Move ocis to authentik ldap

MacroPower · Jun 13, 2024 · f145f19 · f145f19
1 parent 500f5cd
commit f145f19
Show file tree

Hide file tree

Showing 4 changed files with 129 additions and 10 deletions.
diff --git a/applications/base/ocis/application.libsonnet b/applications/base/ocis/application.libsonnet
@@ -8,7 +8,7 @@ app.new(
 ).withChart(
   name='ocis',
   repoURL='https://jacobcolvin.com/helm-charts',
-  targetRevision='1.0.0',
+  targetRevision='0.7.1',
   releaseName='ocis',
   values='values.yaml'
 ).withIgnoreDifferences([

diff --git a/applications/base/ocis/ldap-auth.yaml b/applications/base/ocis/ldap-auth.yaml
@@ -0,0 +1,45 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ocis-authentik-ns-secrets
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: authentik-ns
+spec:
+  provider:
+    kubernetes:
+      remoteNamespace: authentik
+      server:
+        caProvider:
+          type: ConfigMap
+          name: kube-root-ca.crt
+          key: ca.crt
+      auth:
+        serviceAccount:
+          name: ocis-authentik-ns-secrets
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: &name ldap-bind-secrets
+spec:
+  refreshInterval: 120s
+  secretStoreRef:
+    kind: SecretStore
+    name: authentik-ns
+  data:
+    - secretKey: password
+      remoteRef:
+        key: authentik-ocis
+        property: ocis_service_account_password
+  target:
+    name: *name
+    template:
+      engineVersion: v2
+      data:
+        reva-ldap-bind-password: "{{ .password }}"
diff --git a/applications/base/ocis/main.jsonnet b/applications/base/ocis/main.jsonnet
@@ -1,5 +1,6 @@
 // jsonnet base//main.jsonnet -J vendor
 
 local ns = import 'namespace.libsonnet';
+local ldapAuth = std.parseYaml(importstr 'ldap-auth.yaml');
 
-[ns]
+[ns] + ldapAuth
diff --git a/applications/base/ocis/values.yaml b/applications/base/ocis/values.yaml
@@ -131,11 +131,11 @@ features:
   externalUserManagement:
     # -- Enables external user management (and disables internal user management).
     # Needs an external OpenID Connect Identity Provider and an external LDAP server.
-    enabled: false
+    enabled: true
 
     # -- Enables account auto provisioning.
     # It will create missing users on the LDAP server from OIDC information.
-    autoprovisionAccounts: true
+    autoprovisionAccounts: false
 
     oidc:
       # -- Issuer URI of the OpenID Connect Identity Provider.
@@ -150,19 +150,17 @@ features:
       # -- Specify the client ID which the web frontend will use
       webClientID: ocis
       # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server.
-      userIDClaim: preferred_username
+      userIDClaim: sub
       # -- Attribute mapping of for the userIDClaim.
       # Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`.
       # Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in  `...ldap.user.schema.mail`.
       # Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.userName`.
-      userIDClaimAttributeMapping: username
+      userIDClaimAttributeMapping: userid
 
       # -- OIDC Acces Token Verify Method
       # Set to "jwt" or "none"
       accessTokenVerifyMethod: "none"
 
-      scope: "openid profile email"
-
       # Configure OIDC role assignment. If activated, oCIS will read the role assigment from the OIDC token, see
       # xref:{s-path}/proxy.adoc#automatic-role-assignments[Automatic Role Assignments]
       roleAssignment:
@@ -181,6 +179,80 @@ features:
           - role_name: guest
             claim_value: ocisGuest
 
+    # LDAP related settings.
+    ldap:
+      uri: ldap://ak-outpost-owncloud-ldap-outpost.authentik.svc
+      insecure: true
+      # -- Writeable configures if oCIS is allowed to write to the LDAP server, to eg. create or edit users.
+      writeable: false
+      # -- If the LDAP server is set to writable in general, some user attributes can be restricted to read only in the UI.
+      # Note: This only disables editing in the UI. The readonly permissions need to be enforced in the LDAP server itself.
+      readOnlyAttributes:
+        []
+        # - user.onPremisesSamAccountName # username
+        # - user.displayName # display name
+        # - user.mail # mail
+        # - user.passwordProfile # password
+        # - user.appRoleAssignments # role
+        # - user.accountEnabled # login allowed
+        # - drive.quota # quota
+      # -- DN of the user to use to bind to the LDAP server.
+      # The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`.
+      # The user needs to have permission to list users and groups.
+      bindDN: uid=ocis,ou=users,dc=owncloud,dc=home,dc=macro,dc=network
+      # -- Signals that the LDAP server has the refint plugin enabled, which makes some actions not needed.
+      refintEnabled: false
+      # -- Use the Password Modify Extended Operation for updating user passwords.
+      passwordModifyExOpEnabled: false
+      # -- If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using 'entryUUID' as the user ID attribute.
+      useServerUUID: false
+      user:
+        schema:
+          # -- LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID.
+          id: uid
+          # -- Set this to true if the defined `id` attribute for users is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the user ID`s.
+          idIsOctetString: false
+          # -- LDAP Attribute to use for the email address of users.
+          mail: mail
+          # -- LDAP Attribute to use for the displayname of users.
+          displayName: displayName
+          # -- LDAP Attribute to use for username of users.
+          userName: cn
+          # -- LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'.
+          userType: ownCloudUserType
+        # -- Search base DN for looking up LDAP users.
+        baseDN: ou=users,dc=owncloud,dc=home,dc=macro,dc=network
+        # -- LDAP search scope to use when looking up users. Supported values are `base`, `one` and `sub`.
+        scope: sub
+        # -- Type of substring search filter to use for substring searches for users. Possible values: `initial` for doing prefix only searches, `final` for doing suffix only searches or `any` for doing full substring searches
+        substringFilterType: any
+        # -- LDAP filter to add to the default filters for user search like `(objectclass=ownCloud)`.
+        filter: "(objectclass=user)"
+        # -- The object class to use for users in the default user search filter like `inetOrgPerson`.
+        objectClass: user
+      group:
+        schema:
+          # -- LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID.
+          id: uid
+          # -- Set this to true if the defined `id` attribute for groups is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the group ID`s.
+          idIsOctetString: false
+          # -- LDAP Attribute to use for the email address of groups (can be empty).
+          mail: ~
+          # -- LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).
+          displayName: cn
+          # -- LDAP Attribute to use for the name of groups.
+          groupName: cn
+          # -- LDAP Attribute that is used for group members.
+          member: member
+        # -- Search base DN for looking up LDAP groups.
+        baseDN: ou=groups,dc=owncloud,dc=home,dc=macro,dc=network
+        # -- LDAP search scope to use when looking up groups. Supported values are `base`, `one` and `sub`.
+        scope: sub
+        # -- LDAP filter to add to the default filters for group searches.
+        filter: "(objectclass=group)"
+        # -- The object class to use for groups in the default group search filter like `groupOfNames`.
+        objectClass: group
+
   # Define custom roles here. Note that the definition will be either or. So you cannot provide a ConfigMap name and text at once.
   roles:
     # -- Define the roles by specifying a name of a ConfigMap which already contains the the role description (might also be defined in the `extraResources` section).
@@ -231,9 +303,10 @@ ingress:
     gethomepage.dev/enabled: "true"
     gethomepage.dev/name: ownCloud
     gethomepage.dev/group: Apps
-    gethomepage.dev/icon: owncloud
+    gethomepage.dev/icon: si-owncloud
     gethomepage.dev/description: File Storage and Collaboration
     gethomepage.dev/external: "true"
+    gethomepage.dev/siteMonitor: "http://proxy.ocis.svc:9205/healthz"
     gethomepage.dev/podSelector: ""
   tls:
     - hosts:
@@ -286,7 +359,7 @@ secretRefs:
   # -- Reference to an existing LDAP cert secret (see ref:Secrets#secrets). Not used if `features.externalUserManagement.enabled` equals `true`.
   ldapCertRef: ""
   # -- Reference to an existing LDAP bind secret (see ref:Secrets#secrets).
-  ldapSecretRef: ""
+  ldapSecretRef: "ldap-bind-secrets"
   # -- Reference to an existing machine auth api key secret (see ref:Secrets#secrets)
   machineAuthApiKeySecretRef: ""
   # -- Reference to an existing messaging system certificate authority secret (see ref:Secrets#secrets)