WebUI authentication with Google OAuth 2.0 or OIDC
These instructions explain how to set up the Nephio WebUI to use Google OAuth 2.0 for authentication, or to use OIDC backed by Google authentication.
To install the WebUI, we simply install a different kpt package. First, we pull the package locally:
kpt pkg get --for-deployment https://github.com/nephio-project/nephio-packages.git/nephio-webui@origin/v3.0.0
Before we apply it to the cluster, however, we should configure it.
By default, the package expects the WebUI to be reached via http://localhost:7007. If you plan to expose the WebUI via a load balancer service instead, then you need to configure the scheme, hostname, port, and service. Note that if you wish to use HTTPS, you should set the scheme to https, but you will need to terminate TLS at the load balancer, as the container currently only supports HTTP.
This information is captured in the application ConfigMap for the WebUI, which is generated by a KRM function. We can change the values in nephio-webui/gen-configmap.yaml with a text editor (change the scheme, hostname and port values under params:), and those will take effect later when we run kpt fn render. As an alternative to a text editor, you can run these commands:
kpt fn eval nephio-webui --image gcr.io/kpt-fn/search-replace:v0.2.0 --match-kind GenConfigMap -- 'by-path=params.scheme' 'put-value=SCHEME'
kpt fn eval nephio-webui --image gcr.io/kpt-fn/search-replace:v0.2.0 --match-kind GenConfigMap -- 'by-path=params.hostname' 'put-value=HOSTNAME'
kpt fn eval nephio-webui --image gcr.io/kpt-fn/search-replace:v0.2.0 --match-kind GenConfigMap -- 'by-path=params.port' 'put-value=PORT'
If you want to expose the UI via a load balancer service, you can manually change the Service type to LoadBalancer, or run:
kpt fn eval nephio-webui --image gcr.io/kpt-fn/search-replace:v0.2.0 --match-kind Service -- 'by-path=spec.type' 'put-value=LoadBalancer'
In the default configuration, the Nephio WebUI is wide open with no authentication. The webui itself authenticates to the cluster using a static service account, which is bound to the cluster admin role. Any user accessing the webui is acting as a cluster admin.
This configuration is designed for testing and development only. You must not use this configuration in any other situation, and even for testing and development it must not be exposed on the internet (for example, via a LoadBalancer service).
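One way to enforce the rule above before applying the package, as an added example (not part of the Nephio package or its documentation): a POSIX shell pre-apply check that reads the Service type and the GenConfigMap params from the package directory and blocks when a LoadBalancer Service is combined with unconfigured authentication. AUTH_CONFIGURED is a hypothetical operator switch, service.yaml is a made-up file name, and the sample files are constructed.

```shell
# Added example. AUTH_CONFIGURED is a hypothetical switch; samples are constructed.

# Emit "<kind> <dotted.path> <value>" for each scalar. Assumes block-style
# YAML with `kind:` appearing before `spec:` / `params:` in each document.
yaml_scalars() {
  find "$1" -name '*.yaml' -exec awk -v q="'" '
    FNR == 1 || /^---/ { kind = ""; depth = 0 }
    /^---/ || /^[ \t]*(#|$)/ { next }
    {
      match($0, /^ */); indent = RLENGTH
      line = substr($0, indent + 1)
      if (line !~ /^[A-Za-z0-9_.-]+:/) next
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]+:[ \t]*/, "", val)
      sub(/[ \t]+#.*/, "", val); gsub("[\"" q "]", "", val)
      while (depth > 0 && ind[depth] >= indent) depth--
      depth++; ind[depth] = indent; name[depth] = key
      if (val == "") next
      path = name[1]; for (i = 2; i <= depth; i++) path = path "." name[i]
      if (path == "kind") kind = val
      print kind, path, val
    }' {} +
}

# One finding per line: BLOCK must stop the apply, WARN is advisory.
webui_findings() {
  facts=$(yaml_scalars "$1")
  get() { printf '%s\n' "$facts" | awk -v p="$1" '$1 == "GenConfigMap" && $2 == p { print $3 }'; }
  host=$(get params.hostname); scheme=$(get params.scheme)
  if printf '%s\n' "$facts" | grep -qx 'Service spec\.type LoadBalancer' &&
     [ "${AUTH_CONFIGURED:-no}" != yes ]; then
    echo "BLOCK: Service is type LoadBalancer but WebUI authentication is not configured"
  fi
  if [ -n "$host" ] && [ "$host" != localhost ] && [ "$scheme" != https ]; then
    echo "WARN: $host uses scheme ${scheme:-unset}; use https and terminate TLS at the load balancer"
  fi
  return 0
}

webui_preflight() {   # returns 1 if any BLOCK finding exists
  out=$(webui_findings "$1"); [ -z "$out" ] || printf '%s\n' "$out" >&2
  case $out in *BLOCK:*) return 1 ;; esac
}

write_sample() {      # usage: write_sample DIR SERVICE_TYPE SCHEME HOSTNAME
  mkdir -p "$1"
  printf 'kind: GenConfigMap\nparams:\n  scheme: %s\n  hostname: %s\n' "$3" "$4" > "$1/gen-configmap.yaml"
  printf 'apiVersion: v1\nkind: Service\nspec:\n  type: %s\n' "$2" > "$1/service.yaml"
}
```

Run webui_preflight nephio-webui after editing the package and before kpt live apply; set AUTH_CONFIGURED=yes only once one of the authentication guides has been applied.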
Configuring authentication for the WebUI is specific to the particular cluster environment. Guides for different environments are below:
Once that configuration is updated, you can proceed with the installation (note, this uses inventory-policy=adopt, since in the previous steps we may have created the namespace already).
kpt fn render nephio-webui
kpt live init nephio-webui
kpt live apply nephio-webui --reconcile-timeout=15m --output=table --inventory-policy=adopt
These instructions explain how to set up the Nephio WebUI to use OIDC with Okta for authentication.