Replace keycloak-proxy by oauth2-proxy (kyma-project#11518)

* Replace keycloak-proxy by oaht2-proxy for Grafana * Replace keycloak-proxy by oauth2-proxy for Kiali * Replace keycloak-proxy by oauth2-proxy for Jaeger * Update values for kcproxy to oauth2 proxy migration * Do not shop oauth2 proxy login page when using Dex * Adapt Dex redirect URLs for oauth2 proxy * Add oauth2 proxy overrides for fast integration test * Apply review comments * Update oauth2 proxy image tag * Disable request logging
sankalp-r · Jun 25, 2021 · 2d94fad · 2d94fad
1 parent dd7c314
commit 2d94fad
Show file tree

Hide file tree

Showing 27 changed files with 384 additions and 395 deletions.
diff --git a/installation/resources/values.yaml b/installation/resources/values.yaml
@@ -3,15 +3,15 @@
 global:
   installCRDs: false
 tracing:
-  kcproxy:
-    enabled: false
-  virtualservice:
-    enabled: false
+  authProxy:
+    configDocsLink: "https://kyma-project.io/docs" # TODO: Update link once docs are available
+    config:
+      useDex: false
 kiali:
-  kcproxy:
-    enabled: false
-  virtualservice:
-    enabled: false
+  authProxy:
+    configDocsLink: "https://kyma-project.io/docs" # TODO: Update link once docs are available
+    config:
+      useDex: false
 logging:
   logui:
     enabled: false
@@ -22,13 +22,14 @@ monitoring:
   alertmanager:
     enabled: false
   grafana:
-    virtualservice:
-      enabled: false
     kyma:
       console:
         enabled: false
       authProxy:
-        enabled: false
+        enabled: true
+        configDocsLink: "https://kyma-project.io/docs" # TODO: Update link once docs are available
+        config:
+          useDex: false
     env:
       GF_AUTH_ANONYMOUS_ENABLED: "true"
       GF_AUTH_GENERIC_OAUTH_ENABLED: "false"
@@ -44,5 +45,5 @@ helm-broker:
   addons-ui:
     enabled: false
 service-catalog-addons:
-  service-catalog-ui: 
-    enabled: false
+  service-catalog-ui:
+    enabled: false
diff --git a/resources/dex/values.yaml b/resources/dex/values.yaml
@@ -24,19 +24,19 @@ oidc:
       name: Grafana UI
       redirectURIs:
       - 'https://grafana.{{ .Values.global.ingress.domainName }}/login/generic_oauth'
-      - 'https://grafana.{{ .Values.global.ingress.domainName }}/oauth/callback'
+      - 'https://grafana.{{ .Values.global.ingress.domainName }}/oauth2/callback'
       secret: apie4eeX6hiC9ainieli
     - id: jaeger
       name: Jaeger UI
       redirectURIs:
-      - 'http://jaeger.{{ .Values.global.ingress.domainName }}:3000/oauth/callback'
-      - 'https://jaeger.{{ .Values.global.ingress.domainName }}/oauth/callback'
+      - 'http://jaeger.{{ .Values.global.ingress.domainName }}:3000/oauth2/callback'
+      - 'https://jaeger.{{ .Values.global.ingress.domainName }}/oauth2/callback'
       secret: oiEWUWOIEwedfgg
     - id: kiali
       name: Kiali UI
       redirectURIs:
-      - 'http://kiali.{{ .Values.global.ingress.domainName }}:3000/oauth/callback'
-      - 'https://kiali.{{ .Values.global.ingress.domainName }}/oauth/callback'
+      - 'http://kiali.{{ .Values.global.ingress.domainName }}:3000/oauth2/callback'
+      - 'https://kiali.{{ .Values.global.ingress.domainName }}/oauth2/callback'
       secret: hiFWLWqIxw5d3gl
     - id: compass-ui
       name: Compass UI

diff --git a/resources/kiali/templates/_helpers.tpl b/resources/kiali/templates/_helpers.tpl
@@ -187,22 +187,6 @@ Determine the auth strategy to use - default is "token" on Kubernetes and "opens
 {{- end }}
 {{- end }}
 
-{{- define "kiali.kcproxy.groups" -}}
-{{- if .Values.kcproxy.config.resources.useKymaGroups }}
-{{- printf "|groups=%s,%s,%s,%s" .Values.global.kymaRuntime.adminGroup .Values.global.kymaRuntime.operatorGroup .Values.global.kymaRuntime.developerGroup .Values.global.kymaRuntime.namespaceAdminGroup -}}
-{{- else if .Values.kcproxy.config.resources.groups }}
-{{- printf "|groups=%s" .Values.kcproxy.config.resources.groups }}
-{{- end }}
-{{- end -}}
-
-{{- define "kiali.kcproxy.methods" -}}
-{{- if .Values.kcproxy.config.resources.methods }}
-{{- printf "|methods=%s" .Values.kcproxy.config.resources.methods }}
-{{- end }}
-{{- end -}}
-
-{{- define "kiali.kcproxy.roles" -}}
-{{- if .Values.kcproxy.config.resources.roles }}
-{{- printf "|roles=%s" .Values.kcproxy.config.resources.roles }}
-{{- end }}
+{{- define "kiali.kyma.authProxy.kymaGroups" -}}
+{{- printf "%s,%s,%s,%s" .Values.global.kymaRuntime.adminGroup .Values.global.kymaRuntime.operatorGroup .Values.global.kymaRuntime.developerGroup .Values.global.kymaRuntime.namespaceAdminGroup -}}
 {{- end -}}
diff --git a/resources/kiali/templates/kyma-additions/auth-proxy-configmap.yaml b/resources/kiali/templates/kyma-additions/auth-proxy-configmap.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.authProxy.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "kiali-server.name" . }}-auth-proxy
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kiali-server.labels" . | nindent 4 }}
+data:
+  sign_in.html: |
+    <!DOCTYPE html>
+    <html lang="en" charset="utf-8">
+      <head>
+        <meta http-equiv = "refresh" content = "0; url = {{ .Values.authProxy.configDocsLink }}" />
+      </head>
+      <body>
+      </body>
+    </html>
+{{- end }}
diff --git a/resources/kiali/templates/kyma-additions/auth-proxy-deployment.yaml b/resources/kiali/templates/kyma-additions/auth-proxy-deployment.yaml
@@ -0,0 +1,72 @@
+{{if .Values.authProxy.enabled}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kiali-server.name" . }}-auth-proxy
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kiali-server.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.authProxy.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ template "kiali-server.name" . }}-auth-proxy
+  template:
+    metadata:
+      labels:
+        app: {{ template "kiali-server.name" . }}-auth-proxy
+    spec:
+      {{- if .Values.global.isLocalEnv }}
+      hostNetwork: true   #only for minikube
+      hostAliases:
+        - ip: {{ .Values.global.minikubeIP }}
+          hostnames:
+          - "dex.{{ .Values.global.ingress.domainName }}"
+      {{- end }}
+      {{- if .Values.authProxy.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.authProxy.nodeSelector | indent 8 }}
+      {{- end }}
+      volumes:
+        - name: templates-cm
+          configMap:
+            name: {{ template "kiali-server.name" . }}-auth-proxy
+      containers:
+      - image: "{{ .Values.authProxy.image.repository }}:{{ .Values.authProxy.image.tag }}"
+        imagePullPolicy: {{ .Values.authProxy.image.pullPolicy }}
+        name: auth-proxy
+        args:
+        - --http-address=0.0.0.0:{{ .Values.authProxy.port }}
+        - --upstream=http://{{ template "kiali-server.name" . }}-server:{{ .Values.kiali.spec.server.port }}
+        - --cookie-secure=true
+        - --cookie-domain=kiali.{{ .Values.global.ingress.domainName }}
+        - --cookie-name=KYMA_KIALI_TOKEN
+        - --silence-ping-logging=true
+        - --reverse-proxy=true
+        - --auth-logging={{ .Values.authProxy.config.authLogging }}
+        - --request-logging={{ .Values.authProxy.config.requestLogging }}
+        envFrom:
+        - secretRef:
+            name: {{ template "kiali-server.name" . }}-auth-proxy
+            optional: false
+        - secretRef:
+            name: {{ template "kiali-server.name" . }}-auth-proxy-user
+            optional: true
+        ports:
+        - name: http
+          containerPort: {{ .Values.authProxy.port }}
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: http
+        {{- if .Values.authProxy.securityContext }}
+        securityContext:
+{{ toYaml .Values.authProxy.securityContext | nindent 10 }}
+        {{- end }}
+        resources:
+{{ toYaml .Values.authProxy.resources | indent 10 }}
+        volumeMounts:
+          - name: templates-cm
+            mountPath: /templates
+{{end}}
diff --git a/resources/kiali/templates/kyma-additions/auth-proxy-secret.yaml b/resources/kiali/templates/kyma-additions/auth-proxy-secret.yaml
@@ -0,0 +1,34 @@
+{{if .Values.authProxy.enabled}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "kiali-server.name" . }}-auth-proxy
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kiali-server.labels" . | nindent 4 }}
+data:
+  OAUTH2_PROXY_CLIENT_ID: {{ .Values.authProxy.config.clientId | b64enc | quote }}
+  OAUTH2_PROXY_CLIENT_SECRET: {{ .Values.authProxy.config.clientSecret | b64enc | quote }}
+  OAUTH2_PROXY_EMAIL_DOMAINS: {{ .Values.authProxy.config.emailDomains | b64enc | quote }}
+  OAUTH2_PROXY_COOKIE_SECRET: {{ randAlphaNum 32 | b64enc | quote }}
+  {{- if .Values.authProxy.configDocsLink }}
+  OAUTH2_PROXY_CUSTOM_TEMPLATES_DIR: {{ "/templates" | b64enc | quote }}
+  {{- end }}
+  OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY: {{ not .Values.authProxy.config.tlsVerify | toString | b64enc | quote }}
+  {{- if .Values.authProxy.config.useKymaGroups }}
+  OAUTH2_PROXY_ALLOWED_GROUPS: {{ template "kiali.kyma.authProxy.kymaGroups" . | b64enc | quote }}
+  {{- else if .Values.authProxy.config.groups }}
+  OAUTH2_PROXY_ALLOWED_GROUPS: {{ .Values.authProxy.config.groups | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.authProxy.config.scopes }}
+  OAUTH2_PROXY_SCOPES: {{ .Values.authProxy.config.scopes | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.authProxy.config.useDex }}
+  OAUTH2_PROXY_PROVIDER: {{ "oidc" | b64enc | quote }}
+  OAUTH2_PROXY_OIDC_ISSUER_URL: {{ print "https://dex." .Values.global.ingress.domainName | b64enc | quote }}
+  OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: {{ "true" | b64enc | quote }}
+  {{- end }}
+  {{- range $key, $val := .Values.authProxy.env }}
+  {{ $key }}: {{ $val | b64enc | quote }}
+  {{- end  }}
+  {{- end }}
diff --git a/...lates/kyma-additions/kcproxy-service.yaml → ...es/kyma-additions/auth-proxy-service.yaml b/...lates/kyma-additions/kcproxy-service.yaml → ...es/kyma-additions/auth-proxy-service.yaml
@@ -1,4 +1,4 @@
-{{if .Values.kcproxy.enabled}}
+{{if .Values.authProxy.enabled}}
 apiVersion: v1
 kind: Service
 metadata:
@@ -12,5 +12,5 @@ spec:
       protocol: TCP
       name: http
   selector:
-      app: {{ template "kiali-server.name" . }}-kcproxy
+      app: {{ template "kiali-server.name" . }}-auth-proxy
 {{end}}
diff --git a/resources/kiali/templates/kyma-additions/kcproxy-deployment.yaml b/resources/kiali/templates/kyma-additions/kcproxy-deployment.yaml
diff --git a/resources/kiali/templates/kyma-additions/kcproxy-secret.yaml b/resources/kiali/templates/kyma-additions/kcproxy-secret.yaml
diff --git a/resources/kiali/templates/kyma-additions/peerauthentication.yaml b/resources/kiali/templates/kyma-additions/peerauthentication.yaml
@@ -14,3 +14,5 @@ spec:
   portLevelMtls:
     9090:
       mode: PERMISSIVE
+    {{ .Values.kiali.spec.server.port }}:
+      mode: PERMISSIVE
diff --git a/resources/kiali/templates/kyma-additions/virtualservice.yaml b/resources/kiali/templates/kyma-additions/virtualservice.yaml
@@ -14,7 +14,7 @@ spec:
   http:
   - route:
     - destination:
-        {{- if .Values.kcproxy.enabled}}
+        {{- if .Values.authProxy.enabled}}
         host: {{ template "kiali-server.name" . }}-secured
         {{- else}}
         host: {{ template "kiali-server.name" . }}-server