diff --git a/charts/ocis/README.md b/charts/ocis/README.md
index 14db0a28f..1261f8ba9 100644
--- a/charts/ocis/README.md
+++ b/charts/ocis/README.md
@@ -61,6 +61,11 @@ This chart only supports following oCIS versions:
 | extraResources | list | `[]` | Extra resources to be included. |
 | features.basicAuthentication | bool | `false` | Enable basic authentication. Not recommended for production installations. |
 | features.demoUsers | bool | `false` | Create demo users on the first startup. Not recommended for production installations. |
+| features.externalUserManagement.enabled | bool | `false` | Enables external user management (and disables internal user management). Needs an external OpenID Connect Identity Provider and an external LDAP server. |
+| features.externalUserManagement.ldap.bindDN | string | `"uid=ocis,ou=system-users,dc=owncloud,dc=test"` | DN of the user to use to bind to the LDAP server. The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`. The user needs to have permission to list users and groups. |
+| features.externalUserManagement.ldap.certTrusted | bool | `true` | Set only to false, if the certificate of your LDAP secure service is not trusted. If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" |
+| features.externalUserManagement.ldap.uri | string | `"ldaps://ldaps.owncloud.test"` | URI to connect to the LDAP secure server. |
+| features.externalUserManagement.oidc.issuerURI | string | `"https://idp.owncloud.test/realms/ocis"` | Issuer URI of the OpenID Connect Identity Provider. If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option. |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image.repository | string | `"owncloud/ocis"` | Image repository |
 | image.sha | string | `""` | Image sha / digest (optional). |
@@ -82,8 +87,8 @@ This chart only supports following oCIS versions:
 | secretRefs.idpSecretRef | string | `"idp-secrets"` | Reference to an existing IDP secret (see [Secrets](#secrets)) |
 | secretRefs.jwtSecretRef | string | `"jwt-secret"` | Reference to an existing JWT secret (see [Secrets](#secrets)) |
 | secretRefs.ldapCaRef | string | `"ldap-ca"` | Reference to an existing LDAP certificate authority secret (see [Secrets](#secrets)) |
-| secretRefs.ldapCertRef | string | `"ldap-cert"` | Reference to an existing LDAP cert secret (see [Secrets](#secrets)) |
 | secretRefs.ldapSecretRef | string | `"ldap-bind-secrets"` | Reference to an existing LDAP bind secret (see [Secrets](#secrets)) |
+| secretRefs.ldapcertRef | string | `"ldap-cert"` | Reference to an existing LDAP cert secret (see [Secrets](#secrets)) |
 | secretRefs.machineAuthApiKeySecretRef | string | `"machine-auth-api-key"` | Reference to an existing machine auth api key secret (see [Secrets](#secrets)) |
 | secretRefs.storageSystemJwtSecretRef | string | `"storage-system-jwt-secret"` | Reference to an existing storage-system JWT secret (see [Secrets](#secrets)) |
 | secretRefs.storageSystemSecretRef | string | `"storage-system"` | Reference to an existing storage-system secret (see [Secrets](#secrets)) |
@@ -175,59 +180,6 @@ data: # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` jwt-secret: XXXXXXXXXXXXX ---- -apiVersion: v1 -kind: Secret -metadata: - name: ldap-bind-secrets -type: Opaque -data: - # how to generate: base64 encode a random string (reasonable long and mixed characters) - # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` - reva-ldap-bind-password: XXXXXXXXXXXXX - - # how to generate: base64 encode a random string (reasonable long and mixed characters) - # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` - idp-ldap-bind-password: XXXXXXXXXXXXX - - # how to generate: base64 encode a random string (reasonable long and mixed characters) - # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` - graph-ldap-bind-password: XXXXXXXXXXXXX - ---- -apiVersion: v1 -kind: Secret -metadata: - name: ldap-ca -type: Opaque -data: - # how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority - # example generation commands: - # - `openssl genrsa -out ldap-ca.key 4096` - # - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt` - # - `cat ldap-ca.crt | base64 | tr -d '\n' && echo` - ldap-ca.crt: XXXXXXXXXXXXX - ---- -apiVersion: v1 -kind: Secret -metadata: - name: ldap-cert -type: Opaque -data: - # how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size) - # example generation commands: - # - `openssl genrsa -out ldap.key 4096` - # - `cat ldap.key | base64 | tr -d '\n' && echo` - ldap.key: XXXXXXXXXXXXX - - # how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key. 
- # example generation commands: - # - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr` - # - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial` - # - `cat ldap.crt | base64 | tr -d '\n' && echo` - ldap.crt: XXXXXXXXXXXXX - --- apiVersion: v1 kind: Secret 
@@ -318,6 +270,95 @@ data: thumbnails-transfer-secret: XXXXXXXXXXXXX ``` +#### User management related secrets + +If you're using the builtin user management (`features.externalUserManagement.enabled` == `false`), you need to set these secrets: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-bind-secrets +type: Opaque +data: + # how to generate: base64 encode a random string (reasonable long and mixed characters) + # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` + reva-ldap-bind-password: XXXXXXXXXXXXX + + # how to generate: base64 encode a random string (reasonable long and mixed characters) + # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` + idp-ldap-bind-password: XXXXXXXXXXXXX + + # how to generate: base64 encode a random string (reasonable long and mixed characters) + # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` + graph-ldap-bind-password: XXXXXXXXXXXXX + +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-ca +type: Opaque +data: + # how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority + # example generation commands: + # - `openssl genrsa -out ldap-ca.key 4096` + # - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt` + # - `cat ldap-ca.crt | base64 | tr -d '\n' && echo` + ldap-ca.crt: XXXXXXXXXXXXX + +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-cert +type: Opaque +data: + # how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size) + # example generation commands: + # - `openssl genrsa -out ldap.key 4096` + # - `cat ldap.key | base64 | tr -d '\n' && echo` + ldap.key: XXXXXXXXXXXXX + + # how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key. 
+ # example generation commands: + # - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr` + # - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial` + # - `cat ldap.crt | base64 | tr -d '\n' && echo` + ldap.crt: XXXXXXXXXXXXX +``` + +If you're using an external user managment (`features.externalUserManagement.enabled` == `true`), +you need to set the LDAP bind password into a secrets: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-bind-secrets +type: Opaque +data: + # Base64 encoded password for the LDAP bind user. + reva-ldap-bind-password: XXXXXXXXXXXXX +``` + +If you're LDAP secure server is not using a trusted certificate (`features.externalUserManagement.ldap.certTrusted` == `false`), +you need to set your LDAP CA (Certificate Authority) certificate in following secret: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-ca +type: Opaque +data: + # Base64 encoded certificate of the CA that issued the LDAP server certificate. + ldap-ca.crt: XXXXXXXXXXXXX +``` + ### Example with NGINX ingress and certificate issued by cert-manager To make this work you need to have NGINX ingress and cert-manager installed in your cluster. diff --git a/charts/ocis/README.md.gotmpl b/charts/ocis/README.md.gotmpl index 5036ae170..1b81a98bb 100644 --- a/charts/ocis/README.md.gotmpl +++ b/charts/ocis/README.md.gotmpl 
@@ -86,60 +86,6 @@ data: # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` jwt-secret: XXXXXXXXXXXXX ---- -apiVersion: v1 -kind: Secret -metadata: - name: ldap-bind-secrets -type: Opaque -data: - # how to generate: base64 encode a random string (reasonable long and mixed characters) - # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` - reva-ldap-bind-password: XXXXXXXXXXXXX - - # how to generate: base64 encode a random string (reasonable long and mixed characters) - # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` - idp-ldap-bind-password: XXXXXXXXXXXXX - - # how to generate: base64 encode a random string (reasonable long and mixed characters) - # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` - graph-ldap-bind-password: XXXXXXXXXXXXX - ---- -apiVersion: v1 -kind: Secret -metadata: - name: ldap-ca -type: Opaque -data: - # how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority - # example generation commands: - # - `openssl genrsa -out ldap-ca.key 4096` - # - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt` - # - `cat ldap-ca.crt | base64 | tr -d '\n' && echo` - ldap-ca.crt: XXXXXXXXXXXXX - ---- -apiVersion: v1 -kind: Secret -metadata: - name: ldap-cert -type: Opaque -data: - # how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size) - # example generation commands: - # - `openssl genrsa -out ldap.key 4096` - # - `cat ldap.key | base64 | tr -d '\n' && echo` - ldap.key: XXXXXXXXXXXXX - - # how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key. 
- # example generation commands: - # - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr` - # - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial` - # - `cat ldap.crt | base64 | tr -d '\n' && echo` - ldap.crt: XXXXXXXXXXXXX - - --- apiVersion: v1 kind: Secret 
@@ -230,6 +176,96 @@ data: thumbnails-transfer-secret: XXXXXXXXXXXXX ``` +#### User management related secrets + +If you're using the builtin user management (`features.externalUserManagement.enabled` == `false`), you need to set these secrets: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-bind-secrets +type: Opaque +data: + # how to generate: base64 encode a random string (reasonable long and mixed characters) + # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` + reva-ldap-bind-password: XXXXXXXXXXXXX + + # how to generate: base64 encode a random string (reasonable long and mixed characters) + # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` + idp-ldap-bind-password: XXXXXXXXXXXXX + + # how to generate: base64 encode a random string (reasonable long and mixed characters) + # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` + graph-ldap-bind-password: XXXXXXXXXXXXX + +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-ca +type: Opaque +data: + # how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority + # example generation commands: + # - `openssl genrsa -out ldap-ca.key 4096` + # - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt` + # - `cat ldap-ca.crt | base64 | tr -d '\n' && echo` + ldap-ca.crt: XXXXXXXXXXXXX + +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-cert +type: Opaque +data: + # how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size) + # example generation commands: + # - `openssl genrsa -out ldap.key 4096` + # - `cat ldap.key | base64 | tr -d '\n' && echo` + ldap.key: XXXXXXXXXXXXX + + # how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key. 
+ # example generation commands: + # - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr` + # - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial` + # - `cat ldap.crt | base64 | tr -d '\n' && echo` + ldap.crt: XXXXXXXXXXXXX +``` + +If you're using an external user managment (`features.externalUserManagement.enabled` == `true`), +you need to set the LDAP bind password into a secrets: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-bind-secrets +type: Opaque +data: + # Base64 encoded password for the LDAP bind user. + reva-ldap-bind-password: XXXXXXXXXXXXX +``` + +If you're LDAP secure server is not using a trusted certificate (`features.externalUserManagement.ldap.certTrusted` == `false`), +you need to set your LDAP CA (Certificate Authority) certificate in following secret: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-ca +type: Opaque +data: + # Base64 encoded certificate of the CA that issued the LDAP server certificate. + ldap-ca.crt: XXXXXXXXXXXXX +``` + + ### Example with NGINX ingress and certificate issued by cert-manager To make this work you need to have NGINX ingress and cert-manager installed in your cluster. diff --git a/charts/ocis/templates/auth-basic/deployment.yaml b/charts/ocis/templates/auth-basic/deployment.yaml index 2494b44aa..27dd7b756 100644 --- a/charts/ocis/templates/auth-basic/deployment.yaml +++ b/charts/ocis/templates/auth-basic/deployment.yaml @@ -1,3 +1,4 @@ +{{ if .Values.features.basicAuthentication }} apiVersion: apps/v1 kind: Deployment metadata: 
@@ -56,9 +57,23 @@ spec:
 value: gateway:9142
 - name: AUTH_BASIC_LDAP_URI
+ {{ if not .Values.features.externalUserManagement.enabled }}
 value: ldaps://idm:9235
+ {{ else }}
+ value: {{ .Values.features.externalUserManagement.ldap.uri }}
+ {{ end }}
+
 - name: AUTH_BASIC_LDAP_CACERT
+ {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }}
 value: /etc/ocis/ldap-ca/ldap-ca.crt
+ {{ else }}
+ value: "" # no cert needed
+ {{ end }}
+
+ {{ if .Values.features.externalUserManagement.enabled }}
+ - name: AUTH_BASIC_LDAP_BIND_DN
+ value: {{ .Values.features.externalUserManagement.ldap.bindDN }}
+ {{ end }}
 - name: AUTH_BASIC_LDAP_BIND_PASSWORD
 valueFrom:
@@ -67,7 +82,11 @@ spec:
 key: reva-ldap-bind-password
 - name: AUTH_BASIC_IDP_URL
+ {{ if not .Values.features.externalUserManagement.enabled }}
 value: https://{{ .Values.externalDomain }}
+ {{ else }}
+ value: {{ .Values.features.externalUserManagement.oidc.IssuerURI }}
+ {{ end }}
 - name: AUTH_BASIC_JWT_SECRET
 valueFrom:
@@ -80,16 +99,21 @@ spec:
 - name: grpc
 containerPort: 9146
 volumeMounts:
+ {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }}
 - name: ldap-ca
 mountPath: /etc/ocis/ldap-ca
 readOnly: true
+ {{ end }}
 - name: tmp-volume
 mountPath: /tmp
 volumes:
+ {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }}
 - name: ldap-ca
 secret:
 secretName: {{ .Values.secretRefs.ldapCaRef }}
+ {{ end }}
 - name: tmp-volume
 emptyDir:
 medium: Memory
 sizeLimit: 6Mi
+{{ end }}
diff --git a/charts/ocis/templates/auth-basic/hpa.yaml b/charts/ocis/templates/auth-basic/hpa.yaml
index f885ca501..8e93516bb 100644
--- a/charts/ocis/templates/auth-basic/hpa.yaml
+++ b/charts/ocis/templates/auth-basic/hpa.yaml
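Review bot: The external branch of AUTH_BASIC_IDP_URL in the second hunk reads `.Values.features.externalUserManagement.oidc.IssuerURI`, but the values.yaml hunk at the end of this diff defines the key as `issuerURI`; Go template lookups on a values map are case-sensitive, so with `enabled: true` the key is missing and, as far as Helm's missing-key handling goes, the env var renders empty. The same misspelled lookup is repeated in the auth-bearer, graph-explorer, groups, ocs, proxy, users and web deployments. Change it to `value: "{{ .Values.features.externalUserManagement.oidc.issuerURI }}"`; the quotes also keep the rendered value a string if an override looks like a number or boolean to YAML.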
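Review bot: `value: {{ .Values.features.externalUserManagement.ldap.uri }}` and `value: {{ .Values.features.externalUserManagement.ldap.bindDN }}` in the first hunk are emitted as unquoted plain scalars, unlike the quoted `value: "{{ ... }}"` form this chart uses for PROXY_ENABLE_BASIC_AUTH in proxy/deployment.yaml. An empty override then renders as `value:` (null rather than a string), and a bind DN containing `: ` or ` #` would break the rendered manifest. Wrap both: `value: "{{ .Values.features.externalUserManagement.ldap.uri }}"` and `value: "{{ .Values.features.externalUserManagement.ldap.bindDN }}"`; the groups and users deployments carry the same two lines.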
@@ -1,5 +1,5 @@
-
-{{- if .Values.autoscaling.enabled }}
+{{ if .Values.features.basicAuthentication }}
+{{ if .Values.autoscaling.enabled }}
 apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
@@ -16,4 +16,5 @@ spec:
 maxReplicas: {{ .Values.autoscaling.maxReplicas }}
 metrics:
 {{ toYaml .Values.autoscaling.metrics | indent 4 }}
-{{- end }}
+{{ end }}
+{{ end }}
diff --git a/charts/ocis/templates/auth-basic/service.yaml b/charts/ocis/templates/auth-basic/service.yaml
index 3144b763f..2ca8ab02c 100644
--- a/charts/ocis/templates/auth-basic/service.yaml
+++ b/charts/ocis/templates/auth-basic/service.yaml
@@ -1,3 +1,4 @@
+{{ if .Values.features.basicAuthentication }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -12,3 +13,4 @@ spec:
 protocol: TCP
 selector:
 app: auth-basic
+{{ end }}
diff --git a/charts/ocis/templates/auth-bearer/deployment.yaml b/charts/ocis/templates/auth-bearer/deployment.yaml
index 28f473da3..55f4ab37a 100644
--- a/charts/ocis/templates/auth-bearer/deployment.yaml
+++ b/charts/ocis/templates/auth-bearer/deployment.yaml
@@ -59,7 +59,11 @@ spec:
 value: gateway:9142
 - name: AUTH_BEARER_OIDC_ISSUER
+ {{ if not .Values.features.externalUserManagement.enabled }}
 value: https://{{ .Values.externalDomain }}
+ {{ else }}
+ value: {{ .Values.features.externalUserManagement.oidc.IssuerURI }}
+ {{ end }}
 - name: AUTH_BEARER_JWT_SECRET
 valueFrom:
diff --git a/charts/ocis/templates/graph-explorer/deployment.yaml b/charts/ocis/templates/graph-explorer/deployment.yaml
index 5c0e48114..f67307e08 100644
--- a/charts/ocis/templates/graph-explorer/deployment.yaml
+++ b/charts/ocis/templates/graph-explorer/deployment.yaml
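Review bot: The guard added to auth-basic/hpa.yaml uses untrimmed `{{ if ... }}` / `{{ end }}`, replacing the trimmed `{{- if` / `{{- end }}` the file had, while the idm and idp wrappers added later in this same diff keep the `{{- if` / `{{- end }}` form; the untrimmed actions leave an empty line in the rendered output for each of them, which is harmless but inconsistent within one commit. The two nested conditions can also be one: `{{- if and .Values.features.basicAuthentication .Values.autoscaling.enabled }}` closed by a single `{{- end }}`. The same untrimmed form is used in the new guards of auth-basic/deployment.yaml and auth-basic/service.yaml.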
@@ -53,7 +53,11 @@ spec:
 value: 0.0.0.0:9135
 - name: GRAPH_EXPLORER_ISSUER
+ {{ if not .Values.features.externalUserManagement.enabled }}
 value: https://{{ .Values.externalDomain }}
+ {{ else }}
+ value: {{ .Values.features.externalUserManagement.oidc.IssuerURI }}
+ {{ end }}
 - name: GRAPH_EXPLORER_GRAPH_URL_BASE
 value: https://{{ .Values.externalDomain }}
diff --git a/charts/ocis/templates/graph/deployment.yaml b/charts/ocis/templates/graph/deployment.yaml
index 4f43fbaa6..dfcad6f07 100644
--- a/charts/ocis/templates/graph/deployment.yaml
+++ b/charts/ocis/templates/graph/deployment.yaml
@@ -55,16 +55,21 @@ spec:
 - name: GRAPH_SPACES_WEBDAV_BASE
 value: "https://{{ .Values.externalDomain }}"
+ {{ if not .Values.features.externalUserManagement.enabled }}
 - name: GRAPH_LDAP_URI
 value: ldaps://idm:9235
 - name: GRAPH_LDAP_CACERT
 value: /etc/ocis/ldap-ca/ldap-ca.crt
-
 - name: GRAPH_LDAP_BIND_PASSWORD
 valueFrom:
 secretKeyRef:
 name: {{ .Values.secretRefs.ldapSecretRef }}
 key: graph-ldap-bind-password
+ {{ else }}
+ - name: GRAPH_IDENTITY_BACKEND
+ value: cs3
+ {{ end }}
+
 - name: REVA_GATEWAY
 value: gateway:9142
@@ -84,11 +89,15 @@ spec:
 ports:
 - name: http
 containerPort: 9120
+ {{ if not .Values.features.externalUserManagement.enabled }}
 volumeMounts:
 - name: ldap-ca
 mountPath: /etc/ocis/ldap-ca
 readOnly: true
+ {{ end }}
+ {{ if not .Values.features.externalUserManagement.enabled }}
 volumes:
 - name: ldap-ca
 secret:
 secretName: {{ .Values.secretRefs.ldapCaRef }}
+ {{ end }}
diff --git a/charts/ocis/templates/groups/deployment.yaml b/charts/ocis/templates/groups/deployment.yaml
index e44078cde..2171e32d9 100644
--- a/charts/ocis/templates/groups/deployment.yaml
+++ b/charts/ocis/templates/groups/deployment.yaml
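Review bot: In the graph/deployment.yaml hunk at `@@ -84,11`, the `{{ end }}` that closes the guard around `volumeMounts:` is immediately followed by a second `{{ if not .Values.features.externalUserManagement.enabled }}` with the identical condition around `volumes:`, and no line sits between them. One guard spanning both stanzas reads more simply and cannot drift into two different conditions later; drop the middle `{{ end }}` / `{{ if ... }}` pair and keep the closing `{{ end }}` after `secretName:`.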
@@ -54,9 +54,22 @@ spec:
 - name: GROUPS_LDAP_URI
+ {{ if not .Values.features.externalUserManagement.enabled }}
 value: ldaps://idm:9235
+ {{ else }}
+ value: {{ .Values.features.externalUserManagement.ldap.uri }}
+ {{ end }}
 - name: GROUPS_LDAP_CACERT
+ {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }}
 value: /etc/ocis/ldap-ca/ldap-ca.crt
+ {{ else }}
+ value: "" # no cert needed
+ {{ end }}
+
+ {{ if .Values.features.externalUserManagement.enabled }}
+ - name: GROUPS_LDAP_BIND_DN
+ value: {{ .Values.features.externalUserManagement.ldap.bindDN }}
+ {{ end }}
 - name: GROUPS_LDAP_BIND_PASSWORD
 valueFrom:
@@ -65,7 +78,11 @@ spec:
 key: reva-ldap-bind-password
 - name: GROUPS_IDP_URL
- value: "https://{{ .Values.externalDomain }}"
+ {{ if not .Values.features.externalUserManagement.enabled }}
+ value: https://{{ .Values.externalDomain }}
+ {{ else }}
+ value: {{ .Values.features.externalUserManagement.oidc.IssuerURI }}
+ {{ end }}
 - name: REVA_GATEWAY
 value: gateway:9142
@@ -81,15 +98,19 @@ spec:
 - name: grpc
 containerPort: 9160
 volumeMounts:
+ {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }}
 - name: ldap-ca
 mountPath: /etc/ocis/ldap-ca
 readOnly: true
+ {{ end }}
 - name: tmp-volume
 mountPath: /tmp
 volumes:
+ {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }}
 - name: ldap-ca
 secret:
 secretName: {{ .Values.secretRefs.ldapCaRef }}
+ {{ end }}
 - name: tmp-volume
 emptyDir:
 medium: Memory
diff --git a/charts/ocis/templates/idm/deployment.yaml b/charts/ocis/templates/idm/deployment.yaml
index f03386e68..52abeac92 100644
--- a/charts/ocis/templates/idm/deployment.yaml
+++ b/charts/ocis/templates/idm/deployment.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.features.externalUserManagement.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
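Review bot: The second hunk (GROUPS_IDP_URL) replaces `value: "https://{{ .Values.externalDomain }}"` with the unquoted `value: https://{{ .Values.externalDomain }}`, dropping a quote the old line had; the same regression appears in the ocs, proxy and users deployments. A plain scalar starting with `https://` happens to parse as a string, but the quoted form keeps the value a string whatever `externalDomain` expands to and matches the still-quoted GRAPH_SPACES_WEBDAV_BASE in graph/deployment.yaml. Keep `value: "https://{{ .Values.externalDomain }}"` in the internal branch.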
@@ -117,7 +118,7 @@ spec:
 volumes:
 - name: ldap-cert
 secret:
- secretName: {{ .Values.secretRefs.ldapCertRef }}
+ secretName: {{ .Values.secretRefs.ldapcertRef }}
 {{ if .Values.services.idm.persistence.enabled }}
 - name: idm-data
 persistentVolumeClaim:
@@ -126,3 +127,4 @@ spec:
 - name: idm-data
 emptyDir: {}
 {{ end }}
+{{- end }}
diff --git a/charts/ocis/templates/idm/hpa.yaml b/charts/ocis/templates/idm/hpa.yaml
index 5c4a8285c..b50f9f01c 100644
--- a/charts/ocis/templates/idm/hpa.yaml
+++ b/charts/ocis/templates/idm/hpa.yaml
@@ -1,4 +1,4 @@
-
+{{- if not .Values.features.externalUserManagement.enabled }}
 {{- if .Values.autoscaling.enabled }}
 apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
@@ -17,3 +17,4 @@ spec:
 metrics:
 {{ toYaml .Values.autoscaling.metrics | indent 4 }}
 {{- end }}
+{{- end }}
diff --git a/charts/ocis/templates/idm/pvc.yaml b/charts/ocis/templates/idm/pvc.yaml
index 61fe18712..fb8f943ea 100644
--- a/charts/ocis/templates/idm/pvc.yaml
+++ b/charts/ocis/templates/idm/pvc.yaml
@@ -1,4 +1,5 @@
-{{- if and .Values.services.idm.persistence.enabled (not .Values.services.storageUsers.persistence.existingClaim)}}
+{{- if not .Values.features.externalUserManagement.enabled }}
+{{- if and .Values.services.idm.persistence.enabled (not .Values.services.idm.persistence.existingClaim)}}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -30,4 +31,5 @@ spec:
 matchLabels:
 {{ toYaml . | indent 6 }}
 {{- end }}
-{{- end -}}
+{{- end }}
+{{- end }}
diff --git a/charts/ocis/templates/idm/service.yaml b/charts/ocis/templates/idm/service.yaml
index 3c8878f74..e39ad34b0 100644
--- a/charts/ocis/templates/idm/service.yaml
+++ b/charts/ocis/templates/idm/service.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.features.externalUserManagement.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -12,3 +13,4 @@ spec:
 protocol: TCP
 selector:
 app: idm
+{{- end }}
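Review bot: `secretName: {{ .Values.secretRefs.ldapcertRef }}` renames the values key from `ldapCertRef` to `ldapcertRef`, together with the matching lines in the values.yaml and README.md hunks of this diff. Any existing override that sets `secretRefs.ldapCertRef` is no longer read, and because the default `"ldap-cert"` moved with the key the idm volume silently falls back to the default secret instead of failing loudly; the lowercase `c` also breaks the camelCase of the sibling keys `ldapCaRef`, `ldapSecretRef` and `idpSecretRef`. Unless the rename is deliberate, keep `secretName: {{ .Values.secretRefs.ldapCertRef }}` here and `ldapCertRef: "ldap-cert"` in values.yaml.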
diff --git a/charts/ocis/templates/idp/deployment.yaml b/charts/ocis/templates/idp/deployment.yaml
index 9f457b590..2222b7760 100644
--- a/charts/ocis/templates/idp/deployment.yaml
+++ b/charts/ocis/templates/idp/deployment.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.features.externalUserManagement.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -93,3 +94,4 @@ spec:
 - name: ldap-ca
 secret:
 secretName: {{ .Values.secretRefs.ldapCaRef }}
+{{- end }}
diff --git a/charts/ocis/templates/idp/hpa.yaml b/charts/ocis/templates/idp/hpa.yaml
index 648ebeea0..4f04604e1 100644
--- a/charts/ocis/templates/idp/hpa.yaml
+++ b/charts/ocis/templates/idp/hpa.yaml
@@ -1,4 +1,4 @@
-
+{{- if not .Values.features.externalUserManagement.enabled }}
 {{- if .Values.autoscaling.enabled }}
 apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
@@ -17,3 +17,4 @@ spec:
 metrics:
 {{ toYaml .Values.autoscaling.metrics | indent 4 }}
 {{- end }}
+{{- end }}
diff --git a/charts/ocis/templates/idp/service.yaml b/charts/ocis/templates/idp/service.yaml
index 5338efc1b..869c09ab5 100644
--- a/charts/ocis/templates/idp/service.yaml
+++ b/charts/ocis/templates/idp/service.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.features.externalUserManagement.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -12,3 +13,4 @@ spec:
 protocol: TCP
 selector:
 app: idp
+{{- end }}
diff --git a/charts/ocis/templates/nats/pvc.yaml b/charts/ocis/templates/nats/pvc.yaml
index 214da6bf9..ee2bb8769 100644
--- a/charts/ocis/templates/nats/pvc.yaml
+++ b/charts/ocis/templates/nats/pvc.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.services.search.persistence.enabled (not .Values.services.search.persistence.existingClaim)}}
+{{- if and .Values.services.search.persistence.enabled (not .Values.services.nats.persistence.existingClaim)}}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
diff --git a/charts/ocis/templates/ocs/deployment.yaml b/charts/ocis/templates/ocs/deployment.yaml
index f9abc0691..acaa4e25e 100644
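Review bot: The new condition in nats/pvc.yaml still pairs `.Values.services.search.persistence.enabled` with `.Values.services.nats.persistence.existingClaim`, so whether the NATS claim is created is decided by the search service's persistence flag; only the existingClaim half of the copy-paste was corrected. Presumably both halves should read the nats section, in the way the idm/pvc.yaml hunk in this diff now reads idm for both: `{{- if and .Values.services.nats.persistence.enabled (not .Values.services.nats.persistence.existingClaim)}}`. I cannot see from this diff whether `services.nats.persistence.enabled` exists in values.yaml, so confirm that before changing it.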
--- a/charts/ocis/templates/ocs/deployment.yaml
+++ b/charts/ocis/templates/ocs/deployment.yaml
@@ -53,7 +53,11 @@ spec:
 value: 0.0.0.0:9110
 - name: OCS_IDM_ADDRESS
- value: "https://{{ .Values.externalDomain }}"
+ {{ if not .Values.features.externalUserManagement.enabled }}
+ value: https://{{ .Values.externalDomain }}
+ {{ else }}
+ value: {{ .Values.features.externalUserManagement.oidc.IssuerURI }}
+ {{ end }}
 - name: REVA_GATEWAY
 value: gateway:9142
diff --git a/charts/ocis/templates/proxy/deployment.yaml b/charts/ocis/templates/proxy/deployment.yaml
index cca872c01..80933f499 100644
--- a/charts/ocis/templates/proxy/deployment.yaml
+++ b/charts/ocis/templates/proxy/deployment.yaml
@@ -56,8 +56,14 @@ spec:
 - name: PROXY_ENABLE_BASIC_AUTH
 value: "{{ .Values.features.basicAuthentication }}"
+
 - name: PROXY_OIDC_ISSUER
- value: "https://{{ .Values.externalDomain }}"
+ {{ if not .Values.features.externalUserManagement.enabled }}
+ value: https://{{ .Values.externalDomain }}
+ {{ else }}
+ value: {{ .Values.features.externalUserManagement.oidc.IssuerURI }}
+ {{ end }}
+
 - name: PROXY_TLS
 value: "false"
diff --git a/charts/ocis/templates/users/deployment.yaml b/charts/ocis/templates/users/deployment.yaml
index b31e9c867..479bbd2c0 100644
--- a/charts/ocis/templates/users/deployment.yaml
+++ b/charts/ocis/templates/users/deployment.yaml
@@ -53,16 +53,35 @@ spec:
 value: 0.0.0.0:9144
 - name: USERS_LDAP_URI
+ {{ if not .Values.features.externalUserManagement.enabled }}
 value: ldaps://idm:9235
+ {{ else }}
+ value: {{ .Values.features.externalUserManagement.ldap.uri }}
+ {{ end }}
+
 - name: USERS_LDAP_CACERT
+ {{ if or (not .Values.features.externalUserManagement.enabled) (not .Values.features.externalUserManagement.ldap.certTrusted) }}
 value: /etc/ocis/ldap-ca/ldap-ca.crt
+ {{ else }}
+ value: "" # no cert needed
+ {{ end }}
+
+ {{ if .Values.features.externalUserManagement.enabled }}
+ - name: USERS_LDAP_BIND_DN
+ value: {{ .Values.features.externalUserManagement.ldap.bindDN }}
+ {{ end }}
+
 - name: USERS_LDAP_BIND_PASSWORD
 valueFrom:
 secretKeyRef:
 name: {{ .Values.secretRefs.ldapSecretRef }}
 key: reva-ldap-bind-password
 - name: USERS_IDP_URL
- value: "https://{{ .Values.externalDomain }}"
+ {{ if not .Values.features.externalUserManagement.enabled }}
+ value: https://{{ .Values.externalDomain }}
+ {{ else }}
+ value: {{ .Values.features.externalUserManagement.oidc.IssuerURI }}
+ {{ end }}
 - name: REVA_GATEWAY
 value: gateway:9142
@@ -78,15 +97,19 @@ spec:
 - name: grpc
 containerPort: 9144
 volumeMounts:
+ {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }}
 - name: ldap-ca
 mountPath: /etc/ocis/ldap-ca
 readOnly: true
+ {{ end }}
 - name: tmp-volume
 mountPath: /tmp
 volumes:
+ {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }}
 - name: ldap-ca
 secret:
 secretName: {{ .Values.secretRefs.ldapCaRef }}
+ {{ end }}
 - name: tmp-volume
 emptyDir:
 medium: Memory
diff --git a/charts/ocis/templates/web/deployment.yaml b/charts/ocis/templates/web/deployment.yaml
index 52d501439..228134454 100644
--- a/charts/ocis/templates/web/deployment.yaml
+++ b/charts/ocis/templates/web/deployment.yaml
@@ -53,7 +53,11 @@ spec:
 value: 0.0.0.0:9100
 - name: WEB_OIDC_AUTHORITY
+ {{ if not .Values.features.externalUserManagement.enabled }}
 value: https://{{ .Values.externalDomain }}
+ {{ else }}
+ value: {{ .Values.features.externalUserManagement.oidc.IssuerURI }}
+ {{ end }}
 - name: WEB_UI_THEME_SERVER
 value: https://{{ .Values.externalDomain }}
 - name: WEB_UI_CONFIG_SERVER
diff --git a/charts/ocis/values.yaml b/charts/ocis/values.yaml
index 7530ac2a7..a2a9e9584 100644
--- a/charts/ocis/values.yaml
+++ b/charts/ocis/values.yaml
@@ -48,6 +48,29 @@ features:
 # -- Create demo users on the first startup.
 # Not recommended for production installations.
 demoUsers: false
+ # External user management
+ externalUserManagement:
+ # -- Enables external user management (and disables internal user management).
+ # Needs an external OpenID Connect Identity Provider and an external LDAP server.
+ enabled: false
+ # OpenID Connect Identity provider related settings.
+ oidc:
+ # -- Issuer URI of the OpenID Connect Identity Provider.
+ # If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option.
+ issuerURI: https://idp.owncloud.test/realms/ocis
+ # LDAP related settings.
+ ldap:
+ # -- URI to connect to the LDAP secure server.
+ uri: ldaps://ldaps.owncloud.test
+ # -- Set only to false, if the certificate of your LDAP secure service is not trusted.
+ # If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef"
+ certTrusted: true
+ # -- DN of the user to use to bind to the LDAP server.
+ # The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`.
+ # The user needs to have permission to list users and groups.
+ bindDN: uid=ocis,ou=system-users,dc=owncloud,dc=test
+
+ # TODO: all other LDAP related settings
 # Ingress for oCIS.
 ingress:
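Review bot: The new defaults in the values.yaml hunk, `issuerURI: https://idp.owncloud.test/realms/ocis`, `uri: ldaps://ldaps.owncloud.test` and `bindDN: uid=ocis,ou=system-users,dc=owncloud,dc=test`, are plain scalars, whereas the `secretRefs` block in the same file quotes its strings (`ldapCaRef: "ldap-ca"`); quoting these three signals they are strings and keeps a user override containing `: ` or ` #` from breaking the file. The block also ships `# TODO: all other LDAP related settings` in the published default values, which is better tracked in an issue than left in front of chart users.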
@@ -79,7 +102,7 @@ secretRefs:
 # -- Reference to an existing LDAP certificate authority secret (see [Secrets](#secrets))
 ldapCaRef: "ldap-ca"
 # -- Reference to an existing LDAP cert secret (see [Secrets](#secrets))
- ldapCertRef: "ldap-cert"
+ ldapcertRef: "ldap-cert"
 # -- Reference to an existing LDAP bind secret (see [Secrets](#secrets))
 ldapSecretRef: "ldap-bind-secrets"
 # -- Reference to an existing machine auth api key secret (see [Secrets](#secrets))