On this page
Dashboard
Dashboard API reference.
Proto: dashboard.proto
Package: admin.gloo.solo.io
Types:
- DashboardSpec
- DashboardSpec.AuthnConfig
- DashboardSpec.AuthzConfig
- DashboardStatus
- JwksOnDemandCacheRefreshPolicy
- MultiClusterRbac
- OidcConfig
- OidcConfig.AuthEndpointQueryParamsEntry
- OidcConfig.DiscoveryOverride
- OidcConfig.TokenEndpointQueryParamsEntry
- SessionConfig
- SessionConfig.CookieOptions
- SessionConfig.CookieSession
- SessionConfig.RedisSession
- UserMapping
DashboardSpec
Dashboard describes the settings for the Gloo Mesh Enterprise dashboard.
Currently, this resource is only used to secure the Gloo Mesh Enterprise Dashboard by
requiring authentication with an OpenID Connect identity provider.
Users accessing the dashboard will be required to authenticate with the OIDC provider
and all requests to retrieve data from the API will also be authenticated.
The following example sets up OIDC authentication:
apiVersion: admin.gloo.solo.io/v2
kind: Dashboard
metadata:
name: settings
namespace: gloo-mesh
spec:
authn:
oidc:
appUrl: https://localhost:8080
clientId: $CLIENT_ID
clientSecretName: dashboard
issuerUrl: https://accounts.google.com
| Field | Description |
|---|---|
authn | (DashboardSpec.AuthnConfig)Configuration used to authenticate incoming requests. |
authz | (DashboardSpec.AuthzConfig)Configuration used to authorize incoming requests. |
DashboardSpec.AuthnConfig
| Field | Description |
|---|---|
oidc | (OidcConfig) |
DashboardSpec.AuthzConfig
| Field | Description |
|---|---|
multiClusterRbac | (MultiClusterRbac)Enable multi cluster RBAC. When this is enabled, Gloo Mesh Enterprise will use RBAC resources from managed clusters to determine if users are allowed to see resources in the dashbaord. For this to work, the dashboard and the kubernetes clusters need to have the same identity source (i.e. OIDC with the same user and group claims). When using OIDC, make sure to configure the userMapping field. |
DashboardStatus
| Field | Description |
|---|---|
observedGeneration | (int64)The most recent generation observed in the Dashboard metadata. If the observedGeneration does not match metadata.generation, Gloo Mesh has not processed the most recent version of this resource. |
state | (common.gloo.solo.io.ApprovalState)The state of the overall resource. It will only show accepted if no processing errors encountered. |
errors | (repeated string)Any errors encountered while processing Settings object. |
JwksOnDemandCacheRefreshPolicy
The json web key set (JWKS) is discovered at an interval from a remote source. When keys rotate in the remote source, there may be a delay in the local source picking up those new keys. Therefore, a user could execute a request with a token that has been signed by a key in the remote JWKS, but the local cache doesn’t have the key yet. The request would fail because the key isn’t contained in the local set. Since most IdPs publish key keys in their remote JWKS before they are used, this is not an issue most of the time. This policy lets you define the behavior for when a user has a token with a key not yet in the local cache.
| Field | Description |
|---|---|
never | (google.protobuf.Empty)Never refresh the local JWKS cache on demand. If a key is not in the cache, it is assumed to be malicious. This is the default policy since we assume that IdPs publish keys before they rotate them, and frequent polling finds the newest keys. For information about the value format, see the Google protocol buffer documentation. |
always | (google.protobuf.Empty)If a key is not in the cache, fetch the most recent keys from the IdP and update the cache. NOTE: This should only be done in trusted environments, since missing keys will each trigger a request to the IdP. Using this in an environment exposed to the internet will allow malicious agents to execute a DDoS attack by spamming protected endpoints with tokens signed by invalid keys. For information about the value format, see the Google protocol buffer documentation. |
maxIdpReqPerPollingInterval | (uint32)If a key is not in the cache, fetch the most recent keys from the IdP and update the cache. This value sets the number of requests to the IdP per polling interval. If that limit is exceeded, we will stop fetching from the IdP for the remainder of the polling interval. |
MultiClusterRbac
OidcConfig
| Field | Description |
|---|---|
clientId | (string)The client ID from the issuer |
clientSecretName | (string)The client secret from the issuer |
issuerUrl | (string)The url of the issuer. We will look for OIDC information in: {{ issuerURL }}/.well-known/openid-configuration |
authEndpointQueryParams | (repeated OidcConfig.AuthEndpointQueryParamsEntry)Extra query parameters to apply to the authorization request to the identity provider. For example, using the PKCE flow by setting code_challenge and code_challenge_method. |
tokenEndpointQueryParams | (repeated OidcConfig.TokenEndpointQueryParamsEntry)Extra query parameters to apply to the token request to the identity provider. For example, using the PKCE flow by setting code_challenge and code_challenge_method. |
appUrl | (string)URL to redirect to after successful auth. |
callbackPath | (string)Path to handle the OIDC callback. |
logoutPath | (string)Path used to logout. If not provided, logout will be disabled. |
scopes | (repeated string)Scopes to request in addition to ‘openid’. |
session | (SessionConfig)Configuration for session storage. |
discoveryOverride | (OidcConfig.DiscoveryOverride)Ensure that certain values are set regardless of what the OIDC provider returns. |
discoveryPollInterval | (google.protobuf.Duration)How often to poll the OIDC issuer for new configuration. For information about the value format, see the Google protocol buffer documentation. |
jwksCacheRefreshPolicy | (JwksOnDemandCacheRefreshPolicy)If a user executes a request with a key that is not found in the JWKS, it could be that the keys have rotated on the remote source, and not yet in the local cache. This policy lets you define the behavior for how to refresh the local cache during a request where an invalid key is provided |
userMapping | (UserMapping)If set, the ID token will used to infer user identity, that can be used to make authorization decisions. If not specified, no authorization will be made. |
caCertConfigmapName | (string)A name of a config map containing root cert to use when talking with the OIDC provider. The config map must contain the a key named “ca.crt” with PEM encoded CA. |
OidcConfig.AuthEndpointQueryParamsEntry
| Field | Description |
|---|---|
key | (string) |
value | (string) |
OidcConfig.DiscoveryOverride
OIDC configuration is discovered at
| Field | Description |
|---|---|
authEndpoint | (string)URL of the provider authorization endpoint. |
tokenEndpoint | (string)URL of the provider token endpoint. |
jwksUri | (string)URL of the provider JSON web key set. |
scopes | (repeated string)List of scope values that the provider supports. |
responseTypes | (repeated string)List of response types that the provider supports. |
subjects | (repeated string)List of subject identifier types that the provider supports. |
idTokenAlgs | (repeated string)List of json web signature signing algorithms that the provider supports for encoding claims in a JWT. |
authMethods | (repeated string)List of client authentication methods supported by the provider token endpoint. |
claims | (repeated string)List of claim types that the provider supports. |
OidcConfig.TokenEndpointQueryParamsEntry
| Field | Description |
|---|---|
key | (string) |
value | (string) |
SessionConfig
| Field | Description |
|---|---|
cookieOptions | (SessionConfig.CookieOptions)Set-Cookie options |
cookie | (SessionConfig.CookieSession)Store all session data in the cookie itself |
redis | (SessionConfig.RedisSession)Store the session data in a Redis instance. |
SessionConfig.CookieOptions
| Field | Description |
|---|---|
maxAge | (google.protobuf.UInt32Value)Max age of the cookie. If unset, the default of 30 days will be used. To disable expiration, set explicitly to 0. |
notSecure | (bool)Use an insecure cookie. Should only be used for testing and in trusted environments. |
path | (google.protobuf.StringValue)Path of the cookie. Defaults to “/”, set to "" to disable the option. |
domain | (string)Domain of the cookie. |
SessionConfig.CookieSession
SessionConfig.RedisSession
| Field | Description |
|---|---|
host | (string)address of the redis. can be address:port or unix://path/to/unix.sock |
db | (int32)db to use. can leave unset for db 0. |
poolSize | (int32)size of the connection pool. can leave unset for default. defaults to 10 connections per every CPU |
keyPrefix | (string)Key prefix inside redis |
cookieName | (string)Cookie name to set and store the session id. If empty the default “__session” is used. |
allowRefreshing | (google.protobuf.BoolValue)When set, refresh expired id-tokens using the refresh-token. Defaults to true. Explicitly set to false to disable refreshing. |
UserMapping
Settings to make sure the identity derivied from the ID token matches the kubernetes identity.
| Field | Description |
|---|---|
usernameClaim | (string)The JWT field to use as the user’s username. |
usernamePrefix | (string)If specified, causes claims mapping to username to be prefix with the provided value. A value “oidc:” would result in usernames like “oidc:john”. |
groupsClaim | (string)If specified, causes the OIDCAuthenticator to try to populate the user’s groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value must be a string or list of strings. |
groupsPrefix | (string)If specified, causes claims mapping to group names to be prefixed with the value. A value “oidc:” would result in groups like “oidc:engineering” and “oidc:marketing”. |