From 77a28b6a4c3e0b9d7ae02e3f3bfa7b7583d21589 Mon Sep 17 00:00:00 2001
From: Stefan Hausotte
Date: Wed, 28 Jan 2026 20:44:06 +0100
Subject: [PATCH] feat: add OpenIdConnect/OAuth2 support
---
 charts/kellnr/templates/config.yaml | 26 ++++++++++++++++++
 charts/kellnr/templates/deployment.yaml | 5 ++++
 charts/kellnr/templates/secret-config.yaml | 26 ++++++++++++++++++
 charts/kellnr/values.yaml | 31 ++++++++++++++++++++++
 4 files changed, 88 insertions(+)
diff --git a/charts/kellnr/templates/config.yaml b/charts/kellnr/templates/config.yaml
index 243cce8..d8d270c 100644
--- a/charts/kellnr/templates/config.yaml
+++ b/charts/kellnr/templates/config.yaml
@@ -55,3 +55,29 @@ data:
 KELLNR_S3__ALLOW_HTTP: {{ .Values.kellnr.s3.allowHttp | quote }}
 KELLNR_S3__CRATES_BUCKET: {{ .Values.kellnr.s3.crates_bucket | quote }}
 KELLNR_S3__CRATESIO_BUCKET: {{ .Values.kellnr.s3.cratesio_bucket | quote }}
+ # OAuth2/OpenID Connect
+ KELLNR_OAUTH2__ENABLED: {{ .Values.kellnr.oauth2.enabled | quote }}
+{{- if .Values.kellnr.oauth2.issuerUrl }}
+ KELLNR_OAUTH2__ISSUER_URL: {{ .Values.kellnr.oauth2.issuerUrl | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.clientId }}
+ KELLNR_OAUTH2__CLIENT_ID: {{ .Values.kellnr.oauth2.clientId | quote }}
+{{- end }}
+{{- if and .Values.kellnr.oauth2.clientSecret (not .Values.kellnr.oauth2.clientSecretRef.name) }}
+ KELLNR_OAUTH2__CLIENT_SECRET: {{ .Values.kellnr.oauth2.clientSecret | quote }}
+{{- end }}
+ KELLNR_OAUTH2__SCOPES: {{ .Values.kellnr.oauth2.scopes | quote }}
+ KELLNR_OAUTH2__AUTO_PROVISION_USERS: {{ .Values.kellnr.oauth2.autoProvisionUsers | quote }}
+{{- if .Values.kellnr.oauth2.adminGroupClaim }}
+ KELLNR_OAUTH2__ADMIN_GROUP_CLAIM: {{ .Values.kellnr.oauth2.adminGroupClaim | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.adminGroupValue }}
+ KELLNR_OAUTH2__ADMIN_GROUP_VALUE: {{ .Values.kellnr.oauth2.adminGroupValue | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.readOnlyGroupClaim }}
+ KELLNR_OAUTH2__READ_ONLY_GROUP_CLAIM: {{ .Values.kellnr.oauth2.readOnlyGroupClaim | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.readOnlyGroupValue }}
+ KELLNR_OAUTH2__READ_ONLY_GROUP_VALUE: {{ .Values.kellnr.oauth2.readOnlyGroupValue | quote }}
+{{- end }}
+ KELLNR_OAUTH2__BUTTON_TEXT: {{ .Values.kellnr.oauth2.buttonText | quote }}
diff --git a/charts/kellnr/templates/deployment.yaml b/charts/kellnr/templates/deployment.yaml
index c358edf..79e6cf1 100644
--- a/charts/kellnr/templates/deployment.yaml
+++ b/charts/kellnr/templates/deployment.yaml
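Review bot: `KELLNR_OAUTH2__CLIENT_SECRET` is rendered from `.Values.kellnr.oauth2.clientSecret` straight into this template's `data:` map, which — given the plain `quote`d values here and the separate `stringData:` template for the Secret variant — reads as a ConfigMap, so a user who takes the inline-secret path lands the OAuth2 client secret in an object that is readable by anyone with ConfigMap read access and is not covered by the Secret-specific RBAC and encryption-at-rest controls. The condition also ignores `.Values.kellnr.oauth2.enabled`, so the value is written even when OAuth2 is switched off. I would drop the `{{- if and ... clientSecret ... }}` block from this file and honour `clientSecret` only in secret-config.yaml, or, if the ConfigMap really is the path used when the Secret variant is disabled (as `.Values.secret.enabled` in deployment.yaml suggests), reject it at render time with a `{{- fail "..." }}` naming `clientSecretRef` as the alternative. The enclosing `data:` mapping starts above this hunk.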
@@ -82,6 +82,11 @@ spec:
 valueFrom:
 secretKeyRef: {{ toYaml .Values.kellnr.postgres.pwdSecretRef | nindent 16 }}
 {{- end }}
+ {{- if and .Values.kellnr.oauth2.enabled .Values.kellnr.oauth2.clientSecretRef.name }}
+ - name: KELLNR_OAUTH2__CLIENT_SECRET
+ valueFrom:
+ secretKeyRef: {{ toYaml .Values.kellnr.oauth2.clientSecretRef | nindent 16 }}
+ {{- end }}
 envFrom:
 {{- if .Values.secret.enabled }}
 - secretRef:
diff --git a/charts/kellnr/templates/secret-config.yaml b/charts/kellnr/templates/secret-config.yaml
index 15e2fa6..a7500bb 100644
--- a/charts/kellnr/templates/secret-config.yaml
+++ b/charts/kellnr/templates/secret-config.yaml
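Review bot: The `secretKeyRef` injection is gated on `.Values.kellnr.oauth2.enabled`, but the inline `clientSecret` branches in config.yaml and secret-config.yaml are gated only on `clientSecret` being set and `clientSecretRef.name` being empty, so the two secret paths diverge when `enabled` is false — the reference is withheld while an inline value is still rendered. Either add `.Values.kellnr.oauth2.enabled` to those two conditions or drop it from this one, so both paths follow the values.yaml statement that `clientSecretRef` simply takes precedence. Since Kubernetes applies `env` entries over keys pulled in via `envFrom`, this `valueFrom` entry would override an inline `KELLNR_OAUTH2__CLIENT_SECRET` even without the `not clientSecretRef.name` guard in the config templates, which is worth recording here as `# env overrides envFrom: this ref wins over any inline KELLNR_OAUTH2__CLIENT_SECRET`. The container env list this entry belongs to starts above the hunk.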
@@ -50,4 +50,30 @@ stringData:
 KELLNR_S3__ALLOW_HTTP: {{ .Values.kellnr.s3.allowHttp | quote }}
 KELLNR_S3__CRATES_BUCKET: {{ .Values.kellnr.s3.crates_bucket | quote }}
 KELLNR_S3__CRATESIO_BUCKET: {{ .Values.kellnr.s3.cratesio_bucket | quote }}
+ # OAuth2/OpenID Connect
+ KELLNR_OAUTH2__ENABLED: {{ .Values.kellnr.oauth2.enabled | quote }}
+{{- if .Values.kellnr.oauth2.issuerUrl }}
+ KELLNR_OAUTH2__ISSUER_URL: {{ .Values.kellnr.oauth2.issuerUrl | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.clientId }}
+ KELLNR_OAUTH2__CLIENT_ID: {{ .Values.kellnr.oauth2.clientId | quote }}
+{{- end }}
+{{- if and .Values.kellnr.oauth2.clientSecret (not .Values.kellnr.oauth2.clientSecretRef.name) }}
+ KELLNR_OAUTH2__CLIENT_SECRET: {{ .Values.kellnr.oauth2.clientSecret | quote }}
+{{- end }}
+ KELLNR_OAUTH2__SCOPES: {{ .Values.kellnr.oauth2.scopes | quote }}
+ KELLNR_OAUTH2__AUTO_PROVISION_USERS: {{ .Values.kellnr.oauth2.autoProvisionUsers | quote }}
+{{- if .Values.kellnr.oauth2.adminGroupClaim }}
+ KELLNR_OAUTH2__ADMIN_GROUP_CLAIM: {{ .Values.kellnr.oauth2.adminGroupClaim | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.adminGroupValue }}
+ KELLNR_OAUTH2__ADMIN_GROUP_VALUE: {{ .Values.kellnr.oauth2.adminGroupValue | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.readOnlyGroupClaim }}
+ KELLNR_OAUTH2__READ_ONLY_GROUP_CLAIM: {{ .Values.kellnr.oauth2.readOnlyGroupClaim | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.readOnlyGroupValue }}
+ KELLNR_OAUTH2__READ_ONLY_GROUP_VALUE: {{ .Values.kellnr.oauth2.readOnlyGroupValue | quote }}
+{{- end }}
+ KELLNR_OAUTH2__BUTTON_TEXT: {{ .Values.kellnr.oauth2.buttonText | quote }}
 {{- end }}
diff --git a/charts/kellnr/values.yaml b/charts/kellnr/values.yaml
index 71f0436..107681a 100644
--- a/charts/kellnr/values.yaml
+++ b/charts/kellnr/values.yaml
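Review bot: These 26 added lines are a byte-for-byte copy of the block added to config.yaml in the same commit, so the two env maps will drift the next time an OAuth2 setting is added or renamed. Move the shared keys into a named template (Helm convention is a `_helpers.tpl`, e.g. `{{- define "kellnr.oauth2Env" -}}`) and pull it into both files with `{{- include "kellnr.oauth2Env" . | nindent 2 }}`; the client-secret branch, which differs in sensitivity from the rest, can be left outside the shared template and placed per file. The `stringData:` map and the `{{- if }}` guarding this template start above the hunk; its closing `{{- end }}` is the last context line here.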
@@ -129,6 +129,37 @@ kellnr:
 crates_bucket: "kellnr-crates"
 cratesio_bucket: "kellnr-cratesio"
+ # OAuth2/OpenID Connect authentication
+ # See https://kellnr.io/documentation for details
+ oauth2:
+ enabled: false
+ # OIDC issuer URL (discovery URL)
+ # Example: "https://authentik.example.com/application/o/kellnr/"
+ issuerUrl: ""
+ # OAuth2 client ID
+ clientId: ""
+ # OAuth2 client secret - prefer using clientSecretRef for production
+ clientSecret: ""
+ # Reference to an existing Kubernetes secret containing the client secret
+ # When set, this takes precedence over clientSecret
+ clientSecretRef:
+ name: ""
+ key: "client-secret"
+ # OAuth2 scopes to request (comma-separated)
+ scopes: "openid,profile,email"
+ # Automatically create local user accounts for new OAuth2 users
+ autoProvisionUsers: true
+ # Claim name to check for admin group membership (e.g., "groups")
+ adminGroupClaim: ""
+ # Value in the admin group claim that grants admin privileges (e.g., "kellnr-admins")
+ adminGroupValue: ""
+ # Claim name to check for read-only group membership (e.g., "groups")
+ readOnlyGroupClaim: ""
+ # Value in the read-only group claim that grants read-only access (e.g., "kellnr-readonly")
+ readOnlyGroupValue: ""
+ # Text displayed on the OAuth2 login button
+ buttonText: "Login with SSO"
+
 service:
 api:
 type: ClusterIP
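Review bot: `autoProvisionUsers: true` together with empty `adminGroupClaim`/`readOnlyGroupClaim` defaults means that, if the server behaves as the comment describes, every identity the issuer authenticates gets a local Kellnr account the moment `enabled` is flipped on, so who may register is decided entirely by the IdP's application assignment — that deserves stating next to the key, e.g. `# Default true: any user the issuer accepts gets a local account; restrict sign-in at the IdP or set the group claims below`. The `clientSecret` comment recommends `clientSecretRef` for production without saying why; I would extend it to `# prefer clientSecretRef for production: it keeps the value out of the rendered manifests and the release's stored values`. The `kellnr:` mapping these keys belong to starts above the hunk.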