forked from vouch/helm-charts
allowing for multiple existingSecrets for vouch and change all parameters to camelCase (#4)

* allowing for multiple existingSecrets for vouch: you can now specify a separate secret for both oauth and vouch domains/emails. Both use specific keys in the secret instead of overwriting the entire vouch config, though you can still do that too
* fix trailing space in values.yaml
* quote bool env for allow all users env var for deployment
* clean up our self generated secret
* fix values comments about arrays
* remove mustache type
* clean up secrets to always pass in certain values to the secret, but not the deployment
* change PR test flow to not do bweso stuff :P
* only include each variable if they're actually set
* disable example set args since they wouldn't work anyway
* fix userInfoUrl call
Showing 8 changed files with 330 additions and 61 deletions.
@@ -43,13 +43,7 @@ jobs: | |
uses: helm/[email protected] | ||
if: steps.list-changed.outputs.changed == 'true' | ||
|
||
- name: Pull and side-load docker container | ||
run: | | ||
docker pull --platform=linux/amd64 docker.io/jessebot/bweso:v0.2.0 && \ | ||
kind load docker-image docker.io/jessebot/bweso:v0.2.0 --name chart-testing | ||
shell: bash | ||
|
||
- name: Run chart-testing (install) | ||
id: install | ||
if: steps.list-changed.outputs.changed == 'true' | ||
run: ct install --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args="--set=bitwarden_eso_provider.create_cluster_secret_store=false --set=bitwarden_eso_provider.auth.password=${BOT_PASSWORD} --set=bitwarden_eso_provider.auth.clientID=${BOT_CLIENT_ID} --set=bitwarden_eso_provider.auth.clientSecret=${BOT_CLIENT_SECRET}" | ||
run: ct install --target-branch ${{ github.event.repository.default_branch }} --helm-extra-args="--timeout 150s" |
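Review bot: removing the `--helm-extra-set-args` line that put `${BOT_PASSWORD}`, `${BOT_CLIENT_ID}` and `${BOT_CLIENT_SECRET}` on the `ct install` command line is the right call: values passed as `--set` arguments show up in the process table and can be echoed into CI logs, and the commit message says the PR flow should no longer do the bweso setup that the deleted `docker pull` / `kind load docker-image` step existed for. Two follow-ups: confirm the workflow no longer declares those three secrets in its `env:` block (outside this hunk) so the job does not depend on them at all, and note that the replacement `--helm-extra-args="--timeout 150s"` only bounds the install wait; `ct install` now runs with no `--set` overrides, so the chart's default `values.yaml` has to install cleanly on its own.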
@@ -3,7 +3,7 @@ | |
|
||
This is a fork of the official Vouch helm chart with some quality of life updates to match standard helm chart style. It's actively maintained and kept up to date by @jessebot and renovateBot, so if a new version of the Vouch docker image comes out, we'll automatically get a PR to update it :) | ||
|
||
## Usage | ||
# Usage | ||
|
||
Make sure you have helm installed. To get started with helm, read their [documentation](https://helm.sh/docs/). | ||
Here's the basics of running this chart, however you'll want to update your [`values.yaml`](./charts/vouch/values.yaml). | ||
|
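Review bot: promoting `## Usage` to `# Usage` leaves this README with a second top-level heading if the file title (outside this hunk) is already an H1; the usual convention is to keep section headings at `##` and let the sub-sections sit at `###`. Minor grammar in the added line: "Here's the basics of running this chart" should read "Here are the basics of running this chart".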
@@ -16,14 +16,100 @@ helm install vouch/vouch vouch --values.yaml | |
|
||
Docs for the [`values.yaml`](./charts/vouch/values.yaml) can be found in in the chart [README](./charts/vouch/README.md). | ||
|
||
### Using an external secret | ||
## Using Existing Kubernetes Secrets for Private Info | ||
|
||
You can configure your values.yml for vouch to use an existing Kubernetes Secret for it's config file. Example `values.yaml`: | ||
### Existing Secret for the Oauth config | ||
|
||
In your values.yaml specify the name of the of the secret and then the names of the keys that will store the sensitive info: | ||
|
||
```yaml | ||
config: | ||
# https://console.developers.google.com/apis/credentials | ||
oauth: | ||
# -- existingSecret for clientId, clientSecret, authUrl, tokenUrl,userInfoUrl, callbackUrls, and preferredDomain. | ||
# If this value is not empty, we will ignore all of those plain text values and only use your secret keys | ||
existingSecret: 'my-vouch-oauth-secret' | ||
# keys in oauth.existingSecret to use for Oauth2 config | ||
secretKeys: | ||
# -- key in existingSecret for the clientID from your provider | ||
clientId: 'clientId' | ||
# -- key in existingSecret for clientSecret from your provider | ||
clientSecret: 'clientSecret' | ||
# -- key in existingSecret for authentication url from your oidc provider | ||
authUrl: 'authUrl' | ||
# -- key in existingSecret for token url from your oidc provider | ||
tokenUrl: 'tokenUrl' | ||
# -- key in existingSecret for userInfoUrl from your oidc provider | ||
userInfoUrl: 'userInfoUrl' | ||
# -- key in oauth.existingSecret for comma seperated list of valid | ||
# callback urls to use, example value for your key in your existing secert: | ||
# 'https://vouch.example.com/auth,https://vouch.example.com/login' | ||
callbackUrls: 'callbackUrls' | ||
# -- secret key in oauth.existingSecret for your preferred domain | ||
preferredDomain: 'preferredDomain' | ||
``` | ||
Example secret: | ||
```yaml | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: my-vouch-oauth-secret | ||
# "stringData" doesn't have to be used, but if you use "data", you have to base64 encode the string values below | ||
stringData: | ||
clientId: 'vouch' | ||
clientSecret: '6f7dag78dagr4bcfydsuoivh9a8fh89' | ||
authUrl: 'https://iam.example.com/realms/demo-realm/protocol/openid-connect/auth' | ||
tokenUrl: 'https://iam.example.com/realms/master/protocol/openid-connect/token' | ||
userInfoUrl: 'https://iam.example.com/realms/master/protocol/openid-connect/userinfo' | ||
callbackUrls: 'https://vouch.example.com/auth' | ||
``` | ||
### Existing Secret for vouch allowed domains and allowed emails | ||
In your values.yaml specify the name of the of the secret and then the names of the keys that will store the sensitive info: | ||
```yaml | ||
config: | ||
vouch: | ||
# -- existingSecret for domains, whiteList, and jwtSecret. If this value is | ||
# not empty, we ignore vouch.domains, vouch.whiteList, and vouch.jwt.secret | ||
existingSecret: 'my-vouch-config-secret' | ||
# keys in vouch.existingSecret to use for vouch config | ||
secretKeys: | ||
# -- secret key in vouch.existingSecret with comma seperated list of | ||
# domains you'd like to allow access from. | ||
domains: 'domains' | ||
# -- secret key in vouch.existingSecret with comma seperated list of emails | ||
# for users that allowed to use SSO via vouch. | ||
whiteList: 'whiteList' | ||
# -- secret key in vouch.existingSecret to pass in a secret to used for cookies | ||
jwtSecret: 'jwtSecret' | ||
``` | ||
Make sure that `config.vouch.secretKeys.domains` and `config.vouch.secretKeys.whiteList` are both comma seperated lists. | ||
|
||
Example secret: | ||
```yaml | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: my-vouch-config-secret | ||
# "stringData" doesn't have to be used, but if you use "data", you have to base64 encode the string values below | ||
stringData: | ||
domains: "coolcats.com,cooldogs.com" | ||
whiteList: "[email protected],[email protected]" | ||
``` | ||
|
||
### Overriding the entire `config.yaml` for vouch-proxy | ||
You can configure your `values.yml` for vouch to use an existing Kubernetes Secret for it's *ENTIRE* config file. | ||
|
||
Example `values.yaml`: | ||
```yaml | ||
config: | ||
# -- Allow overriding the config value with an existing secret, like a sealed secret | ||
existingSecretName: "vouch-existing-secret" | ||
overrideConfigExistingSecret: "vouch-existing-secret" | ||
``` | ||
|
||
Example of setting an existing Secret via the helm cli: | ||
|
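Review bot: the "Overriding the entire `config.yaml`" example sets both `existingSecretName` and `overrideConfigExistingSecret`, but the chart README table in this same commit removes the `config.existingSecretName` row and adds only `config.overrideConfigExistingSecret`, so the `existingSecretName: "vouch-existing-secret"` line should be dropped from the example. Second, the `my-vouch-config-secret` example carries `domains` and `whiteList` but no `jwtSecret` key, even though the text above it says `vouch.jwt.secret` is ignored whenever `config.vouch.existingSecret` is set; either add a `jwtSecret` entry to the example or state what the chart does when that key is missing from the secret. Third, in the oauth example secret `authUrl` points at realm `demo-realm` while `tokenUrl` and `userInfoUrl` point at realm `master`; anyone who copies that block gets a login that cannot complete, so use one realm in all three URLs. Spelling in the added lines: "seperated", "secert", "of the of the secret", and "it's config file" should be "its config file".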
@@ -17,15 +17,11 @@ keywords: | |
- sso | ||
- sso-login | ||
|
||
version: 3.3.1 | ||
version: 4.0.0 | ||
|
||
# renovate: image=quay.io/vouch/vouch-proxy | ||
appVersion: "0.39" | ||
|
||
maintainers: | ||
- name: punkle | ||
email: [email protected] | ||
- name: halkeye | ||
email: [email protected] | ||
- name: jessebot | ||
email: [email protected] |
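Review bot: the bump from 3.3.1 to 4.0.0 correctly signals the breaking rename of values keys from snake_case to camelCase in this commit, but nothing in the change documents the upgrade path. Helm ignores values keys that the templates no longer reference unless the chart ships a `values.schema.json`, so a user who upgrades with an existing `values.yaml` still using `client_id`, `client_secret` or `callback_urls` will deploy vouch with empty oauth settings instead of getting an error. Suggest a short migration section in the README listing the old and new key names, or a `values.schema.json` that rejects the old keys.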
@@ -1,6 +1,6 @@ | ||
# vouch | ||
|
||
data:image/s3,"s3://crabby-images/d8ba8/d8ba85cbb3894d3019b1c657a32947e4a7b0f422" alt="Version: 3.3.1" data:image/s3,"s3://crabby-images/3ae12/3ae1256bc7260dfc5aaa63b1880071e4d2711daf" alt="Type: application" data:image/s3,"s3://crabby-images/5df90/5df902797958389cd2cd61740133595f656ea5be" alt="AppVersion: 0.39" | ||
data:image/s3,"s3://crabby-images/e4db9/e4db9a21639b1bee43e51f220eab2a5551bfcdb8" alt="Version: 4.0.0" data:image/s3,"s3://crabby-images/3ae12/3ae1256bc7260dfc5aaa63b1880071e4d2711daf" alt="Type: application" data:image/s3,"s3://crabby-images/5df90/5df902797958389cd2cd61740133595f656ea5be" alt="AppVersion: 0.39" | ||
|
||
An SSO and OAuth login solution for nginx using the auth_request module. | ||
|
||
|
@@ -10,8 +10,6 @@ An SSO and OAuth login solution for nginx using the auth_request module. | |
|
||
| Name | Email | Url | | ||
| ---- | ------ | --- | | ||
| punkle | <[email protected]> | | | ||
| halkeye | <[email protected]> | | | ||
| jessebot | <[email protected]> | | | ||
|
||
## Source Code | ||
|
@@ -24,19 +22,36 @@ An SSO and OAuth login solution for nginx using the auth_request module. | |
|-----|------|---------|-------------| | ||
| affinity | object | `{}` | | | ||
| args | list | `[]` | arguments to command for container | | ||
| command | list | `[]` | Allow to specify an alternate command before launching vouch example: command: ["/bin/sh", "-c", "source /vault/secrets/config && /vouch-proxy"] | | ||
| config.existingSecretName | string | `""` | Allow overriding the config value with an existing secret, like a sealed secret | | ||
| config.oauth.callback_urls | list | `[]` | valid callback urls to use, example https://vouch.example.com/auth | | ||
| config.oauth.client_id | string | `""` | clientID from your provider | | ||
| config.oauth.client_secret | string | `""` | clientSecret from your provider | | ||
| command | list | `[]` | Allow to specify an alternate command before launching vouch example: command: ['/bin/sh', '-c', 'source /vault/secrets/config && /vouch-proxy'] | | ||
| config.oauth.authUrl | string | `""` | authentication url from your oidc provider | | ||
| config.oauth.callbackUrls | list | `[]` | valid callback urls to use, example https://vouch.example.com/auth | | ||
| config.oauth.clientId | string | `""` | clientID from your provider | | ||
| config.oauth.clientSecret | string | `""` | clientSecret from your provider | | ||
| config.oauth.existingSecret | string | `""` | existingSecret for clientId, clientSecret, authUrl, tokenUrl, userInfoUrl, scopes, callbackUrls, and preferredDomain. If this value is not empty, we will ignore all of those plain text values and only use your secret keys | | ||
| config.oauth.preferredDomain | string | `""` | preferred domain | | ||
| config.oauth.provider | string | `""` | oauth2 provider, such as keycloak | | ||
| config.vouch.allowAllUsers | bool | `false` | wheather or not to allow ALL users to login | | ||
| config.vouch.domains | list | `[]` | specific domains you'd like to allow access from | | ||
| config.oauth.scopes | list | `[]` | array of scopes to get from the provider e.g. [openid, email, profile] | | ||
| config.oauth.secretKeys.authUrl | string | `"authUrl"` | secret key in oauth.existingSecret for authentication url from your oidc provider | | ||
| config.oauth.secretKeys.callbackUrls | string | `"callbackUrls"` | secret key in oauth.existingSecret for commas seperated list of valid callback urls to use, example value for your key in your existing secert: 'https://vouch.example.com/auth,https://vouch.example.com/login' | | ||
| config.oauth.secretKeys.clientId | string | `"clientId"` | secret key in oauth.existingSecret for the clientID from your provider | | ||
| config.oauth.secretKeys.clientSecret | string | `"clientSecret"` | secret key in oauth.existingSecret for clientSecret from your provider | | ||
| config.oauth.secretKeys.preferredDomain | string | `"preferredDomain"` | secret key in oauth.existingSecret for your preferred domain | | ||
| config.oauth.secretKeys.tokenUrl | string | `"tokenUrl"` | secret key in oauth.existingSecret for token url from your oidc provider | | ||
| config.oauth.secretKeys.userInfoUrl | string | `"userInfoUrl"` | secret key in oauth.existingSecret for userInfoUrl from your oidc provider | | ||
| config.oauth.tokenUrl | string | `""` | token url from your oidc provider | | ||
| config.oauth.userInfoUrl | string | `""` | user info Url from your oidc provider | | ||
| config.overrideConfigExistingSecret | string | `""` | Allow overriding the ENTIRE config.yaml value with an existing secret, like a sealed secret. If not empty string, ALL values under config are ignored except for config.existing. For all possible config.yaml values, see: https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example | | ||
| config.vouch.allowAllUsers | bool | `false` | whether or not to allow ALL users to login | | ||
| config.vouch.domains | list | `[]` | array of specific domains you'd like to allow access from | | ||
| config.vouch.existingSecret | string | `""` | existingSecret for domains, whiteList, and jwtSecret. If this value is not empty, we ignore vouch.domains, vouch.whiteList, and vouch.jwt.secret | | ||
| config.vouch.jwt.secret | string | `""` | pass in a secret to used for cookies | | ||
| config.vouch.logLevel | string | `"debug"` | logging level for vouch | | ||
| config.vouch.port | int | `9090` | the container port for vouch | | ||
| config.vouch.testing | bool | `false` | set to true to enable a testing mode, see more: https://github.com/vouch/vouch-proxy#im-getting-an-infinite-redirect-loop-which-returns-me-to-my-idp-googleoktagithub | | ||
| config.vouch.whiteList | list | `[]` | list of emails for users that allowed to use SSO via vouch | | ||
| config.vouch.secretKeys.domains | string | `"domains"` | secret key in vouch.existingSecret with comma seperated list of domains you'd like to allow access from. Example secret value in your existing secret: 'coolcats.com,cooldogs.com' | | ||
| config.vouch.secretKeys.jwtSecret | string | `"jwtSecret"` | secret key in vouch.existingSecret to pass in a secret to used for cookies | | ||
| config.vouch.secretKeys.whiteList | string | `"whiteList"` | secret key in vouch.existingSecret with comma seperated list of emails for users that allowed to use SSO via vouch. Example secret value in your '[email protected],[email protected]' | | ||
| config.vouch.testing | bool | `false` | if you enable this, it will force all 302 redirects to be rendered as a webpage with a link | | ||
| config.vouch.whiteList | list | `[]` | array of emails for users that allowed to use SSO via vouch | | ||
| deploymentAnnotations | object | `{}` | | | ||
| extraEnvVars | list | `[]` | An array to add extra environment variables | | ||
| fullnameOverride | string | `""` | | | ||
|
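Review bot: the `config.oauth.existingSecret` description lists `scopes` among the values the secret replaces, but there is no `config.oauth.secretKeys.scopes` row (the table has `authUrl`, `callbackUrls`, `clientId`, `clientSecret`, `preferredDomain`, `tokenUrl` and `userInfoUrl` only), and the README example in this commit has none either; either add a `scopes` secret key or remove `scopes` from that description, since as written a user would expect `config.oauth.scopes` to be ignored with no way to supply it. Also the `config.overrideConfigExistingSecret` description stops mid-sentence ("ALL values under config are ignored except for config.existing"); finish it with the key that is still honoured. Spelling in the added rows: "commas seperated", "seperated", "secert".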