Auth Secret Injection

Introduction

This guide outlines the steps to manually create scaleops-auth-config secret used to store ScaleOps auth configuration.

If you follow this guide, do not include authProvider in your helm values.

Option 1: Configure `scaleops-auth-config` secret

Fill in the correct fields with the relevant authentication provider, and apply the following secret definition:

Built-In Authentication


apiVersion: v1
kind: Secret
metadata:
  name: scaleops-auth-config
  namespace: scaleops-system
type: Opaque
stringData:
  auth: >-
    {
      "type": 7,
      "builtInAuth": {
        "enabled": "true"
      }
    }

Azure


apiVersion: v1
kind: Secret
metadata:
  name: scaleops-auth-config
  namespace: scaleops-system
type: Opaque
stringData:
  auth: >-
    {
      "type": 1,
      "authorization": {
        "enabled": true
      },
      "defaultAdminUsers": ["<DEFAULT-ADMIN-USER>"],
      "defaultAdminGroups": ["<AZURE-GROUP-OBJECT-ID>"],
      "defaultViewerGroups": ["<AZURE-GROUP-OBJECT-ID>"],
      "oauth2": {
        "clientID": "<CLIENT-ID>",
        "clientSecret": "<CLIENT-SECRET>",
        "issuerUrl": "<ISSUER-URL>",
        "scopes": ["openid", "profile", "email", "offline_access"],
        "audiences": ["00000002-0000-0000-c000-000000000000"],
        "skipIssuerCheck": true,
        "groupsClaim": "groups"
      }
    }

Google


apiVersion: v1
kind: Secret
metadata:
  name: scaleops-auth-config
  namespace: scaleops-system
type: Opaque
stringData:
  auth: >-
    {
      "type": 2,
      "authorization": {
        "enabled": true
        },
      "defaultAdminUsers": ["<DEFAULT-ADMIN-USER>"],
      "defaultAdminGroups": ["<GROUP-ID>"],
      "defaultViewerGroups": ["<GROUP-ID>"],
      "google": {
        "clientID": "<CLIENT-ID>",
        "clientSecret": "<CLIENT-SECRET>",
        "credentials": "<SERVICE-ACCOUNT-CREDENTIALS-AS-JSON>"
      }
    }

Github


apiVersion: v1
kind: Secret
metadata:
  name: scaleops-auth-config
  namespace: scaleops-system
type: Opaque
stringData:
  auth: >-
    {
      "type": 3,
      "authorization": {
        "enabled": true
      },
      "defaultAdminUsers": ["<DEFAULT-ADMIN-USER>"],
      "defaultAdminGroups": ["<GROUP-ID>"],
      "defaultViewerGroups": ["<GROUP-ID>"],
      "github": {
        "clientID": "<CLIENT-ID>",
        "clientSecret": "<CLIENT-SECRET>"
      }
    }

OpenShift


apiVersion: v1
kind: Secret
metadata:
  name: scaleops-auth-config
  namespace: scaleops-system
type: Opaque
stringData:
  auth: >-
    {
      "type": 4,
      "authorization": {
        "enabled": true
      },
      "defaultAdminGroup": "<DEFAULT-ADMIN-GROUP>",
      "defaultViewerGroup": "<DEFAULT-VIEWER-GROUP>",
      "openshift": {
        "clientID": "<CLIENT-ID>",
        "clientSecret": "<CLIENT-SECRET>"
      }
    }

OIDC


apiVersion: v1
kind: Secret
metadata:
  name: scaleops-auth-config
  namespace: scaleops-system
type: Opaque
stringData:
  auth: >-
    {
      "type": 1,
      "authorization": {
        "enabled": true
      },
      "defaultAdminUsers": ["<DEFAULT-ADMIN-USER>"],
      "defaultAdminGroups": ["<GROUP-ID>"],
      "defaultViewerGroups": ["<GROUP-ID>"],
      "oauth2": {
        "clientID": "<CLIENT-ID>",
        "clientSecret": "<CLIENT-SECRET>",
        "issuerUrl": "<ISSUER-URL>",
        "scopes": ["openid", "profile", "email", "offline_access"],
        "groupsClaim": "<JWT-CLAIM-NAME-TO-USE>"
      }
    }

LDAP


apiVersion: v1
kind: Secret
metadata:
  name: scaleops-auth-config
  namespace: scaleops-system
type: Opaque
stringData:
  auth: >-
    {
      "type": 8,
      "authorization": {
        "enabled": true
      },
      "defaultAdminUsers": ["<DEFAULT-ADMIN-USER>"],
      "defaultAdminGroups": ["<GROUP-ID>"],
      "defaultViewerGroups": ["<GROUP-ID>"],
      "ldap": {
        "server": "<LDAP-SERVER>",
        "baseDN": "<BASE-DN>",
        "port": 636,
        "insecureSkipVerify": false,
        "bindUserName": "<BIND-USER-NAME>",
        "bindUserPassword": "<BIND-USER-PASSWORD>"
      }
    }

Okta


apiVersion: v1
kind: Secret
metadata:
  name: scaleops-auth-config
  namespace: scaleops-system
type: Opaque
stringData:
  auth: >-
    {
      "type": 1,
      "authorization": {
        "enabled": true
      },
      "defaultAdminUsers": ["<DEFAULT-ADMIN-USER>"],
      "defaultAdminGroups": ["<GROUP-ID>"],
      "defaultViewerGroups": ["<GROUP-ID>"],
      "oauth2": {
        "clientID": "<CLIENT-ID>",
        "clientSecret": "<CLIENT-SECRET>",
        "issuerUrl": "<ISSUER-URL>",
        "scopes": ["openid", "profile", "email", "offline_access"],
        "groupsClaim": "groups"
      }
    }

Option 2: Helm template to retrieve secret

Run helm template with correct values of the relevant authentication provider to retrieve secret definition:


helm template ... --show-only templates/dashboards-api/secret-oauth2.yaml

Option 3: External Secret

Store auth data json from previous steps on your secret provider, and reference it in the following ExternalSecret definition:


apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: scaleops-auth-config
  namespace: scaleops-system
spec:
  secretStoreRef:
    name: SECRET_STORE_NAME # Replace with your secret store name
    kind: ClusterSecretStore # Replace with your secret store kind
  target:
    name: scaleops-auth-config
    template:
      data:
        auth: "{{ .scaleops_auth }}"
  data:
    - secretKey: scaleops_auth
      remoteRef:
        key: path/to/secret # Replace with your secret path