Merge pull request #5 from mlbiam/master

merging final charts

README.md

@@ -1,141 +1 @@
-# Operator Deployment:
-
-1. `kubectl create ns openunison`
-2. Deploy the dashboard per https://github.com/kubernetes/dashboard
-3. `cd openunison-operator`
-4. `helm install openunison . --namespace openunison`
-5. Wait for the operator pod to be running in the openunison namespace
-
-# Active Directory Login Portal
-
-First create a secret in the openunison namespace:
-
-```
-apiVersion: v1
-type: Opaque
-metadata:
-  name: orchestra-secrets-source
-  namespace: openunison
-data:
-  AD_BIND_PASSWORD: aW0gYSBzZWNyZXQ=
-  K8S_DB_SECRET: aW0gYSBzZWNyZXQ=
-  unisonKeystorePassword: aW0gYSBzZWNyZXQ=
-kind: Secret
-```
-
-| Property | Description |
-| -------- | ----------- |
-| AD_BIND_PASSWORD | The password for the ldap service account used to communicate with Active Directory/LDAP |
-| unisonKeystorePassword | The password for OpenUnison's keystore, should NOT contain an ampersand (`&`) |
-| K8S_DB_SECRET | A random string of characters used to secure the SSO process with the dashboard.  This should be long and random, with no ampersands (`&`) |
-
-Next, update `values.yaml` for your environment:
-
-| Property | Description |
-| -------- | ----------- |
-| network.openunison_host | The host name for OpenUnison.  This is what user's will put into their browser to login to Kubernetes |
-| network.dashboard_host | The host name for the dashboard.  This is what users will put into the browser to access to the dashboard. **NOTE:** `network.openunison_host` and `network.dashboard_host` Both `network.openunison_host` and `network.dashboard_host` **MUST** point to OpenUnison |
-| network.api_server_host | The host name to use for the api server reverse proxy.  This is what `kubectl` will interact with to access your cluster. **NOTE:** `network.openunison_host` and `network.dashboard_host` |
-| network.k8s_url | The URL for the Kubernetes API server | 
-| network.session_inactivity_timeout_seconds | The number of seconds of inactivity before the session is terminated, also the length of the refresh token's session |
-| active_directory.base | The search base for Active Directory |
-| active_directory.host | The host name for a domain controller or VIP.  If using SRV records to determine hosts, this should be the fully qualified domain name of the domain |
-| active_directory.port | The port to communicate with Active Directory |
-| active_directory.bind_dn | The full distinguished name (DN) of a read-only service account for working with Active Directory |
-| active_directory.con_type | `ldaps` for secure, `ldap` for plain text |
-| active_directory.srv_dns | If `true`, OpenUnison will lookup domain controllers by the domain's SRV DNS record |
-| cert_template.ou | The `OU` attribute for the forward facing certificate |
-| cert_template.o | The `O` attribute for the forward facing certificate |
-| cert_template.l | The `L` attribute for the forward facing certificate |
-| cert_template.st | The `ST` attribute for the forward facing certificate |
-| cert_template.c | The `C` attribute for the forward facing certificate |
-| certs.use_k8s_cm  | Tells the deployment system if you should use k8s' built in certificate manager.  If your distribution doesn't support this (such as Canonical and Rancher), set this to false |
-| myvd_config_path | The path to the MyVD configuration file, unless being customized, use `WEB-INF/myvd.conf` |
-| dashboard.namespace | The namespace for the dashboard.  For the 1.x dashboard this is `kube-system`, for the 2.x dashboard this is `kubernetes-dashboard` |
-| dashboard.cert_name | The name of the secret in the dashboard's namespace that stores the certificate for the dashboard |
-| dashboard.label | The label of the dashboard pod, this is used to delete the pod once new certificates are generated |
-| dashboard.service_name | The name of the service object for the dashboard |
-| k8s_cluster_name | The name of the cluster to use in the `./kube-config`.  Defaults to `kubernetes` |
-| image | The name of the image to use |
-
-Additionally, add a base 64 encoded PEM certificate to your values under `trusted_certs` for `pem_b64`.  This will allow OpenUnison to talk to Active Directory using TLS.
-
-Finally, run your helm chart:
-1. `cd openunison-k8s-login-activedirectory`
-2. `helm install  orchestra . --namespace openunison -f /path/to/values.yaml`
-
-Once the pod is deployed, continue the instructions at https://github.com/OpenUnison/openunison-k8s-login-activedirectory#using-your-own-certificate-for-tls
-
-# Active Directory Management Portal
-
-First create a secret in the openunison namespace:
-
-```
-apiVersion: v1
-type: Opaque
-metadata:
-  name: orchestra-secrets-source
-  namespace: openunison
-data:
-  AD_BIND_PASSWORD: aW0gYSBzZWNyZXQ=
-  K8S_DB_SECRET: aW0gYSBzZWNyZXQ=
-  unisonKeystorePassword: aW0gYSBzZWNyZXQ=
-  OU_JDBC_PASSWORD: aW0gYSBzZWNyZXQ=
-  SMTP_PASSWORD: aW0gYSBzZWNyZXQ=
-kind: Secret
-```
-
-| Property | Description |
-| -------- | ----------- |
-| AD_BIND_PASSWORD | The password for the ldap service account used to communicate with Active Directory/LDAP |
-| unisonKeystorePassword | The password for OpenUnison's keystore, should NOT contain an ampersand (`&`) |
-| K8S_DB_SECRET | A random string of characters used to secure the SSO process with the dashboard.  This should be long and random, with no ampersands (`&`) |
-| OU_JDBC_PASSWORD | The password for accessing the database |
-| SMTP_PASSWORD | Password for accessing the SMTP server (may be blank) |
-
-Next, update `values.yaml` for your environment:
-
-| Property | Description |
-| -------- | ----------- |
-| network.openunison_host | The host name for OpenUnison.  This is what user's will put into their browser to login to Kubernetes |
-| network.dashboard_host | The host name for the dashboard.  This is what users will put into the browser to access to the dashboard. **NOTE:** `network.openunison_host` and `network.dashboard_host` **MUST** share the same DNS suffix. Both `network.openunison_host` and `network.dashboard_host` **MUST** point to OpenUnison |
-| network.k8s_url | The URL for the Kubernetes API server | 
-| network.session_inactivity_timeout_seconds | The number of seconds of inactivity before the session is terminated, also the length of the refresh token's session |
-| active_directory.base | The search base for Active Directory |
-| active_directory.host | The host name for a domain controller or VIP.  If using SRV records to determine hosts, this should be the fully qualified domain name of the domain |
-| active_directory.port | The port to communicate with Active Directory |
-| active_directory.bind_dn | The full distinguished name (DN) of a read-only service account for working with Active Directory |
-| active_directory.con_type | `ldaps` for secure, `ldap` for plain text |
-| active_directory.srv_dns | If `true`, OpenUnison will lookup domain controllers by the domain's SRV DNS record |
-| cert_template.ou | The `OU` attribute for the forward facing certificate |
-| cert_template.o | The `O` attribute for the forward facing certificate |
-| cert_template.l | The `L` attribute for the forward facing certificate |
-| cert_template.st | The `ST` attribute for the forward facing certificate |
-| cert_template.c | The `C` attribute for the forward facing certificate |
-| certs.use_k8s_cm  | Tells the deployment system if you should use k8s' built in certificate manager.  If your distribution doesn't support this (such as Canonical and Rancher), set this to false |
-| myvd_config_path | The path to the MyVD configuration file, unless being customized, use `WEB-INF/myvd.conf` |
-| dashboard.namespace | The namespace for the dashboard.  For the 1.x dashboard this is `kube-system`, for the 2.x dashboard this is `kubernetes-dashboard` |
-| dashboard.cert_name | The name of the secret in the dashboard's namespace that stores the certificate for the dashboard |
-| dashboard.label | The label of the dashboard pod, this is used to delete the pod once new certificates are generated |
-| dashboard.service_name | The name of the service object for the dashboard |
-| k8s_cluster_name | The name of the cluster to use in the `./kube-config`.  Defaults to `kubernetes` |
-| image | The name of the image to use |
-| database.hibernate_dialect | Hibernate dialect for accessing the database.  Unless customizing for a different database do not change |
-| database.quartz_dialect | Dialect used by the Quartz Scheduler.  Unless customizing for a different database do not change  |
-| database.driver | JDBC driver for accessing the database.  Unless customizing for a different database do not change |
-| database.url | The URL for accessing the database |
-| database.user | The user for accessing the database |
-| database.validation | A query for validating database connections/ Unless customizing for a different database do not change |
-| smtp.host | Host for an email server to send notifications |
-| smtp.port | Port for an email server to send notifications |
-| smtp.user | Username for accessing the SMTP server (may be blank) |
-| smtp.from | The email address that messages from OpenUnison are addressed from |
-| smtp.tls | true or false, depending if SMTP should use start tls |
-
-Additionally, add a base 64 encoded PEM certificate to your values under `trusted_certs` for `pem_b64`.  This will allow OpenUnison to talk to Active Directory using TLS.
-
-Finally, run your helm chart:
-1. `cd openunison-k8s-activedirectory`
-2. `helm install  orchestra . --namespace openunison -f /path/to/values.yaml`
-
-Once the pod is deployed, continue the instructions at https://github.com/OpenUnison/openunison-k8s-activedirectory#complete-sso-integration-with-kubernetes
+For instuctions on how to use these charts, see the version of orchestra that you want to deploy - https://github.com/openunison

generate_packages.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+rm -rf /tmp/helm
+mkdir /tmp/helm
+
+for d in openunison-*/ ; do
+    echo "$d"
+    helm package $d
+done
+
+mv *.tgz /tmp/helm
+
+helm repo index /tmp/helm --url https://nexus.tremolo.io/repository/helm
+
+aws s3 sync /tmp/helm/ s3://tremolosecurity-maven/repository/helm/

openunison-k8s-activedirectory/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: openunison-k8s-activedirectory
-description: A chart for deploying the OpenUnison portal for Active Directory and LDAP
+description: An automation portal for Kubernetes providing authentication via Active Directory / LDAP and self service for creating namespaces and granting access to namespaces based on an approval based workflow.
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -18,4 +18,11 @@ version: 1.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 1.0.0
+appVersion: 1.0.18
+home: https://github.com/OpenUnison/openunison-k8s-activedirectory
+icon: https://drive.google.com/open?id=1k3mhr9cVcFbDTRSSMRo_eKFfKISRVPwt
+sources:
+  - https://github.com/OpenUnison/openunison-k8s-activedirectory
+  - https://github.com/OpenUnison/helm-charts
+maintainers:
+  - name: mlbiam 

openunison-k8s-activedirectory/templates/openunison.yaml

@@ -1,3 +1,31 @@
+{{ if eq .Values.enable_impersonation true }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: impersonator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - users
+  - groups
+  verbs:
+  - impersonate
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: orchestra-impersonator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: impersonator
+subjects:
+- kind: ServiceAccount
+  name: openunison-orchestra
+  namespace: {{ .Release.Namespace }}
+{{ end }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -111,6 +139,10 @@ spec:
       name: {{ .Values.network.openunison_host }}
     - env_var: K8S_DASHBOARD_HOST
       name: {{ .Values.network.dashboard_host }}
+    {{ if eq .Values.enable_impersonation true }}
+    - env_var: K8S_API_HOST
+      name: {{ .Values.network.api_server_host }}
+    {{ end }}
     secret_name: ou-tls-certificate
   key_store:
     update_controller:
@@ -145,6 +177,9 @@ spec:
             sign_by_k8s_ca: false
             subject_alternative_names:
               - {{ .Values.network.dashboard_host }} 
+              {{ if eq .Values.enable_impersonation true }}
+              - {{ .Values.network.api_server_host }}
+              {{ end }} 
           import_into_ks: certificate
           name: unison-ca
           tls_secret_name: ou-tls-certificate
@@ -224,7 +259,11 @@ spec:
     {{ end }}
   non_secret_data: 
     - name: K8S_URL
+      {{ if eq .Values.enable_impersonation true }}
+      value: https://{{ .Values.network.api_server_host }}
+      {{ else }}
       value: {{ .Values.network.k8s_url }}
+      {{ end }}
     - name: AD_BASE_DN
       value: {{ .Values.active_directory.base }}
     - name: AD_HOST
@@ -267,6 +306,10 @@ spec:
       value: {{ .Values.smtp.from }}
     - name: SMTP_TLS
       value: {{ .Values.smtp.tls | quote }}
+    - name: K8S_IMPERSONATION
+      value: {{ .Values.enable_impersonation | quote }}
+    - name: PROMETHEUS_SERVICE_ACCOUNT
+      value: {{ .Values.monitoring.prometheus_service_account}}
   openunison_network_configuration:
     activemq_dir: "/tmp/amq"
     allowed_client_names: []
@@ -530,4 +573,38 @@ data:
                            --oidc-username-claim=sub
                            --oidc-groups-claim=groups
                            --oidc-ca-file=/etc/kubernetes/pki/ou-ca.pem
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    audit2rbac.liggitt.net/version: v0.7.0
+  labels:
+    audit2rbac.liggitt.net/generated: "true"
+    audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra
+  name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    audit2rbac.liggitt.net/version: v0.7.0
+  labels:
+    audit2rbac.liggitt.net/generated: "true"
+    audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra
+  name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+subjects:
+- kind: ServiceAccount
+  name: openunison-orchestra
+  namespace: openunison

openunison-k8s-activedirectory/values.yaml

@@ -1,8 +1,10 @@
 network:
   openunison_host: "k8sou.apps.domain.int"
   dashboard_host: "k8sdb.apps.domain.int"
+  api_server_host: "k8sapi.apps.domain.int"
   session_inactivity_timeout_seconds: 900
   k8s_url: https://k8s-installer-master.tremolo.lan:6443
+
 
 cert_template:
   ou: "Kubernetes"
@@ -15,6 +17,7 @@ image: "docker.io/tremolosecurity/openunison-k8s-activedirectory:latest"
 amq_image: "docker.io/tremolosecurity/activemq-docker:latest"
 myvd_config_path: "WEB-INF/myvd.conf"
 k8s_cluster_name: kubernetes
+enable_impersonation: true
 
 dashboard:
   namespace: "kube-system"
@@ -55,4 +58,5 @@ smtp:
   from: [email protected]
   tls: true
 
-
+monitoring:
+  prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s

openunison-k8s-login-activedirectory/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: openunison-k8s-login-activedirectory
-description: A chart for deploying the OpenUnison login portal for Active Directory and LDAP
+description: Use Active Directory or LDAP to authenticate to your cluster with kubectl and dashboard using OpenUnison Orchestra.
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -18,4 +18,11 @@ version: 1.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 1.0.0
+appVersion: 1.0.18
+home: https://github.com/OpenUnison/openunison-k8s-login-activedirectory
+icon: https://drive.google.com/open?id=1k3mhr9cVcFbDTRSSMRo_eKFfKISRVPwt
+sources:
+  - https://github.com/OpenUnison/openunison-k8s-login-activedirectory
+  - https://github.com/OpenUnison/helm-charts
+maintainers:
+  - name: mlbiam