Feat add authorization options #542
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Closed
As I recall, you can pass it via |
robholland
approved these changes
Sep 2, 2024
Ah, I tried it this way and I either had an older build of the CLI or was doing it wrong. I ended up getting auth working by passing |
mihaelabalas84
added a commit
to fairmoney/temporal-helm-charts
that referenced
this pull request
Oct 2, 2024
* update ui image to 2.25.0 (temporalio#478) Signed-off-by: Tihomir Surdilovic <tihomir@temporal.io> * Allow forcing a specific chart version. (temporalio#479) This is useful for patch releases on older release lines. * Update Chart to 0.37.0, Temporal v1.23.1 * Ensure appVersion is used by default as the server image tag. (temporalio#488) * Bumps server version to the specified appVersion * Use chart.appversion instead of image.tag from values in deployment spec * Allow overriding deployment spec with image.tag --------- Co-authored-by: Kshitij <kshitij.tulsyan@observe.ai> * Update Chart to 0.38.1, Temporal v1.23.1 * [Bug] Allow and document configuring Web UI via values.yaml (temporalio#394) 1. remove web ui config in values.yaml 2. remove web config volume in web-deployment.yaml 3. remove web-config config map 4. remove line 280 since the install bash didn't configure web ui auth 5. update the document for web ui configuration with env variable Co-authored-by: Rob Holland <rob.holland@gmail.com> * fix(imageTag): Fix default type in values for imageTag (temporalio#489) * Update Chart to 0.39.0, Temporal v1.24.0 * Update README.md * Update Chart to 0.39.1, Temporal v1.24.1 * Switch to devrel. * Support new admintools image tag format (temporalio#493) * Require tags for server, admintools and ui. Don't use server tag for admintools, it's versioned separately now. * Update Chart to 0.40.0. * fix: add support for pre upgrade. (temporalio#476) * adding missing ImagePullSecrets section to web deployment * Whitespace. * fix: Use visibility server when defining visibility config (temporalio#436) Co-authored-by: Rob Holland <rob@temporal.io> * fix: sidecarContainers should be an array, not a dict * Use tplvalues.render for templating inside values (temporalio#492) Allow templated values inside the values.yaml for web annotations * Apply security context regardless of persistence engine. (temporalio#494) Replaces temporalio#308. * Update Chart to 0.40.1. * Allow to skip database creation (temporalio#480) Signed-off-by: Valentin Zayash <valioozz@gmail.com> * Update Cassandra host URLs to remove the ".cluster.local" suffix (temporalio#485) * Update Cassandra host URLs to remove the ".cluster.local" suffix * Configure SQL TLS environment variables in server-job (temporalio#411) * Configure SQL_TLS environment variables in server-job * Update Chart to 0.41.0. * Fix weird helm lint false alarm. Fixes temporalio#284. * Helm 2 compat. Fixes temporalio#187. * Update codeowners. * Revert "Update Cassandra host URLs to remove the ".cluster.local" suffix (temporalio#485)" (temporalio#500) This reverts commit b25c4fc. * Update Chart to 0.41.1. * Adds a PodDisruptionBudget and topologySpreadConstraints to web (temporalio#409) * Adds a PodDisruptionBudget and topologySpreadConstraints to web * fixing type on topologySpreadConstraints topologySpreadConstraints should be a list instead of map * Update Chart to 0.42.0. * Update README to mention you cannot do Cassandra only anymore. (temporalio#499) Related: temporalio#470. * Remove invalid line. (temporalio#502) Fixes temporalio#426 * Service account should be set when present, even if not creating. (temporalio#498) Fixes temporalio#403. * Correct outdated port config. (temporalio#497) Fixes temporalio#333 and temporalio#149. Context: temporalio/temporal#650 * Update Chart to 0.43.0. * ElasticSearch -> Elasticsearch * fix: Escape ES credentials (temporalio#505) * feat: updated grafana and prometheus helm dependencies (temporalio#424) * feat: bump grafana and prometheus charts versions Signed-off-by: David Calvert <david@0xdc.me> * Remove hard coded cluster.local references. (temporalio#501) Switch check-cassandra-service init container to use nc. nslookup in recent busybox images is broken and doesn't obey resolv.conf, meaning it won't check k8s search domains. * Enable HTTP API for Nexus (temporalio#511) * Enable HTTP API for Nexus * Update charts/temporal/templates/server-service.yaml * Add FE Ingress (temporalio#435) * Add ingress for frontend * Add CONTRIBUTING. * Note contributing in README. * Note slack channel. * Use a shared config map for all services. (temporalio#514) Remove helpers in favour of defaults via values file. Remove unused Elasticsearch environment variables. Stop switching between es-visibility and visibility for store names. * Pass `ct lint` * Lint chart on PR. * Setup for `ci install`. (temporalio#522) * Setup for `ci install`. Adds a test so that `helm test` now checks that the cluster is healthy after the system is deployed. Refactors server-job to remove the use of helm hooks which cause lot of users pain and don't work with --wait, or the mechanism that helm test uses. Improve the handling of elasticsearch by treating it just like the other drivers. Correctly handle the schema.createDatabase setting which previously had edge cases. * Secret key fixes. * Fix missed ES quoting issue. * Add postgres-es test. * Fix branch reference. * Update Chart to 0.44.0. * Update README to use repo. (temporalio#531) * Update README to use repo. Fixes temporalio#458 --------- Co-authored-by: Alex Garnett <axfelix@gmail.com> * Check for pgx driver as well as plain postgres. (temporalio#546) Fixes temporalio#532 * Templatize resourceLabels for standardization (temporalio#539) * Templatize resourceLabels for standardization * Feat add authorization options (temporalio#542) Server authorization config. * Quote sql password for default store in the same way as the visibility store (temporalio#551) * Update Chart to 0.45.0. * Update Chart to 0.45.1. * Update UI version description (temporalio#556) * Use admintools-env and secret for ES password consistent with e.g. jobs (temporalio#530) * Provide option to create default namespace (temporalio#550) * Provide option to create default namespace * Create multiple namespaces with optional retention --------- Co-authored-by: Manan Mangal <mmangal@paloaltonetworks.com> * add Job annotations and labels (temporalio#536) * add job labels and annotations Signed-off-by: André Bauer <andre.bauer@staffbase.com> Co-authored-by: Rob Holland <rob.holland@gmail.com> --------- Signed-off-by: André Bauer <andre.bauer@staffbase.com> Co-authored-by: Rob Holland <rob.holland@gmail.com> * Config to specify tags to be excluded in prometheus metrics (temporalio#566) * Config to specify tags to be excluded in prometheus metrics --------- Co-authored-by: Rob Holland <rob@temporal.io> * Update Chart to 0.46.0. * Ensure we use global for includes. (temporalio#568) Some call sites used . which was sometimes not the global context. * Update Chart to 0.46.1. * Update _helpers.tpl to avoid nested custom resource label (temporalio#576) * Update Chart to 0.46.2. * fix identation --------- Signed-off-by: Tihomir Surdilovic <tihomir@temporal.io> Signed-off-by: Valentin Zayash <valioozz@gmail.com> Signed-off-by: David Calvert <david@0xdc.me> Signed-off-by: André Bauer <andre.bauer@staffbase.com> Co-authored-by: Tihomir Surdilovic <tihomir@temporal.io> Co-authored-by: Rob Holland <rob.holland@gmail.com> Co-authored-by: Temporal Data <commander-data@temporal.io> Co-authored-by: Kshitij Tulsyan <ktulsyan1990@gmail.com> Co-authored-by: Kshitij <kshitij.tulsyan@observe.ai> Co-authored-by: Jingyu <56581242+washanhanzi@users.noreply.github.com> Co-authored-by: Theo REY <account@reyth.dev> Co-authored-by: Alex Shtin <alex@shtin.com> Co-authored-by: Rob Holland <rob@temporal.io> Co-authored-by: Punit Kulal <punitkulal1996@gmail.com> Co-authored-by: Gerardo Enrique Mora Salazar <gerardo@ibm.com> Co-authored-by: Giovanny Gutiérrez <giovanny.gutierrez@commure.com> Co-authored-by: vogre <334187+vogre@users.noreply.github.com> Co-authored-by: Valentin Zayash <VLZZZ@users.noreply.github.com> Co-authored-by: Chris Taylor <taylor.cj@gmail.com> Co-authored-by: Grzegorz Kołakowski <grzegorz8@gmail.com> Co-authored-by: Prathyush PV <prathyushpv@gmail.com> Co-authored-by: sringel <903498+sringel@users.noreply.github.com> Co-authored-by: Alex Shtin <alex@temporal.io> Co-authored-by: David Calvert <david@0xdc.me> Co-authored-by: Roey Berman <roey@temporal.io> Co-authored-by: Rahul Kumar <rahulcomp24@gmail.com> Co-authored-by: Alex Garnett <axfelix@gmail.com> Co-authored-by: Sahil Vazirani <sahilvv@gmail.com> Co-authored-by: Quinn <116631861+qs-synth@users.noreply.github.com> Co-authored-by: Kristian Nordman <kristian@limber.no> Co-authored-by: Alex Tideman <alex.tideman@gmail.com> Co-authored-by: Csaba Tűz <124735422+csabatuz-chess@users.noreply.github.com> Co-authored-by: Manan Mangal <mananmangal@gmail.com> Co-authored-by: Manan Mangal <mmangal@paloaltonetworks.com> Co-authored-by: André Bauer <monotek@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What was changed
authorizationblock to templates to specify Authorizer and ClaimMapper settingsWhy?
This was done to allow overriding the noOp Authorizer and ClaimMapper when deploying via helm in the same way that the docker config_template.yaml handles overriding these values.
Checklist
Closes [Feature Request] Allow setting authorization via helm values #540
How was this tested:
I have deployed a simple service based on the DefaultAuthorizer and JWT issuer example within the same cluster as my helm deployment. Once deployed, I was able to issue a token with the steps from the JWT Issuer example and access temporal using tctl to list namespaces.
The latest version of Temporal CLI, does not appear to support passing an authorization token though.
I have updated the values file to include a commented example of the fields available. This matches what was implemented for
tlsfield.