Adds support for exposing the meta endpoints for supabase auth with SSO SAML

charts/supabase/Chart.yaml

@@ -17,7 +17,7 @@ maintainers:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.8
+version: 0.0.9
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/supabase/changelog.md

@@ -0,0 +1,3 @@
+## 0.0.9
+
+Added support for automatically exposing the needed SAML metadata and ACS routes through kong if auth.environment.GOTRUE_SAML_ENABLED is set to "true"

charts/supabase/templates/kong/config.yaml

@@ -96,6 +96,27 @@ data:
               allow:
                 - admin
                 - anon
+      {{- if eq .Values.auth.environment.GOTRUE_SAML_ENABLED "true" }}
+      - name: auth-v1-open-sso-acs
+        url: "http://{{ include "supabase.auth.fullname" . }}:{{ .Values.auth.service.port }}/sso/saml/acs"
+        routes:
+          - name: auth-v1-open-sso-acs
+            strip_path: true
+            paths:
+             - /auth/v1/sso/saml/acs
+             - /sso/saml/acs
+        plugins:
+          - name: cors
+      - name: auth-v1-open-sso-metadata
+        url: "http://{{ include "supabase.auth.fullname" . }}:{{ .Values.auth.service.port }}/sso/saml/metadata"
+        routes:
+          - name: auth-v1-open-sso-metadata
+            strip_path: true
+            paths:
+            - /auth/v1/sso/saml/metadata
+        plugins:
+              - name: cors
+       {{- end }}
     {{- end }}
     {{- if .Values.rest.enabled }}
       - name: rest-v1

charts/supabase/tests/auth/saml.yml

@@ -0,0 +1,37 @@
+suite: test kong configmap
+templates:
+  - kong/config.yaml
+tests:
+  - it: should include SAML routes when GOTRUE_SAML_ENABLED is true
+    set:
+      kong.enabled: true
+      auth.enabled: true
+      auth.environment.GOTRUE_SAML_ENABLED: "true"
+    asserts:
+      - matchRegex:
+          path: data["template.yml"]
+          pattern: "name: auth-v1-open-sso-acs"
+      - matchRegex:
+          path: data["template.yml"]
+          pattern: "url: \"http://.*:.*\\/sso\\/saml\\/acs\""
+      - matchRegex:
+          path: data["template.yml"]
+          pattern: "name: auth-v1-open-sso-metadata"
+      - matchRegex:
+          path: data["template.yml"]
+          pattern: "url: \"http://.*:.*\\/sso\\/saml\\/metadata\""
+
+
+
+  - it: should not include SAML routes when GOTRUE_SAML_ENABLED is false
+    set:
+      kong.enabled: true
+      auth.enabled: true
+      auth.environment.GOTRUE_SAML_ENABLED: "false"
+    asserts:
+      - notMatchRegex:
+          path: data["template.yml"]
+          pattern: "name: auth-v1-open-sso-acs"
+      - notMatchRegex:
+          path: data["template.yml"]
+          pattern: "name: auth-v1-open-sso-metadata"

charts/supabase/values.yaml

@@ -280,6 +280,7 @@ auth:
   service:
     type: ClusterIP
     port: 9999
+  # Used to expose
   environment:
     # Override the database hostname if using external database
     # DB_HOSTNAME: DATABASE.NAMESPACE.svc.cluster.local
@@ -295,6 +296,8 @@ auth:
     GOTRUE_DISABLE_SIGNUP: "false"
     GOTRUE_JWT_DEFAULT_GROUP_NAME: authenticated
     GOTRUE_JWT_ADMIN_ROLES: service_role
+    GOTRUE_SAML_ENABLED: "false"
+    # GOTRUE_SAML_PRIVATE_KEY: <YOUR_KEY_IN_BASE64>
     GOTRUE_JWT_AUD: authenticated
     GOTRUE_JWT_EXP: "3600"
     GOTRUE_EXTERNAL_EMAIL_ENABLED: "true"