k8s-ldap migration, init new repository

This commit includes:
* Repository migration
* `keycloak-proxy` replaced by `keycloak-gatekeeper`
* Add loginapp configuration in values.yaml
* Helm chart repository

.gitignore

@@ -0,0 +1 @@
+override.yaml

.helmignore

@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+override.yaml
+examples/
+LICENSE

Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+description: Helm chart to deploy OIDC stack for Kubernetes auth
+name: kube-oidc
+version: 1.0.0
+maintainers:
+  - email: [email protected]
+    name: fydrah
+keywords:
+  - kubernetes
+  - oidc
+  - openid
+  - keycloak
+  - loginapp

README.md

@@ -0,0 +1,43 @@
+# kube-oidc
+
+This chart deploys:
+* [dex](https://github.com/dexidp/dex): identity provider supporting multiple connectors (SAML, LDAP...)
+* [loginapp](https://github.com/fydrah/loginapp): web application for Kubernetes cli configuration with OIDC
+* [keycloak proxy](https://github.com/keycloak/keycloak-gatekeeper): OpenID / Keycloak proxy service (used for OIDC dashboard auth)
+
+## Install
+
+* From chart repository:
+
+```
+helm repo add fydrahcharts https://charts.fhardy.fr
+helm repo update
+```
+
+Override [default configuration](./values.yaml) with an `override.yaml` file.
+
+```
+helm install fydrahcharts/kube-oidc -f override.yaml
+```
+
+* From GitHub:
+
+```
+git clone https://github.com/ObjectifLibre/kube-oidc
+```
+
+Override [default configuration](./values.yaml) with an `override.yaml` file.
+
+```
+cd kube-oidc/
+helm install . -f override.yaml
+```
+
+## Configure
+
+See [values.yaml](./values.yaml).
+
+## Examples
+
+* [SAML configuration](./examples/SAML.md)
+* [Cross client configuration for k8s](./examples/cross-client.md)

examples/SAML.md

@@ -0,0 +1,53 @@
+# Example SAML config
+
+Since dex is a backend app that can support multiple [connectors](https://github.com/dexidp/dex/tree/master/Documentation/connectors), we can modify the chart in order to use SAML as the connector without modyfing the chart itself.
+
+## SAML configuration
+In most SAML Identity Providers (IP) we need to create a metadata file, which registers our application in the IP. This file can be created manually, or by the use of a UI, however the effect should be similar to this:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<ns3:EntityDescriptor xmlns:ns3="urn:oasis:names:tc:SAML:2.0:metadata" xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:ns2="http://www.w3.org/2001/04/xmlenc#" xmlns:ns4="urn:oasis:names:tc:SAML:2.0:assertion" ID="Sc56b5abe-07ea-471b-ac77-a956f170769e" entityID="dex.k8s.example.org">
+   <ns3:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+      <ns3:KeyDescriptor use="signing">
+         <KeyInfo>
+            <KeyName>dex.k8s.example.org</KeyName>
+            <X509Data>
+               <X509Certificate>IDENTITY_CERT</X509Certificate>
+            </X509Data>
+         </KeyInfo>
+      </ns3:KeyDescriptor>
+      <ns3:AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dex.k8s.example.org/dex/callback" />
+   </ns3:SPSSODescriptor>
+</ns3:EntityDescriptor>
+
+```
+
+## Dex configuration
+We only need to modify the connectors part of the configuration in order to change our backend:
+
+```yaml
+dex:
+  config:
+    connectors:
+      - type: saml
+        # Required field for connector id.
+        id: APP_ID
+        # Required field for connector name.
+        name: APP_NAME
+        config:
+          # entityId taken from the metadata
+          entityIssuer: dex.k8s.example.org
+          # URL to the POST endpoint of the SSO provider
+          ssoURL: YOUR_SSO_POST_ENDPOINT
+          # Base64 of the same cert we used in the metadata
+          caData: BASE64_IDENTITY_CERT
+          # POST endpoint of DEX
+          redirectURI: https://dex.k8s.example.org/dex/callback
+          # Parameter mapping, similar to LDAP
+          usernameAttr: name
+          emailAttr: email
+          groupsAttr: groups
+          groupsDelim: ", "
+          insecureSkipSignatureValidation: true
+```

examples/cross-client.md

@@ -0,0 +1,50 @@
+### Cross client configuration for k8s
+
+A Kubernetes cluster currently allows to setup only one IdP in the configuration.
+
+You will have to configure cross-client trust for loginapp and keycloack proxy.
+
+Full explaination about cross-client trust can be found [here](https://github.com/coreos/dex/blob/master/Documentation/custom-scopes-claims-clients.md#cross-client-trust-and-authorized-party)
+
+The configuration begins on Dex:
+```
+staticClients:
+    - id: cli
+      redirectURIs:
+      - 'https://logincli.example.org/callback/cli'
+      name: 'Login Application'
+      secret: SeCrEtKeyCLI
+    - id: login
+      redirectURIs:
+      - 'https://dashboard.example.org/oauth/callback'
+      name: 'Dashboard Application'
+      secret: SeCrEtKeyDashboard
+      trustedPeers:
+      - cli
+```
+
+Then you must configure Loginapp to use cross-client:
+```
+name: "Kubernetes Auth"
+listen: "0.0.0.0:8080"
+oidc:
+  client:
+    id: "cli"
+    secret: SeCrEtKeyCLI
+    redirect_url: "https://logincli.example.org/callback"
+  issuer:
+    root_ca: "/etc/ssl/ca.pem"
+    url: "https://dex.example.org/dex"
+  extra_scopes:
+    - groups
+  offline_as_scope: true
+  cross_clients:
+  - login
+tls:
+  enabled: false
+log:
+  level: Info
+  format: json
+```
+
+*cross_client: [login]* is the important field.

templates/NOTES.txt

@@ -0,0 +1,6 @@
+{{- if .Values.loginapp.ingress.enabled }}
+Login application URL accessible at :
+{{- range .Values.loginapp.ingress.hosts }}
+  http{{ if $.Values.loginapp.ingress.tls }}s{{ end }}://{{ . }}
+{{- end -}}
+{{- end -}}

templates/_helpers.tpl

@@ -0,0 +1,49 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "k8s-ldap.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "k8s-ldap.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- $fullname := printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- default $fullname .Values.fullNameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "k8s-ldap.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Dex fully qualified app name.
+*/}}
+{{- define "k8s-ldap.dex.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s-%s" .Release.Name $name .Values.dex.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Loginapp fully qualified app name.
+*/}}
+{{- define "k8s-ldap.loginapp.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s-%s" .Release.Name $name .Values.loginapp.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Keycloak fully qualified app name.
+*/}}
+{{- define "k8s-ldap.keycloakProxy.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s-%s" .Release.Name $name .Values.keycloakProxy.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

templates/ca-cm.yaml

@@ -0,0 +1,13 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  labels:
+    app: {{ template "k8s-ldap.name" . }}
+    chart: {{ template "k8s-ldap.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    component: {{ .Values.loginapp.name }}
+  name: {{ .Release.Name }}-ca
+data:
+  ca.pem: |
+{{ .Values.loginapp.issuerCA | indent 4 }}

templates/dex-cm.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.dex.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app: {{ template "k8s-ldap.name" . }}
+    chart: {{ template "k8s-ldap.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    component: {{ .Values.dex.name }}
+  name: {{ template "k8s-ldap.dex.fullname" . }}
+data:
+  config.yaml: |
+{{ toYaml .Values.dex.config | indent 4 }}
+{{- end -}}

templates/dex-cr.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.dex.enabled -}}
+{{- if .Values.dex.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    app: {{ template "k8s-ldap.name" . }}
+    chart: {{ template "k8s-ldap.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    component: {{ .Values.dex.name }}
+  name: {{ template "k8s-ldap.dex.fullname" . }}
+rules:
+- apiGroups: ["dex.coreos.com"] # API group created by dex
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["create"] # To manage its own resources identity must be able to create customresourcedefinitions.
+{{- end -}}
+{{- end -}}

templates/dex-crb.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.dex.enabled -}}
+{{- if .Values.dex.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: {{ template "k8s-ldap.name" . }}
+    chart: {{ template "k8s-ldap.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    component: {{ .Values.dex.name }}
+  name: {{ template "k8s-ldap.dex.fullname" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "k8s-ldap.dex.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "k8s-ldap.dex.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}

templates/dex-crd.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.dex.enabled }}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: authcodes.dex.coreos.com
+spec:
+  group: dex.coreos.com
+  names:
+    kind: AuthCode
+    listKind: AuthCodeList
+    plural: authcodes
+    singular: authcode
+  scope: Namespaced
+  version: v1
+{{- end -}}