[opsportal] All authenticated (#420)

* add allowAllAuthenticated option

* system:authenticated

* newline

stable/opsportal/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: 1.0.0
 home: https://github.com/mesosphere/charts
 description: OpsPortal Chart
 name: opsportal
-version: 0.2.3
+version: 0.2.4
 maintainers:
   - name: hectorj2f
   - name: alejandroEsc

stable/opsportal/templates/ingress-opsportal-rolebinding.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.opsportalRBAC.enabled .Values.opsportalRBAC.allowAllAuthenticated }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: opsportal-authenticated-admin
+  labels:
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  name: opsportal-admin
+  kind: ClusterRole
+subjects:
+- apiGroup: "rbac.authorization.k8s.io"
+  kind: Group
+  name: system:authenticated
+{{- end}}

stable/opsportal/values.yaml

@@ -50,6 +50,13 @@ opsportalRBAC:
   enabled: true
   path: /ops/portal
   graphqlPath: /ops/portal/graphql
+  ## traefik-forward-auth 2.0 introduces RBAC support and now requires that users, regardless of whitelist,
+  ## be allowed access to a resource via explicit RBAC policy. Upon upgrade, whitelisted users would no longer
+  ## have access to ops portal resources unless an appropriate role binding existed. To prevent breakage,
+  ## the allowAllAuthenticated option, when true, will result in the group `system:allauthenticated` being bound to
+  ## to the opsportal-admin role. This mimics the existing security policy where any authenticated and whitelisted user
+  ## has full access to the opsportal. This option will be removed in the 0.3 release of this chart.
+  allowAllAuthenticated: false
 
 kibanaRBAC:
   enabled: true