From d4da31233f1f766d28d7834f5b5ad6819429a956 Mon Sep 17 00:00:00 2001 From: Cedric Verstraeten Date: Tue, 30 Jan 2024 23:40:55 +0100 Subject: [PATCH] feature: allow multiple OIDC providers and different domains --- .../hub/templates/kerberos-hub/hub-api.yaml | 18 +++++++++-------- .../templates/kerberos-hub/hub-frontend.yaml | 5 +++-- charts/hub/values.yaml | 20 +++++++++++-------- 3 files changed, 25 insertions(+), 18 deletions(-) diff --git a/charts/hub/templates/kerberos-hub/hub-api.yaml b/charts/hub/templates/kerberos-hub/hub-api.yaml index 499ffdd..bae86b5 100644 --- a/charts/hub/templates/kerberos-hub/hub-api.yaml +++ b/charts/hub/templates/kerberos-hub/hub-api.yaml @@ -172,14 +172,16 @@ spec: value: "{{ .Values.kerberoshub.api.jwtSecret }}" # SSO (OIDC) setup - - name: SSO_ISSUER - value: "{{ .Values.kerberoshub.api.sso.issuer }}" - - name: SSO_CLIENTID - value: "{{ .Values.kerberoshub.api.sso.clientId }}" - - name: SSO_CLIENTSECRET - value: "{{ .Values.kerberoshub.api.sso.clientSecret }}" - - name: SSO_REDIRECTURL - value: "{{ .Values.kerberoshub.api.schema }}://{{ .Values.kerberoshub.api.url }}{{ .Values.kerberoshub.api.sso.redirectUrl }}" + - name: SSO_DOMAINS + value: "{{- range .Values.kerberoshub.api.sso }}{{ .domain }};{{- end }}" + - name: SSO_REDIRECTURLS + value: "{{- range .Values.kerberoshub.api.sso }}{{ .redirectUrl }};{{- end }}" + - name: SSO_ISSUERS + value: "{{- range .Values.kerberoshub.api.sso }}{{ .issuer }};{{- end }}" + - name: SSO_CLIENTIDS + value: "{{- range .Values.kerberoshub.api.sso }}{{ .clientId }};{{- end }}" + - name: SSO_CLIENTSECRETS + value: "{{- range .Values.kerberoshub.api.sso }}{{ .clientSecret }};{{- end }}" # Kerberos pipeline - name: QUEUE_SYSTEM diff --git a/charts/hub/templates/kerberos-hub/hub-frontend.yaml b/charts/hub/templates/kerberos-hub/hub-frontend.yaml index 88ba718..29086c1 100644 --- a/charts/hub/templates/kerberos-hub/hub-frontend.yaml +++ b/charts/hub/templates/kerberos-hub/hub-frontend.yaml 
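Review bot: The five `SSO_*` variables in hub-api.yaml are paired only by position in their `;`-joined strings, so an entry with a missing key, or a value that itself contains `;`, can shift the lists and associate a domain with another provider's issuer, client ID or secret, depending on how hub-api splits them (that code is not visible here). Each field could be guarded at render time, for example `{{ required "kerberoshub.api.sso[].issuer is required" .issuer }}`, with `fail` used to reject values that contain `;`. `SSO_CLIENTSECRETS` also renders every provider's client secret into a plain `value:` on the Deployment; a Secret referenced through `valueFrom.secretKeyRef` would keep them out of the pod spec. An existing values file where `sso` is still a single mapping will likely fail to render under `range`, which deserves an upgrade note.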
@@ -123,8 +123,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} env: - - name: SSO_DOMAIN - value: "{{ .Values.kerberoshub.frontend.ssoDomain }}" + - name: SSO_DOMAINS + # get the domain attribute from the list of sso domains + value: "{{- range .Values.kerberoshub.api.sso }}{{ .domain }};{{- end }}" - name: TITLE value: "{{ .Values.kerberoshub.frontend.title }}" - name: LOGO_NAME diff --git a/charts/hub/values.yaml b/charts/hub/values.yaml index 343e6eb..f2cbe0f 100644 --- a/charts/hub/values.yaml +++ b/charts/hub/values.yaml @@ -139,7 +139,7 @@ kerberoshub: api: repository: kerberos/hub-api pullPolicy: IfNotPresent - tag: "1.0.1065879492" + tag: "1.0.1158276216" replicas: 2 jwtSecret: "this-is-a-secret-please-change-to-random-string" # change to a random value, this is for generating JWT tokens. schema: "https" @@ -203,14 +203,20 @@ kerberoshub: username: "" password: "" sso: # OIDC settings for allowing SSO. - issuer: "" #"https://accounts.google.com" - clientId: "" # 4294xxxxsk4no3.apps.googleusercontent.com" - clientSecret: "" # UksvZ-QKGdB1W2mOu5l_Jg3R" - redirectUrl: "/sso/response" + - domain: "uug.ai" + redirectUrl: "https://api.cloud.kerberos.io/sso/callback/uug.ai" + issuer: "https://xxx.eu.auth0.com/" + clientId: "xxx" + clientSecret: "xxx" + - domain: "kerberos.io" + redirectUrl: "https://api.cloud.kerberos.io/sso/callback/kerberos.io" + issuer: "https://accounts.google.com" + clientId: "xxx" + clientSecret: "xxx" frontend: repository: kerberos/hub-frontend pullPolicy: IfNotPresent - tag: "1.0.1070125878" + tag: "1.0.1158265189" replicas: 2 schema: "https" url: "yourdomain.com" @@ -235,7 +241,6 @@ kerberoshub: # - hosts: # - "demo.yourdomain.com" # secretName: kerberoshub-demo - ssoDomain: "@yourdomain.com" mixpanel: # We can keep track logging in Mixpanel as well apikey: "xxx" sentry: # We can trace errors in Sentry 
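Review bot: `SSO_DOMAINS` in hub-frontend.yaml now carries bare domains (`uug.ai`) where the removed `ssoDomain` default was `@yourdomain.com`; if the frontend matches the login e-mail by suffix, a bare domain would also match addresses whose domain merely ends in that string, so the consumer should compare the part after `@` exactly (the matching code is not visible here). The `range` expression duplicates the one in hub-api.yaml, and a shared named template used through `include` would keep the two from drifting apart. The added comment would read better above `- name: SSO_DOMAINS` than between `name` and `value`.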
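Review bot: The new `sso` default in values.yaml ships two live-looking providers (`uug.ai`, `kerberos.io`) with absolute redirect URLs on `api.cloud.kerberos.io`, where the previous defaults were empty strings. An install that never overrides `sso` now renders non-empty `SSO_*` variables, and an operator who fills in only the client ID and secret would leave the OIDC callback pointed at a host outside their own deployment. Consider defaulting to `sso: []` and keeping the two entries as commented examples. Keeping `clientSecret` in values.yaml also invites committing real secrets, so a comment such as `# supply via an external Secret, do not commit` on that key would help.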
@@ -250,7 +255,6 @@ kerberoshub: key: "xxx" url: "https://posthog.domain.com" - # You can disable the Kerberos agent buttons, this make sense # in a white-label setup, or where you are managing the Kerberos Agents for your customers. hideAddAgent: "false"