Skip to content

web: introduce authentication (anonymous and OIDC) #519

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
stefanprodan merged 53 commits into from
Dec 16, 2025
Merged

web: introduce authentication (anonymous and OIDC) #519

stefanprodan merged 53 commits into from
Dec 16, 2025

Conversation

@matheuscscp
Copy link
Member

@matheuscscp matheuscscp commented Dec 12, 2025
edited
Loading

Closes: #518

  • Manual tests for Anonymous authentication type
  • Manual tests for OAuth2 authentication type with OIDC provider and Dex
  • e2e tests for RBAC
  • Docs

Config is looking like this:

# flux-operator --web-config=/etc/flux-status-page/config.yaml
apiVersion: web.fluxcd.controlplane.io/v1
kind: Config
spec:
  # Optional. Required if .spec.authentication.type is OAuth2.
  baseURL: https://flux-ui.apps.${CLUSTER_DOMAIN}

  # Optional. Sets insecure behaviors, e.g. HTTP cookie 'secure' field to false.
  insecure: false # Defaults to false.

  authentication:
    type: OAuth2 # Anonymous | OAuth2

    # Type-agnostic settings.
    userCacheSize: 200 # Default: 100
    sessionDuration: 24h # Default: one week

    # Type=Anonymous settings.
    anonymous:
      username: some-user
      groups:
        - some-group
        - another-group

    # Type=OAuth2 settings.
    oauth2:
      provider: OIDC # only OIDC is implemented for now. other providers could be Google, GitHub, Microsoft...
      clientID: flux-ui
      clientSecret: flux-ui-secret
      scopes: # Optional.
        - some-scope
        - another-scope

      # OIDC-only
      issuerURL: https://dex.apps.${CLUSTER_DOMAIN} # Required if .provider is OIDC.
      variables:
        - name: username
          expression: "claims.sub"
        - name: domain
          expression: "claims.email.split('@')[1]"
        - name: departments
          expression: "claims.groups.filter(g, g.startsWith('dept:')).map(g, g.substring(5))"
      validations:
        - expression: "variables.domain == 'example.com'"
          message: "email domain not allowed"
      profile:
        name: "variables.name" # Default: "has(claims.name) ? claims.name : (has(claims.email) ? claims.email : '')"
      impersonation:
        username: "variables.username"  # Default: "has(claims.email) ? claims.email : ''"
        groups: "variables.departments" # Default: "has(claims.groups) ? claims.groups : []"

@matheuscscp matheuscscp force-pushed the web-auth branch 2 times, most recently from 63493f0 to 518e98b Compare December 12, 2025 02:23
@stefanprodan stefanprodan added area/security Security related issues and pull requests area/web-ui Flux Status Page related issues and pull requests labels Dec 12, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 12, 2025
View reviewed changes
@matheuscscp matheuscscp force-pushed the web-auth branch 4 times, most recently from d614eb4 to b102508 Compare December 12, 2025 16:36
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 12, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 12, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 12, 2025
View reviewed changes
@stefanprodan
Copy link
Member

stefanprodan commented Dec 13, 2025
edited
Loading

Login view when OIDC auth is configured:

Opera Snapshot_2025-12-13_172207_localhost

github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 13, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 13, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 13, 2025
View reviewed changes
matheuscscp and others added 11 commits December 15, 2025 17:05
@matheuscscp
web: introduce authentication
eba3867 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: server auth flow with login page
a1c97ae 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: refactor auth expired server error
ad39ad7 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: fix oauth2 endpoints not redirecting to original path
e6f669d 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: fix wrong http status code on oauth2 auth
e3b4b74 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: fix comment on auth error helper
87cf62a 
Signed-off-by: Matheus Pimenta <[email protected]>
@stefanprodan @matheuscscp
web: Implement auth flow client-side
742dca9 
Signed-off-by: Stefan Prodan <[email protected]>
@matheuscscp
web: extract web kube client to dedicated package to hide private fields
d85f2b0 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: extract web auth to dedicated package
936c575 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: refactor oidc and claims processing
01779b5 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: reduce amount of calls to oidc provider
4130c97 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: improve auth error handling
f7c4658 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp matheuscscp force-pushed the web-auth branch 2 times, most recently from 307e307 to 0d07eeb Compare December 15, 2025 20:25
@matheuscscp
web: add tests for kubeclient
4713657 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: return as many events as possible on errors
eab3c7e 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: use privileged client for getting resource preferred GVK
d54197f 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: return as many resources as possible on search errors
faa67ce 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: improve error handling when listing user namespaces
2ec7a3c 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: when lisiting things, ignore RBAC errors
327417d 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: add RBAC tests for events and search
de46242 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: add RBAC tests for favorites and workloads
e3a7938 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: add RBAC tests for workload
55494a1 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp
web: add docs for config API
495678e 
Signed-off-by: Matheus Pimenta <[email protected]>
@matheuscscp matheuscscp marked this pull request as ready for review December 16, 2025 02:48
@stefanprodan stefanprodan changed the title web: introduce authentication web: introduce authentication (anonymous and OIDC) Dec 16, 2025
stefanprodan
stefanprodan approved these changes Dec 16, 2025
View reviewed changes
Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @matheuscscp 🥇

@stefanprodan stefanprodan merged commit 9b3e45c into main Dec 16, 2025
7 checks passed
@stefanprodan stefanprodan deleted the web-auth branch December 16, 2025 09:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stefanprodan stefanprodan stefanprodan approved these changes

Assignees

No one assigned

Labels

area/security Security related issues and pull requests area/web-ui Flux Status Page related issues and pull requests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Web Single Sign-On with Dex and Keycloak

3 participants

@matheuscscp @stefanprodan