Configure okta

charts/opserver/templates/deployment.yaml

@@ -110,6 +110,43 @@ spec:
             secretKeyRef:
               name: {{ .Values.sqlExternalSecret.targetName }}
               key: exceptionalPassword
+        - name: Security__Provider
+          value: {{ .Values.security.provider }}
+
+{{- if eq .Values.security.provider "OIDC" }}              
+        - name: Security__Name
+          value: "Okta"
+        - name: Security__ViewEverythingGroups
+          value: {{ .Values.security.viewGroups | quote }}
+        - name: Security__AdminEverythingGroups
+          value: {{ .Values.security.adminGroups | quote }}
+        - name: Security__ClientId
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.opserverSecret.targetName }}
+              key: oktaClientId
+        - name: Security__ClientSecret
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.opserverSecret.targetName }}
+              key: oktaClientSecret
+        - name: Security__AuthorizationUrl
+          value: "https://stackoverflow.okta.com/oauth2/v1/authorize"
+        - name: Security__AccessTokenUrl
+          value: "https://stackoverflow.okta.com/oauth2/v1/token"
+        - name: Security__UserInfoUrl
+          value: "https://stackoverflow.okta.com/oauth2/v1/userinfo"
+        - name: Security__NameClaim
+          value: "preferred_username"
+        - name: Security__GroupsClaim
+          value: "groups"
+        - name: Security__Scopes__0
+          value: "email"
+        - name: Security__Scopes__1
+          value: "groups"
+        - name: Security__Scopes__2
+          value: "profile"          
+{{- end }}
 
       {{- if hasKey .Values.opserverSettings "sql" }}      
         - name: Modules__Sql__defaultConnectionString

charts/opserver/templates/opserver-secret.yaml

@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ .Values.opserverSecret.name }}
+spec:
+  refreshInterval: {{ .Values.opserverSecret.refreshInterval }}
+  secretStoreRef:
+    name: {{ .Values.opserverSecret.storeRefName }}
+    kind: ClusterSecretStore
+  target:
+    name: {{ .Values.opserverSecret.targetName }}
+  data:
+  - secretKey: oktaClientId
+    remoteRef:
+      key: {{ .Values.opserverSecret.remoteRefs.oktaClientId }}
+  - secretKey: oktaClientSecret
+    remoteRef:
+      key: {{ .Values.opserverSecret.remoteRefs.oktaClientSecret }}

charts/opserver/values.yaml

@@ -5,6 +5,11 @@ tier: "Local"
 product: "public" # used for datadog metrics and logs
 aspnetcoreEnvironment: "Local"
 
+security:
+  provider: "EveryonesAnAdmin"
+  viewGroups: ""
+  adminGroups: ""
+
 requests:
   cpu: "1m"
   memory: "1M"
@@ -53,6 +58,15 @@ ingress:
 db:
   ExceptionalDbName: Local.Exceptions
 
+opserverSecret:
+  name: opserver-secret
+  refreshInterval: 5m
+  storeRefName: fakeopserversecretstore
+  targetName: opserver-secret
+  remoteRefs:
+    oktaClientId: opserver-okta-client-id
+    oktaClientSecret: opserver-okta-client-secret
+
 sqlExternalSecret:
   name: opserver-sqldb-external-secret
   refreshInterval: 5m

cnab/app/variables.GCP.json

@@ -38,7 +38,12 @@
       ],
       "exceptions": [
         { "serverName": "host.docker.internal" }        
-      ]
+      ],
+      "security": {
+        "adminGroups": ["OpserverDev-Admin"],
+        "viewGroups": ["OpserverDev-View"],
+        "provider": "OIDC"          
+      }
     }
   }
 }