For example, you can secure the UI by requiring authentication with an OpenID Connect identity provider. To access the Gloo Mesh Core UI, users must authenticate with the OIDC provider, and all requests to retrieve data from the API must be authenticated.

For more information, see Set up external auth.

Proto: dashboard.proto

Package: admin.gloo.solo.io

Example

This example sets up OIDC authentication with Google.

  apiVersion: admin.gloo.solo.io/v2
  kind: Dashboard
  metadata:
    name: settings
    namespace: gloo-mesh
  spec:
    authn:
      oidc:
        appUrl: https://localhost:8080
        clientId: $CLIENT_ID
        clientSecretName: dashboard
        issuerUrl: https://accounts.google.com

spec fields

Field | Description
authn (authn) | Configuration used to authenticate incoming requests.
authz (authz) | Configuration used to authorize incoming requests.

authn

Configuration used to authenticate incoming requests.

Field | Description
oidc (oidc) | Configure authentication with an OIDC provider.

oidc

Configure authentication with an OpenID Connect (OIDC) identity provider.

Field | Description
appUrl (string) | URL to redirect to after successful auth.
authEndpointQueryParams (repeated authEndpointQueryParams) | Extra query parameters to apply to the authorization request to the identity provider. For example, you can use the PKCE flow by setting code_challenge and code_challenge_method.
caCertConfigmapName (string) | Name of a config map containing the root cert to use when talking to the OIDC provider. The config map must contain a key named “ca.crt” with a PEM-encoded CA.
callbackPath (string) | Path to handle the OIDC callback.
clientId (string) | The client ID from the issuer.
clientSecretName (string) | The client secret from the issuer.
discoveryOverride (discoveryOverride) | Ensure that certain values are set regardless of what the OIDC provider returns.
discoveryPollInterval (google.protobuf.Duration) | How often to poll the OIDC issuer for new configuration. For information about the value format, see the Google protocol buffer documentation.
issuerUrl (string) | The URL of the issuer. OIDC information is looked up at {{ issuerURL }}/.well-known/openid-configuration.
jwksCacheRefreshPolicy (jwksCacheRefreshPolicy) | If a user executes a request with a key that is not found in the JWKS, it could be that the keys have rotated on the remote source and are not yet in the local cache. This policy lets you define how the local cache is refreshed during a request where an invalid key is provided.
logoutPath (string) | Path used to log out. If not provided, logout is disabled.
scopes (repeated string) | Scopes to request in addition to ‘openid’.
session (session) | Configuration for session storage.
tokenEndpointQueryParams (repeated tokenEndpointQueryParams) | Extra query parameters to apply to the token request to the identity provider. For example, you can use the PKCE flow by setting code_challenge and code_challenge_method.
userMapping (userMapping) | Settings to ensure that the identity derived from the ID token matches the Kubernetes identity.

authEndpointQueryParams

Extra query parameters to apply to the authorization request to the identity provider. For example, you can use the PKCE flow by setting code_challenge and code_challenge_method.

Field | Description
key (string) | Query parameter name.
value (string) | Query parameter value.

discoveryOverride

Ensure that certain values are set regardless of what the OIDC provider returns. The discovery override defines any properties that should override this discovery configuration.

Field | Description
authEndpoint (string) | URL of the provider authorization endpoint.
authMethods (repeated string) | List of client authentication methods supported by the provider token endpoint.
claims (repeated string) | List of claim types that the provider supports.
idTokenAlgs (repeated string) | List of JSON Web Signature (JWS) signing algorithms that the provider supports for encoding claims in a JWT.
jwksUri (string) | URL of the provider JSON Web Key Set (JWKS).
responseTypes (repeated string) | List of response types that the provider supports.
scopes (repeated string) | List of scope values that the provider supports.
subjects (repeated string) | List of subject identifier types that the provider supports.
tokenEndpoint (string) | URL of the provider token endpoint.

jwksCacheRefreshPolicy

The json web key set (JWKS) is discovered at an interval from a remote source. When keys rotate in the remote source, there might be a delay in the local source picking up those new keys. In this case, a user can execute a request with a token that has been signed by a key in the remote JWKS, but the local cache doesn’t have the key yet. The request would fail because the key isn’t contained in the local set. Since most IdPs publish keys in their remote JWKS before they are used, this is not an issue most of the time. However, you can use this policy to define the behavior when a user has a token with a key that is not yet in the local cache.

Field | Description
always (google.protobuf.Empty) | If a key is not in the cache, fetch the most recent keys from the IdP and update the cache. NOTE: Enable this setting only in trusted environments, because each missing key triggers a request to the IdP. In an environment exposed to the internet, malicious agents can execute a DDoS attack by spamming protected endpoints with tokens signed by invalid keys. For information about the value format, see the Google protocol buffer documentation.
maxIdpReqPerPollingInterval (uint32) | If a key is not in the cache, fetch the most recent keys from the IdP and update the cache. This value sets the maximum number of requests to the IdP per polling interval. If that limit is exceeded, keys are not fetched from the IdP for the remainder of the polling interval.
never (google.protobuf.Empty) | Never refresh the local JWKS cache on demand. If a key is not in the cache, it is assumed to be malicious. This is the default policy, because IdPs are assumed to publish keys before they rotate them, and frequent polling finds the newest keys. For information about the value format, see the Google protocol buffer documentation.

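
The three refresh policies, modelled as an added example (not Gloo Mesh Core code): a toy cache receives tokens carrying key ids (kids) that are not in its local JWKS and applies the never, always and maxIdpReqPerPollingInterval rules described above. The IdP key set, the cache and the kids are constructed stand-ins, and the tally shows why the always policy is only safe in trusted environments.

```python
# Added example (not Gloo Mesh code): toy model of the jwksCacheRefreshPolicy
# modes above. Shows what happens when a token arrives with a kid that is not
# yet cached. IdP key set, cache and kids are constructed stand-ins.
from dataclasses import dataclass

@dataclass
class JwksCache:
    idp_keys: set                 # kids currently published by the IdP
    local_keys: set               # kids fetched at the last poll
    policy: str                   # "never", "always" or "max"
    max_idp_req: int = 0          # maxIdpReqPerPollingInterval (policy "max")
    idp_requests: int = 0         # on-demand IdP fetches this interval

    def poll(self) -> None:
        """Scheduled refresh (discoveryPollInterval): resync and reset budget."""
        self.local_keys = set(self.idp_keys)
        self.idp_requests = 0

    def _fetch_on_demand(self) -> None:
        self.idp_requests += 1    # every call here is a round trip to the IdP
        self.local_keys = set(self.idp_keys)

    def accept(self, kid: str) -> bool:
        """True if a token signed with `kid` passes the cache check."""
        if kid in self.local_keys:
            return True
        if self.policy == "never":    # default: unknown kid treated as malicious
            return False
        if self.policy == "max" and self.idp_requests >= self.max_idp_req:
            return False              # budget spent: no fetch until next poll
        self._fetch_on_demand()       # "always", or "max" with budget left
        return kid in self.local_keys

def demo() -> dict:
    """Five tokens with kids the IdP never issued arrive first (attacker
    noise), then the IdP rotates in 'k2' and a legitimate token uses it."""
    results = {}
    for policy, budget in (("never", 0), ("always", 0), ("max", 2)):
        c = JwksCache(idp_keys={"k1"}, local_keys={"k1"}, policy=policy,
                      max_idp_req=budget)
        bogus_ok = sum(c.accept(f"bogus{i}") for i in range(5))
        flood_cost = c.idp_requests   # IdP round trips caused by the noise
        c.idp_keys.add("k2")          # rotation happens after the flood
        rotated_ok = c.accept("k2")
        c.poll()                      # next scheduled discovery
        results[policy] = {"bogus_accepted": bogus_ok,
                           "idp_requests_from_flood": flood_cost,
                           "rotated_key_accepted": rotated_ok,
                           "rotated_key_accepted_after_poll": c.accept("k2")}
    return results
```

Under "always" every bogus kid costs an IdP request; under "max" the budget absorbs the noise, at the price of rejecting a freshly rotated key until the next poll.
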
session

Configuration for session storage.

Field | Description
cookieOptions (cookieOptions) | Set cookie options.
cookie (cookie) | Store all session data in the cookie.
redis (redis) | Store the session data in a Redis instance.

cookieOptions

Set cookie options.

Field | Description
domain (string) | Domain of the cookie.
maxAge (google.protobuf.UInt32Value) | Max age of the cookie. If unset, the default of 30 days is used. To disable expiration, set explicitly to 0.
notSecure (bool) | Use an insecure cookie. Use this only when testing and in trusted environments.
path (google.protobuf.StringValue) | Path of the cookie. Defaults to “/”. Set to "" to disable the option.

redis

Store the session data in a Redis instance.

Field | Description
allowRefreshing (google.protobuf.BoolValue) | When set, refresh expired ID tokens by using the refresh token. Defaults to true. Explicitly set to false to disable refreshing.
cookieName (string) | Cookie name to set and store the session ID. If empty, the default “__session” is used.
db (int32) | Database to use. If unset, defaults to db 0.
host (string) | Address of the Redis instance. Supported formats are address:port or unix://path/to/unix.sock.
keyPrefix (string) | Key prefix in the Redis instance.
poolSize (int32) | Size of the connection pool. If unset, defaults to 10 connections per CPU.

tokenEndpointQueryParams

Extra query parameters to apply to the token request to the identity provider. For example, you can use the PKCE flow by setting code_challenge and code_challenge_method.

Field | Description
key (string) | Query parameter name.
value (string) | Query parameter value.

userMapping

Settings to ensure that the identity derived from the ID token matches the Kubernetes identity. If set, the ID token is used to infer the user identity that is used to make authorization decisions. If unset, no authorization occurs.

Field | Description
groupsClaim (string) | If specified, causes the OIDCAuthenticator to try to populate the user’s groups from an ID token field. If the GroupsClaim field is present in an ID token, the value must be a string or list of strings.
groupsPrefix (string) | If specified, causes claims mapping to group names to be prefixed with the value. A value “oidc:” would result in groups like “oidc:engineering” and “oidc:marketing”.
usernameClaim (string) | The JWT field to use as the user’s username.
usernamePrefix (string) | If specified, causes claims mapping to username to be prefixed with the provided value. A value “oidc:” would result in usernames like “oidc:john”.

authz

Configuration used to authorize incoming requests.

Field | Description
multiClusterRbac (multiClusterRbac) | Enable multi-cluster RBAC. When this is enabled, Gloo Mesh Core uses RBAC resources from managed clusters to determine whether users are allowed to see resources in the dashboard. For this to work, the dashboard and the Kubernetes clusters need to have the same identity source (i.e. OIDC with the same user and group claims). When using OIDC, make sure to configure the userMapping field.
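
The userMapping prefix rules and the multiClusterRbac requirement that dashboard and clusters agree on them, as an added example (not Gloo Mesh Core code). The decoded ID-token claims and the RoleBinding subjects are constructed stand-ins; the kube-apiserver side is assumed to use --oidc-username-prefix and --oidc-groups-prefix with the same "oidc:" value.

```python
# Added example (not Gloo Mesh code): how usernameClaim/usernamePrefix and
# groupsClaim/groupsPrefix turn ID-token claims into a Kubernetes identity,
# and why an RBAC check on a managed cluster needs the same prefixes.

def map_identity(claims, username_claim, username_prefix="",
                 groups_claim="", groups_prefix=""):
    """Turn decoded ID-token claims into a Kubernetes-style user and groups."""
    username = claims.get(username_claim)
    if not isinstance(username, str) or not username:
        raise ValueError(f"usernameClaim {username_claim!r} missing from ID token")
    groups = []
    if groups_claim:
        raw = claims.get(groups_claim, [])
        if isinstance(raw, str):          # a single group may arrive as a string
            raw = [raw]
        if not all(isinstance(g, str) for g in raw):
            raise ValueError("groups claim must be a string or list of strings")
        groups = [groups_prefix + g for g in raw]
    return {"username": username_prefix + username, "groups": groups}

def binding_applies(subjects, identity):
    """True if any RoleBinding subject names this user or one of its groups.
    Matching is an exact string compare, so prefixes must agree on both sides."""
    for kind, name in subjects:
        if kind == "User" and name == identity["username"]:
            return True
        if kind == "Group" and name in identity["groups"]:
            return True
    return False

# Constructed ID-token payload, and a RoleBinding subject list from a managed
# cluster whose API server applies the "oidc:" prefix to users and groups.
CLAIMS = {"sub": "1234", "email": "john@example.com",
          "groups": ["engineering", "marketing"]}
CLUSTER_SUBJECTS = [("Group", "oidc:engineering")]

def demo():
    matched = map_identity(CLAIMS, "email", "oidc:", "groups", "oidc:")
    unprefixed = map_identity(CLAIMS, "email", "", "groups", "")
    return {
        "matched_identity": matched,
        "cluster_grants_matched": binding_applies(CLUSTER_SUBJECTS, matched),
        # Same user and claims, but the Dashboard omitted groupsPrefix:
        "cluster_grants_unprefixed": binding_applies(CLUSTER_SUBJECTS, unprefixed),
    }
```
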

Status fields

The status of the dashboard settings after you apply the Dashboard resource to your Gloo environment.

To see the status, you can run a command such as the following:

  kubectl get Dashboard -n gloo-mesh <name> -o yaml

Field | Description
errors (repeated string) | Any errors encountered while processing the Dashboard settings.
observedGeneration (int64) | The most recent generation observed in the Dashboard metadata. If the observedGeneration does not match metadata.generation, Gloo Mesh Core has not processed the most recent version of this resource.
state (state) | The state of the overall resource.

state

The state of the overall resource.

Name | Number | Description
PENDING | 0 | Gloo Mesh Core has not yet processed the resource.
ACCEPTED | 1 | The resource is valid and Gloo Mesh Core successfully applied the configuration.
INVALID | 2 | The resource contains incorrect configuration parameters, such as missing required values or invalid resource references. An invalid state can also result when a resource’s configuration is valid but conflicts with another resource that was previously accepted.
WARNING | 3 | The resource contains partially incorrect configuration parameters, but Gloo Mesh Core still processed and applied the configuration.
FAILED | 4 | The resource contains correct configuration parameters, but Gloo Mesh Core encountered an error when applying the configuration.
UNLICENSED | 5 | Your Gloo license key(s) do not allow you to use this resource.