add cluster authentication

1 year ago · 8bf110b009
5 changed files with 160 additions and 0 deletions
--- a/authentication/Chart.yaml
+++ b/authentication/Chart.yaml
@ -0,0 +1,5 @@
 apiVersion: v2
 name: auth
 type: application
 version: 0.0.1
 appVersion: "0.0.1"
--- a/authentication/README.md
+++ b/authentication/README.md
@ -0,0 +1,30 @@
 # Workshop Users
 ```sh
 helm template auth . --set masterKey=RivieraDev2024 | oc apply -f -
 ```
 Get the name of the generated secret:
 ```sh
 oc get secret -n openshift-config |grep ^htpasswd
 ```
 Update oauth/cluster with:
 ```yaml
 apiVersion: config.openshift.io/v1
 kind: OAuth
 metadata:
  name: cluster
  annotations:
    argocd.argoproj.io/sync-options: Prune=false
 spec:
  identityProviders:
  - htpasswd:
      fileData:
        name: htpasswd-
    mappingMethod: claim
    name: WorkshopUser
    type: HTPasswd
 ```
--- a/authentication/templates/_helpers.tpl
+++ b/authentication/templates/_helpers.tpl
@ -0,0 +1,21 @@
 {{/* vim: set filetype=mustache: */}}
 {{- define "openshift-users" -}}
 {{- $stash := dict "result" (list)  -}}
 {{- range $user := .Values.openshift.users }}
 {{- $_ := printf "%s" $user | append $stash.result | set $stash "result" -}}
 {{- end -}}
 {{- toJson $stash.result -}}
 {{- end -}}
 {{- define "openshift-htpasswd" -}}
 {{- range (include "openshift-users" . | fromJsonArray) }}
 {{ htpasswd . (trunc 8 (sha256sum (cat $.Values.masterKey "openshift-htpasswd" .))) }}
 {{- end -}}
 {{- end -}}
 {{- define "openshift-users-txt" -}}
 {{- range (include "openshift-users" . | fromJsonArray) }}
 {{ . }}:{{ trunc 8 (sha256sum (cat $.Values.masterKey "openshift-htpasswd" .)) }}
 {{- end -}}
 {{- end -}}
--- a/authentication/templates/cluster-auth.yaml
+++ b/authentication/templates/cluster-auth.yaml
@ -0,0 +1,62 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: htpasswd-{{ trunc 8 (include "openshift-users-txt" . | sha256sum) }}
  namespace: openshift-config
  annotations:
    argocd.argoproj.io/sync-options: Prune=false
    argocd.argoproj.io/compare-options: IgnoreExtraneous
 type: Opaque
 data:
  htpasswd: {{ include "openshift-htpasswd" . | b64enc | quote }}
  users.txt: {{ include "openshift-users-txt" . | b64enc | quote }}
 {{- range (include "openshift-users" . | fromJsonArray) }}
 ---
 kind: Namespace
 apiVersion: v1
 metadata:
  annotations:
    argocd.argoproj.io/sync-options: Prune=false
  labels:
    env: test
  name: {{ (printf "%s-test" .) | quote }}
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ (printf "%s-admin" .) | quote }}
  namespace: {{ (printf "%s-test" .) | quote }}
  annotations:
    argocd.argoproj.io/sync-options: Prune=false
 subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: {{ . | quote }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
 ---
 kind: Namespace
 apiVersion: v1
 metadata:
  annotations:
    argocd.argoproj.io/sync-options: Prune=false
  name: {{ . | quote }}
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ (printf "%s-admin" .) | quote }}
  namespace: {{ . | quote }}
  annotations:
    argocd.argoproj.io/sync-options: Prune=false
 subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: {{ . | quote }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
 {{- end }}
--- a/authentication/values.yaml
+++ b/authentication/values.yaml
@ -0,0 +1,42 @@
 openshift:
  users:
  - user1
  - user2
  - user3
  - user4
  - user5
  - user6
  - user7
  - user8
  - user9
  - user10
  - user11
  - user12
  - user13
  - user14
  - user15
  - user16
  - user17
  - user18
  - user19
  - user20
  - user21
  - user22
  - user23
  - user24
  - user25
  - user26
  - user27
  - user28
  - user29
  - user30
  - user31
  - user32
  - user33
  - user34
  - user35
  - user36
  - user37
  - user38
  - user39
  - user40