#105 add ability to configure cas oidc authonticator with terraform

cloudogu · Jan 16, 2025 · e75b44f · e75b44f
1 parent cbe70f5
commit e75b44f
Show file tree

Hide file tree

Showing 3 changed files with 134 additions and 8 deletions.
diff --git a/terraform/ces-module/main.tf b/terraform/ces-module/main.tf
@@ -16,20 +16,23 @@ terraform {
 locals {
   split_fqdn = split(".", var.ces_fqdn)
   # Top Level Domain extracted from fully qualified domain name. k3ces.local is used for development mode and empty fqdn.
-  topLevelDomain = var.ces_fqdn != "" ? "${element( split(".", var.ces_fqdn), length(local.split_fqdn) - 2)}.${element(local.split_fqdn, length(local.split_fqdn) - 1)}" : "k3ces.local"
+  topLevelDomain = var.ces_fqdn != "" ?
+    "${element( split(".", var.ces_fqdn), length(local.split_fqdn) - 2)}.${element(local.split_fqdn, length(local.split_fqdn) - 1)}"
+    : "k3ces.local"
   splitComponentNamespaces = [
     for componentStr in var.components :
     {
       namespace = split("/", componentStr)[0]
-      rest      = split("/", componentStr)[1] //provoke error here, so that the build fails if no namespace or name is given
+      rest      = split("/", componentStr)[1]
+      //provoke error here, so that the build fails if no namespace or name is given
     }
   ]
   parsedComponents = [
     for namespaceAndRest in local.splitComponentNamespaces :
     {
-      namespace = namespaceAndRest.namespace
-      name      = split(":", namespaceAndRest.rest)[0]
-      version   = length(split(":", namespaceAndRest.rest)) == 2 ? split(":", namespaceAndRest.rest)[1] : "latest"
+      namespace       = namespaceAndRest.namespace
+      name            = split(":", namespaceAndRest.rest)[0]
+      version         = length(split(":", namespaceAndRest.rest)) == 2 ? split(":", namespaceAndRest.rest)[1] : "latest"
       deployNamespace = split(":", namespaceAndRest.rest)[0] != "k8s-longhorn" ? var.ces_namespace : "longhorn-system"
     }
   ]
@@ -61,7 +64,7 @@ resource "helm_release" "k8s-ces-setup" {
         "component_operator_chart"     = var.component_operator_chart
         "component_operator_crd_chart" = var.component_operator_crd_chart
         "components"                   = local.parsedComponents
-        "setup_json"                   = yamlencode(templatefile(
+        "setup_json" = yamlencode(templatefile(
           "${path.module}/setup.json.tftpl",
           {
             # https://docs.cloudogu.com/en/docs/system-components/ces-setup/operations/setup-json/
@@ -73,8 +76,22 @@ resource "helm_release" "k8s-ces-setup" {
             "fqdn"            = var.ces_fqdn
             "domain"          = local.topLevelDomain
             "certificateType" = var.ces_certificate_path == null ? "selfsigned" : "external"
-            "certificate"     = var.ces_certificate_path != null ? replace(file(var.ces_certificate_path), "\n", "\\n") : ""
-            "certificateKey"  = var.ces_certificate_key_path != null ? replace(file(var.ces_certificate_key_path), "\n", "\\n") : ""
+            "certificate"     = var.ces_certificate_path != null ? replace(file(var.ces_certificate_path), "\n", "\\n")
+              : ""
+            "certificateKey" = var.ces_certificate_key_path != null ?
+              replace(file(var.ces_certificate_key_path), "\n", "\\n") : ""
+            # Cas OIDC config values
+            "cas_oidc_enabled"= var.cas_oidc_enabled
+            "cas_oidc_discovery_uri"= var.cas_oidc_discovery_uri
+            "cas_oidc_client_id"= var.cas_oidc_client_id
+            "cas_oidc_client_secret"= var.cas_oidc_client_secret
+            "cas_oidc_display_name"= var.cas_oidc_display_name
+            "cas_oidc_optional"= var.cas_oidc_optional
+            "cas_oidc_scopes"= var.cas_oidc_scopes
+            "cas_oidc_attribute_mapping"= var.cas_oidc_attribute_mapping
+            "cas_oidc_principal_attribute"= var.cas_oidc_principal_attribute
+            "cas_oidc_allowed_groups"= var.cas_oidc_allowed_groups
+            "cas_oidc_initial_admin_usernames"= var.cas_oidc_initial_admin_usernames
           }
         ))
         "resource_patches" = var.resource_patches

diff --git a/terraform/ces-module/setup.json.tftpl b/terraform/ces-module/setup.json.tftpl
@@ -49,5 +49,28 @@
     "groupAttributeName": "",
     "groupAttributeDescription": "",
     "groupAttributeMember": ""
+  },
+  "registryConfig": {
+    "cas": {
+      "oidc": {
+        "enabled": "${cas_oidc_enabled}",
+        "discovery_uri": "${cas_oidc_discovery_uri}",
+        "client_id": "${cas_oidc_client_id}",
+        "display_name": "${cas_oidc_display_name}",
+        "optional": "${cas_oidc_optional}",
+        "scopes": "${cas_oidc_scopes}",
+        "attribute_mapping": "${cas_oidc_attribute_mapping}",
+        "pricipal_attribute": "${cas_oidc_principal_attribute}",
+        "allowed_groups": "${cas_oidc_allowed_groups}",
+        "initial_admin_usernames": "${cas_oidc_initial_admin_usernames}"
+      }
+    }
+  },
+  "registryConfigEncrypted": {
+    "cas": {
+      "oidc": {
+        "client_secret": "${cas_oidc_client_secret}"
+      }
+    }
   }
 }
diff --git a/terraform/ces-module/variables.tf b/terraform/ces-module/variables.tf
@@ -174,4 +174,90 @@ variable "is_setup_applied_matching_resource" {
     api            = "apiextensions.k8s.io/v1",
     field_selector = "metadata.name==dogus.k8s.cloudogu.com"
   }
+}
+
+variable "cas_oidc_enabled" {
+  description = "Specifies if the ecosystem should provide the possibility to log in with an external oidc authenticator."
+  type = bool
+  default = false
+}
+
+variable "cas_oidc_discovery_uri" {
+  description = <<EOT
+  Describes the URI containing the description for the target provider's OIDC protocol. Must point to the openid-connect
+  configuration. This is usually structured as follows: `https://[base-server-url]/.well-known/openid-configuration`."
+  EOT
+  type = string
+}
+
+variable "cas_oidc_client_id" {
+  description = "Contains the identifier to be used to identify the CAS to the OIDC provider."
+  type = string
+}
+
+variable "cas_oidc_client_secret" {
+  description = "Contains the secret to be used together with the client ID to identify the CAS to the OIDC provider. Encrypted."
+  type = string
+}
+
+variable "cas_oidc_display_name" {
+  description = "The display name is used for the OIDC provider on the user interface."
+  type = string
+}
+
+variable "cas_oidc_optional" {
+  description = <<EOT
+  Specifies whether authentication via the configured OIDC provider is optional. The user will be automatically
+  redirected to the OIDC provider login page if this property is set to 'false'. The 'true' entry makes authentication
+  via the OIDC provider optional. This is done by displaying an additional button for the OIDC provider on the login
+  page of the CAS, which can be used to authenticate with the OIDC provider.
+  EOT
+  type = bool
+  default = false
+}
+
+variable "cas_oidc_scopes" {
+  description = <<EOT
+  Specifies the resource to query against OIDC. Normally, this enumeration should include at least the openid, the
+  user's email, profile information, and the groups assigned to the user.
+  EOT
+  type = list(string)
+  default = jsonencode([
+    "openid",
+    "email",
+    "profile",
+    "GroupScope"
+  ])
+}
+
+variable "cas_oidc_principal_attribute" {
+  description = <<EOT
+  Specifies an attribute that should be used as principal id inside the CES. CAS uses the ID provided by the OIDC
+  provider when this property is empty.
+  EOT
+  type = string
+  default = "preferred_username"
+}
+
+variable "cas_oidc_attribute_mapping" {
+  description = <<EOT
+  The attributes provided by OIDC do not exactly match the attributes required by CAS. It is necessary to convert the
+  OIDC attributes to attributes accepted by the CAS. Therefore, this entry should contain rules for converting an
+  attribute provided by the OIDC vendor to an attribute required by the CAS. The rules should be specified in the
+  following format: email:mail,familyname:lastname'. In the given example, the OIDC attributes "email" and "family_name"
+  are converted to "mail" and "surname" respectively.
+  The CAS needs the following attributes to work properly: 'mail,surname,givenName,username,displayName'.
+  EOT
+  type = string
+  default = "email:mail,family_name:surname,given_name:givenName,preferred_username:username,name:displayName,groups:externalGroups"
+}
+
+variable "cas_oidc_allowed_groups" {
+  description  = "Specifies cloudogu platform groups whose members can use the platform login. Only relevant if platform login is enabled."
+  type         = list(string)
+}
+
+variable "cas_oidc_initial_admin_usernames" {
+  description  = "Specifies cloudogu platform usernames that are given admin rights in this CES. Only relevant if platform login is enabled."
+  type         = list(string)
 }