chore(charts): allow local oidc provider (#938)

* chore(charts): allow local oidc provider

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

* chore(charts): bump chart version

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

* docs(charts): document oidc.provider.sameCluster and oidc.provider.port

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

* chore(charts): remove alpha version

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

---------

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

charts/substra-backend/CHANGELOG.md

@@ -1,16 +1,21 @@
 # Changelog
 
 <!-- towncrier release notes start -->
+## [26.7.4] - 2024-06-28
+
+### Added
+
+- Enable egress connections from server to an oidc client when deployed in the same cluster.
+
 ## [26.7.3] - 2024-06-20
 
 ### Fixed
 
 - Allow egress connections from worker to the internet. This is needed for deployment when all organizations are not in the same cluster, and the worker then need to download images from other organizations
 
-### Removed 
+### Removed
 
 - Network policy `xxx-registry-remote-egress` as it is now covered by `role-internet-egress: 'true'`
-
 
 ## [26.7.2] - 2024-06-13
 
@@ -59,7 +64,7 @@
 
 ### Fixed
 
-- Open ingress for `docker-registry` when `containerRegistry.local` is `true` as it it is necessary on some infrastructure (#916)
+- Open ingress for `docker-registry` when `containerRegistry.local` is `true` as it is necessary on some infrastructure (#916)
 
 ## [26.6.4] - 2024-05-27
 

charts/substra-backend/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: substra-backend
 home: https://github.com/Substra
-version: 26.7.3
+version: 26.7.4
 appVersion: 0.47.0
 kubeVersion: ">= 1.19.0-0"
 description: Main package for Substra

charts/substra-backend/README.md

@@ -357,7 +357,9 @@ Else, you must strike a balance: longer durations are more convenient, but risk
 | `oidc.enabled`                          | Whether to enable OIDC authentication                                                                                                                           | `false` |
 | `oidc.clientSecretName`                 | The name of a secret containing the keys `OIDC_RP_CLIENT_ID` and `OIDC_RP_CLIENT_SECRET` (client ID and secret, typically issued by the provider)               | `nil`   |
 | `oidc.provider.url`                     | The identity provider URL (with scheme).                                                                                                                        | `nil`   |
+| `oidc.provider.port`                    | The identity provider port                                                                                                                                      | `443`   |
 | `oidc.provider.displayName`             | The name of the provider as displayed in the interface ("Sign in with X")                                                                                       | `nil`   |
+| `oidc.provider.sameCluster`             | Turn this setting to on when the OIDC client is hosted on the same cluster to allow a more relaxed network policy                                               | `false` |
 | `oidc.provider.endpoints.authorization` | Typically https://provider/auth                                                                                                                                 | `nil`   |
 | `oidc.provider.endpoints.token`         | Typically https://provider/token                                                                                                                                | `nil`   |
 | `oidc.provider.endpoints.user`          | Typically https://provider/me                                                                                                                                   | `nil`   |

charts/substra-backend/templates/networkpolicy-server.yaml

@@ -25,6 +25,9 @@ kind: NetworkPolicy
 metadata:
   name: {{ template "substra.name" . }}-server-egress
 spec:
+  podSelector:
+    matchLabels:
+      role-server-client: 'true'
   egress:
   - ports:
     - port: {{ .Values.server.service.port }}
@@ -38,11 +41,22 @@ spec:
     # Allow communication between backends in same cluster
     - ipBlock:
         cidr: 10.0.0.0/8
+    - ipBlock:
+        cidr: 192.168.0.0/16
     - ipBlock:
         cidr: 172.16.0.0/20
       {{- end }}
-  podSelector:
-    matchLabels:
-      role-server-client: 'true'
+  {{- if .Values.oidc.provider.sameCluster }}
+  - ports:
+    - port: {{ .Values.oidc.provider.port }}
+      protocol: TCP
+    to:
+    - ipBlock:
+        cidr: 10.0.0.0/8
+    - ipBlock:
+        cidr: 192.168.0.0/16
+    - ipBlock:
+        cidr: 172.16.0.0/20
+    {{- end }}
   policyTypes:
   - Egress

charts/substra-backend/values.yaml

@@ -881,8 +881,12 @@ oidc:
   provider:
     ## @param oidc.provider.url The identity provider URL (with scheme).
     url: null
+    ## @param oidc.provider.port The identity provider port
+    port: 443
     ## @param oidc.provider.displayName The name of the provider as displayed in the interface ("Sign in with X")
     displayName: null
+    ## @param oidc.provider.sameCluster Turn this setting to on when the OIDC client is hosted on the same cluster to allow a more relaxed network policy
+    sameCluster: false
     # @param oidc.provider.endpoints The endpoints are appended to the given provider domain. If not given, they are read from `/.well-known/openid-configuration` at startup.
     endpoints:
       ## @param oidc.provider.endpoints.authorization Typically https://provider/auth