Expose additional fields for Neuvector SSO
To enable mapping roles/groups from Keycloak for Neuvector we need to expose additional fields from the `oidcinitcfg.yaml`.

Currently it is necessary to pass through additional values for `group_mapped_roles` and `group_claim` as follows:
```yaml
neuvector:
  enabled: true
  sso:
    enabled: true
    client_id: neuvector
    client_secret: <client secret>
    default_role: null
    issuer: https://keycloak.bigbang.dev/auth/realms/baby-yoda
  # additional mapping required to map Keycloak roles/groups to Neuvector groups
  values:
    controller:
      secret:
        data:
          oidcinitcfg.yaml:
            group_claim: roles # claim in token to pull groups from
            # list of groups to map to Neuvector global roles
            group_mapped_roles:
              - group: admin
                global_role: admin
              - group: reader
                global_role: reader
```
It would be good to expose `group_mapped_roles` and `group_claim` as part of the BigBang umbrella values so that the config could be expressed as follows (or as an abstraction around these values):
```yaml
neuvector:
  enabled: true
  sso:
    enabled: true
    client_id: neuvector
    client_secret: <client secret>
    default_role: null
    issuer: https://keycloak.bigbang.dev/auth/realms/baby-yoda
    group_claim: roles
    group_mapped_roles:
      - group: admin
        global_role: admin
      - group: reader
        global_role: reader
```
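To make the proposed abstraction concrete, here is an added example (not code from this issue, the Big Bang umbrella chart, or the Neuvector package) that expands the flat `neuvector.sso.group_claim` / `group_mapped_roles` values above into the `controller.secret.data.oidcinitcfg.yaml` passthrough structure the issue currently requires, and checks the mapping before rendering. The function names, the `KNOWN_GLOBAL_ROLES` set (taken only from the roles this issue uses) and the sample values are assumptions for illustration.

```python
# Added example, not part of the issue or the Big Bang/Neuvector charts.
# Expands the proposed top-level `neuvector.sso` values into the chart
# passthrough structure shown in the issue, after validating the mapping.
from typing import Any, Dict, List

# Global roles that appear in the issue; anything else is flagged for review
# (assumption: the real set of Neuvector roles is not enumerated here).
KNOWN_GLOBAL_ROLES = {"admin", "reader"}

# Constructed sample of the proposed umbrella values from the issue.
PROPOSED_SSO: Dict[str, Any] = {
    "enabled": True,
    "client_id": "neuvector",
    "client_secret": "<client secret>",
    "default_role": None,  # unmapped users get no role
    "issuer": "https://keycloak.bigbang.dev/auth/realms/baby-yoda",
    "group_claim": "roles",
    "group_mapped_roles": [
        {"group": "admin", "global_role": "admin"},
        {"group": "reader", "global_role": "reader"},
    ],
}


def validate_sso(sso: Dict[str, Any]) -> List[str]:
    """Return human-readable problems with the group-to-role mapping (empty if fine)."""
    problems: List[str] = []
    mappings = sso.get("group_mapped_roles") or []
    if mappings and not sso.get("group_claim"):
        problems.append("group_mapped_roles set but group_claim is empty")
    seen = set()
    for i, mapping in enumerate(mappings):
        group, role = mapping.get("group"), mapping.get("global_role")
        if not group or not role:
            problems.append(f"mapping {i}: both 'group' and 'global_role' are required")
            continue
        if group in seen:
            problems.append(f"mapping {i}: group '{group}' mapped more than once")
        seen.add(group)
        if role not in KNOWN_GLOBAL_ROLES:
            problems.append(f"mapping {i}: unrecognised global_role '{role}'")
    return problems


def render_passthrough(sso: Dict[str, Any]) -> Dict[str, Any]:
    """Expand the flat values into neuvector.values.controller.secret.data.oidcinitcfg.yaml."""
    problems = validate_sso(sso)
    if problems:
        raise ValueError("; ".join(problems))
    oidc_init = {
        "group_claim": sso.get("group_claim"),
        "group_mapped_roles": [
            {"group": m["group"], "global_role": m["global_role"]}
            for m in sso.get("group_mapped_roles") or []
        ],
    }
    return {"controller": {"secret": {"data": {"oidcinitcfg.yaml": oidc_init}}}}


def admin_groups(sso: Dict[str, Any]) -> List[str]:
    """List the IdP groups that would receive the Neuvector admin role, for review."""
    return [
        m["group"]
        for m in sso.get("group_mapped_roles") or []
        if m.get("global_role") == "admin"
    ]


if __name__ == "__main__":
    print(render_passthrough(PROPOSED_SSO))
    print("groups granted admin:", admin_groups(PROPOSED_SSO))
```

The `admin_groups` helper is the kind of check a reviewer would run on a values file: it lists every Keycloak group that ends up with the Neuvector admin role, so an over-broad mapping is visible before the secret is rendered.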
See the Neuvector configmap/secret init config documentation: https://open-docs.neuvector.com/deploying/production/configmap

Relevant documentation being added to Neuvector: big-bang/product/packages/neuvector!30
Edited by Rob Ferguson