[SDNC] Enable SDNC to use external oauth provider 04/120404/1
authordemskeq8 <alexander.dehn@highstreet-technologies.com>
Fri, 12 Feb 2021 14:43:48 +0000 (15:43 +0100)
committerToineSiebelink <toine.siebelink@est.tech>
Mon, 12 Apr 2021 11:20:57 +0000 (12:20 +0100)
- add additional environment variables

- add config file for external oauth-providers

Issue-ID: OOM-2675
Signed-off-by: demskeq8 <alexander.dehn@highstreet-technologies.com>
Change-Id: I235d3f46f5d109a1e82bdaa3c9de97508116fbe3
[Improve secrets handling]
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml
kubernetes/sdnc/components/sdnc-web/values.yaml
kubernetes/sdnc/resources/config/conf/oauth-provider.config.json [new file with mode: 0644]
kubernetes/sdnc/templates/statefulset.yaml
kubernetes/sdnc/values.yaml

index a2e3a48..7b04773 100644 (file)
@@ -85,7 +85,10 @@ spec:
           - name: TILEURL
             value: {{ .Values.config.topologyserver.tileserverUrl }}
           {{ end }}
-
+          - name: ENABLE_OAUTH
+            value: "{{ .Values.config.oauth.enabled | default "false" }}"
+          - name: ENABLE_ODLUX_RBAC
+            value: "{{ .Values.config.oauth.odluxRbac.enabled | default "false" }}"
           volumeMounts:  {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
           - mountPath: /etc/localtime
             name: localtime
index 72126b6..3577c84 100644 (file)
@@ -36,6 +36,10 @@ config:
   sslCertDir: "/opt/app/osaaf/local/certs"
   sslCertiticate: "cert.pem"
   sslCertKey: "key.pem"
+  oauth:
+    enabled: false
+    odluxRbac:
+      enabled: false
   transportpce:
     enabled: false
     transportpceUrl: http://transportpce.transportpce:8181
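Review bot: The new `config.oauth` block in the sdnc-web values has no comment, and its `odluxRbac.enabled: false` default disagrees with the sdnc chart's `config.sdnr.oauth.odluxRbac.enabled: true` (values.yaml in this same change), so a default install presumably ends up with RBAC on in the controller and off in the web frontend. If the two flags are meant to move together, one of the defaults is wrong; either way the relationship should be stated where operators set it. Suggested header above the block: `# OAuth/RBAC toggles for the ODLUX frontend; keep in step with config.sdnr.oauth.* in the sdnc chart`. The `enabled: false` defaults themselves are fine since `default "false"` in the deployment template is a no-op for a false boolean.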
diff --git a/kubernetes/sdnc/resources/config/conf/oauth-provider.config.json b/kubernetes/sdnc/resources/config/conf/oauth-provider.config.json
new file mode 100644 (file)
index 0000000..8d3c106
--- /dev/null
@@ -0,0 +1,8 @@
+{
+    "tokenSecret": "${OAUTH_TOKEN_SECRET}",
+    "tokenIssuer": {{ .Values.config.sdnr.oauth.tokenIssuer | quote }},
+    "publicUrl": {{ .Values.config.sdnr.oauth.publicUrl | quote }},
+    "redirectUri": "{{ .Values.config.sdnr.oauth.redirectUri | quote | default "null" }}",
+    "supportOdlUsers": "{{ .Values.config.sdnr.oauth.supportOdlUsers | default "true" }}",
+    "providers": {{ .Values.config.sdnr.oauth.providers | toJson  }}
+}
\ No newline at end of file
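Review bot: `"supportOdlUsers"` on the sixth line reads `.Values.config.sdnr.oauth.supportOdlUsers` (capital U) while the values.yaml in this change defines `supportOdlusers` (lower-case u), so the lookup is always nil and the rendered value is always the `default "true"`; the setting has no effect. Even with the key fixed, Sprig's `default` treats a boolean `false` as empty, so `false` would still render as `"true"` — drop the default and rely on the values.yaml default instead: `"supportOdlUsers": {{ .Values.config.sdnr.oauth.supportOdlusers | quote }},`. `"redirectUri"` on the fifth line pipes through `quote` and is then wrapped in literal quotes again, so any non-null value renders as `""https://…""`, which is not valid JSON; reorder to `"redirectUri": {{ .Values.config.sdnr.oauth.redirectUri | default "null" | quote }},` which keeps the current string `"null"` when unset. A `helm template` render with `redirectUri` and `supportOdlusers: false` set would have caught both.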
index ea544e6..152337e 100644 (file)
@@ -111,6 +111,15 @@ spec:
         - name: DMAAP_HTTP_PROXY_PASSWORD
           {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-proxy-creds" "key" "password") | indent 10 }}
         {{- end }}
+        {{ if .Values.config.sdnr.oauth.enabled }}
+        - name: OAUTH_TOKEN_SECRET
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "oauth-token-secret" "key" "password") | indent 10 }}
+        - name: KEYCLOAK_SECRET
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keycloak-secret" "key" "password") | indent 10 }}
+
+        - name: ENABLE_ODLUX_RBAC
+          value: "{{ .Values.config.sdnr.oauth.odluxRbac.enabled | default "true" }}"
+        {{ end }}
 
 
         volumeMounts:
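Review bot: `ENABLE_ODLUX_RBAC` uses `| default "true"`, and Sprig's `default` treats a boolean `false` as an empty value, so setting `config.sdnr.oauth.odluxRbac.enabled: false` renders `"true"`; RBAC cannot be switched off through values. Since values.yaml in this change already defaults the key to `true`, the template should not re-default it: `value: {{ .Values.config.sdnr.oauth.odluxRbac.enabled | quote }}`. As a point of style, the `{{ if` / `{{ end }}` pair here lacks the `{{-` whitespace trim used by the surrounding `{{- if`/`{{- end }}` lines and emits stray blank lines into the container spec. The enclosing container definition starts and ends outside this hunk.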
@@ -294,7 +303,8 @@ spec:
           - name: ODL_CERT_DIR
             value: {{ (mustFirst (.Values.certificates)).mountPath }}
           {{- end }}
-
+          - name: ENABLE_OAUTH
+            value: "{{ .Values.config.sdnr.oauth.enabled | default "false" }}"
           volumeMounts:
 {{ include "common.certInitializer.volumeMount" . | indent 10 }}
 {{ include "common.certServiceClient.volumeMounts" . | indent 10 }}
@@ -362,6 +372,11 @@ spec:
           - mountPath: {{ .Values.config.odl.etcDir }}/org.opendaylight.daexim.cfg
             name: properties
             subPath: org.opendaylight.daexim.cfg
+          {{- if .Values.config.sdnr.oauth.enabled }}
+          - mountPath: {{ .Values.config.odl.etcDir }}/oauth-provider.config.json
+            name: properties
+            subPath: oauth-provider.config.json
+          {{ end }}
           resources:
 {{ include "common.resources" . | indent 12 }}
         {{- if .Values.nodeSelector }}
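Review bot: The new mount block opens with `{{- if` but closes with `{{ end }}`, so an indented blank line is emitted inside the volumeMounts list whenever oauth is enabled; use `{{- end }}` to match the opener and the rest of the template. Mounting `oauth-provider.config.json` from the `properties` volume is appropriate here because the template for that file only carries `${OAUTH_TOKEN_SECRET}` / `${KEYCLOAK_SECRET}` placeholders rather than the secret values, assuming `properties` is backed by a ConfigMap as the other entries suggest — worth stating in a comment above the mount: `# holds only env-var placeholders for secrets; the values come from OAUTH_TOKEN_SECRET/KEYCLOAK_SECRET`. The volumeMounts list continues outside this hunk.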
index e3f3a6e..399740e 100644 (file)
@@ -172,6 +172,17 @@ secrets:
     login: '{{ .Values.config.scaleoutUser }}'
     password: '{{ .Values.config.scaleoutPassword }}'
     passwordPolicy: required
+  - uid: oauth-token-secret
+    type: password
+    externalSecret: '{{ ternary (tpl (default "" .Values.config.sdnr.oauth.tokenExternalSecret) .) "oauth-disabled" .Values.config.sdnr.oauth.enabled }}'
+    password: '{{ .Values.config.sdnr.oauth.tokenSecret }}'
+    passwordPolicy: required
+  - uid: keycloak-secret
+    type: password
+    externalSecret: '{{ ternary (tpl (default "" .Values.config.sdnr.oauth.providersSecrets.keycloakExternalSecret) .) "oauth-disabled" .Values.config.sdnr.oauth.enabled }}'
+    password: '{{ .Values.config.sdnr.oauth.providersSecrets.keycloak }}'
+    passwordPolicy: required
+
 #################################################################
 # Certificates
 #################################################################
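Review bot: `passwordPolicy: required` on `oauth-token-secret` is always satisfied by the chart's own default `config.sdnr.oauth.tokenSecret: secret` (values.yaml in this change), so a deployment that enables oauth without overriding the value gets a well-known token-signing secret and no error. If the common secret template supports a generate policy as it does `required`, `passwordPolicy: generate` would give each install a random signing secret when no `tokenExternalSecret` is supplied; otherwise the default in values.yaml should be removed so `required` actually fails. The `"oauth-disabled"` sentinel used as `externalSecret` when oauth is off presumably relies on the common secret template skipping a missing external secret — a one-line comment saying so would help the next reader, e.g. `# externalSecret points at a non-existent secret when oauth is disabled so nothing is created`.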
@@ -311,6 +322,7 @@ config:
     sdnrdbTrustAllCerts: true
     mountpointRegistrarEnabled: false
     mountpointStateProviderEnabled: false
+    #
     # enable and set dmaap-proxy for mountpointRegistrar
     dmaapProxy:
       enabled: false
@@ -318,10 +330,28 @@ config:
       user: addUserHere
       password: addPasswordHere
       url: addProxyUrlHere
-
-
-
-
+    oauth:
+      enabled: false
+      tokenIssuer: ONAP SDNC
+      tokenSecret: secret
+      supportOdlusers: true
+      redirectUri: null
+      publicUrl: none
+      odluxRbac:
+        enabled: true
+      # example definition for a oauth provider
+      providersSecrets:
+        keycloak: d8d7ed52-0691-4353-9ac6-5383e72e9c46
+      providers:
+      - id: keycloak
+        type: KEYCLOAK
+        host: http://keycloak:8080
+        clientId: odlux.app
+        secret: ${KEYCLOAK_SECRET}
+        scope: openid
+        title: ONAP Keycloak Provider
+        roleMapping:
+          mykeycloak: admin
 
 # dependency / sub-chart configuration
 certInitializer:
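Review bot: `tokenSecret: secret` and `providersSecrets.keycloak: d8d7ed52-0691-4353-9ac6-5383e72e9c46` are literal credentials committed as defaults, and both are loaded into the `oauth-token-secret` / `keycloak-secret` Secrets whenever oauth is enabled; the `dmaapProxy` block directly above uses `addUserHere` / `addPasswordHere` placeholders and these should follow suit: `tokenSecret: addTokenSecretHere` and `keycloak: addKeycloakClientSecretHere`. `supportOdlusers` is spelled with a lower-case u while the oauth-provider.config.json template reads `supportOdlUsers`, so this key is silently ignored. The example provider uses `host: http://keycloak:8080`; as it is marked as an example that is acceptable, but a comment noting that the client secret travels to this URL and that a TLS endpoint should be used outside the cluster would be prudent.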