Merge branch 'main' into helm-frozen-deps

Author: jordane

charts/lfx-platform/Chart.yaml

@@ -5,7 +5,7 @@ apiVersion: v2
 name: lfx-platform
 description: LFX Platform v2 Helm chart
 type: application
-version: 0.1.10
+version: 0.1.11
 icon: https://github.com/linuxfoundation/lfx-v2-helm/raw/main/img/lfx-logo-color.svg
 dependencies:
   - name: traefik

charts/lfx-platform/templates/whoami/deployment.yaml

@@ -0,0 +1,29 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+---
+{{- if .Values.lfx.whoami.enabled }}
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: whoami
+  namespace: lfx
+  labels:
+    app: whoami
+
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: whoami
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+        - name: whoami
+          image: traefik/whoami
+          ports:
+            - name: web
+              containerPort: 80
+{{- end }}

charts/lfx-platform/templates/whoami/httproute.yaml

@@ -0,0 +1,33 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+---
+{{- if and .Values.lfx.whoami.enabled .Values.traefik.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: whoami
+  namespace: {{ .Release.Namespace }}
+spec:
+  parentRefs:
+  - name: {{ .Values.traefik.gateway.name }}
+    namespace: {{ .Release.Namespace }}
+  hostnames:
+  - "lfx-api.{{ .Values.lfx.domain }}"
+  rules:
+  # Main application endpoints (with authentication)
+  - matches:
+    - path:
+        type: Exact
+        value: /whoami
+    {{- if .Values.heimdall.enabled }}
+    filters:
+    - type: ExtensionRef
+      extensionRef:
+        group: traefik.io
+        kind: Middleware
+        name: heimdall
+    {{- end }}
+    backendRefs:
+    - name: whoami
+      port: 80
+{{- end }}

charts/lfx-platform/templates/whoami/ruleset.yaml

@@ -0,0 +1,29 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+---
+{{- if and .Values.lfx.whoami.enabled .Values.heimdall.enabled }}
+apiVersion: heimdall.dadrus.github.com/v1alpha4
+kind: RuleSet
+metadata:
+  name: lfx-whoami
+  namespace: lfx
+spec:
+  rules:
+    - id: "rule:lfx:whoami:public"
+      match:
+        methods:
+          - GET
+        routes:
+          - path: /whoami
+      execute:
+        - authenticator: oidc
+        - authenticator: anonymous_authenticator
+        {{- if .Values.lfx.use_oidc_contextualizer }}
+        - contextualizer: oidc_contextualizer
+        {{- end}}
+        - authorizer: allow_all
+        - finalizer: create_jwt
+          config:
+            values:
+              aud: whoami
+{{- end }}

charts/lfx-platform/templates/whoami/service.yaml

@@ -0,0 +1,20 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+---
+{{- if .Values.lfx.whoami.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+  namespace: lfx
+
+spec:
+  ports:
+    - name: web
+      port: 80
+      targetPort: web
+
+  selector:
+    app: whoami
+
+{{- end }}

charts/lfx-platform/values.yaml

@@ -16,6 +16,14 @@ lfx:
     name: heimdall-trust-bundle
     configKey: ca-certificates.crt
 
+  whoami:
+    enabled: true
+
+  # Tells rulesets to use the oidc_contextualizer, needed for
+  # local dev with authelia
+  use_oidc_contextualizer: true
+
+
 fga-operator:
   enabled: true
   # Non-chart value
@@ -127,7 +135,7 @@ heimdall:
         type: anonymous
         config:
           subject: "_anonymous"
-      - id: authelia
+      - id: oidc
         type: oauth2_introspection
         config:
           metadata_endpoint:
@@ -150,7 +158,7 @@ heimdall:
             # the `sub` claim should NOT be used downstream.
             id: '[username,client_id].0'
     contextualizers:
-      - id: authelia_userinfo
+      - id: oidc_contextualizer
         type: generic
         config:
           endpoint:
@@ -214,8 +222,8 @@ heimdall:
                             (list "clients@" .Subject.Attributes.client_id | join ""))
                         | quote
                       }}
-                      {{ if .Outputs.authelia_userinfo.email -}},
-                      "email": {{ quote .Outputs.authelia_userinfo.email }}
+                      {{ if .Outputs.oidc_contextualizer.email -}},
+                      "email": {{ quote .Outputs.oidc_contextualizer.email }}
                       {{ end -}}
                       {{ if .Values.aud -}},
                       "aud": {{ quote .Values.aud }}
@@ -224,7 +232,8 @@ heimdall:
 
   default_rule:
     execute:
-      - authenticator: anonymous_authenticator
+      - authenticator: oidc
+      - contextualizer: oidc_contextualizer
       - authorizer: deny_all
       - finalizer: create_jwt