Allow standalone Kubernetes applications (#848)

* Support configuring OIDC auth for Azimuth

* Support for configuring a realm and OIDC client using CRDs

* Initial configuration for standalone apps

* Remove template generation + additional config options

* Only migrate CaaS clusters when they are enabled

* Pick up apps operator version with fixed metrics

* Add sealed secrets to deployment

* Propagate Zenith connection info to apps operator

* Pick up version that supports Zenith operator

* Add dependency updates for new components

* bumped dev charts

* updated dependencies

* azimuth fix

* null provider fix

* Update main.yml

* Update main.yml

* Update main.yml

---------

Co-authored-by: Matt Pryor <[email protected]>
Co-authored-by: John Garbutt <[email protected]>

Author: 3 people

.github/workflows/update-dependencies.yml

@@ -51,6 +51,12 @@ jobs:
             prereleases: "yes"
             version_jsonpath: azimuth_chart_version
 
+          - key: azimuth-apps-operator
+            path: ./roles/azimuth_apps_operator/defaults/main.yml
+            repository: azimuth-cloud/azimuth-apps-operator
+            prereleases: "yes"
+            version_jsonpath: azimuth_apps_operator_chart_version
+
           - key: azimuth-caas-operator
             path: ./roles/azimuth_caas_operator/defaults/main.yml
             repository: azimuth-cloud/azimuth-caas-operator
@@ -280,6 +286,12 @@ jobs:
             chart_name_jsonpath: velero_csi_snapshot_controller_chart_name
             chart_version_jsonpath: velero_csi_snapshot_controller_chart_version
 
+          - key: sealed-secrets
+            path: ./roles/sealed_secrets/defaults/main.yml
+            chart_repo_jsonpath: sealed_secrets_chart_repo
+            chart_name_jsonpath: sealed_secrets_chart_name
+            chart_version_jsonpath: sealed_secrets_chart_version
+
           - key: velero
             path: ./roles/velero/defaults/main.yml
             chart_repo_jsonpath: velero_chart_repo

playbooks/deploy.yml

@@ -11,6 +11,7 @@
         alertmanager_config_slack_webhook_url
     - role: azimuth_cloud.azimuth_ops.flux
       when: flux_enabled
+    - role: azimuth_cloud.azimuth_ops.sealed_secrets
     - role: azimuth_cloud.azimuth_ops.certmanager
       when: certmanager_enabled or azimuth_kubernetes_enabled
     - role: azimuth_cloud.azimuth_ops.kubernetes_dashboard
@@ -40,6 +41,8 @@
       when: azimuth_apps_enabled
     - role: azimuth_cloud.azimuth_ops.azimuth_capi_operator
       when: azimuth_kubernetes_enabled
+    - role: azimuth_cloud.azimuth_ops.azimuth_apps_operator
+      when: azimuth_apps_enabled
     - azimuth_cloud.azimuth_ops.azimuth
   # Ensure that Consul is uninstalled
   post_tasks:

playbooks/provision_cluster.yml

@@ -69,6 +69,7 @@
 
     - include_role:
         name: azimuth_cloud.azimuth_ops.community_images
+      when: community_images_enabled is not defined or community_images_enabled
 
     # For a single node install, we put the monitoring and ingress controller on the K3S cluster
     - block:

roles/azimuth/defaults/main.yml

@@ -94,6 +94,62 @@ azimuth_curated_sizes: []
   #   description: >-
   #     {% raw %}{{ cpus }} CPUs, {{ ram }} RAM, {{ disk }} disk, {{ ephemeral_disk }} ephemeral disk{% endraw %}
 
+# The authentication type to use - oidc and openstack are supported
+azimuth_authentication_type: openstack
+
+# Settings for OIDC authentication
+#   The name of the identity realm to create for Azimuth users
+#   This will result in a realm in Keycloak named {namespace}-{name}, e.g. azimuth-users
+#   Only used if azimuth_oidc_issuer_url is not given
+azimuth_oidc_users_realm_name: users
+#   The OIDC issuer URL (must support the OIDC discovery specification)
+#   If not given, this is set to the issuer URL for the identity realm
+azimuth_oidc_issuer_url:
+#   The OIDC client ID
+#   If an identity realm is being used and no client secret is given, a client is created
+#   with this ID using the spec that follows
+azimuth_oidc_client_id: azimuth-portal
+#   The spec for the OIDC client
+#   Used to create an OIDC client when no client secret is given
+azimuth_oidc_client_spec:
+  # Use the realm that we created
+  realmName: "{{ azimuth_oidc_users_realm_name }}"
+  # Azimuth uses a confidential client with the authcode grant
+  public: false
+  grantTypes: [AuthorizationCode]
+  redirectUris:
+    - >-
+        {{
+          "{}://{}/auth/oidc/complete/".format(
+            'https' if azimuth_ingress_tls_enabled else 'http',
+            azimuth_ingress_host
+          )
+        }}
+#   The client secret
+#   If not given and an identity realm is being used, a client is created - see above
+azimuth_oidc_client_secret: "{{ undef(hint = 'azimuth_oidc_client_secret is required') }}"
+#   The scope to use when requesting tokens
+azimuth_oidc_scope: "openid profile email groups"
+#   The claims to use for the user ID, username, email and groups respectively
+azimuth_oidc_userid_claim: sub
+azimuth_oidc_username_claim: preferred_username
+azimuth_oidc_email_claim: email
+azimuth_oidc_groups_claim: groups
+#   Indicates whether to verify SSL when talking to the OIDC provider
+azimuth_oidc_verify_ssl: true
+#   The aggregated settings object for OIDC authentication
+azimuth_oidc_authentication:
+  issuerUrl: "{{ azimuth_oidc_issuer_url }}"
+  scope: "{{ azimuth_oidc_scope }}"
+  claims:
+    userid: "{{ azimuth_oidc_userid_claim }}"
+    username: "{{ azimuth_oidc_username_claim }}"
+    email: "{{ azimuth_oidc_email_claim }}"
+    groups: "{{ azimuth_oidc_groups_claim }}"
+  clientID: "{{ azimuth_oidc_client_id }}"
+  clientSecret: "{{ azimuth_oidc_client_secret }}"
+  verifySsl: "{{ azimuth_oidc_verify_ssl }}"
+
 # Settings for OpenStack authentication
 #   The Keystone auth URL
 azimuth_openstack_auth_url: "{{ undef(hint = 'azimuth_openstack_auth_url is required') }}"
@@ -147,62 +203,81 @@ azimuth_authenticator_federated_identity_providers:
     provider: "{{ azimuth_authenticator_federated_provider }}"
     # A human-readble label for the identity provider, used in the selection form
     label: "{{ azimuth_authenticator_federated_label }}"
-# The authentication settings, structured as defaults + overrides
-azimuth_authentication_defaults:
-  type: openstack
-  openstack: >-
-    {{-
-      {
-        "authUrl": azimuth_openstack_auth_url,
-        "interface": azimuth_openstack_interface,
-        "verifySsl": azimuth_openstack_verify_ssl,
-        "appcred": {
-          "hidden": azimuth_authenticator_appcred_hidden,
-        },
-        "password": {
-          "enabled": azimuth_authenticator_password_enabled,
-        },
-        "federated": {
-          "enabled": azimuth_authenticator_federated_enabled,
-        },
-      } |
-        combine(
-          { "region": azimuth_openstack_region }
-          if azimuth_openstack_region
+#   The aggregated settings object for OpenStack auth
+azimuth_openstack_authentication: >-
+  {{-
+    {
+      "authUrl": azimuth_openstack_auth_url,
+      "interface": azimuth_openstack_interface,
+      "verifySsl": azimuth_openstack_verify_ssl,
+      "appcred": {
+        "hidden": azimuth_authenticator_appcred_hidden,
+      },
+      "password": {
+        "enabled": azimuth_authenticator_password_enabled,
+      },
+      "federated": {
+        "enabled": azimuth_authenticator_federated_enabled,
+      },
+    } |
+      combine(
+        { "region": azimuth_openstack_region }
+        if azimuth_openstack_region
+        else {}
+      ) |
+      combine(
+        (
+          {
+            "password": {
+              "domains": azimuth_authenticator_password_domains,
+            },
+          }
+          if azimuth_authenticator_password_enabled
           else {}
-        ) |
-        combine(
-          (
-            {
-              "password": {
-                "domains": azimuth_authenticator_password_domains,
-              },
-            }
-            if azimuth_authenticator_password_enabled
-            else {}
-          ),
-          recursive = True
-        ) |
-        combine(
-          (
-            {
-              "federated": {
-                "identityProviders": azimuth_authenticator_federated_identity_providers,
-              },
-            }
-            if azimuth_authenticator_federated_enabled
-            else {}
-          ),
-          recursive = True
-        )
-    }}
+        ),
+        recursive = True
+      ) |
+      combine(
+        (
+          {
+            "federated": {
+              "identityProviders": azimuth_authenticator_federated_identity_providers,
+            },
+          }
+          if azimuth_authenticator_federated_enabled
+          else {}
+        ),
+        recursive = True
+      )
+  }}
+
+# The authentication settings, structured as defaults + overrides
+azimuth_authentication_defaults: >-
+  {{-
+    { "type": azimuth_authentication_type } |
+      combine(
+        { "openstack": azimuth_openstack_authentication }
+        if azimuth_authentication_type == "openstack"
+        else {}
+      ) |
+      combine(
+        { "oidc": azimuth_oidc_authentication }
+        if azimuth_authentication_type == "oidc"
+        else {}
+      )
+  }}
 azimuth_authentication_overrides: {}
 azimuth_authentication: >-
   {{-
     azimuth_authentication_defaults |
       combine(azimuth_authentication_overrides, recursive = True)
   }}
 
+# The type of provider to use
+#   Setting this to "null" disables all cloud functionality, only retaining support
+#   for deploying onto a pre-configured Kubernetes cluster for each tenant
+azimuth_cloud_provider_type: openstack
+
 # OpenStack provider settings
 #   The template to use when searching for the internal network
 #   Only used if the internal network is not tagged
@@ -222,7 +297,6 @@ azimuth_openstack_create_internal_net: true
 azimuth_openstack_internal_net_cidr: 192.168.3.0/24
 #   The nameservers to set on auto-created tenant internal networks
 azimuth_openstack_internal_net_dns_nameservers: []
-
 # Azimuth OpenStack provider configuration
 azimuth_openstack_provider: >-
   {{-
@@ -367,8 +441,15 @@ azimuth_release_defaults:
     supportUrl: "{{ azimuth_support_url }}"
     curatedSizes: "{{ azimuth_curated_sizes }}"
   authentication: "{{ azimuth_authentication }}"
-  provider:
-    openstack: "{{ azimuth_openstack_provider }}"
+  provider: >-
+    {{-
+      { "type": azimuth_cloud_provider_type } |
+        combine(
+          { "openstack": azimuth_openstack_provider }
+          if azimuth_cloud_provider_type == "openstack"
+          else {}
+        )
+    }}
   apps: >-
     {{-
       {

roles/azimuth/tasks/main.yml

@@ -34,6 +34,112 @@
         tls.key: "{{ azimuth_ingress_tls_key }}"
   when: azimuth_ingress_tls_certificate
 
+- block:
+    - name: Ensure identity realm exists for Azimuth users
+      command: kubectl apply -f -
+      args:
+        stdin: "{{ azimuth_oidc_users_realm_definition | to_nice_yaml }}"
+      vars:
+        azimuth_oidc_users_realm_definition:
+          apiVersion: identity.azimuth.stackhpc.com/v1alpha1
+          kind: Realm
+          metadata:
+            name: "{{ azimuth_oidc_users_realm_name }}"
+            namespace: "{{ azimuth_release_namespace }}"
+
+    - name: Wait for Azimuth users realm to become ready
+      command: >-
+        kubectl wait realm {{ azimuth_oidc_users_realm_name }}
+          --for=jsonpath='{.status.phase}'=Ready
+          --namespace {{ azimuth_release_namespace }}
+          --timeout=0
+      changed_when: false
+      register: azimuth_oidc_users_realm_ready
+      until: azimuth_oidc_users_realm_ready is succeeded
+      # Retry every 5s for 5m
+      retries: 60
+      delay: 5
+
+    - block:
+        - name: Ensure OIDC client exists for Azimuth
+          command: kubectl apply -f -
+          args:
+            stdin: "{{ azimuth_oidc_users_realm_definition | to_nice_yaml }}"
+          vars:
+            azimuth_oidc_users_realm_definition:
+              apiVersion: identity.azimuth.stackhpc.com/v1alpha1
+              kind: OIDCClient
+              metadata:
+                name: "{{ azimuth_oidc_client_id }}"
+                namespace: "{{ azimuth_release_namespace }}"
+              spec: "{{ azimuth_oidc_client_spec }}"
+
+        - name: Wait for Azimuth OIDC client to become ready
+          command: >-
+            kubectl wait oidcclient {{ azimuth_oidc_client_id }}
+              --for=jsonpath='{.status.phase}'=Ready
+              --namespace {{ azimuth_release_namespace }}
+              --timeout=0
+          changed_when: false
+          register: azimuth_oidc_users_realm_ready
+          until: azimuth_oidc_users_realm_ready is succeeded
+          # Retry every 5s for 5m
+          retries: 60
+          delay: 5
+
+        - name: Get credentials secret name for Azimuth OIDC client
+          command: >-
+            kubectl get oidcclient {{ azimuth_oidc_client_id }}
+              --namespace {{ azimuth_release_namespace }}
+              --output go-template={% raw %}'{{.status.credentialsSecretName}}'{% endraw %}
+          register: azimuth_oidc_client_credentials_secret_name
+          changed_when: false
+
+        - name: Get credentials secret data for Azimuth OIDC client
+          command: >-
+            kubectl get secret {{ azimuth_oidc_client_credentials_secret_name.stdout }}
+              --namespace {{ azimuth_release_namespace }}
+              --output json
+          register: azimuth_oidc_client_credentials_secret_data
+          changed_when: false
+
+        - name: Set Azimuth OIDC client and secret facts
+          set_fact:
+            azimuth_oidc_client_id: >-
+              {{-
+                azimuth_oidc_client_credentials_secret_data.stdout |
+                  from_json |
+                  json_query('data."client-id"') |
+                  b64decode
+              }}
+            azimuth_oidc_client_secret: >-
+              {{-
+                azimuth_oidc_client_credentials_secret_data.stdout |
+                  from_json |
+                  json_query('data."client-secret"') |
+                  b64decode
+              }}
+      when:
+        - azimuth_oidc_client_secret is not defined
+
+    - name: Get issuer URL for Azimuth users realm
+      command: >-
+        kubectl get realm {{ azimuth_oidc_users_realm_name }}
+          --namespace {{ azimuth_release_namespace }}
+          --output go-template={% raw %}'{{.status.oidcIssuerUrl}}'{% endraw %}
+      register: azimuth_oidc_users_realm_issuer_url
+      changed_when: false
+
+    # This MUST be the last task in the block as it makes the block condition false
+    # which means all subsequent tasks in the block are skipped, because a block is
+    # just syntactic sugar for adding a condition to all the tasks
+    - name: Set Azimuth OIDC issuer URL fact
+      set_fact:
+        azimuth_oidc_issuer_url: "{{ azimuth_oidc_users_realm_issuer_url.stdout }}"
+  when:
+    - azimuth_authentication_type == "oidc"
+    - not azimuth_oidc_issuer_url
+
 - name: Install Azimuth on target Kubernetes cluster
   kubernetes.core.helm:
     chart_ref: "{{ azimuth_chart_name }}"