enable oauth clients on demand

[nivemaham]

enable oauth clients

[blootsvoets]

As a question: do we want to be backwards compatible? If not, I'd propose to have a unified view, like

oauthClients:
  pRMT:
    enable: false
    resource_ids: res_gateway,res_ManagementPortal
    client_secret: ""
    scope: MEASUREMENT.CREATE,SUBJECT.UPDATE,SUBJECT.READ,PROJECT.READ,SOURCETYPE.READ,SOURCE.READ,SOURCETYPE.READ,SOURCEDATA.READ,USER.READ,ROLE.READ
    authorized_grant_types: refresh_token,authorization_code
    redirect_uri: ""
    authorities: ""
    access_token_validity: 43200
    refresh_token_validity: 7948800
    additional_information: '{"dynamic_registration": true}'
    autoapprove: ""

etc... for other clients. Then the template would be something like

client_id;resource_ids;client_secret;scope;authorized_grant_types;redirect_uri;authorities;access_token_validity;refresh_token_validity;additional_information;autoapprove
{{- range $clientId, $client := .Values.oauthClients -}}
{{- if $client.enable }}
{{ $clientId }};{{ $client.resource_ids }};{{ $client.client_secret }};{{ $client.scope }};{{ $client.authorized_grant_types }};{{ $client.redirect_uri | default "" }};{{ $client.authorities | default "" }};{{ $client.access_token_validity }};{{ $client. refresh_token_validity | default "0" }};{{ $client.additional_information | default "" }};{{ $client.autoapprove | default "" }}
{{- end -}}
{{- end -}}

Then in values, you can easily enable existing clients with values

oauthClients:
  pRMT:
    enable: true
    secret: mySecret

and add your own clients as well.

[nivemaham]

I think we can do the change we suggested as well. It would be a bigger change though. I find current setup easier to maintain. Plus do we want to put the oauth client details of a specific component inside the chart ?

[keyvaann]

The suggestions from Joris seem good to me and I think we can break backward compatibility here as we don't use this project in many installations yet.

[nivemaham]

I am getting the error message below when I run helmfile -f filename template

  Error: template: management-portal/templates/deployment.yaml:19:31: executing "management-portal/templates/deployment.yaml" at <include (print $.Template.BasePath "/configmap.yaml") .>: error calling include: template: management-portal/templates/configmap.yaml:14:18: executing "management-portal/templates/configmap.yaml" at <$client.enable>: can't evaluate field enable in type interface {}
  

Any idea how to iterate through this custom model?
I think the below model would work instead, then enabling clients based on name would be tricky.

oauthClients:
  - enable: false
    resource_ids: res_gateway,res_ManagementPortal
    client_secret: ""
    scope: MEASUREMENT.CREATE,SUBJECT.UPDATE,SUBJECT.READ,PROJECT.READ,SOURCETYPE.READ,SOURCE.READ,SOURCETYPE.READ,SOURCEDATA.READ,USER.READ,ROLE.READ
    authorized_grant_types: refresh_token,authorization_code
    redirect_uri: ""
    authorities: ""
    access_token_validity: 43200
    refresh_token_validity: 7948800
    additional_information: '{"dynamic_registration": true}'
    autoapprove: ""

@K1Hyve @blootsvoets Any thoughts?

[keyvaann]

@nivemaham I think you should quote the enable value and put "false" instead

[blootsvoets]

Maybe because you're using an array instead of an object? It's complaining that it can't find your object ({}). {{- range $clientId, $client := .Values.oauthClients -}} only works if the oauthClients is a map. enable should be a boolean rather than a string (as you already wrote), because it is evaluated as such.

[blootsvoets]

@K1Hyve @nivemaham refactored the PR to have fully configurable OAuth 2.0 clients. Coul you please review?