-
Notifications
You must be signed in to change notification settings - Fork 228
feature/enh290 Set OIDC clientSecret to be set via a secret #303
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -153,7 +153,8 @@ The following table lists the configurable parameters of the nifi chart and the | |
| `auth.oidc.enabled` | Enable User auth via oidc | `false` | | ||
| `auth.oidc.discoveryUrl` | oidc discover url | `https://<provider>/.well-known/openid-configuration` | | ||
| `auth.oidc.clientId` | oidc clientId | `nil` | | ||
| `auth.oidc.clientSecret` | oidc clientSecret | `nil` | | ||
| `auth.oidc.clientSecret` | oidc clientSecret (plaintext secret that could get stored in git, logs, etc.) | `nil` | | ||
| `auth.oidc.existingSecret` | Name of an existing secret with the oidc clientSecret | `nil` | | ||
| `auth.oidc.claimIdentifyingUser` | oidc claimIdentifyingUser | `email` | | ||
| `auth.oidc.admin` | Default OIDC admin identity | `[email protected]` | | ||
| Note that OIDC authentication to a multi-NiFi-node cluster requires Ingress sticky sessions | See [background](https://community.cloudera.com/t5/Support-Questions/OIDC-With-Azure-AD/m-p/232324#M194163) | Also [how](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/) | | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
{{- if and .Values.auth.oidc.enabled (not (.Values.auth.oidc.existingSecret)) }} | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: {{ template "apache-nifi.fullname" . }}-oidc | ||
labels: | ||
app: {{ include "apache-nifi.name" . | quote }} | ||
chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" | ||
release: {{ .Release.Name | quote }} | ||
heritage: {{ .Release.Service | quote }} | ||
data: | ||
clientSecret: {{ .Values.auth.oidc.clientSecret | b64enc }} | ||
|
||
{{- end }} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -147,6 +147,9 @@ auth: | |
discoveryUrl: #http://<oidc_provider_address>:<oidc_provider_port>/auth/realms/<client_realm>/.well-known/openid-configuration | ||
clientId: #<client_name_in_oidc_provider> | ||
clientSecret: #<client_secret_in_oidc_provider> | ||
# try to use an existing secret that has been sourced from a key vault so the clientSecret isn't stored in plaintext | ||
# if this is set then the clientSecret above is ignored. | ||
existingSecret: | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Wh not use the same property "clientSecret" with value comes from the vault or any other tools for secrets? Personally I think it adds confusion with two properties for the same purpose. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The way I did it is what most public Helm charts I've seen do. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It is also backwards compatible for existing user's config There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I've seen this pattern before too, it's pretty common |
||
claimIdentifyingUser: email | ||
admin: [email protected] | ||
## Request additional scopes, for example profile | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see the
master
branch already has the code you want (not hardcoded with SIMPLE. Not sure why the PR still shows SIMPE on the left pane??There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, I don't recall changing this file.
For people who do GitOps we need a existingSecret to be referred to. Not using values. So the secrets aren't stored in git.