feat: use oidc_login as oidc provider for nextcloud (glasskube#252)

Moreover, read clientId and clientSecret from a Kubernetes secret and feed it into the nextcloud pod as an environment variable. Signed-off-by: Jens Schneider <jens.schneider.ac@posteo.de>
JensAc · Sep 15, 2023 · a24e2da · a24e2da
1 parent abee1cc
commit a24e2da
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 22 deletions.
diff --git a/deploy/crd/nextclouds.glasskube.eu-v1.yml b/deploy/crd/nextclouds.glasskube.eu-v1.yml
@@ -33,12 +33,17 @@ spec:
                     properties:
                       name:
                         type: string
-                      clientId:
-                        type: string
-                      clientSecret:
-                        type: string
-                      discoveryEndpoint:
+                      oidcSecret:
+                        properties:
+                          name:
+                            type: string
+                        type: object
+                      issuerUrl:
                         type: string
+                    required:
+                    - name
+                    - oidcSecret
+                    - issuerUrl
                     type: object
                 type: object
               resources:

diff --git a/operator/src/main/kotlin/eu/glasskube/operator/apps/nextcloud/NextcloudAppsSpec.kt b/operator/src/main/kotlin/eu/glasskube/operator/apps/nextcloud/NextcloudAppsSpec.kt
@@ -1,6 +1,8 @@
 package eu.glasskube.operator.apps.nextcloud
 
 import io.fabric8.generator.annotation.Nullable
+import io.fabric8.generator.annotation.Required
+import io.fabric8.kubernetes.api.model.LocalObjectReference
 
 data class NextcloudAppsSpec(
     @field:Nullable
@@ -11,9 +13,11 @@ data class NextcloudAppsSpec(
         val host: String
     )
     data class Oidc(
+        @field:Required
         val name: String,
-        val clientId: String,
-        val clientSecret: String,
-        val discoveryEndpoint: String
+        @field:Required
+        val oidcSecret: LocalObjectReference,
+        @field:Required
+        val issuerUrl: String
     )
 }
diff --git a/...ator/src/main/kotlin/eu/glasskube/operator/apps/nextcloud/dependent/NextcloudConfigMap.kt b/...ator/src/main/kotlin/eu/glasskube/operator/apps/nextcloud/dependent/NextcloudConfigMap.kt
@@ -56,7 +56,17 @@ class NextcloudConfigMap : CRUDKubernetesDependentResource<ConfigMap, Nextcloud>
                         "192.168.0.0/16"
                     ),
                     "log_type" to "errorlog",
-                    "log_level" to 2
+                    "log_level" to 2,
+                    spec.apps.oidc?.let { "oidc_login_provider_url" to it.issuerUrl },
+                    spec.apps.oidc?.let { "oidc_login_logout_url" to spec.host },
+                    spec.apps.oidc?.let { "oidc_login_button_text" to "Login with " + it.name },
+                    spec.apps.oidc?.let { "oidc_login_disable_registration" to false },
+                    spec.apps.oidc?.let { "oidc_login_scope" to "openid profile email"},
+                    spec.apps.oidc?.let { "oidc_login_attributes" to mapOf(
+                        "id" to "sub",
+                        "name" to "name",
+                        "mail" to "email",)
+                    },
                 ).toMap(),
                 listOfNotNull(
                     spec.apps.office?.let {

diff --git a/...tor/src/main/kotlin/eu/glasskube/operator/apps/nextcloud/dependent/NextcloudDeployment.kt b/...tor/src/main/kotlin/eu/glasskube/operator/apps/nextcloud/dependent/NextcloudDeployment.kt
@@ -108,18 +108,15 @@ class NextcloudDeployment : CRUDKubernetesDependentResource<Deployment, Nextclou
                             command = listOf("sh")
                             args = listOf(
                                 "-c",
-                                """
-                                    php $OCC_PATH app:install richdocuments
-                                    php $OCC_PATH app:install contacts
-                                    php $OCC_PATH app:install calendar
-                                    php $OCC_PATH app:install user_oidc
-                                    php ./occ user_oidc:provider ${primary.spec.apps.oidc?.name} \
-                                        --clientid=${primary.spec.apps.oidc?.clientId} \
-                                        --clientsecret=${primary.spec.apps.oidc?.clientSecret} \
-                                        --discoveryuri=${primary.spec.apps.oidc?.discoveryEndpoint} \
-                                        --unique-uid=0
-                                    true
-                                """.trimIndent()
+                                listOf(
+                                    "php $OCC_PATH app:install richdocuments",
+                                    "php $OCC_PATH app:install contacts",
+                                    "php $OCC_PATH app:install calendar",
+                                    primary.spec.apps?.oidc.let {
+                                        "php $OCC_PATH app:install oidc_login"
+                                    },
+                                    "true"
+                                ).joinToString("\n") { it }
                             )
                             securityContext {
                                 runAsUser = 33
@@ -181,7 +178,8 @@ class NextcloudDeployment : CRUDKubernetesDependentResource<Deployment, Nextclou
                             name = Nextcloud.APP_NAME
                             image = Nextcloud.APP_IMAGE
                             resources = primary.spec.resources
-                            env = primary.defaultEnv + primary.databaseEnv + primary.smtpEnv + primary.storageEnv
+                            env =
+                                primary.defaultEnv + primary.databaseEnv + primary.smtpEnv + primary.oidcEnv + primary.storageEnv
                             volumeMounts {
                                 volumeMount {
                                     name = DATA_VOLUME
@@ -277,6 +275,19 @@ class NextcloudDeployment : CRUDKubernetesDependentResource<Deployment, Nextclou
             envVar("SMTP_PASSWORD") { secretKeyRef(authSecret.name, "password") }
         }
 
+    private val Nextcloud.oidcEnv
+        get() = createEnv {
+            spec.apps.oidc?.let { envVar("NC_oidc_login_client_id") { secretKeyRef(it.oidcSecret.name, "clientId") } }
+            spec.apps.oidc?.let {
+                envVar("NC_oidc_login_client_secret") {
+                    secretKeyRef(
+                        it.oidcSecret.name,
+                        "clientSecret"
+                    )
+                }
+            }
+        }
+
     private val Nextcloud.storageEnv
         get() = createEnv {
             spec.storage?.s3?.apply {