From 98c8f71d63cc8a1488c31d0656e04191d9634030 Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Wed, 13 Jul 2022 12:51:27 +0200 Subject: [PATCH 1/7] add feature flag for external user management --- charts/ocis/README.md | 148 +++++++++++------- charts/ocis/README.md.gotmpl | 145 ++++++++++------- charts/ocis/docs/values-desc-table.adoc | 30 ++++ charts/ocis/docs/values.adoc.yaml | 23 +++ .../ocis/templates/auth-basic/deployment.yaml | 24 +++ charts/ocis/templates/auth-basic/hpa.yaml | 7 +- charts/ocis/templates/auth-basic/service.yaml | 2 + .../templates/auth-bearer/deployment.yaml | 4 + .../templates/graph-explorer/deployment.yaml | 4 + charts/ocis/templates/graph/deployment.yaml | 11 +- charts/ocis/templates/groups/deployment.yaml | 23 ++- charts/ocis/templates/idm/deployment.yaml | 2 + charts/ocis/templates/idm/hpa.yaml | 3 +- charts/ocis/templates/idm/pvc.yaml | 6 +- charts/ocis/templates/idm/service.yaml | 2 + charts/ocis/templates/idp/deployment.yaml | 2 + charts/ocis/templates/idp/hpa.yaml | 3 +- charts/ocis/templates/idp/service.yaml | 2 + charts/ocis/templates/nats/pvc.yaml | 2 +- charts/ocis/templates/ocs/deployment.yaml | 6 +- charts/ocis/templates/proxy/deployment.yaml | 8 +- charts/ocis/templates/users/deployment.yaml | 25 ++- charts/ocis/templates/web/deployment.yaml | 4 + charts/ocis/values.yaml | 23 +++ 24 files changed, 389 insertions(+), 120 deletions(-) diff --git a/charts/ocis/README.md b/charts/ocis/README.md index 3e6ee36cd..1fad910c9 100644 --- a/charts/ocis/README.md +++ b/charts/ocis/README.md 
@@ -130,6 +130,11 @@ This chart only supports following oCIS versions: | features.basicAuthentication | bool | `false` | Enable basic authentication. Not recommended for production installations. | | features.demoUsers | bool | `false` | Create demo users on the first startup. Not recommended for production installations. | | features.emailNotifications | bool | `false` | Enables email notifications. This features needs the secret from notificationsSmtpSecretRef present. | +| features.externalUserManagement.enabled | bool | `false` | Enables external user management (and disables internal user management). Needs an external OpenID Connect Identity Provider and an external LDAP server. | +| features.externalUserManagement.ldap.bindDN | string | `"uid=ocis,ou=system-users,dc=owncloud,dc=test"` | DN of the user to use to bind to the LDAP server. The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`. The user needs to have permission to list users and groups. | +| features.externalUserManagement.ldap.certTrusted | bool | `true` | Set only to false, if the certificate of your LDAP secure service is not trusted. If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" | +| features.externalUserManagement.ldap.uri | string | `"ldaps://ldaps.owncloud.test"` | URI to connect to the LDAP secure server. | +| features.externalUserManagement.oidc.issuerURI | string | `"https://idp.owncloud.test/realms/ocis"` | Issuer URI of the OpenID Connect Identity Provider. If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option. | | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | image.repository | string | `"owncloud/ocis"` | Image repository | | image.sha | string | `""` | Image sha / digest (optional). | 
@@ -254,59 +259,6 @@ data: # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` jwt-secret: XXXXXXXXXXXXX ---- -apiVersion: v1 -kind: Secret -metadata: - name: ldap-bind-secrets -type: Opaque -data: - # how to generate: base64 encode a random string (reasonable long and mixed characters) - # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` - reva-ldap-bind-password: XXXXXXXXXXXXX - - # how to generate: base64 encode a random string (reasonable long and mixed characters) - # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` - idp-ldap-bind-password: XXXXXXXXXXXXX - - # how to generate: base64 encode a random string (reasonable long and mixed characters) - # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` - graph-ldap-bind-password: XXXXXXXXXXXXX - ---- -apiVersion: v1 -kind: Secret -metadata: - name: ldap-ca -type: Opaque -data: - # how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority - # example generation commands: - # - `openssl genrsa -out ldap-ca.key 4096` - # - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt` - # - `cat ldap-ca.crt | base64 | tr -d '\n' && echo` - ldap-ca.crt: XXXXXXXXXXXXX - ---- -apiVersion: v1 -kind: Secret -metadata: - name: ldap-cert -type: Opaque -data: - # how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size) - # example generation commands: - # - `openssl genrsa -out ldap.key 4096` - # - `cat ldap.key | base64 | tr -d '\n' && echo` - ldap.key: XXXXXXXXXXXXX - - # how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key. 
- # example generation commands: - # - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr` - # - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial` - # - `cat ldap.crt | base64 | tr -d '\n' && echo` - ldap.crt: XXXXXXXXXXXXX - --- apiVersion: v1 kind: Secret @@ -397,6 +349,8 @@ data: thumbnails-transfer-secret: XXXXXXXXXXXXX ``` +#### Notifications related secrets + If you set `features.emailNotifications` to `true` you also need to configure a SMTP email server secret: ```yaml 
@@ -415,7 +369,95 @@ data: smtp-port: 1025 # Password of the SMTP host to connect to. smtp-password: XXXXXXXXXXXXX +``` + +#### User management related secrets + +If you're using the builtin user management (`features.externalUserManagement.enabled` == `false`), you need to set these secrets: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-bind-secrets +type: Opaque +data: + # how to generate: base64 encode a random string (reasonable long and mixed characters) + # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` + reva-ldap-bind-password: XXXXXXXXXXXXX + + # how to generate: base64 encode a random string (reasonable long and mixed characters) + # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` + idp-ldap-bind-password: XXXXXXXXXXXXX + + # how to generate: base64 encode a random string (reasonable long and mixed characters) + # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` + graph-ldap-bind-password: XXXXXXXXXXXXX + +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-ca +type: Opaque +data: + # how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority + # example generation commands: + # - `openssl genrsa -out ldap-ca.key 4096` + # - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt` + # - `cat ldap-ca.crt | base64 | tr -d '\n' && echo` + ldap-ca.crt: XXXXXXXXXXXXX +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-cert +type: Opaque +data: + # how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size) + # example generation commands: + # - `openssl genrsa -out ldap.key 4096` + # - `cat ldap.key | base64 | tr -d '\n' && echo` + ldap.key: XXXXXXXXXXXXX + + # how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key. 
+ # example generation commands: + # - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr` + # - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial` + # - `cat ldap.crt | base64 | tr -d '\n' && echo` + ldap.crt: XXXXXXXXXXXXX +``` + +If you're using an external user managment (`features.externalUserManagement.enabled` == `true`), +you need to set the LDAP bind password into a secrets: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-bind-secrets +type: Opaque +data: + # Base64 encoded password for the LDAP bind user. + reva-ldap-bind-password: XXXXXXXXXXXXX +``` + +If you're LDAP secure server is not using a trusted certificate (`features.externalUserManagement.ldap.certTrusted` == `false`), +you need to set your LDAP CA (Certificate Authority) certificate in following secret: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-ca +type: Opaque +data: + # Base64 encoded certificate of the CA that issued the LDAP server certificate. + ldap-ca.crt: XXXXXXXXXXXXX ``` ### Example with NGINX ingress and certificate issued by cert-manager diff --git a/charts/ocis/README.md.gotmpl b/charts/ocis/README.md.gotmpl index a414150c9..6e158a42e 100644 --- a/charts/ocis/README.md.gotmpl +++ b/charts/ocis/README.md.gotmpl 
@@ -146,60 +146,6 @@ data: # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` jwt-secret: XXXXXXXXXXXXX ---- -apiVersion: v1 -kind: Secret -metadata: - name: ldap-bind-secrets -type: Opaque -data: - # how to generate: base64 encode a random string (reasonable long and mixed characters) - # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` - reva-ldap-bind-password: XXXXXXXXXXXXX - - # how to generate: base64 encode a random string (reasonable long and mixed characters) - # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` - idp-ldap-bind-password: XXXXXXXXXXXXX - - # how to generate: base64 encode a random string (reasonable long and mixed characters) - # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` - graph-ldap-bind-password: XXXXXXXXXXXXX - ---- -apiVersion: v1 -kind: Secret -metadata: - name: ldap-ca -type: Opaque -data: - # how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority - # example generation commands: - # - `openssl genrsa -out ldap-ca.key 4096` - # - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt` - # - `cat ldap-ca.crt | base64 | tr -d '\n' && echo` - ldap-ca.crt: XXXXXXXXXXXXX - ---- -apiVersion: v1 -kind: Secret -metadata: - name: ldap-cert -type: Opaque -data: - # how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size) - # example generation commands: - # - `openssl genrsa -out ldap.key 4096` - # - `cat ldap.key | base64 | tr -d '\n' && echo` - ldap.key: XXXXXXXXXXXXX - - # how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key. 
- # example generation commands: - # - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr` - # - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial` - # - `cat ldap.crt | base64 | tr -d '\n' && echo` - ldap.crt: XXXXXXXXXXXXX - - --- apiVersion: v1 kind: Secret @@ -290,6 +236,8 @@ data: thumbnails-transfer-secret: XXXXXXXXXXXXX ``` +#### Notifications related secrets + If you set `features.emailNotifications` to `true` you also need to configure a SMTP email server secret: ```yaml 
@@ -308,9 +256,98 @@ data: smtp-port: 1025 # Password of the SMTP host to connect to. smtp-password: XXXXXXXXXXXXX +``` + +#### User management related secrets + +If you're using the builtin user management (`features.externalUserManagement.enabled` == `false`), you need to set these secrets: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-bind-secrets +type: Opaque +data: + # how to generate: base64 encode a random string (reasonable long and mixed characters) + # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` + reva-ldap-bind-password: XXXXXXXXXXXXX + + # how to generate: base64 encode a random string (reasonable long and mixed characters) + # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` + idp-ldap-bind-password: XXXXXXXXXXXXX + + # how to generate: base64 encode a random string (reasonable long and mixed characters) + # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64` + graph-ldap-bind-password: XXXXXXXXXXXXX + +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-ca +type: Opaque +data: + # how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority + # example generation commands: + # - `openssl genrsa -out ldap-ca.key 4096` + # - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt` + # - `cat ldap-ca.crt | base64 | tr -d '\n' && echo` + ldap-ca.crt: XXXXXXXXXXXXX + +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-cert +type: Opaque +data: + # how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size) + # example generation commands: + # - `openssl genrsa -out ldap.key 4096` + # - `cat ldap.key | base64 | tr -d '\n' && echo` + ldap.key: XXXXXXXXXXXXX + + # how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key. 
+ # example generation commands: + # - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr` + # - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial` + # - `cat ldap.crt | base64 | tr -d '\n' && echo` + ldap.crt: XXXXXXXXXXXXX +``` + +If you're using an external user managment (`features.externalUserManagement.enabled` == `true`), +you need to set the LDAP bind password into a secrets: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-bind-secrets +type: Opaque +data: + # Base64 encoded password for the LDAP bind user. + reva-ldap-bind-password: XXXXXXXXXXXXX +``` + +If you're LDAP secure server is not using a trusted certificate (`features.externalUserManagement.ldap.certTrusted` == `false`), +you need to set your LDAP CA (Certificate Authority) certificate in following secret: +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: ldap-ca +type: Opaque +data: + # Base64 encoded certificate of the CA that issued the LDAP server certificate. + ldap-ca.crt: XXXXXXXXXXXXX ``` + ### Example with NGINX ingress and certificate issued by cert-manager To make this work you need to have NGINX ingress and cert-manager installed in your cluster. diff --git a/charts/ocis/docs/values-desc-table.adoc b/charts/ocis/docs/values-desc-table.adoc index 51dfeb5b4..1cab7e427 100644 --- a/charts/ocis/docs/values-desc-table.adoc +++ b/charts/ocis/docs/values-desc-table.adoc 
@@ -144,6 +144,36 @@ a| [subs=-attributes] a| [subs=-attributes] `false` | Enables email notifications. This features needs the secret from notificationsSmtpSecretRef present. +| features.externalUserManagement.enabled +a| [subs=-attributes] ++bool+ +a| [subs=-attributes] +`false` +| Enables external user management (and disables internal user management). Needs an external OpenID Connect Identity Provider and an external LDAP server. +| features.externalUserManagement.ldap.bindDN +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"uid=ocis,ou=system-users,dc=owncloud,dc=test"` +| DN of the user to use to bind to the LDAP server. The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`. The user needs to have permission to list users and groups. +| features.externalUserManagement.ldap.certTrusted +a| [subs=-attributes] ++bool+ +a| [subs=-attributes] +`true` +| Set only to false, if the certificate of your LDAP secure service is not trusted. If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" +| features.externalUserManagement.ldap.uri +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"ldaps://ldaps.owncloud.test"` +| URI to connect to the LDAP secure server. +| features.externalUserManagement.oidc.issuerURI +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"https://idp.owncloud.test/realms/ocis"` +| Issuer URI of the OpenID Connect Identity Provider. If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option. | image.pullPolicy a| [subs=-attributes] +string+ diff --git a/charts/ocis/docs/values.adoc.yaml b/charts/ocis/docs/values.adoc.yaml index a42e872c7..90c76c82c 100644 --- a/charts/ocis/docs/values.adoc.yaml +++ b/charts/ocis/docs/values.adoc.yaml 
@@ -84,6 +84,29 @@ features: # -- Disables SSL certificate checking for connections to the office suites http api. # Not recommended for production installations. insecure: false + # External user management + externalUserManagement: + # -- Enables external user management (and disables internal user management). + # Needs an external OpenID Connect Identity Provider and an external LDAP server. + enabled: false + # OpenID Connect Identity provider related settings. + oidc: + # -- Issuer URI of the OpenID Connect Identity Provider. + # If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option. + issuerURI: https://idp.owncloud.test/realms/ocis + # LDAP related settings. + ldap: + # -- URI to connect to the LDAP secure server. + uri: ldaps://ldaps.owncloud.test + # -- Set only to false, if the certificate of your LDAP secure service is not trusted. + # If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" + certTrusted: true + # -- DN of the user to use to bind to the LDAP server. + # The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`. + # The user needs to have permission to list users and groups. + bindDN: uid=ocis,ou=system-users,dc=owncloud,dc=test + + # TODO: all other LDAP related settings # Ingress for oCIS. ingress: diff --git a/charts/ocis/templates/auth-basic/deployment.yaml b/charts/ocis/templates/auth-basic/deployment.yaml index 56c295af1..3a829d1aa 100644 --- a/charts/ocis/templates/auth-basic/deployment.yaml +++ b/charts/ocis/templates/auth-basic/deployment.yaml @@ -1,3 +1,4 @@ +{{ if .Values.features.basicAuthentication }} apiVersion: apps/v1 kind: Deployment metadata: 
@@ -56,9 +57,23 @@ spec: value: gateway:9142 - name: AUTH_BASIC_LDAP_URI + {{ if not .Values.features.externalUserManagement.enabled }} value: ldaps://idm:9235 + {{ else }} + value: {{ .Values.features.externalUserManagement.ldap.uri }} + {{ end }} + - name: AUTH_BASIC_LDAP_CACERT + {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }} value: /etc/ocis/ldap-ca/ldap-ca.crt + {{ else }} + value: "" # no cert needed + {{ end }} + + {{ if .Values.features.externalUserManagement.enabled }} + - name: AUTH_BASIC_LDAP_BIND_DN + value: {{ .Values.features.externalUserManagement.ldap.bindDN }} + {{ end }} - name: AUTH_BASIC_LDAP_BIND_PASSWORD valueFrom: @@ -67,7 +82,11 @@ spec: key: reva-ldap-bind-password - name: AUTH_BASIC_IDP_URL + {{ if not .Values.features.externalUserManagement.enabled }} value: https://{{ .Values.externalDomain }} + {{ else }} + value: {{ .Values.features.externalUserManagement.oidc.issuerURI }} + {{ end }} - name: AUTH_BASIC_JWT_SECRET valueFrom: @@ -82,9 +101,11 @@ spec: volumeMounts: - name: ocis-config-tmp mountPath: /etc/ocis # we mount that volume only to apply fsGroup to that path + {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }} - name: ldap-ca mountPath: /etc/ocis/ldap-ca readOnly: true + {{ end }} - name: tmp-volume mountPath: /tmp volumes: @@ -92,10 +113,13 @@ spec: emptyDir: medium: Memory sizeLimit: 6Mi + {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }} - name: ldap-ca secret: secretName: {{ .Values.secretRefs.ldapCaRef }} + {{ end }} - name: tmp-volume emptyDir: medium: Memory sizeLimit: 6Mi +{{ end }} diff --git a/charts/ocis/templates/auth-basic/hpa.yaml b/charts/ocis/templates/auth-basic/hpa.yaml index f885ca501..8e93516bb 100644 --- a/charts/ocis/templates/auth-basic/hpa.yaml 
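Review bot: The new `AUTH_BASIC_LDAP_URI` and `AUTH_BASIC_LDAP_BIND_DN` else-branches render the values as unquoted plain scalars, so a bind DN or URI containing `: `, ` #` or a leading YAML indicator would break or retype the rendered manifest. Pipe them through `quote`: `value: {{ .Values.features.externalUserManagement.ldap.uri | quote }}` and `value: {{ .Values.features.externalUserManagement.ldap.bindDN | quote }}`, and do the same for the `AUTH_BASIC_IDP_URL` else-branch in the second hunk. The `value: ""` path taken when `ldap.certTrusted` is true presumably means "validate against the container's system trust store"; the trailing `# no cert needed` comment should say that explicitly rather than suggesting verification is skipped.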
+++ b/charts/ocis/templates/auth-basic/hpa.yaml @@ -1,5 +1,5 @@ - -{{- if .Values.autoscaling.enabled }} +{{ if .Values.features.basicAuthentication }} +{{ if .Values.autoscaling.enabled }} apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: @@ -16,4 +16,5 @@ spec: maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: {{ toYaml .Values.autoscaling.metrics | indent 4 }} -{{- end }} +{{ end }} +{{ end }} diff --git a/charts/ocis/templates/auth-basic/service.yaml b/charts/ocis/templates/auth-basic/service.yaml index 3144b763f..2ca8ab02c 100644 --- a/charts/ocis/templates/auth-basic/service.yaml +++ b/charts/ocis/templates/auth-basic/service.yaml @@ -1,3 +1,4 @@ +{{ if .Values.features.basicAuthentication }} apiVersion: v1 kind: Service metadata: @@ -12,3 +13,4 @@ spec: protocol: TCP selector: app: auth-basic +{{ end }} diff --git a/charts/ocis/templates/auth-bearer/deployment.yaml b/charts/ocis/templates/auth-bearer/deployment.yaml index 25d41c602..9b1306e3e 100644 --- a/charts/ocis/templates/auth-bearer/deployment.yaml +++ b/charts/ocis/templates/auth-bearer/deployment.yaml @@ -59,7 +59,11 @@ spec: value: gateway:9142 - name: AUTH_BEARER_OIDC_ISSUER + {{ if not .Values.features.externalUserManagement.enabled }} value: https://{{ .Values.externalDomain }} + {{ else }} + value: {{ .Values.features.externalUserManagement.oidc.issuerURI }} + {{ end }} - name: AUTH_BEARER_JWT_SECRET valueFrom: diff --git a/charts/ocis/templates/graph-explorer/deployment.yaml b/charts/ocis/templates/graph-explorer/deployment.yaml index 5369f5ddf..5f8af2718 100644 --- a/charts/ocis/templates/graph-explorer/deployment.yaml +++ b/charts/ocis/templates/graph-explorer/deployment.yaml 
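Review bot: The auth-basic HPA hunk replaces `{{- if .Values.autoscaling.enabled }}` / `{{- end }}` with the non-trimming `{{ if ... }}` / `{{ end }}` form, while the idm and idp HPA hunks in the same patch keep `{{-` for the identical wrapping. Rendering still works, but the output now carries stray blank lines and the two conventions diverge within one chart; keep the trimmed form, `{{- if .Values.features.basicAuthentication }}` and `{{- end }}`, to match idm/idp.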
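Review bot: `AUTH_BEARER_OIDC_ISSUER` now takes `features.externalUserManagement.oidc.issuerURI` verbatim and nothing in the chart rejects a non-`https://` issuer, so a mistyped value silently moves OIDC discovery and token validation to cleartext. A fail-fast guard at the top of the template is cheap given the documented default is already `https://`: `{{ if and .Values.features.externalUserManagement.enabled (not (hasPrefix "https://" .Values.features.externalUserManagement.oidc.issuerURI)) }}{{ fail "features.externalUserManagement.oidc.issuerURI must be an https:// URL" }}{{ end }}`. The value should also be rendered with `| quote` like any templated scalar. The rest of the container spec lies outside the hunk.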
@@ -53,7 +53,11 @@ spec: value: 0.0.0.0:9135 - name: GRAPH_EXPLORER_ISSUER + {{ if not .Values.features.externalUserManagement.enabled }} value: https://{{ .Values.externalDomain }} + {{ else }} + value: {{ .Values.features.externalUserManagement.oidc.issuerURI }} + {{ end }} - name: GRAPH_EXPLORER_GRAPH_URL_BASE value: https://{{ .Values.externalDomain }} diff --git a/charts/ocis/templates/graph/deployment.yaml b/charts/ocis/templates/graph/deployment.yaml index 05273551e..c70849cf7 100644 --- a/charts/ocis/templates/graph/deployment.yaml +++ b/charts/ocis/templates/graph/deployment.yaml @@ -55,16 +55,21 @@ spec: - name: GRAPH_SPACES_WEBDAV_BASE value: "https://{{ .Values.externalDomain }}" + {{ if not .Values.features.externalUserManagement.enabled }} - name: GRAPH_LDAP_URI value: ldaps://idm:9235 - name: GRAPH_LDAP_CACERT value: /etc/ocis/ldap-ca/ldap-ca.crt - - name: GRAPH_LDAP_BIND_PASSWORD valueFrom: secretKeyRef: name: {{ .Values.secretRefs.ldapSecretRef }} key: graph-ldap-bind-password + {{ else }} + - name: GRAPH_IDENTITY_BACKEND + value: cs3 + {{ end }} + - name: REVA_GATEWAY value: gateway:9142 @@ -81,12 +86,15 @@ spec: ports: - name: http containerPort: 9120 + {{ if not .Values.features.externalUserManagement.enabled }} volumeMounts: - name: ocis-config-tmp mountPath: /etc/ocis # we mount that volume only to apply fsGroup to that path - name: ldap-ca mountPath: /etc/ocis/ldap-ca readOnly: true + {{ end }} + {{ if not .Values.features.externalUserManagement.enabled }} volumes: - name: ocis-config-tmp emptyDir: @@ -95,3 +103,4 @@ spec: - name: ldap-ca secret: secretName: {{ .Values.secretRefs.ldapCaRef }} + {{ end }} diff --git a/charts/ocis/templates/groups/deployment.yaml b/charts/ocis/templates/groups/deployment.yaml index db25ed8ae..9553778cb 100644 --- a/charts/ocis/templates/groups/deployment.yaml +++ b/charts/ocis/templates/groups/deployment.yaml 
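Review bot: In the graph deployment hunks, the `{{ if not .Values.features.externalUserManagement.enabled }}` guards wrap the entire `volumeMounts:` and `volumes:` sections, so in cs3 mode the `ocis-config-tmp` mount is dropped along with the LDAP CA, even though its own comment says it exists "to apply fsGroup to that path" and every other deployment in this patch keeps it unconditionally and guards only the `ldap-ca` entries. If the graph service still writes under /etc/ocis with `GRAPH_IDENTITY_BACKEND=cs3` (not visible here), it would lose that writable path. Move the guards inward so they wrap only the `- name: ldap-ca` mount and volume, mirroring the users/groups/auth-basic templates; that also removes the two back-to-back `{{ if not ... }}`/`{{ end }}` pairs.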
@@ -54,9 +54,22 @@ spec: - name: GROUPS_LDAP_URI + {{ if not .Values.features.externalUserManagement.enabled }} value: ldaps://idm:9235 + {{ else }} + value: {{ .Values.features.externalUserManagement.ldap.uri }} + {{ end }} - name: GROUPS_LDAP_CACERT + {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }} value: /etc/ocis/ldap-ca/ldap-ca.crt + {{ else }} + value: "" # no cert needed + {{ end }} + + {{ if .Values.features.externalUserManagement.enabled }} + - name: GROUPS_LDAP_BIND_DN + value: {{ .Values.features.externalUserManagement.ldap.bindDN }} + {{ end }} - name: GROUPS_LDAP_BIND_PASSWORD valueFrom: @@ -65,7 +78,11 @@ spec: key: reva-ldap-bind-password - name: GROUPS_IDP_URL - value: "https://{{ .Values.externalDomain }}" + {{ if not .Values.features.externalUserManagement.enabled }} + value: https://{{ .Values.externalDomain }} + {{ else }} + value: {{ .Values.features.externalUserManagement.oidc.issuerURI }} + {{ end }} - name: REVA_GATEWAY value: gateway:9142 @@ -83,9 +100,11 @@ spec: volumeMounts: - name: ocis-config-tmp mountPath: /etc/ocis # we mount that volume only to apply fsGroup to that path + {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }} - name: ldap-ca mountPath: /etc/ocis/ldap-ca readOnly: true + {{ end }} - name: tmp-volume mountPath: /tmp volumes: @@ -93,9 +112,11 @@ spec: emptyDir: medium: Memory sizeLimit: 6Mi + {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }} - name: ldap-ca secret: secretName: {{ .Values.secretRefs.ldapCaRef }} + {{ end }} - name: tmp-volume emptyDir: medium: Memory diff --git a/charts/ocis/templates/idm/deployment.yaml b/charts/ocis/templates/idm/deployment.yaml index e80ee5a9b..66d2fe7b9 100644 --- a/charts/ocis/templates/idm/deployment.yaml 
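Review bot: The `GROUPS_IDP_URL` hunk drops the double quotes the file had around `"https://{{ .Values.externalDomain }}"` and renders the external branch unquoted as well, a small regression in defensive quoting that recurs in the ocs, proxy and users hunks. Keep `value: "https://{{ .Values.externalDomain }}"` and write the other branch as `value: {{ .Values.features.externalUserManagement.oidc.issuerURI | quote }}`; likewise `GROUPS_LDAP_URI` and `GROUPS_LDAP_BIND_DN` should use `| quote`. Since `GROUPS_LDAP_BIND_DN` is only emitted when external management is enabled, internal mode silently relies on the service's built-in default DN; a one-line comment, `# internal idm mode: the service default bind DN is used`, would make that explicit.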
+++ b/charts/ocis/templates/idm/deployment.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.features.externalUserManagement.enabled }} apiVersion: apps/v1 kind: Deployment metadata: @@ -128,3 +129,4 @@ spec: - name: idm-data emptyDir: {} {{ end }} +{{- end }} diff --git a/charts/ocis/templates/idm/hpa.yaml b/charts/ocis/templates/idm/hpa.yaml index 5c4a8285c..b50f9f01c 100644 --- a/charts/ocis/templates/idm/hpa.yaml +++ b/charts/ocis/templates/idm/hpa.yaml @@ -1,4 +1,4 @@ - +{{- if not .Values.features.externalUserManagement.enabled }} {{- if .Values.autoscaling.enabled }} apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler @@ -17,3 +17,4 @@ spec: metrics: {{ toYaml .Values.autoscaling.metrics | indent 4 }} {{- end }} +{{- end }} diff --git a/charts/ocis/templates/idm/pvc.yaml b/charts/ocis/templates/idm/pvc.yaml index 61fe18712..fb8f943ea 100644 --- a/charts/ocis/templates/idm/pvc.yaml +++ b/charts/ocis/templates/idm/pvc.yaml @@ -1,4 +1,5 @@ -{{- if and .Values.services.idm.persistence.enabled (not .Values.services.storageUsers.persistence.existingClaim)}} +{{- if not .Values.features.externalUserManagement.enabled }} +{{- if and .Values.services.idm.persistence.enabled (not .Values.services.idm.persistence.existingClaim)}} apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -30,4 +31,5 @@ spec: matchLabels: {{ toYaml . | indent 6 }} {{- end }} -{{- end -}} +{{- end }} +{{- end }} diff --git a/charts/ocis/templates/idm/service.yaml b/charts/ocis/templates/idm/service.yaml index 3c8878f74..e39ad34b0 100644 --- a/charts/ocis/templates/idm/service.yaml +++ b/charts/ocis/templates/idm/service.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.features.externalUserManagement.enabled }} apiVersion: v1 kind: Service metadata: @@ -12,3 +13,4 @@ spec: protocol: TCP selector: app: idm +{{- end }} diff --git a/charts/ocis/templates/idp/deployment.yaml b/charts/ocis/templates/idp/deployment.yaml index a29a2e2c4..2d41f3695 100644 --- a/charts/ocis/templates/idp/deployment.yaml 
+++ b/charts/ocis/templates/idp/deployment.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.features.externalUserManagement.enabled }} apiVersion: apps/v1 kind: Deployment metadata: @@ -105,3 +106,4 @@ spec: emptyDir: medium: Memory sizeLimit: 6Mi +{{- end }} diff --git a/charts/ocis/templates/idp/hpa.yaml b/charts/ocis/templates/idp/hpa.yaml index 648ebeea0..4f04604e1 100644 --- a/charts/ocis/templates/idp/hpa.yaml +++ b/charts/ocis/templates/idp/hpa.yaml @@ -1,4 +1,4 @@ - +{{- if not .Values.features.externalUserManagement.enabled }} {{- if .Values.autoscaling.enabled }} apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler @@ -17,3 +17,4 @@ spec: metrics: {{ toYaml .Values.autoscaling.metrics | indent 4 }} {{- end }} +{{- end }} diff --git a/charts/ocis/templates/idp/service.yaml b/charts/ocis/templates/idp/service.yaml index 5338efc1b..869c09ab5 100644 --- a/charts/ocis/templates/idp/service.yaml +++ b/charts/ocis/templates/idp/service.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.features.externalUserManagement.enabled }} apiVersion: v1 kind: Service metadata: @@ -12,3 +13,4 @@ spec: protocol: TCP selector: app: idp +{{- end }} diff --git a/charts/ocis/templates/nats/pvc.yaml b/charts/ocis/templates/nats/pvc.yaml index 214da6bf9..ee2bb8769 100644 --- a/charts/ocis/templates/nats/pvc.yaml +++ b/charts/ocis/templates/nats/pvc.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.services.search.persistence.enabled (not .Values.services.search.persistence.existingClaim)}} +{{- if and .Values.services.search.persistence.enabled (not .Values.services.nats.persistence.existingClaim)}} apiVersion: v1 kind: PersistentVolumeClaim metadata: diff --git a/charts/ocis/templates/ocs/deployment.yaml b/charts/ocis/templates/ocs/deployment.yaml index 66114b640..458dc827d 100644 --- a/charts/ocis/templates/ocs/deployment.yaml +++ b/charts/ocis/templates/ocs/deployment.yaml 
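Review bot: The nats PVC hunk corrects only the `existingClaim` half of the condition, leaving `.Values.services.search.persistence.enabled` as the gate, so the NATS claim is still created or skipped according to the search service's setting while its override now comes from `services.nats`. If `services.nats.persistence.enabled` exists in values.yaml (that file's hunk is cut off at the end of this chunk), the line should read `{{- if and .Values.services.nats.persistence.enabled (not .Values.services.nats.persistence.existingClaim)}}`; otherwise this is a half-applied copy-paste fix. The idm PVC hunk earlier in the patch makes the equivalent correction on both halves.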
@@ -53,7 +53,11 @@ spec: value: 0.0.0.0:9110 - name: OCS_IDM_ADDRESS - value: "https://{{ .Values.externalDomain }}" + {{ if not .Values.features.externalUserManagement.enabled }} + value: https://{{ .Values.externalDomain }} + {{ else }} + value: {{ .Values.features.externalUserManagement.oidc.issuerURI }} + {{ end }} - name: REVA_GATEWAY value: gateway:9142 diff --git a/charts/ocis/templates/proxy/deployment.yaml b/charts/ocis/templates/proxy/deployment.yaml index a1d562900..90b6f86cd 100644 --- a/charts/ocis/templates/proxy/deployment.yaml +++ b/charts/ocis/templates/proxy/deployment.yaml @@ -56,8 +56,14 @@ spec: - name: PROXY_ENABLE_BASIC_AUTH value: "{{ .Values.features.basicAuthentication }}" + - name: PROXY_OIDC_ISSUER - value: "https://{{ .Values.externalDomain }}" + {{ if not .Values.features.externalUserManagement.enabled }} + value: https://{{ .Values.externalDomain }} + {{ else }} + value: {{ .Values.features.externalUserManagement.oidc.issuerURI }} + {{ end }} + - name: PROXY_TLS value: "false" diff --git a/charts/ocis/templates/users/deployment.yaml b/charts/ocis/templates/users/deployment.yaml index 6edf97a5f..8a99786f1 100644 --- a/charts/ocis/templates/users/deployment.yaml +++ b/charts/ocis/templates/users/deployment.yaml 
@@ -53,16 +53,35 @@ spec: value: 0.0.0.0:9144 - name: USERS_LDAP_URI + {{ if not .Values.features.externalUserManagement.enabled }} value: ldaps://idm:9235 + {{ else }} + value: {{ .Values.features.externalUserManagement.ldap.uri }} + {{ end }} + - name: USERS_LDAP_CACERT + {{ if or (not .Values.features.externalUserManagement.enabled) (not .Values.features.externalUserManagement.ldap.certTrusted) }} value: /etc/ocis/ldap-ca/ldap-ca.crt + {{ else }} + value: "" # no cert needed + {{ end }} + + {{ if .Values.features.externalUserManagement.enabled }} + - name: USERS_LDAP_BIND_DN + value: {{ .Values.features.externalUserManagement.ldap.bindDN }} + {{ end }} + - name: USERS_LDAP_BIND_PASSWORD valueFrom: secretKeyRef: name: {{ .Values.secretRefs.ldapSecretRef }} key: reva-ldap-bind-password - name: USERS_IDP_URL - value: "https://{{ .Values.externalDomain }}" + {{ if not .Values.features.externalUserManagement.enabled }} + value: https://{{ .Values.externalDomain }} + {{ else }} + value: {{ .Values.features.externalUserManagement.oidc.issuerURI }} + {{ end }} - name: REVA_GATEWAY value: gateway:9142 @@ -80,9 +99,11 @@ spec: volumeMounts: - name: ocis-config-tmp mountPath: /etc/ocis # we mount that volume only to apply fsGroup to that path + {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }} - name: ldap-ca mountPath: /etc/ocis/ldap-ca readOnly: true + {{ end }} - name: tmp-volume mountPath: /tmp volumes: @@ -90,9 +111,11 @@ spec: emptyDir: medium: Memory sizeLimit: 6Mi + {{ if or (not .Values.features.externalUserManagement.enabled) ( not .Values.features.externalUserManagement.ldap.certTrusted) }} - name: ldap-ca secret: secretName: {{ .Values.secretRefs.ldapCaRef }} + {{ end }} - name: tmp-volume emptyDir: medium: Memory diff --git a/charts/ocis/templates/web/deployment.yaml b/charts/ocis/templates/web/deployment.yaml index 51828ab2b..05b727d12 100644 
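Review bot: The condition `or (not .Values.features.externalUserManagement.enabled) (not .Values.features.externalUserManagement.ldap.certTrusted)` is spelled out three times in this file (the `USERS_LDAP_CACERT` env entry, the `ldap-ca` volumeMount and the `ldap-ca` volume), already with inconsistent spacing (`( not`); if one copy drifts, the env variable points at a path that is not mounted or the CA secret is mounted without being used. Assigning it once near the top of the template, e.g. `{{- $mountLdapCa := or (not .Values.features.externalUserManagement.enabled) (not .Values.features.externalUserManagement.ldap.certTrusted) }}`, and testing `{{ if $mountLdapCa }}` in all three places keeps them in sync. The same three-way gate presumably also belongs in the auth-basic and groups deployments, which this chunk does not show. The Deployment spec starts and ends outside these hunks.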
--- a/charts/ocis/templates/web/deployment.yaml +++ b/charts/ocis/templates/web/deployment.yaml @@ -53,7 +53,11 @@ spec: value: 0.0.0.0:9100 - name: WEB_OIDC_AUTHORITY + {{ if not .Values.features.externalUserManagement.enabled }} value: https://{{ .Values.externalDomain }} + {{ else }} + value: {{ .Values.features.externalUserManagement.oidc.issuerURI }} + {{ end }} - name: WEB_UI_THEME_SERVER value: https://{{ .Values.externalDomain }} - name: WEB_UI_CONFIG_SERVER diff --git a/charts/ocis/values.yaml b/charts/ocis/values.yaml index 4c955551f..0eed81f8e 100644 --- a/charts/ocis/values.yaml +++ b/charts/ocis/values.yaml 
@@ -83,6 +83,29 @@ features: # -- Disables SSL certificate checking for connections to the office suites http api. # Not recommended for production installations. insecure: false + # External user management + externalUserManagement: + # -- Enables external user management (and disables internal user management). + # Needs an external OpenID Connect Identity Provider and an external LDAP server. + enabled: false + # OpenID Connect Identity provider related settings. + oidc: + # -- Issuer URI of the OpenID Connect Identity Provider. + # If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option. + issuerURI: https://idp.owncloud.test/realms/ocis + # LDAP related settings. + ldap: + # -- URI to connect to the LDAP secure server. + uri: ldaps://ldaps.owncloud.test + # -- Set only to false, if the certificate of your LDAP secure service is not trusted. + # If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" + certTrusted: true + # -- DN of the user to use to bind to the LDAP server. + # The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`. + # The user needs to have permission to list users and groups. + bindDN: uid=ocis,ou=system-users,dc=owncloud,dc=test + + # TODO: all other LDAP related settings # Ingress for oCIS. ingress: From e06b13b4f9a4cfaeebb5356225b579a972cd32b4 Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Fri, 5 Aug 2022 08:06:58 +0200 Subject: [PATCH 2/7] remove empty ingress file --- charts/ocis/templates/gateway/ingress.yaml | 1 - 1 file changed, 1 deletion(-) delete mode 100644 charts/ocis/templates/gateway/ingress.yaml diff --git a/charts/ocis/templates/gateway/ingress.yaml b/charts/ocis/templates/gateway/ingress.yaml deleted file mode 100644 index 92ccec8df..000000000 --- a/charts/ocis/templates/gateway/ingress.yaml +++ /dev/null 
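Review bot: The `certTrusted` comment refers to the CA secret as `"ldapCaRef"` while the `bindDN` comment a few lines below uses the full key path in backticks (`secretRefs.ldapSecretRef`); the helm-docs README rows inherit this inconsistency, so readers cannot tell that both live under `secretRefs`. Rewrite the second sentence to name `secretRefs.ldapCaRef` in backticks, matching the bindDN wording. The `issuerURI`, `uri` and `bindDN` defaults are `*.owncloud.test` placeholders that the templates consume unquoted; a one-line comment that they must be replaced when `enabled` is switched on would save a misconfigured first deployment.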
@@ -1 +0,0 @@ -#TODO: optionally expose the CS3 api gateway: https://github.com/owncloud/ocis-charts/issues/14 From f7943a64e20606f1aaf237b47ba058efb0fd6165 Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Fri, 5 Aug 2022 09:24:27 +0200 Subject: [PATCH 3/7] expose ldap options --- charts/ocis/README.md | 21 +++ charts/ocis/docs/values-desc-table.adoc | 126 ++++++++++++++++++ charts/ocis/docs/values.adoc.yaml | 30 ++++- .../ocis/templates/auth-basic/deployment.yaml | 56 ++++++++ charts/ocis/templates/groups/deployment.yaml | 55 ++++++++ charts/ocis/templates/users/deployment.yaml | 56 ++++++++ charts/ocis/values.yaml | 30 ++++- 7 files changed, 370 insertions(+), 4 deletions(-) diff --git a/charts/ocis/README.md b/charts/ocis/README.md index 1fad910c9..6a3baf327 100644 --- a/charts/ocis/README.md +++ b/charts/ocis/README.md 
@@ -133,7 +133,28 @@ This chart only supports following oCIS versions: | features.externalUserManagement.enabled | bool | `false` | Enables external user management (and disables internal user management). Needs an external OpenID Connect Identity Provider and an external LDAP server. | | features.externalUserManagement.ldap.bindDN | string | `"uid=ocis,ou=system-users,dc=owncloud,dc=test"` | DN of the user to use to bind to the LDAP server. The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`. The user needs to have permission to list users and groups. | | features.externalUserManagement.ldap.certTrusted | bool | `true` | Set only to false, if the certificate of your LDAP secure service is not trusted. If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" | +| features.externalUserManagement.ldap.group.baseDN | string | `"ou=groups,dc=owncloud,dc=com"` | | +| features.externalUserManagement.ldap.group.filter | string | `nil` | | +| features.externalUserManagement.ldap.group.objectClass | string | `"groupOfNames"` | | +| features.externalUserManagement.ldap.group.schema.displayName | string | `"cn"` | | +| features.externalUserManagement.ldap.group.schema.groupName | string | `"cn"` | | +| features.externalUserManagement.ldap.group.schema.id | string | `"ownclouduuid"` | | +| features.externalUserManagement.ldap.group.schema.idIsOctetString | bool | `false` | | +| features.externalUserManagement.ldap.group.schema.mail | string | `"mail"` | | +| features.externalUserManagement.ldap.group.schema.member | string | `"member"` | | +| features.externalUserManagement.ldap.group.scope | string | `"sub"` | | +| features.externalUserManagement.ldap.insecure | bool | `false` | For self signed certificates, consider to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" Not recommended for production installations. 
| | features.externalUserManagement.ldap.uri | string | `"ldaps://ldaps.owncloud.test"` | URI to connect to the LDAP secure server. | +| features.externalUserManagement.ldap.user.baseDN | string | `"ou=users,dc=owncloud,dc=com"` | | +| features.externalUserManagement.ldap.user.filter | string | `nil` | | +| features.externalUserManagement.ldap.user.objectClass | string | `"inetOrgPerson"` | | +| features.externalUserManagement.ldap.user.schema.displayName | string | `"displayname"` | | +| features.externalUserManagement.ldap.user.schema.id | string | `"ownclouduuid"` | | +| features.externalUserManagement.ldap.user.schema.idIsOctetString | bool | `false` | | +| features.externalUserManagement.ldap.user.schema.mail | string | `"mail"` | | +| features.externalUserManagement.ldap.user.schema.userName | string | `"uid"` | | +| features.externalUserManagement.ldap.user.scope | string | `"sub"` | | +| features.externalUserManagement.ldap.user.substringFilterType | string | `"any"` | | | features.externalUserManagement.oidc.issuerURI | string | `"https://idp.owncloud.test/realms/ocis"` | Issuer URI of the OpenID Connect Identity Provider. If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option. | | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | image.repository | string | `"owncloud/ocis"` | Image repository | diff --git a/charts/ocis/docs/values-desc-table.adoc b/charts/ocis/docs/values-desc-table.adoc index 1cab7e427..3cd021ea7 100644 --- a/charts/ocis/docs/values-desc-table.adoc +++ b/charts/ocis/docs/values-desc-table.adoc 
@@ -162,12 +162,138 @@ a| [subs=-attributes] a| [subs=-attributes] `true` | Set only to false, if the certificate of your LDAP secure service is not trusted. If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" +| features.externalUserManagement.ldap.group.baseDN +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"ou=groups,dc=owncloud,dc=com"` +| +| features.externalUserManagement.ldap.group.filter +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`nil` +| +| features.externalUserManagement.ldap.group.objectClass +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"groupOfNames"` +| +| features.externalUserManagement.ldap.group.schema.displayName +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"cn"` +| +| features.externalUserManagement.ldap.group.schema.groupName +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"cn"` +| +| features.externalUserManagement.ldap.group.schema.id +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"ownclouduuid"` +| +| features.externalUserManagement.ldap.group.schema.idIsOctetString +a| [subs=-attributes] ++bool+ +a| [subs=-attributes] +`false` +| +| features.externalUserManagement.ldap.group.schema.mail +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"mail"` +| +| features.externalUserManagement.ldap.group.schema.member +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"member"` +| +| features.externalUserManagement.ldap.group.scope +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"sub"` +| +| features.externalUserManagement.ldap.insecure +a| [subs=-attributes] ++bool+ +a| [subs=-attributes] +`false` +| For self signed certificates, consider to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" Not recommended for production installations. 
| features.externalUserManagement.ldap.uri a| [subs=-attributes] +string+ a| [subs=-attributes] `"ldaps://ldaps.owncloud.test"` | URI to connect to the LDAP secure server. +| features.externalUserManagement.ldap.user.baseDN +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"ou=users,dc=owncloud,dc=com"` +| +| features.externalUserManagement.ldap.user.filter +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`nil` +| +| features.externalUserManagement.ldap.user.objectClass +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"inetOrgPerson"` +| +| features.externalUserManagement.ldap.user.schema.displayName +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"displayname"` +| +| features.externalUserManagement.ldap.user.schema.id +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"ownclouduuid"` +| +| features.externalUserManagement.ldap.user.schema.idIsOctetString +a| [subs=-attributes] ++bool+ +a| [subs=-attributes] +`false` +| +| features.externalUserManagement.ldap.user.schema.mail +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"mail"` +| +| features.externalUserManagement.ldap.user.schema.userName +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"uid"` +| +| features.externalUserManagement.ldap.user.scope +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"sub"` +| +| features.externalUserManagement.ldap.user.substringFilterType +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"any"` +| | features.externalUserManagement.oidc.issuerURI a| [subs=-attributes] +string+ diff --git a/charts/ocis/docs/values.adoc.yaml b/charts/ocis/docs/values.adoc.yaml index 90c76c82c..c4916f797 100644 --- a/charts/ocis/docs/values.adoc.yaml +++ b/charts/ocis/docs/values.adoc.yaml 
@@ -101,12 +101,38 @@ features: # -- Set only to false, if the certificate of your LDAP secure service is not trusted. # If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" certTrusted: true + # -- Disables SSL certificate checking for connections to the LDAP server. + # -- For self signed certificates, consider to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" + # Not recommended for production installations. + insecure: false # -- DN of the user to use to bind to the LDAP server. # The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`. # The user needs to have permission to list users and groups. bindDN: uid=ocis,ou=system-users,dc=owncloud,dc=test - - # TODO: all other LDAP related settings + user: + schema: + id: ownclouduuid + idIsOctetString: false + mail: mail + displayName: displayname + userName: uid + baseDN: ou=users,dc=owncloud,dc=com + scope: sub + substringFilterType: any + filter: + objectClass: inetOrgPerson + group: + schema: + id: ownclouduuid + idIsOctetString: false + mail: mail + displayName: cn + groupName: cn + member: member + baseDN: ou=groups,dc=owncloud,dc=com + scope: sub + filter: + objectClass: groupOfNames # Ingress for oCIS. ingress: diff --git a/charts/ocis/templates/auth-basic/deployment.yaml b/charts/ocis/templates/auth-basic/deployment.yaml index 3a829d1aa..5e3478aee 100644 --- a/charts/ocis/templates/auth-basic/deployment.yaml +++ b/charts/ocis/templates/auth-basic/deployment.yaml 
@@ -56,6 +56,62 @@ spec: - name: REVA_GATEWAY value: gateway:9142 + {{- if .Values.features.externalUserManagement.enabled }} + - name: AUTH_BASIC_LDAP_INSECURE + value: "{{ .Values.features.externalUserManagement.ldap.insecure }}" + + - name: AUTH_BASIC_LDAP_USER_BASE_DN + value: {{ .Values.features.externalUserManagement.ldap.user.baseDN }} + - name: AUTH_BASIC_LDAP_GROUP_BASE_DN + value: {{ .Values.features.externalUserManagement.ldap.group.baseDN }} + + - name: AUTH_BASIC_LDAP_USER_SCOPE + value: {{ .Values.features.externalUserManagement.ldap.user.scope }} + - name: AUTH_BASIC_LDAP_GROUP_SCOPE + value: {{ .Values.features.externalUserManagement.ldap.group.scope }} + + - name: AUTH_BASIC_LDAP_USER_SUBSTRING_FILTER_TYPE + value: {{ .Values.features.externalUserManagement.ldap.user.substringFilterType }} + + - name: AUTH_BASIC_LDAP_USER_FILTER + value: {{ .Values.features.externalUserManagement.ldap.user.filter }} + - name: AUTH_BASIC_LDAP_GROUP_FILTER + value: {{ .Values.features.externalUserManagement.ldap.group.filter }} + + - name: AUTH_BASIC_LDAP_USER_OBJECTCLASS + value: {{ .Values.features.externalUserManagement.ldap.user.objectClass }} + - name: AUTH_BASIC_LDAP_GROUP_OBJECTCLASS + value: {{ .Values.features.externalUserManagement.ldap.group.objectClass }} + + - name: AUTH_BASIC_LDAP_USER_SCHEMA_ID + value: {{ .Values.features.externalUserManagement.ldap.user.schema.id }} + - name: AUTH_BASIC_LDAP_GROUP_SCHEMA_ID + value: {{ .Values.features.externalUserManagement.ldap.group.schema.id }} + + - name: AUTH_BASIC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING + value: "{{ .Values.features.externalUserManagement.ldap.user.schema.idIsOctetString }}" + - name: AUTH_BASIC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING + value: "{{ .Values.features.externalUserManagement.ldap.group.schema.idIsOctetString }}" + + - name: AUTH_BASIC_LDAP_USER_SCHEMA_MAIL + value: {{ .Values.features.externalUserManagement.ldap.user.schema.mail }} + - name: AUTH_BASIC_LDAP_GROUP_SCHEMA_MAIL + value: {{ 
.Values.features.externalUserManagement.ldap.group.schema.mail }} + + - name: AUTH_BASIC_LDAP_USER_SCHEMA_DISPLAYNAME + value: {{ .Values.features.externalUserManagement.ldap.user.schema.displayName }} + - name: AUTH_BASIC_LDAP_GROUP_SCHEMA_DISPLAYNAME + value: {{ .Values.features.externalUserManagement.ldap.group.schema.displayName }} + + - name: AUTH_BASIC_LDAP_USER_SCHEMA_USERNAME + value: {{ .Values.features.externalUserManagement.ldap.user.schema.userName }} + - name: AUTH_BASIC_LDAP_GROUP_SCHEMA_GROUPNAME + value: {{ .Values.features.externalUserManagement.ldap.group.schema.groupName }} + + - name: AUTH_BASIC_LDAP_GROUP_SCHEMA_MEMBER + value: {{ .Values.features.externalUserManagement.ldap.group.schema.member }} + {{- end }} + - name: AUTH_BASIC_LDAP_URI {{ if not .Values.features.externalUserManagement.enabled }} value: ldaps://idm:9235 diff --git a/charts/ocis/templates/groups/deployment.yaml b/charts/ocis/templates/groups/deployment.yaml index 9553778cb..e51627ba1 100644 --- a/charts/ocis/templates/groups/deployment.yaml +++ b/charts/ocis/templates/groups/deployment.yaml 
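Review bot: Every new string env value in this hunk is emitted as an unquoted plain scalar, and `user.filter`/`group.filter` default to nil in values.yaml, so `AUTH_BASIC_LDAP_USER_FILTER` and `AUTH_BASIC_LDAP_GROUP_FILTER` render as `value:` (a YAML null, not an empty string), and any operator-supplied filter or DN containing `: `, ` #`, or a leading `&`/`*` would be mis-parsed by the YAML loader. Rendering each string-valued entry as `value: {{ .Values.features.externalUserManagement.ldap.user.filter | quote }}` makes the output deterministic; `AUTH_BASIC_LDAP_INSECURE` and the `..._ID_IS_OCTETSTRING` entries already follow that pattern. The same applies to the groups and users deployment hunks later in this patch. The container's env list continues outside the hunk.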
@@ -52,6 +52,61 @@ spec: - name: GROUPS_GRPC_ADDR value: 0.0.0.0:9160 + {{- if .Values.features.externalUserManagement.enabled }} + - name: GROUPS_LDAP_INSECURE + value: "{{ .Values.features.externalUserManagement.ldap.insecure }}" + + - name: GROUPS_LDAP_USER_BASE_DN + value: {{ .Values.features.externalUserManagement.ldap.user.baseDN }} + - name: GROUPS_LDAP_GROUP_BASE_DN + value: {{ .Values.features.externalUserManagement.ldap.group.baseDN }} + + - name: GROUPS_LDAP_USER_SCOPE + value: {{ .Values.features.externalUserManagement.ldap.user.scope }} + - name: GROUPS_LDAP_GROUP_SCOPE + value: {{ .Values.features.externalUserManagement.ldap.group.scope }} + + - name: GROUPS_LDAP_USER_SUBSTRING_FILTER_TYPE + value: {{ .Values.features.externalUserManagement.ldap.user.substringFilterType }} + + - name: GROUPS_LDAP_USER_FILTER + value: {{ .Values.features.externalUserManagement.ldap.user.filter }} + - name: GROUPS_LDAP_GROUP_FILTER + value: {{ .Values.features.externalUserManagement.ldap.group.filter }} + + - name: GROUPS_LDAP_USER_OBJECTCLASS + value: {{ .Values.features.externalUserManagement.ldap.user.objectClass }} + - name: GROUPS_LDAP_GROUP_OBJECTCLASS + value: {{ .Values.features.externalUserManagement.ldap.group.objectClass }} + + - name: GROUPS_LDAP_USER_SCHEMA_ID + value: {{ .Values.features.externalUserManagement.ldap.user.schema.id }} + - name: GROUPS_LDAP_GROUP_SCHEMA_ID + value: {{ .Values.features.externalUserManagement.ldap.group.schema.id }} + + - name: GROUPS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING + value: "{{ .Values.features.externalUserManagement.ldap.user.schema.idIsOctetString }}" + - name: GROUPS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING + value: "{{ .Values.features.externalUserManagement.ldap.group.schema.idIsOctetString }}" + + - name: GROUPS_LDAP_USER_SCHEMA_MAIL + value: {{ .Values.features.externalUserManagement.ldap.user.schema.mail }} + - name: GROUPS_LDAP_GROUP_SCHEMA_MAIL + value: {{ .Values.features.externalUserManagement.ldap.group.schema.mail 
}} + + - name: GROUPS_LDAP_USER_SCHEMA_DISPLAYNAME + value: {{ .Values.features.externalUserManagement.ldap.user.schema.displayName }} + - name: GROUPS_LDAP_GROUP_SCHEMA_DISPLAYNAME + value: {{ .Values.features.externalUserManagement.ldap.group.schema.displayName }} + + - name: GROUPS_LDAP_USER_SCHEMA_USERNAME + value: {{ .Values.features.externalUserManagement.ldap.user.schema.userName }} + - name: GROUPS_LDAP_GROUP_SCHEMA_GROUPNAME + value: {{ .Values.features.externalUserManagement.ldap.group.schema.groupName }} + + - name: GROUPS_LDAP_GROUP_SCHEMA_MEMBER + value: {{ .Values.features.externalUserManagement.ldap.group.schema.member }} + {{- end }} - name: GROUPS_LDAP_URI {{ if not .Values.features.externalUserManagement.enabled }} diff --git a/charts/ocis/templates/users/deployment.yaml b/charts/ocis/templates/users/deployment.yaml index 8a99786f1..ce49eb8bc 100644 --- a/charts/ocis/templates/users/deployment.yaml +++ b/charts/ocis/templates/users/deployment.yaml 
@@ -52,6 +52,62 @@ spec: - name: USERS_GRPC_ADDR value: 0.0.0.0:9144 + {{- if .Values.features.externalUserManagement.enabled }} + - name: USERS_LDAP_INSECURE + value: "{{ .Values.features.externalUserManagement.ldap.insecure }}" + + - name: USERS_LDAP_USER_BASE_DN + value: {{ .Values.features.externalUserManagement.ldap.user.baseDN }} + - name: USERS_LDAP_GROUP_BASE_DN + value: {{ .Values.features.externalUserManagement.ldap.group.baseDN }} + + - name: USERS_LDAP_USER_SCOPE + value: {{ .Values.features.externalUserManagement.ldap.user.scope }} + - name: USERS_LDAP_GROUP_SCOPE + value: {{ .Values.features.externalUserManagement.ldap.group.scope }} + + - name: USERS_LDAP_USER_SUBSTRING_FILTER_TYPE + value: {{ .Values.features.externalUserManagement.ldap.user.substringFilterType }} + + - name: USERS_LDAP_USER_FILTER + value: {{ .Values.features.externalUserManagement.ldap.user.filter }} + - name: USERS_LDAP_GROUP_FILTER + value: {{ .Values.features.externalUserManagement.ldap.group.filter }} + + - name: USERS_LDAP_USER_OBJECTCLASS + value: {{ .Values.features.externalUserManagement.ldap.user.objectClass }} + - name: USERS_LDAP_GROUP_OBJECTCLASS + value: {{ .Values.features.externalUserManagement.ldap.group.objectClass }} + + - name: USERS_LDAP_USER_SCHEMA_ID + value: {{ .Values.features.externalUserManagement.ldap.user.schema.id }} + - name: USERS_LDAP_GROUP_SCHEMA_ID + value: {{ .Values.features.externalUserManagement.ldap.group.schema.id }} + + - name: USERS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING + value: "{{ .Values.features.externalUserManagement.ldap.user.schema.idIsOctetString }}" + - name: USERS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING + value: "{{ .Values.features.externalUserManagement.ldap.group.schema.idIsOctetString }}" + + - name: USERS_LDAP_USER_SCHEMA_MAIL + value: {{ .Values.features.externalUserManagement.ldap.user.schema.mail }} + - name: USERS_LDAP_GROUP_SCHEMA_MAIL + value: {{ .Values.features.externalUserManagement.ldap.group.schema.mail }} + + - name: 
USERS_LDAP_USER_SCHEMA_DISPLAYNAME + value: {{ .Values.features.externalUserManagement.ldap.user.schema.displayName }} + - name: USERS_LDAP_GROUP_SCHEMA_DISPLAYNAME + value: {{ .Values.features.externalUserManagement.ldap.group.schema.displayName }} + + - name: USERS_LDAP_USER_SCHEMA_USERNAME + value: {{ .Values.features.externalUserManagement.ldap.user.schema.userName }} + - name: USERS_LDAP_GROUP_SCHEMA_GROUPNAME + value: {{ .Values.features.externalUserManagement.ldap.group.schema.groupName }} + + - name: USERS_LDAP_GROUP_SCHEMA_MEMBER + value: {{ .Values.features.externalUserManagement.ldap.group.schema.member }} + {{- end }} + - name: USERS_LDAP_URI {{ if not .Values.features.externalUserManagement.enabled }} value: ldaps://idm:9235 diff --git a/charts/ocis/values.yaml b/charts/ocis/values.yaml index 0eed81f8e..d2518635f 100644 --- a/charts/ocis/values.yaml +++ b/charts/ocis/values.yaml 
@@ -100,12 +100,38 @@ features: # -- Set only to false, if the certificate of your LDAP secure service is not trusted. # If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" certTrusted: true + # -- Disables SSL certificate checking for connections to the LDAP server. + # -- For self signed certificates, consider to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" + # Not recommended for production installations. + insecure: false # -- DN of the user to use to bind to the LDAP server. # The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`. # The user needs to have permission to list users and groups. bindDN: uid=ocis,ou=system-users,dc=owncloud,dc=test - - # TODO: all other LDAP related settings + user: + schema: + id: ownclouduuid + idIsOctetString: false + mail: mail + displayName: displayname + userName: uid + baseDN: ou=users,dc=owncloud,dc=com + scope: sub + substringFilterType: any + filter: + objectClass: inetOrgPerson + group: + schema: + id: ownclouduuid + idIsOctetString: false + mail: mail + displayName: cn + groupName: cn + member: member + baseDN: ou=groups,dc=owncloud,dc=com + scope: sub + filter: + objectClass: groupOfNames # Ingress for oCIS. ingress: From 9b18bb4f3ae7329f29582f92a1ee390020ce07fb Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Fri, 5 Aug 2022 14:18:24 +0200 Subject: [PATCH 4/7] configure PROXY_OIDC_REWRITE_WELLKNOWN, needs owncloud/ocis#4346 --- charts/ocis/templates/proxy/deployment.yaml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/charts/ocis/templates/proxy/deployment.yaml b/charts/ocis/templates/proxy/deployment.yaml index 90b6f86cd..047c15460 100644 --- a/charts/ocis/templates/proxy/deployment.yaml +++ b/charts/ocis/templates/proxy/deployment.yaml 
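Review bot: The `insecure` key carries two `# --` helm-docs markers, and the README row generated for it in this same patch shows only the second sentence ("For self signed certificates, ..."), so the option's actual effect — disabling SSL certificate checking — never reaches the documentation. Keep a single marker: `# -- Disables SSL certificate checking for connections to the LDAP server.` followed by the plain continuation lines `# For self signed certificates, consider to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef".` and `# Not recommended for production installations.`. `filter:` under both `user` and `group` is a bare null; `filter: ""` states the intended empty string explicitly and matches how the templates consume it. The new `user`/`group` keys have no `# --` descriptions at all, which is why their README rows are empty.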
@@ -58,11 +58,16 @@ spec: value: "{{ .Values.features.basicAuthentication }}" - name: PROXY_OIDC_ISSUER - {{ if not .Values.features.externalUserManagement.enabled }} + {{- if not .Values.features.externalUserManagement.enabled }} value: https://{{ .Values.externalDomain }} - {{ else }} + {{- else }} value: {{ .Values.features.externalUserManagement.oidc.issuerURI }} - {{ end }} + {{- end }} + + {{- if .Values.features.externalUserManagement.enabled }} + - name: PROXY_OIDC_REWRITE_WELLKNOWN + value: "true" + {{- end }} - name: PROXY_TLS value: "false" From 13a7e890adaad2c51cd9b53d22f836525447dc70 Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Fri, 5 Aug 2022 14:29:08 +0200 Subject: [PATCH 5/7] make useridclaim configurable --- charts/ocis/templates/proxy/deployment.yaml | 5 +++++ charts/ocis/values.yaml | 9 +++++++++ 2 files changed, 14 insertions(+) diff --git a/charts/ocis/templates/proxy/deployment.yaml b/charts/ocis/templates/proxy/deployment.yaml index 047c15460..8fb353b19 100644 --- a/charts/ocis/templates/proxy/deployment.yaml +++ b/charts/ocis/templates/proxy/deployment.yaml @@ -67,6 +67,11 @@ spec: {{- if .Values.features.externalUserManagement.enabled }} - name: PROXY_OIDC_REWRITE_WELLKNOWN value: "true" + + - name: PROXY_USER_OIDC_CLAIM + value: {{ .Values.features.externalUserManagement.oidc.userIDClaim }} + - name: PROXY_USER_CS3_CLAIM + value: {{ .Values.features.externalUserManagement.oidc.userIDClaimAttributeMapping }} {{- end }} - name: PROXY_TLS diff --git a/charts/ocis/values.yaml b/charts/ocis/values.yaml index d2518635f..533ad0480 100644 --- a/charts/ocis/values.yaml +++ b/charts/ocis/values.yaml 
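Review bot: `PROXY_OIDC_REWRITE_WELLKNOWN` is hard-wired to `"true"` whenever external user management is on, and the commit subject says this depends on owncloud/ocis#4346, yet nothing in the template or values records that minimum-version requirement, so an operator on an older image gets a silently ignored variable and a broken login flow. A comment above the entry, `# requires an oCIS release containing owncloud/ocis#4346 (well-known rewrite)`, or a line in the README's supported-versions table, would document the dependency. The env list continues outside the hunk.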
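Review bot: `PROXY_USER_OIDC_CLAIM` and `PROXY_USER_CS3_CLAIM` are rendered unquoted, and `userIDClaimAttributeMapping` accepts only the three values documented in values.yaml (`userid`, `mail`, `username`) without any check, so a typo yields a proxy that cannot map any token to a user and the failure only shows up at login time. Quoting both values and failing the render early on an unknown mapping turns that into an install-time error; the check below uses the Sprig `has`/`list` helpers and Helm's `fail`. The env list continues outside the hunk.
```yaml
# … unchanged: PROXY_OIDC_REWRITE_WELLKNOWN entry …
{{- $mapping := .Values.features.externalUserManagement.oidc.userIDClaimAttributeMapping }}
{{- if not (has $mapping (list "userid" "mail" "username")) }}
{{- fail "features.externalUserManagement.oidc.userIDClaimAttributeMapping must be one of: userid, mail, username" }}
{{- end }}
- name: PROXY_USER_OIDC_CLAIM
  value: {{ .Values.features.externalUserManagement.oidc.userIDClaim | quote }}
- name: PROXY_USER_CS3_CLAIM
  value: {{ $mapping | quote }}
```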
@@ -93,6 +93,15 @@ features: # -- Issuer URI of the OpenID Connect Identity Provider. # If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option. issuerURI: https://idp.owncloud.test/realms/ocis + + # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server. + userIDClaim: ocis.user.uuid + # -- Attribute mapping of for the userIDClaim. + # Set to 'userid' if the userIDClaim holds the value of the ldap.user.schema.id user attribute. + # Set to 'mail' if the userIDClaim holds the value of the ldap.user.schema.mail user attribute. + # Set to 'username' if the userIDClaim holds the value of the ldap.user.schema.id user attribute. + userIDClaimAttributeMapping: userid + # LDAP related settings. ldap: # -- URI to connect to the LDAP secure server. From 5da6e0db9ce05cea7438501434b4d2ba3b95de89 Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Fri, 5 Aug 2022 14:46:20 +0200 Subject: [PATCH 6/7] add documentation --- charts/ocis/README.md | 44 ++++++++++---------- charts/ocis/docs/values-desc-table.adoc | 54 +++++++++++++++---------- charts/ocis/docs/values.adoc.yaml | 31 +++++++++++++- charts/ocis/values.yaml | 28 +++++++++++-- 4 files changed, 110 insertions(+), 47 deletions(-) diff --git a/charts/ocis/README.md b/charts/ocis/README.md index 6a3baf327..d0209ce42 100644 --- a/charts/ocis/README.md +++ b/charts/ocis/README.md 
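Review bot: The third mapping line documents `username` with the same attribute as `userid` (`ldap.user.schema.id`), which contradicts the `userName` schema key introduced in the previous patch; it should read `# Set to 'username' if the userIDClaim holds the value of the ldap.user.schema.userName user attribute.`. Two wording fixes in the same block: `an unique user identifier` → `a unique user identifier`, and `Attribute mapping of for the userIDClaim` → `Attribute mapping for the userIDClaim`. Since the proxy template consumes both claim values unquoted, the comment could also state that only `userid`, `mail` and `username` are accepted, so the constraint is visible in the generated README.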
@@ -133,29 +133,31 @@ This chart only supports following oCIS versions:
 | features.externalUserManagement.enabled | bool | `false` | Enables external user management (and disables internal user management). Needs an external OpenID Connect Identity Provider and an external LDAP server. |
 | features.externalUserManagement.ldap.bindDN | string | `"uid=ocis,ou=system-users,dc=owncloud,dc=test"` | DN of the user to use to bind to the LDAP server. The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`. The user needs to have permission to list users and groups. |
 | features.externalUserManagement.ldap.certTrusted | bool | `true` | Set only to false, if the certificate of your LDAP secure service is not trusted. If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" |
-| features.externalUserManagement.ldap.group.baseDN | string | `"ou=groups,dc=owncloud,dc=com"` | |
-| features.externalUserManagement.ldap.group.filter | string | `nil` | |
-| features.externalUserManagement.ldap.group.objectClass | string | `"groupOfNames"` | |
-| features.externalUserManagement.ldap.group.schema.displayName | string | `"cn"` | |
-| features.externalUserManagement.ldap.group.schema.groupName | string | `"cn"` | |
-| features.externalUserManagement.ldap.group.schema.id | string | `"ownclouduuid"` | |
-| features.externalUserManagement.ldap.group.schema.idIsOctetString | bool | `false` | |
-| features.externalUserManagement.ldap.group.schema.mail | string | `"mail"` | |
-| features.externalUserManagement.ldap.group.schema.member | string | `"member"` | |
-| features.externalUserManagement.ldap.group.scope | string | `"sub"` | |
+| features.externalUserManagement.ldap.group.baseDN | string | `"ou=groups,dc=owncloud,dc=com"` | Search base DN for looking up LDAP groups. |
+| features.externalUserManagement.ldap.group.filter | string | `nil` | LDAP filter to add to the default filters for group searches. |
+| features.externalUserManagement.ldap.group.objectClass | string | `"groupOfNames"` | The object class to use for groups in the default group search filter like `groupOfNames`. |
+| features.externalUserManagement.ldap.group.schema.displayName | string | `"cn"` | LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). |
+| features.externalUserManagement.ldap.group.schema.groupName | string | `"cn"` | LDAP Attribute to use for the name of groups. |
+| features.externalUserManagement.ldap.group.schema.id | string | `"ownclouduuid"` | LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID. |
+| features.externalUserManagement.ldap.group.schema.idIsOctetString | bool | `false` | Set this to true if the defined `id` attribute for groups is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the group ID`s. |
+| features.externalUserManagement.ldap.group.schema.mail | string | `"mail"` | LDAP Attribute to use for the email address of groups (can be empty). |
+| features.externalUserManagement.ldap.group.schema.member | string | `"member"` | LDAP Attribute that is used for group members. |
+| features.externalUserManagement.ldap.group.scope | string | `"sub"` | LDAP search scope to use when looking up groups. Supported values are `base`, `one` and `sub`. |
 | features.externalUserManagement.ldap.insecure | bool | `false` | For self signed certificates, consider to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" Not recommended for production installations. |
 | features.externalUserManagement.ldap.uri | string | `"ldaps://ldaps.owncloud.test"` | URI to connect to the LDAP secure server. |
-| features.externalUserManagement.ldap.user.baseDN | string | `"ou=users,dc=owncloud,dc=com"` | |
-| features.externalUserManagement.ldap.user.filter | string | `nil` | |
-| features.externalUserManagement.ldap.user.objectClass | string | `"inetOrgPerson"` | |
-| features.externalUserManagement.ldap.user.schema.displayName | string | `"displayname"` | |
-| features.externalUserManagement.ldap.user.schema.id | string | `"ownclouduuid"` | |
-| features.externalUserManagement.ldap.user.schema.idIsOctetString | bool | `false` | |
-| features.externalUserManagement.ldap.user.schema.mail | string | `"mail"` | |
-| features.externalUserManagement.ldap.user.schema.userName | string | `"uid"` | |
-| features.externalUserManagement.ldap.user.scope | string | `"sub"` | |
-| features.externalUserManagement.ldap.user.substringFilterType | string | `"any"` | |
+| features.externalUserManagement.ldap.user.baseDN | string | `"ou=users,dc=owncloud,dc=com"` | Search base DN for looking up LDAP users. |
+| features.externalUserManagement.ldap.user.filter | string | `nil` | LDAP filter to add to the default filters for user search like `(objectclass=ownCloud)`. |
+| features.externalUserManagement.ldap.user.objectClass | string | `"inetOrgPerson"` | The object class to use for users in the default user search filter like `inetOrgPerson`. |
+| features.externalUserManagement.ldap.user.schema.displayName | string | `"displayname"` | LDAP Attribute to use for the displayname of users. |
+| features.externalUserManagement.ldap.user.schema.id | string | `"ownclouduuid"` | LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID. |
+| features.externalUserManagement.ldap.user.schema.idIsOctetString | bool | `false` | Set this to true if the defined `id` attribute for users is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the user ID`s. |
+| features.externalUserManagement.ldap.user.schema.mail | string | `"mail"` | LDAP Attribute to use for the email address of users. |
+| features.externalUserManagement.ldap.user.schema.userName | string | `"uid"` | LDAP Attribute to use for username of users. |
+| features.externalUserManagement.ldap.user.scope | string | `"sub"` | LDAP search scope to use when looking up users. Supported values are `base`, `one` and `sub`. |
+| features.externalUserManagement.ldap.user.substringFilterType | string | `"any"` | Type of substring search filter to use for substring searches for users. Possible values: `initial` for doing prefix only searches, `final` for doing suffix only searches or `any` for doing full substring searches |
 | features.externalUserManagement.oidc.issuerURI | string | `"https://idp.owncloud.test/realms/ocis"` | Issuer URI of the OpenID Connect Identity Provider. If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option. |
+| features.externalUserManagement.oidc.userIDClaim | string | `"ocis.user.uuid"` | Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server. |
+| features.externalUserManagement.oidc.userIDClaimAttributeMapping | string | `"userid"` | Attribute mapping of for the userIDClaim. Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.mail`. Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image.repository | string | `"owncloud/ocis"` | Image repository |
 | image.sha | string | `""` | Image sha / digest (optional). |
@@ -230,7 +232,7 @@ This chart only supports following oCIS versions:
 | services.storageUsers.persistence.storageClassName | string | `nil` | Storage class to use. Uses the default storage class if not set. |
 | services.storageUsers.storageBackend.driver | string | `"ocis"` | Configures the storage driver. Possible values are "ocis" and "s3ng". The oCIS driver stores all data in the persistent volume if persistence is enabled. The S3NG driver stores all metadata in the persistent volume and uploads blobs to s3 if persistence is enabled. |
 | services.storageUsers.storageBackend.driverConfig.s3ng.accessKey | string | `"lorem-ipsum"` | S3 access key to use for the S3NG driver. Only used if driver is set to "s3ng". |
-| services.storageUsers.storageBackend.driverConfig.s3ng.bucket | string | `"example-bucket"` | - S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng". |
+| services.storageUsers.storageBackend.driverConfig.s3ng.bucket | string | `"example-bucket"` | S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng". |
 | services.storageUsers.storageBackend.driverConfig.s3ng.endpoint | string | `"https://localhost:1234"` | S3 endpoint to use for the S3NG driver. Only used if driver is set to "s3ng". |
 | services.storageUsers.storageBackend.driverConfig.s3ng.region | string | `"default"` | S3 region to use for the S3NG driver. Only used if driver is set to "s3ng". |
 | services.storageUsers.storageBackend.driverConfig.s3ng.secretKey | string | `"lorem-ipsum"` | S3 secret key to use for the S3NG driver. Only used if driver is set to "s3ng". |
diff --git a/charts/ocis/docs/values-desc-table.adoc b/charts/ocis/docs/values-desc-table.adoc
index 3cd021ea7..cdc6cc9bb 100644
--- a/charts/ocis/docs/values-desc-table.adoc
+++ b/charts/ocis/docs/values-desc-table.adoc
@@ -167,61 +167,61 @@ a| [subs=-attributes] +string+ a| [subs=-attributes] `"ou=groups,dc=owncloud,dc=com"` -| +| Search base DN for looking up LDAP groups. | features.externalUserManagement.ldap.group.filter a| [subs=-attributes] +string+ a| [subs=-attributes] `nil` -| +| LDAP filter to add to the default filters for group searches. | features.externalUserManagement.ldap.group.objectClass a| [subs=-attributes] +string+ a| [subs=-attributes] `"groupOfNames"` -| +| The object class to use for groups in the default group search filter like `groupOfNames`. | features.externalUserManagement.ldap.group.schema.displayName a| [subs=-attributes] +string+ a| [subs=-attributes] `"cn"` -| +| LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). | features.externalUserManagement.ldap.group.schema.groupName a| [subs=-attributes] +string+ a| [subs=-attributes] `"cn"` -| +| LDAP Attribute to use for the name of groups. | features.externalUserManagement.ldap.group.schema.id a| [subs=-attributes] +string+ a| [subs=-attributes] `"ownclouduuid"` -| +| LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID. | features.externalUserManagement.ldap.group.schema.idIsOctetString a| [subs=-attributes] +bool+ a| [subs=-attributes] `false` -| +| Set this to true if the defined `id` attribute for groups is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the group ID`s. | features.externalUserManagement.ldap.group.schema.mail a| [subs=-attributes] +string+ a| [subs=-attributes] `"mail"` -| +| LDAP Attribute to use for the email address of groups (can be empty). | features.externalUserManagement.ldap.group.schema.member a| [subs=-attributes] +string+ a| [subs=-attributes] `"member"` -| +| LDAP Attribute that is used for group members. 
| features.externalUserManagement.ldap.group.scope a| [subs=-attributes] +string+ a| [subs=-attributes] `"sub"` -| +| LDAP search scope to use when looking up groups. Supported values are `base`, `one` and `sub`. | features.externalUserManagement.ldap.insecure a| [subs=-attributes] +bool+ 
@@ -239,67 +239,79 @@ a| [subs=-attributes] +string+ a| [subs=-attributes] `"ou=users,dc=owncloud,dc=com"` -| +| Search base DN for looking up LDAP users. | features.externalUserManagement.ldap.user.filter a| [subs=-attributes] +string+ a| [subs=-attributes] `nil` -| +| LDAP filter to add to the default filters for user search like `(objectclass=ownCloud)`. | features.externalUserManagement.ldap.user.objectClass a| [subs=-attributes] +string+ a| [subs=-attributes] `"inetOrgPerson"` -| +| The object class to use for users in the default user search filter like `inetOrgPerson`. | features.externalUserManagement.ldap.user.schema.displayName a| [subs=-attributes] +string+ a| [subs=-attributes] `"displayname"` -| +| LDAP Attribute to use for the displayname of users. | features.externalUserManagement.ldap.user.schema.id a| [subs=-attributes] +string+ a| [subs=-attributes] `"ownclouduuid"` -| +| LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID. | features.externalUserManagement.ldap.user.schema.idIsOctetString a| [subs=-attributes] +bool+ a| [subs=-attributes] `false` -| +| Set this to true if the defined `id` attribute for users is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the user ID`s. | features.externalUserManagement.ldap.user.schema.mail a| [subs=-attributes] +string+ a| [subs=-attributes] `"mail"` -| +| LDAP Attribute to use for the email address of users. | features.externalUserManagement.ldap.user.schema.userName a| [subs=-attributes] +string+ a| [subs=-attributes] `"uid"` -| +| LDAP Attribute to use for username of users. | features.externalUserManagement.ldap.user.scope a| [subs=-attributes] +string+ a| [subs=-attributes] `"sub"` -| +| LDAP search scope to use when looking up users. Supported values are `base`, `one` and `sub`. 
| features.externalUserManagement.ldap.user.substringFilterType a| [subs=-attributes] +string+ a| [subs=-attributes] `"any"` -| +| Type of substring search filter to use for substring searches for users. Possible values: `initial` for doing prefix only searches, `final` for doing suffix only searches or `any` for doing full substring searches | features.externalUserManagement.oidc.issuerURI a| [subs=-attributes] +string+ a| [subs=-attributes] `"https://idp.owncloud.test/realms/ocis"` | Issuer URI of the OpenID Connect Identity Provider. If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option. +| features.externalUserManagement.oidc.userIDClaim +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"ocis.user.uuid"` +| Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server. +| features.externalUserManagement.oidc.userIDClaimAttributeMapping +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"userid"` +| Attribute mapping of for the userIDClaim. Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.mail`. Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. | image.pullPolicy a| [subs=-attributes] +string+ @@ -749,7 +761,7 @@ a| [subs=-attributes] +string+ a| [subs=-attributes] `"example-bucket"` -| - S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng". +| S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng". | services.storageUsers.storageBackend.driverConfig.s3ng.endpoint a| [subs=-attributes] +string+ 
diff --git a/charts/ocis/docs/values.adoc.yaml b/charts/ocis/docs/values.adoc.yaml index c4916f797..5ce477c0e 100644 --- a/charts/ocis/docs/values.adoc.yaml +++ b/charts/ocis/docs/values.adoc.yaml @@ -94,6 +94,15 @@ features: # -- Issuer URI of the OpenID Connect Identity Provider. # If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option. issuerURI: https://idp.owncloud.test/realms/ocis + + # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server. + userIDClaim: ocis.user.uuid + # -- Attribute mapping of for the userIDClaim. + # Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. + # Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.mail`. + # Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. + userIDClaimAttributeMapping: userid + # LDAP related settings. ldap: # -- URI to connect to the LDAP secure server. 
@@ -111,27 +120,47 @@ features: bindDN: uid=ocis,ou=system-users,dc=owncloud,dc=test user: schema: + # -- LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID. id: ownclouduuid + # -- Set this to true if the defined `id` attribute for users is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the user ID`s. idIsOctetString: false + # -- LDAP Attribute to use for the email address of users. mail: mail + # -- LDAP Attribute to use for the displayname of users. displayName: displayname + # -- LDAP Attribute to use for username of users. userName: uid + # -- Search base DN for looking up LDAP users. baseDN: ou=users,dc=owncloud,dc=com + # -- LDAP search scope to use when looking up users. Supported values are `base`, `one` and `sub`. scope: sub + # -- Type of substring search filter to use for substring searches for users. Possible values: `initial` for doing prefix only searches, `final` for doing suffix only searches or `any` for doing full substring searches substringFilterType: any + # -- LDAP filter to add to the default filters for user search like `(objectclass=ownCloud)`. filter: + # -- The object class to use for users in the default user search filter like `inetOrgPerson`. objectClass: inetOrgPerson group: schema: + # -- LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID. id: ownclouduuid + # -- Set this to true if the defined `id` attribute for groups is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the group ID`s. idIsOctetString: false + # -- LDAP Attribute to use for the email address of groups (can be empty). mail: mail + # -- LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). displayName: cn + # -- LDAP Attribute to use for the name of groups. 
groupName: cn + # -- LDAP Attribute that is used for group members. member: member + # -- Search base DN for looking up LDAP groups. baseDN: ou=groups,dc=owncloud,dc=com + # -- LDAP search scope to use when looking up groups. Supported values are `base`, `one` and `sub`. scope: sub + # -- LDAP filter to add to the default filters for group searches. filter: + # -- The object class to use for groups in the default group search filter like `groupOfNames`. objectClass: groupOfNames # Ingress for oCIS. @@ -291,7 +320,7 @@ services: endpoint: https://localhost:1234 # -- S3 region to use for the S3NG driver. Only used if driver is set to "s3ng". region: default - # --- S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng". + # -- S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng". bucket: example-bucket # -- S3 access key to use for the S3NG driver. Only used if driver is set to "s3ng". accessKey: lorem-ipsum diff --git a/charts/ocis/values.yaml b/charts/ocis/values.yaml index 533ad0480..7f87e730e 100644 --- a/charts/ocis/values.yaml +++ b/charts/ocis/values.yaml 
@@ -97,9 +97,9 @@ features: # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server. userIDClaim: ocis.user.uuid # -- Attribute mapping of for the userIDClaim. - # Set to 'userid' if the userIDClaim holds the value of the ldap.user.schema.id user attribute. - # Set to 'mail' if the userIDClaim holds the value of the ldap.user.schema.mail user attribute. - # Set to 'username' if the userIDClaim holds the value of the ldap.user.schema.id user attribute. + # Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. + # Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.mail`. + # Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. userIDClaimAttributeMapping: userid # LDAP related settings. 
@@ -119,27 +119,47 @@ features: bindDN: uid=ocis,ou=system-users,dc=owncloud,dc=test user: schema: + # -- LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID. id: ownclouduuid + # -- Set this to true if the defined `id` attribute for users is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the user ID`s. idIsOctetString: false + # -- LDAP Attribute to use for the email address of users. mail: mail + # -- LDAP Attribute to use for the displayname of users. displayName: displayname + # -- LDAP Attribute to use for username of users. userName: uid + # -- Search base DN for looking up LDAP users. baseDN: ou=users,dc=owncloud,dc=com + # -- LDAP search scope to use when looking up users. Supported values are `base`, `one` and `sub`. scope: sub + # -- Type of substring search filter to use for substring searches for users. Possible values: `initial` for doing prefix only searches, `final` for doing suffix only searches or `any` for doing full substring searches substringFilterType: any + # -- LDAP filter to add to the default filters for user search like `(objectclass=ownCloud)`. filter: + # -- The object class to use for users in the default user search filter like `inetOrgPerson`. objectClass: inetOrgPerson group: schema: + # -- LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID. id: ownclouduuid + # -- Set this to true if the defined `id` attribute for groups is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the group ID`s. idIsOctetString: false + # -- LDAP Attribute to use for the email address of groups (can be empty). mail: mail + # -- LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). displayName: cn + # -- LDAP Attribute to use for the name of groups. 
groupName: cn + # -- LDAP Attribute that is used for group members. member: member + # -- Search base DN for looking up LDAP groups. baseDN: ou=groups,dc=owncloud,dc=com + # -- LDAP search scope to use when looking up groups. Supported values are `base`, `one` and `sub`. scope: sub + # -- LDAP filter to add to the default filters for group searches. filter: + # -- The object class to use for groups in the default group search filter like `groupOfNames`. objectClass: groupOfNames # Ingress for oCIS. @@ -299,7 +319,7 @@ services: endpoint: https://localhost:1234 # -- S3 region to use for the S3NG driver. Only used if driver is set to "s3ng". region: default - # --- S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng". + # -- S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng". bucket: example-bucket # -- S3 access key to use for the S3NG driver. Only used if driver is set to "s3ng". accessKey: lorem-ipsum From 1fdbc37b905665974830a72249f08882525b13fd Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Fri, 5 Aug 2022 15:17:52 +0200 Subject: [PATCH 7/7] fix typo --- charts/ocis/README.md | 2 +- charts/ocis/README.md.gotmpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ocis/README.md b/charts/ocis/README.md index d0209ce42..02fa53774 100644 --- a/charts/ocis/README.md +++ b/charts/ocis/README.md @@ -468,7 +468,7 @@ data: reva-ldap-bind-password: XXXXXXXXXXXXX ``` -If you're LDAP secure server is not using a trusted certificate (`features.externalUserManagement.ldap.certTrusted` == `false`), +If your LDAP secure server is not using a trusted certificate (`features.externalUserManagement.ldap.certTrusted` == `false`), you need to set your LDAP CA (Certificate Authority) certificate in following secret: ```yaml diff --git a/charts/ocis/README.md.gotmpl b/charts/ocis/README.md.gotmpl index 6e158a42e..e4d267bce 100644 --- a/charts/ocis/README.md.gotmpl +++ b/charts/ocis/README.md.gotmpl 
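Review bot: The new `idIsOctetString` comments for both the user and the group schema use a backtick as an apostrophe in `ID`s`, which helm-docs will carry into the README and adoc tables as an unbalanced code span; write `IDs` in the values.yaml hunk `@@ -119,27 +119,47 @@` and in the matching values.adoc.yaml hunk. Separately, the newly documented `filter:` keys (user and group) stay bare, which YAML reads as null rather than an empty string and which the generated table reports as `nil`; if the consuming template interpolates them into an env var unguarded, the rendered value would be a nil marker rather than empty, so `filter: ""` is the safer default (the template is not visible from here, so please confirm). The documented example `(objectclass=ownCloud)` is also worth stating as the expected syntax, i.e. a parenthesised LDAP filter that is ANDed with the default filter.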
@@ -332,7 +332,7 @@ data: reva-ldap-bind-password: XXXXXXXXXXXXX ``` -If you're LDAP secure server is not using a trusted certificate (`features.externalUserManagement.ldap.certTrusted` == `false`), +If your LDAP secure server is not using a trusted certificate (`features.externalUserManagement.ldap.certTrusted` == `false`), you need to set your LDAP CA (Certificate Authority) certificate in following secret: ```yaml