-
Notifications
You must be signed in to change notification settings - Fork 153
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add advanced topics section to enterprise documentation
Introduced a new 'Advanced Topics' page in the enterprise documentation. This page covers detailed information on OIDC customization, scopes, claims, Cluster User, User Permissions and how to customize the UI for users. It also improves the organization of our 'Getting Started' guide by breaking it down into step-by-step sections. This helps provide a clearer and better-structured journey for users. Signed-off-by: Eneko Fernandez <[email protected]>
- Loading branch information
Showing
3 changed files
with
218 additions
and
187 deletions.
There are no files selected for viewing
204 changes: 204 additions & 0 deletions
204
...terprise/getting-started/install-enterprise-getting-started-advanced-topics.mdx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,204 @@ | ||
--- | ||
title: Advanced Topics | ||
hide_title: true | ||
toc_max_heading_level: 4 | ||
pagination_prev: enterprise/getting-started/install-enterprise-getting-started-onboard | ||
pagination_next: enterprise/getting-started/install-enterprise-getting-started-expand | ||
|
||
--- | ||
|
||
import Tabs from "@theme/Tabs"; | ||
import TabItem from "@theme/TabItem"; | ||
import TierLabel from "@site/docs/_components/TierLabel"; | ||
import AlphaWarning from "../../_components/_alpha_warning.mdx"; | ||
import CurlCodeBlock from "../../_components/CurlCodeBlock"; | ||
import oauthBitbucket from '/img/oauth-bitbucket.png'; | ||
import oauthAzureDevOps from '/img/oauth-azure-devops.png'; | ||
import oauthAzureDevOpsSuccess from '/img/oauth-azure-devops-success.png'; | ||
|
||
# Advanced Topics | ||
|
||
## OIDC | ||
|
||
### Customization | ||
|
||
For some OIDC configurations, you may need to customise the requested [scopes](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) or [claims](https://openid.net/specs/openid-connect-core-1_0.html#Claims). | ||
|
||
The `oidcUsernamePrefix` and `oidcGroupsPrefix` work in the same way as the Kubernetes [kube-apiserver](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) command-line options, if you need them for Kubernetes, you will likely need them here. | ||
|
||
### Scopes | ||
|
||
By default, the following scopes are requested: "openid","offline_access","email","groups". | ||
|
||
The "openid" scope is **mandatory** for OpenID auth and will be added if not provided. The "email" and "groups" scopes are commonly used as unique identifiers in organisations. | ||
|
||
"offline_access" allows us to refresh OIDC tokens to keep login sessions alive for as long as a refresh token is valid. You can, however, change the defaults. | ||
```sh | ||
kubectl create secret generic oidc-auth \ | ||
--namespace flux-system \ | ||
--from-literal=issuerURL=$oidc-issuer-url \ | ||
--from-literal=clientID=$client-id \ | ||
--from-literal=clientSecret=$client-secret \ | ||
--from-literal=redirectURL=redirect-url \ | ||
--from-literal=tokenDuration=token-duration \ | ||
--from-literal=customScopes=custom,scopes | ||
``` | ||
The format for the `customScopes` key is a comma-separated list of scopes to request. In this case, "custom", "scopes", and "openid" would be requested. | ||
|
||
### Claims | ||
|
||
By default, the following claims are parsed from the OpenID [ID Token](https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken) "email" and "groups". These are presented as the `user` and `groups` when WGE communicates with your Kubernetes API server. | ||
|
||
This is equivalent to [configuring](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server) your `kube-apiserver` with `--oidc-username-claim=email --oidc-groups-claim=groups`. | ||
|
||
Again, you can configure these from the `oidc-auth` `Secret`. | ||
|
||
```sh | ||
kubectl create secret generic oidc-auth \ | ||
--namespace flux-system \ | ||
--from-literal=issuerURL=oidc-issuer-url \ | ||
--from-literal=clientID=client-id \ | ||
--from-literal=clientSecret=client-secret \ | ||
--from-literal=redirectURL=redirect-url \ | ||
--from-literal=tokenDuration=token-duration \ | ||
--from-literal=claimUsername=sub \ | ||
--from-literal=claimGroups=groups | ||
``` | ||
There are two separate configuration keys. You can override them separately. They should match your `kube-apiserver` configuration. | ||
|
||
## Cluster User | ||
|
||
### Update Username or Password | ||
|
||
To change either the username or the password, recreate the `cluster-user-auth` | ||
with the new details. | ||
|
||
Only one Cluster User can be created this way. To add more users, enable an OIDC provider. | ||
|
||
### Update Permissions | ||
|
||
If required, the permissions can be expanded with the `rbac.additionalRules` field in the | ||
[Helm Chart](../../references/helm-reference.md). | ||
|
||
Follow the instructions in the next section in order to configure RBAC correctly. | ||
|
||
### Remove It | ||
|
||
To remove the Cluster User as a login method, set the following values in the | ||
[Helm Chart](../../references/helm-reference.md): | ||
|
||
```yaml | ||
# | ||
adminUser: | ||
create: false | ||
# | ||
additionalArgs: | ||
- --auth-methods=oidc | ||
# | ||
``` | ||
:::caution If you are disabling an already existing Cluster User | ||
|
||
If you are disabling an already existing Cluster User, you will need to | ||
manually delete the Kubernetes Secret and any User Roles that were created on | ||
the cluster. | ||
|
||
::: | ||
|
||
## User Permissions | ||
|
||
This section discusses the [Kubernetes permissions](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) | ||
needed by Weave GitOps application users and groups. At a minimum, a User should be bound to a Role in the `flux-system` namespace—which is where | ||
Flux stores its resources by default—with the following permissions: | ||
|
||
```yaml | ||
rules: | ||
# Flux Resources | ||
- apiGroups: ["source.toolkit.fluxcd.io"] | ||
resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories", "ocirepositories" ] | ||
verbs: [ "get", "list", "watch", "patch" ] | ||
|
||
- apiGroups: ["kustomize.toolkit.fluxcd.io"] | ||
resources: [ "kustomizations" ] | ||
verbs: [ "get", "list", "watch", "patch" ] | ||
|
||
- apiGroups: ["helm.toolkit.fluxcd.io"] | ||
resources: [ "helmreleases" ] | ||
verbs: [ "get", "list", "watch", "patch" ] | ||
|
||
- apiGroups: [ "notification.toolkit.fluxcd.io" ] | ||
resources: [ "providers", "alerts" ] | ||
verbs: [ "get", "list", "watch", "patch" ] | ||
|
||
- apiGroups: ["infra.contrib.fluxcd.io"] | ||
resources: ["terraforms"] | ||
verbs: [ "get", "list", "watch", "patch" ] | ||
|
||
# Read access for all other Kubernetes objects | ||
- apiGroups: ["*"] | ||
resources: ["*"] | ||
verbs: [ "get", "list", "watch" ] | ||
``` | ||
For a wider scope, the User can be bound to a ClusterRole with the same set. | ||
On top of this you can add other permissions to view WGE resources like `GitOpsSets` and `Templates`. | ||
|
||
### Flux Resources | ||
|
||
The following table lists resources that Flux works with directly. | ||
|
||
| API Group | Resources | Permissions | | ||
| ------------------------------ | ----------------------------------------------------------------------- | ---------------- | | ||
| kustomize.toolkit.fluxcd.io | kustomizations | get, list, patch | | ||
| helm.toolkit.fluxcd.io | Helm Releases | get, list, patch | | ||
| source.toolkit.fluxcd.io | buckets, Helm charts, Git repositories, Helm repositories, OCI repositories | get, list, patch | | ||
| notification.toolkit.fluxcd.io | providers, alerts | get, list | | ||
| infra.contrib.fluxcd.io | [Terraform](https://github.com/weaveworks/tf-controller) | get, list, patch | | ||
|
||
Weave GitOps needs to be able to query the [CRDs](https://fluxcd.io/docs/components/) that Flux uses before it can accurately display Flux state. The | ||
`get` and `list` permissions facilitate this. | ||
|
||
The `patch` permissions are used for two features: to suspend and resume | ||
reconciliation of a resource by modifying the 'spec' of a resource, | ||
and to force reconciliation of a resource by modifying resource annotations. These features work in the same way that `flux suspend`, | ||
`flux resume`, and `flux reconcile` does on the CLI. | ||
|
||
### Resources Managed via Flux | ||
|
||
| API Group | Resources | Permissions | | ||
|---------------------------|--------------------------------------------------------------------------------|------------------| | ||
| "" | configmaps, secrets, pods, services, persistent volumes, persistent volume claims | get, list, watch | | ||
| apps | deployments, replica sets, stateful sets | get, list, watch | | ||
| batch | jobs, cron jobs | get, list, watch | | ||
| autoscaling | horizontal pod autoscalers | get, list, watch | | ||
| rbac.authorization.k8s.io | roles, cluster roles, rolebindings, cluster role bindings | get, list, watch | | ||
| networking.k8s.io | ingresses | get, list, watch | | ||
|
||
Weave GitOps reads basic resources so that it can monitor the effect that Flux has | ||
on what's running. | ||
|
||
Reading `secrets` enables Weave GitOps to monitor the state of Helm releases | ||
as that's where it stores the [state by default](https://helm.sh/docs/faq/changes_since_helm2/#secrets-as-the-default-storage-driver). | ||
For clarity this these are the Helm release objects _not_ the Flux HelmRelease | ||
resource (which are dealt with by the earlier section). | ||
|
||
### Feedback from Flux | ||
|
||
Flux communicates the status of itself primarily via events. | ||
These events will show when reconciliations start and stop, whether they're successful, | ||
and information as to why they're not. | ||
|
||
## Customise the UI | ||
|
||
### Login | ||
|
||
The label of the OIDC button on the login screen is configurable via a feature flag environment variable. | ||
This can give your users a more familiar experience when logging in. | ||
|
||
Adjust the configuration in the Helm `values.yaml` file or the `spec.values` section of the Weave GitOps `HelmRelease` resource: | ||
|
||
```yaml | ||
extraEnvVars: | ||
- name: WEAVE_GITOPS_FEATURE_OIDC_BUTTON_LABEL | ||
value: "Login with ACME" | ||
``` |
Oops, something went wrong.