Skip to content

Commit

Permalink
Add advanced topics section to enterprise documentation
Browse files Browse the repository at this point in the history
Introduced a new 'Advanced Topics' page in the enterprise documentation. This page covers detailed information on OIDC customization, scopes, claims, Cluster User, User Permissions and how to customize the UI for users. It also improves the organization of our 'Getting Started' guide by breaking it down into step-by-step sections. This helps provide a clearer and better-structured journey for users.

Signed-off-by: Eneko Fernandez <[email protected]>
  • Loading branch information
enekofb committed Dec 28, 2023
1 parent 175b9da commit 2daceb0
Show file tree
Hide file tree
Showing 3 changed files with 218 additions and 187 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,204 @@
---
title: Advanced Topics
hide_title: true
toc_max_heading_level: 4
pagination_prev: enterprise/getting-started/install-enterprise-getting-started-onboard
pagination_next: enterprise/getting-started/install-enterprise-getting-started-expand

---

import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
import TierLabel from "@site/docs/_components/TierLabel";
import AlphaWarning from "../../_components/_alpha_warning.mdx";
import CurlCodeBlock from "../../_components/CurlCodeBlock";
import oauthBitbucket from '/img/oauth-bitbucket.png';
import oauthAzureDevOps from '/img/oauth-azure-devops.png';
import oauthAzureDevOpsSuccess from '/img/oauth-azure-devops-success.png';

# Advanced Topics

## OIDC

### Customization

For some OIDC configurations, you may need to customise the requested [scopes](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) or [claims](https://openid.net/specs/openid-connect-core-1_0.html#Claims).

The `oidcUsernamePrefix` and `oidcGroupsPrefix` work in the same way as the Kubernetes [kube-apiserver](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) command-line options, if you need them for Kubernetes, you will likely need them here.

### Scopes

By default, the following scopes are requested: "openid","offline_access","email","groups".

The "openid" scope is **mandatory** for OpenID auth and will be added if not provided. The "email" and "groups" scopes are commonly used as unique identifiers in organisations.

"offline_access" allows us to refresh OIDC tokens to keep login sessions alive for as long as a refresh token is valid. You can, however, change the defaults.
```sh
kubectl create secret generic oidc-auth \
--namespace flux-system \
--from-literal=issuerURL=$oidc-issuer-url \
--from-literal=clientID=$client-id \
--from-literal=clientSecret=$client-secret \
--from-literal=redirectURL=redirect-url \
--from-literal=tokenDuration=token-duration \
--from-literal=customScopes=custom,scopes
```
The format for the `customScopes` key is a comma-separated list of scopes to request. In this case, "custom", "scopes", and "openid" would be requested.

### Claims

By default, the following claims are parsed from the OpenID [ID Token](https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken) "email" and "groups". These are presented as the `user` and `groups` when WGE communicates with your Kubernetes API server.

This is equivalent to [configuring](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server) your `kube-apiserver` with `--oidc-username-claim=email --oidc-groups-claim=groups`.

Again, you can configure these from the `oidc-auth` `Secret`.

```sh
kubectl create secret generic oidc-auth \
--namespace flux-system \
--from-literal=issuerURL=oidc-issuer-url \
--from-literal=clientID=client-id \
--from-literal=clientSecret=client-secret \
--from-literal=redirectURL=redirect-url \
--from-literal=tokenDuration=token-duration \
--from-literal=claimUsername=sub \
--from-literal=claimGroups=groups
```
There are two separate configuration keys. You can override them separately. They should match your `kube-apiserver` configuration.

## Cluster User

### Update Username or Password

To change either the username or the password, recreate the `cluster-user-auth`
with the new details.

Only one Cluster User can be created this way. To add more users, enable an OIDC provider.

### Update Permissions

If required, the permissions can be expanded with the `rbac.additionalRules` field in the
[Helm Chart](../../references/helm-reference.md).

Follow the instructions in the next section in order to configure RBAC correctly.

### Remove It

To remove the Cluster User as a login method, set the following values in the
[Helm Chart](../../references/helm-reference.md):

```yaml
#
adminUser:
create: false
#
additionalArgs:
- --auth-methods=oidc
#
```
:::caution If you are disabling an already existing Cluster User

If you are disabling an already existing Cluster User, you will need to
manually delete the Kubernetes Secret and any User Roles that were created on
the cluster.

:::

## User Permissions

This section discusses the [Kubernetes permissions](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
needed by Weave GitOps application users and groups. At a minimum, a User should be bound to a Role in the `flux-system` namespace—which is where
Flux stores its resources by default—with the following permissions:

```yaml
rules:
# Flux Resources
- apiGroups: ["source.toolkit.fluxcd.io"]
resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories", "ocirepositories" ]
verbs: [ "get", "list", "watch", "patch" ]

- apiGroups: ["kustomize.toolkit.fluxcd.io"]
resources: [ "kustomizations" ]
verbs: [ "get", "list", "watch", "patch" ]

- apiGroups: ["helm.toolkit.fluxcd.io"]
resources: [ "helmreleases" ]
verbs: [ "get", "list", "watch", "patch" ]

- apiGroups: [ "notification.toolkit.fluxcd.io" ]
resources: [ "providers", "alerts" ]
verbs: [ "get", "list", "watch", "patch" ]

- apiGroups: ["infra.contrib.fluxcd.io"]
resources: ["terraforms"]
verbs: [ "get", "list", "watch", "patch" ]

# Read access for all other Kubernetes objects
- apiGroups: ["*"]
resources: ["*"]
verbs: [ "get", "list", "watch" ]
```
For a wider scope, the User can be bound to a ClusterRole with the same set.
On top of this you can add other permissions to view WGE resources like `GitOpsSets` and `Templates`.

### Flux Resources

The following table lists resources that Flux works with directly.

| API Group | Resources | Permissions |
| ------------------------------ | ----------------------------------------------------------------------- | ---------------- |
| kustomize.toolkit.fluxcd.io | kustomizations | get, list, patch |
| helm.toolkit.fluxcd.io | Helm Releases | get, list, patch |
| source.toolkit.fluxcd.io | buckets, Helm charts, Git repositories, Helm repositories, OCI repositories | get, list, patch |
| notification.toolkit.fluxcd.io | providers, alerts | get, list |
| infra.contrib.fluxcd.io | [Terraform](https://github.com/weaveworks/tf-controller) | get, list, patch |

Weave GitOps needs to be able to query the [CRDs](https://fluxcd.io/docs/components/) that Flux uses before it can accurately display Flux state. The
`get` and `list` permissions facilitate this.

The `patch` permissions are used for two features: to suspend and resume
reconciliation of a resource by modifying the 'spec' of a resource,
and to force reconciliation of a resource by modifying resource annotations. These features work in the same way that `flux suspend`,
`flux resume`, and `flux reconcile` does on the CLI.

### Resources Managed via Flux

| API Group | Resources | Permissions |
|---------------------------|--------------------------------------------------------------------------------|------------------|
| "" | configmaps, secrets, pods, services, persistent volumes, persistent volume claims | get, list, watch |
| apps | deployments, replica sets, stateful sets | get, list, watch |
| batch | jobs, cron jobs | get, list, watch |
| autoscaling | horizontal pod autoscalers | get, list, watch |
| rbac.authorization.k8s.io | roles, cluster roles, rolebindings, cluster role bindings | get, list, watch |
| networking.k8s.io | ingresses | get, list, watch |

Weave GitOps reads basic resources so that it can monitor the effect that Flux has
on what's running.

Reading `secrets` enables Weave GitOps to monitor the state of Helm releases
as that's where it stores the [state by default](https://helm.sh/docs/faq/changes_since_helm2/#secrets-as-the-default-storage-driver).
For clarity this these are the Helm release objects _not_ the Flux HelmRelease
resource (which are dealt with by the earlier section).

### Feedback from Flux

Flux communicates the status of itself primarily via events.
These events will show when reconciliations start and stop, whether they're successful,
and information as to why they're not.

## Customise the UI

### Login

The label of the OIDC button on the login screen is configurable via a feature flag environment variable.
This can give your users a more familiar experience when logging in.

Adjust the configuration in the Helm `values.yaml` file or the `spec.values` section of the Weave GitOps `HelmRelease` resource:

```yaml
extraEnvVars:
- name: WEAVE_GITOPS_FEATURE_OIDC_BUTTON_LABEL
value: "Login with ACME"
```
Loading

0 comments on commit 2daceb0

Please sign in to comment.