From a46baddbc45c74fb5dd1d660ba3509b3ba6e8836 Mon Sep 17 00:00:00 2001
From: Kourosh Tafreshi
Date: Thu, 4 Aug 2022 19:07:51 +0300
Subject: [PATCH] Add OIDC to the HelmChart (#15469)
---
 helm/minio/templates/deployment.yaml | 18 ++++++++++++++++++
 helm/minio/templates/statefulset.yaml | 18 ++++++++++++++++++
 helm/minio/values.yaml | 15 +++++++++++++++
 3 files changed, 51 insertions(+)
diff --git a/helm/minio/templates/deployment.yaml b/helm/minio/templates/deployment.yaml
index 0b2173c4d..062d141f2 100644
--- a/helm/minio/templates/deployment.yaml
+++ b/helm/minio/templates/deployment.yaml
@@ -118,6 +118,24 @@ spec:
 - name: MINIO_PROMETHEUS_AUTH_TYPE
 value: "public"
 {{- end}}
+ {{- if .Values.oidc.enabled }}
+ - name: MINIO_IDENTITY_OPENID_CONFIG_URL
+ value: {{ .Values.oidc.configUrl }}
+ - name: MINIO_IDENTITY_OPENID_CLIENT_ID
+ value: {{ .Values.oidc.clientId }}
+ - name: MINIO_IDENTITY_OPENID_CLIENTs_SECRET
+ value: {{ .Values.oidc.clientSecret }}
+ - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
+ value: {{ .Values.oidc.claimName }}
+ - name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX
+ value: {{ .Values.oidc.claimPrefix }}
+ - name: MINIO_IDENTITY_OPENID_SCOPES
+ value: {{ .Values.oidc.scopes }}
+ - name: MINIO_IDENTITY_OPENID_REDIRECT_URI
+ value: {{ .Values.oidc.redirectUri }}
+ - name: MINIO_IDENTITY_OPENID_COMMENT
+ value: {{ .Values.oidc.comment }}
+ {{- end}}
 {{- if .Values.etcd.endpoints }}
 - name: MINIO_ETCD_ENDPOINTS
 value: {{ join "," .Values.etcd.endpoints | quote }}
diff --git a/helm/minio/templates/statefulset.yaml b/helm/minio/templates/statefulset.yaml
index d296e74eb..6d695ddf5 100644
--- a/helm/minio/templates/statefulset.yaml
+++ b/helm/minio/templates/statefulset.yaml
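Review bot: The third variable added in the deployment.yaml hunk is named `MINIO_IDENTITY_OPENID_CLIENTs_SECRET`, with a stray lowercase `s`; the statefulset.yaml hunk of the same commit spells it `MINIO_IDENTITY_OPENID_CLIENT_SECRET`. As written, a Deployment-mode install would set a variable that MinIO presumably does not read, so the value of `.Values.oidc.clientSecret` would never reach the OpenID configuration. The line should read `- name: MINIO_IDENTITY_OPENID_CLIENT_SECRET`. The container's env list starts and ends outside the hunk.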
@@ -154,6 +154,24 @@ spec:
 - name: MINIO_PROMETHEUS_AUTH_TYPE
 value: "public"
 {{- end}}
+ {{- if .Values.oidc.enabled }}
+ - name: MINIO_IDENTITY_OPENID_CONFIG_URL
+ value: {{ .Values.oidc.configUrl }}
+ - name: MINIO_IDENTITY_OPENID_CLIENT_ID
+ value: {{ .Values.oidc.clientId }}
+ - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
+ value: {{ .Values.oidc.clientSecret }}
+ - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
+ value: {{ .Values.oidc.claimName }}
+ - name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX
+ value: {{ .Values.oidc.claimPrefix }}
+ - name: MINIO_IDENTITY_OPENID_SCOPES
+ value: {{ .Values.oidc.scopes }}
+ - name: MINIO_IDENTITY_OPENID_REDIRECT_URI
+ value: {{ .Values.oidc.redirectUri }}
+ - name: MINIO_IDENTITY_OPENID_COMMENT
+ value: {{ .Values.oidc.comment }}
+ {{- end}}
 {{- range $key, $val := .Values.environment }}
 - name: {{ $key }}
 value: {{ $val | quote }}
diff --git a/helm/minio/values.yaml b/helm/minio/values.yaml
index 169697cea..769b5b24e 100644
--- a/helm/minio/values.yaml
+++ b/helm/minio/values.yaml
@@ -421,6 +421,21 @@ environment:
 ##
 # extraSecret: minio-extraenv

+## OpenID Identity Management
+## The following section documents environment variables for enabling external identity management using an OpenID Connect (OIDC)-compatible provider.
+## See https://docs.min.io/minio/baremetal/security/openid-external-identity-management/external-authentication-with-openid-identity-provider.html#minio-external-identity-management-openid for a tutorial on using these variables.
+oidc:
+ enabled: false
+ configUrl: "https://identity-provider-url/.well-known/openid-configuration"
+ clientId: "minio"
+ clientSecret: ""
+ claimName: "policy"
+ scopes: "openid,profile,email"
+ redirectUri: "https://console-endpoint-url/oauth_callback"
+ # Can leave empty
+ claimPrefix: ""
+ comment: ""
+
 networkPolicy:
 enabled: false
 allowExternal: true
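Review bot: None of the eight `value:` lines added in the statefulset.yaml hunk pipe through `quote`, unlike the `{{ $val | quote }}` in the context lines just below, and the deployment.yaml hunk has the same problem. With the chart defaults `clientSecret: ""`, `claimPrefix: ""` and `comment: ""`, these render as a bare `value:`, which is YAML null and not an empty string. A value containing `: `, ` #` or a leading YAML indicator would change or break the rendered manifest. Each line should follow the form `value: {{ .Values.oidc.clientSecret | quote }}`. The env list starts and ends outside the hunk.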
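Review bot: `clientSecret` in the values.yaml hunk is a plain chart value, and the templates in this commit put it directly into the container `env` list. The OIDC client secret therefore ends up in the rendered manifest, in Helm's stored release values and in the pod spec, readable by anyone with read access to the workload. Consider accepting a reference to an existing Kubernetes Secret and injecting it with `valueFrom.secretKeyRef`, keeping `clientSecret` only as a fallback. At minimum, add a comment above the key such as `## Rendered as a plain env value; prefer supplying MINIO_IDENTITY_OPENID_CLIENT_SECRET from a Kubernetes Secret`. The commented `extraSecret` option in the context lines looks like an existing route for this, though its behaviour is not visible in this hunk.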