feat: Add provision for OIDC Confidential client configurations
akash-jain-10 committed Apr 8, 2024
1 parent ce38052 commit 503ee90
Showing 5 changed files with 153 additions and 1 deletion.
21 changes: 20 additions & 1 deletion charts/openmetadata/README.md
@@ -34,6 +34,7 @@ helm install openmetadata open-metadata/openmetadata --values <<path-to-values-f
| Key | Type | Default | Conf/Openmetadata.yaml |
|-----|------|---------| ---------------------- |
| openmetadata.config.authentication.enabled | bool | `true` | |
| openmetadata.config.authentication.clientType | string | `public` | AUTHENTICATION_CLIENT_TYPE |
| openmetadata.config.authentication.provider | string | `basic` | AUTHENTICATION_PROVIDER |
| openmetadata.config.authentication.publicKeys | list | `[http://openmetadata:8585/api/v1/system/config/jwks]` | AUTHENTICATION_PUBLIC_KEYS |
| openmetadata.config.authentication.authority | string | `https://accounts.google.com` | AUTHENTICATION_AUTHORITY |
@@ -70,6 +71,24 @@ helm install openmetadata open-metadata/openmetadata --values <<path-to-values-f
| openmetadata.config.authentication.ldapConfiguration.trustStoreConfig.hostNameConfig.acceptableHostNames | string | `[Empty String]` | AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES |
| openmetadata.config.authentication.ldapConfiguration.trustStoreConfig.jvmDefaultConfig.verifyHostname | string | `Empty String` | AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST |
| openmetadata.config.authentication.ldapConfiguration.trustStoreConfig.trustAllConfig.examineValidityDates | bool | `true` | AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES |
| openmetadata.config.authentication.oidcConfiguration.callbackUrl | string | `http://openmetadata:8585/callback` | OIDC_CALLBACK |
| openmetadata.config.authentication.oidcConfiguration.clientAuthenticationMethod | string | `client_secret_post` | OIDC_CLIENT_AUTH_METHOD |
| openmetadata.config.authentication.oidcConfiguration.clientId.secretKey | string | `openmetadata-oidc-client-id` | OIDC_CLIENT_ID |
| openmetadata.config.authentication.oidcConfiguration.clientId.secretRef | string | `oidc-secrets` | OIDC_CLIENT_ID |
| openmetadata.config.authentication.oidcConfiguration.clientSecret.secretKey | string | `openmetadata-oidc-client-secret` | OIDC_CLIENT_SECRET |
| openmetadata.config.authentication.oidcConfiguration.clientSecret.secretRef | string | `oidc-secrets` | OIDC_CLIENT_SECRET |
| openmetadata.config.authentication.oidcConfiguration.customParams | string | `Empty` | OIDC_CUSTOM_PARAMS |
| openmetadata.config.authentication.oidcConfiguration.disablePkce | bool | true | OIDC_DISABLE_PKCE |
| openmetadata.config.authentication.oidcConfiguration.discoveryUri | string | `Empty` | OIDC_DISCOVERY_URI |
| openmetadata.config.authentication.oidcConfiguration.enabled | bool | false | |
| openmetadata.config.authentication.oidcConfiguration.maxClockSkew | string | `Empty` | OIDC_MAX_CLOCK_SKEW |
| openmetadata.config.authentication.oidcConfiguration.oidcType | string | `Empty` | OIDC_TYPE |
| openmetadata.config.authentication.oidcConfiguration.preferredJwsAlgorithm | string | `RS256` | OIDC_PREFERRED_JWS |
| openmetadata.config.authentication.oidcConfiguration.responseType | string | `code` | OIDC_RESPONSE_TYPE |
| openmetadata.config.authentication.oidcConfiguration.scope | string | `openid email profile` | OIDC_SCOPE |
| openmetadata.config.authentication.oidcConfiguration.serverUrl | string | `http://openmetadata:8585` | OIDC_SERVER_URL |
| openmetadata.config.authentication.oidcConfiguration.tenant | string | `Empty` | OIDC_TENANT |
| openmetadata.config.authentication.oidcConfiguration.useNonce | bool | `true` | OIDC_USE_NONCE |
| openmetadata.config.authentication.saml.debugMode | bool | false | SAML_DEBUG_MODE |
| openmetadata.config.authentication.saml.idp.entityId | string | `Empty` | SAML_IDP_ENTITY_ID |
| openmetadata.config.authentication.saml.idp.ssoLoginUrl | string | `Empty` | SAML_IDP_SSO_LOGIN_URL |
@@ -235,7 +254,7 @@ helm install openmetadata open-metadata/openmetadata --values <<path-to-values-f
| fullnameOverride | string | `"openmetadata"` |
| image.pullPolicy | string | `"Always"` |
| image.repository | string | `"docker.getcollate.io/openmetadata/server"` |
| image.tag | string | `1.3.1` |
| image.tag | string | `1.3.2` |
| imagePullSecrets | list | `[]` |
| ingress.annotations | object | `{}` |
| ingress.className | string | `""` |
16 changes: 16 additions & 0 deletions charts/openmetadata/templates/_helpers.tpl
@@ -184,6 +184,22 @@ OpenMetadata Configurations Environment Variables*/}}
key: {{ .secretKey }}
{{- end }}
{{- end }}
{{- if and (eq .Values.openmetadata.config.authentication.clientType "confidential") (.Values.openmetadata.config.authentication.oidcConfiguration.enabled) }}
{{- with .Values.openmetadata.config.authentication.oidcConfiguration.clientId }}
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ .secretRef }}
key: {{ .secretKey }}
{{- end }}
{{- with .Values.openmetadata.config.authentication.oidcConfiguration.clientSecret }}
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ .secretRef }}
key: {{ .secretKey }}
{{- end }}
{{- end }}
{{- if eq .Values.openmetadata.config.authentication.provider "ldap" }}
{{- if .Values.openmetadata.config.authentication.ldapConfiguration.dnAdminPassword.secretRef }}
{{- with .Values.openmetadata.config.authentication.ldapConfiguration.dnAdminPassword }}
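Review bot: The secretKeyRef fields at `name: {{ .secretRef }}` and `key: {{ .secretKey }}` in both new blocks are rendered as plain scalars, so an empty or number-looking value becomes null or a non-string in the rendered env entry instead of a clear failure; `name: {{ .secretRef | quote }}` and `key: {{ .secretKey | quote }}` keep them strings, and wrapping them in `required "oidcConfiguration.clientSecret.secretRef is required" ...` would surface a missing value at template time. The two `with` blocks are skipped silently when `clientId` or `clientSecret` is unset, so a release with `clientType: confidential` and `oidcConfiguration.enabled: true` can render without OIDC_CLIENT_SECRET and only fail once the server starts — presumably not the intent, so a `fail` for that combination seems worth considering. The enclosing define starts outside the hunk.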
16 changes: 16 additions & 0 deletions charts/openmetadata/templates/secrets.yaml
@@ -217,8 +217,24 @@ data:
AUTHENTICATION_RESPONSE_TYPE: {{ .responseType | quote | b64enc }}
AUTHENTICATION_AUTHORITY: {{ .authority | quote | b64enc }}
AUTHENTICATION_CLIENT_ID: {{ .clientId | quote | b64enc }}
AUTHENTICATION_CLIENT_TYPE: {{ .clientType | quote | b64enc }}
AUTHENTICATION_CALLBACK_URL: {{ .callbackUrl | quote | b64enc }}
AUTHENTICATION_ENABLE_SELF_SIGNUP: {{ .enableSelfSignup | quote | b64enc }}
{{- if and (eq .clientType "confidential") (.oidcConfiguration.enabled) }}
OIDC_TYPE: {{ .oidcConfiguration.oidcType | quote | b64enc }}
OIDC_SCOPE: {{ .oidcConfiguration.scope | quote | b64enc }}
OIDC_DISCOVERY_URI: {{ .oidcConfiguration.discoveryUri | quote | b64enc }}
OIDC_USE_NONCE: {{ .oidcConfiguration.useNonce | quote | b64enc }}
OIDC_PREFERRED_JWS: {{ .oidcConfiguration.preferredJwsAlgorithm | quote | b64enc }}
OIDC_RESPONSE_TYPE: {{ .oidcConfiguration.responseType | quote | b64enc }}
OIDC_DISABLE_PKCE: {{ .oidcConfiguration.disablePkce | quote | b64enc }}
OIDC_CALLBACK: {{ .oidcConfiguration.callbackUrl | quote | b64enc }}
OIDC_SERVER_URL: {{ .oidcConfiguration.serverUrl | quote | b64enc }}
OIDC_CLIENT_AUTH_METHOD: {{ .oidcConfiguration.clientAuthenticationMethod | quote | b64enc }}
OIDC_TENANT: {{ .oidcConfiguration.tenant | quote | b64enc }}
OIDC_MAX_CLOCK_SKEW: {{ .oidcConfiguration.maxClockSkew | quote | b64enc }}
OIDC_CUSTOM_PARAMS: {{ .oidcConfiguration.customParams | quote | b64enc }}
{{ end }}
{{- if eq .provider "ldap" }}
AUTHENTICATION_LDAP_HOST: {{ .ldapConfiguration.host | b64enc }}
AUTHENTICATION_LDAP_PORT: {{ .ldapConfiguration.port | quote | b64enc }}
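Review bot: The closing `{{ end }}` after OIDC_CUSTOM_PARAMS lacks the whitespace trim that every neighbouring directive uses (`{{- if ...`, `{{- end }}`), so the rendered Secret data block carries a stray blank line at that point; `{{- end }}` keeps it consistent. Every OIDC key is also emitted even when its value is the chart default `""`, so a consumer that distinguishes unset from empty (OIDC_DISCOVERY_URI, OIDC_TENANT, OIDC_MAX_CLOCK_SKEW look like candidates) will see an empty string — worth confirming against the server's config loading, or guarding each optional key with a `{{- with }}`. The `with` block that binds `.clientType` and `.oidcConfiguration` starts outside the hunk.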
79 changes: 79 additions & 0 deletions charts/openmetadata/values.schema.json
@@ -246,6 +246,13 @@
"clientId": {
"type": "string"
},
"clientType": {
"type": "string",
"enum": [
"public",
"confidential"
]
},
"enableSelfSignup": {
"type": "boolean"
},
@@ -284,6 +291,78 @@
"responseType": {
"type": "string"
},
"oidcConfiguration": {
"type": "object",
"additionalProperties": false,
"properties": {
"enabled": {
"type": "boolean"
},
"oidcType": {
"type": "string"
},
"clientId": {
"type": "object",
"additionalProperties": false,
"properties": {
"secretRef": {
"type": "string"
},
"secretKey": {
"type": "string"
}
}
},
"clientSecret": {
"type": "object",
"additionalProperties": false,
"properties": {
"secretRef": {
"type": "string"
},
"secretKey": {
"type": "string"
}
}
},
"scope": {
"type": "string"
},
"discoveryUri": {
"type": "string"
},
"useNonce": {
"type": "boolean"
},
"preferredJwsAlgorithm": {
"type": "string"
},
"responseType": {
"type": "string"
},
"disablePkce": {
"type": "boolean"
},
"callbackUrl": {
"type": "string"
},
"serverUrl": {
"type": "string"
},
"clientAuthenticationMethod": {
"type": "string"
},
"tenant": {
"type": "string"
},
"maxClockSkew": {
"type": "string"
},
"customParams": {
"type": "string"
}
}
},
"ldapConfiguration": {
"type": "object",
"additionalProperties": false,
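Review bot: The new `clientId` and `clientSecret` objects accept an empty mapping, since neither lists `secretRef` and `secretKey` as required; a values file that sets only one of the two passes schema validation and the chart's secretKeyRef then renders with an empty name or key. Adding `"required": ["secretRef", "secretKey"]` to both objects, next to their `"additionalProperties": false`, catches this at lint/install time. The `clientType` enum in the first hunk is the right shape; `clientAuthenticationMethod` could likewise be constrained to the methods the server actually accepts, if that set is known to the chart authors.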
22 changes: 22 additions & 0 deletions charts/openmetadata/values.yaml
@@ -96,6 +96,7 @@ openmetadata:
enableSecureSocketConnection: false
authentication:
enabled: true
clientType: public
provider: "basic"
publicKeys:
- "http://openmetadata:8585/api/v1/system/config/jwks"
@@ -108,6 +109,27 @@ openmetadata:
- "preferred_username"
- "sub"
enableSelfSignup: true
oidcConfiguration:
enabled: false
oidcType: ""
clientId:
secretRef: oidc-secrets
secretKey: openmetadata-oidc-client-id
clientSecret:
secretRef: oidc-secrets
secretKey: openmetadata-oidc-client-secret
scope: "openid email profile"
discoveryUri: ""
useNonce: true
preferredJwsAlgorithm: RS256
responseType: code
disablePkce: true
callbackUrl: http://openmetadata:8585/callback
serverUrl: http://openmetadata:8585
clientAuthenticationMethod: client_secret_post
tenant: ""
maxClockSkew: ""
customParams: ""
ldapConfiguration:
host: localhost
port: 10636
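Review bot: `disablePkce: true` ships PKCE switched off by default for the confidential client; if the server honours the flag as its name suggests, that weakens the authorization-code exchange, and current OAuth 2.0 security best-practice guidance recommends PKCE for confidential clients too, so a `false` default — or at least a comment such as `# set to false to require PKCE on the authorization-code exchange` — would be the safer choice. The `oidc-secrets` Secret named by `secretRef` does not appear to be created anywhere in this commit, so a comment above `clientId:` like `# Secret must be created before enabling; it is not managed by this chart` would save users a pod stuck on a missing secretKeyRef. Quoting is also mixed within the new block (`scope: "openid email profile"` but `callbackUrl: http://openmetadata:8585/callback`), while the neighbouring keys in this file quote their strings; quoting the URLs and the `secretRef`/`secretKey` values would match the file's convention.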
