Files
kubeshark/kubernetes/config.go
Serhii Ponomarenko a8dd332ff8 SAML integration prototype (#1475)
* 🔨 Add `AUTH_TYPE` field to `ConfigMap`

* 🔨 Add `AUTH_SAML_IDP_METADATA_URL` field to `ConfigMap`

* 🔨 Add `AUTH_SAML_X509_CRT` field to `Secret`

* 🔨 Add `AUTH_SAML_X509_KEY` field to `Secret`

* 🔨  Mount SAML X.509 key pair into `hub`

* 🔨 Add `REACT_APP_AUTH_TYPE` environment variable to `front`

* 🔧 Add Nginx path rewrite for `/saml`

* 🔧 Raise request size to accept big SAML responses

* 🔨 Add `REACT_APP_AUTH_TYPE` environment default value

* 📝 Update `README.md`

* 📝 Update `README.md`

* 🔨 Add `AUTH_TYPE` config map key

* 🔨 Add `AUTH_SAML_IDP_METADATA_URL` config map key

* ☸ Set `CONFIG_AUTH_TYPE` from `TapConfig`

* ☸ Set `CONFIG_AUTH_SAML_IDP_METADATA_URL` from `TapConfig`

*  Create `SamlConfig` in `TapConfig.AuthConfig`

* 🔨 Use updated `tap.auth.saml.idpMetadataUrl` tap config field

* 📝 Update `README.md`

* 🔨 Add `tap.insgress.enabled/host` to `ConfigMap`

* 🔨 Add `tap.proxy.front.port` to `ConfigMap`

* 🔨 Add `REACT_APP_AUTH_SAML_IDP_METADATA_URL` env to `front`

* 🔧 Supply `auth.saml` fields to `helm-chart/values.yaml`

* 🐛 Fix indentation for X.509 secrets

* 📝 Provide SAML setup docs

* 📝 Update SAML setup docs

* 📝 Update SAML setup docs

* Added callback URL indication

* 💥 Disable standard `Descope` auth

---------

Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2024-01-23 10:47:29 -08:00

75 lines
2.4 KiB
Go

package kubernetes
import (
"context"
"github.com/kubeshark/kubeshark/config"
"github.com/rs/zerolog/log"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
SUFFIX_SECRET = "secret"
SUFFIX_CONFIG_MAP = "config-map"
SECRET_LICENSE = "LICENSE"
CONFIG_POD_REGEX = "POD_REGEX"
CONFIG_NAMESPACES = "NAMESPACES"
CONFIG_SCRIPTING_ENV = "SCRIPTING_ENV"
CONFIG_INGRESS_ENABLED = "INGRESS_ENABLED"
CONFIG_INGRESS_HOST = "INGRESS_HOST"
CONFIG_PROXY_FRONT_PORT = "PROXY_FRONT_PORT"
CONFIG_AUTH_ENABLED = "AUTH_ENABLED"
CONFIG_AUTH_TYPE = "AUTH_TYPE"
CONFIG_AUTH_APPROVED_EMAILS = "AUTH_APPROVED_EMAILS"
CONFIG_AUTH_APPROVED_DOMAINS = "AUTH_APPROVED_DOMAINS"
CONFIG_AUTH_APPROVED_TENANTS = "AUTH_APPROVED_TENANTS"
CONFIG_AUTH_SAML_IDP_METADATA_URL = "AUTH_SAML_IDP_METADATA_URL"
)
func SetSecret(provider *Provider, key string, value string) (updated bool, err error) {
var secret *v1.Secret
secret, err = provider.clientSet.CoreV1().Secrets(config.Config.Tap.Release.Namespace).Get(context.TODO(), SELF_RESOURCES_PREFIX+SUFFIX_SECRET, metav1.GetOptions{})
if err != nil {
return
}
if secret.StringData[key] != value {
updated = true
}
secret.Data[key] = []byte(value)
_, err = provider.clientSet.CoreV1().Secrets(config.Config.Tap.Release.Namespace).Update(context.TODO(), secret, metav1.UpdateOptions{})
if err == nil {
if updated {
log.Info().Str("secret", key).Str("value", value).Msg("Updated:")
}
} else {
log.Error().Str("secret", key).Err(err).Send()
}
return
}
func SetConfig(provider *Provider, key string, value string) (updated bool, err error) {
var configMap *v1.ConfigMap
configMap, err = provider.clientSet.CoreV1().ConfigMaps(config.Config.Tap.Release.Namespace).Get(context.TODO(), SELF_RESOURCES_PREFIX+SUFFIX_CONFIG_MAP, metav1.GetOptions{})
if err != nil {
return
}
if configMap.Data[key] != value {
updated = true
}
configMap.Data[key] = value
_, err = provider.clientSet.CoreV1().ConfigMaps(config.Config.Tap.Release.Namespace).Update(context.TODO(), configMap, metav1.UpdateOptions{})
if err == nil {
if updated {
log.Info().Str("config", key).Str("value", value).Msg("Updated:")
}
} else {
log.Error().Str("config", key).Err(err).Send()
}
return
}