helm: add option to configure SSO login
new options for configuring Keycloak SSO login with third-party authentication services

closes reanahub/reana-server#513
goseind committed Mar 20, 2023
1 parent 8a28e7a commit 9ad77dc
Showing 7 changed files with 40 additions and 0 deletions.
1 change: 1 addition & 0 deletions AUTHORS.rst
Expand Up @@ -11,6 +11,7 @@ The list of contributors in alphabetical order:
- `Daniel Prelipcean <https://orcid.org/0000-0002-4855-194X>`_
- `Diego Rodriguez <https://orcid.org/0000-0003-0649-2002>`_
- `Dinos Kousidis <https://orcid.org/0000-0002-4914-4289>`_
- `Domenic Gosein <https://orcid.org/0000-0002-1546-0435>`_
- `Harri Hirvonsalo <https://orcid.org/0000-0002-5503-510X>`_
- `Jan Okraska <https://orcid.org/0000-0002-1416-3244>`_
- `Kenyi Hurtado-Anampa <https://orcid.org/0000-0002-9779-3566>`_
1 change: 1 addition & 0 deletions CHANGES.rst
Expand Up @@ -12,6 +12,7 @@ Version 0.9.1 (UNRELEASED)
- Adds new configuration option ``ingress.tls.hosts`` to define hosts that are present in the TLS certificate, in order to support cert-manager's automatic creation of certificates.
- Changes uWSGI configuration to add vacuuming of generated files and sockets.
- Fixes uWSGI memory consumption on systems with very high allowed number of open files.
- Adds new configuration options ``login`` and ``secrets.login`` for configuring Keycloak SSO login with third-party authentication services.

Version 0.9.0 (2023-01-26)
--------------------------
2 changes: 2 additions & 0 deletions helm/reana/README.md
Expand Up @@ -71,6 +71,7 @@ This Helm automatically prefixes all names using the release name to avoid colli
| `kubernetes_jobs_max_user_memory_limit` | Maximum custom memory limit that users can assign to their job containers via `kubernetes_memory_limit` hint in `reana.yaml`. Exceeding this limit will terminate the container. Please see the following URL for possible values https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory. | None |
| `kubernetes_jobs_timeout_limit` | Default timeout for user's jobs in *seconds*. Exceeding this time will terminate the job. Please see the following URL for more details https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup. Default value: 604800 seconds = 7 days. | 604800 |
| `kubernetes_jobs_max_user_timeout_limit` | Maximum custom timeout in *seconds* that users can assign to their jobs. Please see the following URL for more details https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup. Default value: 1209600 seconds = 14 days. | 1209600 |
| `login` | Enable and configure SSO authentication via a third-party Keycloak identity provider ([configuration details](https://docs.reana.io/administration/configuration/configuring-access/#keycloak-single-sign-on-configuration)) | `[]` |
| `node_label_infrastructure` | Define the label which identifies the nodes where the infrastructure pods should run, e.g. `reana.io/system=infrastructure`. If you are setting this configuration variable, please also set `.traefik.nodeSelector.reana.io/system=infrastructure` so the ingress controller is also deployed on the infrastructure node. By default infrastructure pods can be scheduled to any available node in the cluster. | None |
| `node_label_infrastructuremq` | Define the label which identifies the node where message broker pod should run, e.g. `reana.io/system=infrastructuremq`. By default message broker pod can be scheduled to any available node in the cluster. | None |
| `node_label_infrastructuredb` | Define the label which identifies the node where database pod should run, e.g. `reana.io/system=infrastructuredb`. By default the database pod can be scheduled to any available node in the cluster. | None |
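Review bot: the new `login` row says "enable and configure" and shows a default of `[]`, but it never says what one element of that list looks like (which keys identify the Keycloak provider, and which of them must match an entry in `secrets.login`); readers are sent to an external docs page for the whole schema. Add at least the element keys inline, as the `kubernetes_jobs_*` rows above do for their values, so the table is usable offline.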
Expand All @@ -95,6 +96,7 @@ This Helm automatically prefixes all names using the release name to avoid colli
| `secrets.gitlab.REANA_GITLAB_HOST` | Hostname of the GitLab instance | None |
| `secrets.gitlab.REANA_GITLAB_OAUTH_APP_ID` | GitLab OAuth application id | None |
| `secrets.gitlab.REANA_GITLAB_OAUTH_APP_SECRET` | **[Do not use in production, use secrets instead]** GitLab OAuth application secret | None |
| `secrets.login` | **[Do not use in production, use secrets instead]** Third-party Keycloak identity provider consumer key and secret ([configuration details](https://docs.reana.io/administration/configuration/configuring-access/#keycloak-single-sign-on-configuration)) | `{}` |
| `secrets.reana.REANA_SECRET_KEY` | **[Do not use in production, use secrets instead]** REANA encryption secret key | None |
| `serviceAccount.create` | Create a service account for the REANA system user | true |
| `serviceAccount.name` | Service account name | reana |
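Review bot: the `secrets.login` row describes "consumer key and secret" but the default is `{}`, i.e. a map, and nothing in the row states how its keys are correlated with the providers configured under `login`; document the expected key names (or state that the map is keyed by provider name, if that is the contract) so an operator cannot produce a Secret that the server silently fails to match. The production warning is consistent with the neighbouring `secrets.gitlab.*` rows and can stay as is.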
1 change: 1 addition & 0 deletions helm/reana/templates/reana-config.yaml
Expand Up @@ -13,6 +13,7 @@ data:
forum_url: {{ .Values.components.reana_ui.forum_url | quote | default "null" }}
chat_url: {{ .Values.components.reana_ui.chat_url | quote | default "null" }}
cern_sso: {{ .Values.components.reana_ui.cern_sso | default false }}
login_provider_config: {{ .Values.login | toJson }}
cern_ropo: {{ .Values.components.reana_ui.cern_ropo | default false }}
hide_signup: {{ .Values.components.reana_ui.hide_signup | default false }}
admin_email: {{ .Values.notifications.email_config.receiver | quote | default "null" }}
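Review bot: `login_provider_config: {{ .Values.login | toJson }}` omits the `| quote` that the neighbouring `forum_url`/`chat_url` lines use and that `reana-server.yaml` applies to the very same `toJson` output for `LOGIN_PROVIDERS_CONFIGS`; unquoted JSON in this ConfigMap is read back as a YAML flow collection, not as a JSON string, so whichever form the UI expects, the two templates should agree. Because everything under `.Values.login` lands in a ConfigMap (and in a plain env `value:` in the server template), the values documentation should state that credentials must go under `secrets.login` only.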
18 changes: 18 additions & 0 deletions helm/reana/templates/reana-server.yaml
Expand Up @@ -120,6 +120,15 @@ spec:
secretKeyRef:
name: {{ include "reana.prefix" . }}-cern-sso-secrets
key: CERN_CONSUMER_SECRET
{{- if .Values.login }}
- name: LOGIN_PROVIDERS_CONFIGS
value: {{ .Values.login | toJson | quote }}
- name: LOGIN_PROVIDERS_SECRETS
valueFrom:
secretKeyRef:
name: {{ include "reana.prefix" $ }}-login-provider-secrets
key: PROVIDER_SECRETS
{{- end }}
- name: REANA_GITLAB_OAUTH_APP_ID
valueFrom:
secretKeyRef:
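Review bot: the new `secretKeyRef` uses `include "reana.prefix" $` while the entry directly above it (`name: {{ include "reana.prefix" . }}-cern-sso-secrets`) passes `.`; outside a `range` the two resolve to the same context, but mixing them in one env block makes it easy to pick the wrong one later, so use `.` here to match the file. The surrounding `{{- if .Values.login }}` guard is correct for the `[]` default, since an empty list is falsy in Go templates.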
Expand Down Expand Up @@ -246,6 +255,15 @@ spec:
name: {{ include "reana.prefix" . }}-db-secrets
key: password
{{- end }}
{{- if .Values.login }}
- name: LOGIN_PROVIDERS_CONFIGS
value: {{ .Values.login | toJson | quote }}
- name: LOGIN_PROVIDERS_SECRETS
valueFrom:
secretKeyRef:
name: {{ include "reana.prefix" $ }}-login-provider-secrets
key: PROVIDER_SECRETS
{{- end }}
volumes:
- name: reana-shared-volume
{{- if not (eq .Values.shared_storage.backend "hostpath") }}
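Review bot: this block is a verbatim copy of the nine lines added in the previous hunk (`{{- if .Values.login }}` through `{{- end }}`), including the same `$` vs `.` inconsistency; factor the env entries into a named template (for example a `define` named `reana.loginProviderEnv`, name is a suggestion) and `include` it in both containers so the two copies cannot drift apart.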
13 changes: 13 additions & 0 deletions helm/reana/templates/secrets.yaml
Expand Up @@ -23,6 +23,19 @@ data:
CERN_CONSUMER_KEY: {{ .Values.secrets.cern.sso.CERN_CONSUMER_KEY | default "cern_consumer_key" | b64enc }}
CERN_CONSUMER_SECRET: {{ .Values.secrets.cern.sso.CERN_CONSUMER_SECRET | default "cern_consumer_secret" | b64enc }}
---
{{- if .Values.login }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "reana.prefix" . }}-login-provider-secrets
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/resource-policy": keep
type: Opaque
data:
PROVIDER_SECRETS: {{ .Values.secrets.login | toJson | b64enc }}
{{- end }}
---
apiVersion: v1
kind: Secret
metadata:
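Review bot: the Secret is guarded by `{{- if .Values.login }}` but its only key is built from `.Values.secrets.login`; with `login` populated and `secrets.login` left at its `{}` default the chart still renders a Secret whose `PROVIDER_SECRETS` is just `{}` base64-encoded, and the server starts with no credentials and no render-time error. Prefer failing early, e.g. `PROVIDER_SECRETS: {{ required "secrets.login must be set when login is configured" .Values.secrets.login | toJson | b64enc }}`. Also note that `"helm.sh/resource-policy": keep` makes this Secret, which holds third-party IdP credentials, survive `helm uninstall`; confirm that is intended and mention it in the README row for `secrets.login`.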
4 changes: 4 additions & 0 deletions helm/reana/values.yaml
Expand Up @@ -53,6 +53,10 @@ secrets:
cern:
sso: {}
reana: {}
login: {}

# Enable and configure SSO authentication via a third-party Keycloak identity provider
login: []

# External database service configuration
db_env_config:
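Review bot: `login: []` gets a one-line comment but no commented-out example element, and `secrets.login: {}` under `secrets:` has no comment at all; since the README only links to an external docs page, add a commented example here showing one provider entry and the matching `secrets.login` key, so the correspondence between the list and the map is visible in the chart itself. The differing defaults (`[]` versus `{}`) are correct for the templates' `if .Values.login` guard but are worth a comment for the same reason.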