From 76cb313006bb424dbc7ecde2963bc6fa81a71cb4 Mon Sep 17 00:00:00 2001
From: Christian Bandowski
Date: Thu, 16 May 2024 14:05:01 +0200
Subject: [PATCH] Added OAuth 2.0 support to Helm chart v2

---
 charts/dremio_v2/config/dremio.conf |  5 ++++
 charts/dremio_v2/config/oauth.json  | 11 +++++++++
 charts/dremio_v2/values.yaml        | 37 +++++++++++++++++++++++++++++
 3 files changed, 53 insertions(+)
 create mode 100644 charts/dremio_v2/config/oauth.json

diff --git a/charts/dremio_v2/config/dremio.conf b/charts/dremio_v2/config/dremio.conf
index 22a2c201..473faa37 100644
--- a/charts/dremio_v2/config/dremio.conf
+++ b/charts/dremio_v2/config/dremio.conf
@@ -102,3 +102,8 @@ services.flight.ssl.enabled: true
 services.flight.ssl.auto-certificate.enabled: false
 services.flight.ssl.keyStore: "/opt/dremio/tls/flight.pkcs12"
 {{- end }}
+
+{{- if $.Values.coordinator.web.oauth.enabled }}
+services.coordinator.web.auth.type: "oauth"
+services.coordinator.web.auth.config: "/opt/dremio/conf/oauth.json"
+{{- end }}
diff --git a/charts/dremio_v2/config/oauth.json b/charts/dremio_v2/config/oauth.json
new file mode 100644
index 00000000..65ffe748
--- /dev/null
+++ b/charts/dremio_v2/config/oauth.json
@@ -0,0 +1,11 @@
+{{- if $.Values.coordinator.web.oauth.enabled }}
+{
+  "clientId": {{ required "OAuth 2.0 Client ID required" $.Values.coordinator.web.oauth.clientId | quote }},
+  "clientSecret": {{ required "OAuth 2.0 Client Secret required" $.Values.coordinator.web.oauth.clientSecret | quote }},
+  "redirectUrl": {{ required "OAuth 2.0 Redirect URL required" $.Values.coordinator.web.oauth.redirectUrl | quote }},
+  "authorityUrl": {{ required "OAuth 2.0 Authority URL required" $.Values.coordinator.web.oauth.authorityUrl | quote }},
+  "scope": {{ required "OAuth 2.0 Scopes required" $.Values.coordinator.web.oauth.scope | join " " | quote }},
+  "jwtClaims": {{ $.Values.coordinator.web.oauth.jwtClaims | default dict | toJson }},
+  "parameters": {{ $.Values.coordinator.web.oauth.parameters | default list | toJson }}
+}
+{{- end }}
\ No newline at end of file
diff --git a/charts/dremio_v2/values.yaml b/charts/dremio_v2/values.yaml
index acb0a740..b109716a 100644
--- a/charts/dremio_v2/values.yaml
+++ b/charts/dremio_v2/values.yaml
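Review bot: The OAuth client secret is rendered in clear text into oauth.json at the `"clientSecret"` line; this file sits under `config/` next to the other chart config files, and if it is packaged the same way (the ConfigMap/volume template that mounts `/opt/dremio/conf` is outside this diff) the secret becomes readable to anyone with ConfigMap read access in the namespace, in addition to living in clear text in whatever values file sets it. Consider an `existingSecret` value that supplies the secret (or a pre-built oauth.json) from a Kubernetes Secret mounted at the configured path, and documenting that the plain Helm value is meant for the encrypted `dremio-admin encrypt` form or for CI-injected values. Separately, the string fields are emitted with `quote`, which is Go `%q` escaping rather than JSON escaping, while the map and list fields already use `toJson`; `"clientSecret": {{ required "OAuth 2.0 Client Secret required" $.Values.coordinator.web.oauth.clientSecret | toJson }},` (and likewise for the other string fields) keeps a secret containing control or non-ASCII characters valid JSON.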
@@ -104,6 +104,43 @@ coordinator:
       # To create a TLS secret, use the following command:
       # kubectl create secret tls ${TLS_SECRET_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}
       secret: dremio-tls-secret-ui
+
+    oauth:
+      # To enable OAuth 2.0 for the web UI, set the enabled flag to true and provide
+      # the following required information
+      enabled: false
+
+      # required, it is based on the OpenID provider.
+      #clientId: ""
+
+      # required, it is based on the OpenID provider.
+      # NOTE: In Dremio 24+, clientSecret can be encrypted using the dremio-admin encrypt CLI command.
+      #clientSecret: ""
+
+      # required, the URL where Dremio is hosted. The URL must match the redirect url set in the OpenID Provider.
+      # typically ends with /sso (e. g. https:///sso)
+      #redirectUrl: ""
+
+      # required, the location where Dremio can find the OpenID discovery document. For example, Google’s location
+      # is https://accounts.google.com/.well-known/openid-configuration and the authorityUrl therefore to use is
+      # https://accounts.google.com, the base location of the well-known directory.
+      #authorityUrl: ""
+
+      # optional, it is based on the OpenID provider. openid scope is always required, other scopes can vary by provider.
+      # defaults to openid
+      scope:
+        - openid
+
+      # optional, maps fields from the JWT token to fields Dremio requires. The only field currently required
+      # is userName, which you should set to the field in JWT that contains the user’s username.
+      # defaults to using the email as the userName
+      jwtClaims:
+        userName: email
+
+      # optional, any additional parameters required by the OpenID providers.
+      #parameters:
+      #- name: access_type
+      #  value: offline

   # ODBC/JDBC Client
   client:
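Review bot: The `redirectUrl` example reads `https:///sso` — the host placeholder appears to have been lost (probably angle brackets stripped), so the comment should read something like `# typically ends with /sso (e. g. https://dremio.example.com/sso)`. The `jwtClaims` default of `userName: email` deserves a caveat in its comment: an email claim is only a safe account identifier if the provider verifies it, otherwise a user who can set an arbitrary email at the IdP may be mapped onto another Dremio user; suggest adding `# use a claim the provider guarantees is unique and verified (a verified email or sub); an unverified email claim can let one IdP user log in as another`. The `clientSecret` comment should also warn that the value is rendered into the chart's configuration files and must not be committed in a values file in clear text — supply it via `--set`, a secrets-managed values file, or the encrypted form the NOTE already mentions.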