From c8f975d231806aba38eab50f3476f1aef11a8ac4 Mon Sep 17 00:00:00 2001
From: Idan Novogroder
Date: Thu, 26 Jun 2025 10:47:29 +0300
Subject: [PATCH 01/25] Fluffy EOL
---
charts/lakefs/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/lakefs/Chart.yaml b/charts/lakefs/Chart.yaml
index e68b94d..2330efb 100644
--- a/charts/lakefs/Chart.yaml
+++ b/charts/lakefs/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: lakefs
description: A Helm chart for running LakeFS on Kubernetes
type: application
-version: 1.4.19
+version: 1.4.20
appVersion: 1.61.0
home: https://lakefs.io
From 5e91bdd4046a85141fa9fc657ca3940958b17c21 Mon Sep 17 00:00:00 2001
From: Idan Novogroder Date: Sun, 29 Jun 2025 12:11:53 +0300 Subject: [PATCH 02/25] WIP --- charts/lakefs/templates/_env.tpl | 42 ++-- charts/lakefs/templates/_fluffy.tpl | 209 ------------------ charts/lakefs/templates/_helpers.tpl | 12 +- charts/lakefs/templates/deployment.yaml | 16 +- charts/lakefs/templates/dev-postgresql.yaml | 2 +- charts/lakefs/templates/fluffy-configmap.yaml | 11 - .../lakefs/templates/fluffy-deployment.yaml | 119 ---------- charts/lakefs/templates/fluffy-secret.yaml | 47 ---- charts/lakefs/templates/fluffy-service.yaml | 35 --- charts/lakefs/templates/ingress.yaml | 3 - charts/lakefs/templates/secret.yaml | 21 ++ charts/lakefs/values.yaml | 61 ++++- examples/lakefs/enterprise/README.md | 10 - examples/lakefs/enterprise/values-adfs.yaml | 78 ------- .../enterprise/values-external-aws.yaml | 44 ---- examples/lakefs/enterprise/values-ldap.yaml | 58 ----- examples/lakefs/enterprise/values-oidc.yaml | 64 ------ 17 files changed, 114 insertions(+), 718 deletions(-) delete mode 100644 charts/lakefs/templates/_fluffy.tpl delete mode 100644 charts/lakefs/templates/fluffy-configmap.yaml delete mode 100644 charts/lakefs/templates/fluffy-deployment.yaml delete mode 100644 charts/lakefs/templates/fluffy-secret.yaml delete mode 100644 charts/lakefs/templates/fluffy-service.yaml delete mode 100644 examples/lakefs/enterprise/README.md delete mode 100644 examples/lakefs/enterprise/values-adfs.yaml delete mode 100644 examples/lakefs/enterprise/values-external-aws.yaml delete mode 100644 examples/lakefs/enterprise/values-ldap.yaml delete mode 100644 examples/lakefs/enterprise/values-oidc.yaml diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index f2f669a..06062c0 100644 --- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl 
@@ -29,40 +29,39 @@ env: - name: LAKEFS_AUTH_ENCRYPT_SECRET_KEY value: asdjfhjaskdhuioaweyuiorasdsjbaskcbkj {{- end }} - {{- if (.Values.fluffy).enabled }} + {{- if .Values.enterprise.enabled }} - name: LAKEFS_USAGE_REPORT_ENABLED value: "true" - {{- if (.Values.fluffy.sso).enabled }} - - name: LAKEFS_AUTH_AUTHENTICATION_API_ENDPOINT - value: {{ printf "http://%s/api/v1" (include "fluffy.ssoServiceName" .) | quote }} - {{- if and .Values.ingress.enabled (.Values.fluffy.sso.saml).enabled }} + {{- if .Values.auth.saml.enabled }} - name: LAKEFS_AUTH_COOKIE_AUTH_VERIFICATION_AUTH_SOURCE value: saml - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_URL - value: {{ printf "%s/sso/login-saml" .Values.fluffy.sso.saml.lakeFSServiceProviderIngress }} + value: /sso/login-saml - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL - value: {{ printf "%s/sso/logout-saml" .Values.fluffy.sso.saml.lakeFSServiceProviderIngress }} + value: /sso/logout-saml + - name: LAKEFS_AUTH_LOGOUT_REDIRECT_URL + value: / + - name: LAKEFS_AUTH_PROVIDERS_SAML_POST_LOGIN_REDIRECT_URL + value: / + - name: LAKEFS_AUTH_PROVIDERS_SAML_SP_ROOT_URL + value: / + - name: LAKEFS_AUTH_PROVIDERS_SAML_SP_X509_KEY_PATH + value: '/etc/saml_certs/rsa_saml_private.key' + - name: LAKEFS_AUTH_PROVIDERS_SAML_SP_X509_CERT_PATH + value: '/etc/saml_certs/rsa_saml_public.pem' {{- end }} - {{- if (.Values.fluffy.sso.oidc).enabled }} + {{- if .Values.auth.oidc.enabled }} - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_URL value: '/oidc/login' - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: '/oidc/logout' {{- end }} - {{- if (.Values.fluffy.sso.ldap).enabled }} - - name: LAKEFS_AUTH_REMOTE_AUTHENTICATOR_ENDPOINT - value: {{ default (printf "http://%s/api/v1/ldap/login" (include "fluffy.ssoServiceName" .) 
| quote) (.Values.fluffy.sso.ldap).endpointOverride }} + {{- if .Values.auth.ldap.enabled }} - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: /logout {{- end }} {{- end }} - {{- if (.Values.fluffy.rbac).enabled }} - - name: LAKEFS_AUTH_API_ENDPOINT - value: {{ printf "http://%s/api/v1" (include "fluffy.rbacServiceName" .) | quote }} - - name: LAKEFS_AUTH_UI_CONFIG_RBAC - value: internal - {{- end }} - {{- end }} + {{- if .Values.s3Fallback.enabled }} - name: LAKEFS_GATEWAYS_S3_FALLBACK_URL value: http://localhost:7001 @@ -72,7 +71,7 @@ env: value: /lakefs/cache {{- end }} {{- if .Values.useDevPostgres }} - {{- if and (.Values.fluffy).enabled (.Values.fluffy.rbac).enabled }} + {{- if .Values.auth.rbac.enabled }} - name: LAKEFS_DATABASE_TYPE value: postgres - name: LAKEFS_DATABASE_POSTGRES_CONNECTION_STRING @@ -108,4 +107,9 @@ envFrom: - key: config.yaml path: config.yaml {{- end }} +{{- if .Values.auth.saml.enabled }} +- name: secret-volume + secret: + secretName: saml-certificates +{{- end }} {{- end }} diff --git a/charts/lakefs/templates/_fluffy.tpl b/charts/lakefs/templates/_fluffy.tpl deleted file mode 100644 index 29c0acc..0000000 --- a/charts/lakefs/templates/_fluffy.tpl +++ /dev/null 
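Review bot: `LAKEFS_AUTH_PROVIDERS_SAML_SP_ROOT_URL` is set to the relative path `/` in the new SAML branch, where the removed fluffy code passed the absolute `lakeFSServiceProviderIngress` URL; a relative SP root URL will most likely yield invalid SP metadata and ACS URLs at the IdP. The same branch hardcodes the key and cert paths, although the values.yaml hunk of this commit introduces `auth.saml.spRootUrl`, `spX509KeyPath` and `spX509CertPath`, which no template reads. Suggest `value: {{ .Values.auth.saml.spRootUrl | quote }}` for the root URL (and the same for the two paths, keeping the current strings as `default` fallbacks), with `spRootUrl` documented as required when SAML is enabled. Separately, the OIDC and LDAP branches set only UI URLs: the `oidc_client_secret` and `ldap_bind_password` keys that this commit's secret.yaml hunk stores are not referenced by any `secretKeyRef` here, so unless they are injected elsewhere the providers are configured without credentials. The enclosing define (presumably `lakefs.env`) continues outside the hunk.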
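Review bot: The new `secret-volume` stanza references the Secret by the fixed name `saml-certificates`, and the secret.yaml hunk in this commit creates it under the same fixed name, so two releases in one namespace would overwrite each other's certificates and, with `createSecret: false`, an operator must pre-create a secret with exactly this undocumented name. Prefer a release-scoped name, e.g. `secretName: {{ include "lakefs.fullname" . }}-saml-certificates` in both places, or an `auth.saml.existingSecret` value that defaults to it. Note also that this stanza is gated on `.Values.auth.saml.enabled` alone, while the SAML env vars earlier in this file additionally require `.Values.enterprise.enabled`, so the volume can be rendered without the env block that consumes it. The enclosing define starts outside the hunk.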
@@ -1,209 +0,0 @@ -{{/* -fluffy resource full name -*/}} -{{- define "fluffy.fullname" -}} -{{- $name := include "lakefs.fullname" . }} -{{- printf "%s-fluffy" $name | trunc 63 }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "fluffy.labels" -}} -helm.sh/chart: {{ include "lakefs.chart" . }} -{{ include "fluffy.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "fluffy.selectorLabels" -}} -app.kubernetes.io/name: {{ include "lakefs.name" . }}-fluffy -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "fluffy.serviceAccountName" -}} -{{- $lakeFSAcc := include "lakefs.serviceAccountName" . }} -{{- default $lakeFSAcc .Values.fluffy.serviceAccountName }} -{{- end }} - -{{/* -fluffy SSO service name -*/}} -{{- define "fluffy.ssoServiceName" -}} -{{- printf "fluffy-sso" }} -{{- end }} - -{{/* -fluffy Authorization service name -*/}} -{{- define "fluffy.rbacServiceName" -}} -{{- printf "fluffy-rbac" }} -{{- end }} - - -{{/* -Fluffy environment variables -*/}} - -{{- define "fluffy.env" -}} -env: - {{- if (.Values.fluffy.sso).enabled }} - {{- if and .Values.ingress.enabled (.Values.fluffy.sso.saml).enabled }} - - name: FLUFFY_AUTH_SAML_ENABLED - value: "true" - - name: FLUFFY_AUTH_LOGOUT_REDIRECT_URL - value: {{ .Values.fluffy.sso.saml.lakeFSServiceProviderIngress }} - - name: FLUFFY_AUTH_POST_LOGIN_REDIRECT_URL - value: {{ .Values.fluffy.sso.saml.lakeFSServiceProviderIngress }} - - name: FLUFFY_AUTH_SAML_SP_ROOT_URL - value: {{ .Values.fluffy.sso.saml.lakeFSServiceProviderIngress }} - - name: FLUFFY_AUTH_SAML_SP_X509_KEY_PATH - value: '/etc/saml_certs/rsa_saml_private.key' - - name: FLUFFY_AUTH_SAML_SP_X509_CERT_PATH - value: '/etc/saml_certs/rsa_saml_public.pem' - {{- end }} - {{- if 
(.Values.fluffy.sso.oidc).enabled }} - - name: FLUFFY_AUTH_POST_LOGIN_REDIRECT_URL - value: '/' - {{- if (.Values.fluffy.sso.oidc).client_secret }} - - name: FLUFFY_AUTH_OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ include "fluffy.fullname" . }} - key: oidc_client_secret - {{- end }} - {{- end }} - {{- if (.Values.fluffy.sso.ldap).enabled }} - - name: FLUFFY_AUTH_LDAP_BIND_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "fluffy.fullname" . }} - key: ldap_bind_password - {{- end }} - {{- end }} - {{- if .Values.existingSecret }} - - name: FLUFFY_AUTH_ENCRYPT_SECRET_KEY - valueFrom: - secretKeyRef: - name: {{ .Values.existingSecret }} - key: {{ .Values.secretKeys.authEncryptSecretKey }} - {{- else if and .Values.secrets (.Values.secrets).authEncryptSecretKey }} - - name: FLUFFY_AUTH_ENCRYPT_SECRET_KEY - valueFrom: - secretKeyRef: - name: {{ include "lakefs.fullname" . }} - key: auth_encrypt_secret_key - {{- else }} - - name: FLUFFY_AUTH_ENCRYPT_SECRET_KEY - value: asdjfhjaskdhuioaweyuiorasdsjbaskcbkj - {{- end }} - {{- if and (.Values.fluffy.rbac).enabled }} - - name: FLUFFY_AUTH_SERVE_LISTEN_ADDRESS - value: {{ printf ":%s" (include "fluffy.rbac.containerPort" .) }} - {{- end }} - {{- if and .Values.existingSecret .Values.secretKeys.databaseConnectionString }} - - name: FLUFFY_DATABASE_POSTGRES_CONNECTION_STRING - valueFrom: - secretKeyRef: - name: {{ .Values.existingSecret }} - key: {{ .Values.secretKeys.databaseConnectionString }} - {{- else if and .Values.secrets (.Values.secrets).databaseConnectionString }} - - name: FLUFFY_DATABASE_POSTGRES_CONNECTION_STRING - valueFrom: - secretKeyRef: - name: {{ include "lakefs.fullname" . 
}} - key: database_connection_string - {{- else if and .Values.useDevPostgres (.Values.fluffy.rbac).enabled }} - - name: FLUFFY_DATABASE_TYPE - value: postgres - - name: FLUFFY_DATABASE_POSTGRES_CONNECTION_STRING - value: 'postgres://lakefs:lakefs@postgres-server:5432/postgres?sslmode=disable' - {{- end }} - {{- if .Values.fluffy.extraEnvVars }} - {{- toYaml .Values.fluffy.extraEnvVars | nindent 2 }} - {{- end }} -{{- if .Values.fluffy.extraEnvVarsSecret }} -envFrom: - - secretRef: - name: {{ .Values.fluffy.extraEnvVarsSecret }} -{{- end }} -{{- end }} - -{{- define "fluffy.volumes" -}} -{{- if .Values.fluffy.extraVolumes }} -{{ toYaml .Values.fluffy.extraVolumes }} -{{- end }} -{{- if not .Values.fluffy.fluffyConfig }} -- name: {{ .Chart.Name }}-local-data -{{- end}} -{{- if (.Values.fluffy.sso.saml).enabled }} -- name: secret-volume - secret: - secretName: saml-certificates -{{- end }} -{{- if .Values.fluffy.fluffyConfig }} -- name: {{ include "fluffy.fullname" . }}-config - configMap: - name: {{ include "fluffy.fullname" . }}-config - items: - - key: config.yaml - path: config.yaml -{{- end }} -{{- end }} - -{{- define "fluffy.ingressOverrides" -}} -{{- $serviceName := include "fluffy.ssoServiceName" . -}} -{{- $gitVersion := .Capabilities.KubeVersion.GitVersion -}} -{{- $pathsOverrides := list "/oidc/" "/api/v1/oidc/" "/saml/" "/sso/" "/api/v1/ldap/" }} -{{- range $pathsOverrides }} -- path: {{ . 
}} -{{- if semverCompare ">=1.19-0" $gitVersion }} - pathType: Prefix - backend: - service: - name: {{ $serviceName }} - port: - number: 80 -{{- else }} - backend: - serviceName: {{ $serviceName }} - servicePort: 80 -{{- end }} -{{- end }} -{{- end }} - -{{- define "fluffy.dockerConfigJson" }} -{{- $token := .Values.fluffy.image.privateRegistry.secretToken }} -{{- $username := "externallakefs" }} -{{- $registry := "https://index.docker.io/v1/" }} -{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" $registry $username $token (printf "%s:%s" $username $token | b64enc) | b64enc }} -{{- end }} - -{{- define "fluffy.sso.serviceType" }} -{{- default "ClusterIP" (.Values.fluffy.sso.service).type }} -{{- end }} -{{- define "fluffy.rbac.serviceType" }} -{{- default "ClusterIP" (.Values.fluffy.rbac.service).type }} -{{- end }} - -{{- define "fluffy.sso.port" }} -{{- default 80 (.Values.fluffy.sso.service).port }} -{{- end }} -{{- define "fluffy.rbac.port" }} -{{- default 80 (.Values.fluffy.rbac.service).port }} -{{- end }} - -{{- define "fluffy.sso.containerPort" }} -{{- default 8000 (.Values.fluffy.sso.service).containerPort }} -{{- end }} -{{- define "fluffy.rbac.containerPort" }} -{{- default 9000 (.Values.fluffy.rbac.service).containerPort }} -{{- end }} diff --git a/charts/lakefs/templates/_helpers.tpl b/charts/lakefs/templates/_helpers.tpl index 43c14f2..722adfc 100644 --- a/charts/lakefs/templates/_helpers.tpl +++ b/charts/lakefs/templates/_helpers.tpl 
@@ -66,12 +66,12 @@ Create the name of the service account to use {{/* Define which repository to use according to the following: 1. Explicitly defined -2. Otherwise if fluffy is enabled - take enterprise image +2. Otherwise if enterprise is enabled - take enterprise image 3. Otherwise use OSS image */}} {{- define "lakefs.repository" -}} {{- if not .Values.image.repository }} -{{- if (.Values.fluffy).enabled }} +{{- if .Values.enterprise.enabled }} {{- default "treeverse/lakefs-enterprise" .Values.image.repository }} {{- else }} {{- default "treeverse/lakefs" .Values.image.repository }} @@ -79,4 +79,10 @@ Define which repository to use according to the following: {{- else }} {{- default .Values.image.repository }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} + +{{- define "lakefs.checkDeprecated" -}} +{{- if .Values.fluffy -}} +{{- fail "Fluffy configuration detected. Please migrate to lakeFS Enterprise auth configuration. See migration guide." -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/lakefs/templates/deployment.yaml b/charts/lakefs/templates/deployment.yaml index 42cf842..4c9e26c 100644 --- a/charts/lakefs/templates/deployment.yaml +++ b/charts/lakefs/templates/deployment.yaml @@ -1,3 +1,4 @@ +{{- include "lakefs.checkDeprecated" . -}} apiVersion: apps/v1 kind: Deployment metadata: @@ -19,16 +20,6 @@ spec: labels: {{- include "lakefs.selectorLabels" . | nindent 8 }} spec: - {{- if eq ( include "lakefs.repository" .) "treeverse/lakefs-enterprise" }} - {{- if (.Values.fluffy.image.privateRegistry).enabled }} - imagePullSecrets: - {{- if (.Values.fluffy.image.privateRegistry).secretToken }} - - name: "docker-registry" - {{- else }} - - name: {{ .Values.fluffy.image.privateRegistry.secretName }} - {{- end }} - {{- end }} - {{- end }} serviceAccountName: {{ include "lakefs.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} 
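Review bot: The `fail` message in the new `lakefs.checkDeprecated` helper says only "See migration guide", so an operator who still has a `fluffy:` block gets a hard render error with no pointer to the replacement keys or to where the guide lives. Since this commit introduces the replacements, name them in the message, e.g. `{{- fail "Fluffy configuration detected: the 'fluffy' values block is no longer supported; set enterprise.enabled and configure the auth.* values instead (see the chart documentation)." -}}`. A `{{/* ... */}}` header above the define, matching the file's other helpers, saying that it aborts rendering when the removed `fluffy` block is present, would also help. `{{- if .Values.fluffy -}}` is fine as a guard: a non-empty map is truthy and an empty `fluffy: {}` is not; the file is still left without a trailing newline.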
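Review bot: The removed block was the Deployment's only `imagePullSecrets`, and nothing added in this commit replaces it, while `lakefs.repository` still selects `treeverse/lakefs-enterprise` when `enterprise.enabled` is true; if that image requires registry credentials the pod can no longer pull it. If anonymous pulls are now the intended path this is fine; otherwise the pod spec should take a generic list, e.g. `{{- with .Values.imagePullSecrets }}` / `imagePullSecrets:` / `{{- toYaml . | nindent 8 }}` / `{{- end }}`, backed by an `imagePullSecrets: []` default in values.yaml (illustrative value name, not on the page). The pod spec continues outside the hunk.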
@@ -99,6 +90,11 @@ spec: - name: {{ .Chart.Name }}-local-data mountPath: "/lakefs/data" {{- end }} + {{- if and .Values.auth.saml.enabled }} + - name: secret-volume + readOnly: true + mountPath: /etc/saml_certs/ + {{- end }} {{- include "lakefs.env" . | nindent 10 }} {{- include "lakefs.s3proxyContainer" . | nindent 8}} {{- include "lakefs.gcpProxyContainer" . | nindent 8}} diff --git a/charts/lakefs/templates/dev-postgresql.yaml b/charts/lakefs/templates/dev-postgresql.yaml index a99432c..01e759c 100644 --- a/charts/lakefs/templates/dev-postgresql.yaml +++ b/charts/lakefs/templates/dev-postgresql.yaml @@ -1,5 +1,5 @@ {{- if .Values.useDevPostgres }} -{{- if and (.Values.fluffy).enabled (.Values.fluffy.rbac).enabled }} +{{- if .Values.auth.rbac.enabled }} apiVersion: apps/v1 kind: Deployment diff --git a/charts/lakefs/templates/fluffy-configmap.yaml b/charts/lakefs/templates/fluffy-configmap.yaml deleted file mode 100644 index 014c84f..0000000 --- a/charts/lakefs/templates/fluffy-configmap.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if (.Values.fluffy).enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "fluffy.fullname" . }}-config -{{- with .Values.fluffy.fluffyConfig }} -data: - config.yaml: - {{- toYaml . | nindent 4 }} -{{- end }} -{{- end}} \ No newline at end of file diff --git a/charts/lakefs/templates/fluffy-deployment.yaml b/charts/lakefs/templates/fluffy-deployment.yaml deleted file mode 100644 index 176ae42..0000000 --- a/charts/lakefs/templates/fluffy-deployment.yaml +++ /dev/null 
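Review bot: `{{- if and .Values.auth.saml.enabled }}` applies `and` to a single operand, which is a no-op; write `{{- if .Values.auth.saml.enabled }}` as the other new conditionals in this commit do. The mount path `/etc/saml_certs/` matches `LAKEFS_AUTH_PROVIDERS_SAML_SP_X509_KEY_PATH`/`_CERT_PATH` in `_env.tpl`, and `readOnly: true` is the right setting for key material. The container spec continues outside the hunk.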
@@ -1,119 +0,0 @@ -{{- if (.Values.fluffy).enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "fluffy.fullname" . }} - labels: - {{- include "fluffy.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.fluffy.replicaCount }} - selector: - matchLabels: - {{- include "fluffy.selectorLabels" . | nindent 6 }} - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/fluffy-configmap.yaml") . | sha256sum }} - {{- with .Values.fluffy.podAnnotations }} - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "fluffy.selectorLabels" . | nindent 8 }} - spec: - {{- if .Values.fluffy.image.privateRegistry.enabled }} - imagePullSecrets: - {{- if .Values.fluffy.image.privateRegistry.secretToken }} - - name: "docker-registry" - {{- else }} - - name: {{ .Values.fluffy.image.privateRegistry.secretName }} - {{- end }} - {{- end }} - serviceAccountName: {{ include "fluffy.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - containers: - - name: {{ .Chart.Name }} - args: - - run - {{ range (.Values.fluffy).additionalArguments }} - - {{ . }} - {{ end }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.fluffy.image.repository }}:{{ .Values.fluffy.image.tag }}" - imagePullPolicy: {{ .Values.fluffy.image.pullPolicy }} - ports: - - name: http-sso - containerPort: {{ include "fluffy.sso.containerPort" . }} - protocol: TCP - - name: http-rbac - containerPort: {{ include "fluffy.rbac.containerPort" . 
}} - protocol: TCP - readinessProbe: - {{- if ((.Values.readinessProbe).failureThreshold) }} - failureThreshold: {{ .Values.readinessProbe.failureThreshold }} - {{- end }} - {{- if ((.Values.readinessProbe).periodSeconds) }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - {{- end }} - {{- if ((.Values.readinessProbe).successThreshold) }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - {{- end }} - {{- if ((.Values.readinessProbe).timeoutSeconds) }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - {{- end }} - httpGet: - path: /_health - port: http-sso - livenessProbe: - {{- if ((.Values.livenessProbe).failureThreshold) }} - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - {{- end }} - {{- if ((.Values.livenessProbe).periodSeconds) }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - {{- end }} - {{- if ((.Values.livenessProbe).successThreshold) }} - successThreshold: {{ .Values.livenessProbe.successThreshold }} - {{- end }} - {{- if ((.Values.livenessProbe).timeoutSeconds) }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - {{- end }} - {{- if ((.Values.livenessProbe).initialDelaySeconds) }} - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - {{- end }} - httpGet: - path: /_health - port: http-sso - resources: - {{- toYaml .Values.fluffy.resources | nindent 12 }} - volumeMounts: - {{- if .Values.fluffy.extraVolumeMounts }} - {{ toYaml .Values.fluffy.extraVolumeMounts | nindent 12 }} - {{- end }} - - name: {{ include "fluffy.fullname" . }}-config - mountPath: /etc/fluffy/ - {{- if and .Values.fluffy.sso.enabled (.Values.fluffy.sso.saml).enabled }} - - name: secret-volume - readOnly: true - mountPath: /etc/saml_certs/ - {{- end }} - {{- include "fluffy.env" . | nindent 10 }} - volumes: - {{- include "fluffy.volumes" . | nindent 8 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end}} diff --git a/charts/lakefs/templates/fluffy-secret.yaml b/charts/lakefs/templates/fluffy-secret.yaml deleted file mode 100644 index 3150f5a..0000000 --- a/charts/lakefs/templates/fluffy-secret.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -{{- if (.Values.fluffy).enabled }} -{{- if (.Values.fluffy.secrets).create }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "fluffy.fullname" . }} - labels: - {{- include "fluffy.labels" . | nindent 4 }} -type: Opaque -data: -{{- if and .Values.fluffy.sso.enabled (.Values.fluffy.sso.oidc).client_secret }} - oidc_client_secret: {{ .Values.fluffy.sso.oidc.client_secret | b64enc }} -{{- end}} -{{- if and .Values.fluffy.sso.enabled (.Values.fluffy.sso.ldap).bind_password }} - ldap_bind_password: {{ .Values.fluffy.sso.ldap.bind_password | b64enc }} -{{- end}} -{{- end}} - ---- -# docker-registry secret for image pull - -{{- if and .Values.fluffy.image.privateRegistry.enabled .Values.fluffy.image.privateRegistry.secretToken }} -apiVersion: v1 -kind: Secret -metadata: - name: docker-registry -type: kubernetes.io/dockerconfigjson -data: - .dockerconfigjson: {{ template "fluffy.dockerConfigJson" . }} -{{- end }} - ---- -# certificates to use with SAML SSO against server such as AD FS - -{{- if and (.Values.fluffy.sso).enabled (.Values.fluffy.sso.saml).enabled }} -{{- if .Values.fluffy.sso.saml.createSecret }} -apiVersion: v1 -kind: Secret -metadata: - name: saml-certificates -data: - rsa_saml_public.pem: '{{ .Values.fluffy.sso.saml.certificate.saml_rsa_public_cert | b64enc }}' - rsa_saml_private.key: '{{ .Values.fluffy.sso.saml.certificate.saml_rsa_private_key | b64enc }}' -{{- end }} -{{- end }} - -{{- end}} \ No newline at end of file diff --git a/charts/lakefs/templates/fluffy-service.yaml b/charts/lakefs/templates/fluffy-service.yaml deleted file mode 100644 index 942d421..0000000 --- a/charts/lakefs/templates/fluffy-service.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -{{- if (.Values.fluffy).enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "fluffy.ssoServiceName" . }} - labels: - {{- include "fluffy.labels" . | nindent 4 }} -spec: - type: {{ include "fluffy.sso.serviceType" . }} - ports: - - port: {{ include "fluffy.sso.port" . }} - targetPort: http-sso - protocol: TCP - name: http-sso - selector: - {{- include "fluffy.selectorLabels" . | nindent 4 }} ---- -{{- if .Values.fluffy.rbac.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "fluffy.rbacServiceName" . }} - labels: - {{- include "fluffy.labels" . | nindent 4 }} -spec: - type: {{ include "fluffy.rbac.serviceType" . }} - ports: - - port: {{ include "fluffy.rbac.port" . }} - targetPort: http-rbac - protocol: TCP - name: http-rbac - selector: - {{- include "fluffy.selectorLabels" . | nindent 4 }} -{{- end }} -{{- end}} \ No newline at end of file diff --git a/charts/lakefs/templates/ingress.yaml b/charts/lakefs/templates/ingress.yaml index 0191fb2..76fbc82 100644 --- a/charts/lakefs/templates/ingress.yaml +++ b/charts/lakefs/templates/ingress.yaml @@ -56,9 +56,6 @@ spec: servicePort: {{ $svcPort }} {{- end }} {{- end }} - {{- if ($.Values.fluffy).enabled }} - {{- include "fluffy.ingressOverrides" $root | nindent 10 }} - {{- end }} {{- if (.pathsOverrides) }} {{- range .pathsOverrides }} - path: {{ .path }} diff --git a/charts/lakefs/templates/secret.yaml b/charts/lakefs/templates/secret.yaml index 33e18d2..7534c9f 100644 --- a/charts/lakefs/templates/secret.yaml +++ b/charts/lakefs/templates/secret.yaml 
@@ -13,4 +13,25 @@ data: {{- if .Values.secrets.authEncryptSecretKey }} auth_encrypt_secret_key: {{ .Values.secrets.authEncryptSecretKey | default "" | b64enc }} {{- end }} +{{- if .Values.auth.oidc.clientSecret }} + oidc_client_secret: {{ .Values.auth.oidc.clientSecret | b64enc }} +{{- end}} +{{- if .Values.auth.ldap.bindPassword }} + ldap_bind_password: {{ .Values.auth.ldap.bindPassword | b64enc }} +{{- end}} +{{- end }} +--- + +# certificates to use with SAML SSO against server such as AD FS + +{{- if .Values.auth.saml.enabled }} +{{- if .Values.auth.saml.createSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: saml-certificates +data: + rsa_saml_public.pem: '{{ .Values.auth.saml.certificate.saml_rsa_public_cert | b64enc }}' + rsa_saml_private.key: '{{ .Values.auth.saml.certificate.saml_rsa_private_key | b64enc }}' +{{- end }} {{- end }} diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index 3c19d50..1f7fc48 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml @@ -105,13 +105,6 @@ extraEnvVars: # timeoutSeconds: 1 # initialDelaySeconds: 5 -# Everything under fluffy stanza is for lakeFS enterprise only https://docs.lakefs.io/enterprise/ -fluffy: - enabled: false - image: - repository: treeverse/fluffy - tag: '0.13.2' - pullPolicy: IfNotPresent # Start local postgres pod for quick start, not for production useDevPostgres: true 
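Review bot: The added `saml-certificates` Secret carries no `type` and no labels, unlike the chart's existing Secret above it (whose header is outside the hunk), so it relies on the implicit Opaque type and is not selectable by the chart's labels; add `type: Opaque` and a `labels:` block from the chart's common-labels helper. The `---` is emitted unconditionally, so with SAML disabled the template ends in an empty document; Helm tolerates that, but moving `---` inside `{{- if .Values.auth.saml.enabled }}` keeps the output clean. `oidc_client_secret` and `ldap_bind_password` are stored here but, within this commit, no `secretKeyRef` in `_env.tpl` reads them; confirm they are consumed somewhere or the values are dead. Because `saml_rsa_private_key` comes from values, the private key also lands in the release's stored values; the `createSecret: false` path with a pre-provisioned Secret is the safer default to document for production.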
@@ -124,3 +117,57 @@ secretKeys: authEncryptSecretKey: auth_encrypt_secret_key # Use the following to fetch PostgreSQL connection string from an existing secret: databaseConnectionString: null + +# Enterprise Auth configuration +enterprise: + enabled: false + +auth: + rbac: + enabled: false + ldap: + enabled: false + serverEndpoint: null + bindDN: null + bindPassword: null + usernameAttribute: null + userBaseDN: null + userFilter: null + connectionTimeoutSeconds: null + requestTimeoutSeconds: null + + oidc: + enabled: false + url: null + clientId: null + clientSecret: null + callbackBaseUrl: null + callbackBaseUrls: null + authorizeEndpointQueryParameters: null + logoutEndpointQueryParameters: null + logoutClientIdQueryParameter: null + additionalScopeClaims: null + + saml: + enabled: false + createSecret: false + spRootUrl: null + spX509KeyPath: null + spX509CertPath: null + spSignRequest: null + spSignatureMethod: null + idpMetadataUrl: null + idpSkipVerifyTlsCert: null + idpAuthnNameIdFormat: null + idpRequestTimeout: null + certificate: + # certificates for AD FS IDP (e.g Azure AD) + saml_rsa_public_cert: null + saml_rsa_private_key: null + external: + awsAuth: + enabled: false + getCallerIdentityMaxAge: null + requiredHeaders: null + optionalHeaders: null + validStsHosts: null \ No newline at end of file diff --git a/examples/lakefs/enterprise/README.md b/examples/lakefs/enterprise/README.md deleted file mode 100644 index f4fef88..0000000 --- a/examples/lakefs/enterprise/README.md +++ /dev/null 
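Review bot: The new `auth` stanza mixes camelCase (`clientSecret`, `spRootUrl`, `getCallerIdentityMaxAge`) with snake_case under `saml.certificate` (`saml_rsa_public_cert`, `saml_rsa_private_key`), the latter carried over from the deleted fluffy examples; pick one convention for the new surface, since only `secret.yaml` references the snake_case keys and renaming now is cheap. Every key is `null` with no comment on type, unit or whether it is required, so the key name is the only documentation; one `#` line per key in the style already used above (`# Use the following to fetch ...`), e.g. `# seconds` on `connectionTimeoutSeconds` and `# required when saml.enabled` on `spRootUrl`, would fix that. Most of these keys (`ldap.*` endpoints, `oidc.url`/`clientId`, `saml.idpMetadataUrl`, all of `external.awsAuth`) are not read by any template hunk in this patch; if they are meant to become `LAKEFS_AUTH_*` env vars that wiring is still missing, unless it arrives later in the series. The file is also left without a trailing newline.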
@@ -1,10 +0,0 @@ -# Examples for lakeFS enterprise - - -The following example are minimal required configuration use start working with the helm lakeFS chart. -Learn more about [lakeFS for enterprise](https://docs.lakefs.io/enterprise/). - -### What is fluffy - -AAA Server for lakeFS enterprise. -Access to resources is traditionally guarded by three-headed dogs. The first and best three-headed guard dog is Kerberos. But that canine has an associated security product. So we named ours after the three-headed dog in [Harry Potter Fluffy](https://harrypotter.fandom.com/wiki/Fluffy). \ No newline at end of file diff --git a/examples/lakefs/enterprise/values-adfs.yaml b/examples/lakefs/enterprise/values-adfs.yaml deleted file mode 100644 index 5857c88..0000000 --- a/examples/lakefs/enterprise/values-adfs.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -lakefsConfig: | - logging: - level: "INFO" - audit_log_level: "INFO" - blockstore: - type: local - auth: - cookie_auth_verification: - # claim name to display user in the UI - friendly_name_claim_name: displayName - # claim name from IDP to use as the uniqueue user name - external_user_id_claim_name: samName - default_initial_groups: - - "Developers" - ui_config: - login_cookie_names: - - internal_auth_session - - saml_auth_session -ingress: - enabled: true - ingressClassName: - hosts: - - host: - paths: - - / - -################################################## -########### lakeFS enterprise - FLUFFY ########### -################################################## - -fluffy: - enabled: true - image: - privateRegistry: - enabled: true - secretToken: - fluffyConfig: | - logging: - level: "INFO" - auth: - # logout_redirect_url: https:// - # post_login_redirect_url: https:// - saml: - sp_sign_request: true - # depends on IDP - sp_signature_method: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" - # url to the metadata of the IDP - idp_metadata_url: "https:///federationmetadata/2007-06/federationmetadata.xml" - # IDP SAML claims format default unspecified - # idp_authn_name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" - # claim name from IDP to use as the uniqueue user name - external_user_id_claim_name: samName - # depending on IDP setup, if CA certs are self signed and not trusted by a known CA - idp_skip_verify_tls_cert: true - - secrets: - create: true - - sso: - enabled: true - saml: - enabled: true - createSecret: true - lakeFSServiceProviderIngress: https:// - certificate: - # certificates for AD FS IDP (e.g Azure AD) - saml_rsa_public_cert: | - -----BEGIN CERTIFICATE----- - ... - -----END CERTIFICATE----- - saml_rsa_private_key: | - -----BEGIN PRIVATE KEY----- - ... - -----END PRIVATE KEY----- - rbac: - enabled: true - -useDevPostgres: true 
diff --git a/examples/lakefs/enterprise/values-external-aws.yaml b/examples/lakefs/enterprise/values-external-aws.yaml deleted file mode 100644 index 0133c81..0000000 --- a/examples/lakefs/enterprise/values-external-aws.yaml +++ /dev/null @@ -1,44 +0,0 @@ -lakefsConfig: | - auth: - authentication_api: - external_principals_enabled: true -ingress: - enabled: true - ingressClassName: - hosts: - # the ingress that will be created for lakeFS - - host: - paths: - - / - -################################################## -########### lakeFS enterprise - FLUFFY ########### -################################################## - -fluffy: - enabled: true - image: - repository: treeverse/fluffy - pullPolicy: IfNotPresent - privateRegistry: - enabled: true - secretToken: - fluffyConfig: | - auth: - external: - aws_auth: - enabled: true - # the maximum age in seconds for the GetCallerIdentity request - #get_caller_identity_max_age: 60 - # headers that must be present by the client when doing login request - required_headers: - # same host as the lakeFS server ingress - X-LakeFS-Server-ID: - secrets: - create: true - sso: - enabled: true - rbac: - enabled: true - -useDevPostgres: true diff --git a/examples/lakefs/enterprise/values-ldap.yaml b/examples/lakefs/enterprise/values-ldap.yaml deleted file mode 100644 index 20a2db9..0000000 --- a/examples/lakefs/enterprise/values-ldap.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -lakefsConfig: | - logging: - level: "INFO" - blockstore: - type: local - auth: - remote_authenticator: - enabled: true - # RBAC group for first time users - default_user_group: "Developers" - ui_config: - login_cookie_names: - - internal_auth_session - -ingress: - enabled: true - ingressClassName: - hosts: - - host: - paths: - - / - -################################################## -########### lakeFS enterprise - FLUFFY ########### -################################################## - -fluffy: - enabled: true - image: - privateRegistry: - enabled: true - secretToken: - fluffyConfig: | - logging: - level: "INFO" - auth: - post_login_redirect_url: / - ldap: - server_endpoint: 'ldaps://ldap.company.com:636' - bind_dn: uid=,ou=Users,o=,dc=,dc=com - username_attribute: uid - user_base_dn: ou=Users,o=,dc=,dc=com - user_filter: (objectClass=inetOrgPerson) - connection_timeout_seconds: 15 - request_timeout_seconds: 17 - - secrets: - create: true - - sso: - enabled: true - ldap: - enabled: true - bind_password: - rbac: - enabled: true - -useDevPostgres: true diff --git a/examples/lakefs/enterprise/values-oidc.yaml b/examples/lakefs/enterprise/values-oidc.yaml deleted file mode 100644 index 5fb8920..0000000 --- a/examples/lakefs/enterprise/values-oidc.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -lakefsConfig: | - logging: - level: "INFO" - blockstore: - type: local - auth: - oidc: - # the claim that's provided by the OIDC provider (e.g Okta) that will be used as the username according to OIDC provider claims provided after successfull authentication - friendly_name_claim_name: "" - default_initial_groups: ["Developers"] - ui_config: - login_cookie_names: - - internal_auth_session - - oidc_auth_session -ingress: - enabled: true - ingressClassName: - hosts: - # the ingress that will be created for lakeFS - - host: - paths: - - / - -################################################## -########### lakeFS enterprise - FLUFFY ########### -################################################## - -fluffy: - enabled: true - image: - repository: treeverse/fluffy - pullPolicy: IfNotPresent - privateRegistry: - enabled: true - secretToken: - fluffyConfig: | - logging: - format: "json" - level: "INFO" - auth: - logout_redirect_url: https://oidc-provider-url.com/logout/example - oidc: - enabled: true - url: https://oidc-provider-url.com/ - client_id: - callback_base_url: https:// - # the claim name that represents the client identifier in the OIDC provider (e.g Okta) - logout_client_id_query_parameter: client_id - # the query parameters that will be used to redirect the user to the OIDC provider (e.g Okta) after logout - logout_endpoint_query_parameters: - - returnTo - - https:///oidc/login - secrets: - create: true - sso: - enabled: true - oidc: - enabled: true - # secret given by the OIDC provider (e.g auth0, Okta, etc) - client_secret: - rbac: - enabled: true - -useDevPostgres: true From 8c9753921739cd538aff39fcbf9b65ad3a839032 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 29 Jun 2025 12:18:32 +0300 Subject: [PATCH 03/25] WIP --- charts/lakefs/templates/_env.tpl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index 06062c0..f61ed7d 100644 
--- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl @@ -60,6 +60,10 @@ env: - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: /logout {{- end }} + {{- if .Values.auth.rbac.enabled }} + - name: LAKEFS_AUTH_UI_CONFIG_RBAC + value: internal + {{- end }} {{- end }} {{- if .Values.s3Fallback.enabled }} From 306926ce799335e3d7d56c073514410c0892d648 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 29 Jun 2025 12:46:06 +0300 Subject: [PATCH 04/25] WIP --- charts/lakefs/templates/_env.tpl | 12 +-- charts/lakefs/templates/deployment.yaml | 12 ++- charts/lakefs/templates/dev-postgresql.yaml | 2 +- charts/lakefs/templates/secret.yaml | 16 +-- charts/lakefs/values.yaml | 107 ++++++++++---------- 5 files changed, 82 insertions(+), 67 deletions(-) diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index f61ed7d..2cc0890 100644 --- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl @@ -32,7 +32,7 @@ env: {{- if .Values.enterprise.enabled }} - name: LAKEFS_USAGE_REPORT_ENABLED value: "true" - {{- if .Values.auth.saml.enabled }} + {{- if .Values.enterprise.auth.saml.enabled }} - name: LAKEFS_AUTH_COOKIE_AUTH_VERIFICATION_AUTH_SOURCE value: saml - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_URL @@ -50,17 +50,17 @@ env: - name: LAKEFS_AUTH_PROVIDERS_SAML_SP_X509_CERT_PATH value: '/etc/saml_certs/rsa_saml_public.pem' {{- end }} - {{- if .Values.auth.oidc.enabled }} + {{- if .Values.enterprise.auth.oidc.enabled }} - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_URL value: '/oidc/login' - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: '/oidc/logout' {{- end }} - {{- if .Values.auth.ldap.enabled }} + {{- if .Values.enterprise.auth.ldap.enabled }} - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: /logout {{- end }} - {{- if .Values.auth.rbac.enabled }} + {{- if .Values.enterprise.auth.rbac.enabled }} - name: LAKEFS_AUTH_UI_CONFIG_RBAC value: internal {{- end }} 
@@ -75,7 +75,7 @@ env: value: /lakefs/cache {{- end }} {{- if .Values.useDevPostgres }} - {{- if .Values.auth.rbac.enabled }} + {{- if .Values.enterprise.auth.rbac.enabled }} - name: LAKEFS_DATABASE_TYPE value: postgres - name: LAKEFS_DATABASE_POSTGRES_CONNECTION_STRING @@ -111,7 +111,7 @@ envFrom: - key: config.yaml path: config.yaml {{- end }} -{{- if .Values.auth.saml.enabled }} +{{- if .Values.enterprise.auth.saml.enabled }} - name: secret-volume secret: secretName: saml-certificates diff --git a/charts/lakefs/templates/deployment.yaml b/charts/lakefs/templates/deployment.yaml index 4c9e26c..41bcac7 100644 --- a/charts/lakefs/templates/deployment.yaml +++ b/charts/lakefs/templates/deployment.yaml @@ -20,6 +20,16 @@ spec: labels: {{- include "lakefs.selectorLabels" . | nindent 8 }} spec: + {{- if eq ( include "lakefs.repository" .) "treeverse/lakefs-enterprise" }} + {{- if (.Values.enterprise.image.privateRegistry).enabled }} + imagePullSecrets: + {{- if (.Values.enterprise.image.privateRegistry).secretToken }} + - name: "docker-registry" + {{- else }} + - name: {{ .Values.enterprise.image.privateRegistry.secretName }} + {{- end }} + {{- end }} + {{- end }} serviceAccountName: {{ include "lakefs.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} @@ -90,7 +100,7 @@ spec: - name: {{ .Chart.Name }}-local-data mountPath: "/lakefs/data" {{- end }} - {{- if and .Values.auth.saml.enabled }} + {{- if and .Values.enterprise.auth.saml.enabled }} - name: secret-volume readOnly: true mountPath: /etc/saml_certs/ diff --git a/charts/lakefs/templates/dev-postgresql.yaml b/charts/lakefs/templates/dev-postgresql.yaml index 01e759c..5f2b287 100644 --- a/charts/lakefs/templates/dev-postgresql.yaml +++ b/charts/lakefs/templates/dev-postgresql.yaml @@ -1,5 +1,5 @@ {{- if .Values.useDevPostgres }} -{{- if .Values.auth.rbac.enabled }} +{{- if .Values.enterprise.auth.rbac.enabled }} apiVersion: apps/v1 kind: Deployment 
diff --git a/charts/lakefs/templates/secret.yaml b/charts/lakefs/templates/secret.yaml index 7534c9f..b671634 100644 --- a/charts/lakefs/templates/secret.yaml +++ b/charts/lakefs/templates/secret.yaml @@ -13,25 +13,25 @@ data: {{- if .Values.secrets.authEncryptSecretKey }} auth_encrypt_secret_key: {{ .Values.secrets.authEncryptSecretKey | default "" | b64enc }} {{- end }} -{{- if .Values.auth.oidc.clientSecret }} - oidc_client_secret: {{ .Values.auth.oidc.clientSecret | b64enc }} +{{- if .Values.enterprise.auth.oidc.clientSecret }} + oidc_client_secret: {{ .Values.enterprise.auth.oidc.clientSecret | b64enc }} {{- end}} -{{- if .Values.auth.ldap.bindPassword }} - ldap_bind_password: {{ .Values.auth.ldap.bindPassword | b64enc }} +{{- if .Values.enterprise.auth.ldap.bindPassword }} + ldap_bind_password: {{ .Values.enterprise.auth.ldap.bindPassword | b64enc }} {{- end}} {{- end }} --- # certificates to use with SAML SSO against server such as AD FS -{{- if .Values.auth.saml.enabled }} -{{- if .Values.auth.saml.createSecret }} +{{- if .Values.enterprise.auth.saml.enabled }} +{{- if .Values.enterprise.auth.saml.createSecret }} apiVersion: v1 kind: Secret metadata: name: saml-certificates data: - rsa_saml_public.pem: '{{ .Values.auth.saml.certificate.saml_rsa_public_cert | b64enc }}' - rsa_saml_private.key: '{{ .Values.auth.saml.certificate.saml_rsa_private_key | b64enc }}' + rsa_saml_public.pem: '{{ .Values.enterprise.auth.saml.certificate.saml_rsa_public_cert | b64enc }}' + rsa_saml_private.key: '{{ .Values.enterprise.auth.saml.certificate.saml_rsa_private_key | b64enc }}' {{- end }} {{- end }} diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index 1f7fc48..363cdd0 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml 
@@ -118,56 +118,61 @@ secretKeys: # Use the following to fetch PostgreSQL connection string from an existing secret: databaseConnectionString: null -# Enterprise Auth configuration +# Enterprise configuration enterprise: - enabled: false - -auth: - rbac: - enabled: false - ldap: - enabled: false - serverEndpoint: null - bindDN: null - bindPassword: null - usernameAttribute: null - userBaseDN: null - userFilter: null - connectionTimeoutSeconds: null - requestTimeoutSeconds: null - - oidc: - enabled: false - url: null - clientId: null - clientSecret: null - callbackBaseUrl: null - callbackBaseUrls: null - authorizeEndpointQueryParameters: null - logoutEndpointQueryParameters: null - logoutClientIdQueryParameter: null - additionalScopeClaims: null - - saml: - enabled: false - createSecret: false - spRootUrl: null - spX509KeyPath: null - spX509CertPath: null - spSignRequest: null - spSignatureMethod: null - idpMetadataUrl: null - idpSkipVerifyTlsCert: null - idpAuthnNameIdFormat: null - idpRequestTimeout: null - certificate: - # certificates for AD FS IDP (e.g Azure AD) - saml_rsa_public_cert: null - saml_rsa_private_key: null - external: - awsAuth: + enabled: false + image: + privateRegistry: + enabled: false + secretToken: null + secretName: null + + auth: + rbac: + enabled: false + ldap: + enabled: false + serverEndpoint: null + bindDN: null + bindPassword: null + usernameAttribute: null + userBaseDN: null + userFilter: null + connectionTimeoutSeconds: null + requestTimeoutSeconds: null + + oidc: + enabled: false + url: null + clientId: null + clientSecret: null + callbackBaseUrl: null + callbackBaseUrls: null + authorizeEndpointQueryParameters: null + logoutEndpointQueryParameters: null + logoutClientIdQueryParameter: null + additionalScopeClaims: null + + saml: enabled: false - getCallerIdentityMaxAge: null - requiredHeaders: null - optionalHeaders: null - validStsHosts: null \ No newline at end of file + createSecret: false + spRootUrl: null + spX509KeyPath: null 
+ spX509CertPath: null + spSignRequest: null + spSignatureMethod: null + idpMetadataUrl: null + idpSkipVerifyTlsCert: null + idpAuthnNameIdFormat: null + idpRequestTimeout: null + certificate: + # certificates for AD FS IDP (e.g Azure AD) + saml_rsa_public_cert: null + saml_rsa_private_key: null + external: + awsAuth: + enabled: false + getCallerIdentityMaxAge: null + requiredHeaders: null + optionalHeaders: null + validStsHosts: null From d5842df9b91d42eec25fa8005da9b39d0d2d60f5 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 29 Jun 2025 14:09:02 +0300 Subject: [PATCH 05/25] WIP --- charts/lakefs/templates/_env.tpl | 12 ++-- charts/lakefs/templates/deployment.yaml | 2 +- charts/lakefs/templates/dev-postgresql.yaml | 2 +- charts/lakefs/templates/secret.yaml | 16 ++--- charts/lakefs/values.yaml | 68 ++++++--------------- 5 files changed, 35 insertions(+), 65 deletions(-) diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index 2cc0890..f61ed7d 100644 --- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl @@ -32,7 +32,7 @@ env: {{- if .Values.enterprise.enabled }} - name: LAKEFS_USAGE_REPORT_ENABLED value: "true" - {{- if .Values.enterprise.auth.saml.enabled }} + {{- if .Values.auth.saml.enabled }} - name: LAKEFS_AUTH_COOKIE_AUTH_VERIFICATION_AUTH_SOURCE value: saml - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_URL 
@@ -50,17 +50,17 @@ env: - name: LAKEFS_AUTH_PROVIDERS_SAML_SP_X509_CERT_PATH value: '/etc/saml_certs/rsa_saml_public.pem' {{- end }} - {{- if .Values.enterprise.auth.oidc.enabled }} + {{- if .Values.auth.oidc.enabled }} - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_URL value: '/oidc/login' - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: '/oidc/logout' {{- end }} - {{- if .Values.enterprise.auth.ldap.enabled }} + {{- if .Values.auth.ldap.enabled }} - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: /logout {{- end }} - {{- if .Values.enterprise.auth.rbac.enabled }} + {{- if .Values.auth.rbac.enabled }} - name: LAKEFS_AUTH_UI_CONFIG_RBAC value: internal {{- end }} @@ -75,7 +75,7 @@ env: value: /lakefs/cache {{- end }} {{- if .Values.useDevPostgres }} - {{- if .Values.enterprise.auth.rbac.enabled }} + {{- if .Values.auth.rbac.enabled }} - name: LAKEFS_DATABASE_TYPE value: postgres - name: LAKEFS_DATABASE_POSTGRES_CONNECTION_STRING @@ -111,7 +111,7 @@ envFrom: - key: config.yaml path: config.yaml {{- end }} -{{- if .Values.enterprise.auth.saml.enabled }} +{{- if .Values.auth.saml.enabled }} - name: secret-volume secret: secretName: saml-certificates diff --git a/charts/lakefs/templates/deployment.yaml b/charts/lakefs/templates/deployment.yaml index 41bcac7..ca32fe1 100644 --- a/charts/lakefs/templates/deployment.yaml +++ b/charts/lakefs/templates/deployment.yaml @@ -100,7 +100,7 @@ spec: - name: {{ .Chart.Name }}-local-data mountPath: "/lakefs/data" {{- end }} - {{- if and .Values.enterprise.auth.saml.enabled }} + {{- if and .Values.auth.saml.enabled }} - name: secret-volume readOnly: true mountPath: /etc/saml_certs/ diff --git a/charts/lakefs/templates/dev-postgresql.yaml b/charts/lakefs/templates/dev-postgresql.yaml index 5f2b287..01e759c 100644 --- a/charts/lakefs/templates/dev-postgresql.yaml +++ b/charts/lakefs/templates/dev-postgresql.yaml 
@@ -1,5 +1,5 @@ {{- if .Values.useDevPostgres }} -{{- if .Values.enterprise.auth.rbac.enabled }} +{{- if .Values.auth.rbac.enabled }} apiVersion: apps/v1 kind: Deployment diff --git a/charts/lakefs/templates/secret.yaml b/charts/lakefs/templates/secret.yaml index b671634..7534c9f 100644 --- a/charts/lakefs/templates/secret.yaml +++ b/charts/lakefs/templates/secret.yaml @@ -13,25 +13,25 @@ data: {{- if .Values.secrets.authEncryptSecretKey }} auth_encrypt_secret_key: {{ .Values.secrets.authEncryptSecretKey | default "" | b64enc }} {{- end }} -{{- if .Values.enterprise.auth.oidc.clientSecret }} - oidc_client_secret: {{ .Values.enterprise.auth.oidc.clientSecret | b64enc }} +{{- if .Values.auth.oidc.clientSecret }} + oidc_client_secret: {{ .Values.auth.oidc.clientSecret | b64enc }} {{- end}} -{{- if .Values.enterprise.auth.ldap.bindPassword }} - ldap_bind_password: {{ .Values.enterprise.auth.ldap.bindPassword | b64enc }} +{{- if .Values.auth.ldap.bindPassword }} + ldap_bind_password: {{ .Values.auth.ldap.bindPassword | b64enc }} {{- end}} {{- end }} --- # certificates to use with SAML SSO against server such as AD FS -{{- if .Values.enterprise.auth.saml.enabled }} -{{- if .Values.enterprise.auth.saml.createSecret }} +{{- if .Values.auth.saml.enabled }} +{{- if .Values.auth.saml.createSecret }} apiVersion: v1 kind: Secret metadata: name: saml-certificates data: - rsa_saml_public.pem: '{{ .Values.enterprise.auth.saml.certificate.saml_rsa_public_cert | b64enc }}' - rsa_saml_private.key: '{{ .Values.enterprise.auth.saml.certificate.saml_rsa_private_key | b64enc }}' + rsa_saml_public.pem: '{{ .Values.auth.saml.certificate.saml_rsa_public_cert | b64enc }}' + rsa_saml_private.key: '{{ .Values.auth.saml.certificate.saml_rsa_private_key | b64enc }}' {{- end }} {{- end }} diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index 363cdd0..f276161 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml 
@@ -127,52 +127,22 @@ enterprise: secretToken: null secretName: null - auth: - rbac: - enabled: false - ldap: - enabled: false - serverEndpoint: null - bindDN: null - bindPassword: null - usernameAttribute: null - userBaseDN: null - userFilter: null - connectionTimeoutSeconds: null - requestTimeoutSeconds: null - - oidc: - enabled: false - url: null - clientId: null - clientSecret: null - callbackBaseUrl: null - callbackBaseUrls: null - authorizeEndpointQueryParameters: null - logoutEndpointQueryParameters: null - logoutClientIdQueryParameter: null - additionalScopeClaims: null - - saml: - enabled: false - createSecret: false - spRootUrl: null - spX509KeyPath: null - spX509CertPath: null - spSignRequest: null - spSignatureMethod: null - idpMetadataUrl: null - idpSkipVerifyTlsCert: null - idpAuthnNameIdFormat: null - idpRequestTimeout: null - certificate: - # certificates for AD FS IDP (e.g Azure AD) - saml_rsa_public_cert: null - saml_rsa_private_key: null - external: - awsAuth: - enabled: false - getCallerIdentityMaxAge: null - requiredHeaders: null - optionalHeaders: null - validStsHosts: null +# Auth configuration +auth: + rbac: + enabled: false + ldap: + enabled: false + bindPassword: null + + oidc: + enabled: false + clientSecret: null + + saml: + enabled: false + createSecret: false + certificate: + # certificates for AD FS IDP (e.g Azure AD) + saml_rsa_public_cert: null + saml_rsa_private_key: null From 86077daacd01be2d94ed97371bc829ca041b5824 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 29 Jun 2025 14:11:12 +0300 Subject: [PATCH 06/25] WIP --- charts/lakefs/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/lakefs/Chart.yaml b/charts/lakefs/Chart.yaml index 2330efb..fd2e78c 100644 --- a/charts/lakefs/Chart.yaml +++ b/charts/lakefs/Chart.yaml 
@@ -2,7 +2,7 @@ apiVersion: v2 name: lakefs description: A Helm chart for running LakeFS on Kubernetes type: application -version: 1.4.20 +version: 1.5.0 appVersion: 1.61.0 home: https://lakefs.io From c0e76ba9609d3020a938f1e4afce5ecc05edde52 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 29 Jun 2025 14:19:16 +0300 Subject: [PATCH 07/25] WIP --- charts/lakefs/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index f276161..98860ec 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml @@ -131,6 +131,8 @@ enterprise: auth: rbac: enabled: false + +# LDAP, OIDC and SAML configuration are relevant only for lakeFS Enterprise ldap: enabled: false bindPassword: null From 4ce283b3581b1b26fbd3ec4322ba0a79ca4e123c Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 29 Jun 2025 16:27:37 +0300 Subject: [PATCH 08/25] PR review --- charts/lakefs/templates/_env.tpl | 14 +++++++------- charts/lakefs/templates/_helpers.tpl | 2 +- charts/lakefs/templates/deployment.yaml | 6 +++--- charts/lakefs/templates/dev-postgresql.yaml | 2 +- charts/lakefs/templates/secret.yaml | 8 ++++---- charts/lakefs/values.yaml | 9 ++++----- 6 files changed, 20 insertions(+), 21 deletions(-) diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index f61ed7d..b49a454 100644 --- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl @@ -29,10 +29,10 @@ env: - name: LAKEFS_AUTH_ENCRYPT_SECRET_KEY value: asdjfhjaskdhuioaweyuiorasdsjbaskcbkj {{- end }} - {{- if .Values.enterprise.enabled }} + {{- if (.Values.enterprise).enabled}} - name: LAKEFS_USAGE_REPORT_ENABLED value: "true" - {{- if .Values.auth.saml.enabled }} + {{- if ((.Values.auth).saml).enabled }} - name: LAKEFS_AUTH_COOKIE_AUTH_VERIFICATION_AUTH_SOURCE value: saml - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_URL 
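Review bot: The nil-safe lookups introduced here, `((.Values.auth).saml).enabled` and `(.Values.enterprise).enabled`, turn a missing or misspelled `auth`/`enterprise` block into "SSO disabled" at render time instead of a template error, so an operator who mistypes the section gets a lakeFS that comes up on the default login path rather than a failed install. Since values.yaml declares every one of these keys, the parentheses only matter for users who delete whole sections; a template comment such as `{{/* nil-safe lookups: the auth block may be omitted entirely */}}` would record that this is deliberate, and the `fail` pattern the series already uses in lakefs.checkDeprecated is the place to reject a provider that is enabled without its secret material. Separately, the unchanged context line above the hunk renders `LAKEFS_AUTH_ENCRYPT_SECRET_KEY` with a literal value; the guard that selects it is outside the hunk, but if it is the fallback when `secrets.authEncryptSecretKey` is unset it is a shared, published key protecting credentials at rest and should be `required` (or generated with `randAlphaNum`) rather than a constant.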
@@ -50,17 +50,17 @@ env: - name: LAKEFS_AUTH_PROVIDERS_SAML_SP_X509_CERT_PATH value: '/etc/saml_certs/rsa_saml_public.pem' {{- end }} - {{- if .Values.auth.oidc.enabled }} + {{- if ((.Values.auth).oidc).enabled }} - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_URL value: '/oidc/login' - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: '/oidc/logout' {{- end }} - {{- if .Values.auth.ldap.enabled }} + {{- if ((.Values.auth).ldap).enabled }} - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: /logout {{- end }} - {{- if .Values.auth.rbac.enabled }} + {{- if ((.Values.auth).rbac).enabled }} - name: LAKEFS_AUTH_UI_CONFIG_RBAC value: internal {{- end }} @@ -75,7 +75,7 @@ env: value: /lakefs/cache {{- end }} {{- if .Values.useDevPostgres }} - {{- if .Values.auth.rbac.enabled }} + {{- if ((.Values.auth).rbac).enabled }} - name: LAKEFS_DATABASE_TYPE value: postgres - name: LAKEFS_DATABASE_POSTGRES_CONNECTION_STRING @@ -111,7 +111,7 @@ envFrom: - key: config.yaml path: config.yaml {{- end }} -{{- if .Values.auth.saml.enabled }} +{{- if ((.Values.auth).saml).enabled }} - name: secret-volume secret: secretName: saml-certificates diff --git a/charts/lakefs/templates/_helpers.tpl b/charts/lakefs/templates/_helpers.tpl index 722adfc..6563f01 100644 --- a/charts/lakefs/templates/_helpers.tpl +++ b/charts/lakefs/templates/_helpers.tpl @@ -71,7 +71,7 @@ Define which repository to use according to the following: */}} {{- define "lakefs.repository" -}} {{- if not .Values.image.repository }} -{{- if .Values.enterprise.enabled }} +{{- if (.Values.enterprise).enabled }} {{- default "treeverse/lakefs-enterprise" .Values.image.repository }} {{- else }} {{- default "treeverse/lakefs" .Values.image.repository }} diff --git a/charts/lakefs/templates/deployment.yaml b/charts/lakefs/templates/deployment.yaml index ca32fe1..50b3436 100644 --- a/charts/lakefs/templates/deployment.yaml +++ b/charts/lakefs/templates/deployment.yaml 
@@ -21,12 +21,12 @@ spec: {{- include "lakefs.selectorLabels" . | nindent 8 }} spec: {{- if eq ( include "lakefs.repository" .) "treeverse/lakefs-enterprise" }} - {{- if (.Values.enterprise.image.privateRegistry).enabled }} + {{- if (.Values.image.privateRegistry).enabled }} imagePullSecrets: - {{- if (.Values.enterprise.image.privateRegistry).secretToken }} + {{- if (.Values.image.privateRegistry).secretToken }} - name: "docker-registry" {{- else }} - - name: {{ .Values.enterprise.image.privateRegistry.secretName }} + - name: {{ .Values.image.privateRegistry.secretName }} {{- end }} {{- end }} {{- end }} diff --git a/charts/lakefs/templates/dev-postgresql.yaml b/charts/lakefs/templates/dev-postgresql.yaml index 01e759c..48505ef 100644 --- a/charts/lakefs/templates/dev-postgresql.yaml +++ b/charts/lakefs/templates/dev-postgresql.yaml @@ -1,5 +1,5 @@ {{- if .Values.useDevPostgres }} -{{- if .Values.auth.rbac.enabled }} +{{- if ((.Values.auth).rbac).enabled }} apiVersion: apps/v1 kind: Deployment diff --git a/charts/lakefs/templates/secret.yaml b/charts/lakefs/templates/secret.yaml index 7534c9f..47acf14 100644 --- a/charts/lakefs/templates/secret.yaml +++ b/charts/lakefs/templates/secret.yaml @@ -13,10 +13,10 @@ data: {{- if .Values.secrets.authEncryptSecretKey }} auth_encrypt_secret_key: {{ .Values.secrets.authEncryptSecretKey | default "" | b64enc }} {{- end }} -{{- if .Values.auth.oidc.clientSecret }} +{{- if ((.Values.auth).oidc).clientSecret }} oidc_client_secret: {{ .Values.auth.oidc.clientSecret | b64enc }} {{- end}} -{{- if .Values.auth.ldap.bindPassword }} +{{- if ((.Values.auth).ldap).bindPassword }} ldap_bind_password: {{ .Values.auth.ldap.bindPassword | b64enc }} {{- end}} {{- end }} 
@@ -24,8 +24,8 @@ data: # certificates to use with SAML SSO against server such as AD FS -{{- if .Values.auth.saml.enabled }} -{{- if .Values.auth.saml.createSecret }} +{{- if ((.Values.auth).saml).enabled }} +{{- if ((.Values.auth).saml).createSecret }} apiVersion: v1 kind: Secret metadata: diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index 98860ec..25664c0 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml @@ -6,6 +6,10 @@ replicaCount: 1 image: pullPolicy: IfNotPresent + privateRegistry: + enabled: false + secretToken: null + secretName: null nameOverride: "" fullnameOverride: "" @@ -121,11 +125,6 @@ secretKeys: # Enterprise configuration enterprise: enabled: false - image: - privateRegistry: - enabled: false - secretToken: null - secretName: null # Auth configuration auth: From d6de4f1564096bcfd361d3b94366d05f33724d14 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 29 Jun 2025 16:45:15 +0300 Subject: [PATCH 09/25] Disagree and commit... --- charts/lakefs/templates/_env.tpl | 12 +++--- charts/lakefs/templates/deployment.yaml | 2 +- charts/lakefs/templates/dev-postgresql.yaml | 2 +- charts/lakefs/templates/secret.yaml | 16 ++++---- charts/lakefs/values.yaml | 41 ++++++++++----------- 5 files changed, 36 insertions(+), 37 deletions(-) diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index b49a454..48ad9cf 100644 --- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl @@ -32,7 +32,7 @@ env: {{- if (.Values.enterprise).enabled}} - name: LAKEFS_USAGE_REPORT_ENABLED value: "true" - {{- if ((.Values.auth).saml).enabled }} + {{- if (((.Values.enterprise).auth).saml).enabled }} - name: LAKEFS_AUTH_COOKIE_AUTH_VERIFICATION_AUTH_SOURCE value: saml - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_URL 
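Review bot: The new `image.privateRegistry` keys ship without a comment, and the two ways of supplying credentials behave very differently: `secretName` references a pull secret you already manage, while `secretToken` is rendered into a chart-managed Secret (named `docker-registry` in deployment.yaml) and therefore also ends up in the Helm release history. Suggested comments above the block: `# Pull credentials for the private treeverse/lakefs-enterprise image.`, `# secretName: an existing kubernetes.io/dockerconfigjson Secret (preferred).`, `# secretToken: Docker Hub token rendered into a chart-managed Secret and stored in the Helm release history; prefer secretName.` The chart does not check that `secretName` is of type `kubernetes.io/dockerconfigjson`, so that expectation belongs in the comment too.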
@@ -50,17 +50,17 @@ env: - name: LAKEFS_AUTH_PROVIDERS_SAML_SP_X509_CERT_PATH value: '/etc/saml_certs/rsa_saml_public.pem' {{- end }} - {{- if ((.Values.auth).oidc).enabled }} + {{- if (((.Values.enterprise).auth).oidc).enabled }} - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_URL value: '/oidc/login' - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: '/oidc/logout' {{- end }} - {{- if ((.Values.auth).ldap).enabled }} + {{- if (((.Values.enterprise).auth).ldap).enabled }} - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: /logout {{- end }} - {{- if ((.Values.auth).rbac).enabled }} + {{- if (((.Values.enterprise).auth).rbac).enabled }} - name: LAKEFS_AUTH_UI_CONFIG_RBAC value: internal {{- end }} @@ -75,7 +75,7 @@ env: value: /lakefs/cache {{- end }} {{- if .Values.useDevPostgres }} - {{- if ((.Values.auth).rbac).enabled }} + {{- if (((.Values.enterprise).auth).rbac).enabled }} - name: LAKEFS_DATABASE_TYPE value: postgres - name: LAKEFS_DATABASE_POSTGRES_CONNECTION_STRING @@ -111,7 +111,7 @@ envFrom: - key: config.yaml path: config.yaml {{- end }} -{{- if ((.Values.auth).saml).enabled }} +{{- if (((.Values.enterprise).auth).saml).enabled }} - name: secret-volume secret: secretName: saml-certificates diff --git a/charts/lakefs/templates/deployment.yaml b/charts/lakefs/templates/deployment.yaml index 50b3436..c16f937 100644 --- a/charts/lakefs/templates/deployment.yaml +++ b/charts/lakefs/templates/deployment.yaml @@ -100,7 +100,7 @@ spec: - name: {{ .Chart.Name }}-local-data mountPath: "/lakefs/data" {{- end }} - {{- if and .Values.auth.saml.enabled }} + {{- if and .Values.enterprise.auth.saml.enabled }} - name: secret-volume readOnly: true mountPath: /etc/saml_certs/ diff --git a/charts/lakefs/templates/dev-postgresql.yaml b/charts/lakefs/templates/dev-postgresql.yaml index 48505ef..e23c87d 100644 --- a/charts/lakefs/templates/dev-postgresql.yaml +++ b/charts/lakefs/templates/dev-postgresql.yaml 
@@ -1,5 +1,5 @@ {{- if .Values.useDevPostgres }} -{{- if ((.Values.auth).rbac).enabled }} +{{- if (((.Values.enterprise).auth).rbac).enabled }} apiVersion: apps/v1 kind: Deployment diff --git a/charts/lakefs/templates/secret.yaml b/charts/lakefs/templates/secret.yaml index 47acf14..7480282 100644 --- a/charts/lakefs/templates/secret.yaml +++ b/charts/lakefs/templates/secret.yaml @@ -13,25 +13,25 @@ data: {{- if .Values.secrets.authEncryptSecretKey }} auth_encrypt_secret_key: {{ .Values.secrets.authEncryptSecretKey | default "" | b64enc }} {{- end }} -{{- if ((.Values.auth).oidc).clientSecret }} - oidc_client_secret: {{ .Values.auth.oidc.clientSecret | b64enc }} +{{- if (((.Values.enterprise).auth).oidc).clientSecret }} + oidc_client_secret: {{ .Values.enterprise.auth.oidc.clientSecret | b64enc }} {{- end}} -{{- if ((.Values.auth).ldap).bindPassword }} - ldap_bind_password: {{ .Values.auth.ldap.bindPassword | b64enc }} +{{- if (((.Values.enterprise).auth).ldap).bindPassword }} + ldap_bind_password: {{ .Values.enterprise.auth.ldap.bindPassword | b64enc }} {{- end}} {{- end }} --- # certificates to use with SAML SSO against server such as AD FS -{{- if ((.Values.auth).saml).enabled }} -{{- if ((.Values.auth).saml).createSecret }} +{{- if (((.Values.enterprise).auth).saml).enabled }} +{{- if (((.Values.enterprise).auth).saml).createSecret }} apiVersion: v1 kind: Secret metadata: name: saml-certificates data: - rsa_saml_public.pem: '{{ .Values.auth.saml.certificate.saml_rsa_public_cert | b64enc }}' - rsa_saml_private.key: '{{ .Values.auth.saml.certificate.saml_rsa_private_key | b64enc }}' + rsa_saml_public.pem: '{{ .Values.enterprise.auth.saml.certificate.saml_rsa_public_cert | b64enc }}' + rsa_saml_private.key: '{{ .Values.enterprise.auth.saml.certificate.saml_rsa_private_key | b64enc }}' {{- end }} {{- end }} diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index 25664c0..de9feeb 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml 
@@ -126,24 +126,23 @@ secretKeys: enterprise: enabled: false -# Auth configuration -auth: - rbac: - enabled: false - -# LDAP, OIDC and SAML configuration are relevant only for lakeFS Enterprise - ldap: - enabled: false - bindPassword: null - - oidc: - enabled: false - clientSecret: null - - saml: - enabled: false - createSecret: false - certificate: - # certificates for AD FS IDP (e.g Azure AD) - saml_rsa_public_cert: null - saml_rsa_private_key: null +# Enterprise auth configuration + auth: + rbac: + enabled: false + + ldap: + enabled: false + bindPassword: null + + oidc: + enabled: false + clientSecret: null + + saml: + enabled: false + createSecret: false + certificate: + # certificates for AD FS IDP (e.g Azure AD) + saml_rsa_public_cert: null + saml_rsa_private_key: null From 20199e62bf8b22a5846e5af97ac90c1d0ad277e5 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 29 Jun 2025 16:50:19 +0300 Subject: [PATCH 10/25] Refactor --- charts/lakefs/templates/deployment.yaml | 2 +- charts/lakefs/templates/secret.yaml | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/charts/lakefs/templates/deployment.yaml b/charts/lakefs/templates/deployment.yaml index c16f937..67d01a4 100644 --- a/charts/lakefs/templates/deployment.yaml +++ b/charts/lakefs/templates/deployment.yaml @@ -100,7 +100,7 @@ spec: - name: {{ .Chart.Name }}-local-data mountPath: "/lakefs/data" {{- end }} - {{- if and .Values.enterprise.auth.saml.enabled }} + {{- if (((.Values.enterprise).auth).saml).enabled }} - name: secret-volume readOnly: true mountPath: /etc/saml_certs/ diff --git a/charts/lakefs/templates/secret.yaml b/charts/lakefs/templates/secret.yaml index 7480282..4a29a9c 100644 --- a/charts/lakefs/templates/secret.yaml +++ b/charts/lakefs/templates/secret.yaml 
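Review bot: `bindPassword`, `clientSecret` and `certificate.saml_rsa_private_key` are plain values that secret.yaml base64-encodes into Secrets, so they sit unencrypted in values files and in the Helm release history; the chart already exposes `existingSecret`/`secretKeys` (context just above this hunk), and a comment here should point people there, e.g. `# Secret material: prefer existingSecret/secretKeys over inlining values here.` Because the provider settings (endpoints, client ids, callback URLs) were removed from values earlier in this series, the toggles alone do not configure LDAP/OIDC/SAML; a comment stating where those settings now live (presumably `lakefsConfig` or `extraEnvVars`) would prevent half-configured installs. For SAML, `enabled: true` with `createSecret: false` means a Secret named `saml-certificates` with keys `rsa_saml_public.pem` and `rsa_saml_private.key` must already exist in the namespace, since that is what deployment.yaml mounts; that contract is worth stating next to `createSecret`.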
@@ -24,8 +24,7 @@ data: # certificates to use with SAML SSO against server such as AD FS -{{- if (((.Values.enterprise).auth).saml).enabled }} -{{- if (((.Values.enterprise).auth).saml).createSecret }} +{{- if and (((.Values.enterprise).auth).saml).enabled (((.Values.enterprise).auth).saml).createSecret }} apiVersion: v1 kind: Secret metadata: @@ -34,4 +33,3 @@ data: rsa_saml_public.pem: '{{ .Values.enterprise.auth.saml.certificate.saml_rsa_public_cert | b64enc }}' rsa_saml_private.key: '{{ .Values.enterprise.auth.saml.certificate.saml_rsa_private_key | b64enc }}' {{- end }} -{{- end }} From 36631b8adb1476a110ed4eb42faaf6e5e1b45f05 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 29 Jun 2025 18:23:41 +0300 Subject: [PATCH 11/25] Refactor --- charts/lakefs/templates/_env.tpl | 2 -- charts/lakefs/templates/_helpers.tpl | 2 +- charts/lakefs/templates/deployment.yaml | 8 +++----- charts/lakefs/templates/dev-postgresql.yaml | 2 -- charts/lakefs/templates/ingress.yaml | 1 - charts/lakefs/templates/secret.yaml | 8 +++++++- charts/lakefs/values.yaml | 4 ++-- 7 files changed, 13 insertions(+), 14 deletions(-) diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index 48ad9cf..1961c43 100644 --- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl @@ -75,13 +75,11 @@ env: value: /lakefs/cache {{- end }} {{- if .Values.useDevPostgres }} - {{- if (((.Values.enterprise).auth).rbac).enabled }} - name: LAKEFS_DATABASE_TYPE value: postgres - name: LAKEFS_DATABASE_POSTGRES_CONNECTION_STRING value: 'postgres://lakefs:lakefs@postgres-server:5432/postgres?sslmode=disable' {{- end }} - {{- end }} {{- if .Values.extraEnvVars }} {{- toYaml .Values.extraEnvVars | nindent 2 }} {{- end }} diff --git a/charts/lakefs/templates/_helpers.tpl b/charts/lakefs/templates/_helpers.tpl index 6563f01..4a8a245 100644 --- a/charts/lakefs/templates/_helpers.tpl +++ b/charts/lakefs/templates/_helpers.tpl 
@@ -83,6 +83,6 @@ Define which repository to use according to the following: {{- define "lakefs.checkDeprecated" -}} {{- if .Values.fluffy -}} -{{- fail "Fluffy configuration detected. Please migrate to lakeFS Enterprise auth configuration. See migration guide." -}} +{{- fail "Fluffy configuration detected. Please migrate to lakeFS Enterprise auth configuration and use treeverse/lakefs-enterprise docker image. See migration guide." -}} {{- end -}} {{- end -}} \ No newline at end of file diff --git a/charts/lakefs/templates/deployment.yaml b/charts/lakefs/templates/deployment.yaml index 67d01a4..5fc0627 100644 --- a/charts/lakefs/templates/deployment.yaml +++ b/charts/lakefs/templates/deployment.yaml @@ -20,14 +20,12 @@ spec: labels: {{- include "lakefs.selectorLabels" . | nindent 8 }} spec: - {{- if eq ( include "lakefs.repository" .) "treeverse/lakefs-enterprise" }} - {{- if (.Values.image.privateRegistry).enabled }} + {{- if (.Values.image.privateRegistry).enabled }} imagePullSecrets: - {{- if (.Values.image.privateRegistry).secretToken }} + {{- if (.Values.image.privateRegistry).secretToken }} - name: "docker-registry" - {{- else }} + {{- else }} - name: {{ .Values.image.privateRegistry.secretName }} - {{- end }} {{- end }} {{- end }} serviceAccountName: {{ include "lakefs.serviceAccountName" . }} diff --git a/charts/lakefs/templates/dev-postgresql.yaml b/charts/lakefs/templates/dev-postgresql.yaml index e23c87d..5cb50c0 100644 --- a/charts/lakefs/templates/dev-postgresql.yaml +++ b/charts/lakefs/templates/dev-postgresql.yaml @@ -1,5 +1,4 @@ {{- if .Values.useDevPostgres }} -{{- if (((.Values.enterprise).auth).rbac).enabled }} apiVersion: apps/v1 kind: Deployment @@ -43,4 +42,3 @@ spec: app: postgres-lakefs {{- end}} -{{- end}} \ No newline at end of file diff --git a/charts/lakefs/templates/ingress.yaml b/charts/lakefs/templates/ingress.yaml index 76fbc82..9275ab3 100644 --- a/charts/lakefs/templates/ingress.yaml +++ b/charts/lakefs/templates/ingress.yaml 
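Review bot: In the `{{- else }}` branch, `- name: {{ .Values.image.privateRegistry.secretName }}` renders an empty `name` when `privateRegistry.enabled` is true but neither `secretToken` nor `secretName` is set (both default to null in values.yaml), producing an invalid pod spec with no hint of the cause; `- name: {{ required "image.privateRegistry.secretName is required when privateRegistry.enabled is true and no secretToken is given" .Values.image.privateRegistry.secretName }}` fails at render with a clear message instead. The literal `"docker-registry"` name is also not release-scoped, so two releases in one namespace would fight over the same Secret; `{{ include "lakefs.fullname" . }}-docker-registry` here, matched in the Secret that materializes the token (outside this hunk), avoids that. Dropping the repository check means the pull secret now applies to the OSS image as well, which is reasonable but should be reflected in the values comment.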
@@ -1,5 +1,4 @@ {{- if .Values.ingress.enabled -}} - {{- $root := . -}} {{- $fullName := include "lakefs.fullname" . -}} {{- $svcPort := .Values.service.port -}} {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion -}} diff --git a/charts/lakefs/templates/secret.yaml b/charts/lakefs/templates/secret.yaml index 4a29a9c..c34ec2b 100644 --- a/charts/lakefs/templates/secret.yaml +++ b/charts/lakefs/templates/secret.yaml @@ -13,6 +13,7 @@ data: {{- if .Values.secrets.authEncryptSecretKey }} auth_encrypt_secret_key: {{ .Values.secrets.authEncryptSecretKey | default "" | b64enc }} {{- end }} +{{- if (.Values.enterprise).enabled }} {{- if (((.Values.enterprise).auth).oidc).clientSecret }} oidc_client_secret: {{ .Values.enterprise.auth.oidc.clientSecret | b64enc }} {{- end}} @@ -20,11 +21,14 @@ data: ldap_bind_password: {{ .Values.enterprise.auth.ldap.bindPassword | b64enc }} {{- end}} {{- end }} +{{- end }} --- # certificates to use with SAML SSO against server such as AD FS -{{- if and (((.Values.enterprise).auth).saml).enabled (((.Values.enterprise).auth).saml).createSecret }} +{{- if (.Values.enterprise).enabled }} +{{- if (((.Values.enterprise).auth).saml).enabled }} +{{- if (((.Values.enterprise).auth).saml).createSecret }} apiVersion: v1 kind: Secret metadata: @@ -33,3 +37,5 @@ data: rsa_saml_public.pem: '{{ .Values.enterprise.auth.saml.certificate.saml_rsa_public_cert | b64enc }}' rsa_saml_private.key: '{{ .Values.enterprise.auth.saml.certificate.saml_rsa_private_key | b64enc }}' {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index de9feeb..45b7acc 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml @@ -111,7 +111,7 @@ extraEnvVars: # Start local postgres pod for quick start, not for production -useDevPostgres: true +useDevPostgres: false # Name of existing secret to use existingSecret: null 
@@ -129,7 +129,7 @@ enterprise:
 # Enterprise auth configuration
 auth:
 rbac:
- enabled: false
+ enabled: true
 ldap:
 enabled: false
From a2b0f4747444cb1152a7e881fa0130ffef042fe6 Mon Sep 17 00:00:00 2001
From: Idan Novogroder
Date: Sun, 29 Jun 2025 18:28:30 +0300
Subject: [PATCH 12/25] Private docker repo secret
---
 charts/lakefs/templates/_helpers.tpl | 9 ++++++++-
 charts/lakefs/templates/secret.yaml | 11 +++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/charts/lakefs/templates/_helpers.tpl b/charts/lakefs/templates/_helpers.tpl
index 4a8a245..fb1a488 100644
--- a/charts/lakefs/templates/_helpers.tpl
+++ b/charts/lakefs/templates/_helpers.tpl
@@ -85,4 +85,11 @@ Define which repository to use according to the following:
 {{- if .Values.fluffy -}}
 {{- fail "Fluffy configuration detected. Please migrate to lakeFS Enterprise auth configuration and use treeverse/lakefs-enterprise docker image. See migration guide." -}}
 {{- end -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{- define "lakefs.dockerConfigJson" }}
+{{- $token := .Values.image.privateRegistry.secretToken }}
+{{- $username := "externallakefs" }}
+{{- $registry := "https://index.docker.io/v1/" }}
+{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" $registry $username $token (printf "%s:%s" $username $token | b64enc) | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/lakefs/templates/secret.yaml b/charts/lakefs/templates/secret.yaml
index c34ec2b..9d91fd5 100644
--- a/charts/lakefs/templates/secret.yaml
+++ b/charts/lakefs/templates/secret.yaml
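Review bot: `lakefs.dockerConfigJson` assembles the `.dockerconfigjson` payload with `printf` and no escaping, so a `secretToken` containing `"` or `\` yields a JSON document that does not parse and the image pull fails with a config-parse error instead of a clean auth failure. Build the structure and let the encoder quote it: `{{- dict "auths" (dict $registry (dict "username" $username "password" $token "auth" (printf "%s:%s" $username $token | b64enc))) | toJson | b64enc }}`. The username `externallakefs` and the Docker Hub endpoint are hard-coded — presumably the shared pull account for the enterprise image — but exposing them as `image.privateRegistry.username` / `image.privateRegistry.registry` with these defaults would let operators point at a mirror, and a `{{/* ... */}}` header on the define should say that the token ends up both in the rendered Secret and in the Helm release secret.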
@@ -38,4 +38,15 @@ data:
 rsa_saml_private.key: '{{ .Values.enterprise.auth.saml.certificate.saml_rsa_private_key | b64enc }}'
 {{- end }}
 {{- end }}
+{{- end }}
+---
+
+{{- if and .Values.image.privateRegistry.enabled .Values.image.privateRegistry.secretToken }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: docker-registry
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "lakefs.dockerConfigJson" . }}
 {{- end }}
\ No newline at end of file
From a468d82a47acd5eb17619a9acabd9d8aef05eb0e Mon Sep 17 00:00:00 2001
From: Idan Novogroder
Date: Sun, 29 Jun 2025 18:28:51 +0300
Subject: [PATCH 13/25] Lint
---
 charts/lakefs/templates/_helpers.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/lakefs/templates/_helpers.tpl b/charts/lakefs/templates/_helpers.tpl
index fb1a488..a60b79c 100644
--- a/charts/lakefs/templates/_helpers.tpl
+++ b/charts/lakefs/templates/_helpers.tpl
@@ -92,4 +92,4 @@ Define which repository to use according to the following:
 {{- $username := "externallakefs" }}
 {{- $registry := "https://index.docker.io/v1/" }}
 {{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" $registry $username $token (printf "%s:%s" $username $token | b64enc) | b64enc }}
-{{- end }}
\ No newline at end of file
+{{- end }}
From 10f043b5f967e390fe1c490e0517d3c62006d581 Mon Sep 17 00:00:00 2001
From: Idan Novogroder
Date: Tue, 1 Jul 2025 18:36:04 +0300
Subject: [PATCH 14/25] Works
---
 charts/lakefs/templates/_env.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl
index 1961c43..bf73644 100644
--- a/charts/lakefs/templates/_env.tpl
+++ b/charts/lakefs/templates/_env.tpl
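Review bot: The pull Secret is a bare `docker-registry` with no release prefix and none of the chart labels, unlike the release Secret earlier in the same file that uses `lakefs.fullname` and `lakefs.labels`; two releases of this chart in one namespace will contend for the same object and the second install or upgrade fails on ownership. The guard also reads `.Values.image.privateRegistry.enabled` directly, whereas deployment.yaml in this series uses the nil-safe `(.Values.image.privateRegistry).enabled`, so rendering errors rather than skips when `image.privateRegistry` is absent from a values file (whether values.yaml always defines it is not visible here). Suggest `{{- if and (.Values.image.privateRegistry).enabled (.Values.image.privateRegistry).secretToken }}` and `name: {{ include "lakefs.fullname" . }}-docker-registry`, with the `imagePullSecrets` entry in deployment.yaml changed to the same name.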
@@ -32,6 +32,8 @@ env: {{- if (.Values.enterprise).enabled}} - name: LAKEFS_USAGE_REPORT_ENABLED value: "true" + - name: LAKEFS_FEATURES_LOCAL_RBAC + value: "true" {{- if (((.Values.enterprise).auth).saml).enabled }} - name: LAKEFS_AUTH_COOKIE_AUTH_VERIFICATION_AUTH_SOURCE value: saml @@ -43,8 +45,6 @@ env: value: / - name: LAKEFS_AUTH_PROVIDERS_SAML_POST_LOGIN_REDIRECT_URL value: / - - name: LAKEFS_AUTH_PROVIDERS_SAML_SP_ROOT_URL - value: / - name: LAKEFS_AUTH_PROVIDERS_SAML_SP_X509_KEY_PATH value: '/etc/saml_certs/rsa_saml_private.key' - name: LAKEFS_AUTH_PROVIDERS_SAML_SP_X509_CERT_PATH From eb5f91effd09141d7f26d69cb97a583bdf023f81 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Thu, 3 Jul 2025 19:23:21 +0300 Subject: [PATCH 15/25] Pr review + examples --- charts/lakefs/templates/_env.tpl | 22 +++++- charts/lakefs/templates/secret.yaml | 6 +- charts/lakefs/values.yaml | 6 +- .../enterprise/external-enterprise.yaml | 24 +++++++ .../lakefs/enterprise/external-fluffy.yaml | 41 +++++++++++ .../lakefs/enterprise/ldap-enterprise.yaml | 42 ++++++++++++ examples/lakefs/enterprise/ldap-fluffy.yaml | 48 +++++++++++++ .../lakefs/enterprise/oidc-enterprise.yaml | 46 +++++++++++++ examples/lakefs/enterprise/oidc-fluffy.yaml | 57 ++++++++++++++++ .../lakefs/enterprise/saml-enterprise.yaml | 60 ++++++++++++++++ examples/lakefs/enterprise/saml-fluffy.yaml | 68 +++++++++++++++++++ 11 files changed, 412 insertions(+), 8 deletions(-) create mode 100644 examples/lakefs/enterprise/external-enterprise.yaml create mode 100644 examples/lakefs/enterprise/external-fluffy.yaml create mode 100644 examples/lakefs/enterprise/ldap-enterprise.yaml create mode 100644 examples/lakefs/enterprise/ldap-fluffy.yaml create mode 100644 examples/lakefs/enterprise/oidc-enterprise.yaml create mode 100644 examples/lakefs/enterprise/oidc-fluffy.yaml create mode 100644 examples/lakefs/enterprise/saml-enterprise.yaml create mode 100644 examples/lakefs/enterprise/saml-fluffy.yaml 
diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index bf73644..772af60 100644 --- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl @@ -32,8 +32,10 @@ env: {{- if (.Values.enterprise).enabled}} - name: LAKEFS_USAGE_REPORT_ENABLED value: "true" + {{- if (((.Values.enterprise).auth).rbac).enabled }} - name: LAKEFS_FEATURES_LOCAL_RBAC value: "true" + {{- end }} {{- if (((.Values.enterprise).auth).saml).enabled }} - name: LAKEFS_AUTH_COOKIE_AUTH_VERIFICATION_AUTH_SOURCE value: saml @@ -41,8 +43,8 @@ env: value: /sso/login-saml - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: /sso/logout-saml - - name: LAKEFS_AUTH_LOGOUT_REDIRECT_URL - value: / + - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_COOKIE_NAME + value: "internal_auth_session, saml_auth_session" - name: LAKEFS_AUTH_PROVIDERS_SAML_POST_LOGIN_REDIRECT_URL value: / - name: LAKEFS_AUTH_PROVIDERS_SAML_SP_X509_KEY_PATH @@ -55,10 +57,26 @@ env: value: '/oidc/login' - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: '/oidc/logout' + - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_COOKIE_NAME + value: "internal_auth_session, oidc_auth_session" + {{- if (((.Values.enterprise).auth).oidc).clientSecret }} + - name: LAKEFS_AUTH_PROVIDERS_OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ include "lakefs.fullname" . }} + key: oidc_client_secret + {{- end }} {{- end }} {{- if (((.Values.enterprise).auth).ldap).enabled }} - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: /logout + {{- if (((.Values.enterprise).auth).ldap).bindPassword }} + - name: LAKEFS_AUTH_PROVIDERS_LDAP_BIND_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "lakefs.fullname" . }} + key: ldap_bind_password + {{- end }} {{- end }} {{- if (((.Values.enterprise).auth).rbac).enabled }} - name: LAKEFS_AUTH_UI_CONFIG_RBAC diff --git a/charts/lakefs/templates/secret.yaml b/charts/lakefs/templates/secret.yaml index 9d91fd5..3b26e84 100644 --- a/charts/lakefs/templates/secret.yaml +++ b/charts/lakefs/templates/secret.yaml 
@@ -28,14 +28,14 @@ data: {{- if (.Values.enterprise).enabled }} {{- if (((.Values.enterprise).auth).saml).enabled }} -{{- if (((.Values.enterprise).auth).saml).createSecret }} +{{- if (((.Values.enterprise).auth).saml).createCertificateSecret }} apiVersion: v1 kind: Secret metadata: name: saml-certificates data: - rsa_saml_public.pem: '{{ .Values.enterprise.auth.saml.certificate.saml_rsa_public_cert | b64enc }}' - rsa_saml_private.key: '{{ .Values.enterprise.auth.saml.certificate.saml_rsa_private_key | b64enc }}' + rsa_saml_public.pem: '{{ .Values.enterprise.auth.saml.certificate.samlRsaPublicCert | b64enc }}' + rsa_saml_private.key: '{{ .Values.enterprise.auth.saml.certificate.samlRsaPrivateKey | b64enc }}' {{- end }} {{- end }} {{- end }} diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index 45b7acc..24ae01c 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml @@ -141,8 +141,8 @@ enterprise: saml: enabled: false - createSecret: false + createCertificateSecret: false certificate: # certificates for AD FS IDP (e.g Azure AD) - saml_rsa_public_cert: null - saml_rsa_private_key: null + samlRsaPublicCert: null + samlRsaPrivateKey: null diff --git a/examples/lakefs/enterprise/external-enterprise.yaml b/examples/lakefs/enterprise/external-enterprise.yaml new file mode 100644 index 0000000..804dfed --- /dev/null +++ b/examples/lakefs/enterprise/external-enterprise.yaml @@ -0,0 +1,24 @@ +ingress: + enabled: true + ingressClassName: + hosts: + # the ingress that will be created for lakeFS + - host: + paths: + - / + +useDevPostgres: true + +lakefsConfig: | + auth: + external_aws_auth: + enabled: true + # the maximum age in seconds for the GetCallerIdentity request + #get_caller_identity_max_age: 60 + # headers that must be present by the client when doing login request + required_headers: + # same host as the lakeFS server ingress + X-LakeFS-Server-ID: + + + 
diff --git a/examples/lakefs/enterprise/external-fluffy.yaml b/examples/lakefs/enterprise/external-fluffy.yaml new file mode 100644 index 0000000..724bbd0 --- /dev/null +++ b/examples/lakefs/enterprise/external-fluffy.yaml @@ -0,0 +1,41 @@ +lakefsConfig: | + auth: + authentication_api: + external_principals_enabled: true +ingress: + enabled: true + ingressClassName: + hosts: + # the ingress that will be created for lakeFS + - host: + paths: + - / + +fluffy: + enabled: true + image: + repository: treeverse/fluffy + pullPolicy: IfNotPresent + privateRegistry: + enabled: true + secretToken: + fluffyConfig: | + auth: + external: + aws_auth: + enabled: true + # the maximum age in seconds for the GetCallerIdentity request + #get_caller_identity_max_age: 60 + # headers that must be present by the client when doing login request + required_headers: + # same host as the lakeFS server ingress + X-LakeFS-Server-ID: + secrets: + create: true + sso: + enabled: true + rbac: + enabled: true + +useDevPostgres: true + diff --git a/examples/lakefs/enterprise/ldap-enterprise.yaml b/examples/lakefs/enterprise/ldap-enterprise.yaml new file mode 100644 index 0000000..2c32447 --- /dev/null +++ b/examples/lakefs/enterprise/ldap-enterprise.yaml 
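Review bot: `external-fluffy.yaml` (and the other `*-fluffy.yaml` files added in this patch) set a `fluffy:` block, which `lakefs.checkDeprecated` in `_helpers.tpl` turns into a hard `fail` at render time — assuming that helper is invoked from a template, which this series does not show — so none of these examples can be installed with this chart version. If they are meant as the pre-migration reference to diff against the matching `*-enterprise.yaml`, say so at the top; otherwise a reader copying one gets only the "Fluffy configuration detected" error. Suggested header: `# Pre-migration (Fluffy) example kept for comparison with external-enterprise.yaml; this chart version rejects a fluffy: block, see the migration guide.`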
@@ -0,0 +1,42 @@ +ingress: + enabled: true + ingressClassName: + hosts: + # the ingress that will be created for lakeFS + - host: + paths: + - / + +enterprise: + enabled: true + auth: + ldap: + enabled: true + bind_password: + +image: + privateRegistry: + enabled: true + secretToken: + +lakefsConfig: | + blockstore: + type: local + features: + local_rbac: true + auth: + ui_config: + login_cookie_names: + - internal_auth_session + providers: + ldap: + server_endpoint: ldaps://ldap.company.com:636 + bind_dn: uid=,ou=Users,o=,dc=,dc=com + username_attribute: uid + user_base_dn: ou=Users,o=,dc=,dc=com + user_filter: (objectClass=inetOrgPerson) + default_user_group: "Developers" + connection_timeout_seconds: 15 + request_timeout_seconds: 7 + +useDevPostgres: true \ No newline at end of file diff --git a/examples/lakefs/enterprise/ldap-fluffy.yaml b/examples/lakefs/enterprise/ldap-fluffy.yaml new file mode 100644 index 0000000..20e5996 --- /dev/null +++ b/examples/lakefs/enterprise/ldap-fluffy.yaml @@ -0,0 +1,48 @@ +ingress: + enabled: true + ingressClassName: + hosts: + # the ingress that will be created for lakeFS + - host: + paths: + - / + +fluffy: + enabled: true + image: + privateRegistry: + enabled: true + secretToken: + fluffyConfig: | + auth: + post_login_redirect_url: / + ldap: + server_endpoint: ldaps://ldap.company.com:636 + bind_dn: uid=,ou=Users,o=,dc=,dc=com + username_attribute: uid + user_base_dn: ou=Users,o=,dc=,dc=com + user_filter: (objectClass=inetOrgPerson) + connection_timeout_seconds: 15 + request_timeout_seconds: 7 + + secrets: + create: true + + sso: + enabled: true + ldap: + enabled: true + bind_password: + rbac: + enabled: true + +lakefsConfig: | + blockstore: + type: local + auth: + remote_authenticator: + enabled: true + default_user_group: "Developers" + ui_config: + login_cookie_names: + - internal_auth_session \ No newline at end of file 
diff --git a/examples/lakefs/enterprise/oidc-enterprise.yaml b/examples/lakefs/enterprise/oidc-enterprise.yaml new file mode 100644 index 0000000..fd50018 --- /dev/null +++ b/examples/lakefs/enterprise/oidc-enterprise.yaml @@ -0,0 +1,46 @@ +ingress: + enabled: true + ingressClassName: + hosts: + # the ingress that will be created for lakeFS + - host: + paths: + - / + +enterprise: + enabled: true + auth: + oidc: + enabled: true + # secret given by the OIDC provider (e.g auth0, Okta, etc) + client_secret: + +image: + privateRegistry: + enabled: true + secretToken: + +lakefsConfig: | + blockstore: + type: local + features: + local_rbac: true + auth: + logout_redirect_url: https://oidc-provider-url.com/logout/example + oidc: + friendly_name_claim_name: + default_initial_groups: ["Developers"] + providers: + oidc: + post_login_redirect_url: / + url: https://oidc-provider-url.com/ + client_id: + callback_base_url: https:// + # the claim name that represents the client identifier in the OIDC provider (e.g Okta) + logout_client_id_query_parameter: client_id + # the query parameters that will be used to redirect the user to the OIDC provider (e.g Okta) after logout + logout_endpoint_query_parameters: + - returnTo + - https:///oidc/login + +useDevPostgres: true \ No newline at end of file diff --git a/examples/lakefs/enterprise/oidc-fluffy.yaml b/examples/lakefs/enterprise/oidc-fluffy.yaml new file mode 100644 index 0000000..0249b1d --- /dev/null +++ b/examples/lakefs/enterprise/oidc-fluffy.yaml 
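Review bot: The example sets `enterprise.auth.oidc.client_secret`, but the templates read `.Values.enterprise.auth.oidc.clientSecret` (the `secretKeyRef` guard in `_env.tpl` and the `oidc_client_secret` entry in secret.yaml), so with this file the client secret is never rendered and `LAKEFS_AUTH_PROVIDERS_OIDC_CLIENT_SECRET` is silently omitted; the failure surfaces at the token exchange, not at install time. Patch 17 in this series fixes the equivalent `bind_password` → `bindPassword` slip in the LDAP example but leaves this one. Change the key to `clientSecret:` and consider having `lakefs.checkDeprecated` `fail` on the snake_case spellings the way it already does for `fluffy`.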
@@ -0,0 +1,57 @@ +ingress: + enabled: true + ingressClassName: + hosts: + # the ingress that will be created for lakeFS + - host: + paths: + - / + +fluffy: + enabled: true + image: + privateRegistry: + enabled: true + secretToken: + fluffyConfig: | + auth: + logout_redirect_url: https://oidc-provider-url.com/logout/example + oidc: + enabled: true + url: https://oidc-provider-url.com/ + client_id: + callback_base_url: https:// + # the claim name that represents the client identifier in the OIDC provider (e.g Okta) + logout_client_id_query_parameter: client_id + # the query parameters that will be used to redirect the user to the OIDC provider (e.g Okta) after logout + logout_endpoint_query_parameters: + - returnTo + - https:///oidc/login + secrets: + create: true + sso: + enabled: true + oidc: + enabled: true + # secret given by the OIDC provider (e.g auth0, Okta, etc) + client_secret: + rbac: + enabled: true + +lakefsConfig: | + database: + type: local + blockstore: + type: local + features: + local_rbac: true + auth: + ui_config: + login_cookie_names: + - internal_auth_session + - oidc_auth_session + oidc: + friendly_name_claim_name: + default_initial_groups: ["Developers"] + +useDevPostgres: true \ No newline at end of file diff --git a/examples/lakefs/enterprise/saml-enterprise.yaml b/examples/lakefs/enterprise/saml-enterprise.yaml new file mode 100644 index 0000000..8ad6371 --- /dev/null +++ b/examples/lakefs/enterprise/saml-enterprise.yaml 
@@ -0,0 +1,60 @@ +ingress: + enabled: true + ingressClassName: + hosts: + # the ingress that will be created for lakeFS + - host: + paths: + - / + +enterprise: + enabled: true + auth: + saml: + enabled: true + createCertificateSecret: true + certificate: + samlRsaPublicCert: | + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- + samlRsaPrivateKey: | + -----BEGIN PRIVATE KEY----- + ... + -----END PRIVATE KEY----- + +image: + privateRegistry: + enabled: true + secretToken: + +lakefsConfig: | + blockstore: + type: local + features: + local_rbac: true + auth: + # logout_redirect_url: https:// + # post_login_redirect_url: https:// + cookie_auth_verification: + auth_source: saml + # claim name to display user in the UI + friendly_name_claim_name: displayName + # claim name from IDP to use as the uniqueue user name + external_user_id_claim_name: samName + default_initial_groups: + - "Developers" + providers: + saml: + sp_root_url: https:// + sp_sign_request: true + # depends on IDP + sp_signature_method: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" + # url to the metadata of the IDP + idp_metadata_url: "https://login.microsoftonline.com/70ff2bb8-06f0-4d1f-8d12-b170294bf4a0/federationmetadata/2007-06/federationmetadata.xml?appid=b41a2142-3fc3-444d-a057-0cf6adee26ba" + # IDP SAML claims format default unspecified + # idp_authn_name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" + # depending on IDP setup, if CA certs are self signed and not trusted by a known CA + idp_skip_verify_tls_cert: true + +useDevPostgres: true \ No newline at end of file diff --git a/examples/lakefs/enterprise/saml-fluffy.yaml b/examples/lakefs/enterprise/saml-fluffy.yaml new file mode 100644 index 0000000..1c05212 --- /dev/null +++ b/examples/lakefs/enterprise/saml-fluffy.yaml 
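Review bot: The example pastes the SAML SP private key inline under `certificate.samlRsaPrivateKey`, which puts it into the values file and, with `createCertificateSecret: true`, into the Helm release secret as well as the `saml-certificates` Secret. For anything beyond a throw-away test the example should show the other path: `createCertificateSecret: false` with a `saml-certificates` Secret created out of band (kubectl, external-secrets, sealed-secrets) holding `rsa_saml_public.pem` and `rsa_saml_private.key`, the names secret.yaml uses — assuming the Deployment mounts that fixed Secret name regardless of the flag, which is not visible in this series. A comment above `certificate:` such as `# Production: create the saml-certificates Secret yourself and set createCertificateSecret: false` would make the choice explicit.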
@@ -0,0 +1,68 @@ +ingress: + enabled: true + ingressClassName: + hosts: + # the ingress that will be created for lakeFS + - host: + paths: + - / + +fluffy: + enabled: true + image: + privateRegistry: + enabled: true + secretToken: + fluffyConfig: | + auth: + # logout_redirect_url: https:// + # post_login_redirect_url: https:// + saml: + sp_sign_request: true + # depends on IDP + sp_signature_method: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" + # url to the metadata of the IDP + idp_metadata_url: "https:///federationmetadata/2007-06/federationmetadata.xml" + # IDP SAML claims format default unspecified + # idp_authn_name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" + # claim name from IDP to use as the uniqueue user name + external_user_id_claim_name: samName + # depending on IDP setup, if CA certs are self signed and not trusted by a known CA + idp_skip_verify_tls_cert: true + rbac: + enabled: true + secrets: + create: true + sso: + enabled: true + saml: + enabled: true + createSecret: true + lakeFSServiceProviderIngress: https:// + certificate: + saml_rsa_public_cert: | + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- + saml_rsa_private_key: | + -----BEGIN PRIVATE KEY----- + ... + -----END PRIVATE KEY----- + +lakefsConfig: | + blockstore: + type: local + auth: + cookie_auth_verification: + # claim name to display user in the UI + friendly_name_claim_name: displayName + # claim name from IDP to use as the uniqueue user name + external_user_id_claim_name: samName + default_initial_groups: + - "Developers" + ui_config: + login_cookie_names: + - internal_auth_session + - saml_auth_session + +useDevPostgres: true \ No newline at end of file From 5a9c22edb2907868256a2c76b72fe9284f372da5 Mon Sep 17 00:00:00 2001 
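Review bot: `idp_skip_verify_tls_cert: true` is left active in this example (patch 18 later comments it out in `saml-enterprise.yaml`, but not here). With TLS verification off, whatever answers `idp_metadata_url` is trusted, and IdP metadata presumably carries the signing certificate used to validate assertions, so an attacker on the network path could substitute their own and mint logins. Ship it commented out with a sharper warning: `# Disables TLS verification of the IdP metadata endpoint — only for lab IdPs with self-signed certs, never in production` followed by `# idp_skip_verify_tls_cert: true`.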
From: Idan Novogroder Date: Thu, 3 Jul 2025 19:25:28 +0300 Subject: [PATCH 16/25] Typo --- examples/lakefs/enterprise/saml-enterprise.yaml | 2 +- examples/lakefs/enterprise/saml-fluffy.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/lakefs/enterprise/saml-enterprise.yaml b/examples/lakefs/enterprise/saml-enterprise.yaml index 8ad6371..18e5e7c 100644 --- a/examples/lakefs/enterprise/saml-enterprise.yaml +++ b/examples/lakefs/enterprise/saml-enterprise.yaml @@ -40,7 +40,7 @@ lakefsConfig: | auth_source: saml # claim name to display user in the UI friendly_name_claim_name: displayName - # claim name from IDP to use as the uniqueue user name + # claim name from IDP to use as the unique user name external_user_id_claim_name: samName default_initial_groups: - "Developers" diff --git a/examples/lakefs/enterprise/saml-fluffy.yaml b/examples/lakefs/enterprise/saml-fluffy.yaml index 1c05212..e446d87 100644 --- a/examples/lakefs/enterprise/saml-fluffy.yaml +++ b/examples/lakefs/enterprise/saml-fluffy.yaml @@ -25,7 +25,7 @@ fluffy: idp_metadata_url: "https:///federationmetadata/2007-06/federationmetadata.xml" # IDP SAML claims format default unspecified # idp_authn_name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" - # claim name from IDP to use as the uniqueue user name + # claim name from IDP to use as the unique user name external_user_id_claim_name: samName # depending on IDP setup, if CA certs are self signed and not trusted by a known CA idp_skip_verify_tls_cert: true @@ -56,7 +56,7 @@ lakefsConfig: | cookie_auth_verification: # claim name to display user in the UI friendly_name_claim_name: displayName - # claim name from IDP to use as the uniqueue user name + # claim name from IDP to use as the unique user name external_user_id_claim_name: samName default_initial_groups: - "Developers" From 1479e525e83e90b07704d7fdb54a45364cb45232 Mon Sep 17 00:00:00 2001 
From: Idan Novogroder Date: Thu, 3 Jul 2025 21:03:35 +0300 Subject: [PATCH 17/25] Fix --- charts/lakefs/templates/_env.tpl | 4 +- charts/lakefs/templates/secret.yaml | 37 ++++++++++++++----- .../lakefs/enterprise/ldap-enterprise.yaml | 10 ++--- examples/lakefs/enterprise/ldap-fluffy.yaml | 2 +- 4 files changed, 36 insertions(+), 17 deletions(-) diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index 772af60..46ec6ce 100644 --- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl @@ -63,7 +63,7 @@ env: - name: LAKEFS_AUTH_PROVIDERS_OIDC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ include "lakefs.fullname" . }} + name: oidc-client-secret key: oidc_client_secret {{- end }} {{- end }} @@ -74,7 +74,7 @@ env: - name: LAKEFS_AUTH_PROVIDERS_LDAP_BIND_PASSWORD valueFrom: secretKeyRef: - name: {{ include "lakefs.fullname" . }} + name: ldap-secret key: ldap_bind_password {{- end }} {{- end }} diff --git a/charts/lakefs/templates/secret.yaml b/charts/lakefs/templates/secret.yaml index 3b26e84..bc370d8 100644 --- a/charts/lakefs/templates/secret.yaml +++ b/charts/lakefs/templates/secret.yaml @@ -13,14 +13,6 @@ data: {{- if .Values.secrets.authEncryptSecretKey }} auth_encrypt_secret_key: {{ .Values.secrets.authEncryptSecretKey | default "" | b64enc }} {{- end }} -{{- if (.Values.enterprise).enabled }} -{{- if (((.Values.enterprise).auth).oidc).clientSecret }} - oidc_client_secret: {{ .Values.enterprise.auth.oidc.clientSecret | b64enc }} -{{- end}} -{{- if (((.Values.enterprise).auth).ldap).bindPassword }} - ldap_bind_password: {{ .Values.enterprise.auth.ldap.bindPassword | b64enc }} -{{- end}} -{{- end }} {{- end }} --- 
@@ -40,7 +32,34 @@ data: {{- end }} {{- end }} --- - +# LDAP bind password secret, used for LDAP authentication +{{- if (.Values.enterprise).enabled }} +{{- if (((.Values.enterprise).auth).ldap).enabled }} +{{- if (((.Values.enterprise).auth).ldap).bindPassword }} +apiVersion: v1 +kind: Secret +metadata: + name: ldap-secret +data: + ldap_bind_password: {{ .Values.enterprise.auth.ldap.bindPassword | b64enc }} +{{- end }} +{{- end }} +{{- end }} +--- +# OIDC client secret, used for OIDC authentication +{{- if (.Values.enterprise).enabled }} +{{- if (((.Values.enterprise).auth).oidc).enabled }} +{{- if (((.Values.enterprise).auth).oidc).clientSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: oidc-client-secret +data: + oidc_client_secret: {{ .Values.enterprise.auth.oidc.clientSecret | b64enc }} +{{- end }} +{{- end }} +{{- end }} +--- {{- if and .Values.image.privateRegistry.enabled .Values.image.privateRegistry.secretToken }} apiVersion: v1 kind: Secret diff --git a/examples/lakefs/enterprise/ldap-enterprise.yaml b/examples/lakefs/enterprise/ldap-enterprise.yaml index 2c32447..9dceb18 100644 --- a/examples/lakefs/enterprise/ldap-enterprise.yaml +++ b/examples/lakefs/enterprise/ldap-enterprise.yaml @@ -4,15 +4,15 @@ ingress: hosts: # the ingress that will be created for lakeFS - host: - paths: - - / + paths: + - / enterprise: enabled: true auth: ldap: enabled: true - bind_password: + bindPassword: image: privateRegistry: @@ -31,9 +31,9 @@ lakefsConfig: | providers: ldap: server_endpoint: ldaps://ldap.company.com:636 - bind_dn: uid=,ou=Users,o=,dc=,dc=com + bind_dn: uid=,ou=Users,o=,dc=,dc=com username_attribute: uid - user_base_dn: ou=Users,o=,dc=,dc=com + user_base_dn: ou=Users,o=,dc=,dc=com user_filter: (objectClass=inetOrgPerson) default_user_group: "Developers" connection_timeout_seconds: 15 diff --git a/examples/lakefs/enterprise/ldap-fluffy.yaml b/examples/lakefs/enterprise/ldap-fluffy.yaml index 20e5996..65ba939 100644 
--- a/examples/lakefs/enterprise/ldap-fluffy.yaml +++ b/examples/lakefs/enterprise/ldap-fluffy.yaml @@ -12,7 +12,7 @@ fluffy: image: privateRegistry: enabled: true - secretToken: + secretToken: fluffyConfig: | auth: post_login_redirect_url: / From 0ea5617cfb6d83f3f63cb5d21e83e26250e8c1c5 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 6 Jul 2025 13:44:41 +0300 Subject: [PATCH 18/25] Fixed SAML example --- examples/lakefs/enterprise/saml-enterprise.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/examples/lakefs/enterprise/saml-enterprise.yaml b/examples/lakefs/enterprise/saml-enterprise.yaml index 18e5e7c..98d7bbb 100644 --- a/examples/lakefs/enterprise/saml-enterprise.yaml +++ b/examples/lakefs/enterprise/saml-enterprise.yaml 
@@ -34,27 +34,27 @@ lakefsConfig: | features: local_rbac: true auth: - # logout_redirect_url: https:// - # post_login_redirect_url: https:// + logout_redirect_url: https:// cookie_auth_verification: auth_source: saml # claim name to display user in the UI - friendly_name_claim_name: displayName + friendly_name_claim_name: displayName # claim name from IDP to use as the unique user name external_user_id_claim_name: samName default_initial_groups: - "Developers" providers: saml: + post_login_redirect_url: https:// sp_root_url: https:// sp_sign_request: true # depends on IDP - sp_signature_method: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" + sp_signature_method: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" # url to the metadata of the IDP - idp_metadata_url: "https://login.microsoftonline.com/70ff2bb8-06f0-4d1f-8d12-b170294bf4a0/federationmetadata/2007-06/federationmetadata.xml?appid=b41a2142-3fc3-444d-a057-0cf6adee26ba" + idp_metadata_url: "https:///federationmetadata/2007-06/federationmetadata.xml" # IDP SAML claims format default unspecified - # idp_authn_name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" + idp_authn_name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" # depending on IDP setup, if CA certs are self signed and not trusted by a known CA - idp_skip_verify_tls_cert: true + #idp_skip_verify_tls_cert: true useDevPostgres: true \ No newline at end of file From 8c13fac74508576eb878ff5fdb8348a590e23619 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Mon, 7 Jul 2025 10:41:36 +0300 Subject: [PATCH 19/25] Fix PR comments --- charts/lakefs/templates/_env.tpl | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index 46ec6ce..25a96c4 100644 --- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl 
@@ -32,10 +32,8 @@ env: {{- if (.Values.enterprise).enabled}} - name: LAKEFS_USAGE_REPORT_ENABLED value: "true" - {{- if (((.Values.enterprise).auth).rbac).enabled }} - name: LAKEFS_FEATURES_LOCAL_RBAC - value: "true" - {{- end }} + value: "{{ (((.Values.enterprise).auth).rbac).enabled | default false }}" {{- if (((.Values.enterprise).auth).saml).enabled }} - name: LAKEFS_AUTH_COOKIE_AUTH_VERIFICATION_AUTH_SOURCE value: saml @@ -44,7 +42,7 @@ env: - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: /sso/logout-saml - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_COOKIE_NAME - value: "internal_auth_session, saml_auth_session" + value: "internal_auth_session,saml_auth_session" - name: LAKEFS_AUTH_PROVIDERS_SAML_POST_LOGIN_REDIRECT_URL value: / - name: LAKEFS_AUTH_PROVIDERS_SAML_SP_X509_KEY_PATH @@ -58,7 +56,7 @@ env: - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL value: '/oidc/logout' - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_COOKIE_NAME - value: "internal_auth_session, oidc_auth_session" + value: "internal_auth_session,oidc_auth_session" {{- if (((.Values.enterprise).auth).oidc).clientSecret }} - name: LAKEFS_AUTH_PROVIDERS_OIDC_CLIENT_SECRET valueFrom: From 5f9eff51338e7635345ebfbfa5d6299e0f4cfb84 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Mon, 7 Jul 2025 12:35:13 +0300 Subject: [PATCH 20/25] Secret changes --- charts/lakefs/templates/_env.tpl | 20 +++++++++--- charts/lakefs/templates/secret.yaml | 48 ++++++++++------------------- charts/lakefs/values.yaml | 4 +++ 3 files changed, 37 insertions(+), 35 deletions(-) diff --git a/charts/lakefs/templates/_env.tpl b/charts/lakefs/templates/_env.tpl index 25a96c4..6292e78 100644 --- a/charts/lakefs/templates/_env.tpl +++ b/charts/lakefs/templates/_env.tpl 
@@ -57,22 +57,34 @@ env:
 value: '/oidc/logout'
 - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_COOKIE_NAME
 value: "internal_auth_session,oidc_auth_session"
- {{- if (((.Values.enterprise).auth).oidc).clientSecret }}
+ {{- if and .Values.existingSecret .Values.secretKeys.oidcClientSecret }}
 - name: LAKEFS_AUTH_PROVIDERS_OIDC_CLIENT_SECRET
 valueFrom:
 secretKeyRef:
- name: oidc-client-secret
+ name: {{ .Values.existingSecret }}
+ key: {{ .Values.secretKeys.oidcClientSecret }}
+ {{- else if (((.Values.enterprise).auth).oidc).clientSecret }}
+ - name: LAKEFS_AUTH_PROVIDERS_OIDC_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "lakefs.fullname" . }}
 key: oidc_client_secret
 {{- end }}
 {{- end }}
 {{- if (((.Values.enterprise).auth).ldap).enabled }}
 - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL
 value: /logout
- {{- if (((.Values.enterprise).auth).ldap).bindPassword }}
+ {{- if and .Values.existingSecret .Values.secretKeys.ldapBindPassword }}
 - name: LAKEFS_AUTH_PROVIDERS_LDAP_BIND_PASSWORD
 valueFrom:
 secretKeyRef:
- name: ldap-secret
+ name: {{ .Values.existingSecret }}
+ key: {{ .Values.secretKeys.ldapBindPassword }}
+ {{- else if (((.Values.enterprise).auth).ldap).bindPassword }}
+ - name: LAKEFS_AUTH_PROVIDERS_LDAP_BIND_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "lakefs.fullname" . }}
 key: ldap_bind_password
 {{- end }}
 {{- end }}
diff --git a/charts/lakefs/templates/secret.yaml b/charts/lakefs/templates/secret.yaml
index bc370d8..8e04861 100644
--- a/charts/lakefs/templates/secret.yaml
+++ b/charts/lakefs/templates/secret.yaml
@@ -1,4 +1,4 @@
-{{- if and (.Values.secrets) (not .Values.existingSecret) }}
+{{- if not .Values.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
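Review bot: The `else if` fallbacks still point at the release Secret (`{{ include "lakefs.fullname" . }}`) when `existingSecret` is set but `secretKeys.oidcClientSecret` / `secretKeys.ldapBindPassword` are left at their `null` default while `enterprise.auth.oidc.clientSecret` / `ldap.bindPassword` are given — yet secret.yaml in this same patch renders that Secret only `{{- if not .Values.existingSecret }}`, so the pod references a Secret that does not exist and sits in CreateContainerConfigError. Either make the fallback require the release Secret to exist, `{{- else if and (not .Values.existingSecret) (((.Values.enterprise).auth).oidc).clientSecret }}` (and the same for LDAP), or `fail` with a message telling the operator to set the matching `secretKeys.*` entry. A short `{{/* ... */}}` comment above each block naming the two sources and their precedence would also help.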
@@ -7,12 +7,26 @@ metadata: {{- include "lakefs.labels" . | nindent 4 }} type: Opaque data: -{{- if .Values.secrets.databaseConnectionString }} +{{- if (.Values.secrets).databaseConnectionString }} database_connection_string: {{ .Values.secrets.databaseConnectionString | default "" | b64enc }} {{- end }} -{{- if .Values.secrets.authEncryptSecretKey }} +{{- if (.Values.secrets).authEncryptSecretKey }} auth_encrypt_secret_key: {{ .Values.secrets.authEncryptSecretKey | default "" | b64enc }} {{- end }} +{{- if (.Values.enterprise).enabled }} +{{- if (((.Values.enterprise).auth).oidc).enabled }} +{{- if (((.Values.enterprise).auth).oidc).clientSecret }} + # LDAP bind password secret, used for LDAP authentication + ldap_bind_password: {{ .Values.enterprise.auth.ldap.bindPassword | b64enc }} +{{- end }} +{{- end }} +{{- if (((.Values.enterprise).auth).oidc).enabled }} +{{- if (((.Values.enterprise).auth).oidc).clientSecret }} +# OIDC client secret, used for OIDC authentication + oidc_client_secret: {{ .Values.enterprise.auth.oidc.clientSecret | b64enc }} +{{- end }} +{{- end }} +{{- end }} {{- end }} --- 
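Review bot: The new `ldap_bind_password` entry is gated on `oidc).enabled` and `oidc).clientSecret` rather than the LDAP values, so with OIDC disabled the key is never written while `_env.tpl` still references `ldap_bind_password` whenever `ldap.bindPassword` is set; PATCH 22 later in the series corrects the guards, but as committed this hunk leaves a dangling key (and reads `.Values.enterprise.auth.ldap.bindPassword` without the nil-safe parentheses used everywhere else, which panics when `ldap` is absent). Separately, both entries take the credential straight from chart values; base64 in a Secret is not encryption and Helm keeps the supplied values in its release Secret, so `values.yaml` should state that these are a convenience path and that `existingSecret`/`secretKeys` is preferred, e.g. `# Inline credentials are stored in the Helm release record; prefer existingSecret`. Minor: the `# LDAP bind password secret` comment is indented under `data:` while the OIDC comment sits at column 0 — harmless to the parser, but worth aligning.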
@@ -32,34 +46,6 @@ data: {{- end }} {{- end }} --- -# LDAP bind password secret, used for LDAP authentication -{{- if (.Values.enterprise).enabled }} -{{- if (((.Values.enterprise).auth).ldap).enabled }} -{{- if (((.Values.enterprise).auth).ldap).bindPassword }} -apiVersion: v1 -kind: Secret -metadata: - name: ldap-secret -data: - ldap_bind_password: {{ .Values.enterprise.auth.ldap.bindPassword | b64enc }} -{{- end }} -{{- end }} -{{- end }} ---- -# OIDC client secret, used for OIDC authentication -{{- if (.Values.enterprise).enabled }} -{{- if (((.Values.enterprise).auth).oidc).enabled }} -{{- if (((.Values.enterprise).auth).oidc).clientSecret }} -apiVersion: v1 -kind: Secret -metadata: - name: oidc-client-secret -data: - oidc_client_secret: {{ .Values.enterprise.auth.oidc.clientSecret | b64enc }} -{{- end }} -{{- end }} -{{- end }} ---- {{- if and .Values.image.privateRegistry.enabled .Values.image.privateRegistry.secretToken }} apiVersion: v1 kind: Secret diff --git a/charts/lakefs/values.yaml b/charts/lakefs/values.yaml index 24ae01c..ce71c12 100644 --- a/charts/lakefs/values.yaml +++ b/charts/lakefs/values.yaml @@ -121,6 +121,10 @@ secretKeys: authEncryptSecretKey: auth_encrypt_secret_key # Use the following to fetch PostgreSQL connection string from an existing secret: databaseConnectionString: null + # Use the following to fetch LDAP bind password from an existing secret: + ldapBindPassword: null + # Use the following to fetch OIDC client secret from an existing secret: + oidcClientSecret: null # Enterprise configuration enterprise: From 4911564b15436f7cc98e8bd2c76b9e6d2a643206 Mon Sep 17 00:00:00 2001 
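Review bot: The comments on the new `ldapBindPassword` and `oidcClientSecret` keys say the value is fetched "from an existing secret" but do not say that `existingSecret` must also be set for them to take effect, nor that the named key must exist in that Secret, which the templates cannot check at render time. Suggest making each comment explicit, e.g. `# Key in existingSecret holding the LDAP bind password; only used when existingSecret is set`, and the same for the OIDC client secret. A short pointer that this is the recommended way to supply these credentials, rather than the inline `enterprise.auth.*` values, would also help operators pick the safer path.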
From: Idan Novogroder Date: Mon, 7 Jul 2025 12:37:48 +0300 Subject: [PATCH 21/25] Remove useDevPostgres from examples --- examples/lakefs/enterprise/external-enterprise.yaml | 2 +- examples/lakefs/enterprise/external-fluffy.yaml | 2 +- examples/lakefs/enterprise/ldap-enterprise.yaml | 1 - examples/lakefs/enterprise/oidc-enterprise.yaml | 1 - examples/lakefs/enterprise/oidc-fluffy.yaml | 1 - examples/lakefs/enterprise/saml-enterprise.yaml | 1 - examples/lakefs/enterprise/saml-fluffy.yaml | 1 - 7 files changed, 2 insertions(+), 7 deletions(-) diff --git a/examples/lakefs/enterprise/external-enterprise.yaml b/examples/lakefs/enterprise/external-enterprise.yaml index 804dfed..acb2a34 100644 --- a/examples/lakefs/enterprise/external-enterprise.yaml +++ b/examples/lakefs/enterprise/external-enterprise.yaml @@ -7,7 +7,7 @@ ingress: paths: - / -useDevPostgres: true + lakefsConfig: | auth: diff --git a/examples/lakefs/enterprise/external-fluffy.yaml b/examples/lakefs/enterprise/external-fluffy.yaml index 724bbd0..78fc59d 100644 --- a/examples/lakefs/enterprise/external-fluffy.yaml +++ b/examples/lakefs/enterprise/external-fluffy.yaml @@ -37,5 +37,5 @@ fluffy: rbac: enabled: true -useDevPostgres: true + diff --git a/examples/lakefs/enterprise/ldap-enterprise.yaml b/examples/lakefs/enterprise/ldap-enterprise.yaml index 9dceb18..81e3a71 100644 --- a/examples/lakefs/enterprise/ldap-enterprise.yaml +++ b/examples/lakefs/enterprise/ldap-enterprise.yaml @@ -39,4 +39,3 @@ lakefsConfig: | connection_timeout_seconds: 15 request_timeout_seconds: 7 -useDevPostgres: true \ No newline at end of file diff --git a/examples/lakefs/enterprise/oidc-enterprise.yaml b/examples/lakefs/enterprise/oidc-enterprise.yaml index fd50018..6480149 100644 --- a/examples/lakefs/enterprise/oidc-enterprise.yaml +++ b/examples/lakefs/enterprise/oidc-enterprise.yaml @@ -43,4 +43,3 @@ lakefsConfig: | - returnTo - https:///oidc/login -useDevPostgres: true \ No newline at end of file 
diff --git a/examples/lakefs/enterprise/oidc-fluffy.yaml b/examples/lakefs/enterprise/oidc-fluffy.yaml index 0249b1d..019553e 100644 --- a/examples/lakefs/enterprise/oidc-fluffy.yaml +++ b/examples/lakefs/enterprise/oidc-fluffy.yaml @@ -54,4 +54,3 @@ lakefsConfig: | friendly_name_claim_name: default_initial_groups: ["Developers"] -useDevPostgres: true \ No newline at end of file diff --git a/examples/lakefs/enterprise/saml-enterprise.yaml b/examples/lakefs/enterprise/saml-enterprise.yaml index 98d7bbb..9cab9e9 100644 --- a/examples/lakefs/enterprise/saml-enterprise.yaml +++ b/examples/lakefs/enterprise/saml-enterprise.yaml @@ -57,4 +57,3 @@ lakefsConfig: | # depending on IDP setup, if CA certs are self signed and not trusted by a known CA #idp_skip_verify_tls_cert: true -useDevPostgres: true \ No newline at end of file diff --git a/examples/lakefs/enterprise/saml-fluffy.yaml b/examples/lakefs/enterprise/saml-fluffy.yaml index e446d87..3e5e1b4 100644 --- a/examples/lakefs/enterprise/saml-fluffy.yaml +++ b/examples/lakefs/enterprise/saml-fluffy.yaml @@ -65,4 +65,3 @@ lakefsConfig: | - internal_auth_session - saml_auth_session -useDevPostgres: true \ No newline at end of file From 1bb97ab4f3bdac1c5edcbe300feb8561b3b5223b Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Mon, 7 Jul 2025 13:37:03 +0300 Subject: [PATCH 22/25] fix --- charts/lakefs/templates/secret.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/lakefs/templates/secret.yaml b/charts/lakefs/templates/secret.yaml index 8e04861..a7ad0f5 100644 --- a/charts/lakefs/templates/secret.yaml +++ b/charts/lakefs/templates/secret.yaml 
@@ -14,8 +14,8 @@ data: auth_encrypt_secret_key: {{ .Values.secrets.authEncryptSecretKey | default "" | b64enc }} {{- end }} {{- if (.Values.enterprise).enabled }} -{{- if (((.Values.enterprise).auth).oidc).enabled }} -{{- if (((.Values.enterprise).auth).oidc).clientSecret }} +{{- if (((.Values.enterprise).auth).ldap).enabled }} +{{- if (((.Values.enterprise).auth).ldap).bindPassword }} # LDAP bind password secret, used for LDAP authentication ldap_bind_password: {{ .Values.enterprise.auth.ldap.bindPassword | b64enc }} {{- end }} From 6345ed37b1da63254349dec21daf8c9afd6379d8 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 13 Jul 2025 10:35:13 +0300 Subject: [PATCH 23/25] Migration guide --- charts/lakefs/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/lakefs/templates/_helpers.tpl b/charts/lakefs/templates/_helpers.tpl index a60b79c..d1f06ba 100644 --- a/charts/lakefs/templates/_helpers.tpl +++ b/charts/lakefs/templates/_helpers.tpl @@ -83,7 +83,7 @@ Define which repository to use according to the following: {{- define "lakefs.checkDeprecated" -}} {{- if .Values.fluffy -}} -{{- fail "Fluffy configuration detected. Please migrate to lakeFS Enterprise auth configuration and use treeverse/lakefs-enterprise docker image. See migration guide." -}} +{{- fail "Fluffy configuration detected. Please migrate to lakeFS Enterprise auth configuration and use treeverse/lakefs-enterprise docker image. See migration guide: https://docs.lakefs.io/latest/enterprise/upgrade/#kubernetes-migrating-with-helm-from-fluffy-to-new-lakefs-enterprise." -}} {{- end -}} {{- end -}} From 177d79b9d2279c49fc21ef1b0122d0d472befe60 Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 13 Jul 2025 16:25:25 +0300 Subject: [PATCH 24/25] Update lakeFS version + changelog --- CHANGELOG.md | 10 ++++++++++ charts/lakefs/Chart.yaml | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 810fc3d..06b2fc2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,15 @@ # Changelog +# 1.5.0 + +### Important +The lakeFS Helm chart now uses lakeFS Enterprise with integrated authentication, removing the need for the separate Fluffy service. +All authentication capabilities (LDAP, OIDC, SAML, AWS IAM) are now built directly into lakeFS Enterprise. +For more information, see the [migration guide](https://docs.lakefs.io/latest/enterprise/upgrade/#kubernetes-migrating-with-helm-from-fluffy-to-new-lakefs-enterprise). + +:new: What's new: +- Update lakeFS version to [1.63.0](https://github.com/treeverse/lakeFS/releases/tag/v1.63.0) + # 1.4.20 :new: What's new: diff --git a/charts/lakefs/Chart.yaml b/charts/lakefs/Chart.yaml index 1f00971..b7f21b8 100644 --- a/charts/lakefs/Chart.yaml +++ b/charts/lakefs/Chart.yaml @@ -3,7 +3,7 @@ name: lakefs description: A Helm chart for running LakeFS on Kubernetes type: application version: 1.5.0 -appVersion: 1.62.0 +appVersion: 1.63.0 home: https://lakefs.io icon: https://lakefs.io/wp-content/uploads/2020/07/lake-fs-color-2.svg From a5372ced93e645139657b54c976978a12162a6af Mon Sep 17 00:00:00 2001 From: Idan Novogroder Date: Sun, 13 Jul 2025 16:47:04 +0300 Subject: [PATCH 25/25] Changelog --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 06b2fc2..2be2755 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,8 +3,8 @@ # 1.5.0 ### Important -The lakeFS Helm chart now uses lakeFS Enterprise with integrated authentication, removing the need for the separate Fluffy service. -All authentication capabilities (LDAP, OIDC, SAML, AWS IAM) are now built directly into lakeFS Enterprise. +Fluffy is no longer supported in this chart version, and all authentication capabilities (LDAP, OIDC, SAML, AWS IAM) are now built directly into lakeFS Enterprise. +lakeFS-Enterprise image is now required for all enterprise authentication capabilities to work. For more information, see the [migration guide](https://docs.lakefs.io/latest/enterprise/upgrade/#kubernetes-migrating-with-helm-from-fluffy-to-new-lakefs-enterprise). :new: What's new: