logging=true
-        - --secure-cookie=true
-        - --enable-authorization-cookies=false
-        - --enable-authorization-header=false
-        - --enable-token-header=false
-        - --enable-encrypted-token=true
-        - --enable-security-filter=true
-        - --filter-browser-xss=true
-        - --filter-content-nosniff=true
-        - --filter-frame-deny=true
-        - --encryption-key=$(ENCRYPTION_KEY)
-        - --http-only-cookie=true
-        - --upstream-keepalives=true
-        - --upstream-keepalive-timeout=60s
+        - --http-address=0.0.0.0:{{ .Values.kyma.authProxy.port }}
+        - --upstream=http://{{ template "grafana.fullname" . }}:{{ .Values.service.port }}
+        - --cookie-secure=true
         - --cookie-domain=https://grafana.{{ .Values.global.ingress.domainName }}
-        - --cookie-access-name=KYMA_GRAFANA_TOKEN
+        - --cookie-name=KYMA_GRAFANA_TOKEN
+        - --silence-ping-logging=true
+        - --reverse-proxy=true
         envFrom:
         - secretRef:
             name: {{ .Release.Name }}-auth-proxy-{{ template "grafana.name" . }}
             optional: false
+        - secretRef:
+            name: {{ .Release.Name }}-auth-proxy-{{ template "grafana.name" . }}-user
+            optional: true
         ports:
         - name: http
           containerPort: {{ .Values.kyma.authProxy.port }}
           protocol: TCP
         livenessProbe:
           httpGet:
-            path: /oauth/health
+            path: /ping
             port: http
         {{- if .Values.kyma.authProxy.securityContext }}
         securityContext:
 {{ toYaml .Values.kyma.authProxy.securityContext | nindent 10 }}
         {{- end }}
         resources:
 {{ toYaml .Values.kyma.authProxy.resources | indent 10 }}
+        volumeMounts:
+          - name: templates-cm
+            mountPath: /templates
 {{- end}}
diff --git a/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-secret.yaml b/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-secret.yaml
@@ -10,7 +10,29 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     helm.sh/chart: {{ include "grafana.chart" . }}
 data:
-  CLIENT_ID: {{ .Values.kyma.authProxy.config.clientId | b64enc | quote }}
-  CLIENT_SECRET: {{ .Values.kyma.authProxy.config.clientSecret | b64enc | quote }}
-  ENCRYPTION_KEY: {{ randAlphaNum 32 | b64enc | quote }}
+  OAUTH2_PROXY_CLIENT_ID: {{ .Values.kyma.authProxy.config.clientId | b64enc | quote }}
+  OAUTH2_PROXY_CLIENT_SECRET: {{ .Values.kyma.authProxy.config.clientSecret | b64enc | quote }}
+  OAUTH2_PROXY_EMAIL_DOMAINS: {{ .Values.kyma.authProxy.config.emailDomains | b64enc | quote }}
+  OAUTH2_PROXY_COOKIE_SECRET: {{ randAlphaNum 32 | b64enc | quote }}
+{{- if .Values.kyma.authProxy.configDocsLink }}
+  OAUTH2_PROXY_CUSTOM_TEMPLATES_DIR: {{ "/templates" | b64enc | quote }}
+{{- end }}
+  OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY: {{ not .Values.kyma.authProxy.config.tlsVerify | toString | b64enc | quote }}
+{{- if .Values.kyma.authProxy.config.useKymaGroups }}
+  OAUTH2_PROXY_ALLOWED_GROUPS: {{ template "grafana.kyma.authProxy.kymaGroups" . | b64enc | quote }}
+{{- else if .Values.kyma.authProxy.config.groups }}
+  OAUTH2_PROXY_ALLOWED_GROUPS: {{ .Values.kyma.authProxy.config.groups | b64enc | quote }}
+{{- end }}
+{{- if .Values.kyma.authProxy.config.scopes }}
+  OAUTH2_PROXY_SCOPES: {{ .Values.kyma.authProxy.config.scopes | b64enc | quote }}
+{{- end }}
+{{- if .Values.kyma.authProxy.config.useDex }}
+  OAUTH2_PROXY_PROVIDER: {{ "oidc" | b64enc | quote }}
+  OAUTH2_PROXY_OIDC_ISSUER_URL: {{ print "https://dex." .Values.global.ingress.domainName | b64enc | quote }}
+{{- else }}
+  OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: {{ "false" | b64enc | quote }}
+{{- end }}
+{{- range $key, $val := .Values.kyma.authProxy.env }}
+  {{ $key }}: {{ $val | b64enc | quote }}
+{{- end  }}
 {{- end }}
diff --git a/resources/monitoring/charts/grafana/values.yaml b/resources/monitoring/charts/grafana/values.yaml
@@ -714,29 +714,26 @@ kyma:
   authProxy:
     enabled: false
     replicaCount: 1
+    configDocsLink: ""
     config:
       clientId: "grafana"
       clientSecret: "apie4eeX6hiC9ainieli"
+      useDex: false
       tlsVerify: false
-      resources:
-        uri: "/*"
-        methods: "GET,POST,PUT,DELETE"
-        useKymaGroups: false
-        groups: ""
-        roles: ""
+      emailDomains: "*"
+      groups: ""
+      useKymaGroups: false
       scopes: "groups"
-      headers: ""
-      matchClaims: ""
-      addClaims: ""
+    env: {}
     nodeSelector: {}
     securityContext:
       allowPrivilegeEscalation: false
       privileged: false
       runAsNonRoot: true
     port: 3000
     image:
-      repository: eu.gcr.io/kyma-project/external/bitnami/keycloak-gatekeeper
-      tag: 10.0.0
+      repository: eu.gcr.io/kyma-project/tpi/oauth2-proxy
+      tag: 7.1.3-2d6c9454
       pullPolicy: IfNotPresent
     resources:
       limits: