diff --git a/applications/base/ocis/application.libsonnet b/applications/base/ocis/application.libsonnet index 5da5292fa..25002eea1 100644 --- a/applications/base/ocis/application.libsonnet +++ b/applications/base/ocis/application.libsonnet @@ -8,7 +8,7 @@ app.new( ).withChart( name='ocis', repoURL='https://jacobcolvin.com/helm-charts', - targetRevision='1.0.0', + targetRevision='0.7.1', releaseName='ocis', values='values.yaml' ).withIgnoreDifferences([ diff --git a/applications/base/ocis/ldap-auth.yaml b/applications/base/ocis/ldap-auth.yaml new file mode 100644 index 000000000..4db0b22a7 --- /dev/null +++ b/applications/base/ocis/ldap-auth.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ocis-authentik-ns-secrets + +--- +apiVersion: external-secrets.io/v1beta1 +kind: SecretStore +metadata: + name: authentik-ns +spec: + provider: + kubernetes: + remoteNamespace: authentik + server: + caProvider: + type: ConfigMap + name: kube-root-ca.crt + key: ca.crt + auth: + serviceAccount: + name: ocis-authentik-ns-secrets + +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name ldap-bind-secrets +spec: + refreshInterval: 120s + secretStoreRef: + kind: SecretStore + name: authentik-ns + data: + - secretKey: password + remoteRef: + key: authentik-ocis + property: ocis_service_account_password + target: + name: *name + template: + engineVersion: v2 + data: + reva-ldap-bind-password: "{{ .password }}" diff --git a/applications/base/ocis/main.jsonnet b/applications/base/ocis/main.jsonnet index 27a9cebaa..43c039139 100644 --- a/applications/base/ocis/main.jsonnet +++ b/applications/base/ocis/main.jsonnet @@ -1,5 +1,6 @@ // jsonnet base//main.jsonnet -J vendor local ns = import 'namespace.libsonnet'; +local ldapAuth = std.parseYaml(importstr 'ldap-auth.yaml'); -[ns] +[ns] + ldapAuth diff --git a/applications/base/ocis/values.yaml b/applications/base/ocis/values.yaml index 9edbe3044..f47c25035 100644 
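Review bot: The SecretStore in ldap-auth.yaml reads from the `authentik` namespace through the `ocis-authentik-ns-secrets` ServiceAccount, but the Role and RoleBinding that let that account read secrets there are not part of this change, so the grant's scope cannot be reviewed here. If that RBAC is defined elsewhere, it should be limited to the one secret the ExternalSecret uses, e.g. a Role with `resources: [secrets]`, `verbs: [get, list, watch]` and `resourceNames: [authentik-ocis]`, rather than read access to every secret in `authentik`. A comment above the ServiceAccount such as `# RBAC for this account lives in <path-to-authentik-rbac>; keep it scoped to resourceNames: [authentik-ocis]` would make the dependency visible to the next reader. The ExternalSecret itself is appropriately narrow: it copies only `ocis_service_account_password` and renders it as `reva-ldap-bind-password`, which matches the key the chart expects.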
--- a/applications/base/ocis/values.yaml +++ b/applications/base/ocis/values.yaml @@ -131,11 +131,11 @@ features: externalUserManagement: # -- Enables external user management (and disables internal user management). # Needs an external OpenID Connect Identity Provider and an external LDAP server. - enabled: false + enabled: true # -- Enables account auto provisioning. # It will create missing users on the LDAP server from OIDC information. - autoprovisionAccounts: true + autoprovisionAccounts: false oidc: # -- Issuer URI of the OpenID Connect Identity Provider. @@ -150,19 +150,17 @@ features: # -- Specify the client ID which the web frontend will use webClientID: ocis # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server. - userIDClaim: preferred_username + userIDClaim: sub # -- Attribute mapping of for the userIDClaim. # Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. # Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.mail`. # Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.userName`. - userIDClaimAttributeMapping: username + userIDClaimAttributeMapping: userid # -- OIDC Acces Token Verify Method # Set to "jwt" or "none" accessTokenVerifyMethod: "none" - scope: "openid profile email" - # Configure OIDC role assignment. If activated, oCIS will read the role assigment from the OIDC token, see # xref:{s-path}/proxy.adoc#automatic-role-assignments[Automatic Role Assignments] roleAssignment: 
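Review bot: `userIDClaim: sub` together with `userIDClaimAttributeMapping: userid` means the OIDC `sub` value must be byte-identical to the LDAP attribute configured as `ldap.user.schema.id` (set to `uid` in the later `ldap:` hunk), and with `autoprovisionAccounts` now `false` in the preceding hunk a mismatch surfaces as a failed login rather than an auto-created account. That coupling between the identity provider's `sub` claim and the LDAP `uid` attribute is not stated anywhere in values.yaml; a comment next to `userIDClaim`, e.g. `# sub must equal the LDAP uid attribute (ldap.user.schema.id); autoprovisioning is off, so mismatches fail login`, would document the assumption. The hunk also drops the `scope: "openid profile email"` line without an obvious reason; if the targeted chart version still honours that key, the default scope will now apply, so it is worth confirming the removal is intentional and, if so, noting it in the commit description.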
@@ -181,6 +179,80 @@ features: - role_name: guest claim_value: ocisGuest + # LDAP related settings. + ldap: + uri: ldap://ak-outpost-owncloud-ldap-outpost.authentik.svc + insecure: true + # -- Writeable configures if oCIS is allowed to write to the LDAP server, to eg. create or edit users. + writeable: false + # -- If the LDAP server is set to writable in general, some user attributes can be restricted to read only in the UI. + # Note: This only disables editing in the UI. The readonly permissions need to be enforced in the LDAP server itself. + readOnlyAttributes: + [] + # - user.onPremisesSamAccountName # username + # - user.displayName # display name + # - user.mail # mail + # - user.passwordProfile # password + # - user.appRoleAssignments # role + # - user.accountEnabled # login allowed + # - drive.quota # quota + # -- DN of the user to use to bind to the LDAP server. + # The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`. + # The user needs to have permission to list users and groups. + bindDN: uid=ocis,ou=users,dc=owncloud,dc=home,dc=macro,dc=network + # -- Signals that the LDAP server has the refint plugin enabled, which makes some actions not needed. + refintEnabled: false + # -- Use the Password Modify Extended Operation for updating user passwords. + passwordModifyExOpEnabled: false + # -- If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using 'entryUUID' as the user ID attribute. + useServerUUID: false + user: + schema: + # -- LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID. + id: uid + # -- Set this to true if the defined `id` attribute for users is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the user ID`s. + idIsOctetString: false + # -- LDAP Attribute to use for the email address of users. 
+ mail: mail + # -- LDAP Attribute to use for the displayname of users. + displayName: displayName + # -- LDAP Attribute to use for username of users. + userName: cn + # -- LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'. + userType: ownCloudUserType + # -- Search base DN for looking up LDAP users. + baseDN: ou=users,dc=owncloud,dc=home,dc=macro,dc=network + # -- LDAP search scope to use when looking up users. Supported values are `base`, `one` and `sub`. + scope: sub + # -- Type of substring search filter to use for substring searches for users. Possible values: `initial` for doing prefix only searches, `final` for doing suffix only searches or `any` for doing full substring searches + substringFilterType: any + # -- LDAP filter to add to the default filters for user search like `(objectclass=ownCloud)`. + filter: "(objectclass=user)" + # -- The object class to use for users in the default user search filter like `inetOrgPerson`. + objectClass: user + group: + schema: + # -- LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID. + id: uid + # -- Set this to true if the defined `id` attribute for groups is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the group ID`s. + idIsOctetString: false + # -- LDAP Attribute to use for the email address of groups (can be empty). + mail: ~ + # -- LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). + displayName: cn + # -- LDAP Attribute to use for the name of groups. + groupName: cn + # -- LDAP Attribute that is used for group members. + member: member + # -- Search base DN for looking up LDAP groups. + baseDN: ou=groups,dc=owncloud,dc=home,dc=macro,dc=network + # -- LDAP search scope to use when looking up groups. Supported values are `base`, `one` and `sub`. 
+ scope: sub + # -- LDAP filter to add to the default filters for group searches. + filter: "(objectclass=group)" + # -- The object class to use for groups in the default group search filter like `groupOfNames`. + objectClass: group + # Define custom roles here. Note that the definition will be either or. So you cannot provide a ConfigMap name and text at once. roles: # -- Define the roles by specifying a name of a ConfigMap which already contains the the role description (might also be defined in the `extraResources` section). @@ -231,9 +303,10 @@ ingress: gethomepage.dev/enabled: "true" gethomepage.dev/name: ownCloud gethomepage.dev/group: Apps - gethomepage.dev/icon: owncloud + gethomepage.dev/icon: si-owncloud gethomepage.dev/description: File Storage and Collaboration gethomepage.dev/external: "true" + gethomepage.dev/siteMonitor: "http://proxy.ocis.svc:9205/healthz" gethomepage.dev/podSelector: "" tls: - hosts: @@ -286,7 +359,7 @@ secretRefs: # -- Reference to an existing LDAP cert secret (see ref:Secrets#secrets). Not used if `features.externalUserManagement.enabled` equals `true`. ldapCertRef: "" # -- Reference to an existing LDAP bind secret (see ref:Secrets#secrets). - ldapSecretRef: "" + ldapSecretRef: "ldap-bind-secrets" # -- Reference to an existing machine auth api key secret (see ref:Secrets#secrets) machineAuthApiKeySecretRef: "" # -- Reference to an existing messaging system certificate authority secret (see ref:Secrets#secrets)
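Review bot: `uri: ldap://ak-outpost-owncloud-ldap-outpost.authentik.svc` with `insecure: true` puts the bind credential and every user/group lookup on the cluster network in plaintext, and `insecure: true` additionally indicates certificate verification would be skipped if the URI were ever switched to LDAPS. Where the outpost offers a TLS listener, the safer configuration is `uri: ldaps://ak-outpost-owncloud-ldap-outpost.authentik.svc` with `insecure: false`; note that the chart comment in the `secretRefs` hunk says `ldapCertRef` is not used when `features.externalUserManagement.enabled` is `true`, so how the CA is supplied in this mode needs checking against the chart before changing it. If plaintext is a deliberate trade-off for in-cluster traffic, a comment on `insecure:` stating that rationale, e.g. `# plaintext LDAP accepted: traffic stays on the cluster network; revisit if the outpost exposes LDAPS`, avoids the setting being read as an oversight. Separately, the chart's own comment says the user `id` attribute should be a stable globally unique value; whether the outpost's `uid` attribute meets that is not visible here, so a short note on `id: uid` confirming it was verified would help.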
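Review bot: `ldapSecretRef: "ldap-bind-secrets"` depends on the ExternalSecret target from ldap-auth.yaml landing in the same namespace as the chart release, yet none of the resources in that file set `metadata.namespace`, so they rely entirely on the application's destination namespace. That is presumably fine as long as both are deployed through the same application, but a comment here, e.g. `# created by ldap-auth.yaml (ExternalSecret) in this application's namespace`, would make the cross-file dependency explicit.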