diff --git a/resources/monitoring/charts/grafana/templates/_helpers.tpl b/resources/monitoring/charts/grafana/templates/_helpers.tpl index 46a3324321b1..80171974fd11 100644 --- a/resources/monitoring/charts/grafana/templates/_helpers.tpl +++ b/resources/monitoring/charts/grafana/templates/_helpers.tpl @@ -112,22 +112,6 @@ Return the appropriate apiVersion for rbac. {{- end -}} {{- end -}} -{{- define "grafana.kyma.authProxy.groups" -}} -{{- if .Values.kyma.authProxy.config.resources.useKymaGroups }} -{{- printf "|groups=%s,%s,%s,%s" .Values.global.kymaRuntime.adminGroup .Values.global.kymaRuntime.operatorGroup .Values.global.kymaRuntime.developerGroup .Values.global.kymaRuntime.namespaceAdminGroup -}} -{{- else if .Values.kyma.authProxy.config.resources.groups }} -{{- printf "|groups=%s" .Values.kyma.authProxy.config.resources.groups }} -{{- end }} -{{- end -}} - -{{- define "grafana.kyma.authProxy.methods" -}} -{{- if .Values.kyma.authProxy.config.resources.methods }} -{{- printf "|methods=%s" .Values.kyma.authProxy.config.resources.methods }} -{{- end }} -{{- end -}} - -{{- define "grafana.kyma.authProxy.roles" -}} -{{- if .Values.kyma.authProxy.config.resources.roles }} -{{- printf "|roles=%s" .Values.kyma.authProxy.config.resources.roles }} -{{- end }} +{{- define "grafana.kyma.authProxy.kymaGroups" -}} +{{- printf "%s,%s,%s,%s" .Values.global.kymaRuntime.adminGroup .Values.global.kymaRuntime.operatorGroup .Values.global.kymaRuntime.developerGroup .Values.global.kymaRuntime.namespaceAdminGroup -}} {{- end -}} diff --git a/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-configmap.yaml b/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-configmap.yaml new file mode 100644 index 000000000000..6b803d3ac242 --- /dev/null +++ b/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-configmap.yaml 
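Review bot: The new `grafana.kyma.authProxy.kymaGroups` helper carries no descriptive comment, while the hunk header shows this file documents its helpers ("Return the appropriate apiVersion for rbac."). Suggest adding `{{/* Comma-separated list of the Kyma runtime admin, operator, developer and namespace-admin groups, used as the auth proxy's allowed groups. */}}` above the define. The helper also joins the four `.Values.global.kymaRuntime` values unconditionally, so an unset group yields an empty entry in the list; whether the consumer tolerates an empty group name is not visible from this hunk.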
@@ -0,0 +1,22 @@
+{{- if .Values.kyma.authProxy.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-auth-proxy-{{ template "grafana.name" . }}-templates
+ namespace: kyma-system
+ labels:
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/name: auth-proxy
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ helm.sh/chart: {{ include "grafana.chart" . }}
+data:
+ sign_in.html: |
+
+
+
+
+
+
+
+
+{{- end }}
diff --git a/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-deployment.yaml b/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-deployment.yaml
index 45072fb21df7..4f6c93552b59 100644
--- a/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-deployment.yaml
+++ b/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-deployment.yaml
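Review bot: `namespace: kyma-system` is hard-coded in the new ConfigMap, but the Deployment in this commit mounts it by name only (`configMap: name: ...-templates`), so both objects must land in the same namespace; if the Deployment's metadata, which is outside the hunks shown, uses `{{ .Release.Namespace }}`, a release installed elsewhere would fail to mount `templates-cm`. Suggest `namespace: {{ .Release.Namespace }}` unless the chart deliberately pins every Kyma addition to kyma-system. The body of `sign_in.html` shows as eight empty lines on this page, presumably the HTML was stripped in rendering, so the template itself cannot be reviewed here.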
@@ -32,69 +32,36 @@ spec:
 nodeSelector:
 {{ toYaml .Values.kyma.authProxy.nodeSelector | indent 8 }}
 {{- end }}
+ volumes:
+ - name: templates-cm
+ configMap:
+ name: {{ .Release.Name }}-auth-proxy-{{ template "grafana.name" . }}-templates
 containers:
 - image: "{{ .Values.kyma.authProxy.image.repository }}:{{ .Values.kyma.authProxy.image.tag }}"
 imagePullPolicy: {{ .Values.kyma.authProxy.image.pullPolicy }}
 name: auth-proxy
- command: ["/keycloak-gatekeeper"]
 args:
- - --discovery-url=https://dex.{{ .Values.global.ingress.domainName }}
- - --skip-openid-provider-tls-verify={{ not .Values.kyma.authProxy.config.tlsVerify }}
- - --client-id=$(CLIENT_ID)
- - --client-secret=$(CLIENT_SECRET)
- - --resources=uri={{ .Values.kyma.authProxy.config.resources.uri }}{{ template "grafana.kyma.authProxy.methods" . }}{{ template "grafana.kyma.authProxy.groups" . }}{{ template "grafana.kyma.authProxy.roles" . }}
- - --redirection-url=https://grafana.{{ .Values.global.ingress.domainName }}
- {{- if .Values.kyma.authProxy.config.scopes }}
- {{- range $i, $scope := (splitList "," .Values.kyma.authProxy.config.scopes) }}
- - --scopes={{ $scope }}
- {{- end }}
- {{- end }}
- {{- if .Values.kyma.authProxy.config.addClaims }}
- {{- range $i, $claim := (splitList "," .Values.kyma.authProxy.config.addClaims) }}
- - --add-claims={{ $claim }}
- {{- end }}
- {{- end }}
- {{- if .Values.kyma.authProxy.config.matchClaims }}
- {{- range $i, $claim := (splitList "," .Values.kyma.authProxy.config.matchClaims) }}
- - --match-claims={{ $claim }}
- {{- end }}
- {{- end }}
- {{- if .Values.kyma.authProxy.config.headers }}
- {{- range $i, $header := (splitList "," .Values.kyma.authProxy.config.headers) }}
- - --headers={{ $header }}
- {{- end }}
- {{- end }}
- - --verbose=false
- - --listen=0.0.0.0:{{ .Values.kyma.authProxy.port }}
- - --upstream-url=http://{{ template "grafana.fullname" . }}:{{ .Values.service.port }}
- - --enable-logging=false
- - --enable-json-logging=true
- - --secure-cookie=true
- - --enable-authorization-cookies=false
- - --enable-authorization-header=false
- - --enable-token-header=false
- - --enable-encrypted-token=true
- - --enable-security-filter=true
- - --filter-browser-xss=true
- - --filter-content-nosniff=true
- - --filter-frame-deny=true
- - --encryption-key=$(ENCRYPTION_KEY)
- - --http-only-cookie=true
- - --upstream-keepalives=true
- - --upstream-keepalive-timeout=60s
+ - --http-address=0.0.0.0:{{ .Values.kyma.authProxy.port }}
+ - --upstream=http://{{ template "grafana.fullname" . }}:{{ .Values.service.port }}
+ - --cookie-secure=true
 - --cookie-domain=https://grafana.{{ .Values.global.ingress.domainName }}
- - --cookie-access-name=KYMA_GRAFANA_TOKEN
+ - --cookie-name=KYMA_GRAFANA_TOKEN
+ - --silence-ping-logging=true
+ - --reverse-proxy=true
 envFrom:
 - secretRef:
 name: {{ .Release.Name }}-auth-proxy-{{ template "grafana.name" . }}
 optional: false
+ - secretRef:
+ name: {{ .Release.Name }}-auth-proxy-{{ template "grafana.name" . }}-user
+ optional: true
 ports:
 - name: http
 containerPort: {{ .Values.kyma.authProxy.port }}
 protocol: TCP
 livenessProbe:
 httpGet:
- path: /oauth/health
+ path: /ping
 port: http
 {{- if .Values.kyma.authProxy.securityContext }}
 securityContext:
@@ -102,4 +69,7 @@ spec:
 {{- end }}
 resources:
 {{ toYaml .Values.kyma.authProxy.resources | indent 10 }}
+ volumeMounts:
+ - name: templates-cm
+ mountPath: /templates
 {{- end}}
diff --git a/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-secret.yaml b/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-secret.yaml
index a3f0b301cb2c..9a72ffcfcc7d 100644
--- a/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-secret.yaml
+++ b/resources/monitoring/charts/grafana/templates/kyma-additions/auth-proxy-secret.yaml
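Review bot: `--cookie-domain=https://grafana.{{ .Values.global.ingress.domainName }}` is carried over unchanged from the gatekeeper flags, but a cookie Domain attribute is a host name, not a URL; with the scheme in it the value cannot match the request host, so as far as I know it is either ignored or dropped by the Go cookie writer and the session cookie ends up host-only, which makes the flag misleading even if it happens to work. Suggest `- --cookie-domain=grafana.{{ .Values.global.ingress.domainName }}` and confirming against the new binary's flag documentation. `--reverse-proxy=true` makes the proxy trust X-Forwarded-* headers from whatever reaches it, which is only sound if the pod is reachable solely through the ingress; a comment above that flag stating the assumption, e.g. `# trusts X-Forwarded-* headers: the pod must only be reachable via the ingress`, would help the next maintainer. The old args also set frame-deny, nosniff and XSS-filter response headers, and I do not see equivalents in the new args; if neither Grafana nor the ingress adds those headers this is a quiet hardening regression worth a note in the commit.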
@@ -10,7 +10,29 @@ metadata:
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 helm.sh/chart: {{ include "grafana.chart" . }}
 data:
- CLIENT_ID: {{ .Values.kyma.authProxy.config.clientId | b64enc | quote }}
- CLIENT_SECRET: {{ .Values.kyma.authProxy.config.clientSecret | b64enc | quote }}
- ENCRYPTION_KEY: {{ randAlphaNum 32 | b64enc | quote }}
+ OAUTH2_PROXY_CLIENT_ID: {{ .Values.kyma.authProxy.config.clientId | b64enc | quote }}
+ OAUTH2_PROXY_CLIENT_SECRET: {{ .Values.kyma.authProxy.config.clientSecret | b64enc | quote }}
+ OAUTH2_PROXY_EMAIL_DOMAINS: {{ .Values.kyma.authProxy.config.emailDomains | b64enc | quote }}
+ OAUTH2_PROXY_COOKIE_SECRET: {{ randAlphaNum 32 | b64enc | quote }}
+{{- if .Values.kyma.authProxy.configDocsLink }}
+ OAUTH2_PROXY_CUSTOM_TEMPLATES_DIR: {{ "/templates" | b64enc | quote }}
+{{- end }}
+ OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY: {{ not .Values.kyma.authProxy.config.tlsVerify | toString | b64enc | quote }}
+{{- if .Values.kyma.authProxy.config.useKymaGroups }}
+ OAUTH2_PROXY_ALLOWED_GROUPS: {{ template "grafana.kyma.authProxy.kymaGroups" . | b64enc | quote }}
+{{- else if .Values.kyma.authProxy.config.groups }}
+ OAUTH2_PROXY_ALLOWED_GROUPS: {{ .Values.kyma.authProxy.config.groups | b64enc | quote }}
+{{- end }}
+{{- if .Values.kyma.authProxy.config.scopes }}
+ OAUTH2_PROXY_SCOPES: {{ .Values.kyma.authProxy.config.scopes | b64enc | quote }}
+{{- end }}
+{{- if .Values.kyma.authProxy.config.useDex }}
+ OAUTH2_PROXY_PROVIDER: {{ "oidc" | b64enc | quote }}
+ OAUTH2_PROXY_OIDC_ISSUER_URL: {{ print "https://dex." .Values.global.ingress.domainName | b64enc | quote }}
+{{- else }}
+ OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: {{ "false" | b64enc | quote }}
+{{- end }}
+{{- range $key, $val := .Values.kyma.authProxy.env }}
+ {{ $key }}: {{ $val | b64enc | quote }}
+{{- end }}
 {{- end }}
diff --git a/resources/monitoring/charts/grafana/values.yaml b/resources/monitoring/charts/grafana/values.yaml
index e495993f197a..f1ea71c0a9bd 100644
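Review bot: `{{ template "grafana.kyma.authProxy.kymaGroups" . | b64enc | quote }}` does not pipe the helper's output: in Go templates the pipeline after a `template` action is the argument handed to the template, so `. | b64enc | quote` is evaluated first and `b64enc` receives the root context instead of a string, which fails at render time as soon as `useKymaGroups` is true (the default of false hides it). Use `include`, as the context line `helm.sh/chart: {{ include "grafana.chart" . }}` already does: `OAUTH2_PROXY_ALLOWED_GROUPS: {{ include "grafana.kyma.authProxy.kymaGroups" . | b64enc | quote }}`. The `env` range has a related typing gap: a non-string value such as `true` or a port number goes straight into `b64enc`, whereas the SSL_INSECURE_SKIP_VERIFY line converts with `toString` first; `{{ $key }}: {{ $val | toString | b64enc | quote }}` keeps the two consistent. Keys supplied through `env` are also emitted after the fixed ones, so a user-provided `OAUTH2_PROXY_CLIENT_SECRET` yields a duplicate key in the rendered Secret rather than a clean override, and which value wins then depends on the YAML consumer; a comment above the range saying that `env` must not repeat the keys above would make that explicit.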
--- a/resources/monitoring/charts/grafana/values.yaml
+++ b/resources/monitoring/charts/grafana/values.yaml
@@ -714,20 +714,17 @@ kyma:
 authProxy:
 enabled: false
 replicaCount: 1
+ configDocsLink: ""
 config:
 clientId: "grafana"
 clientSecret: "apie4eeX6hiC9ainieli"
+ useDex: false
 tlsVerify: false
- resources:
- uri: "/*"
- methods: "GET,POST,PUT,DELETE"
- useKymaGroups: false
- groups: ""
- roles: ""
+ emailDomains: "*"
+ groups: ""
+ useKymaGroups: false
 scopes: "groups"
- headers: ""
- matchClaims: ""
- addClaims: ""
+ env: {}
 nodeSelector: {}
 securityContext:
 allowPrivilegeEscalation: false
@@ -735,8 +732,8 @@ kyma:
 runAsNonRoot: true
 port: 3000
 image:
- repository: eu.gcr.io/kyma-project/external/bitnami/keycloak-gatekeeper
- tag: 10.0.0
+ repository: eu.gcr.io/kyma-project/tpi/oauth2-proxy
+ tag: 7.1.3-2d6c9454
 pullPolicy: IfNotPresent
 resources:
 limits:
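Review bot: The new `config` keys in the first hunk are added without comments, and two of the defaults decide who can reach Grafana: `emailDomains: "*"` accepts every authenticated email, and with `groups: ""` and `useKymaGroups: false` no group restriction is applied in the Secret template, so any identity the provider accepts is let through. Suggest a comment above `emailDomains` such as `# "*" accepts any email domain; narrow this or set groups/useKymaGroups to restrict who may open Grafana`. `useDex: false` leaves OAUTH2_PROXY_PROVIDER unset in the Secret, so the proxy falls back to its built-in default provider (Google, I believe) unless `env` supplies one; if Dex is the intended default for Kyma this default looks inverted and is worth confirming. `env: {}` would also benefit from `# extra OAUTH2_PROXY_* settings; values are written into the Secret and should be strings`, since the Secret template base64-encodes each value as given.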