diff --git a/charts/switcher-api/Chart.yaml b/charts/switcher-api/Chart.yaml index bad5245..a3e4832 100644 --- a/charts/switcher-api/Chart.yaml +++ b/charts/switcher-api/Chart.yaml @@ -9,5 +9,5 @@ maintainers: url: https://github.com/petruki type: application -version: 1.3.4 +version: 1.3.5 appVersion: "latest" diff --git a/charts/switcher-api/README.md b/charts/switcher-api/README.md index 2da762a..0895d1a 100644 --- a/charts/switcher-api/README.md +++ b/charts/switcher-api/README.md @@ -54,6 +54,15 @@ helm uninstall switcherapi --namespace switcherapi | `api.env.switcherSlackJwtSecret` | Switcher Slack Secret | `` | | `api.env.switcherGitOpsJwtSecret` | Switcher GitOps Secret | `` | | `api.env.switcherGitOpsUrl` | Switcher GitOps URL | `` | +| `api.env.samlEntryPoint` | SAML Entry Point URL | `` | +| `api.env.samlIssuer` | SAML Issuer | `` | +| `api.env.samlCertificate` | SAML Certificate (Base64 encoded) | `` | +| `api.env.samlPrivateKey` | SAML Private Key (Base64 encoded) | `` | +| `api.env.samlSessionSecret` | SAML Session Secret (Base64 encoded) | `` | +| `api.env.samlCallbackEndpointUrl` | SAML Callback Endpoint URL | `` | +| `api.env.samlRedirectEndpointUrl` | SAML Redirect Endpoint URL | `` | +| `api.env.samlIdentifierFormat` | SAML Identifier Format | `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` | +| `api.env.samlAcceptedClockSkewMs` | SAML Accepted Clock Skew in ms | 5000 | ### Resolver API parameters 
@@ -89,6 +98,8 @@ helm uninstall switcherapi --namespace switcherapi | `management.env.switcherManagementUrl`| Management callback URL | `http://localhost:8080` | | `management.env.switcherSlackUrl` | Switcher Slack App URL | `http://localhost:5000` | | `management.env.allowHomeView` | Allow Home View | false | +| `management.env.allowInternalAuth` | Allow Internal Authentication (email/password) | true | +| `management.env.allowSamlAuth` | Allow SAML Authentication | false | | `management.env.googleRecaptcha` | Google ReCaptcha Public Key | `` | | `management.env.bitbucketClientId` | Bitbucket Client Id | `` | | `management.env.githubClientId` | GitHub Client Id | `` | @@ -108,4 +119,16 @@ helm install -f charts/switcher-api/values.yaml switcherapi ./charts/switcher-ap --set api.env.sslSecretName="[CHANGE_ME]" \ --set management.env.switcherApiUrl="https://localhost:3000" \ --set management.env.switcherManagementUrl="https://localhost:8080" +``` + +SAML Enabled +```console +helm install -f charts/switcher-api/values.yaml switcherapi ./charts/switcher-api/ \ + --namespace=switcherapi --create-namespace \ + --set management.env.allowSamlAuth=true \ + --set api.env.samlEntryPoint="https://" \ + --set api.env.samlCertificate="[BASE64_ENCODED_CERTIFICATE]" \ + --set api.env.samlSessionSecret="[BASE64_ENCODED_SESSION_SECRET]" \ + --set api.env.samlCallbackEndpointUrl="http://localhost:3000" \ + --set api.env.samlRedirectEndpointUrl="http://localhost:8080" ``` \ No newline at end of file diff --git a/charts/switcher-api/templates/api/configmap.yaml b/charts/switcher-api/templates/api/configmap.yaml index 6c6bece..e3f30c4 100644 --- a/charts/switcher-api/templates/api/configmap.yaml +++ b/charts/switcher-api/templates/api/configmap.yaml @@ -10,7 +10,7 @@ data: {{- if .Values.api.env.sslSecretName }} SSL_CERT: "/etc/certs/tls.crt" SSL_KEY: "/etc/certs/tls.key" - {{- end -}} + {{- end }} # Global settings SWITCHER_API_LOGGER: {{ .Values.api.env.switcherApiLogger | quote }} 
@@ -25,12 +25,22 @@ data:
 JWT_ADMIN_TOKEN_RENEW_INTERVAL: {{ default "5m" .Values.api.env.jwtAdminTokenRenewInterval | quote }}
 
 # Auth Integration
- {{- if and .Values.api.env.bitbucketClientId .Values.api.env.bitbucketClientSecret -}}
+ {{- if and .Values.api.env.bitbucketClientId .Values.api.env.bitbucketClientSecret }}
 BITBUCKET_OAUTH_CLIENT_ID: {{ .Values.api.env.bitbucketClientId | quote }}
- {{- end -}}
- {{- if and .Values.api.env.githubClientId .Values.api.env.githubClientSecret -}}
+ {{- end }}
+ {{- if and .Values.api.env.githubClientId .Values.api.env.githubClientSecret }}
 GIT_OAUTH_CLIENT_ID: {{ .Values.api.env.githubClientId | quote }}
- {{- end -}}
+ {{- end }}
+
+ # SAML Integration
+ {{- if and .Values.api.env.samlEntryPoint .Values.api.env.samlCallbackEndpointUrl }}
+ SAML_ENTRY_POINT: {{ .Values.api.env.samlEntryPoint | quote }}
+ SAML_ISSUER: {{ .Values.api.env.samlIssuer | quote }}
+ SAML_CALLBACK_ENDPOINT_URL: {{ .Values.api.env.samlCallbackEndpointUrl | quote }}
+ SAML_REDIRECT_ENDPOINT_URL: {{ .Values.api.env.samlRedirectEndpointUrl | quote }}
+ SAML_IDENTIFIER_FORMAT: {{ .Values.api.env.samlIdentifierFormat | quote }}
+ SAML_ACCEPTED_CLOCK_SKEW_MS: {{ default 5000 .Values.api.env.samlAcceptedClockSkewMs | quote }}
+ {{- end }}
 
 # Switcher GitOps
 SWITCHER_GITOPS_URL: {{ .Values.api.env.switcherGitOpsUrl | quote }}
\ No newline at end of file
diff --git a/charts/switcher-api/templates/api/secret.yaml b/charts/switcher-api/templates/api/secret.yaml
index e91d240..fafbd17 100644
--- a/charts/switcher-api/templates/api/secret.yaml
+++ b/charts/switcher-api/templates/api/secret.yaml
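Review bot: `default 5000` on the new `SAML_ACCEPTED_CLOCK_SKEW_MS` line treats a configured `samlAcceptedClockSkewMs: 0` as unset, because Sprig's `default` regards numeric zero as empty, so the strictest clock-skew window an operator can ask for is silently widened to 5000 ms. values.yaml in this commit already ships `samlAcceptedClockSkewMs: 5000` and values.schema.json types it as an integer, so the fallback is redundant; render the value directly: `SAML_ACCEPTED_CLOCK_SKEW_MS: {{ .Values.api.env.samlAcceptedClockSkewMs | quote }}`. `SAML_REDIRECT_ENDPOINT_URL` is emitted as `""` when `samlRedirectEndpointUrl` is left at its values.yaml default while the block is gated only on the entry point and callback URL; if the API needs it to complete the login flow (not verifiable from the page), `required` on it inside this block would surface the omission at render time rather than on first login.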
@@ -12,20 +12,31 @@ data:
 RESOURCE_SECRET: {{ default "admin" .Values.api.env.resourceSecret | b64enc | quote }}
 
 # Auth Integration
- {{- if and .Values.api.env.bitbucketClientId .Values.api.env.bitbucketClientSecret -}}
+ {{- if and .Values.api.env.bitbucketClientId .Values.api.env.bitbucketClientSecret }}
 BITBUCKET_OAUTH_SECRET: {{ .Values.api.env.bitbucketClientSecret | b64enc | quote }}
- {{- end -}}
- {{- if and .Values.api.env.githubClientId .Values.api.env.githubClientSecret -}}
+ {{- end }}
+ {{- if and .Values.api.env.githubClientId .Values.api.env.githubClientSecret }}
 GIT_OAUTH_SECRET: {{ .Values.api.env.githubClientSecret | b64enc | quote }}
- {{- end -}}
+ {{- end }}
 
 # Platform/Services Integration
- {{- if .Values.api.env.googleRecaptchaSecret -}}
+ {{- if .Values.api.env.googleRecaptchaSecret }}
 GOOGLE_RECAPTCHA_SECRET: {{ .Values.api.env.googleRecaptchaSecret | b64enc | quote }}
- {{- end -}}
- {{- if .Values.api.env.switcherSlackJwtSecret -}}
+ {{- end }}
+ {{- if .Values.api.env.switcherSlackJwtSecret }}
 SWITCHER_SLACK_JWT_SECRET: {{ .Values.api.env.switcherSlackJwtSecret | b64enc | quote }}
- {{- end -}}
- {{- if .Values.api.env.switcherGitOpsJwtSecret -}}
+ {{- end }}
+ {{- if .Values.api.env.switcherGitOpsJwtSecret }}
 SWITCHER_GITOPS_JWT_SECRET: {{ .Values.api.env.switcherGitOpsJwtSecret | b64enc | quote }}
- {{- end -}}
\ No newline at end of file
+ {{- end }}
+
+ # SAML Integration
+ {{- if .Values.api.env.samlCertificate }}
+ SAML_CERT: {{ .Values.api.env.samlCertificate | b64enc | quote }}
+ {{- end }}
+ {{- if .Values.api.env.samlPrivateKey }}
+ SAML_PRIVATE_KEY: {{ .Values.api.env.samlPrivateKey | b64enc | quote }}
+ {{- end }}
+ {{- if .Values.api.env.samlSessionSecret }}
+ SESSION_SECRET: {{ .Values.api.env.samlSessionSecret | b64enc | quote }}
+ {{- end }}
\ No newline at end of file
diff --git a/charts/switcher-api/templates/manager/configmap.yaml b/charts/switcher-api/templates/manager/configmap.yaml
index e480400..72e7694 100644
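Review bot: The three new SAML secrets are each rendered only when their own value is non-empty, whereas templates/api/configmap.yaml in this commit turns SAML on whenever `samlEntryPoint` and `samlCallbackEndpointUrl` are set, so a release can come up SAML-enabled with no IdP certificate and no session secret and only discover that at runtime. Gating `SAML_CERT` and `SESSION_SECRET` on the same `and` condition with `required`, e.g. `SAML_CERT: {{ required "api.env.samlCertificate must be set when SAML is enabled" .Values.api.env.samlCertificate | b64enc | quote }}`, makes `helm install` fail instead; `SAML_PRIVATE_KEY` can stay optional if the API needs it only for signed requests, which the page does not show. The README rows added in this commit describe these values as already Base64 encoded and the template applies `b64enc` on top, which looks intentional (the application presumably decodes the env var), but a comment on the three keys in values.yaml stating that expectation would stop operators from pasting raw PEM.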
--- a/charts/switcher-api/templates/manager/configmap.yaml
+++ b/charts/switcher-api/templates/manager/configmap.yaml
@@ -7,6 +7,8 @@ metadata:
 {{- include "switcher-management.labels" . | nindent 4 }}
 data:
 ALLOW_HOME_VIEW: {{ .Values.management.env.allowHomeView | quote }}
+ ALLOW_INTERNAL_AUTH: {{ .Values.management.env.allowInternalAuth | quote }}
+ ALLOW_SAML_AUTH: {{ .Values.management.env.allowSamlAuth | quote }}
 SWITCHERAPI_URL: {{ .Values.management.env.switcherApiUrl }}
 SM_IP: {{ .Values.management.env.switcherManagementUrl }}
 GOOGLE_RECAPTCHA: {{ .Values.management.env.googleRecaptcha }}
diff --git a/charts/switcher-api/templates/resolver/configmap.yaml b/charts/switcher-api/templates/resolver/configmap.yaml
index 4b28711..1c43ccd 100644
--- a/charts/switcher-api/templates/resolver/configmap.yaml
+++ b/charts/switcher-api/templates/resolver/configmap.yaml
@@ -10,7 +10,7 @@ data:
 {{- if .Values.resolver.env.sslSecretName }}
 SSL_CERT: "/etc/certs/tls.crt"
 SSL_KEY: "/etc/certs/tls.key"
- {{- end -}}
+ {{- end }}
 
 # Global settings
 SWITCHER_API_LOGGER: {{ .Values.resolver.env.switcherApiLogger | quote }}
diff --git a/charts/switcher-api/values.schema.json b/charts/switcher-api/values.schema.json
index 96951da..d109de5 100644
--- a/charts/switcher-api/values.schema.json
+++ b/charts/switcher-api/values.schema.json
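Review bot: Nothing prevents both `ALLOW_INTERNAL_AUTH` and `ALLOW_SAML_AUTH` from rendering as `"false"`, which — going by the names and the README descriptions in this commit — leaves the management UI with no sign-in method, and values.schema.json types them as two independent booleans so validation cannot catch it either. A render-time guard above the `data:` keys such as `{{- if not (or .Values.management.env.allowInternalAuth .Values.management.env.allowSamlAuth) }}{{ fail "set at least one of management.env.allowInternalAuth / management.env.allowSamlAuth" }}{{- end }}` turns that into an install error. Enabling `allowSamlAuth` here only does something if the `api.env.saml*` values also drive the API-side block in templates/api/configmap.yaml; a comment next to `allowSamlAuth` in values.yaml pointing at those keys would save the cross-reference.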
@@ -40,9 +40,81 @@
 "mongoUri": {
 "type": "string"
 },
+ "resourceSecret": {
+ "type": "string"
+ },
 "permissionCacheActivated": {
 "type": "boolean"
 },
+ "metricsMaxPage": {
+ "type": "integer"
+ },
+ "strategyMaxOperation": {
+ "type": "integer"
+ },
+ "relayBypassHttps": {
+ "type": "boolean"
+ },
+ "relayBypassVerification": {
+ "type": "boolean"
+ },
+ "maxRequestPerMinute": {
+ "type": "integer"
+ },
+ "jwtAdminTokenRenewInterval": {
+ "type": "string"
+ },
+ "googleRecaptchaSecret": {
+ "type": "string"
+ },
+ "switcherSlackJwtSecret": {
+ "type": "string"
+ },
+ "switcherGitOpsJwtSecret": {
+ "type": "string"
+ },
+ "switcherGitOpsUrl": {
+ "type": "string"
+ },
+ "bitbucketClientId": {
+ "type": "string"
+ },
+ "bitbucketClientSecret": {
+ "type": "string"
+ },
+ "githubClientId": {
+ "type": "string"
+ },
+ "githubClientSecret": {
+ "type": "string"
+ },
+ "samlEntryPoint": {
+ "type": "string"
+ },
+ "samlIssuer": {
+ "type": "string"
+ },
+ "samlCallbackEndpointUrl": {
+ "type": "string"
+ },
+ "samlRedirectEndpointUrl": {
+ "type": "string"
+ },
+ "samlIdentifierFormat": {
+ "type": "string"
+ },
+ "samlAcceptedClockSkewMs": {
+ "type": "integer"
+ },
+ "samlCertificate": {
+ "type": "string"
+ },
+ "samlPrivateKey": {
+ "type": "string"
+ },
+ "samlSessionSecret": {
+ "type": "string"
+ },
 "sslSecretName": {
 "type": "string"
 },
@@ -150,6 +222,12 @@
 "allowHomeView": {
 "type": "boolean"
 },
+ "allowInternalAuth": {
+ "type": "boolean"
+ },
+ "allowSamlAuth": {
+ "type": "boolean"
+ },
 "switcherApiUrl": {
 "type": "string"
 },
@@ -158,6 +236,15 @@
 },
 "switcherSlackUrl": {
 "type": "string"
+ },
+ "googleRecaptcha": {
+ "type": "string"
+ },
+ "githubClientId": {
+ "type": "string"
+ },
+ "githubClientSecret": {
+ "type": "string"
 }
 }
 },
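Review bot: The `management.env` properties added in the third hunk (`googleRecaptcha`, `githubClientId`, `githubClientSecret`) disagree with what this commit adds to `management.env` in values.yaml (`googleRecaptcha`, `githubClientId`, `bitbucketClientId`) and with the README table, which lists `management.env.bitbucketClientId`; `githubClientSecret` looks copied from the `api.env` block, and the manager configmap hunk on this page renders no client secret, so it is presumably not consumed by the management component. Replace it with `"bitbucketClientId": { "type": "string" }` so the schema describes the values it is meant to validate and a `--set management.env.bitbucketClientId=...` keeps passing if `additionalProperties` is ever tightened. The `api.env` hunk is consistent with values.yaml and the README, so only the management block needs the fix.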
@@ -269,11 +356,32 @@
 "mongoUri": {
 "type": "string"
 },
+ "resourceSecret": {
+ "type": "string"
+ },
 "sslSecretName": {
 "type": "string"
 },
 "switcherApiLogger": {
 "type": "boolean"
+ },
+ "relayBypassHttps": {
+ "type": "boolean"
+ },
+ "relayBypassVerification": {
+ "type": "boolean"
+ },
+ "regexMaxTimeout": {
+ "type": "integer"
+ },
+ "regexMaxBlacklist": {
+ "type": "integer"
+ },
+ "maxRequestPerMinute": {
+ "type": "integer"
+ },
+ "jwtClientTokenExpTime": {
+ "type": "string"
 }
 }
 },
diff --git a/charts/switcher-api/values.yaml b/charts/switcher-api/values.yaml
index fa332a3..508d293 100644
--- a/charts/switcher-api/values.yaml
+++ b/charts/switcher-api/values.yaml
@@ -3,16 +3,47 @@ api:
 
 port: 3000
 env:
+ # Main Configuration
 mongoUri: mongodb://db-mongodb.switcherapi.svc.cluster.local:27017/switcher-api
+ resourceSecret: "admin"
 switcherApiLogger: true
 historyActivated: true
 metricsActivated: true
 permissionCacheActivated: true
 googleSkipAuth: true
+ metricsMaxPage: 50
+ strategyMaxOperation: 100
+ relayBypassHttps: false
+ relayBypassVerification: false
+ maxRequestPerMinute: 1000
+ jwtAdminTokenRenewInterval: "5m"
+ switcherGitOpsUrl: ""
+
+ # Platform/Services Integration
+ googleRecaptchaSecret: ""
+ switcherSlackJwtSecret: ""
+ switcherGitOpsJwtSecret: ""
 
 # Enable SSL (tls.crt and tls.key)
 sslSecretName: ""
 
+ # GitHub/Bitbucket OAuth
+ bitbucketClientId: ""
+ bitbucketClientSecret: ""
+ githubClientId: ""
+ githubClientSecret: ""
+
+ # SAML Integration
+ samlEntryPoint: ""
+ samlIssuer: "switcher-api"
+ samlCallbackEndpointUrl: ""
+ samlRedirectEndpointUrl: ""
+ samlIdentifierFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+ samlAcceptedClockSkewMs: 5000
+ samlCertificate: ""
+ samlPrivateKey: ""
+ samlSessionSecret: ""
+
 image:
 repository: trackerforce/switcher-api
 pullPolicy: IfNotPresent
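Review bot: `resourceSecret: "admin"` makes a fixed, publicly documented credential the chart default, here for `api.env` and again for `resolver.env` in the next hunk; because templates/api/secret.yaml falls back to `default "admin"` (visible as context in that hunk), an operator who blanks the value still ends up with it. Prefer shipping `resourceSecret: ""` with `# Must be overridden; the API secret template falls back to "admin" when this is empty`, or better, switch that template to `required` so `helm install` fails until a real value is supplied. The SAML key material (`samlCertificate`, `samlPrivateKey`, `samlSessionSecret`) is rightly left empty; a one-line comment that these are expected Base64 encoded (as the README rows in this commit say) and should come from `--set` or an external secret rather than a committed values file would complete the section.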
@@ -63,8 +94,15 @@ resolver:
 
 env:
 mongoUri: mongodb://db-mongodb.switcherapi.svc.cluster.local:27017/switcher-api
+ resourceSecret: "admin"
 switcherApiLogger: true
 metricsActivated: true
+ relayBypassHttps: false
+ relayBypassVerification: false
+ regexMaxTimeout: 3000
+ regexMaxBlacklist: 50
+ maxRequestPerMinute: 0
+ jwtClientTokenExpTime: "5m"
 
 # Enable SSL (tls.crt and tls.key)
 sslSecretName: ""
@@ -120,9 +158,14 @@ management:
 
 env:
 allowHomeView: false
+ allowInternalAuth: true
+ allowSamlAuth: false
 switcherApiUrl: "http://localhost:3000"
 switcherManagementUrl: "http://localhost:8080"
 switcherSlackUrl: "http://localhost:5000"
+ googleRecaptcha: ""
+ githubClientId: ""
+ bitbucketClientId: ""
 
 image:
 repository: trackerforce/switcher-management
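Review bot: `maxRequestPerMinute: 0` for the resolver differs from the `1000` given to `api.env` in the previous hunk and carries no explanation; if 0 disables the per-minute limit (the name suggests it, nothing on the page confirms it), that is a security-relevant default worth stating in place, e.g. `maxRequestPerMinute: 0  # 0 = no per-minute request limit (confirm against the resolver's docs)`. The same applies to `regexMaxTimeout: 3000` and `regexMaxBlacklist: 50`, whose units and meaning are not covered by the README hunks of this commit.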