charts/yeti Add OIDC authentication (#160)

* Initial commit for yeti oidc * Update yeti system webroot * Update README.md with readme-generator-for-helm Signed-off-by: wajihyassine <wajihyassine@users.noreply.github.com> * updates to oidc * Update README.md with readme-generator-for-helm Signed-off-by: wajihyassine <wajihyassine@users.noreply.github.com> --------- Signed-off-by: wajihyassine <wajihyassine@users.noreply.github.com> Co-authored-by: wajihyassine <wajihyassine@users.noreply.github.com>
google · Jan 17, 2025 · cef2a1a · cef2a1a
1 parent ec61992
commit cef2a1a
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 7 deletions.
diff --git a/charts/yeti/Chart.yaml b/charts/yeti/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: yeti
-version: 1.0.4
+version: 1.0.5
 description: A Helm chart for Yeti Kubernetes deployments.
 keywords:
 - yeti

diff --git a/charts/yeti/README.md b/charts/yeti/README.md
@@ -137,13 +137,20 @@ kubectl delete pvc -l release=my-release
 
 ### Common Parameters
 
+| Name                         | Description                                           | Value       |
+| ---------------------------- | ----------------------------------------------------- | ----------- |
+| `serviceAccount.create`      | Specifies whether a service account should be created | `true`      |
+| `serviceAccount.annotations` | Annotations to add to the service account             | `{}`        |
+| `serviceAccount.name`        | The name of the service account to use                | `yeti`      |
+| `service.type`               | Yeti service type                                     | `ClusterIP` |
+| `service.port`               | Yeti service port                                     | `9000`      |
+
+### Yeti Configuration Parameters
+
 | Name                              | Description                                                                                                                        | Value               |
 | --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
-| `serviceAccount.create`           | Specifies whether a service account should be created                                                                              | `true`              |
-| `serviceAccount.annotations`      | Annotations to add to the service account                                                                                          | `{}`                |
-| `serviceAccount.name`             | The name of the service account to use                                                                                             | `yeti`              |
-| `service.type`                    | Yeti service type                                                                                                                  | `ClusterIP`         |
-| `service.port`                    | Yeti service port                                                                                                                  | `9000`              |
+| `config.oidc.enabled`             | Enables Yeti OIDC authentication (currently only supports Google OIDC)                                                             | `false`             |
+| `config.oidc.existingSecret`      | Existing secret with the client ID, secret and cookie secret                                                                       | `""`                |
 | `metrics.enabled`                 | Enables metrics scraping                                                                                                           | `true`              |
 | `metrics.port`                    | Port to scrape metrics from                                                                                                        | `9200`              |
 | `persistence.name`                | Yeti persistent volume name                                                                                                        | `yetivolume`        |

diff --git a/charts/yeti/templates/_env.tpl b/charts/yeti/templates/_env.tpl
@@ -23,9 +23,29 @@ Worker pod upon startup.
 - name: YETI_AUTH_ALGORITHM
   value: HS256
 - name: YETI_AUTH_ACCESS_TOKEN_EXPIRE_MINUTES
-  value: "30"
+  value: "10000"
 - name: YETI_AUTH_ENABLED
   value: "True"
+{{- if and .Values.config.oidc.enabled .Values.config.oidc.existingSecret }}
+- name: YETI_AUTH_MODULE
+  value: "oidc"
+- name: YETI_AUTH_OIDC_DISCOVERY_URL
+  value: "https://accounts.google.com/.well-known/openid-configuration"
+- name: YETI_AUTH_OIDC_CLIENT_ID
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.oidc.existingSecret | quote }}
+      key: "client-id"
+- name: YETI_AUTH_OIDC_CLIENT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.oidc.existingSecret | quote }}
+      key: "client-secret"
+{{- if .Values.ingress.host }}
+- name: YETI_SYSTEM_WEBROOT
+  value: {{ printf "https://%s" .Values.ingress.host | quote }}
+{{- end }}
+{{- end }}
 - name: YETI_SYSTEM_PLUGINS_PATH
   value: "./plugins"
 - name: YETI_USER_PASSWORD

diff --git a/charts/yeti/values.yaml b/charts/yeti/values.yaml
@@ -280,6 +280,19 @@ service:
   ## @param service.port Yeti service port
   ##
   port: 9000
+## @section Yeti Configuration Parameters
+## ref: https://github.com/yeti-platform/yeti/blob/main/yeti.conf.sample
+##
+config:
+  ## Yeti OIDC configuration
+  ##
+  oidc:
+    ## @param config.oidc.enabled Enables Yeti OIDC authentication (currently only supports Google OIDC)
+    ##
+    enabled: false
+    ## @param config.oidc.existingSecret Existing secret with the client ID, secret and cookie secret
+    ##
+    existingSecret: ""
 ## Metrics Parameters
 ## IMPORTANT: Yeti utilizes Prometheus to scrape metrics through annotations
 ## Please ensure the Prometheus server is also installed to the cluster for metrics to scrape properly