ocis-charts
support AD FS as idp
When adding AD FS support for ocis we had to customize some of the charts. I'll put the diffs here for documentation, as well as a checklist of things to productize for AD FS support. AFAICT we only really need to make skipping the userinfo endpoint in web configurable and maybe @d7oc can enlighten me on diff no 3.
- I was using an ocis version that used SSE, but no sse service was started yet, so I disabled it:
diff --git a/charts/ocis/templates/frontend/deployment.yaml b/charts/ocis/templates/frontend/deployment.yaml
index 88e648f..5dc9639 100644
--- a/charts/ocis/templates/frontend/deployment.yaml
+++ b/charts/ocis/templates/frontend/deployment.yaml
@@ -92,6 +92,9 @@ spec:
- name: OCIS_EDITION
value: {{ .Values.features.edition | quote }}
+ - name: OCIS_DISABLE_SSE
+ value: "true"
+
- name: FRONTEND_MACHINE_AUTH_API_KEY
valueFrom:
secretKeyRef:
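Review bot: the new OCIS_DISABLE_SSE entry is a hard-coded literal `value: "true"` with no corresponding key in values.yaml, so on a chart version that does ship an sse service nobody can turn SSE back on without editing the template; if it is kept at all, bind it to a value such as `.Values.features.sse.enabled` (name is a suggestion) and drop the stray blank line after the entry, which the surrounding env list does not use.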
diff --git a/charts/ocis/templates/userlog/deployment.yaml b/charts/ocis/templates/userlog/deployment.yaml
index 29e08cf..4fb4e71 100644
--- a/charts/ocis/templates/userlog/deployment.yaml
+++ b/charts/ocis/templates/userlog/deployment.yaml
@@ -44,6 +44,9 @@ spec:
- name: USERLOG_DEBUG_PPROF
value: {{ .Values.debug.profiling | quote }}
+ - name: OCIS_DISABLE_SSE
+ value: "true"
+
- name: USERLOG_HTTP_ADDR
value: 0.0.0.0:8080
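Review bot: this repeats the identical hard-coded OCIS_DISABLE_SSE literal from the frontend deployment; two copies of the same setting in two templates will drift, so if this is needed it should come from one values key, and the checklist already marks it obsolete on charts that start the sse service.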
- [x] nothing to do here, more recent charts start an sse service
- For AD FS the proxy and web ui must skip calling the userinfo endpoint and read the claims from the access token:
diff --git a/charts/ocis/templates/proxy/deployment.yaml b/charts/ocis/templates/proxy/deployment.yaml
index 1a1bcb5..ede864e 100644
--- a/charts/ocis/templates/proxy/deployment.yaml
+++ b/charts/ocis/templates/proxy/deployment.yaml
@@ -57,6 +57,9 @@ spec:
value: {{ .Values.features.externalUserManagement.oidc.issuerURI | quote }}
{{- end }}
+ - name: PROXY_OIDC_SKIP_USER_INFO
+ value: "true"
+
{{- if .Values.features.externalUserManagement.enabled }}
- name: PROXY_OIDC_REWRITE_WELLKNOWN
value: "true"
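Review bot: PROXY_OIDC_SKIP_USER_INFO is set unconditionally and sits outside the `externalUserManagement.enabled` block, so every deployment, including ones using the built-in IdP, would stop calling the userinfo endpoint and take claims straight from the access token; make it opt-in, e.g. wrap it in `{{- if .Values.features.externalUserManagement.oidc.skipUserInfo }}` (key name is a suggestion) inside the existing conditional, so the default behaviour stays unchanged.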
diff --git a/charts/ocis/templates/web/config.yaml b/charts/ocis/templates/web/config.yaml
index 1cb848c..63f6e6b 100644
--- a/charts/ocis/templates/web/config.yaml
+++ b/charts/ocis/templates/web/config.yaml
@@ -55,3 +55,60 @@ data:
previewFileMimeTypes:
{{- toYaml . | nindent 12 }}
{{- end }}
+ config.json: >-
+ {
+ "server": "https://cloud.ocis.test",
+ "theme": "https://cloud.ocis.test/themes/owncloud/theme.json",
+ "openIdConnect": {
+ "metadata_url": "https://idp.ocis.test/adfs/.well-known/openid-configuration",
+ "authority": "https://idp.ocis.test/adfs",
+ "client_id": "https://cloud.ocis.test/",
+ "response_type": "code",
+ "scope": "openid profile email",
+ "loadUserInfo": false
+ },
+ "apps": [
+ "files",
+ "search",
+ "text-editor",
+ "pdf-viewer",
+ "external",
+ "admin-settings"
+ ],
+ "external_apps": [
+ {
+ "id": "preview",
+ "path": "web-app-preview",
+ "config": {
+ "mimeTypes": [
+ "image/tiff",
+ "image/bmp",
+ "image/x-ms-bmp"
+ ]
+ }
+ }
+ ],
+ "options": {
+ "previewFileMimeTypes": [
+ "image/gif",
+ "image/png",
+ "image/jpeg",
+ "text/plain",
+ "image/tiff",
+ "image/bmp",
+ "image/x-ms-bmp"
+ ],
+ "sharingRecipientsPerPage": 200,
+ "sidebar": {
+ "shares": {
+ "showAllOnLoad": false
+ }
+ },
+ "routing": {
+ "idBased": true
+ },
+ "contextHelpersReadMore": true,
+ "openLinksWithDefaultApp": true,
+ "tokenStorageLocal": true
+ }
+ }
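Review bot: the config.json block hard-codes `https://cloud.ocis.test`, `https://idp.ocis.test/adfs` and the client_id, so the template only renders a working config for this one test environment; `server` and `theme` should be derived from `.Values.externalDomain` the way `WEB_UI_CONFIG_SERVER` is, and the IdP URLs and client_id from the existing `externalUserManagement.oidc` values. Since `"loadUserInfo": false` is the only intended change, the rest of the block duplicates options the chart already exposes separately and would silently override them.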
diff --git a/charts/ocis/templates/web/deployment.yaml b/charts/ocis/templates/web/deployment.yaml
index 258a5f2..4ad1ab5 100644
--- a/charts/ocis/templates/web/deployment.yaml
+++ b/charts/ocis/templates/web/deployment.yaml
@@ -71,6 +71,9 @@ spec:
- name: WEB_UI_CONFIG_SERVER
value: "https://{{ .Values.externalDomain }}"
+ - name: WEB_UI_CONFIG_FILE
+ value: /etc/ocis/config.json
+
- name: WEB_OPTION_CONTEXTHELPERS_READ_MORE
value: {{ .Values.services.web.config.contextHelpersReadMore.enabled | quote }}
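Review bot: WEB_UI_CONFIG_FILE points at /etc/ocis/config.json, but this hunk adds no volume or volumeMount for the new `config.json` ConfigMap key, so the file only exists in the container if the web ConfigMap is already mounted at /etc/ocis; check that mount, and take the path from a values key rather than a literal so it stays in step with the mount definition.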
- [ ] needs to be added to the external user management section in the values.yaml ... either as a transparent option or behind a feature flag? And then the question is how we make configuring the web ui less painful. Putting this huge config.json in the config.yaml is the only way for now, but maybe the web ui can always skip that endpoint? or we add a config option that adds the "loadUserInfo": false setting, which is the only difference to the stock config. I prefer the latter and submitted the ocis change in https://github.com/owncloud/ocis/pull/7714
- not sure about this one. the openshift cluster is sitting behind load balancers:
diff --git a/charts/ocis/templates/proxy/ingress.yaml b/charts/ocis/templates/proxy/ingress.yaml
index acf1ebd..76fb103 100644
--- a/charts/ocis/templates/proxy/ingress.yaml
+++ b/charts/ocis/templates/proxy/ingress.yaml
@@ -22,7 +22,7 @@ spec:
{{- end }}
rules:
- host: "{{ .Values.externalDomain }}"
- https:
+ http:
paths:
- path: /
pathType: Prefix
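Review bot: the Kubernetes Ingress API only defines an `http` field under `rules[].host`; there is no `https` key, so `https:` would fail schema validation and `http:` is the correct form. The change itself is fine, but since the current chart template already uses `http`, it is worth confirming which base revision this diff was taken against before carrying it forward.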
- [ ] clarify if this even has an effect
- search did not work and, because of the older ocis version, I tried to set the jwt secret
diff --git a/charts/ocis/templates/search/deployment.yaml b/charts/ocis/templates/search/deployment.yaml
index 5bdd934..7a4ce7a 100644
--- a/charts/ocis/templates/search/deployment.yaml
+++ b/charts/ocis/templates/search/deployment.yaml
@@ -84,6 +84,12 @@ spec:
- name: SEARCH_EXTRACTOR_CS3SOURCE_INSECURE
value: {{ .Values.insecure.ocisHttpApiInsecure | quote }}
+ - name: SEARCH_JWT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "secrets.jwtSecret" . }}
+ key: jwt-secret
+
- name: SEARCH_MACHINE_AUTH_API_KEY
valueFrom:
secretKeyRef:
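Review bot: the secretKeyRef for SEARCH_JWT_SECRET should use exactly the same `secrets.jwtSecret` helper and `jwt-secret` key as the other services' deployments so all services share one secret (compare with the proxy deployment), and the trailing blank line should go. As the checklist notes, newer charts run the auth-service and the search service uses service accounts, so this entry only serves the older ocis version and should not land in the chart.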
- [x] nothing to do here, because the current charts will start the now needed auth-service pod that is now used by the search service for service accounts
- this was also an env var mismatch because of the older ocis version
diff --git a/charts/ocis/templates/users/deployment.yaml b/charts/ocis/templates/users/deployment.yaml
index 86b86c6..32addcb 100644
--- a/charts/ocis/templates/users/deployment.yaml
+++ b/charts/ocis/templates/users/deployment.yaml
@@ -74,6 +74,9 @@ spec:
- name: USERS_LDAP_GROUP_OBJECTCLASS
value: {{ .Values.features.externalUserManagement.ldap.group.objectClass | quote }}
+ - name: OCIS_LDAP_USER_SCHEMA_ID
+ value: {{ .Values.features.externalUserManagement.ldap.user.schema.id | quote }}
+
- name: USERS_LDAP_USER_SCHEMA_ID
value: {{ .Values.features.externalUserManagement.ldap.user.schema.id | quote }}
- name: USERS_LDAP_GROUP_SCHEMA_ID
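Review bot: OCIS_LDAP_USER_SCHEMA_ID duplicates USERS_LDAP_USER_SCHEMA_ID two lines below with the identical value; the generic OCIS_ variable is the fallback that the service-specific one overrides, so once the chart targets an ocis version that honours USERS_LDAP_USER_SCHEMA_ID this entry is dead configuration and should be dropped rather than merged.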
- [x] nothing to do here, will just work with the most recent charts
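One way to wire the proxy setting from the diffs above behind a chart option, as an added example that is not part of this issue or of the ocis-charts repository; the values key `features.externalUserManagement.oidc.skipUserInfo` is an assumed name, not one the chart defines:

```yaml
# values.yaml (added example; skipUserInfo is an assumed key name)
features:
  externalUserManagement:
    enabled: true
    oidc:
      issuerURI: "https://idp.ocis.test/adfs"   # IdP URL from the issue's config.json
      # Only needed for AD FS-style IdPs: the proxy then reads the claims
      # from the access token instead of calling the userinfo endpoint.
      # Off by default so existing deployments keep the stock behaviour.
      skipUserInfo: false

# charts/ocis/templates/proxy/deployment.yaml, inside the existing
# externalUserManagement.enabled block next to PROXY_OIDC_REWRITE_WELLKNOWN,
# so the env var is only rendered when the operator opted in
{{- if .Values.features.externalUserManagement.enabled }}
  {{- if .Values.features.externalUserManagement.oidc.skipUserInfo }}
- name: PROXY_OIDC_SKIP_USER_INFO
  value: "true"
  {{- end }}
- name: PROXY_OIDC_REWRITE_WELLKNOWN
  value: "true"
{{- end }}
```

The web-side `"loadUserInfo": false` option from the linked ocis pull request would be gated on the same values key, which avoids shipping a full config.json in the ConfigMap.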
Adding the web config.json option would make lots of other configuration options dependent on this particular option not to be set.
Exposing the configuration introduced in https://github.com/owncloud/ocis/pull/7714 is probably the easier and cleaner option in this case.
Regarding http / https in the ingress: from what I know only http is valid.
Also the chart uses http, where does your diff come from?
https://github.com/owncloud/ocis-charts/blob/ad0bcb0ffe4fdec22c5644d09cfe6b9af021e312/charts/ocis/templates/proxy/ingress.yaml#L25
we did that in openstack ... but this is my impression as well. only http
should be valid as per https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource
we did that in openstack ...
you did use http or https for OpenShift? Because the Chart only uses http but your diff displays a change from https to http ...
May I ask for an update on that one @butonic ?
I tried this but was unable to get it working.
May I ask for an update on that one @butonic @d7oc @wkloucek ?
I don't have any information, are not working on it and even if I'd be assigned on it, I have no way to test it.
Maybe a "dumb question": is it only about this?
+ - name: PROXY_OIDC_SKIP_USER_INFO
+ value: "true"
closing here because there was no response within 6 months