added security section to Helm chart #3779

mercedes-benz · Jan 8, 2025 · a1bb836 · a1bb836
1 parent 013b494
commit a1bb836
Show file tree

Hide file tree

Showing 3 changed files with 106 additions and 26 deletions.
diff --git a/sechub-solution/helm/sechub-server/Chart.yaml b/sechub-solution/helm/sechub-server/Chart.yaml
@@ -9,4 +9,4 @@ type: application
 # This is the chart version.
 # This version number should be incremented each time you make changes to the chart and its templates.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.4.0
+version: 2.5.0
diff --git a/sechub-solution/helm/sechub-server/templates/deployment.yaml b/sechub-solution/helm/sechub-server/templates/deployment.yaml
@@ -473,22 +473,58 @@ spec:
         - name: SERVER_TOMCAT_ACCESSLOG_PATTERN
           value: "{{ .Values.server.spring.embeddedTomcat.logging.accessLogFormat }}"
 {{- end }}
-{{- if .Values.oauth2.enabled }}
 # ----------------------------------------------------------------------------------------------#
-# - Scope: Oauth2
+# - Scope: security
 # --------------------------------------------------------------------------------------------- #
         # See https://mercedes-benz.github.io/sechub/latest/sechub-operations.html#section-general-configuration
-        - name: SECHUB_SECURITY_OAUTH2_MODE
-          value: "{{ .Values.oauth2.mode }}"
-        - name: SECHUB_SECURITY_OAUTH2_JWK_SET_URI
-          value: "{{ .Values.oauth2.jwt.uri }}"
-        - name: SECHUB_SECURITY_OAUTH2_OPAQUE_TOKEN_CLIENT_ID
-          value: "{{ .Values.oauth2.opaque_token.client_id }}"
-        - name: SECHUB_SECURITY_OAUTH2_OPAQUE_TOKEN_CLIENT_SECRET
-          value: "{{ .Values.oauth2.opaque_token.client_secret }}"
-        - name: SECHUB_SECURITY_OAUTH2_OPAQUE_TOKEN_INTROSPECTION_URI
-          value: "{{ .Values.oauth2.opaque_token.introspection_uri }}"
+        - name: SECHUB_SECURITY_SERVER_MODES
+          value: "{{ .Values.security.resourceServer.modes }}"
+        - name: SECHUB_SECURITY_SERVER_OAUTH2_MODE
+          value: "{{ .Values.security.resourceServer.oauth2.mode }}"
+        # OAuth2 mode can be either 'jwt' or 'opaque-token'. Exactly one must be active.
+{{- if eq .Values.security.resourceServer.oauth2.mode "jwt" }}
+        - name: SECHUB_SECURITY_SERVER_OAUTH2_JWT_JWK_SET_URI
+          value: "{{ .Values.security.resourceServer.oauth2.jwt.jwkSetUri }}"
+{{- else if eq .Values.security.resourceServer.oauth2.mode "opaque-token" }}
+        - name: SECHUB_SECURITY_SERVER_OAUTH2_OPAQUE_TOKEN_CLIENT_ID
+          value: "{{ .Values.security.resourceServer.oauth2.opaqueToken.clientId }}"
+        - name: SECHUB_SECURITY_SERVER_OAUTH2_OPAQUE_TOKEN_CLIENT_SECRET
+          value: "{{ .Values.security.resourceServer.oauth2.opaqueToken.clientSecret }}"
+        - name: SECHUB_SECURITY_SERVER_OAUTH2_OPAQUE_TOKEN_INTROSPECTION_URI
+          value: "{{ .Values.security.resourceServer.oauth2.opaqueToken.introspectionUri }}"
 {{- end }}
+        - name: SECHUB_SECURITY_LOGIN_ENABLED
+          value: "{{ .Values.security.login.enabled }}"
+{{- if .Values.security.login.enabled }}
+        - name: SECHUB_SECURITY_LOGIN_LOGIN_PAGE
+          value: "{{ .Values.security.login.loginPage }}"
+        - name: SECHUB_SECURITY_LOGIN_REDIRECT_URI
+          value: "{{ .Values.security.login.redirectUri }}"
+        - name: SECHUB_SECURITY_LOGIN_MODES
+          value: "{{ .Values.security.login.modes }}"
+  {{- if contains "oauth2" .Values.security.login.modes }}
+        - name: SECHUB_SECURITY_LOGIN_OAUTH2_CLIENT_ID
+          value: "{{ .Values.security.login.oauth2.clientId }}"
+        - name: SECHUB_SECURITY_LOGIN_OAUTH2_CLIENT_SECRET
+          value: "{{ .Values.security.login.oauth2.clientSecret }}"
+        - name: SECHUB_SECURITY_LOGIN_OAUTH2_PROVIDER
+          value: "{{ .Values.security.login.oauth2.provider }}"
+        - name: SECHUB_SECURITY_LOGIN_OAUTH2_AUTHORIZATION_URI
+          value: "{{ .Values.security.login.oauth2.uri.authorization }}"
+        - name: SECHUB_SECURITY_LOGIN_OAUTH2_ISSUER_URI
+          value: "{{ .Values.security.login.oauth2.uri.issuer }}"
+        - name: SECHUB_SECURITY_LOGIN_OAUTH2_JWK_SET_URI
+          value: "{{ .Values.security.login.oauth2.uri.jwkSet }}"
+        - name: SECHUB_SECURITY_LOGIN_OAUTH2_REDIRECT_URI
+          value: "{{ .Values.security.login.oauth2.uri.redirect }}"
+        - name: SECHUB_SECURITY_LOGIN_OAUTH2_TOKEN_URI
+          value: "{{ .Values.security.login.oauth2.uri.token }}"
+        - name: SECHUB_SECURITY_LOGIN_OAUTH2_USER_INFO_URI
+          value: "{{ .Values.security.login.oauth2.uri.userInfo }}"
+  {{- end }}
+{{- end }}
+        - name: SECHUB_SECURITY_ENCRYPTION_SECRET_KEY
+          value: "{{ .Values.security.encryption.secretKey }}"
 # ----------------------------------------------------------------------------------------------#
 # - Scope: storage
 # --------------------------------------------------------------------------------------------- #

diff --git a/sechub-solution/helm/sechub-server/values.yaml b/sechub-solution/helm/sechub-server/values.yaml
@@ -155,19 +155,63 @@ go_mmproxy:
   # Choose a "go-mmproxy" docker image. See e.g. https://hub.docker.com/search?q=go-mmproxy
   image: "example.org/go-mmproxy:2.1.0"
 
-oauth2:
-  # Enable Oauth2 authentication
-  # Explanation of the modes and parameters: Search for 'oauth2' in documentation
-  # https://mercedes-benz.github.io/sechub/latest/sechub-operations.html#section-general-configuration
-  enabled: false
-  # Choose either 'JWT' or 'OPAQUE_TOKEN'
-  mode: JWT
-  jwt:
-    uri: https://sso.example.org/JWKS
-  opaque_token:
-    client_id: insert_your_client_id_here
-    client_secret: insert_your_client_secret_here
-    introspection_uri: https://sso.example.org/introspect.oauth2
+security:
+  # This section configures the application (or server) to be able to authorize incoming requests
+  resourceServer:
+    # The authorization can be configured in 'classic' or 'oauth2' mode. While both are possible, at least
+    # one must be active. Classic mode enables SecHub API Token authorization via basic auth.
+    modes: classic,oauth2
+    # classic: ... (To be implemented)
+    oauth2:
+      # OAuth2 authorization can be either 'jwt' or 'opaque-token'. Exactly one must be active.
+      mode: jwt
+      jwt:
+        # The location of the Json Web Key file. This is a meta data file necessary for JWT token validation.
+        jwkSetUri: https://sso.example.org/JWKS
+      opaqueToken:
+        # Client ID to use for token introspection. May be not the same client used for authentication.
+        clientId: insert_your_introspection_client_id_here
+        # Client secret to use for token introspection.
+        clientSecret: insert_your_introspection_client_secret_here
+        # This is the introspection endpoint of the IDP. For every incoming request this endpoint will be called.
+        introspectionUri: https://sso.example.org/introspect.oauth2
+  # This config defines everything necessary for the application (or server) to be able to offer user authentication.
+  # With this a login page will be available on the application.
+  login:
+    # Whether or not the login is enabled or not
+    enabled: false
+    # Path under which the login page will be hosted on the application (or server).
+    # Must not collide with other existing paths.
+    loginPage: /login
+    # Defines the URI to which the user is redirected after successful login.
+    redirectUri: https://sechub-web.example.org/index.html
+    # The authentication can be configured in 'classic' or 'oauth2' mode.
+    # While both are possible, at least one must be active when login is enabled.
+    modes: classic,oauth2
+    # classic: ... (To be implemented)
+    oauth2:
+      # Client credentials for authentication
+      clientId: insert_your_client_id_here
+      clientSecret: insert_your_client_secret_here
+      # Name of your IDP provider
+      provider: keycloak
+      uri:
+        # The endpoint where users are redirected to authenticate. Usually hosted by the IDP.
+        authorization: https://sso.example.org/authorization.oauth2
+        # Represents the issuing authority
+        issuer: https://sso.example.org/
+        # The endpoint that provides the JSON Web Key Set (JWKS) for verifying token signatures.
+        jwkSet: https://sso.example.org/realms/local-realm/protocol/openid-connect/certs
+        # The URL to which your IDP will redirect the user after they authenticate. This is an endpoint on the application.
+        redirect: https://sso.example.org/login/oauth2/code/keycloak
+        # The endpoint where the application exchanges an authorization code for an access token.
+        token: https://sso.example.org/realms/local-realm/protocol/openid-connect/token
+        # The endpoint used to retrieve user details (e.g., name, email, roles) based on the access token.
+        userInfo: https://sso.example.org/realms/local-realm/protocol/openid-connect/userinfo
+  encryption:
+    # Secret key used to encrypt the access token which is sent back to the user after sucessful authentication (or login).
+    # Must be AES256 compatible (256 bit / 32 byte)
+    secretKey: Insert-your-32-byte-string-here.
 
 storage:
   local: