fix: #222 (#224)

* feat: Add Support for Azure as Secrets Manager * chore: Bump Chart Versions * fix: usage for `openmetadata-ops.sh` script for db-migrations * fix: Lint issues * fix: Lint issues * chore: Bump AppVersions to `1.3.2` * feat: Add provision for OIDC Confidential client configurations
open-metadata · Apr 8, 2024 · 83b837d · 83b837d
1 parent 4664d0d
commit 83b837d
Show file tree

Hide file tree

Showing 9 changed files with 314 additions and 36 deletions.
diff --git a/charts/deps/Chart.yaml b/charts/deps/Chart.yaml
@@ -16,13 +16,13 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 1.3.1
+version: 1.3.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.3.1"
+appVersion: "1.3.2"
 
 home: https://open-metadata.org/
 

diff --git a/charts/deps/values.yaml b/charts/deps/values.yaml
@@ -61,7 +61,7 @@ airflow:
   airflow:
     image:
       repository: docker.getcollate.io/openmetadata/ingestion
-      tag: 1.3.1
+      tag: 1.3.2
       pullPolicy: "IfNotPresent"
     executor: "KubernetesExecutor"
     config:

diff --git a/charts/openmetadata/Chart.yaml b/charts/openmetadata/Chart.yaml
@@ -16,13 +16,13 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 1.3.1
+version: 1.3.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.3.1"
+appVersion: "1.3.2"
 
 home: https://open-metadata.org/
 

diff --git a/charts/openmetadata/README.md b/charts/openmetadata/README.md
@@ -34,6 +34,7 @@ helm install openmetadata open-metadata/openmetadata --values <<path-to-values-f
 | Key | Type | Default | Conf/Openmetadata.yaml |
 |-----|------|---------| ---------------------- |
 | openmetadata.config.authentication.enabled | bool | `true` | |
+| openmetadata.config.authentication.clientType | string | `public` | AUTHENTICATION_CLIENT_TYPE |
 | openmetadata.config.authentication.provider | string | `basic` | AUTHENTICATION_PROVIDER |
 | openmetadata.config.authentication.publicKeys | list | `[http://openmetadata:8585/api/v1/system/config/jwks]` | AUTHENTICATION_PUBLIC_KEYS |
 | openmetadata.config.authentication.authority | string | `https://accounts.google.com` | AUTHENTICATION_AUTHORITY |
@@ -70,6 +71,24 @@ helm install openmetadata open-metadata/openmetadata --values <<path-to-values-f
 | openmetadata.config.authentication.ldapConfiguration.trustStoreConfig.hostNameConfig.acceptableHostNames | string | `[Empty String]` | AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES |
 | openmetadata.config.authentication.ldapConfiguration.trustStoreConfig.jvmDefaultConfig.verifyHostname | string | `Empty String` | AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST |
 | openmetadata.config.authentication.ldapConfiguration.trustStoreConfig.trustAllConfig.examineValidityDates | bool | `true` | AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES |
+| openmetadata.config.authentication.oidcConfiguration.callbackUrl | string | `http://openmetadata:8585/callback` | OIDC_CALLBACK |
+| openmetadata.config.authentication.oidcConfiguration.clientAuthenticationMethod | string | `client_secret_post` | OIDC_CLIENT_AUTH_METHOD |
+| openmetadata.config.authentication.oidcConfiguration.clientId.secretKey | string | `openmetadata-oidc-client-id` | OIDC_CLIENT_ID |
+| openmetadata.config.authentication.oidcConfiguration.clientId.secretRef | string | `oidc-secrets` | OIDC_CLIENT_ID |
+| openmetadata.config.authentication.oidcConfiguration.clientSecret.secretKey | string | `openmetadata-oidc-client-secret` | OIDC_CLIENT_SECRET |
+| openmetadata.config.authentication.oidcConfiguration.clientSecret.secretRef | string | `oidc-secrets` | OIDC_CLIENT_SECRET |
+| openmetadata.config.authentication.oidcConfiguration.customParams | string | `Empty` | OIDC_CUSTOM_PARAMS |
+| openmetadata.config.authentication.oidcConfiguration.disablePkce | bool | true | OIDC_DISABLE_PKCE |
+| openmetadata.config.authentication.oidcConfiguration.discoveryUri | string | `Empty` | OIDC_DISCOVERY_URI |
+| openmetadata.config.authentication.oidcConfiguration.enabled | bool | false | |
+| openmetadata.config.authentication.oidcConfiguration.maxClockSkew | string | `Empty` | OIDC_MAX_CLOCK_SKEW |
+| openmetadata.config.authentication.oidcConfiguration.oidcType | string | `Empty` | OIDC_TYPE |
+| openmetadata.config.authentication.oidcConfiguration.preferredJwsAlgorithm | string | `RS256` | OIDC_PREFERRED_JWS |
+| openmetadata.config.authentication.oidcConfiguration.responseType | string | `code` | OIDC_RESPONSE_TYPE |
+| openmetadata.config.authentication.oidcConfiguration.scope | string | `openid email profile` | OIDC_SCOPE |
+| openmetadata.config.authentication.oidcConfiguration.serverUrl | string | `http://openmetadata:8585` | OIDC_SERVER_URL |
+| openmetadata.config.authentication.oidcConfiguration.tenant | string | `Empty` | OIDC_TENANT |
+| openmetadata.config.authentication.oidcConfiguration.useNonce | bool | `true` | OIDC_USE_NONCE |
 | openmetadata.config.authentication.saml.debugMode | bool | false | SAML_DEBUG_MODE |
 | openmetadata.config.authentication.saml.idp.entityId | string | `Empty` | SAML_IDP_ENTITY_ID |
 | openmetadata.config.authentication.saml.idp.ssoLoginUrl |  string | `Empty` | SAML_IDP_SSO_LOGIN_URL |
@@ -178,6 +197,14 @@ helm install openmetadata open-metadata/openmetadata --values <<path-to-values-f
 | openmetadata.config.secretsManager.additionalParameters.enabled | bool | `false` | |
 | openmetadata.config.secretsManager.additionalParameters.accessKeyId.secretRef | string | `aws-access-key-secret` | OM_SM_ACCESS_KEY_ID |
 | openmetadata.config.secretsManager.additionalParameters.accessKeyId.secretKey | string | `aws-key-secret` | OM_SM_ACCESS_KEY_ID |
+| openmetadata.config.secretsManager.additionalParameters.clientId.secretRef | string | `azure-client-id-secret` | OM_SM_CLIENT_ID |
+| openmetadata.config.secretsManager.additionalParameters.clientId.secretKey | string | `azure-key-secret` | OM_SM_CLIENT_ID |
+| openmetadata.config.secretsManager.additionalParameters.clientSecret.secretRef | string | `azure-client-secret` | OM_SM_CLIENT_SECRET |
+| openmetadata.config.secretsManager.additionalParameters.clientSecret.secretKey | string | `azure-key-secret` | OM_SM_CLIENT_SECRET |
+| openmetadata.config.secretsManager.additionalParameters.tenantId.secretRef | string | `azure-tenant-id-secret` | OM_SM_TENANT_ID |
+| openmetadata.config.secretsManager.additionalParameters.tenantId.secretKey | string | `azure-key-secret` | OM_SM_TENANT_ID |
+| openmetadata.config.secretsManager.additionalParameters.vaultName.secretRef | string | `azure-vault-name-secret` | OM_SM_VAULT_NAME |
+| openmetadata.config.secretsManager.additionalParameters.vaultName.secretKey | string | `azure-key-secret` | OM_SM_VAULT_NAME |
 | openmetadata.config.secretsManager.additionalParameters.region | string | `Empty String` | OM_SM_REGION |
 | openmetadata.config.secretsManager.additionalParameters.secretAccessKey.secretRef | string | `aws-secret-access-key-secret` | OM_SM_ACCESS_KEY |
 | openmetadata.config.secretsManager.additionalParameters.secretAccessKey.secretKey | string | `aws-key-secret` | OM_SM_ACCESS_KEY |
@@ -191,8 +218,8 @@ helm install openmetadata open-metadata/openmetadata --values <<path-to-values-f
 | openmetadata.config.smtpConfig.supportUrl | string | `https://slack.open-metadata.org` | OM_SUPPORT_URL |
 | openmetadata.config.smtpConfig.transportationStrategy | string | `SMTP_TLS` | SMTP_SERVER_STRATEGY |
 | openmetadata.config.smtpConfig.username | string | `Empty String` | SMTP_SERVER_USERNAME |
-| openmetadata.config.upgradeMigrationConfigs.force | bool | `false` |  |
-| openmetadata.config.upgradeMigrationConfigs.migrationLimitParam | int | `1200` | MIGRATION_LIMIT_PARAM |
+| openmetadata.config.upgradeMigrationConfigs.debug | bool | `false` |  |
+| openmetadata.config.upgradeMigrationConfigs.additionalArgs | string | `Empty String` |  |
 | openmetadata.config.web.enabled | bool | `true` | |
 | openmetadata.config.web.contentTypeOptions.enabled | bool | `false` | WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED |
 | openmetadata.config.web.csp.enabled | bool | `false` | WEB_CONF_XSS_CSP_ENABLED |
@@ -227,7 +254,7 @@ helm install openmetadata open-metadata/openmetadata --values <<path-to-values-f
 | fullnameOverride | string | `"openmetadata"` |
 | image.pullPolicy | string | `"Always"` |
 | image.repository | string | `"docker.getcollate.io/openmetadata/server"` |
-| image.tag | string | `1.3.1` |
+| image.tag | string | `1.3.2` |
 | imagePullSecrets | list | `[]` |
 | ingress.annotations | object | `{}` |
 | ingress.className | string | `""` |

diff --git a/charts/openmetadata/templates/_helpers.tpl b/charts/openmetadata/templates/_helpers.tpl
@@ -96,6 +96,7 @@ Warning to update openmetadata global keyword to openmetadata.config */}}
 {{- printf "Error: %s" . | fail }}
 {{- end }}
 
+
 {{/*
 Function to check if passed value is empty string or null value */}}
 {{- define "OpenMetadata.utils.checkEmptyString" -}}
@@ -106,6 +107,71 @@ Function to check if passed value is empty string or null value */}}
 {{- end -}}
 {{- end -}}
 
+{{/*
+OpenMetadata Configurations AWS Additional Parameters Environment Variables for Secret Manager*/}}
+{{- define "OpenMetadata.configs.secretManager.aws.additionalParameters" -}}
+{{- if .Values.openmetadata.config.secretsManager.additionalParameters.accessKeyId.secretRef }}
+{{- with .Values.openmetadata.config.secretsManager.additionalParameters.accessKeyId }}
+- name: OM_SM_ACCESS_KEY_ID
+  valueFrom:
+    secretKeyRef:
+      name: {{ .secretRef }}
+      key: {{ .secretKey }}
+{{- end }}
+{{- end }}
+{{- if .Values.openmetadata.config.secretsManager.additionalParameters.secretAccessKey.secretRef }}
+{{- with .Values.openmetadata.config.secretsManager.additionalParameters.secretAccessKey }}
+- name: OM_SM_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .secretRef }}
+      key: {{ .secretKey }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+OpenMetadata Configurations Azure Additional Parameters Environment Variables for Secret Manager
+*/}}
+{{- define "OpenMetadata.configs.secretManager.azure.additionalParameters" -}}
+{{- if .Values.openmetadata.config.secretsManager.additionalParameters.clientId.secretRef }}
+{{- with .Values.openmetadata.config.secretsManager.additionalParameters.clientId }}
+- name: OM_SM_CLIENT_ID
+  valueFrom:
+    secretKeyRef:
+      name: {{ .secretRef }}
+      key: {{ .secretKey }}
+{{- end }}
+{{- end }}
+{{- if .Values.openmetadata.config.secretsManager.additionalParameters.clientSecret.secretRef }}
+{{- with .Values.openmetadata.config.secretsManager.additionalParameters.clientSecret }}
+- name: OM_SM_CLIENT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ .secretRef }}
+      key: {{ .secretKey }}
+{{- end }}
+{{- end }}
+{{- if .Values.openmetadata.config.secretsManager.additionalParameters.tenantId.secretRef }}
+{{- with .Values.openmetadata.config.secretsManager.additionalParameters.tenantId }}
+- name: OM_SM_TENANT_ID
+  valueFrom:
+    secretKeyRef:
+      name: {{ .secretRef }}
+      key: {{ .secretKey }}
+{{- end }}
+{{- end }}
+{{- if .Values.openmetadata.config.secretsManager.additionalParameters.vaultName.secretRef }}
+{{- with .Values.openmetadata.config.secretsManager.additionalParameters.vaultName }}
+- name: OM_SM_VAULT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ .secretRef }}
+      key: {{ .secretKey }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
 {{/*
 OpenMetadata Configurations Environment Variables*/}}
 {{- define "OpenMetadata.configs" -}}
@@ -118,6 +184,22 @@ OpenMetadata Configurations Environment Variables*/}}
       key: {{ .secretKey }}
 {{- end }}
 {{- end }}
+{{- if and (eq .Values.openmetadata.config.authentication.clientType "confidential") (.Values.openmetadata.config.authentication.oidcConfiguration.enabled) }}
+{{- with .Values.openmetadata.config.authentication.oidcConfiguration.clientId }}
+- name: OIDC_CLIENT_ID
+  valueFrom:
+    secretKeyRef:
+      name: {{ .secretRef }}
+      key: {{ .secretKey }}
+{{- end }}
+{{- with .Values.openmetadata.config.authentication.oidcConfiguration.clientSecret }}
+- name: OIDC_CLIENT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ .secretRef }}
+      key: {{ .secretKey }}
+{{- end }}
+{{- end }}
 {{- if eq .Values.openmetadata.config.authentication.provider "ldap" }}
 {{- if .Values.openmetadata.config.authentication.ldapConfiguration.dnAdminPassword.secretRef }}
 {{- with .Values.openmetadata.config.authentication.ldapConfiguration.dnAdminPassword }}
@@ -227,23 +309,11 @@ OpenMetadata Configurations Environment Variables*/}}
 {{- end }}
 {{- end }}
 {{- if .Values.openmetadata.config.secretsManager.additionalParameters.enabled }}
-{{- if .Values.openmetadata.config.secretsManager.additionalParameters.accessKeyId.secretRef }}
-{{- with .Values.openmetadata.config.secretsManager.additionalParameters.accessKeyId }}
-- name: OM_SM_ACCESS_KEY_ID
-  valueFrom:
-    secretKeyRef:
-      name: {{ .secretRef }}
-      key: {{ .secretKey }}
-{{- end }}
-{{- end }}
-{{- if .Values.openmetadata.config.secretsManager.additionalParameters.secretAccessKey.secretRef }}
-{{- with .Values.openmetadata.config.secretsManager.additionalParameters.secretAccessKey }}
-- name: OM_SM_ACCESS_KEY
-  valueFrom:
-    secretKeyRef:
-      name: {{ .secretRef }}
-      key: {{ .secretKey }}
+{{- if has .Values.openmetadata.config.secretsManager.provider (list "aws" "aws-ssm" "managed-aws" "managed-aws-ssm") }}
+{{ include "OpenMetadata.configs.secretManager.aws.additionalParameters" . }}
 {{- end }}
+{{- if has .Values.openmetadata.config.secretsManager.provider (list "managed-azure-kv" "azure-kv") }}
+{{ include "OpenMetadata.configs.secretManager.azure.additionalParameters" . }}
 {{- end }}
 {{- end }}
 {{- if and ( .Values.openmetadata.config.smtpConfig.enableSmtpServer ) ( .Values.openmetadata.config.smtpConfig.password.secretRef )}}
@@ -255,5 +325,4 @@ OpenMetadata Configurations Environment Variables*/}}
       key: {{ .secretKey }}
 {{- end }}
 {{- end }}
-
 {{- end }}
diff --git a/charts/openmetadata/templates/deployment.yaml b/charts/openmetadata/templates/deployment.yaml
@@ -99,8 +99,6 @@ spec:
             {{- toYaml . | nindent 10 }}
           {{- end }}
         env:
-        - name: MIGRATION_LIMIT_PARAM
-          value: "{{ .Values.openmetadata.config.upgradeMigrationConfigs.migrationLimitParam }}"
         {{- include "OpenMetadata.configs" . | nindent 8 }}
         {{- with .Values.extraEnvs }}
           {{- toYaml . | nindent 8 }}

diff --git a/charts/openmetadata/templates/secrets.yaml b/charts/openmetadata/templates/secrets.yaml
@@ -217,8 +217,24 @@ data:
   AUTHENTICATION_RESPONSE_TYPE: {{ .responseType | quote | b64enc }}
   AUTHENTICATION_AUTHORITY: {{ .authority | quote | b64enc }}
   AUTHENTICATION_CLIENT_ID: {{ .clientId | quote | b64enc }}
+  AUTHENTICATION_CLIENT_TYPE: {{ .clientType | quote | b64enc }}
   AUTHENTICATION_CALLBACK_URL: {{ .callbackUrl | quote | b64enc }}
   AUTHENTICATION_ENABLE_SELF_SIGNUP: {{ .enableSelfSignup | quote | b64enc }}
+{{- if and (eq .clientType "confidential") (.oidcConfiguration.enabled) }}
+  OIDC_TYPE: {{ .oidcConfiguration.oidcType | quote | b64enc }}
+  OIDC_SCOPE: {{ .oidcConfiguration.scope | quote | b64enc }}
+  OIDC_DISCOVERY_URI: {{ .oidcConfiguration.discoveryUri | quote | b64enc }}
+  OIDC_USE_NONCE: {{  .oidcConfiguration.useNonce | quote | b64enc }}
+  OIDC_PREFERRED_JWS: {{ .oidcConfiguration.preferredJwsAlgorithm | quote | b64enc }}
+  OIDC_RESPONSE_TYPE: {{ .oidcConfiguration.responseType | quote | b64enc }}
+  OIDC_DISABLE_PKCE: {{ .oidcConfiguration.disablePkce | quote | b64enc }}
+  OIDC_CALLBACK: {{ .oidcConfiguration.callbackUrl | quote | b64enc }}
+  OIDC_SERVER_URL: {{ .oidcConfiguration.serverUrl | quote | b64enc }}
+  OIDC_CLIENT_AUTH_METHOD: {{ .oidcConfiguration.clientAuthenticationMethod | quote | b64enc }}
+  OIDC_TENANT: {{ .oidcConfiguration.tenant | quote | b64enc }}
+  OIDC_MAX_CLOCK_SKEW: {{ .oidcConfiguration.maxClockSkew | quote | b64enc }}
+  OIDC_CUSTOM_PARAMS: {{ .oidcConfiguration.customParams | quote | b64enc }}
+{{ end }}
 {{- if eq .provider "ldap" }}
   AUTHENTICATION_LDAP_HOST: {{ .ldapConfiguration.host | b64enc }}
   AUTHENTICATION_LDAP_PORT: {{ .ldapConfiguration.port | quote | b64enc }}