From 4569bdda6b3d7763ba018d6c2a348dde13cf1c73 Mon Sep 17 00:00:00 2001 From: Pedro Juarez Date: Mon, 12 Feb 2024 11:55:37 -0800 Subject: [PATCH] Operator Console OpenID configuration (#1949) * Operator Console OpenID configuration Add example configuration by environment variables to enable OpenID in Operator Console. Added also a README.md document explaining the different options. Signed-off-by: pjuarezd * add line at the end of the file Signed-off-by: pjuarezd * Apply Andrea's suggestions and add kustomization execution example Signed-off-by: pjuarezd * Update examples/kustomization/operator-external-idp-oid/README.md Co-authored-by: Andrea Longo * Update examples/kustomization/operator-external-idp-oid/README.md Co-authored-by: Andrea Longo * Update examples/kustomization/operator-external-idp-oid/README.md Co-authored-by: Andrea Longo * Update examples/kustomization/operator-external-idp-oid/README.md Co-authored-by: Ravind Kumar * remove commented env variable Signed-off-by: pjuarezd --------- Signed-off-by: pjuarezd Co-authored-by: Andrea Longo Co-authored-by: Ravind Kumar
---
 .../operator-external-idp-oid/README.md | 95 +++++++++++++++++++
 .../console-deployment.yaml | 31 ++++++
 .../console-tls-secret.yaml | 9 ++
 .../kustomization.yaml | 9 ++
 4 files changed, 144 insertions(+)
 create mode 100644 examples/kustomization/operator-external-idp-oid/README.md
 create mode 100644 examples/kustomization/operator-external-idp-oid/console-deployment.yaml
 create mode 100644 examples/kustomization/operator-external-idp-oid/console-tls-secret.yaml
 create mode 100644 examples/kustomization/operator-external-idp-oid/kustomization.yaml
diff --git a/examples/kustomization/operator-external-idp-oid/README.md b/examples/kustomization/operator-external-idp-oid/README.md
new file mode 100644
index 00000000000..c90b17dfb2d
--- /dev/null
+++ b/examples/kustomization/operator-external-idp-oid/README.md
@@ -0,0 +1,95 @@
+# Operator Console SSO with OpenID
+
+Operator Console supports authentication with a Kubernetes Service Account Json Web Token (JWT) or OpenID. This guide explains how to configure OpenID authentication for Operator Console using the [OpenID Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth).
+
+Note: only one authentication method can be enabled at the same time, either JWT or OpenID.
+
+The `kustomization.yaml` file provided in this directory installs Operator and applies the basic configurations to enable OpenID authentication for Operator Console. Modify its environment variable values as needed for your deployment and provide the CA certificate in `console-deployment.yaml` and `console-tls-secret.yaml`.
+
+```shell
+kubectl apply -k examples/kustomization/operator-external-idp-oid/
+```
+
+### IDP Server
+
+Specify the OpenID server URL in the Operator Console Deployment by setting the `CONSOLE_IDP_URL` environment variable. This value should point to the appropriate OpenID Endpoint configuration, for example: `https://your-extenal-idp.com/.well-known/openid-configuration`.
+
+Also provide the Certificate Authority (CA) that signed the certificate the IDP server presents. You can do this by mounting a secret containing the certificate `ca.crt`. For example:
+
+For a CA certificate resembling the following:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: idp-ca-tls
+ namespace: minio-operator
+type: Opaque
+stringData:
+ ca.crt: |
+
+```
+
+Mount the secret in the Deployment as follows:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: console
+ namespace: minio-operator
+spec:
+ template:
+ spec:
+ containers:
+ - name: console
+ volumeMounts:
+ - mountPath: /tmp/certs/CAs
+ name: idp-certificate
+ volumes:
+ - name: idp-certificate
+ projected:
+ sources:
+ - secret:
+ items:
+ - key: ca.crt
+ path: idp.crt
+ name: idp-ca-tls
+...
+```
+
+### Client credentials
+
+Operator Console is a standalone application that identifies itself to the OpenID server using *client credentials*. The client credentials are set in the Operator Console with the following environment variables:
+- `CONSOLE_IDP_CLIENT_ID` (client id)
+- `CONSOLE_IDP_SECRET` (client secret)
+
+### Access Management
+
+All users in the OIDC realm have access to the Operator Console upon successful authentication.
+
+To restrict access, create a new OIDC realm and use the client ID/Secret for that realm when configuring OIDC.
+
+### Scopes:
+
+In OAuth2, scopes defines the specific actions that an application (client) is allowed to perform. If the `Client` has assigned scopes to the OpenID server to allow login in Operator Console, such scopes need to be set to Operator Console in the `CONSOLE_IDP_SCOPES` environment variable. This value should be a comma delimited string. If no value is provided, the default is `openid,profile,email`.
+
+### Callback URL
+OpenID uses a "call back" URL to redirect back to the application once the authentication succeeds. This callback URL is set in Operator Console with the `CONSOLE_IDP_CALLBACK` environment variable.
+
+A Callback URL can also be constructed dynamically. To do this, set `CONSOLE_IDP_CALLBACK_DYNAMIC` environment variable to `on` instead of setting a `CONSOLE_IDP_CALBACK`.
+
+The constructed URL resembles following: `$protocol://$host/oauth_callback`
+
+- `$protocol` is either `https` or `http`, depending on whether the Operator Console has TLS enabled.
+- `$host` is determined from the `HOST` header (URL) where the end user is sending the login request to Operator Console. For example, for the login URL `https://operator.mydomain.com/login`, `$host` is `operator.mydomain.com`.
+
+Setting `CONSOLE_IDP_CALLBACK` can be useful if you need to specify a custom domain for the Operator Console, or if the Operator Console is behind a reverse proxy or load balancer and the `HOST` header is not available.
+The page located at `/oauth_callback` handles the redirect after a successful login.
+
+Make sure the `CONSOLE_IDP_CALLBACK` URL contains the correct path, for example `https://minio-operator.mydomain.com/oauth_callback`.
+
+### Token expiration
+
+The default OpenID login token duration is 3600 seconds (1 hour). You can set a longer duration with the
+`CONSOLE_IDP_TOKEN_EXPIRATION` environment variable.
diff --git a/examples/kustomization/operator-external-idp-oid/console-deployment.yaml b/examples/kustomization/operator-external-idp-oid/console-deployment.yaml
new file mode 100644
index 00000000000..55d82d7e89a
--- /dev/null
+++ b/examples/kustomization/operator-external-idp-oid/console-deployment.yaml
@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: console
+ namespace: minio-operator
+spec:
+ template:
+ spec:
+ containers:
+ - name: console
+ env:
+ - name: CONSOLE_IDP_URL
+ value: https://myidpserver.com/realms/realmname/.well-known/openid-configuration
+ - name: CONSOLE_IDP_CLIENT_ID
+ value: "" # Client registered in Open ID
+ - name: CONSOLE_IDP_SECRET
+ value: "" #Client secret in Open ID
+ - name: CONSOLE_IDP_CALLBACK_DYNAMIC
+ value: "on"
+ volumeMounts:
+ - mountPath: /tmp/certs/CAs
+ name: idp-certificate
+ volumes:
+ - name: idp-certificate
+ projected:
+ sources:
+ - secret:
+ items:
+ - key: ca.crt
+ path: idp.crt
+ name: idp-ca-tls
diff --git a/examples/kustomization/operator-external-idp-oid/console-tls-secret.yaml b/examples/kustomization/operator-external-idp-oid/console-tls-secret.yaml
new file mode 100644
index 00000000000..8c3ea55966c
--- /dev/null
+++ b/examples/kustomization/operator-external-idp-oid/console-tls-secret.yaml
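Review bot: `CONSOLE_IDP_SECRET` is given as a literal `value: ""` in the Deployment env, so whoever fills in this example ends up committing the OpenID client secret next to the manifests and exposing it in the pod spec to anyone who can read Deployments in `minio-operator`; it should come from a Kubernetes Secret via `valueFrom.secretKeyRef`, matching the pattern the example already uses for the CA in `idp-ca-tls`. `CONSOLE_IDP_CLIENT_ID` can stay a plain value, since a client id is an identifier rather than a credential, though the placeholder comment should say the value is required. The example also defaults to `CONSOLE_IDP_CALLBACK_DYNAMIC: "on"`, which the README says builds the redirect URL from the request `HOST` header; for a committed example a fixed `CONSOLE_IDP_CALLBACK` is the safer default, because the redirect target then does not depend on a client-supplied header and matches exactly the redirect URI registered at the IdP. The rewritten env entry is below; the CA volume and mount are unchanged.
```yaml
env:
  # … unchanged: CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID …
  - name: CONSOLE_IDP_SECRET
    valueFrom:
      secretKeyRef:
        name: "<idp-client-credentials-secret>"  # placeholder: Secret created out of band, not committed
        key: client-secret  # constructed key name; match the Secret you create
  # … unchanged: CONSOLE_IDP_CALLBACK_DYNAMIC, volumeMounts, volumes …
```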
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: idp-ca-tls
+ namespace: minio-operator
+type: Opaque
+stringData:
+ ca.crt: |
+
diff --git a/examples/kustomization/operator-external-idp-oid/kustomization.yaml b/examples/kustomization/operator-external-idp-oid/kustomization.yaml
new file mode 100644
index 00000000000..ab49c756e54
--- /dev/null
+++ b/examples/kustomization/operator-external-idp-oid/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../../resources
+ - console-tls-secret.yaml
+
+patchesStrategicMerge:
+ - console-deployment.yaml
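Review bot: `ca.crt: |` is followed only by an empty line, so the committed Secret holds an empty string and `kubectl apply -k` as documented in the README mounts an empty `/tmp/certs/CAs/idp.crt` without any error; nothing in the file tells the reader that content is expected here. Add a comment above the key, e.g. `# paste the PEM-encoded CA certificate that signed the IdP server certificate below, indented under ca.crt`, so the placeholder cannot be applied by accident. A CA certificate is public material, so this could equally be a ConfigMap; if it stays a Secret, the file name `console-tls-secret.yaml` is misleading, since it suggests the Console's own serving certificate rather than the IdP CA that the `idp-ca-tls` name describes.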
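Review bot: `patchesStrategicMerge` is deprecated since Kustomize v5 (bundled with recent kubectl) and prints a deprecation warning on every `kubectl apply -k`; a newly added example should use the replacement field, `patches:` / `  - path: console-deployment.yaml`, which behaves the same for a strategic-merge patch file. Since the `resources` entry pulls in the whole `../../../resources` base from this repository, a short comment on that line would help readers who copy the directory elsewhere, e.g. `# installs the Operator manifests from resources/; the patch below overlays the Console OpenID settings`.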