add feature flag for external user management #58

Merged
merged 8 commits into from
Aug 12, 2022
Changes from 7 commits
173 changes: 119 additions & 54 deletions charts/ocis/README.md
Expand Up @@ -130,6 +130,34 @@ This chart only supports following oCIS versions:
| features.basicAuthentication | bool | `false` | Enable basic authentication. Not recommended for production installations. |
| features.demoUsers | bool | `false` | Create demo users on the first startup. Not recommended for production installations. |
| features.emailNotifications | bool | `false` | Enables email notifications. This features needs the secret from notificationsSmtpSecretRef present. |
| features.externalUserManagement.enabled | bool | `false` | Enables external user management (and disables internal user management). Needs an external OpenID Connect Identity Provider and an external LDAP server. |
| features.externalUserManagement.ldap.bindDN | string | `"uid=ocis,ou=system-users,dc=owncloud,dc=test"` | DN of the user to use to bind to the LDAP server. The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`. The user needs to have permission to list users and groups. |
| features.externalUserManagement.ldap.certTrusted | bool | `true` | Set only to false, if the certificate of your LDAP secure service is not trusted. If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" |
| features.externalUserManagement.ldap.group.baseDN | string | `"ou=groups,dc=owncloud,dc=com"` | Search base DN for looking up LDAP groups. |
| features.externalUserManagement.ldap.group.filter | string | `nil` | LDAP filter to add to the default filters for group searches. |
| features.externalUserManagement.ldap.group.objectClass | string | `"groupOfNames"` | The object class to use for groups in the default group search filter like `groupOfNames`. |
| features.externalUserManagement.ldap.group.schema.displayName | string | `"cn"` | LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). |
| features.externalUserManagement.ldap.group.schema.groupName | string | `"cn"` | LDAP Attribute to use for the name of groups. |
| features.externalUserManagement.ldap.group.schema.id | string | `"ownclouduuid"` | LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID. |
| features.externalUserManagement.ldap.group.schema.idIsOctetString | bool | `false` | Set this to true if the defined `id` attribute for groups is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the group ID`s. |
| features.externalUserManagement.ldap.group.schema.mail | string | `"mail"` | LDAP Attribute to use for the email address of groups (can be empty). |
| features.externalUserManagement.ldap.group.schema.member | string | `"member"` | LDAP Attribute that is used for group members. |
| features.externalUserManagement.ldap.group.scope | string | `"sub"` | LDAP search scope to use when looking up groups. Supported values are `base`, `one` and `sub`. |
| features.externalUserManagement.ldap.insecure | bool | `false` | For self signed certificates, consider to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" Not recommended for production installations. |
| features.externalUserManagement.ldap.uri | string | `"ldaps://ldaps.owncloud.test"` | URI to connect to the LDAP secure server. |
| features.externalUserManagement.ldap.user.baseDN | string | `"ou=users,dc=owncloud,dc=com"` | Search base DN for looking up LDAP users. |
| features.externalUserManagement.ldap.user.filter | string | `nil` | LDAP filter to add to the default filters for user search like `(objectclass=ownCloud)`. |
| features.externalUserManagement.ldap.user.objectClass | string | `"inetOrgPerson"` | The object class to use for users in the default user search filter like `inetOrgPerson`. |
| features.externalUserManagement.ldap.user.schema.displayName | string | `"displayname"` | LDAP Attribute to use for the displayname of users. |
| features.externalUserManagement.ldap.user.schema.id | string | `"ownclouduuid"` | LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID. |
| features.externalUserManagement.ldap.user.schema.idIsOctetString | bool | `false` | Set this to true if the defined `id` attribute for users is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the user ID`s. |
| features.externalUserManagement.ldap.user.schema.mail | string | `"mail"` | LDAP Attribute to use for the email address of users. |
| features.externalUserManagement.ldap.user.schema.userName | string | `"uid"` | LDAP Attribute to use for username of users. |
| features.externalUserManagement.ldap.user.scope | string | `"sub"` | LDAP search scope to use when looking up users. Supported values are `base`, `one` and `sub`. |
| features.externalUserManagement.ldap.user.substringFilterType | string | `"any"` | Type of substring search filter to use for substring searches for users. Possible values: `initial` for doing prefix only searches, `final` for doing suffix only searches or `any` for doing full substring searches |
| features.externalUserManagement.oidc.issuerURI | string | `"https://idp.owncloud.test/realms/ocis"` | Issuer URI of the OpenID Connect Identity Provider. If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option. |
| features.externalUserManagement.oidc.userIDClaim | string | `"ocis.user.uuid"` | Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server. |
| features.externalUserManagement.oidc.userIDClaimAttributeMapping | string | `"userid"` | Attribute mapping of for the userIDClaim. Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.mail`. Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.repository | string | `"owncloud/ocis"` | Image repository |
| image.sha | string | `""` | Image sha / digest (optional). |
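Review bot: in the `features.externalUserManagement.oidc.userIDClaimAttributeMapping` row the `username` case says the claim holds the value of `...ldap.user.schema.id`, which is word for word the `userid` case; it should presumably point at `...ldap.user.schema.userName`, otherwise two of the three documented mappings are the same thing. The defaults in the new rows also disagree with each other: `ldap.bindDN` uses `dc=owncloud,dc=test` and `ldap.uri` uses `ldaps.owncloud.test`, while `ldap.group.baseDN` and `ldap.user.baseDN` use `dc=owncloud,dc=com`; an operator copying the defaults will get a bind DN in a different tree than the search bases. The `ldap.insecure` row never states what the flag actually does (whether it disables TLS certificate verification) and runs two sentences together (`"ldapCaRef" Not recommended`); since `ldap.certTrusted` already covers the private-CA case, say what `insecure` changes and when each option applies, and reference the secret keys consistently (`secretRefs.ldapSecretRef` in the bindDN row versus the bare `"ldapCaRef"` in the certTrusted and insecure rows). Minor: `ID`s` in both idIsOctetString rows should be `IDs`, and `Attribute mapping of for` has a stray word.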
Expand Down Expand Up @@ -204,7 +232,7 @@ This chart only supports following oCIS versions:
| services.storageUsers.persistence.storageClassName | string | `nil` | Storage class to use. Uses the default storage class if not set. |
| services.storageUsers.storageBackend.driver | string | `"ocis"` | Configures the storage driver. Possible values are "ocis" and "s3ng". The oCIS driver stores all data in the persistent volume if persistence is enabled. The S3NG driver stores all metadata in the persistent volume and uploads blobs to s3 if persistence is enabled. |
| services.storageUsers.storageBackend.driverConfig.s3ng.accessKey | string | `"lorem-ipsum"` | S3 access key to use for the S3NG driver. Only used if driver is set to "s3ng". |
| services.storageUsers.storageBackend.driverConfig.s3ng.bucket | string | `"example-bucket"` | - S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng". |
| services.storageUsers.storageBackend.driverConfig.s3ng.bucket | string | `"example-bucket"` | S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng". |
| services.storageUsers.storageBackend.driverConfig.s3ng.endpoint | string | `"https://localhost:1234"` | S3 endpoint to use for the S3NG driver. Only used if driver is set to "s3ng". |
| services.storageUsers.storageBackend.driverConfig.s3ng.region | string | `"default"` | S3 region to use for the S3NG driver. Only used if driver is set to "s3ng". |
| services.storageUsers.storageBackend.driverConfig.s3ng.secretKey | string | `"lorem-ipsum"` | S3 secret key to use for the S3NG driver. Only used if driver is set to "s3ng". |
Expand Down Expand Up @@ -254,59 +282,6 @@ data:
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
jwt-secret: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-bind-secrets
type: Opaque
data:
# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
reva-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
idp-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
graph-ldap-bind-password: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-ca
type: Opaque
data:
# how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority
# example generation commands:
# - `openssl genrsa -out ldap-ca.key 4096`
# - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt`
# - `cat ldap-ca.crt | base64 | tr -d '\n' && echo`
ldap-ca.crt: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-cert
type: Opaque
data:
# how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size)
# example generation commands:
# - `openssl genrsa -out ldap.key 4096`
# - `cat ldap.key | base64 | tr -d '\n' && echo`
ldap.key: XXXXXXXXXXXXX

# how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key.
# example generation commands:
# - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr`
# - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial`
# - `cat ldap.crt | base64 | tr -d '\n' && echo`
ldap.crt: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
Expand Down Expand Up @@ -397,6 +372,8 @@ data:
thumbnails-transfer-secret: XXXXXXXXXXXXX
```

#### Notifications related secrets

If you set `features.emailNotifications` to `true` you also need to configure a SMTP email server secret:

```yaml
Expand All @@ -415,7 +392,95 @@ data:
smtp-port: 1025
# Password of the SMTP host to connect to.
smtp-password: XXXXXXXXXXXXX
```

#### User management related secrets

If you're using the builtin user management (`features.externalUserManagement.enabled` == `false`), you need to set these secrets:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: ldap-bind-secrets
type: Opaque
data:
# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
reva-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
idp-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
graph-ldap-bind-password: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-ca
type: Opaque
data:
# how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority
# example generation commands:
# - `openssl genrsa -out ldap-ca.key 4096`
# - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt`
# - `cat ldap-ca.crt | base64 | tr -d '\n' && echo`
ldap-ca.crt: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-cert
type: Opaque
data:
# how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size)
# example generation commands:
# - `openssl genrsa -out ldap.key 4096`
# - `cat ldap.key | base64 | tr -d '\n' && echo`
ldap.key: XXXXXXXXXXXXX

# how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key.
# example generation commands:
# - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr`
# - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial`
# - `cat ldap.crt | base64 | tr -d '\n' && echo`
ldap.crt: XXXXXXXXXXXXX
```

If you're using an external user managment (`features.externalUserManagement.enabled` == `true`),
you need to set the LDAP bind password into a secrets:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: ldap-bind-secrets
type: Opaque
data:
# Base64 encoded password for the LDAP bind user.
reva-ldap-bind-password: XXXXXXXXXXXXX
```

If your LDAP secure server is not using a trusted certificate (`features.externalUserManagement.ldap.certTrusted` == `false`),
you need to set your LDAP CA (Certificate Authority) certificate in following secret:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: ldap-ca
type: Opaque
data:
# Base64 encoded certificate of the CA that issued the LDAP server certificate.
ldap-ca.crt: XXXXXXXXXXXXX
```

### Example with NGINX ingress and certificate issued by cert-manager
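Review bot: typo and grammar in the external-user-management paragraph: `managment` should be `management`, and `set the LDAP bind password into a secrets` should read `set the LDAP bind password in a secret`. In the `ldap-cert` block the comment says `eg. ed25519` but the command that follows is `openssl genrsa -out ldap.key 4096`, so comment and command disagree; RSA 4096 matches the command, so adjust the comment. The `reva-ldap-bind-password` comment in the external block drops the generation hint that the builtin block keeps; that is probably right, since for an external LDAP server this value must match the password already set for the bind DN on that server rather than a freshly generated random string, but say so explicitly so readers do not copy the `tr ... | base64` command from the block above. Finally, both paragraphs give the secret names (`ldap-bind-secrets`, `ldap-ca`) without saying which chart values reference them; a pointer to `secretRefs.ldapSecretRef` and the CA secret reference (`"ldapCaRef"` in the table) would let readers rename them safely.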
145 changes: 91 additions & 54 deletions charts/ocis/README.md.gotmpl
Expand Up @@ -146,60 +146,6 @@ data:
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
jwt-secret: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-bind-secrets
type: Opaque
data:
# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
reva-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
idp-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
graph-ldap-bind-password: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-ca
type: Opaque
data:
# how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority
# example generation commands:
# - `openssl genrsa -out ldap-ca.key 4096`
# - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt`
# - `cat ldap-ca.crt | base64 | tr -d '\n' && echo`
ldap-ca.crt: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-cert
type: Opaque
data:
# how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size)
# example generation commands:
# - `openssl genrsa -out ldap.key 4096`
# - `cat ldap.key | base64 | tr -d '\n' && echo`
ldap.key: XXXXXXXXXXXXX

# how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key.
# example generation commands:
# - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr`
# - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial`
# - `cat ldap.crt | base64 | tr -d '\n' && echo`
ldap.crt: XXXXXXXXXXXXX


---
apiVersion: v1
kind: Secret
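Review bot: after removing the three LDAP secret blocks, two consecutive empty lines remain before the `---` separator that precedes this `kind: Secret`; the README.md side of the same change keeps a single blank line, so drop one here to keep the template and the rendered file identical.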
Expand Down Expand Up @@ -290,6 +236,8 @@ data:
thumbnails-transfer-secret: XXXXXXXXXXXXX
```

#### Notifications related secrets

If you set `features.emailNotifications` to `true` you also need to configure a SMTP email server secret:

```yaml
Expand All @@ -308,9 +256,98 @@ data:
smtp-port: 1025
# Password of the SMTP host to connect to.
smtp-password: XXXXXXXXXXXXX
```

#### User management related secrets

If you're using the builtin user management (`features.externalUserManagement.enabled` == `false`), you need to set these secrets:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: ldap-bind-secrets
type: Opaque
data:
# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
reva-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
idp-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
graph-ldap-bind-password: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-ca
type: Opaque
data:
# how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority
# example generation commands:
# - `openssl genrsa -out ldap-ca.key 4096`
# - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt`
# - `cat ldap-ca.crt | base64 | tr -d '\n' && echo`
ldap-ca.crt: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-cert
type: Opaque
data:
# how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size)
# example generation commands:
# - `openssl genrsa -out ldap.key 4096`
# - `cat ldap.key | base64 | tr -d '\n' && echo`
ldap.key: XXXXXXXXXXXXX

# how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key.
# example generation commands:
# - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr`
# - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial`
# - `cat ldap.crt | base64 | tr -d '\n' && echo`
ldap.crt: XXXXXXXXXXXXX
```

If you're using an external user managment (`features.externalUserManagement.enabled` == `true`),
you need to set the LDAP bind password into a secrets:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: ldap-bind-secrets
type: Opaque
data:
# Base64 encoded password for the LDAP bind user.
reva-ldap-bind-password: XXXXXXXXXXXXX
```

If your LDAP secure server is not using a trusted certificate (`features.externalUserManagement.ldap.certTrusted` == `false`),
you need to set your LDAP CA (Certificate Authority) certificate in following secret:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: ldap-ca
type: Opaque
data:
# Base64 encoded certificate of the CA that issued the LDAP server certificate.
ldap-ca.crt: XXXXXXXXXXXXX
```


### Example with NGINX ingress and certificate issued by cert-manager

To make this work you need to have NGINX ingress and cert-manager installed in your cluster.
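Review bot: README.md.gotmpl appears to be the helm-docs template from which charts/ocis/README.md is rendered, so the points raised on the README hunk apply here and should be fixed in the template first or they will be regenerated: `managment` and `into a secrets` in the external-user-management paragraph, and the `eg. ed25519` comment that sits above an `openssl genrsa ... 4096` command in the `ldap-cert` block. In addition, this hunk ends with two empty lines before `### Example with NGINX ingress and certificate issued by cert-manager` where the README has one, which will show up as a spurious whitespace diff on the next helm-docs run.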