Helm chart SSO support (#17205)

* Add SAML support * move extAuth below essential components * Add CAS, PAM, LDAP support * Add WEB_DOMAIN and S3_ALIAS_HOST support * SAML defaults aligned * Bump chart version * SSO & WEB_DOMAIN support added * Add OIDC support * Correct typo * Notice for OIDC support Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
2022-02-11 09:01:40 -05:00
parent c9a52833b6
commit a131f06e12
4 changed files with 329 additions and 3 deletions
--- a/chart/values.yaml
+++ b/chart/values.yaml
@ -27,6 +27,9 @@ mastodon:
  # available locales: https://github.com/tootsuite/mastodon/blob/master/config/application.rb#L43
  locale: en
  local_domain: mastodon.local
+  # Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation
+  # You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described
+  # web_domain: mastodon.example.com
  persistence:
    assets:
      # ReadWriteOnce is more widely supported than ReadWriteMany, but limits
@ -49,6 +52,8 @@ mastodon:
    endpoint: https://us-east-1.linodeobjects.com
    hostname: us-east-1.linodeobjects.com
    region: ""
+    # If you have a caching proxy, enter its base URL here.
+    alias_host: ""
  # these must be set manually; autogenerated keys are rotated on each upgrade
  secrets:
    secret_key_base: ""
@ -136,6 +141,105 @@ service:
  type: ClusterIP
  port: 80

+externalAuth:
+  oidc:
+    # OpenID Connect support is proposed in PR #16221 and awaiting merge.
+    enabled: false
+    # display_name: "example-label"
+    # issuer: https://login.example.space/auth/realms/example-space
+    # discovery: true
+    # scope: "openid,profile"
+    # uid_field: uid
+    # client_id: mastodon
+    # client_secret: SECRETKEY
+    # redirect_uri: https://example.com/auth/auth/openid_connect/callback
+    # assume_email_is_verified: true
+    # client_auth_method: 
+    # response_type: 
+    # response_mode: 
+    # display: 
+    # prompt: 
+    # send_nonce: 
+    # send_scope_to_token_endpoint: 
+    # idp_logout_redirect_uri: 
+    # http_scheme: 
+    # host: 
+    # port: 
+    # jwks_uri: 
+    # auth_endpoint: 
+    # token_endpoint: 
+    # user_info_endpoint: 
+    # end_session_endpoint: 
+  saml:
+    enabled: false
+    # acs_url: http://mastodon.example.com/auth/auth/saml/callback
+    # issuer: mastodon
+    # idp_sso_target_url: https://login.example.com/auth/realms/example/protocol/saml
+    # idp_cert: '-----BEGIN CERTIFICATE-----[your_cert_content]-----END CERTIFICATE-----'
+    # idp_cert_fingerprint: 
+    # name_identifier_format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+    # cert: 
+    # private_key: 
+    # want_assertion_signed: true
+    # want_assertion_encrypted: true
+    # assume_email_is_verified: true
+    # uid_attribute: "urn:oid:0.9.2342.19200300.100.1.1"
+    # attributes_statements: 
+    #   uid: "urn:oid:0.9.2342.19200300.100.1.1"
+    #   email: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+    #   full_name: "urn:oid:2.16.840.1.113730.3.1.241"
+    #   first_name: "urn:oid:2.5.4.42"
+    #   last_name: "urn:oid:2.5.4.4"
+    #   verified: 
+    #   verified_email: 
+  oauth_global: 
+    # Force redirect local login to CAS. Does not function with SAML or LDAP.
+    oauth_redirect_at_sign_in: false
+  cas:
+    enabled: false
+    # url: https://sso.myserver.com
+    # host: sso.myserver.com
+    # port: 443
+    # ssl: true
+    # validate_url: 
+    # callback_url: 
+    # logout_url: 
+    # login_url: 
+    # uid_field: 'user'
+    # ca_path: 
+    # disable_ssl_verification: false
+    # assume_email_is_verified: true
+    # keys: 
+    #   uid: 'user'
+    #   name: 'name'
+    #   email: 'email'
+    #   nickname: 'nickname'
+    #   first_name: 'firstname'
+    #   last_name: 'lastname'
+    #   location: 'location'
+    #   image: 'image'
+    #   phone: 'phone'
+  pam: 
+    enabled: false
+    # email_domain: example.com
+    # default_service: rpam
+    # controlled_service: rpam
+  ldap:
+    enabled: false
+    # host: myservice.namespace.svc
+    # port: 389
+    # method: simple_tls
+    # base: 
+    # bind_on: 
+    # password: 
+    # uid: cn
+    # mail: mail
+    # search_filter: "(|(%{uid}=%{email})(%{mail}=%{email}))"
+    # uid_conversion:
+    #   enabled: true
+    #   search: "., -"
+    #   replace: _
+
 # https://github.com/tootsuite/mastodon/blob/master/Dockerfile#L88
 #
 # if you manually change the UID/GID environment variables, ensure these values