From 7b39a8ac270c9054a79ea0997c5b25c0031db3f7 Mon Sep 17 00:00:00 2001
From: petruki <31597636+petruki@users.noreply.github.com>
Date: Sun, 14 Sep 2025 16:50:13 -0700
Subject: [PATCH 1/2] Added SAML settings for switcher-api chart
---
 charts/switcher-api/Chart.yaml | 2 +-
 charts/switcher-api/README.md | 9 ++
 .../switcher-api/templates/api/configmap.yaml | 10 ++
 charts/switcher-api/templates/api/secret.yaml | 11 ++
 charts/switcher-api/values.schema.json | 102 ++++++++++++++++++
 charts/switcher-api/values.yaml | 41 +++++++
 6 files changed, 174 insertions(+), 1 deletion(-)
diff --git a/charts/switcher-api/Chart.yaml b/charts/switcher-api/Chart.yaml
index bad5245..a3e4832 100644
--- a/charts/switcher-api/Chart.yaml
+++ b/charts/switcher-api/Chart.yaml
@@ -9,5 +9,5 @@ maintainers:
 url: https://github.com/petruki
 type: application
-version: 1.3.4
+version: 1.3.5
 appVersion: "latest"
diff --git a/charts/switcher-api/README.md b/charts/switcher-api/README.md
index 2da762a..f85bdc8 100644
--- a/charts/switcher-api/README.md
+++ b/charts/switcher-api/README.md
@@ -54,6 +54,15 @@ helm uninstall switcherapi --namespace switcherapi
 | `api.env.switcherSlackJwtSecret` | Switcher Slack Secret | `` |
 | `api.env.switcherGitOpsJwtSecret` | Switcher GitOps Secret | `` |
 | `api.env.switcherGitOpsUrl` | Switcher GitOps URL | `` |
+| `api.env.samlEntryPoint` | SAML Entry Point URL | `` |
+| `api.env.samlIssuer` | SAML Issuer | `` |
+| `api.env.samlCertificate` | SAML Certificate (Base64 encoded) | `` |
+| `api.env.samlPrivateKey` | SAML Private Key (Base64 encoded) | `` |
+| `api.env.samlSessionSecret` | SAML Session Secret (Base64 encoded) | `` |
+| `api.env.samlCallbackEndpointUrl` | SAML Callback Endpoint URL | `` |
+| `api.env.samlRedirectEndpointUrl` | SAML Redirect Endpoint URL | `` |
+| `api.env.samlIdentifierFormat` | SAML Identifier Format | `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` |
+| `api.env.samlAcceptedClockSkewMs` | SAML Accepted Clock Skew in ms | 5000 |
 ### Resolver API parameters
diff --git a/charts/switcher-api/templates/api/configmap.yaml b/charts/switcher-api/templates/api/configmap.yaml
index 6c6bece..26b744e 100644
--- a/charts/switcher-api/templates/api/configmap.yaml
+++ b/charts/switcher-api/templates/api/configmap.yaml
@@ -32,5 +32,15 @@ data:
 GIT_OAUTH_CLIENT_ID: {{ .Values.api.env.githubClientId | quote }}
 {{- end -}}
+ # SAML Integration
+ {{- if and .Values.api.env.samlEntryPoint .Values.api.env.samlCallbackEndpointUrl -}}
+ SAML_ENTRY_POINT: {{ .Values.api.env.samlEntryPoint | quote }}
+ SAML_ISSUER: {{ .Values.api.env.samlIssuer | quote }}
+ SAML_CALLBACK_ENDPOINT_URL: {{ .Values.api.env.samlCallbackEndpointUrl | quote }}
+ SAML_REDIRECT_ENDPOINT_URL: {{ .Values.api.env.samlRedirectEndpointUrl | quote }}
+ SAML_IDENTIFIER_FORMAT: {{ .Values.api.env.samlIdentifierFormat | quote }}
+ SAML_ACCEPTED_CLOCK_SKEW_MS: {{ default 5000 .Values.api.env.samlAcceptedClockSkewMs | quote }}
+ {{- end -}}
+
 # Switcher GitOps
 SWITCHER_GITOPS_URL: {{ .Values.api.env.switcherGitOpsUrl | quote }}
\ No newline at end of file
diff --git a/charts/switcher-api/templates/api/secret.yaml b/charts/switcher-api/templates/api/secret.yaml
index e91d240..0fb84bc 100644
--- a/charts/switcher-api/templates/api/secret.yaml
+++ b/charts/switcher-api/templates/api/secret.yaml
@@ -28,4 +28,15 @@ data:
 {{- end -}}
 {{- if .Values.api.env.switcherGitOpsJwtSecret -}}
 SWITCHER_GITOPS_JWT_SECRET: {{ .Values.api.env.switcherGitOpsJwtSecret | b64enc | quote }}
+ {{- end -}}
+
+ # SAML Integration
+ {{- if and .Values.api.env.samlCertificate -}}
+ SAML_CERT: {{ .Values.api.env.samlCertificate | b64enc | quote }}
+ {{- end -}}
+ {{- if and .Values.api.env.samlPrivateKey -}}
+ SAML_PRIVATE_KEY: {{ .Values.api.env.samlPrivateKey | b64enc | quote }}
+ {{- end -}}
+ {{- if and .Values.api.env.samlSessionSecret -}}
+ SESSION_SECRET: {{ .Values.api.env.samlSessionSecret | b64enc | quote }}
 {{- end -}}
\ No newline at end of file
diff --git a/charts/switcher-api/values.schema.json b/charts/switcher-api/values.schema.json
index 96951da..8027096 100644
--- a/charts/switcher-api/values.schema.json
+++ b/charts/switcher-api/values.schema.json
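Review bot: The SAML guard `{{- if and .Values.api.env.samlEntryPoint .Values.api.env.samlCallbackEndpointUrl -}}` does not include the IdP certificate, which the Secret template emits independently, so a release can carry `SAML_ENTRY_POINT` with no `SAML_CERT` and presumably nothing for the API to validate assertion signatures against. Extending the condition, `{{- if and .Values.api.env.samlEntryPoint .Values.api.env.samlCallbackEndpointUrl .Values.api.env.samlCertificate }}`, or making the certificate `required` in secret.yaml whenever the entry point is set, turns that into an install-time error. A smaller point on `SAML_ACCEPTED_CLOCK_SKEW_MS`: Helm's `default` treats `0` as empty, so `samlAcceptedClockSkewMs: 0` silently renders 5000; with 5000 already the default in values.yaml, `{{ .Values.api.env.samlAcceptedClockSkewMs | quote }}` would honour an explicit zero. The same lines reappear as context in the configmap hunk of PATCH 2/2 at `@@ -25,22 +25,22 @@`, which only changes the `-}}` trimming.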
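Review bot: `SAML_CERT`, `SAML_PRIVATE_KEY` and `SESSION_SECRET` are passed through `b64enc` here, yet the README rows added in this patch describe `samlCertificate`, `samlPrivateKey` and `samlSessionSecret` as "Base64 encoded", so an operator who follows the README ends up with a doubly encoded value in the Secret. Either the README should say the raw PEM/secret is expected, or, if the API really consumes a base64 string, a line such as `# values are base64-encoded once more by b64enc; the API decodes only the Secret layer` above the block would spare the next maintainer the guess — which one applies is not visible from the chart. Separately, `samlSessionSecret` defaults to `""`, so SAML can be enabled (entry point plus callback) with `SESSION_SECRET` never emitted; guarding it with `required` when `samlEntryPoint` is set would keep the two in step.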
@@ -40,9 +40,81 @@
 "mongoUri": {
 "type": "string"
 },
+ "resourceSecret": {
+ "type": "string"
+ },
 "permissionCacheActivated": {
 "type": "boolean"
 },
+ "metricsMaxPage": {
+ "type": "integer"
+ },
+ "strategyMaxOperation": {
+ "type": "integer"
+ },
+ "relayBypassHttps": {
+ "type": "boolean"
+ },
+ "relayBypassVerification": {
+ "type": "boolean"
+ },
+ "maxRequestPerMinute": {
+ "type": "integer"
+ },
+ "jwtAdminTokenRenewInterval": {
+ "type": "string"
+ },
+ "googleRecaptchaSecret": {
+ "type": "string"
+ },
+ "switcherSlackJwtSecret": {
+ "type": "string"
+ },
+ "switcherGitOpsJwtSecret": {
+ "type": "string"
+ },
+ "switcherGitOpsUrl": {
+ "type": "string"
+ },
+ "bitbucketClientId": {
+ "type": "string"
+ },
+ "bitbucketClientSecret": {
+ "type": "string"
+ },
+ "githubClientId": {
+ "type": "string"
+ },
+ "githubClientSecret": {
+ "type": "string"
+ },
+ "samlEntryPoint": {
+ "type": "string"
+ },
+ "samlIssuer": {
+ "type": "string"
+ },
+ "samlCallbackEndpointUrl": {
+ "type": "string"
+ },
+ "samlRedirectEndpointUrl": {
+ "type": "string"
+ },
+ "samlIdentifierFormat": {
+ "type": "string"
+ },
+ "samlAcceptedClockSkewMs": {
+ "type": "integer"
+ },
+ "samlCertificate": {
+ "type": "string"
+ },
+ "samlPrivateKey": {
+ "type": "string"
+ },
+ "samlSessionSecret": {
+ "type": "string"
+ },
 "sslSecretName": {
 "type": "string"
 },
@@ -158,6 +230,15 @@
 },
 "switcherSlackUrl": {
 "type": "string"
+ },
+ "googleRecaptcha": {
+ "type": "string"
+ },
+ "githubClientId": {
+ "type": "string"
+ },
+ "githubClientSecret": {
+ "type": "string"
 }
 }
 },
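Review bot: In the second hunk (`@@ -158,6 +230,15 @@`) the management `env` schema gains `githubClientSecret`, but the management values added in this patch (values.yaml, `@@ -123,6 +161,9 @@`) are `googleRecaptcha`, `githubClientId` and `bitbucketClientId`; a client secret appears to have been copied over from the api section, while `bitbucketClientId` is left undeclared. Replace the entry with `"bitbucketClientId": {` / `"type": "string"` / `},`. Whether the schema sets `additionalProperties: false` is outside this hunk; if it does, the chart's own defaults would fail validation.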
@@ -269,11 +350,32 @@
 "mongoUri": {
 "type": "string"
 },
+ "resourceSecret": {
+ "type": "string"
+ },
 "sslSecretName": {
 "type": "string"
 },
 "switcherApiLogger": {
 "type": "boolean"
+ },
+ "relayBypassHttps": {
+ "type": "boolean"
+ },
+ "relayBypassVerification": {
+ "type": "boolean"
+ },
+ "regexMaxTimeout": {
+ "type": "integer"
+ },
+ "regexMaxBlacklist": {
+ "type": "integer"
+ },
+ "maxRequestPerMinute": {
+ "type": "integer"
+ },
+ "jwtClientTokenExpTime": {
+ "type": "string"
 }
 }
 },
diff --git a/charts/switcher-api/values.yaml b/charts/switcher-api/values.yaml
index fa332a3..a148986 100644
--- a/charts/switcher-api/values.yaml
+++ b/charts/switcher-api/values.yaml
@@ -3,16 +3,47 @@ api:
 port: 3000
 env:
+ # Main Configuration
 mongoUri: mongodb://db-mongodb.switcherapi.svc.cluster.local:27017/switcher-api
+ resourceSecret: "admin"
 switcherApiLogger: true
 historyActivated: true
 metricsActivated: true
 permissionCacheActivated: true
 googleSkipAuth: true
+ metricsMaxPage: 50
+ strategyMaxOperation: 100
+ relayBypassHttps: false
+ relayBypassVerification: false
+ maxRequestPerMinute: 1000
+ jwtAdminTokenRenewInterval: "5m"
+ switcherGitOpsUrl: ""
+
+ # Platform/Services Integration
+ googleRecaptchaSecret: ""
+ switcherSlackJwtSecret: ""
+ switcherGitOpsJwtSecret: ""
 # Enable SSL (tls.crt and tls.key)
 sslSecretName: ""
+ # GitHub/Bitbucket OAuth
+ bitbucketClientId: ""
+ bitbucketClientSecret: ""
+ githubClientId: ""
+ githubClientSecret: ""
+
+ # SAML Integration
+ samlEntryPoint: ""
+ samlIssuer: "switcher-api"
+ samlCallbackEndpointUrl: ""
+ samlRedirectEndpointUrl: ""
+ samlIdentifierFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+ samlAcceptedClockSkewMs: 5000
+ samlCertificate: ""
+ samlPrivateKey: ""
+ samlSessionSecret: ""
+
 image:
 repository: trackerforce/switcher-api
 pullPolicy: IfNotPresent
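Review bot: `resourceSecret: "admin"` ships a known credential-like default: the value lands in the api Secret as `RESOURCE_SECRET` (the template falls back to `default "admin"` as well), and the resolver gets the same default in the next hunk (`@@ -63,8 +94,15 @@`), so a chart installed without overriding it runs with a secret anyone reading the chart knows. Prefer `resourceSecret: ""` in values.yaml together with `{{ required "api.env.resourceSecret must be set" .Values.api.env.resourceSecret | b64enc | quote }}` in secret.yaml (that line is context in PATCH 2/2's secret hunk, not part of this change), so `helm install` fails instead of deploying the default. The README rows added in this PR do not document `resourceSecret`; if no existing row covers it, one marking it as required would complete the change.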
@@ -63,8 +94,15 @@ resolver:
 env:
 mongoUri: mongodb://db-mongodb.switcherapi.svc.cluster.local:27017/switcher-api
+ resourceSecret: "admin"
 switcherApiLogger: true
 metricsActivated: true
+ relayBypassHttps: false
+ relayBypassVerification: false
+ regexMaxTimeout: 3000
+ regexMaxBlacklist: 50
+ maxRequestPerMinute: 0
+ jwtClientTokenExpTime: "5m"
 # Enable SSL (tls.crt and tls.key)
 sslSecretName: ""
@@ -123,6 +161,9 @@ management:
 switcherApiUrl: "http://localhost:3000"
 switcherManagementUrl: "http://localhost:8080"
 switcherSlackUrl: "http://localhost:5000"
+ googleRecaptcha: ""
+ githubClientId: ""
+ bitbucketClientId: ""
 image:
 repository: trackerforce/switcher-management
From e04af1a85172c34af52663784d9a7bcb5088a5e7 Mon Sep 17 00:00:00 2001
From: petruki <31597636+petruki@users.noreply.github.com>
Date: Sun, 14 Sep 2025 18:17:51 -0700
Subject: [PATCH 2/2] Added manager settings for SAML auth, fixed CM, secrets
---
 charts/switcher-api/README.md | 14 ++++++++
 .../switcher-api/templates/api/configmap.yaml | 14 ++++----
 charts/switcher-api/templates/api/secret.yaml | 32 +++++++++----------
 .../templates/manager/configmap.yaml | 2 ++
 .../templates/resolver/configmap.yaml | 2 +-
 charts/switcher-api/values.schema.json | 6 ++++
 charts/switcher-api/values.yaml | 2 ++
 7 files changed, 48 insertions(+), 24 deletions(-)
diff --git a/charts/switcher-api/README.md b/charts/switcher-api/README.md
index f85bdc8..0895d1a 100644
--- a/charts/switcher-api/README.md
+++ b/charts/switcher-api/README.md
@@ -98,6 +98,8 @@ helm uninstall switcherapi --namespace switcherapi
 | `management.env.switcherManagementUrl`| Management callback URL | `http://localhost:8080` |
 | `management.env.switcherSlackUrl` | Switcher Slack App URL | `http://localhost:5000` |
 | `management.env.allowHomeView` | Allow Home View | false |
+| `management.env.allowInternalAuth` | Allow Internal Authentication (email/password) | true |
+| `management.env.allowSamlAuth` | Allow SAML Authentication | false |
 | `management.env.googleRecaptcha` | Google ReCaptcha Public Key | `` |
 | `management.env.bitbucketClientId` | Bitbucket Client Id | `` |
 | `management.env.githubClientId` | GitHub Client Id | `` |
@@ -117,4 +119,16 @@ helm install -f charts/switcher-api/values.yaml switcherapi ./charts/switcher-ap
 --set api.env.sslSecretName="[CHANGE_ME]" \
 --set management.env.switcherApiUrl="https://localhost:3000" \
 --set management.env.switcherManagementUrl="https://localhost:8080"
+```
+
+ SAML Enabled
+```console
+helm install -f charts/switcher-api/values.yaml switcherapi ./charts/switcher-api/ \
+ --namespace=switcherapi --create-namespace \
+ --set management.env.allowSamlAuth=true \
+ --set api.env.samlEntryPoint="https://" \
+ --set api.env.samlCertificate="[BASE64_ENCODED_CERTIFICATE]" \
+ --set api.env.samlSessionSecret="[BASE64_ENCODED_SESSION_SECRET]" \
+ --set api.env.samlCallbackEndpointUrl="http://localhost:3000" \
+ --set api.env.samlRedirectEndpointUrl="http://localhost:8080"
 ```
\ No newline at end of file
diff --git a/charts/switcher-api/templates/api/configmap.yaml b/charts/switcher-api/templates/api/configmap.yaml
index 26b744e..e3f30c4 100644
--- a/charts/switcher-api/templates/api/configmap.yaml
+++ b/charts/switcher-api/templates/api/configmap.yaml
@@ -10,7 +10,7 @@ data:
 {{- if .Values.api.env.sslSecretName }}
 SSL_CERT: "/etc/certs/tls.crt"
 SSL_KEY: "/etc/certs/tls.key"
- {{- end -}}
+ {{- end }}
 # Global settings
 SWITCHER_API_LOGGER: {{ .Values.api.env.switcherApiLogger | quote }}
@@ -25,22 +25,22 @@ data:
 JWT_ADMIN_TOKEN_RENEW_INTERVAL: {{ default "5m" .Values.api.env.jwtAdminTokenRenewInterval | quote }}
 # Auth Integration
- {{- if and .Values.api.env.bitbucketClientId .Values.api.env.bitbucketClientSecret -}}
+ {{- if and .Values.api.env.bitbucketClientId .Values.api.env.bitbucketClientSecret }}
 BITBUCKET_OAUTH_CLIENT_ID: {{ .Values.api.env.bitbucketClientId | quote }}
- {{- end -}}
- {{- if and .Values.api.env.githubClientId .Values.api.env.githubClientSecret -}}
+ {{- end }}
+ {{- if and .Values.api.env.githubClientId .Values.api.env.githubClientSecret }}
 GIT_OAUTH_CLIENT_ID: {{ .Values.api.env.githubClientId | quote }}
- {{- end -}}
+ {{- end }}
 # SAML Integration
- {{- if and .Values.api.env.samlEntryPoint .Values.api.env.samlCallbackEndpointUrl -}}
+ {{- if and .Values.api.env.samlEntryPoint .Values.api.env.samlCallbackEndpointUrl }}
 SAML_ENTRY_POINT: {{ .Values.api.env.samlEntryPoint | quote }}
 SAML_ISSUER: {{ .Values.api.env.samlIssuer | quote }}
 SAML_CALLBACK_ENDPOINT_URL: {{ .Values.api.env.samlCallbackEndpointUrl | quote }}
 SAML_REDIRECT_ENDPOINT_URL: {{ .Values.api.env.samlRedirectEndpointUrl | quote }}
 SAML_IDENTIFIER_FORMAT: {{ .Values.api.env.samlIdentifierFormat | quote }}
 SAML_ACCEPTED_CLOCK_SKEW_MS: {{ default 5000 .Values.api.env.samlAcceptedClockSkewMs | quote }}
- {{- end -}}
+ {{- end }}
 # Switcher GitOps
 SWITCHER_GITOPS_URL: {{ .Values.api.env.switcherGitOpsUrl | quote }}
\ No newline at end of file
diff --git a/charts/switcher-api/templates/api/secret.yaml b/charts/switcher-api/templates/api/secret.yaml
index 0fb84bc..fafbd17 100644
--- a/charts/switcher-api/templates/api/secret.yaml
+++ b/charts/switcher-api/templates/api/secret.yaml
@@ -12,31 +12,31 @@ data:
 RESOURCE_SECRET: {{ default "admin" .Values.api.env.resourceSecret | b64enc | quote }}
 # Auth Integration
- {{- if and .Values.api.env.bitbucketClientId .Values.api.env.bitbucketClientSecret -}}
+ {{- if and .Values.api.env.bitbucketClientId .Values.api.env.bitbucketClientSecret }}
 BITBUCKET_OAUTH_SECRET: {{ .Values.api.env.bitbucketClientSecret | b64enc | quote }}
- {{- end -}}
- {{- if and .Values.api.env.githubClientId .Values.api.env.githubClientSecret -}}
+ {{- end }}
+ {{- if and .Values.api.env.githubClientId .Values.api.env.githubClientSecret }}
 GIT_OAUTH_SECRET: {{ .Values.api.env.githubClientSecret | b64enc | quote }}
- {{- end -}}
+ {{- end }}
 # Platform/Services Integration
- {{- if .Values.api.env.googleRecaptchaSecret -}}
+ {{- if .Values.api.env.googleRecaptchaSecret }}
 GOOGLE_RECAPTCHA_SECRET: {{ .Values.api.env.googleRecaptchaSecret | b64enc | quote }}
- {{- end -}}
- {{- if .Values.api.env.switcherSlackJwtSecret -}}
+ {{- end }}
+ {{- if .Values.api.env.switcherSlackJwtSecret }}
 SWITCHER_SLACK_JWT_SECRET: {{ .Values.api.env.switcherSlackJwtSecret | b64enc | quote }}
- {{- end -}}
- {{- if .Values.api.env.switcherGitOpsJwtSecret -}}
+ {{- end }}
+ {{- if .Values.api.env.switcherGitOpsJwtSecret }}
 SWITCHER_GITOPS_JWT_SECRET: {{ .Values.api.env.switcherGitOpsJwtSecret | b64enc | quote }}
- {{- end -}}
+ {{- end }}
 # SAML Integration
- {{- if and .Values.api.env.samlCertificate -}}
+ {{- if .Values.api.env.samlCertificate }}
 SAML_CERT: {{ .Values.api.env.samlCertificate | b64enc | quote }}
- {{- end -}}
- {{- if and .Values.api.env.samlPrivateKey -}}
+ {{- end }}
+ {{- if .Values.api.env.samlPrivateKey }}
 SAML_PRIVATE_KEY: {{ .Values.api.env.samlPrivateKey | b64enc | quote }}
- {{- end -}}
- {{- if and .Values.api.env.samlSessionSecret -}}
+ {{- end }}
+ {{- if .Values.api.env.samlSessionSecret }}
 SESSION_SECRET: {{ .Values.api.env.samlSessionSecret | b64enc | quote }}
- {{- end -}}
\ No newline at end of file
+ {{- end }}
\ No newline at end of file
diff --git a/charts/switcher-api/templates/manager/configmap.yaml b/charts/switcher-api/templates/manager/configmap.yaml
index e480400..72e7694 100644
--- a/charts/switcher-api/templates/manager/configmap.yaml
+++ b/charts/switcher-api/templates/manager/configmap.yaml
@@ -7,6 +7,8 @@ metadata:
 {{- include "switcher-management.labels" . | nindent 4 }}
 data:
 ALLOW_HOME_VIEW: {{ .Values.management.env.allowHomeView | quote }}
+ ALLOW_INTERNAL_AUTH: {{ .Values.management.env.allowInternalAuth | quote }}
+ ALLOW_SAML_AUTH: {{ .Values.management.env.allowSamlAuth | quote }}
 SWITCHERAPI_URL: {{ .Values.management.env.switcherApiUrl }}
 SM_IP: {{ .Values.management.env.switcherManagementUrl }}
 GOOGLE_RECAPTCHA: {{ .Values.management.env.googleRecaptcha }}
diff --git a/charts/switcher-api/templates/resolver/configmap.yaml b/charts/switcher-api/templates/resolver/configmap.yaml
index 4b28711..1c43ccd 100644
--- a/charts/switcher-api/templates/resolver/configmap.yaml
+++ b/charts/switcher-api/templates/resolver/configmap.yaml
@@ -10,7 +10,7 @@ data:
 {{- if .Values.resolver.env.sslSecretName }}
 SSL_CERT: "/etc/certs/tls.crt"
 SSL_KEY: "/etc/certs/tls.key"
- {{- end -}}
+ {{- end }}
 # Global settings
 SWITCHER_API_LOGGER: {{ .Values.resolver.env.switcherApiLogger | quote }}
diff --git a/charts/switcher-api/values.schema.json b/charts/switcher-api/values.schema.json
index 8027096..d109de5 100644
--- a/charts/switcher-api/values.schema.json
+++ b/charts/switcher-api/values.schema.json
@@ -222,6 +222,12 @@
 "allowHomeView": {
 "type": "boolean"
 },
+ "allowInternalAuth": {
+ "type": "boolean"
+ },
+ "allowSamlAuth": {
+ "type": "boolean"
+ },
 "switcherApiUrl": {
 "type": "string"
 },
diff --git a/charts/switcher-api/values.yaml b/charts/switcher-api/values.yaml
index a148986..508d293 100644
--- a/charts/switcher-api/values.yaml
+++ b/charts/switcher-api/values.yaml
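Review bot: `ALLOW_SAML_AUTH` is rendered straight from `management.env.allowSamlAuth` with no tie to the api side, so `allowSamlAuth=true` with an empty `api.env.samlEntryPoint` produces a management UI that offers SAML against an API whose SAML block (api/configmap.yaml) was never emitted; presumably that only shows up as a login failure at runtime. A template guard makes it an install-time error: `{{- if and .Values.management.env.allowSamlAuth (not .Values.api.env.samlEntryPoint) }}{{ fail "management.env.allowSamlAuth=true requires api.env.samlEntryPoint" }}{{- end }}`. `allowInternalAuth: false` together with `allowSamlAuth: false` (values.yaml hunk at `@@ -158,6 +158,8 @@`) appears to leave no sign-in method enabled and could get the same treatment. The ConfigMap's `data:` block continues past the end of the hunk.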
@@ -158,6 +158,8 @@ management:
 env:
 allowHomeView: false
+ allowInternalAuth: true
+ allowSamlAuth: false
 switcherApiUrl: "http://localhost:3000"
 switcherManagementUrl: "http://localhost:8080"
 switcherSlackUrl: "http://localhost:5000"