diff --git a/README.md b/README.md
index bf348b4..5a8349e 100644
--- a/README.md
+++ b/README.md
@@ -1,141 +1 @@
-# Operator Deployment:
-
-1. `kubectl create ns openunison`
-2. Deploy the dashboard per https://github.com/kubernetes/dashboard
-3. `cd openunison-operator`
-4. `helm install openunison . --namespace openunison`
-5. Wait for the operator pod to be running in the openunison namespace
-
-# Active Directory Login Portal
-
-First create a secret in the openunison namespace:
-
-```
-apiVersion: v1
-type: Opaque
-metadata:
- name: orchestra-secrets-source
- namespace: openunison
-data:
- AD_BIND_PASSWORD: aW0gYSBzZWNyZXQ=
- K8S_DB_SECRET: aW0gYSBzZWNyZXQ=
- unisonKeystorePassword: aW0gYSBzZWNyZXQ=
-kind: Secret
-```
-
-| Property | Description |
-| -------- | ----------- |
-| AD_BIND_PASSWORD | The password for the ldap service account used to communicate with Active Directory/LDAP |
-| unisonKeystorePassword | The password for OpenUnison's keystore, should NOT contain an ampersand (`&`) |
-| K8S_DB_SECRET | A random string of characters used to secure the SSO process with the dashboard. This should be long and random, with no ampersands (`&`) |
-
-Next, update `values.yaml` for your environment:
-
-| Property | Description |
-| -------- | ----------- |
-| network.openunison_host | The host name for OpenUnison. This is what user's will put into their browser to login to Kubernetes |
-| network.dashboard_host | The host name for the dashboard. This is what users will put into the browser to access to the dashboard. **NOTE:** `network.openunison_host` and `network.dashboard_host` Both `network.openunison_host` and `network.dashboard_host` **MUST** point to OpenUnison |
-| network.api_server_host | The host name to use for the api server reverse proxy. This is what `kubectl` will interact with to access your cluster. 
**NOTE:** `network.openunison_host` and `network.dashboard_host` |
-| network.k8s_url | The URL for the Kubernetes API server |
-| network.session_inactivity_timeout_seconds | The number of seconds of inactivity before the session is terminated, also the length of the refresh token's session |
-| active_directory.base | The search base for Active Directory |
-| active_directory.host | The host name for a domain controller or VIP. If using SRV records to determine hosts, this should be the fully qualified domain name of the domain |
-| active_directory.port | The port to communicate with Active Directory |
-| active_directory.bind_dn | The full distinguished name (DN) of a read-only service account for working with Active Directory |
-| active_directory.con_type | `ldaps` for secure, `ldap` for plain text |
-| active_directory.srv_dns | If `true`, OpenUnison will lookup domain controllers by the domain's SRV DNS record |
-| cert_template.ou | The `OU` attribute for the forward facing certificate |
-| cert_template.o | The `O` attribute for the forward facing certificate |
-| cert_template.l | The `L` attribute for the forward facing certificate |
-| cert_template.st | The `ST` attribute for the forward facing certificate |
-| cert_template.c | The `C` attribute for the forward facing certificate |
-| certs.use_k8s_cm | Tells the deployment system if you should use k8s' built in certificate manager. If your distribution doesn't support this (such as Canonical and Rancher), set this to false |
-| myvd_config_path | The path to the MyVD configuration file, unless being customized, use `WEB-INF/myvd.conf` |
-| dashboard.namespace | The namespace for the dashboard. 
For the 1.x dashboard this is `kube-system`, for the 2.x dashboard this is `kubernetes-dashboard` |
-| dashboard.cert_name | The name of the secret in the dashboard's namespace that stores the certificate for the dashboard |
-| dashboard.label | The label of the dashboard pod, this is used to delete the pod once new certificates are generated |
-| dashboard.service_name | The name of the service object for the dashboard |
-| k8s_cluster_name | The name of the cluster to use in the `./kube-config`. Defaults to `kubernetes` |
-| image | The name of the image to use |
-
-Additionally, add a base 64 encoded PEM certificate to your values under `trusted_certs` for `pem_b64`. This will allow OpenUnison to talk to Active Directory using TLS.
-
-Finally, run your helm chart:
-1. `cd openunison-k8s-login-activedirectory`
-2. `helm install orchestra . --namespace openunison -f /path/to/values.yaml`
-
-Once the pod is deployed, continue the instructions at https://github.com/OpenUnison/openunison-k8s-login-activedirectory#using-your-own-certificate-for-tls
-
-# Active Directory Management Portal
-
-First create a secret in the openunison namespace:
-
-```
-apiVersion: v1
-type: Opaque
-metadata:
- name: orchestra-secrets-source
- namespace: openunison
-data:
- AD_BIND_PASSWORD: aW0gYSBzZWNyZXQ=
- K8S_DB_SECRET: aW0gYSBzZWNyZXQ=
- unisonKeystorePassword: aW0gYSBzZWNyZXQ=
- OU_JDBC_PASSWORD: aW0gYSBzZWNyZXQ=
- SMTP_PASSWORD: aW0gYSBzZWNyZXQ=
-kind: Secret
-```
-
-| Property | Description |
-| -------- | ----------- |
-| AD_BIND_PASSWORD | The password for the ldap service account used to communicate with Active Directory/LDAP |
-| unisonKeystorePassword | The password for OpenUnison's keystore, should NOT contain an ampersand (`&`) |
-| K8S_DB_SECRET | A random string of characters used to secure the SSO process with the dashboard. 
This should be long and random, with no ampersands (`&`) |
-| OU_JDBC_PASSWORD | The password for accessing the database |
-| SMTP_PASSWORD | Password for accessing the SMTP server (may be blank) |
-
-Next, update `values.yaml` for your environment:
-
-| Property | Description |
-| -------- | ----------- |
-| network.openunison_host | The host name for OpenUnison. This is what user's will put into their browser to login to Kubernetes |
-| network.dashboard_host | The host name for the dashboard. This is what users will put into the browser to access to the dashboard. **NOTE:** `network.openunison_host` and `network.dashboard_host` **MUST** share the same DNS suffix. Both `network.openunison_host` and `network.dashboard_host` **MUST** point to OpenUnison |
-| network.k8s_url | The URL for the Kubernetes API server |
-| network.session_inactivity_timeout_seconds | The number of seconds of inactivity before the session is terminated, also the length of the refresh token's session |
-| active_directory.base | The search base for Active Directory |
-| active_directory.host | The host name for a domain controller or VIP. 
If using SRV records to determine hosts, this should be the fully qualified domain name of the domain |
-| active_directory.port | The port to communicate with Active Directory |
-| active_directory.bind_dn | The full distinguished name (DN) of a read-only service account for working with Active Directory |
-| active_directory.con_type | `ldaps` for secure, `ldap` for plain text |
-| active_directory.srv_dns | If `true`, OpenUnison will lookup domain controllers by the domain's SRV DNS record |
-| cert_template.ou | The `OU` attribute for the forward facing certificate |
-| cert_template.o | The `O` attribute for the forward facing certificate |
-| cert_template.l | The `L` attribute for the forward facing certificate |
-| cert_template.st | The `ST` attribute for the forward facing certificate |
-| cert_template.c | The `C` attribute for the forward facing certificate |
-| certs.use_k8s_cm | Tells the deployment system if you should use k8s' built in certificate manager. If your distribution doesn't support this (such as Canonical and Rancher), set this to false |
-| myvd_config_path | The path to the MyVD configuration file, unless being customized, use `WEB-INF/myvd.conf` |
-| dashboard.namespace | The namespace for the dashboard. For the 1.x dashboard this is `kube-system`, for the 2.x dashboard this is `kubernetes-dashboard` |
-| dashboard.cert_name | The name of the secret in the dashboard's namespace that stores the certificate for the dashboard |
-| dashboard.label | The label of the dashboard pod, this is used to delete the pod once new certificates are generated |
-| dashboard.service_name | The name of the service object for the dashboard |
-| k8s_cluster_name | The name of the cluster to use in the `./kube-config`. Defaults to `kubernetes` |
-| image | The name of the image to use |
-| database.hibernate_dialect | Hibernate dialect for accessing the database. 
Unless customizing for a different database do not change |
-| database.quartz_dialect | Dialect used by the Quartz Scheduler. Unless customizing for a different database do not change |
-| database.driver | JDBC driver for accessing the database. Unless customizing for a different database do not change |
-| database.url | The URL for accessing the database |
-| database.user | The user for accessing the database |
-| database.validation | A query for validating database connections/ Unless customizing for a different database do not change |
-| smtp.host | Host for an email server to send notifications |
-| smtp.port | Port for an email server to send notifications |
-| smtp.user | Username for accessing the SMTP server (may be blank) |
-| smtp.from | The email address that messages from OpenUnison are addressed from |
-| smtp.tls | true or false, depending if SMTP should use start tls |
-
-Additionally, add a base 64 encoded PEM certificate to your values under `trusted_certs` for `pem_b64`. This will allow OpenUnison to talk to Active Directory using TLS.
-
-Finally, run your helm chart:
-1. `cd openunison-k8s-activedirectory`
-2. `helm install orchestra . --namespace openunison -f /path/to/values.yaml`
-
-Once the pod is deployed, continue the instructions at https://github.com/OpenUnison/openunison-k8s-activedirectory#complete-sso-integration-with-kubernetes
\ No newline at end of file
+For instuctions on how to use these charts, see the version of orchestra that you want to deploy - https://github.com/openunison
\ No newline at end of file
diff --git a/generate_packages.sh b/generate_packages.sh
new file mode 100644
index 0000000..906284a
--- /dev/null
+++ b/generate_packages.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+rm -rf /tmp/helm
+mkdir /tmp/helm
+
+for d in openunison-*/ ; do
+ echo "$d"
+ helm package $d
+done
+
+mv *.tgz /tmp/helm
+
+helm repo index /tmp/helm --url https://nexus.tremolo.io/repository/helm
+
+aws s3 sync /tmp/helm/ s3://tremolosecurity-maven/repository/helm/
\ No newline at end of file
diff --git a/openunison-k8s-activedirectory/Chart.yaml b/openunison-k8s-activedirectory/Chart.yaml
index ee843f6..e0f702d 100644
--- a/openunison-k8s-activedirectory/Chart.yaml
+++ b/openunison-k8s-activedirectory/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: openunison-k8s-activedirectory
-description: A chart for deploying the OpenUnison portal for Active Directory and LDAP
+description: An automation portal for Kubernetes providing authentication via Active Directory / LDAP and self service for creating namespaces and granting access to namespaces based on an approval based workflow.
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -18,4 +18,11 @@ version: 1.0.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 1.0.0
+appVersion: 1.0.18
+home: https://github.com/OpenUnison/openunison-k8s-activedirectory
+icon: https://drive.google.com/open?id=1k3mhr9cVcFbDTRSSMRo_eKFfKISRVPwt
+sources:
+ - https://github.com/OpenUnison/openunison-k8s-activedirectory
+ - https://github.com/OpenUnison/helm-charts
+maintainers:
+ - name: mlbiam
diff --git a/openunison-k8s-activedirectory/templates/openunison.yaml b/openunison-k8s-activedirectory/templates/openunison.yaml
index edbdbb3..b74a578 100644
--- a/openunison-k8s-activedirectory/templates/openunison.yaml
+++ b/openunison-k8s-activedirectory/templates/openunison.yaml
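Review bot: The publish pipeline builds in a fixed, world-writable path: `rm -rf /tmp/helm` followed by `mkdir /tmp/helm` leaves a window in which any other local user can create `/tmp/helm` (or a symlink to elsewhere) first, after which everything `helm repo index` writes and `aws s3 sync` uploads comes from a directory that user controls. A private `mktemp -d` work directory removes that, and `set -euo pipefail` after the shebang stops a failed `helm package` from being followed by an upload of a stale or partial index, which the script currently does silently. `mv *.tgz /tmp/helm` also sweeps up any `.tgz` lying in the working directory, not only the charts just packaged, so the glob should be `openunison-*.tgz`. Nothing here signs the packages (`helm package --sign`) or verifies what is already in the bucket before syncing; if consumers are expected to verify provenance that is worth adding, but I can't tell from this file whether they do.
```shell
#!/bin/bash
set -euo pipefail

# private, unpredictable work dir instead of the shared, fixed /tmp/helm
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# … unchanged: for-loop running `helm package` over openunison-*/ …

mv openunison-*.tgz "$WORKDIR"/
helm repo index "$WORKDIR" --url https://nexus.tremolo.io/repository/helm
aws s3 sync "$WORKDIR"/ s3://tremolosecurity-maven/repository/helm/
```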
@@ -1,3 +1,31 @@
+{{ if eq .Values.enable_impersonation true }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: impersonator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - users
+ - groups
+ verbs:
+ - impersonate
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: orchestra-impersonator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: impersonator
+subjects:
+- kind: ServiceAccount
+ name: openunison-orchestra
+ namespace: {{ .Release.Namespace }}
+{{ end }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -111,6 +139,10 @@ spec:
 name: {{ .Values.network.openunison_host }}
 - env_var: K8S_DASHBOARD_HOST
 name: {{ .Values.network.dashboard_host }}
+ {{ if eq .Values.enable_impersonation true }}
+ - env_var: K8S_API_HOST
+ name: {{ .Values.network.api_server_host }}
+ {{ end }}
 secret_name: ou-tls-certificate
 key_store:
 update_controller:
@@ -145,6 +177,9 @@ spec:
 sign_by_k8s_ca: false
 subject_alternative_names:
 - {{ .Values.network.dashboard_host }}
+ {{ if eq .Values.enable_impersonation true }}
+ - {{ .Values.network.api_server_host }}
+ {{ end }}
 import_into_ks: certificate
 name: unison-ca
 tls_secret_name: ou-tls-certificate
@@ -224,7 +259,11 @@ spec:
 {{ end }}
 non_secret_data:
 - name: K8S_URL
+ {{ if eq .Values.enable_impersonation true }}
+ value: https://{{ .Values.network.api_server_host }}
+ {{ else }}
 value: {{ .Values.network.k8s_url }}
+ {{ end }}
 - name: AD_BASE_DN
 value: {{ .Values.active_directory.base }}
 - name: AD_HOST
@@ -267,6 +306,10 @@ spec:
 value: {{ .Values.smtp.from }}
 - name: SMTP_TLS
 value: {{ .Values.smtp.tls | quote }}
+ - name: K8S_IMPERSONATION
+ value: {{ .Values.enable_impersonation | quote }}
+ - name: PROMETHEUS_SERVICE_ACCOUNT
+ value: {{ .Values.monitoring.prometheus_service_account}}
 openunison_network_configuration:
 activemq_dir: "/tmp/amq"
 allowed_client_names: []
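Review bot: The `impersonator` ClusterRole in the first hunk grants `impersonate` on every `users` and `groups` name with no `resourceNames`, so with `enable_impersonation` true the `openunison-orchestra` service-account token is effectively a cluster-admin credential: whoever holds it can act as any user or add `system:masters` to the impersonated groups and bypass RBAC entirely. RBAC `resourceNames` can only allowlist, so `system:masters` cannot be excluded in this role; the guard has to live in the proxy, and this hunk does not show whether OpenUnison filters `system:`-prefixed groups sourced from AD before forwarding them — worth confirming, and worth stating above the rule, e.g. `# Unrestricted impersonate: protect the orchestra SA token like cluster-admin; OpenUnison must never forward system:* groups from the identity source`. The object names `impersonator` and `orchestra-impersonator` are cluster-scoped but not release-scoped, and the github and oidc charts added in this same commit define identical objects, so installing two of these charts into one cluster makes the second `helm install` fail on (or, with older Helm, silently re-bind) the existing ClusterRoleBinding; prefixing both names with `{{ .Release.Name }}-` avoids that.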
@@ -530,4 +573,38 @@ data:
 --oidc-username-claim=sub
 --oidc-groups-claim=groups
 --oidc-ca-file=/etc/kubernetes/pki/ou-ca.pem
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ audit2rbac.liggitt.net/version: v0.7.0
+ labels:
+ audit2rbac.liggitt.net/generated: "true"
+ audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ audit2rbac.liggitt.net/version: v0.7.0
+ labels:
+ audit2rbac.liggitt.net/generated: "true"
+ audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+subjects:
+- kind: ServiceAccount
+ name: openunison-orchestra
+ namespace: openunison
diff --git a/openunison-k8s-activedirectory/values.yaml b/openunison-k8s-activedirectory/values.yaml
index a98fb75..b68fc63 100644
--- a/openunison-k8s-activedirectory/values.yaml
+++ b/openunison-k8s-activedirectory/values.yaml
@@ -1,8 +1,10 @@
 network:
 openunison_host: "k8sou.apps.domain.int"
 dashboard_host: "k8sdb.apps.domain.int"
+ api_server_host: "k8sapi.apps.domain.int"
 session_inactivity_timeout_seconds: 900
 k8s_url: https://k8s-installer-master.tremolo.lan:6443
+
 cert_template:
 ou: "Kubernetes"
@@ -15,6 +17,7 @@ image: "docker.io/tremolosecurity/openunison-k8s-activedirectory:latest"
 amq_image: "docker.io/tremolosecurity/activemq-docker:latest"
 myvd_config_path: "WEB-INF/myvd.conf"
 k8s_cluster_name: kubernetes
+enable_impersonation: true
 dashboard:
 namespace: "kube-system"
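Review bot: The new `audit2rbac:…` ClusterRoleBinding hard-codes `namespace: openunison` in its subject while every other binding in this template uses `{{ .Release.Namespace }}`, so a release installed anywhere else leaves its own `openunison-orchestra` service account without the `tokenreviews` create permission this chart evidently relies on, and instead grants it to a same-named account in `openunison` if one exists. Change the subject to `namespace: {{ .Release.Namespace }}`, and since the object name `audit2rbac:system:serviceaccount:openunison:openunison-orchestra` and the `audit2rbac.liggitt.net/*` generator labels also bake that namespace in, replace them with a release-scoped name such as `{{ .Release.Name }}-tokenreview`; the tool metadata is not needed at runtime. The ClusterRole itself is appropriately narrow (only `create` on `tokenreviews`), so this is a correctness fix rather than a privilege one.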
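Review bot: `enable_impersonation: true` is the default in this values file while the new github chart in the same commit defaults it to `false`, and enabling it changes two things an operator may not expect: the orchestra service account receives an unrestricted cluster-wide `impersonate` grant, and `K8S_URL` is silently switched from `network.k8s_url` to `https://<network.api_server_host>`, so the `k8s_url` value two lines above is ignored whenever the flag is true. Defaulting the flag to `false` keeps the default install least-privilege, and a comment on the key makes the coupling visible, e.g. `# when true, network.k8s_url is ignored: kubectl traffic is proxied through network.api_server_host and the orchestra SA impersonates the caller cluster-wide`.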
@@ -55,4 +58,5 @@ smtp:
 from: donotreply@domain.com
 tls: true
-
\ No newline at end of file
+monitoring:
+ prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s
\ No newline at end of file
diff --git a/openunison-k8s-login-activedirectory/Chart.yaml b/openunison-k8s-login-activedirectory/Chart.yaml
index 233a003..9a02b78 100644
--- a/openunison-k8s-login-activedirectory/Chart.yaml
+++ b/openunison-k8s-login-activedirectory/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: openunison-k8s-login-activedirectory
-description: A chart for deploying the OpenUnison login portal for Active Directory and LDAP
+description: Use Active Directory or LDAP to authenticate to your cluster with kubectl and dashboard using OpenUnison Orchestra.
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -18,4 +18,11 @@ version: 1.0.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 1.0.0
+appVersion: 1.0.18
+home: https://github.com/OpenUnison/openunison-k8s-login-activedirectory
+icon: https://drive.google.com/open?id=1k3mhr9cVcFbDTRSSMRo_eKFfKISRVPwt
+sources:
+ - https://github.com/OpenUnison/openunison-k8s-login-activedirectory
+ - https://github.com/OpenUnison/helm-charts
+maintainers:
+ - name: mlbiam
diff --git a/openunison-k8s-login-activedirectory/templates/openunison.yaml b/openunison-k8s-login-activedirectory/templates/openunison.yaml
index 25d0f06..2ee2048 100644
--- a/openunison-k8s-login-activedirectory/templates/openunison.yaml
+++ b/openunison-k8s-login-activedirectory/templates/openunison.yaml
@@ -190,7 +190,11 @@ spec:
 {{ end }}
 non_secret_data:
 - name: K8S_URL
+ {{ if eq .Values.enable_impersonation true }}
+ value: https://{{ .Values.network.api_server_host }}
+ {{ else }}
 value: {{ .Values.network.k8s_url }}
+ {{ end }}
 - name: AD_BASE_DN
 value: {{ .Values.active_directory.base }}
 - name: AD_HOST
@@ -213,6 +217,8 @@ spec:
 value: {{ .Values.k8s_cluster_name }}
 - name: K8S_IMPERSONATION
 value: {{ .Values.enable_impersonation | quote }}
+ - name: PROMETHEUS_SERVICE_ACCOUNT
+ value: {{ .Values.monitoring.prometheus_service_account}}
 openunison_network_configuration:
 activemq_dir: "/tmp/amq"
 allowed_client_names: []
@@ -253,4 +259,38 @@ data:
 --oidc-username-claim=sub
 --oidc-groups-claim=groups
 --oidc-ca-file=/etc/kubernetes/pki/ou-ca.pem
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ audit2rbac.liggitt.net/version: v0.7.0
+ labels:
+ audit2rbac.liggitt.net/generated: "true"
+ audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ audit2rbac.liggitt.net/version: v0.7.0
+ labels:
+ audit2rbac.liggitt.net/generated: "true"
+ audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+subjects:
+- kind: ServiceAccount
+ name: openunison-orchestra
+ namespace: openunison
\ No newline at end of file
diff --git a/openunison-k8s-login-activedirectory/values.yaml b/openunison-k8s-login-activedirectory/values.yaml
index 3f9687a..22a0c57 100644
--- a/openunison-k8s-login-activedirectory/values.yaml
+++ b/openunison-k8s-login-activedirectory/values.yaml
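Review bot: `value: {{ .Values.monitoring.prometheus_service_account}}` is the one `non_secret_data` entry in this hunk rendered without `| quote`, unlike `K8S_IMPERSONATION` directly above it; the default `system:serviceaccount:monitoring:prometheus-k8s` happens to be a valid bare scalar, but a value containing `: `, `#` or a leading `*`/`&` would break the rendered OpenUnison CR rather than fail cleanly. Use `value: {{ .Values.monitoring.prometheus_service_account | quote }}` to match the neighbouring entries (the same line appears in the other charts in this commit).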
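Review bot: The `audit2rbac:…` ClusterRoleBinding added at the end of this file pins its subject to `namespace: openunison` instead of `{{ .Release.Namespace }}` used elsewhere in the template, so a release installed in another namespace gets no `tokenreviews` permission for its own orchestra service account and the grant lands on whatever `openunison-orchestra` account exists in `openunison`. Change the subject to `namespace: {{ .Release.Namespace }}` and give the ClusterRole and binding a release-scoped name in place of the generator-derived `audit2rbac:system:serviceaccount:openunison:openunison-orchestra`, which also encodes the namespace.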
@@ -29,6 +29,9 @@ trusted_certs:
 - name: ldaps
 pem_b64: SDFGSDFGHDFHSDFGSDGSDFGDS
+monitoring:
+ prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s
+
 active_directory:
 base: cn=users,dc=ent2k12,dc=domain,dc=com
 host: "192.168.2.75"
diff --git a/openunison-k8s-login-github/.helmignore b/openunison-k8s-login-github/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/openunison-k8s-login-github/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/openunison-k8s-login-github/Chart.yaml b/openunison-k8s-login-github/Chart.yaml
new file mode 100644
index 0000000..4beaebd
--- /dev/null
+++ b/openunison-k8s-login-github/Chart.yaml
@@ -0,0 +1,28 @@
+apiVersion: v2
+name: openunison-k8s-login-github
+description: Use GitHub to authenticate to your cluster with kubectl and dashboard using OpenUnison Orchestra.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: 1.0.18
+home: https://github.com/OpenUnison/openunison-k8s-login-github
+icon: https://drive.google.com/open?id=1k3mhr9cVcFbDTRSSMRo_eKFfKISRVPwt
+sources:
+ - https://github.com/OpenUnison/openunison-k8s-login-github
+ - https://github.com/OpenUnison/helm-charts
+maintainers:
+ - name: mlbiam
diff --git a/openunison-k8s-login-github/templates/openunison.yaml b/openunison-k8s-login-github/templates/openunison.yaml
new file mode 100644
index 0000000..647af3e
--- /dev/null
+++ b/openunison-k8s-login-github/templates/openunison.yaml
@@ -0,0 +1,317 @@
+{{ if eq .Values.enable_impersonation true }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: impersonator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - users
+ - groups
+ verbs:
+ - impersonate
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: orchestra-impersonator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: impersonator
+subjects:
+- kind: ServiceAccount
+ name: openunison-orchestra
+ namespace: {{ .Release.Namespace }}
+{{ end }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: {{ .Values.dashboard.namespace }}
+ name: orchestra-dashboard
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ - pods
+ verbs:
+ - "*"
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: orchestra-dashboard
+ namespace: {{ .Values.dashboard.namespace }}
+subjects:
+- kind: ServiceAccount
+ name: openunison-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: orchestra-dashboard
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: orchestra-certs
+rules:
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ - certificatesigningrequests/approval
+ verbs:
+ - "*"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: orchestra-certs
+subjects:
+- kind: ServiceAccount
+ name: openunison-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: orchestra-certs
+ apiGroup: rbac.authorization.k8s.io
+
+---
+apiVersion: openunison.tremolo.io/v1
+kind: OpenUnison
+metadata:
+ name: orchestra
+ namespace: {{ .Release.Namespace }}
+spec:
+ dest_secret: orchestra
+ enable_activemq: false
+ hosts:
+ - ingress_name: openunison
+ names:
+ - env_var: OU_HOST
+ name: {{ .Values.network.openunison_host }}
+ - env_var: 
K8S_DASHBOARD_HOST
+ name: {{ .Values.network.dashboard_host }}
+ {{ if eq .Values.enable_impersonation true }}
+ - env_var: K8S_API_HOST
+ name: {{ .Values.network.api_server_host }}
+ {{ end }}
+ secret_name: ou-tls-certificate
+ key_store:
+ update_controller:
+ image: docker.io/tremolosecurity/kubernetes-artifact-deployment:1.1.0
+ schedule: 0 2 * * *
+ days_to_expire: 10
+ key_pairs:
+ create_keypair_template:
+ - name: ou
+ value: {{ .Values.cert_template.ou }}
+ - name: o
+ value: {{ .Values.cert_template.o }}
+ - name: l
+ value: {{ .Values.cert_template.l }}
+ - name: st
+ value: {{ .Values.cert_template.st }}
+ - name: c
+ value: {{ .Values.cert_template.c }}
+ keys:
+ - create_data:
+ ca_cert: true
+ key_size: 2048
+ server_name: openunison.openunison.svc.cluster.local
+ sign_by_k8s_ca: {{ .Values.certs.use_k8s_cm }}
+ subject_alternative_names: []
+ import_into_ks: keypair
+ name: unison-tls
+ - create_data:
+ ca_cert: true
+ key_size: 2048
+ server_name: {{ .Values.network.openunison_host }}
+ sign_by_k8s_ca: false
+ subject_alternative_names:
+ - {{ .Values.network.dashboard_host }}
+ {{ if eq .Values.enable_impersonation true }}
+ - {{ .Values.network.api_server_host }}
+ {{ end }}
+ import_into_ks: certificate
+ name: unison-ca
+ tls_secret_name: ou-tls-certificate
+ - create_data:
+ {{ if .Values.certs.use_k8s_cm }}
+ ca_cert: false
+ {{ else }}
+ ca_cert: true
+ {{ end }}
+ key_size: 2048
+ server_name: {{ .Values.dashboard.service_name }}.{{ .Values.dashboard.namespace }}.svc.cluster.local
+ sign_by_k8s_ca: {{ .Values.certs.use_k8s_cm }}
+ subject_alternative_names: []
+ target_namespace: {{ .Values.dashboard.namespace }}
+ secret_info:
+ type_of_secret: Opaque
+ cert_name: dashboard.crt
+ key_name: dashboard.key
+ delete_pods_labels:
+ - {{ .Values.dashboard.label }}
+ {{ if .Values.certs.use_k8s_cm }}
+ import_into_ks: "none"
+ {{ else }}
+ import_into_ks: "certificate"
+ {{ end }}
+ name: kubernetes-dashboard
+ tls_secret_name: {{ 
.Values.dashboard.cert_name }}
+ replace_if_exists: true
+ - create_data:
+ ca_cert: true
+ key_size: 2048
+ server_name: unison-saml2-rp-sig
+ sign_by_k8s_ca: false
+ subject_alternative_names: []
+ import_into_ks: keypair
+ name: unison-saml2-rp-sig
+ static_keys:
+ - name: session-unison
+ version: 1
+ - name: lastmile-oidc
+ version: 1
+
+ {{ $length := len .Values.trusted_certs }}
+ {{ if eq $length 0 }}
+ trusted_certificates: []
+ {{ else }}
+ trusted_certificates: {{ range .Values.trusted_certs }}
+ - name: {{ .name }}
+ pem_data: {{ .pem_b64 }} {{ end }}
+ {{ end }}
+ non_secret_data:
+ - name: K8S_URL
+ {{ if eq .Values.enable_impersonation true }}
+ value: https://{{ .Values.network.api_server_host }}
+ {{ else }}
+ value: {{ .Values.network.k8s_url }}
+ {{ end }}
+ - name: SESSION_INACTIVITY_TIMEOUT_SECONDS
+ value: {{ .Values.network.session_inactivity_timeout_seconds | quote }}
+ - name: MYVD_CONFIG_PATH
+ value: {{ .Values.myvd_config_path }}
+ - name: K8S_DASHBOARD_NAMESPACE
+ value: {{ .Values.dashboard.namespace }}
+ - name: K8S_CLUSTER_NAME
+ value: {{ .Values.k8s_cluster_name }}
+ - name: K8S_IMPERSONATION
+ value: {{ .Values.enable_impersonation | quote }}
+ - name: PROMETHEUS_SERVICE_ACCOUNT
+ value: {{ .Values.monitoring.prometheus_service_account}}
+ - name: GITHUB_CLIENT_ID
+ value: {{ .Values.github.client_id }}
+ - name: GITHUB_TEAMS
+ value: {{ .Values.github.teams }}
+
+ openunison_network_configuration:
+ activemq_dir: "/tmp/amq"
+ allowed_client_names: []
+ ciphers:
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ client_auth: none
+ force_to_secure: true
+ open_external_port: 80
+ open_port: 8080
+ path_to_deployment: "/usr/local/openunison/work"
+ path_to_env_file: "/etc/openunison/ou.env"
+ quartz_dir: "/tmp/quartz"
+
secure_external_port: 443
+ secure_key_alias: unison-tls
+ secure_port: 8443
+ replicas: 1
+ secret_data:
+ - K8S_DB_SECRET
+ - unisonKeystorePassword
+ - GITHUB_SECRET_ID
+ source_secret: orchestra-secrets-source
+ image: {{ .Values.image }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: api-server-config
+ namespace: openunison
+data:
+ oidc-api-server-flags: |-
+ --oidc-issuer-url=https://{{ .Values.network.openunison_host }}/auth/idp/k8sIdp
+ --oidc-client-id=kubernetes
+ --oidc-username-claim=sub
+ --oidc-groups-claim=groups
+ --oidc-ca-file=/etc/kubernetes/pki/ou-ca.pem
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ audit2rbac.liggitt.net/version: v0.7.0
+ labels:
+ audit2rbac.liggitt.net/generated: "true"
+ audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ audit2rbac.liggitt.net/version: v0.7.0
+ labels:
+ audit2rbac.liggitt.net/generated: "true"
+ audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+subjects:
+- kind: ServiceAccount
+ name: openunison-orchestra
+ namespace: openunison
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: openunison-cr-update
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - openunison.tremolo.io
+ resources:
+ - openunisons
+ - users
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: openunison-cr-update
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: openunison-cr-update
+subjects:
+- kind: ServiceAccount
+ name: openunison-orchestra
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/openunison-k8s-login-github/values.yaml b/openunison-k8s-login-github/values.yaml
new file mode 100644
index 0000000..c8c1be4
--- /dev/null
+++ b/openunison-k8s-login-github/values.yaml
@@ -0,0 +1,36 @@
+network:
+ openunison_host: "k8sou.apps.domain.int"
+ dashboard_host: "k8sdb.apps.domain.int"
+ api_server_host: "k8sapi.apps.domain.int"
+ session_inactivity_timeout_seconds: 900
+ k8s_url: https://k8s-installer-master.tremolo.lan:6443
+
+cert_template:
+ ou: "Kubernetes"
+ o: "MyOrg"
+ l: "My Cluster"
+ st: "State of Cluster"
+ c: "MyCountry"
+
+image: "docker.io/tremolosecurity/openunison-k8s-login-github:latest"
+myvd_config_path: "WEB-INF/myvd.conf"
+k8s_cluster_name: kubernetes
+enable_impersonation: false
+
+dashboard:
+ namespace: "kube-system"
+ cert_name: "kubernetes-dashboard-certs"
+ label: "k8s-app=kubernetes-dashboard"
+ service_name: kubernetes-dashboard
+certs:
+ use_k8s_cm: false
+
+trusted_certs: []
+
+monitoring:
+ prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s
+
+github:
+ client_id: sdfsdfsfsdfsdf
+ teams: MyOrg/
+
\ No newline at end of file
diff --git a/openunison-k8s-login-oidc/.helmignore b/openunison-k8s-login-oidc/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/openunison-k8s-login-oidc/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
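Review bot: The `orchestra-dashboard` Role near the top of this file (the hunk runs from the `@@ -0,0 +1,317 @@` header through the `openunison-cr-update` RoleBinding here) grants verbs `"*"` on all `secrets` and `pods` in `.Values.dashboard.namespace`, which defaults to `kube-system`, so the `openunison-operator` service account can read, overwrite or delete every secret in the control-plane namespace rather than only the dashboard certificate secret it rotates. What the update controller visibly does with that grant is write the secret named by `.Values.dashboard.cert_name` and delete pods matching `.Values.dashboard.label`, so the rule should be split: name-restricted verbs on that one secret, a separate `create`-only rule because `create` cannot be limited by `resourceNames`, and only `list`/`delete` on pods — the exact verb set the `kubernetes-artifact-deployment` controller needs is not visible here, so check it before tightening. In the same stretch the `orchestra-certs` ClusterRole grants `"*"` on `certificatesigningrequests` and `certificatesigningrequests/approval` unconditionally even though cluster-CA signing is only used when `certs.use_k8s_cm` is true (default `false`); wrapping that ClusterRole and its binding in `{{ if .Values.certs.use_k8s_cm }} … {{ end }}` keeps the ability to self-approve cluster-CA certificates out of the default install. The `api-server-config` ConfigMap and the `audit2rbac` ClusterRoleBinding both hard-code `namespace: openunison` while every other object uses `{{ .Release.Namespace }}`, which breaks the tokenreview grant for any other release namespace.
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: {{ .Values.dashboard.namespace }}
  name: orchestra-dashboard
rules:
# only the dashboard TLS secret the update controller rotates (verify verbs against the controller)
- apiGroups: ['']
  resources: [secrets]
  resourceNames: [{{ .Values.dashboard.cert_name | quote }}]
  verbs: [get, update, patch, delete]
# create cannot be scoped by resourceNames; grant it alone
- apiGroups: ['']
  resources: [secrets]
  verbs: [create]
# dashboard pods are only deleted by label after a new certificate is written
- apiGroups: ['']
  resources: [pods]
  verbs: [list, delete]
# … unchanged: RoleBinding orchestra-dashboard, remaining objects …
```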
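Review bot: `teams: MyOrg/` under `github` is undocumented, and it is the value the template passes straight through as `GITHUB_TEAMS`, which presumably is what decides which GitHub users may log in; whether the trailing slash means "every member of MyOrg" or is a prefix that must be completed with a team name cannot be told from this file. Add a comment on the key, e.g. `# GitHub teams allowed to log in, as org/team; a bare "org/" appears to admit any org member — confirm against the OpenUnison docs before relying on it`, and replace the `client_id: sdfsdfsfsdfsdf` filler with an obviously-invalid marker such as `CHANGE_ME` so a values file copied without editing fails visibly instead of looking configured.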
diff --git a/openunison-k8s-login-oidc/Chart.yaml b/openunison-k8s-login-oidc/Chart.yaml
new file mode 100644
index 0000000..9839361
--- /dev/null
+++ b/openunison-k8s-login-oidc/Chart.yaml
@@ -0,0 +1,28 @@
+apiVersion: v2
+name: openunison-k8s-login-oidc
+description: Use OpnID Connect to authenticate to your cluster with kubectl and dashboard using OpenUnison Orchestra.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: 1.0.18
+home: https://github.com/OpenUnison/openunison-k8s-login-oidc
+icon: https://drive.google.com/open?id=1k3mhr9cVcFbDTRSSMRo_eKFfKISRVPwt
+sources:
+ - https://github.com/OpenUnison/openunison-k8s-login-oidc
+ - https://github.com/OpenUnison/helm-charts
+maintainers:
+ - name: mlbiam
diff --git a/openunison-k8s-login-oidc/templates/openunison.yaml b/openunison-k8s-login-oidc/templates/openunison.yaml
new file mode 100644
index 0000000..44a0e3c
--- /dev/null
+++ b/openunison-k8s-login-oidc/templates/openunison.yaml
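Review bot: `description` misspells the protocol name: `OpnID Connect` should be `OpenID Connect`. This string is what `helm search` and chart repository indexes display, so the typo is user-visible and should be fixed before the chart is published by the new `generate_packages.sh`.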
@@ -0,0 +1,338 @@
+{{ if eq .Values.enable_impersonation true }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: impersonator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - users
+ - groups
+ verbs:
+ - impersonate
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: orchestra-impersonator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: impersonator
+subjects:
+- kind: ServiceAccount
+ name: openunison-orchestra
+ namespace: {{ .Release.Namespace }}
+{{ end }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: {{ .Values.dashboard.namespace }}
+ name: orchestra-dashboard
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ - pods
+ verbs:
+ - "*"
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: orchestra-dashboard
+ namespace: {{ .Values.dashboard.namespace }}
+subjects:
+- kind: ServiceAccount
+ name: openunison-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: orchestra-dashboard
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: orchestra-certs
+rules:
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ - certificatesigningrequests/approval
+ verbs:
+ - "*"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: orchestra-certs
+subjects:
+- kind: ServiceAccount
+ name: openunison-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: orchestra-certs
+ apiGroup: rbac.authorization.k8s.io
+
+---
+apiVersion: openunison.tremolo.io/v1
+kind: OpenUnison
+metadata:
+ name: orchestra
+ namespace: {{ .Release.Namespace }}
+spec:
+ dest_secret: orchestra
+ enable_activemq: false
+ hosts:
+ - ingress_name: openunison
+ names:
+ - env_var: OU_HOST
+ name: {{ .Values.network.openunison_host }}
+ - env_var: K8S_DASHBOARD_HOST
+ name: {{ .Values.network.dashboard_host }}
+ {{ if eq .Values.enable_impersonation true }}
+ - env_var: K8S_API_HOST
+ name: {{ .Values.network.api_server_host }}
+ {{ end }}
+ secret_name: ou-tls-certificate
+ key_store:
+ update_controller:
+ image: docker.io/tremolosecurity/kubernetes-artifact-deployment:1.1.0
+ schedule: 0 2 * * *
+ days_to_expire: 10
+ key_pairs:
+ create_keypair_template:
+ - name: ou
+ value: {{ .Values.cert_template.ou }}
+ - name: o
+ value: {{ .Values.cert_template.o }}
+ - name: l
+ value: {{ .Values.cert_template.l }}
+ - name: st
+ value: {{ .Values.cert_template.st }}
+ - name: c
+ value: {{ .Values.cert_template.c }}
+ keys:
+ - create_data:
+ ca_cert: true
+ key_size: 2048
+ server_name: openunison.openunison.svc.cluster.local
+ sign_by_k8s_ca: {{ .Values.certs.use_k8s_cm }}
+ subject_alternative_names: []
+ import_into_ks: keypair
+ name: unison-tls
+ - create_data:
+ ca_cert: true
+ key_size: 2048
+ server_name: {{ .Values.network.openunison_host }}
+ sign_by_k8s_ca: false
+ subject_alternative_names:
+ - {{ .Values.network.dashboard_host }}
+ {{ if eq .Values.enable_impersonation true }}
+ - {{ .Values.network.api_server_host }}
+ {{ end }}
+ import_into_ks: certificate
+ name: unison-ca
+ tls_secret_name: ou-tls-certificate
+ - create_data:
+ {{ if .Values.certs.use_k8s_cm }}
+ ca_cert: false
+ {{ else }}
+ ca_cert: true
+ {{ end }}
+ key_size: 2048
+ server_name: {{ .Values.dashboard.service_name }}.{{ .Values.dashboard.namespace }}.svc.cluster.local
+ sign_by_k8s_ca: {{ .Values.certs.use_k8s_cm }}
+ subject_alternative_names: []
+ target_namespace: {{ .Values.dashboard.namespace }}
+ secret_info:
+ type_of_secret: Opaque
+ cert_name: dashboard.crt
+ key_name: dashboard.key
+ delete_pods_labels:
+ - {{ .Values.dashboard.label }}
+ {{ if .Values.certs.use_k8s_cm }}
+ import_into_ks: "none"
+ {{ else }}
+ import_into_ks: "certificate"
+ {{ end }}
+ name: kubernetes-dashboard
+ tls_secret_name: {{ .Values.dashboard.cert_name }}
+ replace_if_exists: true
+ - create_data:
+ ca_cert: true
+ key_size: 2048
+ server_name: unison-saml2-rp-sig
+ sign_by_k8s_ca: false
+ subject_alternative_names: []
+ import_into_ks: keypair
+ name: unison-saml2-rp-sig
+ static_keys:
+ - name: session-unison
+ version: 1
+ - name: lastmile-oidc
+ version: 1
+
+ {{ $length := len .Values.trusted_certs }}
+ {{ if eq $length 0 }}
+ trusted_certificates: []
+ {{ else }}
+ trusted_certificates: {{ range .Values.trusted_certs }}
+ - name: {{ .name }}
+ pem_data: {{ .pem_b64 }} {{ end }}
+ {{ end }}
+ non_secret_data:
+ - name: K8S_URL
+ {{ if eq .Values.enable_impersonation true }}
+ value: https://{{ .Values.network.api_server_host }}
+ {{ else }}
+ value: {{ .Values.network.k8s_url }}
+ {{ end }}
+ - name: SESSION_INACTIVITY_TIMEOUT_SECONDS
+ value: {{ .Values.network.session_inactivity_timeout_seconds | quote }}
+ - name: MYVD_CONFIG_PATH
+ value: {{ .Values.myvd_config_path }}
+ - name: K8S_DASHBOARD_NAMESPACE
+ value: {{ .Values.dashboard.namespace }}
+ - name: K8S_CLUSTER_NAME
+ value: {{ .Values.k8s_cluster_name }}
+ - name: K8S_IMPERSONATION
+ value: {{ .Values.enable_impersonation | quote }}
+ - name: PROMETHEUS_SERVICE_ACCOUNT
+ value: {{ .Values.monitoring.prometheus_service_account}}
+ - name: OIDC_CLIENT_ID
+ value: {{ .Values.oidc.client_id }}
+ - name: OIDC_IDP_AUTH_URL
+ value: {{ .Values.oidc.auth_url }}
+ - name: OIDC_IDP_TOKEN_URL
+ value: {{ .Values.oidc.token_url }}
+ - name: OIDC_IDP_LIMIT_DOMAIN
+ value: {{ .Values.oidc.domain | quote }}
+ - name: SUB_CLAIM
+ value: {{ .Values.oidc.claims.sub }}
+ - name: EMAIL_CLAIM
+ value: {{ .Values.oidc.claims.email }}
+ - name: GIVEN_NAME_CLAIM
+ value: {{ .Values.oidc.claims.given_name }}
+ - name: FAMILY_NAME_CLAIM
+ value: {{ .Values.oidc.claims.family_name }}
+ - name: DISPLAY_NAME_CLAIM
+ value: {{ .Values.oidc.claims.display_name }}
+ - name: GROUPS_CLAIM
+ value: {{ .Values.oidc.claims.groups }}
+ - name: OIDC_USER_IN_IDTOKEN
+ value: {{ .Values.oidc.user_in_idtoken | quote}}
+ - name: OIDC_IDP_USER_URL
+ value: {{ .Values.oidc.userinfo_url | quote }}
+ - name: OIDC_SCOPES
+ value: {{ .Values.oidc.scopes }}
+ openunison_network_configuration:
+ activemq_dir: "/tmp/amq"
+ allowed_client_names: []
+ ciphers:
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ client_auth: none
+ force_to_secure: true
+ open_external_port: 80
+ open_port: 8080
+ path_to_deployment: "/usr/local/openunison/work"
+ path_to_env_file: "/etc/openunison/ou.env"
+ quartz_dir: "/tmp/quartz"
+ secure_external_port: 443
+ secure_key_alias: unison-tls
+ secure_port: 8443
+ replicas: 1
+ secret_data:
+ - K8S_DB_SECRET
+ - unisonKeystorePassword
+ - OIDC_CLIENT_SECRET
+ source_secret: orchestra-secrets-source
+ image: {{ .Values.image }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: api-server-config
+ namespace: openunison
+data:
+ oidc-api-server-flags: |-
+ --oidc-issuer-url=https://{{ .Values.network.openunison_host }}/auth/idp/k8sIdp
+ --oidc-client-id=kubernetes
+ --oidc-username-claim=sub
+ --oidc-groups-claim=groups
+ --oidc-ca-file=/etc/kubernetes/pki/ou-ca.pem
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ audit2rbac.liggitt.net/version: v0.7.0
+ labels:
+ audit2rbac.liggitt.net/generated: "true"
+ audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ audit2rbac.liggitt.net/version: v0.7.0
+ labels:
+ audit2rbac.liggitt.net/generated: "true"
+ audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+subjects:
+- kind: ServiceAccount
+ name: openunison-orchestra
+ namespace: openunison
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: openunison-cr-update
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - openunison.tremolo.io
+ resources:
+ - openunisons
+ - users
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: openunison-cr-update
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: openunison-cr-update
+subjects:
+- kind: ServiceAccount
+ name: openunison-orchestra
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/openunison-k8s-login-oidc/values.yaml b/openunison-k8s-login-oidc/values.yaml
new file mode 100644
index 0000000..17f2b27
--- /dev/null
+++ b/openunison-k8s-login-oidc/values.yaml
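Review bot: The `api-server-config` ConfigMap, the subject of the `audit2rbac:system:serviceaccount:openunison:openunison-orchestra` ClusterRoleBinding and the `unison-tls` `server_name: openunison.openunison.svc.cluster.local` hard-code the `openunison` namespace, while every other object in this template uses `{{ .Release.Namespace }}`. Installed into any other namespace, the `tokenreviews` `create` grant lands on a service account that does not exist and the real `openunison-orchestra` account goes without it, and the in-cluster TLS name no longer matches the service. Change the binding subject and the ConfigMap to `namespace: {{ .Release.Namespace }}` and build the name as `server_name: openunison.{{ .Release.Namespace }}.svc.cluster.local`; the same hard-coding is in openunison-k8s-login-saml2/templates/openunison.yaml and openunison-k8s-oidc/templates/openunison.yaml. Separately, the `orchestra-dashboard` Role grants verbs `"*"` on `secrets` and `pods` in the dashboard namespace; if the operator only needs to write the dashboard cert secret and restart the labelled pods, listing those verbs explicitly keeps the grant reviewable.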
@@ -0,0 +1,50 @@
+network:
+ openunison_host: "k8sou.apps.domain.int"
+ dashboard_host: "k8sdb.apps.domain.int"
+ api_server_host: "k8sapi.apps.domain.int"
+ session_inactivity_timeout_seconds: 900
+ k8s_url: https://k8s-installer-master.tremolo.lan:6443
+
+cert_template:
+ ou: "Kubernetes"
+ o: "MyOrg"
+ l: "My Cluster"
+ st: "State of Cluster"
+ c: "MyCountry"
+
+image: "docker.io/tremolosecurity/openunison-k8s-login-oidc:latest"
+myvd_config_path: "WEB-INF/myvd.conf"
+k8s_cluster_name: kubernetes
+enable_impersonation: false
+
+dashboard:
+ namespace: "kube-system"
+ cert_name: "kubernetes-dashboard-certs"
+ label: "k8s-app=kubernetes-dashboard"
+ service_name: kubernetes-dashboard
+certs:
+ use_k8s_cm: false
+
+trusted_certs:
+ - name: idp
+ pem_b64: SDFGSDFGHDFHSDFGSDGSDFGDS
+
+monitoring:
+ prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s
+
+oidc:
+ client_id: myid
+ auth_url: https://www.myoidc.com/auth
+ token_url: https://www.myoidc.com/token
+ user_in_idtoken: false
+ userinfo_url: https://www.myoidc.com/token/userinfo
+ domain: ""
+ scopes: openid email profile groups
+ claims:
+ sub: sub
+ email: email
+ given_name: given_name
+ family_name: family_name
+ display_name: name
+ groups: groups
+
\ No newline at end of file
diff --git a/openunison-k8s-login-saml2/.helmignore b/openunison-k8s-login-saml2/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/openunison-k8s-login-saml2/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/openunison-k8s-login-saml2/Chart.yaml b/openunison-k8s-login-saml2/Chart.yaml
new file mode 100644
index 0000000..31600c1
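Review bot: `trusted_certs` ships with a placeholder entry (`pem_b64: SDFGSDFGHDFHSDFGSDGSDFGDS`) rather than an empty list, so a default install renders it into `trusted_certificates` in the OpenUnison CR and the operator is handed a value that is not a certificate — presumably a keystore-import failure rather than a clean start. The github chart in this same commit defaults to `trusted_certs: []`; do the same here and keep the example as a comment: `trusted_certs: []` / `# - name: idp` / `#   pem_b64: <base64 PEM of the IdP certificate>`. openunison-k8s-login-saml2/values.yaml has the same placeholder default.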
--- /dev/null
+++ b/openunison-k8s-login-saml2/Chart.yaml
@@ -0,0 +1,28 @@
+apiVersion: v2
+name: openunison-k8s-login-saml2
+description: Use SAML2 to authenticate to your cluster with kubectl and dashboard using OpenUnison Orchestra.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: 1.0.18
+home: https://github.com/OpenUnison/openunison-k8s-login-saml2
+icon: https://drive.google.com/open?id=1k3mhr9cVcFbDTRSSMRo_eKFfKISRVPwt
+sources:
+ - https://github.com/OpenUnison/openunison-k8s-login-saml2
+ - https://github.com/OpenUnison/helm-charts
+maintainers:
+ - name: mlbiam
diff --git a/openunison-k8s-login-saml2/templates/openunison.yaml b/openunison-k8s-login-saml2/templates/openunison.yaml
new file mode 100644
index 0000000..705b34e
--- /dev/null
+++ b/openunison-k8s-login-saml2/templates/openunison.yaml
@@ -0,0 +1,324 @@
+{{ if eq .Values.enable_impersonation true }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: impersonator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - users
+ - groups
+ verbs:
+ - impersonate
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: orchestra-impersonator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: impersonator
+subjects:
+- kind: ServiceAccount
+ name: openunison-orchestra
+ namespace: {{ .Release.Namespace }}
+{{ end }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: {{ .Values.dashboard.namespace }}
+ name: orchestra-dashboard
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ - pods
+ verbs:
+ - "*"
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: orchestra-dashboard
+ namespace: {{ .Values.dashboard.namespace }}
+subjects:
+- kind: ServiceAccount
+ name: openunison-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: orchestra-dashboard
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: orchestra-certs
+rules:
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ - certificatesigningrequests/approval
+ verbs:
+ - "*"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: orchestra-certs
+subjects:
+- kind: ServiceAccount
+ name: openunison-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: orchestra-certs
+ apiGroup: rbac.authorization.k8s.io
+
+---
+apiVersion: openunison.tremolo.io/v1
+kind: OpenUnison
+metadata:
+ name: orchestra
+ namespace: {{ .Release.Namespace }}
+spec:
+ dest_secret: orchestra
+ enable_activemq: false
+ hosts:
+ - ingress_name: openunison
+ names:
+ - env_var: OU_HOST
+ name: {{ .Values.network.openunison_host }}
+ - env_var: K8S_DASHBOARD_HOST
+ name: {{ .Values.network.dashboard_host }}
+ {{ if eq .Values.enable_impersonation true }}
+ - env_var: K8S_API_HOST
+ name: {{ .Values.network.api_server_host }}
+ {{ end }}
+ secret_name: ou-tls-certificate
+ key_store:
+ update_controller:
+ image: docker.io/tremolosecurity/kubernetes-artifact-deployment:1.1.0
+ schedule: 0 2 * * *
+ days_to_expire: 10
+ key_pairs:
+ create_keypair_template:
+ - name: ou
+ value: {{ .Values.cert_template.ou }}
+ - name: o
+ value: {{ .Values.cert_template.o }}
+ - name: l
+ value: {{ .Values.cert_template.l }}
+ - name: st
+ value: {{ .Values.cert_template.st }}
+ - name: c
+ value: {{ .Values.cert_template.c }}
+ keys:
+ - create_data:
+ ca_cert: true
+ key_size: 2048
+ server_name: openunison.openunison.svc.cluster.local
+ sign_by_k8s_ca: {{ .Values.certs.use_k8s_cm }}
+ subject_alternative_names: []
+ import_into_ks: keypair
+ name: unison-tls
+ - create_data:
+ ca_cert: true
+ key_size: 2048
+ server_name: {{ .Values.network.openunison_host }}
+ sign_by_k8s_ca: false
+ subject_alternative_names:
+ - {{ .Values.network.dashboard_host }}
+ {{ if eq .Values.enable_impersonation true }}
+ - {{ .Values.network.api_server_host }}
+ {{ end }}
+ import_into_ks: certificate
+ name: unison-ca
+ tls_secret_name: ou-tls-certificate
+ - create_data:
+ {{ if .Values.certs.use_k8s_cm }}
+ ca_cert: false
+ {{ else }}
+ ca_cert: true
+ {{ end }}
+ key_size: 2048
+ server_name: {{ .Values.dashboard.service_name }}.{{ .Values.dashboard.namespace }}.svc.cluster.local
+ sign_by_k8s_ca: {{ .Values.certs.use_k8s_cm }}
+ subject_alternative_names: []
+ target_namespace: {{ .Values.dashboard.namespace }}
+ secret_info:
+ type_of_secret: Opaque
+ cert_name: dashboard.crt
+ key_name: dashboard.key
+ delete_pods_labels:
+ - {{ .Values.dashboard.label }}
+ {{ if .Values.certs.use_k8s_cm }}
+ import_into_ks: "none"
+ {{ else }}
+ import_into_ks: "certificate"
+ {{ end }}
+ name: kubernetes-dashboard
+ tls_secret_name: {{ .Values.dashboard.cert_name }}
+ replace_if_exists: true
+ - create_data:
+ ca_cert: true
+ key_size: 2048
+ server_name: unison-saml2-rp-sig
+ sign_by_k8s_ca: false
+ subject_alternative_names: []
+ import_into_ks: keypair
+ name: unison-saml2-rp-sig
+ static_keys:
+ - name: session-unison
+ version: 1
+ - name: lastmile-oidc
+ version: 1
+
+ {{ $length := len .Values.trusted_certs }}
+ {{ if eq $length 0 }}
+ trusted_certificates: []
+ {{ else }}
+ trusted_certificates: {{ range .Values.trusted_certs }}
+ - name: {{ .name }}
+ pem_data: {{ .pem_b64 }} {{ end }}
+ {{ end }}
+ non_secret_data:
+ - name: K8S_URL
+ {{ if eq .Values.enable_impersonation true }}
+ value: https://{{ .Values.network.api_server_host }}
+ {{ else }}
+ value: {{ .Values.network.k8s_url }}
+ {{ end }}
+ - name: SESSION_INACTIVITY_TIMEOUT_SECONDS
+ value: {{ .Values.network.session_inactivity_timeout_seconds | quote }}
+ - name: MYVD_CONFIG_PATH
+ value: {{ .Values.myvd_config_path }}
+ - name: K8S_DASHBOARD_NAMESPACE
+ value: {{ .Values.dashboard.namespace }}
+ - name: K8S_CLUSTER_NAME
+ value: {{ .Values.k8s_cluster_name }}
+ - name: K8S_IMPERSONATION
+ value: {{ .Values.enable_impersonation | quote }}
+ - name: PROMETHEUS_SERVICE_ACCOUNT
+ value: {{ .Values.monitoring.prometheus_service_account}}
+ openunison_network_configuration:
+ activemq_dir: "/tmp/amq"
+ allowed_client_names: []
+ ciphers:
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ client_auth: none
+ force_to_secure: true
+ open_external_port: 80
+ open_port: 8080
+ path_to_deployment: "/usr/local/openunison/work"
+ path_to_env_file: "/etc/openunison/ou.env"
+ quartz_dir: "/tmp/quartz"
+ secure_external_port: 443
+ secure_key_alias: unison-tls
+ secure_port: 8443
+ replicas: 1
+ secret_data:
+ - K8S_DB_SECRET
+ - unisonKeystorePassword
+ source_secret: orchestra-secrets-source
+ image: {{ .Values.image }}
+ saml_remote_idp:
+ - mapping:
+ encryption_cert_alias: idp-saml2-enc
+ entity_id: IDP_ENTITY_ID
+ logout_url: IDP_LOGOUT
+ post_url: IDP_POST
+ redirect_url: IDP_REDIR
+ signing_cert_alias: idp-saml2-sig
+ source: {{ $length := len .Values.saml.idp_url }} {{ if gt $length 0 }}
+ url: {{ .Values.saml.idp_url }}
+{{ else }}
+ xml: {{ .Values.saml.metadata_xml_b64 }}
+{{ end }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: api-server-config
+ namespace: openunison
+data:
+ oidc-api-server-flags: |-
+ --oidc-issuer-url=https://{{ .Values.network.openunison_host }}/auth/idp/k8sIdp
+ --oidc-client-id=kubernetes
+ --oidc-username-claim=sub
+ --oidc-groups-claim=groups
+ --oidc-ca-file=/etc/kubernetes/pki/ou-ca.pem
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ audit2rbac.liggitt.net/version: v0.7.0
+ labels:
+ audit2rbac.liggitt.net/generated: "true"
+ audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ audit2rbac.liggitt.net/version: v0.7.0
+ labels:
+ audit2rbac.liggitt.net/generated: "true"
+ audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra
+subjects:
+- kind: ServiceAccount
+ name: openunison-orchestra
+ namespace: openunison
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: openunison-cr-update
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - openunison.tremolo.io
+ resources:
+ - openunisons
+ - users
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: openunison-cr-update
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: openunison-cr-update
+subjects:
+- kind: ServiceAccount
+ name: openunison-orchestra
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/openunison-k8s-login-saml2/values.yaml b/openunison-k8s-login-saml2/values.yaml
new file mode 100644
index 0000000..33fd6d9
--- /dev/null
+++ b/openunison-k8s-login-saml2/values.yaml
@@ -0,0 +1,38 @@
+network:
+ openunison_host: "k8sou.apps.domain.int"
+ dashboard_host: "k8sdb.apps.domain.int"
+ api_server_host: "k8sapi.apps.domain.int"
+ session_inactivity_timeout_seconds: 900
+ k8s_url: https://k8s-installer-master.tremolo.lan:6443
+
+cert_template:
+ ou: "Kubernetes"
+ o: "MyOrg"
+ l: "My Cluster"
+ st: "State of Cluster"
+ c: "MyCountry"
+
+image: "docker.io/tremolosecurity/openunison-k8s-login-saml2:latest"
+myvd_config_path: "WEB-INF/myvd.conf"
+k8s_cluster_name: kubernetes
+enable_impersonation: false
+
+dashboard:
+ namespace: "kube-system"
+ cert_name: "kubernetes-dashboard-certs"
+ label: "k8s-app=kubernetes-dashboard"
+ service_name: kubernetes-dashboard
+certs:
+ use_k8s_cm: false
+
+trusted_certs:
+ - name: idp
+ pem_b64: SDFGSDFGHDFHSDFGSDGSDFGDS
+
+monitoring:
+ prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s
+
+saml:
+ idp_url: "https://xyz/"
+ metadata_xml_b64: SDFSFgsdSDFSDf=
+
\ No newline at end of file
diff --git a/openunison-k8s-oidc/.helmignore b/openunison-k8s-oidc/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/openunison-k8s-oidc/.helmignore
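Review bot: In `saml_remote_idp`, `source:` emits `url:` whenever `.Values.saml.idp_url` is non-empty, and the values.yaml added in this same commit defaults it to `"https://xyz/"`, so `metadata_xml_b64` is never used unless the user also blanks `idp_url` — nothing in the chart says so. Default `idp_url: ""` in values.yaml and document the precedence on the key, e.g. `# Set idp_url to fetch IdP metadata over HTTPS; when it is non-empty, metadata_xml_b64 is ignored.` The same line also re-declares `$length`, which the `trusted_certs` block earlier in this template already defines; a distinct name such as `$idpUrlLen` reads more clearly and avoids any question of how the template engine treats the second `:=`.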
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/openunison-k8s-oidc/Chart.yaml b/openunison-k8s-oidc/Chart.yaml
new file mode 100644
index 0000000..866854f
--- /dev/null
+++ b/openunison-k8s-oidc/Chart.yaml
@@ -0,0 +1,28 @@
+apiVersion: v2
+name: openunison-k8s-oidc
+description: An automation portal for Kubernetes providing authentication via OpenID Connect and self service for creating namespaces and granting access to namespaces based on an approval based workflow.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: 1.0.18
+home: https://github.com/OpenUnison/openunison-k8s-idm-oidc
+icon: https://drive.google.com/open?id=1k3mhr9cVcFbDTRSSMRo_eKFfKISRVPwt
+sources:
+ - https://github.com/OpenUnison/openunison-k8s-idm-oidc
+ - https://github.com/OpenUnison/helm-charts
+maintainers:
+ - name: mlbiam
diff --git a/openunison-k8s-oidc/templates/openunison.yaml b/openunison-k8s-oidc/templates/openunison.yaml
new file mode 100644
index 0000000..9fc6a2f
--- /dev/null
+++ b/openunison-k8s-oidc/templates/openunison.yaml
@@ -0,0 +1,624 @@
+{{ if eq .Values.enable_impersonation true }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: impersonator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - users
+ - groups
+ verbs:
+ - impersonate
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: orchestra-impersonator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: impersonator
+subjects:
+- kind: ServiceAccount
+ name: openunison-orchestra
+ namespace: {{ .Release.Namespace }}
+{{ end }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: openunison-orchestra-cluster-administrators
+subjects:
+- kind: Group
+ name: k8s-cluster-administrators
+ apiGroup: rbac.authorization.k8s.io
+- kind: ServiceAccount
+ name: openunison-orchestra
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: list-namespaces
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - namespaces
+ verbs:
+ - list
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: openunison-cluster-list-namespaces
+subjects:
+- kind: Group
+ name: users
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: list-namespaces
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: {{ .Values.dashboard.namespace }}
+ name: orchestra-dashboard
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ - pods
+ verbs:
+ - "*"
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: orchestra-dashboard
+ namespace: {{ .Values.dashboard.namespace }}
+subjects:
+- kind: ServiceAccount
+ name: openunison-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: orchestra-dashboard
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: orchestra-certs
+rules:
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ - certificatesigningrequests/approval
+ verbs:
+ - "*"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: orchestra-certs
+subjects:
+- kind: ServiceAccount
+ name: openunison-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: orchestra-certs
+ apiGroup: rbac.authorization.k8s.io
+
+---
+apiVersion: openunison.tremolo.io/v1
+kind: OpenUnison
+metadata:
+ name: orchestra
+ namespace: {{ .Release.Namespace }}
+spec:
+ dest_secret: orchestra
+ enable_activemq: true
+ activemq_image: {{ .Values.amq_image }}
+ hosts:
+ - ingress_name: openunison
+ names:
+ - env_var: OU_HOST
+ name: {{ .Values.network.openunison_host }}
+ - env_var: K8S_DASHBOARD_HOST
+ name: {{ .Values.network.dashboard_host }}
+ {{ if eq .Values.enable_impersonation true }}
+ - env_var: K8S_API_HOST
+ name: {{ .Values.network.api_server_host }}
+ {{ end }}
+ secret_name: ou-tls-certificate
+ key_store:
+ update_controller:
+ image: docker.io/tremolosecurity/kubernetes-artifact-deployment:1.1.0
+ schedule: 0 2 * * *
+ days_to_expire: 10
+ key_pairs:
+ create_keypair_template:
+ - name: ou
+ value: {{ .Values.cert_template.ou }}
+ - name: o
+ value: {{ .Values.cert_template.o }}
+ - name: l
+ value: {{ .Values.cert_template.l }}
+ - name: st
+ value: {{ .Values.cert_template.st }}
+ - name: c
+ value: {{ .Values.cert_template.c }}
+ keys:
+ - create_data:
+ ca_cert: true
+ key_size: 2048
+ server_name: openunison.openunison.svc.cluster.local
+ sign_by_k8s_ca: {{ .Values.certs.use_k8s_cm }}
+ subject_alternative_names: []
+ import_into_ks: keypair
+ name: unison-tls
+ - create_data:
+ ca_cert: true
+ key_size: 2048
+ server_name: {{ .Values.network.openunison_host }}
+ sign_by_k8s_ca: false
+ subject_alternative_names:
+ - {{ .Values.network.dashboard_host }}
+ {{ if eq .Values.enable_impersonation true }}
+ - {{ .Values.network.api_server_host }}
+ {{ end }}
+ import_into_ks: certificate
+ name: unison-ca
+ tls_secret_name: ou-tls-certificate
+ - create_data:
+ {{ if .Values.certs.use_k8s_cm }}
+ ca_cert: false
+ {{ else }}
+ ca_cert: true
+ {{ end }}
+ key_size: 2048
+ server_name: {{ .Values.dashboard.service_name }}.{{ .Values.dashboard.namespace }}.svc.cluster.local
+ sign_by_k8s_ca: {{ .Values.certs.use_k8s_cm }}
+ subject_alternative_names: []
+ target_namespace: {{ .Values.dashboard.namespace }}
+ secret_info:
+ type_of_secret: Opaque
+ cert_name: dashboard.crt
+ key_name: dashboard.key
+ delete_pods_labels:
+ - {{ .Values.dashboard.label }}
+ {{ if .Values.certs.use_k8s_cm }}
+ import_into_ks: "none"
+ {{ else }}
+ import_into_ks: "certificate"
+ {{ end }}
+ name: kubernetes-dashboard
+ tls_secret_name: {{ .Values.dashboard.cert_name }}
+ replace_if_exists: true
+ - create_data:
+ ca_cert: true
+ key_size: 2048
+ server_name: unison-saml2-rp-sig
+ sign_by_k8s_ca: false
+ subject_alternative_names: []
+ import_into_ks: keypair
+ name: unison-saml2-rp-sig
+ - create_data:
+ {{ if .Values.certs.use_k8s_cm }}
+ ca_cert: false
+ {{ else }}
+ ca_cert: true
+ {{ end }}
+ key_size: 2048
+ server_name: amq.openunison.svc.cluster.local
+ sign_by_k8s_ca: {{ .Values.certs.use_k8s_cm }}
+ subject_alternative_names: []
+ {{ if .Values.certs.use_k8s_cm }}
+ import_into_ks: "none"
+ {{ else }}
+ import_into_ks: "certificate"
+ {{ end }}
+ name: amq-server
+ replace_if_exists: true
+ tls_secret_name: orchestra-amq-server
+ - create_data:
+ ca_cert: true
+ key_size: 2048
+ server_name: amq-client
+ sign_by_k8s_ca: false
+ subject_alternative_names: []
+ import_into_ks: keypair
+ name: amq-client
+ tls_secret_name: orchestra-amq-client
+ static_keys:
+ - name: session-unison
+ version: 1
+ - name: lastmile-oidc
+ version: 1
+
+ {{ $length := len .Values.trusted_certs }}
+ {{ if eq $length 0 }}
+ trusted_certificates: []
+ {{ else }}
+ trusted_certificates: {{ range .Values.trusted_certs }}
+ - name: {{ .name }}
+ pem_data: {{ .pem_b64 }} {{ end }}
+ {{ end }}
+ non_secret_data:
+ - name: K8S_URL
+ {{ if eq .Values.enable_impersonation true }}
+ value: https://{{ .Values.network.api_server_host }}
+ {{ else }}
+ value: {{ .Values.network.k8s_url }}
+ {{ end }}
+ - name: SESSION_INACTIVITY_TIMEOUT_SECONDS
+ value: {{ .Values.network.session_inactivity_timeout_seconds | quote }}
+ - name: MYVD_CONFIG_PATH
+ value: {{ .Values.myvd_config_path }}
+ - name: K8S_DASHBOARD_NAMESPACE
+ value: {{ .Values.dashboard.namespace }}
+ - name: K8S_CLUSTER_NAME
+ value: {{ .Values.k8s_cluster_name }}
+ - name: OU_HIBERNATE_DIALECT
+ value: {{ .Values.database.hibernate_dialect }}
+ - name: OU_QUARTZ_DIALECT
+ value: {{ .Values.database.quartz_dialect }}
+ - name: OU_JDBC_DRIVER
+ value: {{ .Values.database.driver }}
+ - name: OU_JDBC_URL
+ value: {{ .Values.database.url }}
+ - name: OU_JDBC_USER
+ value: {{ .Values.database.user }}
+ - name: OU_JDBC_VALIDATION
+ value: {{ .Values.database.validation }}
+ - name: SMTP_HOST
+ value: {{ .Values.smtp.host }}
+ - name: SMTP_PORT
+ value: {{ .Values.smtp.port | quote }}
+ - name: SMTP_USER
+ value: {{ .Values.smtp.user }}
+ - name: SMTP_FROM
+ value: {{ .Values.smtp.from }}
+ - name: SMTP_TLS
+ value: {{ .Values.smtp.tls | quote }}
+ - name: K8S_IMPERSONATION
+ value: {{ .Values.enable_impersonation | quote }}
+ - name: PROMETHEUS_SERVICE_ACCOUNT
+ value: {{ .Values.monitoring.prometheus_service_account}}
+ - name: OIDC_CLIENT_ID
+ value: {{ .Values.oidc.client_id }}
+ - name: OIDC_IDP_AUTH_URL
+ value: {{ .Values.oidc.auth_url }}
+ - name: OIDC_IDP_TOKEN_URL
+ value: {{ .Values.oidc.token_url }}
+ - name: OIDC_IDP_LIMIT_DOMAIN
+ value: {{ .Values.oidc.domain | quote }}
+ - name: SUB_CLAIM
+ value: {{ .Values.oidc.claims.sub }}
+ - name: EMAIL_CLAIM
+ value: {{ .Values.oidc.claims.email }}
+ - name: GIVEN_NAME_CLAIM
+ value: {{ .Values.oidc.claims.given_name }}
+ - name: FAMILY_NAME_CLAIM
+ value: {{ .Values.oidc.claims.family_name }}
+ - name: DISPLAY_NAME_CLAIM
+ value: {{ .Values.oidc.claims.display_name }}
+ - name: GROUPS_CLAIM
+ value: {{ .Values.oidc.claims.groups }}
+ - name: OIDC_USER_IN_IDTOKEN
+ value: {{ .Values.oidc.user_in_idtoken | quote}}
+ - name: OIDC_IDP_USER_URL
+ value: {{ .Values.oidc.userinfo_url | quote }}
+ - name: OIDC_SCOPES
+ value: {{ .Values.oidc.scopes }}
+ openunison_network_configuration:
+ activemq_dir: "/tmp/amq"
+ allowed_client_names: []
+ ciphers:
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ client_auth: none
+ force_to_secure: true
+ open_external_port: 80
+ open_port: 8080
+ path_to_deployment: "/usr/local/openunison/work"
+ path_to_env_file: "/etc/openunison/ou.env"
+ quartz_dir: "/tmp/quartz"
+ secure_external_port: 443
+ secure_key_alias: unison-tls
+ secure_port: 8443
+ replicas: 1
+ secret_data:
+ - OIDC_CLIENT_SECRET
+ - K8S_DB_SECRET
+ - unisonKeystorePassword
+ - SMTP_PASSWORD
+ - OU_JDBC_PASSWORD
+ source_secret: orchestra-secrets-source
+ image: {{ .Values.image }}
+ run_sql: |-
+ # By: Ron Cordell - roncordell
+ # I didn't see this anywhere, so I thought I'd post it here. This is the script from Quartz to create the tables in a MySQL database, modified to use INNODB instead of MYISAM.
+
+
+ # make sure you have UTF-8 collaction for best .NET interoperability
+ # CREATE DATABASE quartznet CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
+
+ DROP TABLE IF EXISTS QRTZ_FIRED_TRIGGERS;
+ DROP TABLE IF EXISTS QRTZ_PAUSED_TRIGGER_GRPS;
+ DROP TABLE IF EXISTS QRTZ_SCHEDULER_STATE;
+ DROP TABLE IF EXISTS QRTZ_LOCKS;
+ DROP TABLE IF EXISTS QRTZ_SIMPLE_TRIGGERS;
+ DROP TABLE IF EXISTS QRTZ_SIMPROP_TRIGGERS;
+ DROP TABLE IF EXISTS QRTZ_CRON_TRIGGERS;
+ DROP TABLE IF EXISTS QRTZ_BLOB_TRIGGERS;
+ DROP TABLE IF EXISTS QRTZ_TRIGGERS;
+ DROP TABLE IF EXISTS QRTZ_JOB_DETAILS;
+ DROP TABLE IF EXISTS QRTZ_CALENDARS;
+
+ CREATE TABLE QRTZ_JOB_DETAILS(
+ SCHED_NAME VARCHAR(120) NOT NULL,
+ JOB_NAME VARCHAR(200) NOT NULL,
+ JOB_GROUP VARCHAR(200) NOT NULL,
+ DESCRIPTION VARCHAR(250) NULL,
+ JOB_CLASS_NAME VARCHAR(250) NOT NULL,
+ IS_DURABLE BOOLEAN NOT NULL,
+ IS_NONCONCURRENT BOOLEAN NOT NULL,
+ IS_UPDATE_DATA BOOLEAN NOT NULL,
+ REQUESTS_RECOVERY BOOLEAN NOT NULL,
+ JOB_DATA BLOB NULL,
+ PRIMARY KEY (SCHED_NAME,JOB_NAME,JOB_GROUP))
+ ENGINE=InnoDB;
+
+ CREATE TABLE QRTZ_TRIGGERS (
+ SCHED_NAME VARCHAR(120) NOT NULL,
+ TRIGGER_NAME VARCHAR(200) NOT NULL,
+ TRIGGER_GROUP VARCHAR(200) NOT NULL,
+ JOB_NAME VARCHAR(200) NOT NULL,
+ JOB_GROUP VARCHAR(200) NOT NULL,
+ DESCRIPTION VARCHAR(250) NULL,
+ NEXT_FIRE_TIME BIGINT(19) NULL,
+ PREV_FIRE_TIME BIGINT(19) NULL,
+ PRIORITY INTEGER NULL,
+ TRIGGER_STATE VARCHAR(16) NOT NULL,
+ TRIGGER_TYPE VARCHAR(8) NOT NULL,
+ START_TIME BIGINT(19) NOT NULL,
+ END_TIME BIGINT(19) NULL,
+ CALENDAR_NAME VARCHAR(200) NULL,
+ MISFIRE_INSTR SMALLINT(2) NULL,
+ JOB_DATA BLOB NULL,
+ PRIMARY KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP),
+ FOREIGN KEY (SCHED_NAME,JOB_NAME,JOB_GROUP)
+ REFERENCES QRTZ_JOB_DETAILS(SCHED_NAME,JOB_NAME,JOB_GROUP))
+ ENGINE=InnoDB;
+
+ CREATE TABLE QRTZ_SIMPLE_TRIGGERS (
+ SCHED_NAME VARCHAR(120) NOT NULL,
+ TRIGGER_NAME VARCHAR(200) NOT NULL,
+ TRIGGER_GROUP VARCHAR(200) NOT NULL,
+ REPEAT_COUNT BIGINT(7) NOT
NULL, + REPEAT_INTERVAL BIGINT(12) NOT NULL, + TIMES_TRIGGERED BIGINT(10) NOT NULL, + PRIMARY KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP), + FOREIGN KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP) + REFERENCES QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_CRON_TRIGGERS ( + SCHED_NAME VARCHAR(120) NOT NULL, + TRIGGER_NAME VARCHAR(200) NOT NULL, + TRIGGER_GROUP VARCHAR(200) NOT NULL, + CRON_EXPRESSION VARCHAR(120) NOT NULL, + TIME_ZONE_ID VARCHAR(80), + PRIMARY KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP), + FOREIGN KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP) + REFERENCES QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_SIMPROP_TRIGGERS + ( + SCHED_NAME VARCHAR(120) NOT NULL, + TRIGGER_NAME VARCHAR(200) NOT NULL, + TRIGGER_GROUP VARCHAR(200) NOT NULL, + STR_PROP_1 VARCHAR(512) NULL, + STR_PROP_2 VARCHAR(512) NULL, + STR_PROP_3 VARCHAR(512) NULL, + INT_PROP_1 INT NULL, + INT_PROP_2 INT NULL, + LONG_PROP_1 BIGINT NULL, + LONG_PROP_2 BIGINT NULL, + DEC_PROP_1 NUMERIC(13,4) NULL, + DEC_PROP_2 NUMERIC(13,4) NULL, + BOOL_PROP_1 BOOLEAN NULL, + BOOL_PROP_2 BOOLEAN NULL, + TIME_ZONE_ID VARCHAR(80) NULL, + PRIMARY KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP), + FOREIGN KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP) + REFERENCES QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_BLOB_TRIGGERS ( + SCHED_NAME VARCHAR(120) NOT NULL, + TRIGGER_NAME VARCHAR(200) NOT NULL, + TRIGGER_GROUP VARCHAR(200) NOT NULL, + BLOB_DATA BLOB NULL, + PRIMARY KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP), + INDEX (SCHED_NAME,TRIGGER_NAME, TRIGGER_GROUP), + FOREIGN KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP) + REFERENCES QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_CALENDARS ( + SCHED_NAME VARCHAR(120) NOT NULL, + CALENDAR_NAME VARCHAR(200) NOT NULL, + CALENDAR BLOB NOT NULL, + PRIMARY KEY (SCHED_NAME,CALENDAR_NAME)) + 
ENGINE=InnoDB; + + CREATE TABLE QRTZ_PAUSED_TRIGGER_GRPS ( + SCHED_NAME VARCHAR(120) NOT NULL, + TRIGGER_GROUP VARCHAR(200) NOT NULL, + PRIMARY KEY (SCHED_NAME,TRIGGER_GROUP)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_FIRED_TRIGGERS ( + SCHED_NAME VARCHAR(120) NOT NULL, + ENTRY_ID VARCHAR(140) NOT NULL, + TRIGGER_NAME VARCHAR(200) NOT NULL, + TRIGGER_GROUP VARCHAR(200) NOT NULL, + INSTANCE_NAME VARCHAR(200) NOT NULL, + FIRED_TIME BIGINT(19) NOT NULL, + SCHED_TIME BIGINT(19) NOT NULL, + PRIORITY INTEGER NOT NULL, + STATE VARCHAR(16) NOT NULL, + JOB_NAME VARCHAR(200) NULL, + JOB_GROUP VARCHAR(200) NULL, + IS_NONCONCURRENT BOOLEAN NULL, + REQUESTS_RECOVERY BOOLEAN NULL, + PRIMARY KEY (SCHED_NAME,ENTRY_ID)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_SCHEDULER_STATE ( + SCHED_NAME VARCHAR(120) NOT NULL, + INSTANCE_NAME VARCHAR(200) NOT NULL, + LAST_CHECKIN_TIME BIGINT(19) NOT NULL, + CHECKIN_INTERVAL BIGINT(19) NOT NULL, + PRIMARY KEY (SCHED_NAME,INSTANCE_NAME)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_LOCKS ( + SCHED_NAME VARCHAR(120) NOT NULL, + LOCK_NAME VARCHAR(40) NOT NULL, + PRIMARY KEY (SCHED_NAME,LOCK_NAME)) + ENGINE=InnoDB; + + CREATE INDEX IDX_QRTZ_J_REQ_RECOVERY ON QRTZ_JOB_DETAILS(SCHED_NAME,REQUESTS_RECOVERY); + CREATE INDEX IDX_QRTZ_J_GRP ON QRTZ_JOB_DETAILS(SCHED_NAME,JOB_GROUP); + + CREATE INDEX IDX_QRTZ_T_J ON QRTZ_TRIGGERS(SCHED_NAME,JOB_NAME,JOB_GROUP); + CREATE INDEX IDX_QRTZ_T_JG ON QRTZ_TRIGGERS(SCHED_NAME,JOB_GROUP); + CREATE INDEX IDX_QRTZ_T_C ON QRTZ_TRIGGERS(SCHED_NAME,CALENDAR_NAME); + CREATE INDEX IDX_QRTZ_T_G ON QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_GROUP); + CREATE INDEX IDX_QRTZ_T_STATE ON QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_STATE); + CREATE INDEX IDX_QRTZ_T_N_STATE ON QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP,TRIGGER_STATE); + CREATE INDEX IDX_QRTZ_T_N_G_STATE ON QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_GROUP,TRIGGER_STATE); + CREATE INDEX IDX_QRTZ_T_NEXT_FIRE_TIME ON QRTZ_TRIGGERS(SCHED_NAME,NEXT_FIRE_TIME); + CREATE INDEX IDX_QRTZ_T_NFT_ST ON 
QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_STATE,NEXT_FIRE_TIME); + CREATE INDEX IDX_QRTZ_T_NFT_MISFIRE ON QRTZ_TRIGGERS(SCHED_NAME,MISFIRE_INSTR,NEXT_FIRE_TIME); + CREATE INDEX IDX_QRTZ_T_NFT_ST_MISFIRE ON QRTZ_TRIGGERS(SCHED_NAME,MISFIRE_INSTR,NEXT_FIRE_TIME,TRIGGER_STATE); + CREATE INDEX IDX_QRTZ_T_NFT_ST_MISFIRE_GRP ON QRTZ_TRIGGERS(SCHED_NAME,MISFIRE_INSTR,NEXT_FIRE_TIME,TRIGGER_GROUP,TRIGGER_STATE); + + CREATE INDEX IDX_QRTZ_FT_TRIG_INST_NAME ON QRTZ_FIRED_TRIGGERS(SCHED_NAME,INSTANCE_NAME); + CREATE INDEX IDX_QRTZ_FT_INST_JOB_REQ_RCVRY ON QRTZ_FIRED_TRIGGERS(SCHED_NAME,INSTANCE_NAME,REQUESTS_RECOVERY); + CREATE INDEX IDX_QRTZ_FT_J_G ON QRTZ_FIRED_TRIGGERS(SCHED_NAME,JOB_NAME,JOB_GROUP); + CREATE INDEX IDX_QRTZ_FT_JG ON QRTZ_FIRED_TRIGGERS(SCHED_NAME,JOB_GROUP); + CREATE INDEX IDX_QRTZ_FT_T_G ON QRTZ_FIRED_TRIGGERS(SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP); + CREATE INDEX IDX_QRTZ_FT_TG ON QRTZ_FIRED_TRIGGERS(SCHED_NAME,TRIGGER_GROUP); + + DROP TABLE IF EXISTS ACTIVEMQ_ACKS; + DROP TABLE IF EXISTS ACTIVEMQ_LOCK; + DROP TABLE IF EXISTS ACTIVEMQ_MSGS; + + + CREATE TABLE `ACTIVEMQ_ACKS` ( + `CONTAINER` varchar(250) NOT NULL, + `SUB_DEST` varchar(250) DEFAULT NULL, + `CLIENT_ID` varchar(250) NOT NULL, + `SUB_NAME` varchar(250) NOT NULL, + `SELECTOR` varchar(250) DEFAULT NULL, + `LAST_ACKED_ID` bigint(20) DEFAULT NULL, + `PRIORITY` bigint(20) NOT NULL DEFAULT '5', + `XID` varchar(250) DEFAULT NULL, + PRIMARY KEY (`CONTAINER`,`CLIENT_ID`,`SUB_NAME`,`PRIORITY`), + KEY `ACTIVEMQ_ACKS_XIDX` (`XID`) + ); + + CREATE TABLE `ACTIVEMQ_LOCK` ( + `ID` bigint(20) NOT NULL, + `TIME` bigint(20) DEFAULT NULL, + `BROKER_NAME` varchar(250) DEFAULT NULL, + PRIMARY KEY (`ID`) + ); + + CREATE TABLE `ACTIVEMQ_MSGS` ( + `ID` bigint(20) NOT NULL, + `CONTAINER` varchar(250) NOT NULL, + `MSGID_PROD` varchar(250) DEFAULT NULL, + `MSGID_SEQ` bigint(20) DEFAULT NULL, + `EXPIRATION` bigint(20) DEFAULT NULL, + `MSG` mediumblob, + `PRIORITY` bigint(20) DEFAULT NULL, + `XID` varchar(250) DEFAULT NULL, + 
PRIMARY KEY (`ID`), + KEY `ACTIVEMQ_MSGS_MIDX` (`MSGID_PROD`,`MSGID_SEQ`), + KEY `ACTIVEMQ_MSGS_CIDX` (`CONTAINER`), + KEY `ACTIVEMQ_MSGS_EIDX` (`EXPIRATION`), + KEY `ACTIVEMQ_MSGS_PIDX` (`PRIORITY`), + KEY `ACTIVEMQ_MSGS_XIDX` (`XID`) + ); + commit; +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: api-server-config + namespace: openunison +data: + oidc-api-server-flags: |- + --oidc-issuer-url=https://{{ .Values.network.openunison_host }}/auth/idp/k8sIdp + --oidc-client-id=kubernetes + --oidc-username-claim=sub + --oidc-groups-claim=groups + --oidc-ca-file=/etc/kubernetes/pki/ou-ca.pem +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + audit2rbac.liggitt.net/version: v0.7.0 + labels: + audit2rbac.liggitt.net/generated: "true" + audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra + name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + audit2rbac.liggitt.net/version: v0.7.0 + labels: + audit2rbac.liggitt.net/generated: "true" + audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra + name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra +subjects: +- kind: ServiceAccount + name: openunison-orchestra + namespace: openunison diff --git a/openunison-k8s-oidc/values.yaml b/openunison-k8s-oidc/values.yaml new file mode 100644 index 0000000..43c0ef8 --- /dev/null +++ b/openunison-k8s-oidc/values.yaml 
@@ -0,0 +1,67 @@ +network: + openunison_host: "k8sou.apps.domain.int" + dashboard_host: "k8sdb.apps.domain.int" + api_server_host: "k8sapi.apps.domain.int" + session_inactivity_timeout_seconds: 900 + k8s_url: https://k8s-installer-master.tremolo.lan:6443 + +cert_template: + ou: "Kubernetes" + o: "MyOrg" + l: "My Cluster" + st: "State of Cluster" + c: "MyCountry" + +image: "docker.io/tremolosecurity/openunison-k8s-idm-oidc:latest" +amq_image: "docker.io/tremolosecurity/activemq-docker:latest" +myvd_config_path: "WEB-INF/myvd.conf" +k8s_cluster_name: kubernetes +enable_impersonation: false + +dashboard: + namespace: "kube-system" + cert_name: "kubernetes-dashboard-certs" + label: "k8s-app=kubernetes-dashboard" + service_name: kubernetes-dashboard +certs: + use_k8s_cm: false + +#trusted_certs: [] + +trusted_certs: + - name: idp-tls + pem_b64: SDFGSDFGHDFHSDFGSDGSDFGDS + +oidc: + client_id: myid + auth_url: https://www.myoidc.com/auth + token_url: https://www.myoidc.com/token + user_in_idtoken: false + userinfo_url: https://www.myoidc.com/token/userinfo + domain: "" + scopes: openid email profile groups + claims: + sub: sub + email: email + given_name: given_name + family_name: family_name + display_name: name + groups: groups + +database: + hibernate_dialect: org.hibernate.dialect.MySQL5InnoDBDialect + quartz_dialect: org.quartz.impl.jdbcjobstore.StdJDBCDelegate + driver: com.mysql.jdbc.Driver + url: jdbc:mysql://dbs.tremolo.lan:3308/unison + user: root + validation: SELECT 1 + +smtp: + host: smtp.gmail.com + port: 587 + user: donotreply@domain.com + from: donotreply@domain.com + tls: true + +monitoring: + prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s \ No newline at end of file diff --git a/openunison-k8s-saml2/.helmignore b/openunison-k8s-saml2/.helmignore new file mode 100644 index 0000000..50af031 --- /dev/null +++ b/openunison-k8s-saml2/.helmignore 
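Review bot: The shipped defaults put placeholder material into security-relevant settings: `trusted_certs` carries a fake `pem_b64: SDFGSDFGHDFHSDFGSDGSDFGDS` entry that the template renders into `trusted_certificates` on any install that does not override the list (the template only emits `trusted_certificates: []` when the list is empty), and `database.user: root` makes the portal's JDBC connection run as the database superuser by default. Make the default `trusted_certs: []` and keep the `idp-tls` example commented out, and change the default to a dedicated account such as `user: unison` with a note that it only needs rights on the `unison` schema. `image` and `amq_image` both point at `:latest`, so an identity-provider deployment is not reproducible and will silently pick up whatever is pushed next; pinning to a release tag is presumably the intent.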
@@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/openunison-k8s-saml2/Chart.yaml b/openunison-k8s-saml2/Chart.yaml new file mode 100644 index 0000000..46d2bf5 --- /dev/null +++ b/openunison-k8s-saml2/Chart.yaml @@ -0,0 +1,28 @@ +apiVersion: v2 +name: openunison-k8s-saml2 +description: An automation portal for Kubernetes providing authentication via SAML2 and self service for creating namespaces and granting access to namespaces based on an approval based workflow. + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +version: 1.0.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. +appVersion: 1.0.18 +home: https://github.com/OpenUnison/openunison-k8s-saml2 +icon: https://drive.google.com/open?id=1k3mhr9cVcFbDTRSSMRo_eKFfKISRVPwt +sources: + - https://github.com/OpenUnison/openunison-k8s-saml2 + - https://github.com/OpenUnison/helm-charts +maintainers: + - name: mlbiam 
diff --git a/openunison-k8s-saml2/templates/openunison.yaml b/openunison-k8s-saml2/templates/openunison.yaml new file mode 100644 index 0000000..8e333b8 --- /dev/null +++ b/openunison-k8s-saml2/templates/openunison.yaml 
@@ -0,0 +1,610 @@ +{{ if eq .Values.enable_impersonation true }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: impersonator +rules: +- apiGroups: + - "" + resources: + - users + - groups + verbs: + - impersonate +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: orchestra-impersonator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: impersonator +subjects: +- kind: ServiceAccount + name: openunison-orchestra + namespace: {{ .Release.Namespace }} +{{ end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: openunison-orchestra-cluster-administrators +subjects: +- kind: Group + name: k8s-cluster-administrators + apiGroup: rbac.authorization.k8s.io +- kind: ServiceAccount + name: openunison-orchestra + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: list-namespaces +rules: +- apiGroups: + - '' + resources: + - namespaces + verbs: + - list +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: openunison-cluster-list-namespaces +subjects: +- kind: Group + name: users + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: list-namespaces + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: {{ .Values.dashboard.namespace }} + name: orchestra-dashboard +rules: +- apiGroups: + - '' + resources: + - secrets + - pods + verbs: + - "*" +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: orchestra-dashboard + namespace: {{ .Values.dashboard.namespace }} +subjects: +- kind: ServiceAccount + name: openunison-operator + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: orchestra-dashboard + apiGroup: 
rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: orchestra-certs +rules: +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - "*" +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: orchestra-certs +subjects: +- kind: ServiceAccount + name: openunison-operator + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: orchestra-certs + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: openunison.tremolo.io/v1 +kind: OpenUnison +metadata: + name: orchestra + namespace: {{ .Release.Namespace }} +spec: + dest_secret: orchestra + enable_activemq: true + activemq_image: {{ .Values.amq_image }} + hosts: + - ingress_name: openunison + names: + - env_var: OU_HOST + name: {{ .Values.network.openunison_host }} + - env_var: K8S_DASHBOARD_HOST + name: {{ .Values.network.dashboard_host }} + {{ if eq .Values.enable_impersonation true }} + - env_var: K8S_API_HOST + name: {{ .Values.network.api_server_host }} + {{ end }} + secret_name: ou-tls-certificate + key_store: + update_controller: + image: docker.io/tremolosecurity/kubernetes-artifact-deployment:1.1.0 + schedule: 0 2 * * * + days_to_expire: 10 + key_pairs: + create_keypair_template: + - name: ou + value: {{ .Values.cert_template.ou }} + - name: o + value: {{ .Values.cert_template.o }} + - name: l + value: {{ .Values.cert_template.l }} + - name: st + value: {{ .Values.cert_template.st }} + - name: c + value: {{ .Values.cert_template.c }} + keys: + - create_data: + ca_cert: true + key_size: 2048 + server_name: openunison.openunison.svc.cluster.local + sign_by_k8s_ca: {{ .Values.certs.use_k8s_cm }} + subject_alternative_names: [] + import_into_ks: keypair + name: unison-tls + - create_data: + ca_cert: true + key_size: 2048 + server_name: {{ .Values.network.openunison_host }} + sign_by_k8s_ca: false + 
subject_alternative_names: + - {{ .Values.network.dashboard_host }} + {{ if eq .Values.enable_impersonation true }} + - {{ .Values.network.api_server_host }} + {{ end }} + import_into_ks: certificate + name: unison-ca + tls_secret_name: ou-tls-certificate + - create_data: + {{ if .Values.certs.use_k8s_cm }} + ca_cert: false + {{ else }} + ca_cert: true + {{ end }} + key_size: 2048 + server_name: {{ .Values.dashboard.service_name }}.{{ .Values.dashboard.namespace }}.svc.cluster.local + sign_by_k8s_ca: {{ .Values.certs.use_k8s_cm }} + subject_alternative_names: [] + target_namespace: {{ .Values.dashboard.namespace }} + secret_info: + type_of_secret: Opaque + cert_name: dashboard.crt + key_name: dashboard.key + delete_pods_labels: + - {{ .Values.dashboard.label }} + {{ if .Values.certs.use_k8s_cm }} + import_into_ks: "none" + {{ else }} + import_into_ks: "certificate" + {{ end }} + name: kubernetes-dashboard + tls_secret_name: {{ .Values.dashboard.cert_name }} + replace_if_exists: true + - create_data: + ca_cert: true + key_size: 2048 + server_name: unison-saml2-rp-sig + sign_by_k8s_ca: false + subject_alternative_names: [] + import_into_ks: keypair + name: unison-saml2-rp-sig + - create_data: + {{ if .Values.certs.use_k8s_cm }} + ca_cert: false + {{ else }} + ca_cert: true + {{ end }} + key_size: 2048 + server_name: amq.openunison.svc.cluster.local + sign_by_k8s_ca: {{ .Values.certs.use_k8s_cm }} + subject_alternative_names: [] + {{ if .Values.certs.use_k8s_cm }} + import_into_ks: "none" + {{ else }} + import_into_ks: "certificate" + {{ end }} + name: amq-server + replace_if_exists: true + tls_secret_name: orchestra-amq-server + - create_data: + ca_cert: true + key_size: 2048 + server_name: amq-client + sign_by_k8s_ca: false + subject_alternative_names: [] + import_into_ks: keypair + name: amq-client + tls_secret_name: orchestra-amq-client + static_keys: + - name: session-unison + version: 1 + - name: lastmile-oidc + version: 1 + + {{ $length := len 
.Values.trusted_certs }} + {{ if eq $length 0 }} + trusted_certificates: [] + {{ else }} + trusted_certificates: {{ range .Values.trusted_certs }} + - name: {{ .name }} + pem_data: {{ .pem_b64 }} {{ end }} + {{ end }} + non_secret_data: + - name: K8S_URL + {{ if eq .Values.enable_impersonation true }} + value: https://{{ .Values.network.api_server_host }} + {{ else }} + value: {{ .Values.network.k8s_url }} + {{ end }} + - name: SESSION_INACTIVITY_TIMEOUT_SECONDS + value: {{ .Values.network.session_inactivity_timeout_seconds | quote }} + - name: MYVD_CONFIG_PATH + value: {{ .Values.myvd_config_path }} + - name: K8S_DASHBOARD_NAMESPACE + value: {{ .Values.dashboard.namespace }} + - name: K8S_CLUSTER_NAME + value: {{ .Values.k8s_cluster_name }} + - name: OU_HIBERNATE_DIALECT + value: {{ .Values.database.hibernate_dialect }} + - name: OU_QUARTZ_DIALECT + value: {{ .Values.database.quartz_dialect }} + - name: OU_JDBC_DRIVER + value: {{ .Values.database.driver }} + - name: OU_JDBC_URL + value: {{ .Values.database.url }} + - name: OU_JDBC_USER + value: {{ .Values.database.user }} + - name: OU_JDBC_VALIDATION + value: {{ .Values.database.validation }} + - name: SMTP_HOST + value: {{ .Values.smtp.host }} + - name: SMTP_PORT + value: {{ .Values.smtp.port | quote }} + - name: SMTP_USER + value: {{ .Values.smtp.user }} + - name: SMTP_FROM + value: {{ .Values.smtp.from }} + - name: SMTP_TLS + value: {{ .Values.smtp.tls | quote }} + - name: K8S_IMPERSONATION + value: {{ .Values.enable_impersonation | quote }} + - name: PROMETHEUS_SERVICE_ACCOUNT + value: {{ .Values.monitoring.prometheus_service_account}} + openunison_network_configuration: + activemq_dir: "/tmp/amq" + allowed_client_names: [] + ciphers: + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 + - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + client_auth: none + 
force_to_secure: true + open_external_port: 80 + open_port: 8080 + path_to_deployment: "/usr/local/openunison/work" + path_to_env_file: "/etc/openunison/ou.env" + quartz_dir: "/tmp/quartz" + secure_external_port: 443 + secure_key_alias: unison-tls + secure_port: 8443 + replicas: 1 + secret_data: + - K8S_DB_SECRET + - unisonKeystorePassword + - SMTP_PASSWORD + - OU_JDBC_PASSWORD + saml_remote_idp: + - mapping: + encryption_cert_alias: idp-saml2-enc + entity_id: IDP_ENTITY_ID + logout_url: IDP_LOGOUT + post_url: IDP_POST + redirect_url: IDP_REDIR + signing_cert_alias: idp-saml2-sig + source: {{ $length := len .Values.saml.idp_url }} {{ if gt $length 0 }} + url: {{ .Values.saml.idp_url }} +{{ else }} + xml: {{ .Values.saml.metadata_xml_b64 }} +{{ end }} + source_secret: orchestra-secrets-source + image: {{ .Values.image }} + run_sql: |- + # By: Ron Cordell - roncordell + # I didn't see this anywhere, so I thought I'd post it here. This is the script from Quartz to create the tables in a MySQL database, modified to use INNODB instead of MYISAM. 
+ + + # make sure you have UTF-8 collaction for best .NET interoperability + # CREATE DATABASE quartznet CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; + + DROP TABLE IF EXISTS QRTZ_FIRED_TRIGGERS; + DROP TABLE IF EXISTS QRTZ_PAUSED_TRIGGER_GRPS; + DROP TABLE IF EXISTS QRTZ_SCHEDULER_STATE; + DROP TABLE IF EXISTS QRTZ_LOCKS; + DROP TABLE IF EXISTS QRTZ_SIMPLE_TRIGGERS; + DROP TABLE IF EXISTS QRTZ_SIMPROP_TRIGGERS; + DROP TABLE IF EXISTS QRTZ_CRON_TRIGGERS; + DROP TABLE IF EXISTS QRTZ_BLOB_TRIGGERS; + DROP TABLE IF EXISTS QRTZ_TRIGGERS; + DROP TABLE IF EXISTS QRTZ_JOB_DETAILS; + DROP TABLE IF EXISTS QRTZ_CALENDARS; + + CREATE TABLE QRTZ_JOB_DETAILS( + SCHED_NAME VARCHAR(120) NOT NULL, + JOB_NAME VARCHAR(200) NOT NULL, + JOB_GROUP VARCHAR(200) NOT NULL, + DESCRIPTION VARCHAR(250) NULL, + JOB_CLASS_NAME VARCHAR(250) NOT NULL, + IS_DURABLE BOOLEAN NOT NULL, + IS_NONCONCURRENT BOOLEAN NOT NULL, + IS_UPDATE_DATA BOOLEAN NOT NULL, + REQUESTS_RECOVERY BOOLEAN NOT NULL, + JOB_DATA BLOB NULL, + PRIMARY KEY (SCHED_NAME,JOB_NAME,JOB_GROUP)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_TRIGGERS ( + SCHED_NAME VARCHAR(120) NOT NULL, + TRIGGER_NAME VARCHAR(200) NOT NULL, + TRIGGER_GROUP VARCHAR(200) NOT NULL, + JOB_NAME VARCHAR(200) NOT NULL, + JOB_GROUP VARCHAR(200) NOT NULL, + DESCRIPTION VARCHAR(250) NULL, + NEXT_FIRE_TIME BIGINT(19) NULL, + PREV_FIRE_TIME BIGINT(19) NULL, + PRIORITY INTEGER NULL, + TRIGGER_STATE VARCHAR(16) NOT NULL, + TRIGGER_TYPE VARCHAR(8) NOT NULL, + START_TIME BIGINT(19) NOT NULL, + END_TIME BIGINT(19) NULL, + CALENDAR_NAME VARCHAR(200) NULL, + MISFIRE_INSTR SMALLINT(2) NULL, + JOB_DATA BLOB NULL, + PRIMARY KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP), + FOREIGN KEY (SCHED_NAME,JOB_NAME,JOB_GROUP) + REFERENCES QRTZ_JOB_DETAILS(SCHED_NAME,JOB_NAME,JOB_GROUP)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_SIMPLE_TRIGGERS ( + SCHED_NAME VARCHAR(120) NOT NULL, + TRIGGER_NAME VARCHAR(200) NOT NULL, + TRIGGER_GROUP VARCHAR(200) NOT NULL, + REPEAT_COUNT BIGINT(7) NOT 
NULL, + REPEAT_INTERVAL BIGINT(12) NOT NULL, + TIMES_TRIGGERED BIGINT(10) NOT NULL, + PRIMARY KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP), + FOREIGN KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP) + REFERENCES QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_CRON_TRIGGERS ( + SCHED_NAME VARCHAR(120) NOT NULL, + TRIGGER_NAME VARCHAR(200) NOT NULL, + TRIGGER_GROUP VARCHAR(200) NOT NULL, + CRON_EXPRESSION VARCHAR(120) NOT NULL, + TIME_ZONE_ID VARCHAR(80), + PRIMARY KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP), + FOREIGN KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP) + REFERENCES QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_SIMPROP_TRIGGERS + ( + SCHED_NAME VARCHAR(120) NOT NULL, + TRIGGER_NAME VARCHAR(200) NOT NULL, + TRIGGER_GROUP VARCHAR(200) NOT NULL, + STR_PROP_1 VARCHAR(512) NULL, + STR_PROP_2 VARCHAR(512) NULL, + STR_PROP_3 VARCHAR(512) NULL, + INT_PROP_1 INT NULL, + INT_PROP_2 INT NULL, + LONG_PROP_1 BIGINT NULL, + LONG_PROP_2 BIGINT NULL, + DEC_PROP_1 NUMERIC(13,4) NULL, + DEC_PROP_2 NUMERIC(13,4) NULL, + BOOL_PROP_1 BOOLEAN NULL, + BOOL_PROP_2 BOOLEAN NULL, + TIME_ZONE_ID VARCHAR(80) NULL, + PRIMARY KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP), + FOREIGN KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP) + REFERENCES QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_BLOB_TRIGGERS ( + SCHED_NAME VARCHAR(120) NOT NULL, + TRIGGER_NAME VARCHAR(200) NOT NULL, + TRIGGER_GROUP VARCHAR(200) NOT NULL, + BLOB_DATA BLOB NULL, + PRIMARY KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP), + INDEX (SCHED_NAME,TRIGGER_NAME, TRIGGER_GROUP), + FOREIGN KEY (SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP) + REFERENCES QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_CALENDARS ( + SCHED_NAME VARCHAR(120) NOT NULL, + CALENDAR_NAME VARCHAR(200) NOT NULL, + CALENDAR BLOB NOT NULL, + PRIMARY KEY (SCHED_NAME,CALENDAR_NAME)) + 
ENGINE=InnoDB; + + CREATE TABLE QRTZ_PAUSED_TRIGGER_GRPS ( + SCHED_NAME VARCHAR(120) NOT NULL, + TRIGGER_GROUP VARCHAR(200) NOT NULL, + PRIMARY KEY (SCHED_NAME,TRIGGER_GROUP)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_FIRED_TRIGGERS ( + SCHED_NAME VARCHAR(120) NOT NULL, + ENTRY_ID VARCHAR(140) NOT NULL, + TRIGGER_NAME VARCHAR(200) NOT NULL, + TRIGGER_GROUP VARCHAR(200) NOT NULL, + INSTANCE_NAME VARCHAR(200) NOT NULL, + FIRED_TIME BIGINT(19) NOT NULL, + SCHED_TIME BIGINT(19) NOT NULL, + PRIORITY INTEGER NOT NULL, + STATE VARCHAR(16) NOT NULL, + JOB_NAME VARCHAR(200) NULL, + JOB_GROUP VARCHAR(200) NULL, + IS_NONCONCURRENT BOOLEAN NULL, + REQUESTS_RECOVERY BOOLEAN NULL, + PRIMARY KEY (SCHED_NAME,ENTRY_ID)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_SCHEDULER_STATE ( + SCHED_NAME VARCHAR(120) NOT NULL, + INSTANCE_NAME VARCHAR(200) NOT NULL, + LAST_CHECKIN_TIME BIGINT(19) NOT NULL, + CHECKIN_INTERVAL BIGINT(19) NOT NULL, + PRIMARY KEY (SCHED_NAME,INSTANCE_NAME)) + ENGINE=InnoDB; + + CREATE TABLE QRTZ_LOCKS ( + SCHED_NAME VARCHAR(120) NOT NULL, + LOCK_NAME VARCHAR(40) NOT NULL, + PRIMARY KEY (SCHED_NAME,LOCK_NAME)) + ENGINE=InnoDB; + + CREATE INDEX IDX_QRTZ_J_REQ_RECOVERY ON QRTZ_JOB_DETAILS(SCHED_NAME,REQUESTS_RECOVERY); + CREATE INDEX IDX_QRTZ_J_GRP ON QRTZ_JOB_DETAILS(SCHED_NAME,JOB_GROUP); + + CREATE INDEX IDX_QRTZ_T_J ON QRTZ_TRIGGERS(SCHED_NAME,JOB_NAME,JOB_GROUP); + CREATE INDEX IDX_QRTZ_T_JG ON QRTZ_TRIGGERS(SCHED_NAME,JOB_GROUP); + CREATE INDEX IDX_QRTZ_T_C ON QRTZ_TRIGGERS(SCHED_NAME,CALENDAR_NAME); + CREATE INDEX IDX_QRTZ_T_G ON QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_GROUP); + CREATE INDEX IDX_QRTZ_T_STATE ON QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_STATE); + CREATE INDEX IDX_QRTZ_T_N_STATE ON QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP,TRIGGER_STATE); + CREATE INDEX IDX_QRTZ_T_N_G_STATE ON QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_GROUP,TRIGGER_STATE); + CREATE INDEX IDX_QRTZ_T_NEXT_FIRE_TIME ON QRTZ_TRIGGERS(SCHED_NAME,NEXT_FIRE_TIME); + CREATE INDEX IDX_QRTZ_T_NFT_ST ON 
QRTZ_TRIGGERS(SCHED_NAME,TRIGGER_STATE,NEXT_FIRE_TIME); + CREATE INDEX IDX_QRTZ_T_NFT_MISFIRE ON QRTZ_TRIGGERS(SCHED_NAME,MISFIRE_INSTR,NEXT_FIRE_TIME); + CREATE INDEX IDX_QRTZ_T_NFT_ST_MISFIRE ON QRTZ_TRIGGERS(SCHED_NAME,MISFIRE_INSTR,NEXT_FIRE_TIME,TRIGGER_STATE); + CREATE INDEX IDX_QRTZ_T_NFT_ST_MISFIRE_GRP ON QRTZ_TRIGGERS(SCHED_NAME,MISFIRE_INSTR,NEXT_FIRE_TIME,TRIGGER_GROUP,TRIGGER_STATE); + + CREATE INDEX IDX_QRTZ_FT_TRIG_INST_NAME ON QRTZ_FIRED_TRIGGERS(SCHED_NAME,INSTANCE_NAME); + CREATE INDEX IDX_QRTZ_FT_INST_JOB_REQ_RCVRY ON QRTZ_FIRED_TRIGGERS(SCHED_NAME,INSTANCE_NAME,REQUESTS_RECOVERY); + CREATE INDEX IDX_QRTZ_FT_J_G ON QRTZ_FIRED_TRIGGERS(SCHED_NAME,JOB_NAME,JOB_GROUP); + CREATE INDEX IDX_QRTZ_FT_JG ON QRTZ_FIRED_TRIGGERS(SCHED_NAME,JOB_GROUP); + CREATE INDEX IDX_QRTZ_FT_T_G ON QRTZ_FIRED_TRIGGERS(SCHED_NAME,TRIGGER_NAME,TRIGGER_GROUP); + CREATE INDEX IDX_QRTZ_FT_TG ON QRTZ_FIRED_TRIGGERS(SCHED_NAME,TRIGGER_GROUP); + + DROP TABLE IF EXISTS ACTIVEMQ_ACKS; + DROP TABLE IF EXISTS ACTIVEMQ_LOCK; + DROP TABLE IF EXISTS ACTIVEMQ_MSGS; + + + CREATE TABLE `ACTIVEMQ_ACKS` ( + `CONTAINER` varchar(250) NOT NULL, + `SUB_DEST` varchar(250) DEFAULT NULL, + `CLIENT_ID` varchar(250) NOT NULL, + `SUB_NAME` varchar(250) NOT NULL, + `SELECTOR` varchar(250) DEFAULT NULL, + `LAST_ACKED_ID` bigint(20) DEFAULT NULL, + `PRIORITY` bigint(20) NOT NULL DEFAULT '5', + `XID` varchar(250) DEFAULT NULL, + PRIMARY KEY (`CONTAINER`,`CLIENT_ID`,`SUB_NAME`,`PRIORITY`), + KEY `ACTIVEMQ_ACKS_XIDX` (`XID`) + ); + + CREATE TABLE `ACTIVEMQ_LOCK` ( + `ID` bigint(20) NOT NULL, + `TIME` bigint(20) DEFAULT NULL, + `BROKER_NAME` varchar(250) DEFAULT NULL, + PRIMARY KEY (`ID`) + ); + + CREATE TABLE `ACTIVEMQ_MSGS` ( + `ID` bigint(20) NOT NULL, + `CONTAINER` varchar(250) NOT NULL, + `MSGID_PROD` varchar(250) DEFAULT NULL, + `MSGID_SEQ` bigint(20) DEFAULT NULL, + `EXPIRATION` bigint(20) DEFAULT NULL, + `MSG` mediumblob, + `PRIORITY` bigint(20) DEFAULT NULL, + `XID` varchar(250) DEFAULT NULL, + 
PRIMARY KEY (`ID`), + KEY `ACTIVEMQ_MSGS_MIDX` (`MSGID_PROD`,`MSGID_SEQ`), + KEY `ACTIVEMQ_MSGS_CIDX` (`CONTAINER`), + KEY `ACTIVEMQ_MSGS_EIDX` (`EXPIRATION`), + KEY `ACTIVEMQ_MSGS_PIDX` (`PRIORITY`), + KEY `ACTIVEMQ_MSGS_XIDX` (`XID`) + ); + commit; +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: api-server-config + namespace: openunison +data: + oidc-api-server-flags: |- + --oidc-issuer-url=https://{{ .Values.network.openunison_host }}/auth/idp/k8sIdp + --oidc-client-id=kubernetes + --oidc-username-claim=sub + --oidc-groups-claim=groups + --oidc-ca-file=/etc/kubernetes/pki/ou-ca.pem +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + audit2rbac.liggitt.net/version: v0.7.0 + labels: + audit2rbac.liggitt.net/generated: "true" + audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra + name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + audit2rbac.liggitt.net/version: v0.7.0 + labels: + audit2rbac.liggitt.net/generated: "true" + audit2rbac.liggitt.net/user: system-serviceaccount-openunison-openunison-orchestra + name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: audit2rbac:system:serviceaccount:openunison:openunison-orchestra +subjects: +- kind: ServiceAccount + name: openunison-orchestra + namespace: openunison diff --git a/openunison-k8s-saml2/values.yaml b/openunison-k8s-saml2/values.yaml new file mode 100644 index 0000000..5d6862b --- /dev/null +++ b/openunison-k8s-saml2/values.yaml 
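Review bot: The `api-server-config` ConfigMap and the `audit2rbac:system:serviceaccount:openunison:openunison-orchestra` ClusterRoleBinding hard-code `namespace: openunison`, while every other resource in this template uses `{{ .Release.Namespace }}`; installed into any other namespace, the ConfigMap targets a namespace the release did not create and the tokenreviews grant is bound to a ServiceAccount that does not exist there (it is masked only because the same SA is bound to `cluster-admin` via `{{ .Release.Namespace }}`). The same hard-coding appears in the certificate `server_name` values `openunison.openunison.svc.cluster.local` and `amq.openunison.svc.cluster.local`, which would not match the in-cluster service names of a relocated release. Replace both with `namespace: {{ .Release.Namespace }}` and build the names as `openunison.{{ .Release.Namespace }}.svc.cluster.local` and `amq.{{ .Release.Namespace }}.svc.cluster.local`. Separately, the `ciphers` list still allows `TLS_RSA_WITH_AES_256_GCM_SHA384` and the static `TLS_ECDH_*` suites, none of which provide forward secrecy; dropping them leaves only the ECDHE/DHE suites, which is what a token-issuing endpoint should be limited to.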
@@ -0,0 +1,57 @@
+network:
+ openunison_host: "k8sou.apps.domain.int"
+ dashboard_host: "k8sdb.apps.domain.int"
+ api_server_host: "k8sapi.apps.domain.int"
+ session_inactivity_timeout_seconds: 900
+ k8s_url: https://k8s-installer-master.tremolo.lan:6443
+
+cert_template:
+ ou: "Kubernetes"
+ o: "MyOrg"
+ l: "My Cluster"
+ st: "State of Cluster"
+ c: "MyCountry"
+
+image: "docker.io/tremolosecurity/openunison-k8s-saml2:latest"
+amq_image: "docker.io/tremolosecurity/activemq-docker:latest"
+myvd_config_path: "WEB-INF/myvd.conf"
+k8s_cluster_name: kubernetes
+enable_impersonation: false
+
+dashboard:
+ namespace: "kube-system"
+ cert_name: "kubernetes-dashboard-certs"
+ label: "k8s-app=kubernetes-dashboard"
+ service_name: kubernetes-dashboard
+certs:
+ use_k8s_cm: false
+
+#trusted_certs: []
+
+trusted_certs:
+ - name: adfs-sig
+ pem_b64: SDFGSDFGHDFHSDFGSDGSDFGDS
+ - name: ldaps2
+ pem_b64: SDFGSDFGDHSDRT#$%#$%SDSDTF
+
+saml:
+ idp_url: "https://xyz/"
+ metadata_xml_b64: SDFSFgsdSDFSDf=
+
+database:
+ hibernate_dialect: org.hibernate.dialect.MySQL5InnoDBDialect
+ quartz_dialect: org.quartz.impl.jdbcjobstore.StdJDBCDelegate
+ driver: com.mysql.jdbc.Driver
+ url: jdbc:mysql://dbs.tremolo.lan:3308/unison
+ user: root
+ validation: SELECT 1
+
+smtp:
+ host: smtp.gmail.com
+ port: 587
+ user: donotreply@domain.com
+ from: donotreply@domain.com
+ tls: true
+
+monitoring:
+ prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s
\ No newline at end of file
diff --git a/openunison-operator/Chart.yaml b/openunison-operator/Chart.yaml
index 4e62cbf..ff716c2 100644
--- a/openunison-operator/Chart.yaml
+++ b/openunison-operator/Chart.yaml
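Review bot: `database.user: root` makes the identity provider connect to MySQL as the server superuser, so any compromise of the OpenUnison pod, or any injection bug in the application, gives full control of every schema on `dbs.tremolo.lan` rather than just `unison`; the example should use a dedicated account scoped to that database, e.g. `user: unison`, with a comment such as `# account needs rights only on the unison schema`. `image` and `amq_image` are both pinned to `:latest`, which means the code running the cluster's SSO can change silently on any pod restart and cannot be audited against a known release; pin both to a release tag or an image digest. The sample `trusted_certs` values (`SDFGSDFGDHSDRT#$%#$%SDSDTF`) are not valid base64 and would fail to decode if a user copies this file as-is, so mark them as placeholders (`pem_b64: "" # base64-encoded PEM of the IdP signing certificate`) instead of random characters. The commented `#trusted_certs: []` line suggests an empty list is accepted, so the shipped default could be that line active with the examples commented out.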
@@ -19,3 +19,12 @@ version: 1.0.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
 appVersion: 1.0.0
+
+appVersion: 1.0.18
+home: https://github.com/TremoloSecurity/openunison-k8s-operator
+icon: https://drive.google.com/open?id=1k3mhr9cVcFbDTRSSMRo_eKFfKISRVPwt
+sources:
+ - https://github.com/TremoloSecurity/openunison-k8s-operator
+ - https://github.com/OpenUnison/helm-charts
+maintainers:
+ - name: mlbiam
\ No newline at end of file
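Review bot: `Chart.yaml` ends up with two `appVersion` keys, because the new `appVersion: 1.0.18` is appended below the unchanged context line `appVersion: 1.0.0`; a duplicate mapping key is either a load error or a silent last-one-wins depending on the YAML parser, and in both cases the version the chart reports is ambiguous. The hunk should replace the existing line rather than add a second one: remove `appVersion: 1.0.0` and the blank separator so that only `appVersion: 1.0.18` remains under the existing comment. The `icon` entry points at a Google Drive share link rather than a project-hosted asset, which is fragile but not a correctness problem.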
