Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Optionally supplement Dex configuration with information required for embedded ui auth #504

Merged
merged 6 commits into from
Nov 16, 2023
Merged

Optionally supplement Dex configuration with information required for embedded ui auth #504

merged 6 commits into from
Nov 16, 2023

Conversation

richard-cox
Copy link
Member

  • Required by Intergrate Authorisation into embedded ui ui#311
  • Epinio UI, hosted in Rancher, will need to auth via dex
  • To support this the dex config needs updating
    • Allow the rancher domain to contact Dex
    • Add a new client specifically for requests from rancher's ui
  • These changes are only applied via new chart value rancher.url
    • This has been added to questions.yaml

@richard-cox richard-cox added this to the v1.11.0 milestone Oct 18, 2023
@richard-cox richard-cox self-assigned this Oct 18, 2023
@richard-cox richard-cox mentioned this pull request Oct 18, 2023
Merged
@richard-cox richard-cox force-pushed the ui-embedded-dex-config branch 2 times, most recently from a80e212 to 255486e Compare October 18, 2023 13:06
andreas-kupries
andreas-kupries requested changes Oct 18, 2023
View reviewed changes
Copy link
Contributor

@andreas-kupries andreas-kupries left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one nit (missing end-of-line at end of file).
one big question (about a possible mis-committed file)
the rest looks to be ok.

chart/epinio/get_helm.sh Outdated Show resolved Hide resolved
chart/epinio/templates/dex.yaml Outdated Show resolved Hide resolved
andreas-kupries
andreas-kupries previously approved these changes Oct 18, 2023
View reviewed changes
Copy link
Contributor

@andreas-kupries andreas-kupries left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks ok to me.
I would like to have approval from @enrichman also, as the main dev for the dex/oidc parts.

@richard-cox richard-cox requested a review from enrichman October 18, 2023 14:46
enrichman
enrichman previously approved these changes Oct 20, 2023
View reviewed changes
Copy link
Member

@enrichman enrichman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it looks good to me.

The Dex config update is probably something that we need to test.
I'm not sure about the behavior across Epinio upgrades.

/cc @mmartin24 @thehejik

@richard-cox
Copy link
Member Author

I had a think, from memory helm managed resources aren't something that the user should be manually changing. We show a warning in the rancher ui for resources managed by helm saying something similar. So I'm guessing any changes made by the user will get overwritten on upgrade.

thehejik
thehejik reviewed Oct 23, 2023
View reviewed changes
chart/epinio/questions.yml Outdated
@@ -173,3 +173,9 @@ questions:
required: false
type: string
group: "Debugging"
- variable: rancher.url
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be possible to replace the existing one server.accessControlAllowOrigin by this new?

server:
  # Domain which serves the Rancher UI (to access the API)
  accessControlAllowOrigin: ""

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. server.accessControlAllowOrigin has been replaced with server.url.

@enrichman Can we add something that might stand out in release notes, to ensure people who upgrade can switch over?

@thehejik
Copy link
Contributor

thehejik commented Oct 23, 2023
edited
Loading

Helm upgrade after appending --set rancher.url=https://rancher.somewhere.io produces following new entries.

--- dex-config.yaml	2023-10-23 17:01:21.850655068 +0200
+++ dex-config-rancher.yaml	2023-10-23 17:01:36.402797082 +0200
@@ -1,4 +1,6 @@
 issuer: "https://auth.1.2.3.4.nip.io"
+web:
+  allowedOrigins: ['https://rancher.somewhere.io']
 storage:
   type: kubernetes
   config:
@@ -24,6 +26,7 @@
     trustedPeers:
       - epinio-cli
       - epinio-ui
+      - rancher-dashboard
   - id: epinio-cli
     name: 'Epinio cli'
     public: true
@@ -33,3 +36,8 @@
     # Shouldn't be public, https://dexidp.io/docs/custom-scopes-claims-clients/#public-clients
     redirectURIs:
       - "https://epinio.1.2.3.4.nip.io/auth/verify/"
+  - id: rancher-dashboard
+    name: 'Rancher Dashboard'
+    public: true
+    redirectURIs:
+      - "https://rancher.somewhere.io/epinio/auth/verify/"

The dex-config can be obtained by:

$ kubectl get secrets/dex-config -n epinio -o=go-template='{{index .data "config.yaml" | base64decode }}'

@thehejik
Copy link
Contributor

thehejik commented Nov 14, 2023
edited
Loading

It works as expected and the dex-config has the same fields related to rancher-dashboard as in report above. Also questions.yml modification is working properly (@mmartin24 the CORS input field has been removed completely moved from General settings under a new Rancher section):
image

@richard-cox But today I found out that when the chart is installed over rancher:v2.8.0-rc3, there is already value global.cattle.url value automagically set by rancher so maybe we could just reuse the value and remove rancher.url completely, wdyt?

@richard-cox richard-cox requested a review from thehejik November 14, 2023 17:21
@richard-cox
Optionally supplement Dex configuration with information required for…
dd8161f 
… embedded ui auth

- Allows the rancher domain to contact Dex
- Adds a new client specifically for requests from rancher's ui (where the embedded ui lives)
- Optionally applied via new chart value `rancher.url` (also added to questions.yaml)
@richard-cox
Changes following review
f3e6bd3 
- get_helm sneaked in, that should not be included in PR
- added new line at end of file
@richard-cox
Remove server.accessControlAllowOrigin, use rancher.url instead
1a17866 
- This is the same content, so only require one. Keep rancher.url as more generic
- Also added rancher.url to values.schema
- We should add this change to the release notes, specificaly to warn when upgrading
@richard-cox
Use global.cattle.url provided in rancher contexts, fall back on ex…
d6793b7 
…isting `rancher.url`

- as questions.yaml is only applicable in rancher contexts, also remove rancher.url from there
@richard-cox
Attempted lint fix
de415d4
@richard-cox
remove dashes, move location
f62c3f8
@richard-cox richard-cox force-pushed the ui-embedded-dex-config branch from f5c0612 to f62c3f8 Compare November 15, 2023 09:38
thehejik
thehejik approved these changes Nov 15, 2023
View reviewed changes
Copy link
Contributor

@thehejik thehejik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test report:

  • OK - deployed out of rancher without rancher.url set - the secret data NOT modified

  • OK - deployed out if rancher with rancher.url set - the secret data modified

  • OK - deployed in rancher - the CORS field not present anymore - the secret data modified

  • OK - prev. released E version deployed in rancher -> upgrade from CLI by using the values.yaml from rancher installation extended by rancher.url - the secret data modified

  • OK - prev. released E version deployed in rancher -> upgrade from CLI by using the values.yaml from rancher installation without rancher.url - the secret data modified

  • OK - prev. released E version deployed in rancher -> upgrade from CLI by using the values.yaml from rancher installation without rancher.url and global.cattle.url - the secret data NOT modified

  • OK - upgraded over CLI to the chart under test with removed global.cattle.url - the secret data doesn't contain the rancher-dashboard client anymore

All good including questions.yml, the CORS field is gone but the URL is rendered correctly when installed over rancher.

@richard-cox
Copy link
Member Author

OK - deployed in rancher - the CORS field not present anymore - the secret data modified
@thehejik Just to confirm... in this test case the ACCESS_CONTROL_ALLOW_ORIGIN value in the epinio-server Deployment is populated?

@thehejik
Copy link
Contributor

@thehejik Just to confirm... in this test case the ACCESS_CONTROL_ALLOW_ORIGIN value in the epinio-server Deployment is populated?

@richard-cox yes, it is:
image

@richard-cox
Copy link
Member Author

@andreas-kupries , @enrichman unless there are objections i'll merge this tomorrow AM

@enrichman
Copy link
Member

I will be very happy so see this merged! Thanks @richard-cox

@richard-cox richard-cox merged commit 04fd986 into epinio:main Nov 16, 2023
2 checks passed
@richard-cox richard-cox deleted the ui-embedded-dex-config branch November 16, 2023 08:05
@mmartin24 mmartin24 mentioned this pull request Nov 16, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thehejik thehejik thehejik approved these changes

@andreas-kupries andreas-kupries Awaiting requested review from andreas-kupries

@enrichman enrichman Awaiting requested review from enrichman

Assignees

@richard-cox richard-cox

Labels
None yet
Projects
Epinio planning
Status: Done
Milestone
v1.11.0
Development

Successfully merging this pull request may close these issues.
4 participants
@richard-cox @thehejik @enrichman @andreas-kupries