Dashboard

Proto: dashboard.proto

Package: admin.gloo.solo.io

Configure external authentication to secure the Gloo UI. For example, you can secure the UI by requiring authentication with an OpenID Connect (OIDC) identity provider. To access the Gloo UI, users must authenticate with the OIDC provider, and all requests to retrieve data from the API must be authenticated.

For more information, see Set up external auth.

This example sets up OIDC authentication with Google.

apiVersion: admin.gloo.solo.io/v2
kind: Dashboard
metadata:
  name: settings
  namespace: gloo-mesh
spec:
  authn:
    oidc:
      appUrl: https://localhost:8080
      clientId: $CLIENT_ID
      clientSecretName: dashboard
      issuerUrl: https://accounts.google.com

Types:

DashboardSpec

Specifications for the resource.

Field Description
authn (DashboardSpec.AuthnConfig)

Configuration used to authenticate incoming requests.
authz (DashboardSpec.AuthzConfig)

Configuration used to authorize incoming requests.

DashboardSpec.AuthnConfig

Configuration used to authenticate incoming requests.

Field Description
oidc (OidcConfig)

Configuration for an OpenID Connect (OIDC) identity provider to secure the Gloo UI with.

DashboardSpec.AuthzConfig

Configuration used to authorize incoming requests.

Field Description
multiClusterRbac (MultiClusterRbac)

Enable multicluster RBAC so that RBAC resources in workload clusters are used to determine whether users can view resources in the Gloo UI. To use multicluster RBAC, the Gloo UI and the workload clusters must use the same identity source, such as an OIDC provider with the same user and group claims. When using OIDC, make sure to configure the userMapping field.

DashboardStatus

Field Description
observedGeneration (int64)

The most recent generation observed in the Dashboard metadata. If the observedGeneration does not match metadata.generation, Gloo has not processed the most recent version of this resource.
state (common.gloo.solo.io.ApprovalState)

Whether the resource has been accepted as valid and processed in the Gloo config translation.
errors (repeated string)

Any errors encountered while translating the Dashboard resource.

JwksOnDemandCacheRefreshPolicy

The JSON Web Key Set (JWKS) is fetched from the remote source at a polling interval. When keys rotate in the remote source, there can be a delay before the local cache picks up the new keys. During that window, a user might send a request with a token that is signed by a key that is in the remote JWKS but not yet in the local cache, and the request fails because the key is not in the local set. Because most IdPs publish new keys in their remote JWKS before they start using them, this is typically not an issue. However, you can use this policy to define how to handle user tokens that are signed by a key that is not yet in the local cache.

Field Description
never (google.protobuf.Empty)

Never refresh the local JWKS cache on demand. If a key is not in the local cache, it is assumed to be malicious. This is the default policy, because IdPs typically publish keys before they rotate them, and frequent polling finds the newest keys. For information about the value format, see the Google protocol buffer documentation.
always (google.protobuf.Empty)

If a key is not in the cache, fetch the most recent keys from the IdP and update the cache. NOTE: Use this setting only in trusted environments, because each missing key triggers a request to the IdP. When used in an environment that is exposed to the internet, malicious agents can execute a DDoS attack by spamming protected endpoints with tokens signed by invalid keys. For information about the value format, see the Google protocol buffer documentation.
maxIdpReqPerPollingInterval (uint32)

If a key is not in the cache, fetch the most recent keys from the IdP and update the cache. This value sets the number of requests to the IdP per polling interval. If that limit is exceeded, fetching from the IdP stops for the remainder of the polling interval.
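The three refresh policies above (and the jwksCacheRefreshPolicy field of OidcConfig that selects one of them), as an added Go example that is not Gloo's own code: a simplified local JWKS cache whose Lookup contacts the IdP on a cache miss only as the configured policy permits, and fails closed once the per-interval budget is spent. The fetchRemote callback and the injectable clock are assumptions that stand in for the real jwks_uri request and the polling-interval timer.

```go
package main

import "errors"
import "time"
// Policy mirrors the oneof in JwksOnDemandCacheRefreshPolicy: never, always, maxIdpReqPerPollingInterval.
type Policy int
const (
	Never Policy = iota
	Always
	MaxPerInterval
)
var ErrUnknownKey, ErrRefreshLimited = errors.New("token kid is not in the local JWKS cache"), errors.New("on-demand IdP refresh budget spent for this polling interval")
// JWKSCache is a constructed stand-in for the local key cache (assumption, not Gloo's implementation).
type JWKSCache struct {
	policy         Policy
	maxPerInterval uint32
	pollInterval   time.Duration
	fetchRemote    func() map[string]string // stands in for a request to the IdP jwks_uri
	now            func() time.Time          // injectable clock so the interval can be simulated
	keys           map[string]string         // kid -> public key material
	windowStart    time.Time                 // start of the current polling interval
	windowRequests uint32                    // on-demand IdP requests spent in this interval
}
// NewCache runs the initial polled discovery, which does not count against the on-demand budget.
func NewCache(p Policy, budget uint32, interval time.Duration, fetch func() map[string]string, now func() time.Time) *JWKSCache {
	return &JWKSCache{policy: p, maxPerInterval: budget, pollInterval: interval, fetchRemote: fetch, now: now, keys: fetch(), windowStart: now()}
}
// Lookup returns the key for kid, contacting the IdP on a miss only as the policy allows.
func (c *JWKSCache) Lookup(kid string) (string, error) {
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	switch c.policy {
	case Never: // an unknown kid is treated as untrusted; the IdP is never contacted per request
		return "", ErrUnknownKey
	case MaxPerInterval:
		if t := c.now(); t.Sub(c.windowStart) >= c.pollInterval {
			c.windowStart, c.windowRequests = t, 0 // new polling interval: reset the budget
		}
		if c.windowRequests >= c.maxPerInterval {
			return "", ErrRefreshLimited // budget spent: fail closed rather than flood the IdP
		}
		c.windowRequests++
	}
	c.keys = c.fetchRemote() // Always, or MaxPerInterval within budget: refresh from the IdP
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	return "", ErrUnknownKey
}
```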

MultiClusterRbac

Enable multicluster RBAC so that RBAC resources in workload clusters are used to determine whether users can view resources in the Gloo UI. To use multicluster RBAC, the Gloo UI and the workload clusters must use the same identity source, such as an OIDC provider with the same user and group claims. When using OIDC, make sure to configure the userMapping field.

OidcConfig

Configuration for an OpenID Connect (OIDC) identity provider to secure the Gloo UI with.

Field Description
clientId (string)

The client ID from the OIDC provider.
clientSecretName (string)

The name of the secret that holds the client secret from the OIDC identity provider. You must create this secret in advance in the same namespace as the Gloo UI.
issuerUrl (string)

The URL to connect to the OIDC identity provider, often in the format https://<domain>.<provider_url>/. Gloo looks for OIDC information in <issuerUrl>/.well-known/openid-configuration.
authEndpointQueryParams (repeated OidcConfig.AuthEndpointQueryParamsEntry)

Extra query parameters to apply to authorization requests to the identity provider. For example, you might use the PKCE flow by setting code_challenge and code_challenge_method.
tokenEndpointQueryParams (repeated OidcConfig.TokenEndpointQueryParamsEntry)

Extra query parameters to apply to token requests to the identity provider. For example, you might use the PKCE flow by setting code_challenge and code_challenge_method.
appUrl (string)

The URL that the Gloo UI is exposed at, such as ‘https://localhost:8090’, to redirect to after successful authentication.
callbackPath (string)

Path to handle the OIDC callback.
logoutPath (string)

Path used to logout. If unset or empty, logout is disabled.
scopes (repeated string)

Scopes to request in addition to ‘openid’.
session (SessionConfig)

Configuration for session storage.
discoveryOverride (OidcConfig.DiscoveryOverride)

Ensure that certain values are set regardless of what the OIDC provider returns.
discoveryPollInterval (google.protobuf.Duration)

How often to poll the OIDC issuer for new configuration. For information about the value format, see the Google protocol buffer documentation.
jwksCacheRefreshPolicy (JwksOnDemandCacheRefreshPolicy)

If a user sends a request with a token signed by a key that is not found in the local JWKS cache, the keys might have rotated on the remote source but not yet been picked up locally. Use this policy to configure whether and how to refresh the local cache on demand when handling such a request.
userMapping (UserMapping)

If set, the ID token is used to infer user identity, which can be used to make authorization decisions. If unset or empty, no authorization is made.
caCertConfigmapName (string)

A name of a config map that contains the root certificate to use when connecting to the OIDC provider. The config map must contain a key named “ca.crt” with the PEM-encoded CA.

OidcConfig.AuthEndpointQueryParamsEntry

Field Description
key (string)

value (string)

OidcConfig.DiscoveryOverride

OIDC configuration is discovered at <issuerUrl>/.well-known/openid-configuration. You can use the discoveryOverride section to override this discovery configuration.

Field Description
authEndpoint (string)

URL of the provider authorization endpoint.
tokenEndpoint (string)

URL of the provider token endpoint.
jwksUri (string)

URL of the provider JSON web key set.
scopes (repeated string)

List of scope values that the provider supports.
responseTypes (repeated string)

List of response types that the provider supports.
subjects (repeated string)

List of subject identifier types that the provider supports.
idTokenAlgs (repeated string)

List of JSON web signature signing algorithms that the provider supports for encoding claims in a JWT.
authMethods (repeated string)

List of client authentication methods supported by the provider token endpoint.
claims (repeated string)

List of claim types that the provider supports.

OidcConfig.TokenEndpointQueryParamsEntry

Field Description
key (string)

value (string)

SessionConfig

Configuration for session data storage.

Field Description
cookieOptions (SessionConfig.CookieOptions)

Configuration for storing the session data in the session cookie.
cookie (SessionConfig.CookieSession)

Store the session data in the session cookie.
redis (SessionConfig.RedisSession)

Store the session data in a Redis instance.

SessionConfig.CookieOptions

Configuration for storing the session data in a session cookie header.

Field Description
maxAge (google.protobuf.UInt32Value)

Max age of the cookie. If unset, defaults to 30. To disable expiration, set this field to 0.
notSecure (bool)

Use an insecure cookie. Only set this field to true when testing in trusted environments.
path (google.protobuf.StringValue)

Path of the cookie. Defaults to "/". To disable this option, set this field to "".
domain (string)

Domain of the cookie.

SessionConfig.CookieSession

Store all session data in a cookie header. This is the default.

SessionConfig.RedisSession

Store the session data in a Redis instance.

Field Description
host (string)

The address of the Redis instance to use, in the format address:port or unix://path-to-unix.sock.
db (int32)

The Redis database to use, indexed to start at 0. If unset, defaults to 0.
poolSize (int32)

The maximum number of connections to establish at once. If unset, defaults to 10 connections per CPU.
keyPrefix (string)

Redis key prefix.
cookieName (string)

The name of the cookie that stores the session ID. If unset, defaults to "__session".
allowRefreshing (google.protobuf.BoolValue)

Refresh expired ID tokens by using the refresh token. Defaults to true. To disable refreshing, set this field to false.

UserMapping

Settings to ensure that the identity that is derived from the ID token matches the Kubernetes identity.

Field Description
usernameClaim (string)

The JWT field to use as the user's username.
usernamePrefix (string)

Add a prefix to each mapped username. For example, the value oidc: results in usernames such as oidc:john.
groupsClaim (string)

Configure the OIDCAuthenticator to populate the user's groups from an ID token claim. If the claim named in groupsClaim is present in an ID token, its value must be a string or a list of strings.
groupsPrefix (string)

Add a prefix to each mapped group name. For example, the value oidc: results in group names such as oidc:engineering.
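The usernameClaim, usernamePrefix, groupsClaim and groupsPrefix fields above, as an added Go example that is not Gloo's own code: derive a Kubernetes-style identity from decoded ID token claims, applying both prefixes and rejecting a groups claim that is neither a string nor a list of strings. The UserMapping and Identity types are assumptions made for this example.

```go
package main

import "fmt"

// UserMapping mirrors the four fields of the Dashboard UserMapping message (assumed struct for this example).
type UserMapping struct {
	UsernameClaim, UsernamePrefix, GroupsClaim, GroupsPrefix string
}

// Identity is the Kubernetes-style user identity derived from the ID token (assumed type).
type Identity struct {
	Username string
	Groups   []string
}

// MapClaims derives an Identity from decoded ID token claims: the username claim is required;
// the groups claim is optional but, when present, must be a string or a list of strings.
func MapClaims(m UserMapping, claims map[string]interface{}) (Identity, error) {
	u, ok := claims[m.UsernameClaim].(string)
	if !ok || u == "" {
		return Identity{}, fmt.Errorf("username claim %q is missing or not a string", m.UsernameClaim)
	}
	id := Identity{Username: m.UsernamePrefix + u}
	if m.GroupsClaim == "" {
		return id, nil // no groups mapping configured
	}
	switch g := claims[m.GroupsClaim].(type) {
	case nil: // claim absent from this token: the user simply has no groups
	case string:
		id.Groups = []string{m.GroupsPrefix + g}
	case []interface{}: // encoding/json decodes a JSON array into []interface{}
		for _, v := range g {
			s, ok := v.(string)
			if !ok {
				return Identity{}, fmt.Errorf("groups claim %q contains a non-string element", m.GroupsClaim)
			}
			id.Groups = append(id.Groups, m.GroupsPrefix+s)
		}
	default:
		return Identity{}, fmt.Errorf("groups claim %q must be a string or a list of strings", m.GroupsClaim)
	}
	return id, nil
}
```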