UNCLASSIFIED - NO CUI

Expose additional fields for Neuvector SSO

To enable mapping roles/groups from Keycloak for Neuvector we need to expose additional fields from the oidcinitcfg.yaml.

Currently it is necessary to pass through additional values for group_mapped_roles and group_claim as follows:

neuvector:
  enabled: true

  sso:
    enabled: true
    client_id: neuvector
    client_secret: <client secret>
    default_role: null
    issuer: https://keycloak.bigbang.dev/auth/realms/baby-yoda

  # additional mapping required to map Keycloak roles/groups to Neuvector groups 
  values:
    controller:
      secret:
        data:
          oidcinitcfg.yaml:
            group_claim: roles # claim in token to pull groups from
            # list of groups to map to Neuvector global roles 
            group_mapped_roles:
              - group: admin 
                global_role: admin 
              - group: reader
                global_role: reader

It would be good to expose group_mapped_roles and group_claim as part of the BigBang umbrella values so that the config could be expressed as (or an abstraction around these values):

neuvector:
  enabled: true

  sso:
    enabled: true
    client_id: neuvector
    client_secret: <client secret>
    default_role: null
    issuer: https://keycloak.bigbang.dev/auth/realms/baby-yoda
    group_claim: roles
    group_mapped_roles:
      - group: admin 
        global_role: admin 
      - group: reader
        global_role: reader
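
As an added illustration of the abstraction requested here (not BigBang's chart code; `expand_sso_values` is a hypothetical helper), the following expands the proposed `sso.group_claim` / `sso.group_mapped_roles` keys into the passthrough shape the chart accepts today, and rejects a mapping that could not work (a missing `group` or `global_role`, or mappings with no `group_claim` to read them from):

```python
# Added example: expand proposed `neuvector.sso` keys into the current
# `values.controller.secret.data."oidcinitcfg.yaml"` passthrough block.
# Hypothetical helper, not part of the BigBang umbrella chart.

def expand_sso_values(neuvector_values: dict) -> dict:
    """Return the controller secret data that the proposed keys must render to."""
    sso = neuvector_values.get("sso", {})
    if not sso.get("enabled"):
        return {}
    mapped = sso.get("group_mapped_roles") or []
    for entry in mapped:
        # Every mapping needs both the Keycloak group and the NeuVector global
        # role; a missing key would yield an oidcinitcfg.yaml that maps nothing.
        missing = {"group", "global_role"} - set(entry)
        if missing:
            raise ValueError(f"group_mapped_roles entry {entry!r} missing {sorted(missing)}")
    # group_claim names the token claim the groups are read from; without it
    # the mappings can never match, so fail early rather than deploy it.
    if mapped and not sso.get("group_claim"):
        raise ValueError("group_mapped_roles set but group_claim is empty")
    oidc = {
        "group_claim": sso.get("group_claim"),
        "group_mapped_roles": [
            {"group": e["group"], "global_role": e["global_role"]} for e in mapped
        ],
    }
    return {"controller": {"secret": {"data": {"oidcinitcfg.yaml": oidc}}}}


# Constructed sample: the proposed umbrella values from this issue.
PROPOSED = {
    "enabled": True,
    "sso": {
        "enabled": True,
        "client_id": "neuvector",
        "client_secret": "<client secret>",
        "default_role": None,
        "issuer": "https://keycloak.bigbang.dev/auth/realms/baby-yoda",
        "group_claim": "roles",
        "group_mapped_roles": [
            {"group": "admin", "global_role": "admin"},
            {"group": "reader", "global_role": "reader"},
        ],
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(expand_sso_values(PROPOSED), indent=2))
```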

See Neuvector configmap/secret init config documentation - https://open-docs.neuvector.com/deploying/production/configmap

Relevant documentation being added to Neuvector - big-bang/product/packages/neuvector!30 (diffs)

Edited by Rob Ferguson