diff --git a/charts/opserver/templates/deployment.yaml b/charts/opserver/templates/deployment.yaml index 3ea6d5a5..60e46c53 100644 --- a/charts/opserver/templates/deployment.yaml +++ b/charts/opserver/templates/deployment.yaml @@ -110,6 +110,43 @@ spec: secretKeyRef: name: {{ .Values.sqlExternalSecret.targetName }} key: exceptionalPassword + - name: Security__Provider + value: {{ .Values.security.provider }} + +{{- if eq .Values.security.provider "OIDC" }} + - name: Security__Name + value: "Okta" + - name: Security__ViewEverythingGroups + value: {{ .Values.security.viewGroups | quote }} + - name: Security__AdminEverythingGroups + value: {{ .Values.security.adminGroups | quote }} + - name: Security__ClientId + valueFrom: + secretKeyRef: + name: {{ .Values.opserverSecret.targetName }} + key: oktaClientId + - name: Security__ClientSecret + valueFrom: + secretKeyRef: + name: {{ .Values.opserverSecret.targetName }} + key: oktaClientSecret + - name: Security__AuthorizationUrl + value: "https://stackoverflow.okta.com/oauth2/v1/authorize" + - name: Security__AccessTokenUrl + value: "https://stackoverflow.okta.com/oauth2/v1/token" + - name: Security__UserInfoUrl + value: "https://stackoverflow.okta.com/oauth2/v1/userinfo" + - name: Security__NameClaim + value: "preferred_username" + - name: Security__GroupsClaim + value: "groups" + - name: Security__Scopes__0 + value: "email" + - name: Security__Scopes__1 + value: "groups" + - name: Security__Scopes__2 + value: "profile" +{{- end }} {{- if hasKey .Values.opserverSettings "sql" }} - name: Modules__Sql__defaultConnectionString diff --git a/charts/opserver/templates/opserver-secret.yaml b/charts/opserver/templates/opserver-secret.yaml new file mode 100644 index 00000000..d48934a7 --- /dev/null +++ b/charts/opserver/templates/opserver-secret.yaml 
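Review bot: The three IdP endpoints (`Security__AuthorizationUrl`, `Security__AccessTokenUrl`, `Security__UserInfoUrl`) and `Security__Name: "Okta"` are hard-coded to the stackoverflow.okta.com tenant inside the chart template, so any consumer that sets `security.provider` to OIDC is sent to that tenant's authorize endpoint and cannot point the chart at another issuer without editing the template. Move them to values with the current URLs as defaults, e.g. `value: {{ .Values.security.authorizationUrl | quote }}`, and likewise for the token and userinfo URLs. `Security__Provider` is also the only templated scalar in this hunk not passed through `quote`, unlike the two groups lines, which leaves it exposed to an empty or boolean-looking value; `value: {{ .Values.security.provider | quote }}` keeps it consistent. The container env list this hunk edits starts and ends outside the hunk.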
@@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: {{ .Values.opserverSecret.name }} +spec: + refreshInterval: {{ .Values.opserverSecret.refreshInterval }} + secretStoreRef: + name: {{ .Values.opserverSecret.storeRefName }} + kind: ClusterSecretStore + target: + name: {{ .Values.opserverSecret.targetName }} + data: + - secretKey: oktaClientId + remoteRef: + key: {{ .Values.opserverSecret.remoteRefs.oktaClientId }} + - secretKey: oktaClientSecret + remoteRef: + key: {{ .Values.opserverSecret.remoteRefs.oktaClientSecret }} diff --git a/charts/opserver/values.yaml b/charts/opserver/values.yaml index d0d9c0ba..88644899 100644 --- a/charts/opserver/values.yaml +++ b/charts/opserver/values.yaml @@ -5,6 +5,11 @@ tier: "Local" product: "public" # used for datadog metrics and logs aspnetcoreEnvironment: "Local" +security: + provider: "EveryonesAnAdmin" + viewGroups: "" + adminGroups: "" + requests: cpu: "1m" memory: "1M" @@ -53,6 +58,15 @@ ingress: db: ExceptionalDbName: Local.Exceptions +opserverSecret: + name: opserver-secret + refreshInterval: 5m + storeRefName: fakeopserversecretstore + targetName: opserver-secret + remoteRefs: + oktaClientId: opserver-okta-client-id + oktaClientSecret: opserver-okta-client-secret + sqlExternalSecret: name: opserver-sqldb-external-secret refreshInterval: 5m diff --git a/cnab/app/variables.GCP.json b/cnab/app/variables.GCP.json index 22164e5c..0fa7c59a 100644 --- a/cnab/app/variables.GCP.json +++ b/cnab/app/variables.GCP.json @@ -38,7 +38,12 @@ ], "exceptions": [ { "serverName": "host.docker.internal" } - ] + ], + "security": { + "adminGroups": ["OpserverDev-Admin"], + "viewGroups": ["OpserverDev-View"], + "provider": "OIDC" + } } } } \ No newline at end of file
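Review bot: This ExternalSecret is rendered unconditionally, while deployment.yaml only reads `oktaClientId`/`oktaClientSecret` inside `{{- if eq .Values.security.provider "OIDC" }}`; with the chart's default provider and the placeholder `storeRefName` of `fakeopserversecretstore`, every install creates an ExternalSecret that can never sync, and the install fails outright if the external-secrets CRDs are not present. Gate the manifest the same way the env block is gated: `{{- if eq .Values.security.provider "OIDC" }}` before `apiVersion:` and `{{- end }}` after the last `remoteRef` line. Consider also exposing `secretStoreRef.kind` as a value rather than hard-coding `ClusterSecretStore`, since a namespaced `SecretStore` would let operators bound which namespaces can pull the Okta client secret.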
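Review bot: `provider: "EveryonesAnAdmin"` as the chart-wide default means a release installed without overriding `security.provider` grants every visitor full admin rights, and this chart already exposes the app via the `ingress:` section visible in the next hunk. A default that fails closed would be safer; at minimum the key needs a warning so the risk is visible to whoever copies values.yaml: `# "EveryonesAnAdmin" gives every unauthenticated visitor full admin access - local development only.` followed by `# Set to "OIDC" (with adminGroups/viewGroups) for any shared or internet-facing deployment.` Note also that `viewGroups`/`adminGroups` are declared here as strings while the CNAB variables file in this same change supplies them as arrays; the two should agree on one shape.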
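Review bot: `adminGroups` and `viewGroups` are JSON arrays here, but values.yaml declares them as empty strings and deployment.yaml renders them with `| quote`; if these values reach `.Values.security` unchanged, Helm stringifies the list as `"[OpserverDev-Admin]"` rather than `OpserverDev-Admin`, and the group comparison would silently fail (nobody matches the admin group, and nobody matches the view group). Either pass strings from the CNAB side, `"adminGroups": "OpserverDev-Admin"`, or have the template accept a list, `value: {{ .Values.security.adminGroups | join "," | quote }}`, and change the values.yaml defaults to `[]` to match. I cannot see how variables.GCP.json is mapped onto chart values, so this is worth confirming against the CNAB bundle before merging.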