Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

36 changes: 34 additions & 2 deletions book/src/configuration/configurability.md
Original file line number Diff line number Diff line change
Expand Up @@ -399,8 +399,40 @@ oauth2_client_id = "nico-api"
allowed_access_groups = ["nico-operators", "nico-admins"]
```

The chart supports overriding any `[auth.web]` field via
`nico-api.extraEnv` (see [`helm/README.md` → OAuth2 / SSO Setup](../../../helm/README.md#oauth2--sso-setup)).
The deployed WebUI authentication mode is configured with
`nico-api.webAuth.mode` (`basic`, `oauth2`, or `none`) and defaults to Basic
Auth with a generated password Secret. When `webAuth.mode: oauth2` is selected,
provide the endpoints, client credentials, and allowed groups through
`nico-api.extraEnv`:

```yaml
nico-api:
webAuth:
mode: oauth2
extraEnv:
- name: CARBIDE_WEB_OAUTH2_AUTH_ENDPOINT
value: "https://keycloak.example.com/realms/nico/protocol/openid-connect/auth"
- name: CARBIDE_WEB_OAUTH2_TOKEN_ENDPOINT
value: "https://keycloak.example.com/realms/nico/protocol/openid-connect/token"
- name: CARBIDE_WEB_OAUTH2_CLIENT_ID
value: "nico-api"
- name: CARBIDE_WEB_OAUTH2_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: nico-web-oauth2-client
key: client_secret
- name: CARBIDE_WEB_ALLOWED_ACCESS_GROUPS
value: "nico-operators,nico-admins"
- name: CARBIDE_WEB_ALLOWED_ACCESS_GROUPS_ID_LIST
value: "<operators-group-id>,<admins-group-id>"
```

`extraEnv` accepts normal Kubernetes `env` entries, including `valueFrom`
references. An existing `CARBIDE_WEB_AUTH_TYPE` entry there takes precedence
over `webAuth.mode` for backward compatibility, but new configurations should
use `webAuth.mode` to select the mode. See
[`helm/README.md` → OAuth2 / SSO Setup](../../../helm/README.md#oauth2--sso-setup)
for the complete Helm guidance.

`[auth.acls]` defines per-principal HTTP method+path allow/deny rules
(used by `nico-bmc-proxy` and other authenticating proxies). The example
Expand Down
2 changes: 2 additions & 0 deletions crates/api-web/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ carbide-health-report = { path = "../health-report" }
carbide-measured-boot = { path = "../measured-boot", features = ["sqlx"] }
carbide-rpc = { path = "../rpc", features = ["sqlx", "model"] }
carbide-rpc-utils = { path = "../rpc-utils" }
carbide-utils = { path = "../utils" }
carbide-uuid = { path = "../uuid", features = ["sqlx"] }
carbide-version = { path = "../version" }
config-version = { path = "../config-version", features = ["sqlx"] }
Expand All @@ -61,6 +62,7 @@ itertools = { workspace = true }
lazy_static = { workspace = true }
mac_address = { workspace = true }
oauth2 = { workspace = true, default-features = false }
rand = { workspace = true }
regex = { workspace = true }
reqwest = { workspace = true, default-features = false, features = [
"rustls",
Expand Down
3 changes: 2 additions & 1 deletion crates/api-web/src/auth.rs
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ pub async fn callback(
AxumState(_state): AxumState<Arc<Api>>,
request_headers: HeaderMap,
Query(query): Query<AuthRequest>,
Extension(oauth2_layer): Extension<Option<Oauth2Layer>>,
Extension(oauth2_layer): Extension<Option<Arc<Oauth2Layer>>>,
) -> AuthCallbackResponse {
use AuthCallbackError::*;
let Some(oauth2_layer) = oauth2_layer else {
Expand All @@ -85,6 +85,7 @@ pub async fn callback(
// which includes an access token.
let _ = match oauth2_layer
.client
.clone()
.set_client_secret(ClientSecret::new(client_secret.to_string()))
.exchange_client_credentials()
.add_scope(Scope::new(format!("{client_id}/.default")))
Expand Down
Loading
Loading