Merge pull request #240 from openziti/browzer

BrowZer Bootstrapper

.github/release.yml

@@ -20,6 +20,9 @@ changelog:
     - title: zrok Changes
       labels:
         - notes:zrok
+    - title: BrowZer Bootstrapper Changes
+      labels:
+        - notes:ziti-browzer-bootstrapper
     - title: Other Changes
       labels:
         - "*"

.github/workflows/bump-version.yml

@@ -17,6 +17,7 @@ jobs:
           - ziti-host
           - ziti-router
           - zrok
+          - ziti-browzer-bootstrapper
     runs-on: ubuntu-latest
     steps:
       - name: Bump Chart Versions if Changed

.github/workflows/release-charts.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Install Helm
         uses: azure/setup-helm@v4
         with:
-          version: v3.15.1
+          version: v4.2.0
 
       - name: Add dependency repositories
         run: |
@@ -36,7 +36,7 @@ jobs:
       - name: Run chart-releaser
         uses: netfoundry/chart-releaser-action@v0
         with:
-          version: v0.1.6107
+          version: v0.1.6108
           charts_dir: charts
           skip_existing: true
           mark_as_latest: true

charts/ziti-browzer-bootstrapper/.gitignore

@@ -0,0 +1,2 @@
+/browzer-values.yaml
+/cluster-issuer.yaml

charts/ziti-browzer-bootstrapper/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/ziti-browzer-bootstrapper/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: 0.74.0
+description: Deploy OpenZiti BrowZer Bootstrapper as Kubernetes Service
+name: ziti-browzer-bootstrapper
+type: application
+version: 0.1.0

charts/ziti-browzer-bootstrapper/README.md

@@ -0,0 +1,44 @@
+<!-- README.md generated by helm-docs from README.md.gotmpl -->
+# ziti-browzer-bootstrapper
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.74.0](https://img.shields.io/badge/AppVersion-0.74.0-informational?style=flat-square)
+
+Deploy OpenZiti BrowZer Bootstrapper as Kubernetes Service
+
+## Kubernetes Cluster Prerequisites
+
+1. You must have a way to bind a publicly trusted cert to the BrowZer Bootstrapper's ingress, e.g., a cert-manager ClusterIssuer with an HTTP01 solver is sufficient for a public ingress.
+
+## Ziti NetworkPrerequisites
+
+Before configuring the BrowZer Bootstrapper, you must have a working OpenZiti network with special configuration for BrowZer.
+
+1. The Ziti network must be configured to trust an OpenID Connect provider. Follow [the instructions](https://github.com/openziti/ziti-browzer-bootstrapper?tab=readme-ov-file#configuring-the-openziti-network) to configure the network. Optionally, you can study [the provided shell script, `provision-openziti.bash`](https://github.com/openziti/helm-charts/blob/main/charts/ziti-browzer-bootstrapper/provision-openziti.bash), to see how to create the necessary entities.
+  1. Create an ext-jwt-signer entity representing your OIDC provider
+  1. Create an auth-policy entity for associating identities with the OIDC provider
+  1. Create an identity that uses the new auth-policy
+1. The Ziti Controller's client API must be configured with a publicly trusted server certificate. If the controller is deployed in Kubernetes, you can set [input values to like these](https://openziti.io/docs/guides/deployments/kubernetes/kubernetes-controller#alternative-web-server-certificates).
+1. The Ziti Router's edge listener must be configured with a publicly trusted server certificate for the WebSocket protocol. If the router is deployed in Kubernetes, you can set [input values to like these](https://openziti.io/docs/guides/deployments/kubernetes/kubernetes-router#additional-listeners-and-volumes).
+
+## Add the OpenZiti Charts Repo to Helm
+
+```bash
+helm repo add openziti https://docs.openziti.io/helm-charts/
+```
+
+## Minimal Installation
+
+This chart deploys a pod running `ziti-browzer-bootstrapper`, the [OpenZiti browzer bootstrapper](https://github.com/openziti/ziti-browzer-bootstrapper/).
+
+After adding the charts repo to Helm then you may install the chart.
+
+```bash
+helm install \
+  --namespace ziti-browzer --create-namespace --generate-name \
+  openziti/ziti-browzer-bootstrapper \
+    --values values-browzer.yaml
+```
+
+See [the provided sample `values-browzer.yaml` file](https://github.com/openziti/helm-charts/blob/browzer/charts/ziti-browzer-bootstrapper/values-browzer.yaml).
+
+<!-- README.md generated by helm-docs from README.md.gotmpl -->

charts/ziti-browzer-bootstrapper/README.md.gotmpl

@@ -0,0 +1,53 @@
+<!-- README.md generated by helm-docs from README.md.gotmpl -->
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.badgesSection" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+## Kubernetes Cluster Prerequisites
+
+1. You must have a way to bind a publicly trusted cert to the BrowZer Bootstrapper's ingress, e.g., a cert-manager ClusterIssuer with an HTTP01 solver is sufficient for a public ingress.
+
+## Ziti NetworkPrerequisites
+
+Before configuring the BrowZer Bootstrapper, you must have a working OpenZiti network with special configuration for BrowZer.
+
+1. The Ziti network must be configured to trust an OpenID Connect provider. Follow [the instructions](https://github.com/openziti/ziti-browzer-bootstrapper?tab=readme-ov-file#configuring-the-openziti-network) to configure the network. Optionally, you can study [the provided shell script, `provision-openziti.bash`](https://github.com/openziti/helm-charts/blob/main/charts/ziti-browzer-bootstrapper/provision-openziti.bash), to see how to create the necessary entities.
+  1. Create an ext-jwt-signer entity representing your OIDC provider
+  1. Create an auth-policy entity for associating identities with the OIDC provider
+  1. Create an identity that uses the new auth-policy
+1. The Ziti Controller's client API must be configured with a publicly trusted server certificate. If the controller is deployed in Kubernetes, you can set [input values to like these](https://openziti.io/docs/guides/deployments/kubernetes/kubernetes-controller#alternative-web-server-certificates).
+1. The Ziti Router's edge listener must be configured with a publicly trusted server certificate for the WebSocket protocol. If the router is deployed in Kubernetes, you can set [input values to like these](https://openziti.io/docs/guides/deployments/kubernetes/kubernetes-router#additional-listeners-and-volumes).
+
+## Add the OpenZiti Charts Repo to Helm
+
+```bash
+helm repo add openziti https://docs.openziti.io/helm-charts/
+```
+
+## Minimal Installation
+
+This chart deploys a pod running `ziti-browzer-bootstrapper`, the [OpenZiti browzer bootstrapper](https://github.com/openziti/ziti-browzer-bootstrapper/).
+
+After adding the charts repo to Helm then you may install the chart.
+
+```bash
+helm install \
+  --namespace ziti-browzer --create-namespace --generate-name \
+  openziti/ziti-browzer-bootstrapper \
+    --values values-browzer.yaml
+```
+
+See [the provided sample `values-browzer.yaml` file](https://github.com/openziti/helm-charts/blob/browzer/charts/ziti-browzer-bootstrapper/values-browzer.yaml).
+
+<!-- README.md generated by helm-docs from README.md.gotmpl -->

charts/ziti-browzer-bootstrapper/provision-openziti.bash

@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+#
+# inputs:
+#   ZITI_BROWZER_OIDC_URL   OIDC issuer url
+#   ZITI_BROWZER_CLIENT_ID  OIDC client id
+#   BROWZER_EMAILS          space or comma separated list of emails to create with a role
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o xtrace
+
+# workaround: ext-jwt-signer cannot be updated, so dependency tree must be cleaned up first;
+#   https://github.com/openziti/ziti/issues/2459
+function cleanup() {
+    for EMAIL in "${EMAILS[@]}"
+    do
+        ziti edge delete identity "${EMAIL}"
+    done
+    ziti edge delete auth-policy "${AUTH_POLICY_NAME}"
+    ziti edge delete ext-jwt-signer "${EXT_JWT_SIGNER_NAME}"
+}
+
+: "${ZITI_BROWZER_FIELD:=email}"
+: "${EXT_JWT_SIGNER_NAME:="browzer-auth0-ext-jwt-signer"}"
+: "${AUTH_POLICY_NAME:="browzer-auth0-auth-policy"}"
+: "${IDENTITY_ROLES:="browzer.enabled.identities"}"
+
+BROWZER_EMAILS="${BROWZER_EMAILS//,/ }"
+typeset -a EMAILS=(${BROWZER_EMAILS})
+
+oidc_config="$(curl -sSf ${ZITI_BROWZER_OIDC_URL%/}/.well-known/openid-configuration)"
+issuer="$(jq -r .issuer <<< "${oidc_config}")"
+jwks="$(jq -r .jwks_uri <<< "${oidc_config}")"
+
+if ziti edge list ext-jwt-signers "name=\"$EXT_JWT_SIGNER_NAME\"" --csv \
+| awk -F, "\$2==\"$EXT_JWT_SIGNER_NAME\"" | grep -q $EXT_JWT_SIGNER_NAME
+then
+    cleanup
+fi
+ext_jwt_signer=$(ziti edge create ext-jwt-signer "${EXT_JWT_SIGNER_NAME}" "${issuer}" --jwks-endpoint "${jwks}" --audience "${ZITI_BROWZER_CLIENT_ID}" --claims-property ${ZITI_BROWZER_FIELD})
+
+if ziti edge list auth-policies "name=\"$AUTH_POLICY_NAME\"" | grep -q $AUTH_POLICY_NAME
+then
+    auth_policy=$(ziti edge update auth-policy "${AUTH_POLICY_NAME}" --primary-ext-jwt-allowed --primary-ext-jwt-allowed-signers ${ext_jwt_signer})
+else
+    auth_policy=$(ziti edge create auth-policy "${AUTH_POLICY_NAME}" --primary-ext-jwt-allowed --primary-ext-jwt-allowed-signers ${ext_jwt_signer})
+fi
+
+for EMAIL in "${EMAILS[@]}"
+do
+    if ziti edge list identities "name=\"${EMAIL}\"" | grep -q "${EMAIL}"
+    then
+        ziti edge update identity "${EMAIL}" --auth-policy ${auth_policy} --external-id "${EMAIL}" -a "${IDENTITY_ROLES}"
+    else
+        ziti edge create identity "${EMAIL}" --auth-policy ${auth_policy} --external-id "${EMAIL}" -a "${IDENTITY_ROLES}"
+    fi
+done
+
+echo -e "\nissuer:" "$issuer\n"\
+        "jwks:" "$jwks\n"\
+        "ext-jwt-signer:" "$ext_jwt_signer\n"\
+        "auth-policy:" "$auth_policy\n"\
+        "email(s):" "${EMAILS[@]}\n" \
+| column -t

charts/ziti-browzer-bootstrapper/templates/NOTES.txt

@@ -0,0 +1,16 @@
+{{ if .Release.IsUpgrade }}
+Your release {{ .Release.Name }} was upgraded.
+{{ else if .Release.IsInstall }}
+This is the first install of release {{ .Release.Name }}.
+{{ else }}
+{{ .Chart.Name }} was neither installed nor upgraded.
+{{ end }}
+
+You have chart version {{ .Chart.Version }} and app version {{ .Chart.AppVersion }}.
+
+To learn more about the release, try:
+
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+This deployment provides an OpenZiti browzer bootstrapper.

charts/ziti-browzer-bootstrapper/templates/_helpers.tpl

@@ -0,0 +1,78 @@
+{{/*
+Expand the name of the chart.
+*/}}
+
+{{- define "ziti-browzer-bootstrapper.name" -}}
+    {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ziti-browzer-bootstrapper.fullname" -}}
+    {{- if .Values.fullnameOverride }}
+        {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+        {{- $name := default ( trimPrefix "ziti-" .Chart.Name ) .Values.nameOverride }}
+    {{- if contains $name .Release.Name }}
+        {{- .Release.Name | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+        {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+    {{- end }}
+    {{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ziti-browzer-bootstrapper.chart" -}}
+    {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ziti-browzer-bootstrapper.labels" -}}
+helm.sh/chart: {{ include "ziti-browzer-bootstrapper.chart" . }}
+{{ include "ziti-browzer-bootstrapper.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ziti-browzer-bootstrapper.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ziti-browzer-bootstrapper.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ziti-browzer-bootstrapper.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "ziti-browzer-bootstrapper.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Default ingress http config
+*/}}
+{{- define "ingress-http-def" -}}
+      http:
+        paths:
+          - path: /
+            pathType: "Prefix"
+            backend:
+              service:
+                name: {{ include "ziti-browzer-bootstrapper.fullname" . }}
+                port:
+                  name: {{ .Values.service.portName }}
+{{- end }}