feat(deployment): run development mode with dex (#1155)

Signed-off-by: Miguel <[email protected]>

app/controlplane/configs/config.devel.yaml

@@ -56,7 +56,6 @@ data:
 auth:
   oidc:
     domain: "http://0.0.0.0:5556/dex"
-    redirect_url_scheme: "http"
     client_id: "chainloop-dev"
     client_secret: "ZXhhbXBsZS1hcHAtc2VjcmV0"
 

app/controlplane/configs/samples/config.yaml

@@ -7,7 +7,6 @@ server:
 auth:
   # Development credentials for the SSO authentication roundtrip
   oauth:
-    redirect_url_scheme: "http"
     client_id: MYID
     client_secret: SECRET
   # HMAC key used to sign the JWTs generated by the controlplane

app/controlplane/internal/conf/controlplane/config/v1/conf.proto

@@ -18,8 +18,8 @@ syntax = "proto3";
 package controlplane.config.v1;
 
 import "buf/validate/validate.proto";
-import "credentials/v1/config.proto";
 import "controlplane/config/v1/config.proto";
+import "credentials/v1/config.proto";
 import "google/protobuf/duration.proto";
 
 option go_package = "github.com/chainloop-dev/chainloop/app/controlplane/internal/conf/controlplane/config/v1;conf";
@@ -125,7 +125,6 @@ message Auth {
     string domain = 1;
     string client_id = 2;
     string client_secret = 3;
-    string redirect_url_scheme = 4;
     // Optional login URL that will be used by the CLI to start the OIDC flow
     // If not provided, it will default to [controlplane domain]/login
     string login_url_override = 5;

deployment/chainloop/Chart.yaml

@@ -7,7 +7,7 @@ description: Chainloop is an open source software supply chain control plane, a
 
 type: application
 # Bump the patch (not minor, not major) version on each change in the Chart Source code
-version: 1.83.0
+version: 1.83.1
 # Do not update appVersion, this is handled automatically by the release process
 appVersion: v0.95.0
 

deployment/chainloop/README.md

@@ -22,11 +22,7 @@ Compatibility with the following Ingress Controllers has been verified, other co
 Deploy Chainloop in [development mode](#development) by running
 
 ```console
-helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
-    --set development=true \
-    --set controlplane.auth.oidc.url=[OIDC URL] \
-    --set controlplane.auth.oidc.clientID=[clientID] \
-    --set controlplane.auth.oidc.clientSecret=[clientSecret]
+helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop --set development=true
 ```
 
 > **CAUTION**: Do not use this mode in production, for that, use the [standard mode](#standard-default) instead.
@@ -152,25 +148,16 @@ The Helm Chart in this mode includes
 - Chainloop [Artifact proxy](https://github.com/chainloop-dev/chainloop/tree/main/app/artifact-cas)
 - A PostgreSQL dependency enabled by default
 - **A pre-configured Hashicorp Vault instance running in development mode (unsealed, in-memory, insecure)**
+- **A pre-configured Dex OIDC instance. You can find pre-setup usernames in values.yaml file**
 
 > **CAUTION**: Do not use this mode in production, for that, use the [standard mode](#standard-default) instead.
 
-During installation, you'll need to provide
-
-- Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information)
-- ~~Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)~~
-- ~~ECDSA (ES512) key-pair used for Controlplane to CAS Authentication~~
-
 #### Installation examples for development mode
 
 Deploy by leveraging built-in Vault and PostgreSQL instances
 
 ```console
-helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
-    --set development=true \
-    --set controlplane.auth.oidc.url=[OIDC URL] \
-    --set controlplane.auth.oidc.clientID=[clientID] \
-    --set controlplane.auth.oidc.clientSecret=[clientSecret]
+helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop --set development=true
 ```
 
 ## AirGap and Relocation Support

deployment/chainloop/templates/_helpers.tpl

@@ -170,6 +170,31 @@ Selector labels
 app.kubernetes.io/component: controlplane
 {{- end }}
 
+{{/*
+OIDC settings, will fallback to development settings if needed
+*/}}
+{{- define "controlplane.oidc_settings" -}}
+  {{- if .Values.development }}
+    {{- with .Values.controlplane.auth }}
+    domain: "{{ coalesce .oidc.url "http://chainloop-dex:5556/dex" }}"
+    clientID: "{{ coalesce .oidc.clientID "chainloop-dev" }}"
+    clientSecret: "{{ coalesce .oidc.clientSecret "ZXhhbXBsZS1hcHAtc2VjcmV0" }}"
+    {{- if .oidc.loginURLOverride }}
+    login_url_override: "{{ .oidc.loginURLOverride }}"
+    {{- end }}
+    {{- end }}
+  {{- else }}
+    {{- with .Values.controlplane.auth }}
+    domain: "{{ required "oidc URL endpoint required" .oidc.url }}"
+    client_id: "{{ required "oidc clientID required" .oidc.clientID }}"
+    client_secret: "{{ required "oidc clientSecret required" .oidc.clientSecret }}"
+    {{- if .oidc.loginURLOverride }}
+    login_url_override: "{{ .oidc.loginURLOverride }}"
+    {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
 {{/*
 Create the name of the service account to use
 */}}

deployment/chainloop/templates/controlplane/config.secret.yaml

@@ -55,16 +55,7 @@ stringData:
     credentials_service: {{- include "chainloop.credentials_service_settings" . | indent 6 }}
 
     auth:
-      oidc:
-        {{- with .Values.controlplane.auth }}
-        redirect_url_scheme: {{ .redirectURLScheme }}
-        domain: "{{ required "oidc URL endpoint required" .oidc.url }}"
-        client_id: "{{ required "oidc clientID required" .oidc.clientID }}"
-        client_secret: "{{ required "oidc clientSecret required" .oidc.clientSecret }}"
-        {{- if .oidc.loginURLOverride }}
-        login_url_override: "{{ .oidc.loginURLOverride }}"
-        {{- end }}
-        {{- end }}
+      oidc: {{- include "controlplane.oidc_settings" . | indent 4 }}
 
       # HMAC key used to sign the JWTs generated by the controlplane
       # The helper returns the base64 quoted value of the secret