adding oidc to the helm chart (#216)

amundsen-kube-helm/templates/helm/amundsen/templates/deployment.yaml

@@ -64,14 +64,40 @@ spec:
       tolerations:
 {{ toYaml . | indent 8 }}
       {{- end }}
+      volumes:
+      {{- if .Values.oidcEnabled }}
+        - name: oidc-config
+          secret:
+            secretName: oidc-config
+      {{- end }}
       containers:
       - name: {{ .Chart.Name }}-{{ .Values.metadataServiceName }}
-        image: {{- if .Values.metadataServiceImage }} {{.Values.metadataServiceImage}}{{- else }} {{ .Values.dockerhubImagePath }}/{{ .Chart.Name }}-{{ .Values.metadataServiceName }}:{{ .Values.metadataImageVersion }}{{- end }}
+        {{- with .Values.metadataServiceImage }}
+        image: {{ . }}
+        {{- else }}
+        image: {{ .Values.dockerhubImagePath }}/{{ .Chart.Name }}-{{ .Values.metadataServiceName }}{{ if .Values.oidcEnabled }}-oidc{{ end }}:{{ .Values.metadataImageVersion }}
+        {{- end }}
+        imagePullPolicy: Never
         ports:
-        - containerPort: 5000  
+        - containerPort: 5000
         env:
         - name: PROXY_HOST
           value: bolt://neo4j
+        {{- if .Values.oidcEnabled }}
+        - name: FLASK_OIDC_CLIENT_SECRETS
+          value: /etc/client_secrets.json
+        - name: FLASK_OIDC_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: oidc-config
+              key: OIDC_CLIENT_SECRET
+        {{- end }}
+        volumeMounts:
+        {{- if .Values.oidcEnabled }}
+          - name: oidc-config
+            mountPath: /etc/client_secrets.json
+            subPath: client_secrets.json
+        {{- end }}
         {{- with .Values.metadata.resources }}
         resources:
 {{ toYaml . | indent 10 }}
@@ -103,16 +129,40 @@ spec:
       tolerations:
 {{ toYaml . | indent 8 }}
       {{- end }}
+      volumes:
+      {{- if .Values.oidcEnabled }}
+        - name: oidc-config
+          secret:
+            secretName: oidc-config
+      {{- end }}
       containers:
       - name: {{ .Chart.Name }}-{{ .Values.frontEndServiceName }}
-        image: {{- if .Values.frontEndServiceImage }} {{.Values.frontEndServiceImage}}{{- else }} {{ .Values.dockerhubImagePath }}/{{ .Chart.Name }}-{{ .Values.frontEndServiceName }}:{{ .Values.frontEndImageVersion }}{{- end }}
+        {{- with .Values.frontEndServiceImage }}
+        image: {{ . }}
+        {{- else }}
+        image: {{ .Values.dockerhubImagePath }}/{{ .Chart.Name }}-{{ .Values.frontEndServiceName }}{{ if .Values.oidcEnabled }}-oidc{{ end }}:{{ .Values.frontEndImageVersion }}
+        {{- end }}
         ports:
-        - containerPort: 5000  
+          - containerPort: 5000
         env:
-        - name: SEARCHSERVICE_BASE
-          value: http://{{ .Chart.Name }}-{{ .Values.searchServiceName }}:5001
-        - name: METADATASERVICE_BASE
-          value: http://{{ .Chart.Name }}-{{ .Values.metadataServiceName }}:5002
-        - name: FRONTEND_SVC_CONFIG_MODULE_CLASS
-          value: amundsen_application.config.TestConfig                     
----                          
+          - name: SEARCHSERVICE_BASE
+            value: http://{{ .Chart.Name }}-{{ .Values.searchServiceName }}:5001
+          - name: METADATASERVICE_BASE
+            value: http://{{ .Chart.Name }}-{{ .Values.metadataServiceName }}:5002
+          - name: LONG_RANDOM_STRING
+            value: {{ quote .Values.LONG_RANDOM_STRING }}
+        {{- if .Values.oidcEnabled }}
+          - name: FLASK_OIDC_CLIENT_SECRETS
+            value: /etc/client_secrets.json
+          - name: FLASK_OIDC_SECRET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: oidc-config
+                key: OIDC_CLIENT_SECRET
+        {{- end }}
+        volumeMounts:
+        {{- if .Values.oidcEnabled }}
+          - name: oidc-config
+            mountPath: /etc/client_secrets.json
+            subPath: client_secrets.json
+        {{- end }}

amundsen-kube-helm/templates/helm/amundsen/templates/oidc_config.yaml

+{{- if .Values.createOidcSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+    name: oidc-config
+    namespace: {{ .Release.Namespace }}
+stringData:
+  OIDC_CLIENT_SECRET: {{ .Values.OIDC_CLIENT_SECRET }}
+  client_secrets.json: |-
+    {
+      "web": {
+        "client_id": "{{ .Values.OIDC_CLIENT_ID }}",
+        "client_secret": "{{ .Values.OIDC_CLIENT_SECRET }}",
+        "auth_uri": "{{ .Values.OIDC_ORG_URL }}/oauth2/{{ .Values.OIDC_AUTH_SERVER_ID }}/v1/authorize",
+        "token_uri": "{{ .Values.OIDC_ORG_URL }}/oauth2/{{ .Values.OIDC_AUTH_SERVER_ID }}/v1/token",
+        "issuer": "{{ .Values.OIDC_ORG_URL }}/oauth2/{{ .Values.OIDC_AUTH_SERVER_ID }}",
+        "userinfo_uri": "{{ .Values.OIDC_ORG_URL }}/oauth2/{{ .Values.OIDC_AUTH_SERVER_ID }}/userinfo",
+        "redirect_uris": [
+          "http://localhost/oidc_callback"
+        ]
+      }
+    }
+{{- end }}

amundsen-kube-helm/templates/helm/amundsen/values.yaml

@@ -3,6 +3,18 @@ provider: aws
 dnsZone: teamname.company.com
 dockerhubImagePath: amundsendev
 
+LONG_RANDOM_STRING: 1234
+
+# To enable auth via OIDC, set this to true. 
+oidcEnabled: false
+# OIDC needs some configuration. If you want the chart to make your secrets, set this to true and set the next four values. 
+# If you don't want to configure your secrets via helm, you can still use the oidc_config.yaml as a template
+createOidcSecret: false
+# OIDC_CLIENT_ID: 
+# OIDC_CLIENT_SECRET: 
+# OIDC_ORG_URL: 
+# OIDC_AUTH_SERVER_ID: 
+
 ## Support Node, affinity and tolerations for scheduler pod assignment
 ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
 ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
@@ -27,7 +39,7 @@ search:
   tolerations: []
 
 metadataServiceName: metadata
-metadataImageVersion: 1.1.5
+metadataImageVersion: 1.1.6
 metadata:
   replicas: 1
   resources:
@@ -43,7 +55,7 @@ metadata:
   tolerations: []
 
 frontEndServiceName: frontend
-frontEndImageVersion: 1.1.1
+frontEndImageVersion: 1.2.0
 frontEndServicePort: 80
 frontEnd:
   replicas: 1