Fix / Enable OAuth configuration #24
Merged
bodom0015 added a commit that referenced this pull request on Nov 30, 2021:

* Fix / Enable OAuth configuration (#24)
* Remove duplicate /dashboard ingress path
  This fixes /cauth and SSO with oauth2-proxy
* Enable OAuth2 configuration via Helm chart values.yaml
* Simplify ingress configuration considerably
* Expose admin port internally if oauth enabled
* Fix auth-response-headers annotation name, fix hard-coded secret name
* Fix default values.yaml entry for auth_response_headers
* Remove port mapping for 30002
  Added a secure endpoint that can run on the usual 30001 instead
* Include root Ingress (where did this go??)
* Add back ingress rules that were accidentally removed
* Parameterize ProductName and ProductLandingHtml for the webui (#28)
* Parameterize AdvancedFeatures and ProductLandingHtml
* Fix typo in deployment.yaml
* Add favicon and logo path configs
* Add brand logo and favicon path configs
* Add brand_logo and favicon path configs
* Consistency is important
* Update config.yaml
* Update deployment.yaml
* Update values.yaml
* Fix typo in configmap
* Remove duplicate ingress rule
* Fix AdvancedFeatures overrides by adding to ConfigMap
* Fix AdvancedFeatures overrides by adding to ConfigMap
* Redirect non-WWW to the correct subdomain
* Added a hacky override for help_links (#29)
* Parameterize AdvancedFeatures and ProductLandingHtml
* Fix typo in deployment.yaml
* feat: add override for help_links
* added default values for help_links
* feat: start moving to configmap -> json mounted into pod
* feat: support traefik ingress (#31)
Problem

Login via OAuth2 is supported via ingress annotations in the NGINX ingress controller.
There is currently no way to configure this automatically via the Helm chart.

NOTE: There are some stubbed-out configs in `values.yaml` for this that do not currently wire up to anything.

Approach

Allow the user to configure `oauth` proxy paths in the `values.yaml`.
How to Test

NOTE: This uses the test Docker images built from nds-org/ndslabs#336

Prerequisites:
- `StorageClass`, or have a cluster-level default set
- `cert-manager` properly configured w/ ACMEDNS support for wildcard cert generation

Initial Setup
NOTE: By default, this Helm chart deploys version ~5.1 of the oauth2-proxy. Newest release is 7.0.0

- Create the TLS secret (or use `cert-manager`): `kubectl create secret tls ndslabs-tls --key ${KEY_FILE} --cert ${CERT_FILE}`
- Edit `values.yaml` to set the following:
  - `workbench.image.webui: ndslabs/angular-ui:external-auth` - image has additional code to send the `_oauth2_proxy` cookie to the new API endpoint
  - `workbench.image.apiserver: ndslabs/apiserver:external-auth` - image has additional code to send the `_oauth2_proxy` cookie back to the `oauth2-proxy` to fetch from its `/userinfo` endpoint
  - `workbench.support.email` / `smtp.gmail_user` / `smtp_gmail_pass` to your GMail app credentials
  - `workbench.domain` / `workbench.subdomain_prefix` (Defaults to: `local.ndslabs.org` / `www`)
  - `workbench.etcd_storage.storage_class` / `workbench.home_storage.pvc_storage_class` (Defaults to: "")
- `helm upgrade --install workbench . -f values.yaml`
- `?rd=` parameter in the URL query string pointing to the dashboard
- `?rd=` parameter was pointing

Setup: Configuring `oauth2-proxy` to use GitHub

Final chain: Workbench -> oauth2-proxy -> Github -> Workbench

- Obtain a `clientId` and `clientSecret`: https://github.com/settings/developers
- Generate a `cookieSecret` by executing the following: `python3 -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode())'`
- `oauth-proxy-config.github.yaml`: `helm upgrade oauth2-proxy --install stable/oauth2-proxy --values oauth2-proxy-config.github.yaml`
- `values.yaml`, and set the following:
- `helm upgrade --install workbench . -f values.yaml`
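The `cookieSecret` step above produces a 16-byte value. oauth2-proxy uses this secret as an AES key, so the decoded value must be 16, 24 or 32 bytes; a secret of any other length fails at startup. The following Python helper is an added example, not code from this PR or from oauth2-proxy: it generates a 32-byte secret and checks that a candidate secret has an acceptable effective length before it goes into the Helm values file. The decode order it applies (URL-safe base64, then standard base64, then the raw string) is an assumption about oauth2-proxy's behaviour, not something the PR states.

```python
"""Generate and check an oauth2-proxy cookieSecret before it goes into values.yaml.

Added example; not part of the PR or of oauth2-proxy. The proxy uses the secret
as an AES key, so the decoded value must be 16, 24 or 32 bytes.
"""
import base64
import secrets

VALID_LENGTHS = (16, 24, 32)  # AES-128 / AES-192 / AES-256 key sizes


def generate_cookie_secret(nbytes: int = 32) -> str:
    """Return a URL-safe base64 string wrapping nbytes of CSPRNG output."""
    if nbytes not in VALID_LENGTHS:
        raise ValueError(f"nbytes must be one of {VALID_LENGTHS}, got {nbytes}")
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_bytes(secret: str) -> bytes:
    """Bytes the proxy would use as its key for a configured secret string.

    Assumption (not from the PR): a base64 string (URL-safe or standard) whose
    decoded length is valid is used decoded; anything else is used as raw bytes.
    """
    padded = secret + "=" * (-len(secret) % 4)  # tolerate unpadded input
    for altchars in (b"-_", None):  # URL-safe alphabet first, then standard
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(raw) in VALID_LENGTHS:
            return raw
    return secret.encode("utf-8")


def is_valid_cookie_secret(secret: str) -> bool:
    """True if the effective key length is one oauth2-proxy accepts."""
    return len(secret_bytes(secret)) in VALID_LENGTHS


if __name__ == "__main__":
    s = generate_cookie_secret()
    print(f"cookieSecret: {s}  ({len(secret_bytes(s))} bytes)")
```

A 16-character raw string such as `0123456789abcdef` happens to be valid base64 that decodes to 12 bytes, which is why the check falls back to the raw string only when no base64 interpretation yields an acceptable length.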
Setup: Configuring `oauth2-proxy` to use Globus

Final chain: Workbench -> oauth2-proxy -> Globus -> NCSA -> 2FA -> Workbench

NOTE: These steps require using a custom-built version of the `oauth2-proxy` Docker image that adds the Globus provider. This will be submitted back to the project as a PR.

- Install the `oauth2-proxy` Helm chart with the following `oauth2-values.globus.yaml`:

Setup: Configuring `oauth2-proxy` to use Keycloak + CILogon

Final chain: Workbench -> oauth2-proxy -> Keycloak -> CILogon -> NCSA -> 2FA -> Workbench

NOTE 1: These steps require using a custom-built version of the `oauth2-proxy` Docker image that enriches the key. This will be submitted back to the project as a PR.

NOTE 2: The names of the Realm / Client / Identity Provider created below are important, and are used later on to build up the callback URLs we will use in the `oauth2-proxy`.
Deploying Keycloak

- `kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml`
- Expose it as `keycloak.local.ndslabs.org`, allowing me to reuse the wildcard cert for `*.local.ndslabs.org`
- Log in with `admin` / `admin`
Configuring Keycloak + CILogon

Source: https://osc.github.io/ood-documentation/release-1.7/authentication/tutorial-oidc-keycloak-rhel7/configure-cilogon.html#register-your-keycloak-instance-with-cilogon

- Create a Realm named `workbench` in Keycloak, switch to the Realm using the selector at the top-left
- Identity Providers - create an OIDC Identity Provider in Keycloak named `CILogon` using the ClientId and ClientSecret that CILogon returned to you
- Clients - create a Client in Keycloak named `cilogon` for the CILogon Identity Provider
- Authentication - create a new Authentication Flow called "Simple First Login" and add a single "REQUIRED" execution step of "Create New User (if Unique)"

NOTE: There may be more that we can do here with Mappings and Scopes to provide more info, but I don't understand enough about Keycloak/OAuth2 to know for sure if that gains us anything valuable for Workbench.
Configuring Keycloak + `oauth2-proxy`

Source: https://docs.syseleven.de/metakube/de/tutorials/setup-ingress-auth-to-use-keycloak-oauth

- If using `localhost` or `.local.ndslabs.org`, then you'll need to add the following magic snippet in your `templates/deployment.yaml`:
- Install the `oauth2-proxy` Helm chart with the following `oauth2-values.keycloak.yaml`:

Test Steps

With any of the above providers configured, test steps should be identical:
- `?rd=` parameter in the URL query string pointing to the dashboard
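The test steps above check the `?rd=` parameter that oauth2-proxy uses to send the user back to the dashboard after login. Because `rd` arrives in the query string, whatever consumes it has to treat it as untrusted, otherwise the login flow doubles as an open redirect to any host an attacker chooses. The following Python is an added example, not code from this PR or from oauth2-proxy: it builds the `auth-signin` style URL an ingress would send an unauthenticated user to, and validates an incoming `rd` against a constructed allow-list (`local.ndslabs.org` and its subdomains, assumed here for illustration), rejecting protocol-relative, backslash and foreign-host values. The rules follow the documented shape of oauth2-proxy's redirect handling (site-relative paths, or whitelisted domains) but are an independent implementation.

```python
"""Build and validate the ?rd= redirect used around oauth2-proxy login.

Added example; not code from this PR or from oauth2-proxy. The allow-list
below is constructed for the example.
"""
from urllib.parse import quote, urlsplit

# Constructed allow-list: the Workbench domain and any of its subdomains.
# A leading dot means "this domain or any subdomain of it".
ALLOWED_DOMAINS = (".local.ndslabs.org",)


def build_signin_url(host: str, request_uri: str, proxy_prefix: str = "/oauth2") -> str:
    """URL the ingress sends an unauthenticated user to; the original request
    URI travels in rd= so the proxy can return them there after login."""
    return f"https://{host}{proxy_prefix}/start?rd={quote(request_uri, safe='')}"


def _host_allowed(host: str) -> bool:
    """Exact match for plain entries; domain-or-subdomain match for dotted ones."""
    host = host.lower().rstrip(".")
    for entry in ALLOWED_DOMAINS:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def safe_redirect(rd: str, fallback: str = "/") -> str:
    """Return rd if it is a safe post-login destination, else fallback.

    Rejects protocol-relative ("//evil.example") and backslash ("/\\evil")
    forms, which browsers resolve as absolute URLs, and absolute URLs whose
    host is not on the allow-list (this also covers userinfo tricks such as
    "https://local.ndslabs.org@evil.example/", where the real host is the
    part after the "@").
    """
    if not rd:
        return fallback
    if rd.startswith("//") or rd.startswith("/\\"):
        return fallback
    if rd.startswith("/"):
        return rd  # site-relative path: stays on the current host
    parts = urlsplit(rd)
    if parts.scheme in ("http", "https") and parts.hostname and _host_allowed(parts.hostname):
        return rd
    return fallback  # no scheme, odd scheme (javascript:), or foreign host


if __name__ == "__main__":
    print(build_signin_url("www.local.ndslabs.org", "/dashboard?x=1"))
    for candidate in ("/dashboard", "//evil.example/", "https://local.ndslabs.org@evil.example/"):
        print(f"{candidate!r} -> {safe_redirect(candidate)!r}")
```

If the deployment uses a single hostname, the allow-list can be dropped entirely and only site-relative paths accepted; that is the simplest safe configuration, and it is what the `?rd=` value in the test steps (a path to the dashboard) already satisfies.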