Merge branch 'feature/361-integrate-kibana-with-google-auth' into 'master'

Integrate kibana with google auth Closes #361 See merge request platform-one/big-bang/bigbang!417

Merge branch 'feature/361-integrate-kibana-with-google-auth' into 'master'
9442a13c · Ryan Garcia · 05c568cb · 2c15436b · 9442a13c · 9442a13c
Commit 9442a13c authored 3 years ago by Ryan Garcia
--- a/chart/google-auth-example-values.yaml
+++ b/chart/google-auth-example-values.yaml
@@ -3,10 +3,13 @@
 #
 # Current tested implementations and reference docs:
 #   * grafana - https://grafana.com/docs/grafana/latest/auth/google/
+#   * kibana/es - https://www.elastic.co/guide/en/elasticsearch/reference/7.12/oidc-guide-stack.html
+#               - https://www.elastic.co/guide/en/kibana/current/kibana-authentication.html#oidc
 #

 monitoring:
  sso:
+    enabled: true
    grafana:
      client_id: <client_id>
      client_secret: <client_secret>
@@ -14,4 +17,29 @@ monitoring:
      allowed_domains: <allowed_domains>
      auth_url: https://accounts.google.com/o/oauth2/auth
      token_url: https://oauth2.googleapis.com/token
-      signout_redirect_url: https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=https://grafana.bigbang.dev
\ No newline at end of file
+      signout_redirect_url: https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=https://grafana.bigbang.dev
+logging:
+  sso:
+    enabled: true
+    oidc:
+      realm: "Google" # optionally override the name used in the custom ES realm def and login page
+    client_secret: "<client_secret>"
+    client_id: "<client_id>"
+    # additional fields (required to override keycloak defaults)
+    issuer: "https://accounts.google.com"
+    auth_url: "https://accounts.google.com/o/oauth2/v2/auth"
+    token_url: "https://oauth2.googleapis.com/token"
+    userinfo_url: "https://openidconnect.googleapis.com/v1/userinfo"
+    jwkset_url: "https://www.googleapis.com/oauth2/v3/certs"
+    claims_principal: email
+    claims_principal_pattern: "<regex for allowed email domains>" # example: "^([^@]+)@leapfrog\\.ai$"
+    requested_scopes:
+      - openid
+      - email
+    # required for keycloak - should be empty for google)
+    signature_algorithm: ""
+    endsession_url: ""
+    claims_group: ""
+    claims_mail: ""
+  license:
+    trial: true
\ No newline at end of file
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -101,3 +101,46 @@ stringData:
  overlays: |
    {{- toYaml .package.values | nindent 4 }}
 {{- end -}}
+
+{{/* 
+bigbang.addValueIfSet can be used to nil check parameters before adding them to the values.
+  Expects a list with the following params:
+    * [0] - (string) <yaml_key_to_add>
+    * [1] - (interface{}) <value_to_check>
+  
+  No output is generated if <value> is undefined, however, explicitly set empty values 
+  (i.e. `username=""`) will be passed along. All string fields will be quoted.
+
+  Example command: 
+  - `{{ (list "name" .username) | include "bigbang.addValueIfSet" }}`
+    * When `username: Aniken`
+      -> `name: "Aniken"`
+    * When `username: ""`
+      -> `name: ""`
+    * When username is not defined
+      -> no output 
+*/}}
+{{- define "bigbang.addValueIfSet" -}}
+  {{- $key := (index . 0) }}
+  {{- $value := (index . 1) }}
+  {{- /*If the value is explicitly set (even if it's empty)*/}}
+  {{- if not (kindIs "invalid" $value) }}
+    {{- /*Handle strings*/}}
+    {{- if kindIs "string" $value }}
+      {{- printf "\n%s" $key }}: {{ $value | quote }} 
+    {{- /*Hanldle slices*/}}
+    {{- else if kindIs "slice" $value }}
+      {{- printf "\n%s" $key }}:    
+        {{- range $value }}
+          {{- if kindIs "string" . }}
+            {{- printf "\n  - %s" (. | quote) }}
+          {{- else }} 
+            {{- printf "\n  - %v" . }}
+          {{- end }}
+        {{- end }}
+    {{- /*Handle other types (no quotes)*/}}
+    {{- else }}
+      {{- printf "\n%s" $key }}: {{ $value }} 
+    {{- end }}
+  {{- end }}
+{{- end -}}
--- a/chart/templates/logging/elasticsearch-kibana/ek-helmrelease.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/ek-helmrelease.yaml
@@ -51,4 +51,4 @@ spec:
    - name: istio
      namespace: {{ .Release.Namespace }}
    {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
--- a/chart/templates/logging/elasticsearch-kibana/values.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/values.yaml
@@ -7,14 +7,35 @@ hostname: {{ .Values.hostname }}
 istio:
  enabled: {{ .Values.istio.enabled }}

-{{- if .Values.logging.sso.enabled }}
+{{- with .Values.logging.sso }}
+{{- if .enabled }}
 sso:
-  enabled: {{ .Values.logging.sso.enabled }}
-  client_id: {{ .Values.logging.sso.client_id }}
-  client_secret: {{ .Values.logging.sso.client_secret | default "no-secret" }}
+  enabled: {{ .enabled }}
+  client_id: {{ .client_id | quote }}
+  client_secret: {{ .client_secret | default "no-secret" }}
  oidc:
-    host: {{ .Values.sso.oidc.host }}
-    realm: {{ .Values.sso.oidc.realm }}
+    {{- if $.Values.logging.sso.oidc }}
+    host: {{ .oidc.host | default $.Values.sso.oidc.host | quote }}
+    realm: {{ .oidc.realm | default $.Values.sso.oidc.realm | quote }}
+    {{- else }}
+    host: {{ $.Values.sso.oidc.host | quote }}
+    realm: {{ $.Values.sso.oidc.realm | quote }}
+    {{- end }}
+  {{- /* Optional fields should be nil checked */ -}}
+  {{- list "issuer" .issuer | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "auth_url" .auth_url | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "token_url" .token_url | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "userinfo_url" .userinfo_url | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "jwkset_url" .jwkset_url | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "claims_principal" .claims_principal | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "claims_principal_pattern" .claims_principal_pattern | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "requested_scopes" .requested_scopes | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "signature_algorithm" .signature_algorithm | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "endsession_url" .endsession_url | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "claims_group" .claims_group | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "claims_mail" .claims_mail | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "cert_authorities" .cert_authorities | include "bigbang.addValueIfSet" | indent 2 }}
+{{- end }}
 {{- end }}

 kibana:

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -242,7 +242,7 @@ logging:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git
    path: "./chart"
-    tag: "0.1.8-bb.0"
+    tag: "0.1.10-bb.2"

  # -- Flux reconciliation overrides specifically for the Logging (EFK) Package
  flux: