From 8bf110b009d48037d54470eefd74611084444f03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?=
Date: Thu, 4 Jul 2024 14:35:42 +0200
Subject: [PATCH] add cluster authentication
---
 authentication/Chart.yaml | 5 ++
 authentication/README.md | 30 +++++++++++
 authentication/templates/_helpers.tpl | 21 ++++++++
 authentication/templates/cluster-auth.yaml | 62 ++++++++++++++++++++++
 authentication/values.yaml | 42 +++++++++++++++
 5 files changed, 160 insertions(+)
 create mode 100644 authentication/Chart.yaml
 create mode 100644 authentication/README.md
 create mode 100644 authentication/templates/_helpers.tpl
 create mode 100644 authentication/templates/cluster-auth.yaml
 create mode 100644 authentication/values.yaml
diff --git a/authentication/Chart.yaml b/authentication/Chart.yaml
new file mode 100644
index 0000000..96111ff
--- /dev/null
+++ b/authentication/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: auth
+type: application
+version: 0.0.1
+appVersion: "0.0.1"
\ No newline at end of file
diff --git a/authentication/README.md b/authentication/README.md
new file mode 100644
index 0000000..faf4494
--- /dev/null
+++ b/authentication/README.md
@@ -0,0 +1,30 @@
+# Workshop Users
+
+```sh
+helm template auth . --set masterKey=RivieraDev2024 | oc apply -f -
+```
+
+Get the name of the generated secret:
+
+```sh
+oc get secret -n openshift-config |grep ^htpasswd
+```
+
+Update oauth/cluster with:
+
+```yaml
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+ name: cluster
+ annotations:
+ argocd.argoproj.io/sync-options: Prune=false
+spec:
+ identityProviders:
+ - htpasswd:
+ fileData:
+ name: htpasswd-
+ mappingMethod: claim
+ name: WorkshopUser
+ type: HTPasswd
+```
diff --git a/authentication/templates/_helpers.tpl b/authentication/templates/_helpers.tpl
new file mode 100644
index 0000000..c9bac12
--- /dev/null
+++ b/authentication/templates/_helpers.tpl
@@ -0,0 +1,21 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "openshift-users" -}}
+{{- $stash := dict "result" (list) -}}
+{{- range $user := .Values.openshift.users }}
+{{- $_ := printf "%s" $user | append $stash.result | set $stash "result" -}}
+{{- end -}}
+{{- toJson $stash.result -}}
+{{- end -}}
+
+{{- define "openshift-htpasswd" -}}
+{{- range (include "openshift-users" . | fromJsonArray) }}
+{{ htpasswd . (trunc 8 (sha256sum (cat $.Values.masterKey "openshift-htpasswd" .))) }}
+{{- end -}}
+{{- end -}}
+
+{{- define "openshift-users-txt" -}}
+{{- range (include "openshift-users" . | fromJsonArray) }}
+{{ . }}:{{ trunc 8 (sha256sum (cat $.Values.masterKey "openshift-htpasswd" .)) }}
+{{- end -}}
+{{- end -}}
diff --git a/authentication/templates/cluster-auth.yaml b/authentication/templates/cluster-auth.yaml
new file mode 100644
index 0000000..1eed574
--- /dev/null
+++ b/authentication/templates/cluster-auth.yaml
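Review bot: Every workshop password is `trunc 8` of a hex sha256 digest, i.e. 8 hex characters (a 32-bit keyspace) derived deterministically from `$.Values.masterKey`, so the master key is the only real secret and whoever learns it can recompute all passwords; when `masterKey` is not supplied at all the helper renders silently with an empty key and the passwords become a pure function of the username plus the fixed string. I would make the render fail instead, by changing the `cat` call on both derivation lines to `(cat (required "masterKey must be set" $.Values.masterKey) "openshift-htpasswd" .)`, and widen the `trunc` if the 32-bit keyspace matters beyond a throwaway workshop. The derivation is duplicated in `openshift-htpasswd` and `openshift-users-txt`, so any future change to one must be mirrored in the other; a header comment stating that the passwords are reproducible from `masterKey` alone, and that `openshift-users-txt` emits them in cleartext, would help the next maintainer.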
@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: htpasswd-{{ trunc 8 (include "openshift-users-txt" . | sha256sum) }}
+ namespace: openshift-config
+ annotations:
+ argocd.argoproj.io/sync-options: Prune=false
+ argocd.argoproj.io/compare-options: IgnoreExtraneous
+type: Opaque
+data:
+ htpasswd: {{ include "openshift-htpasswd" . | b64enc | quote }}
+ users.txt: {{ include "openshift-users-txt" . | b64enc | quote }}
+{{- range (include "openshift-users" . | fromJsonArray) }}
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-options: Prune=false
+ labels:
+ env: test
+ name: {{ (printf "%s-test" .) | quote }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ (printf "%s-admin" .) | quote }}
+ namespace: {{ (printf "%s-test" .) | quote }}
+ annotations:
+ argocd.argoproj.io/sync-options: Prune=false
+subjects:
+ - kind: User
+ apiGroup: rbac.authorization.k8s.io
+ name: {{ . | quote }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: admin
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-options: Prune=false
+ name: {{ . | quote }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ (printf "%s-admin" .) | quote }}
+ namespace: {{ . | quote }}
+ annotations:
+ argocd.argoproj.io/sync-options: Prune=false
+subjects:
+ - kind: User
+ apiGroup: rbac.authorization.k8s.io
+ name: {{ . | quote }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: admin
+{{- end }}
diff --git a/authentication/values.yaml b/authentication/values.yaml
new file mode 100644
index 0000000..220c674
--- /dev/null
+++ b/authentication/values.yaml
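Review bot: The `users.txt` data key stores every user's password in cleartext next to the bcrypt `htpasswd` entries, so this Secret in `openshift-config` is a complete credential list for anyone who can read Secrets in that namespace, and because the name carries a hash of that content and the object is marked `Prune=false`, each change to the user list leaves the previous cleartext Secret in place instead of replacing it. If the plaintext list is only needed to hand credentials to participants, I would generate it locally from the `helm template` output and drop the `users.txt: {{ include "openshift-users-txt" . | b64enc | quote }}` line; the name suffix can keep hashing `openshift-users-txt`, since it exposes only 8 hex characters of a digest. The `OAuth` resource that must reference this Secret is not managed by the chart, which deserves a comment above the Secret so the hash-suffixed name and the manual README step are understood as deliberate.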
@@ -0,0 +1,42 @@
+openshift:
+ users:
+ - user1
+ - user2
+ - user3
+ - user4
+ - user5
+ - user6
+ - user7
+ - user8
+ - user9
+ - user10
+ - user11
+ - user12
+ - user13
+ - user14
+ - user15
+ - user16
+ - user17
+ - user18
+ - user19
+ - user20
+ - user21
+ - user22
+ - user23
+ - user24
+ - user25
+ - user26
+ - user27
+ - user28
+ - user29
+ - user30
+ - user31
+ - user32
+ - user33
+ - user34
+ - user35
+ - user36
+ - user37
+ - user38
+ - user39
+ - user40
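Review bot: `masterKey`, the value from which `_helpers.tpl` derives every password, is not declared in this file, so nothing in the chart itself shows that it must be supplied and a render without `--set masterKey=...` succeeds with an empty key. I would declare it with its contract spelled out, e.g. `masterKey: ""  # REQUIRED at install time; every workshop password is derived from it, never commit the real value`. A short comment on `users` noting that each name also becomes a Namespace name (`<user>` and `<user>-test`) would explain why the entries must stay valid DNS labels.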