add cluster authentication

1 year ago · 8bf110b009
5 changed files with 160 additions and 0 deletions
--- a/authentication/Chart.yaml
+++ b/authentication/Chart.yaml
@ -0,0 +1,5 @@
+apiVersion: v2
+name: auth
+type: application
+version: 0.0.1
+appVersion: "0.0.1"
--- a/authentication/README.md
+++ b/authentication/README.md
@ -0,0 +1,30 @@
+# Workshop Users
+
+```sh
+helm template auth . --set masterKey=RivieraDev2024 | oc apply -f -
+```
+
+Get the name of the generated secret:
+
+```sh
+oc get secret -n openshift-config |grep ^htpasswd
+```
+
+Update oauth/cluster with:
+
+```yaml
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+  name: cluster
+  annotations:
+    argocd.argoproj.io/sync-options: Prune=false
+spec:
+  identityProviders:
+  - htpasswd:
+      fileData:
+        name: htpasswd-
+    mappingMethod: claim
+    name: WorkshopUser
+    type: HTPasswd
+```
--- a/authentication/templates/_helpers.tpl
+++ b/authentication/templates/_helpers.tpl
@ -0,0 +1,21 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "openshift-users" -}}
+{{- $stash := dict "result" (list)  -}}
+{{- range $user := .Values.openshift.users }}
+{{- $_ := printf "%s" $user | append $stash.result | set $stash "result" -}}
+{{- end -}}
+{{- toJson $stash.result -}}
+{{- end -}}
+
+{{- define "openshift-htpasswd" -}}
+{{- range (include "openshift-users" . | fromJsonArray) }}
+{{ htpasswd . (trunc 8 (sha256sum (cat $.Values.masterKey "openshift-htpasswd" .))) }}
+{{- end -}}
+{{- end -}}
+
+{{- define "openshift-users-txt" -}}
+{{- range (include "openshift-users" . | fromJsonArray) }}
+{{ . }}:{{ trunc 8 (sha256sum (cat $.Values.masterKey "openshift-htpasswd" .)) }}
+{{- end -}}
+{{- end -}}
--- a/authentication/templates/cluster-auth.yaml
+++ b/authentication/templates/cluster-auth.yaml
@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: htpasswd-{{ trunc 8 (include "openshift-users-txt" . | sha256sum) }}
+  namespace: openshift-config
+  annotations:
+    argocd.argoproj.io/sync-options: Prune=false
+    argocd.argoproj.io/compare-options: IgnoreExtraneous
+type: Opaque
+data:
+  htpasswd: {{ include "openshift-htpasswd" . | b64enc | quote }}
+  users.txt: {{ include "openshift-users-txt" . | b64enc | quote }}
+{{- range (include "openshift-users" . | fromJsonArray) }}
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: Prune=false
+  labels:
+    env: test
+  name: {{ (printf "%s-test" .) | quote }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ (printf "%s-admin" .) | quote }}
+  namespace: {{ (printf "%s-test" .) | quote }}
+  annotations:
+    argocd.argoproj.io/sync-options: Prune=false
+subjects:
+  - kind: User
+    apiGroup: rbac.authorization.k8s.io
+    name: {{ . | quote }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: Prune=false
+  name: {{ . | quote }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ (printf "%s-admin" .) | quote }}
+  namespace: {{ . | quote }}
+  annotations:
+    argocd.argoproj.io/sync-options: Prune=false
+subjects:
+  - kind: User
+    apiGroup: rbac.authorization.k8s.io
+    name: {{ . | quote }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+{{- end }}
--- a/authentication/values.yaml
+++ b/authentication/values.yaml
@ -0,0 +1,42 @@
+openshift:
+  users:
+  - user1
+  - user2
+  - user3
+  - user4
+  - user5
+  - user6
+  - user7
+  - user8
+  - user9
+  - user10
+  - user11
+  - user12
+  - user13
+  - user14
+  - user15
+  - user16
+  - user17
+  - user18
+  - user19
+  - user20
+  - user21
+  - user22
+  - user23
+  - user24
+  - user25
+  - user26
+  - user27
+  - user28
+  - user29
+  - user30
+  - user31
+  - user32
+  - user33
+  - user34
+  - user35
+  - user36
+  - user37
+  - user38
+  - user39
+  - user40