
allowing for multiple existingSecrets for vouch and change all parameters to camelCase #4

Merged: 11 commits merged into main from allow_individual_secrets on Aug 13, 2023

Conversation

jessebot (Collaborator) commented Aug 13, 2023

You can now specify a separate secret for both oauth and vouch domains/emails. Both use specific keys in the secret instead of overwriting the entire vouch config, though you can still do that too; the parameter for that has changed from config.existingSecretName to config.overrideConfigExistingSecretName. More details below:

Using Existing Kubernetes Secrets for Private Info

Existing Secret for the Oauth config

In your values.yaml specify the name of the secret and then the names of the keys that will store the sensitive info:

config:
  # https://console.developers.google.com/apis/credentials
  oauth:
    # -- existingSecret for clientId, clientSecret, authUrl, tokenUrl, userInfoUrl, callbackUrls, and preferredDomain.
    # If this value is not empty, we will ignore all of those plain text values and only use your secret keys
    existingSecret: 'my-vouch-oauth-secret'
    # keys in oauth.existingSecret to use for Oauth2 config
    secretKeys:
      # -- key in existingSecret for the clientID from your provider
      clientId: 'clientId'
      # -- key in existingSecret for clientSecret from your provider
      clientSecret: 'clientSecret'
      # -- key in existingSecret for authentication url from your oidc provider
      authUrl: 'authUrl'
      # -- key in existingSecret for token url from your oidc provider
      tokenUrl: 'tokenUrl'
      # -- key in existingSecret for userInfoUrl from your oidc provider
      userInfoUrl: 'userInfoUrl'
      # -- key in oauth.existingSecret for comma separated list of valid
      # callback urls to use, example value for your key in your existing secret:
      # 'https://vouch.example.com/auth,https://vouch.example.com/login'
      callbackUrls: 'callbackUrls'
      # -- secret key in oauth.existingSecret for your preferred domain
      preferredDomain: 'preferredDomain'

Example secret:

apiVersion: v1
kind: Secret
metadata:
  name: my-vouch-oauth-secret
# "stringData" doesn't have to be used, but if you use "data", you have to base64 encode the string values below
stringData:
  clientId: 'vouch'
  clientSecret: '6f7dag78dagr4bcfydsuoivh9a8fh89'
  authUrl: 'https://iam.example.com/realms/demo-realm/protocol/openid-connect/auth'
  tokenUrl: 'https://iam.example.com/realms/master/protocol/openid-connect/token'
  userInfoUrl: 'https://iam.example.com/realms/master/protocol/openid-connect/userinfo'
  callbackUrls: 'https://vouch.example.com/auth'

Existing Secret for vouch allowed domains and allowed emails

In your values.yaml specify the name of the secret and then the names of the keys that will store the sensitive info:

config:
  vouch:
    # -- existingSecret for domains, whiteList, and jwtSecret. If this value is
    # not empty, we ignore vouch.domains, vouch.whiteList, and vouch.jwt.secret
    existingSecret: 'my-vouch-config-secret'
    # keys in vouch.existingSecret to use for vouch config
    secretKeys:
      # -- secret key in vouch.existingSecret with comma separated list of
      # domains you'd like to allow access from.
      domains: 'domains'
      # -- secret key in vouch.existingSecret with comma separated list of emails
      # for users that are allowed to use SSO via vouch.
      whiteList: 'whiteList'
      # -- secret key in vouch.existingSecret to pass in a secret to be used for cookies
      jwtSecret: 'jwtSecret'

Make sure that config.vouch.secretKeys.domains and config.vouch.secretKeys.whiteList are both comma separated lists.

Example secret:

apiVersion: v1
kind: Secret
metadata:
  name: my-vouch-config-secret
# "stringData" doesn't have to be used, but if you use "data", you have to base64 encode the string values below
stringData:
  domains: "coolcats.com,cooldogs.com"
  whiteList: "not-a-dog@gmail.com,cat@coolcats.com"

Overriding the entire config.yaml for vouch-proxy

You can configure your values.yml for vouch to use an existing Kubernetes Secret for its ENTIRE config file.

Example values.yaml:

config:
  # -- Allow overriding the config value with an existing secret, like a sealed secret
  overrideConfigExistingSecret: "vouch-existing-secret"

Example of setting an existing Secret via the helm cli:

helm install vouch/vouch vouch --set existingSecretName=vouch-existing-secret

Here's a Kubernetes Secret containing a Vouch config that uses keycloak as the OIDC provider:

apiVersion: v1
kind: Secret
metadata:
  name: vouch-existing-secret
stringData:
  config.yaml: |
    vouch:
      logLevel: debug
      testing: false
      domains:
      - example.com
      whiteList:
      - myuser@myemaildomain.com
      allowAllUsers: false
      cookie:
        maxAge: 900
        secure: true
        domain: example.com
    oauth:
      provider: oidc
      client_id: vouch
      client_secret: 8943hncds9aavy89hn39ncdsa89y79vh79as
      auth_url: https://iam.example.com/realms/master/protocol/openid-connect/auth
      token_url: https://iam.example.com/realms/master/protocol/openid-connect/token
      user_info_url: https://iam.example.com/realms/master/protocol/openid-connect/userinfo
      scopes:
        - openid
        - email
        - profile
      callback_urls:
        - https://vouch.example.com/auth
      preferredDomain:

you can now specify a separate secret for both oauth and vouch domains/emails. Both use specific keys in the secret instead of overwriting the entire vouch config, though you can still do that too
@jessebot jessebot self-assigned this Aug 13, 2023
@jessebot jessebot changed the title allowing for multiple existingSecrets for vouch allowing for multiple existingSecrets for vouch and change all parameters to camelCase Aug 13, 2023
@jessebot jessebot merged commit 2a7c15c into main Aug 13, 2023
1 check failed
@jessebot jessebot deleted the allow_individual_secrets branch August 13, 2023 14:21