Dashboard
Configure external authentication to secure the Gloo UI.
For example, you can secure the UI by requiring authentication with an OpenID Connect identity provider. To access the Gloo UI, users must authenticate with the OIDC provider, and all requests to retrieve data from the API must be authenticated.
For more information, see Set up external auth.
Proto: dashboard.proto
Package: admin.gloo.solo.io
Example
This example sets up OIDC authentication with Google.
```yaml
apiVersion: admin.gloo.solo.io/v2
kind: Dashboard
metadata:
  name: settings
  namespace: gloo-mesh
spec:
  authn:
    oidc:
      appUrl: https://localhost:8080
      clientId: $CLIENT_ID
      clientSecretName: dashboard
      issuerUrl: https://accounts.google.com
```
Spec fields
Specifications for the resource.
Field | Description |
---|---|
authn | (authn) Configuration used to authenticate incoming requests. |
authz | (authz) Configuration used to authorize incoming requests. |
authn
Configuration used to authenticate incoming requests.
Field | Description |
---|---|
oidc | (oidc) Configuration for an OpenID Connect (OIDC) identity provider to secure the Gloo UI with. |
oidc
Configure authentication with an OpenID Connect (OIDC) identity provider.
Field | Description |
---|---|
appUrl | (string) The URL that the Gloo UI is exposed at, such as `https://localhost:8090`, to redirect to after successful authentication. |
authEndpointQueryParams | (repeated authEndpointQueryParams) Extra query parameters to apply to authorization requests to the identity provider. For example, you might use the PKCE flow by setting `code_challenge` and `code_challenge_method`. |
caCertConfigmapName | (string) The name of a config map that contains the root certificate to use when connecting to the OIDC provider. The config map must contain a key named `ca.crt` with the PEM-encoded CA. |
callbackPath | (string) Path to handle the OIDC callback. |
clientId | (string) The client ID from the OIDC provider. |
clientSecretName | (string) The client secret from the OIDC identity provider. Stored in a secret that you created in advance in the same namespace as the Gloo UI. |
discoveryOverride | (discoveryOverride) Ensure that certain values are set regardless of what the OIDC provider returns. |
discoveryPollInterval | (google.protobuf.Duration) How often to poll the OIDC issuer for new configuration. For information about the value format, see the Google protocol buffer documentation. |
issuerUrl | (string) The URL to connect to the OIDC identity provider, often in the format `https://<domain>.<provider_url>/`. Gloo looks for OIDC information in `{{ issuerURL }}/.well-known/openid-configuration`. |
jwksCacheRefreshPolicy | (jwksCacheRefreshPolicy) If a user sends a request with a key that is not found in the JWKS, the keys might have rotated on the remote source, but not yet in the local cache. Use this policy to configure how to refresh the local cache when handling a request that provides an invalid key. |
logoutPath | (string) Path used to log out. If unset or empty, logout is disabled. |
scopes | (repeated string) Scopes to request in addition to `openid`. |
session | (session) Configuration for session data storage. |
tokenEndpointQueryParams | (repeated tokenEndpointQueryParams) Extra query parameters to apply to token requests to the identity provider. For example, you might use the PKCE flow by setting `code_challenge` and `code_challenge_method`. |
userMapping | (userMapping) If set, the ID token is used to infer user identity, which can be used to make authorization decisions. If unset or empty, no authorization is made. |
authEndpointQueryParams
Extra query parameters to apply to the authorization request to the identity provider. For example, you can use the PKCE flow by setting `code_challenge` and `code_challenge_method`.
Field | Description |
---|---|
key | (string) |
value | (string) |
discoveryOverride
OIDC configuration is discovered at `<issuerUrl>/.well-known/openid-configuration`. You can use the discoveryOverride section to override this discovery configuration.
Field | Description |
---|---|
authEndpoint | (string) URL of the provider authorization endpoint. |
authMethods | (repeated string) List of client authentication methods supported by the provider token endpoint. |
claims | (repeated string) List of claim types that the provider supports. |
idTokenAlgs | (repeated string) List of JSON web signature signing algorithms that the provider supports for encoding claims in a JWT. |
jwksUri | (string) URL of the provider JSON web key set. |
responseTypes | (repeated string) List of response types that the provider supports. |
scopes | (repeated string) List of scope values that the provider supports. |
subjects | (repeated string) List of subject identifier types that the provider supports. |
tokenEndpoint | (string) URL of the provider token endpoint. |
jwksCacheRefreshPolicy
The JSON web key set (JWKS) is discovered at an interval from a remote source. When keys rotate in the remote source, there might be a delay before the local cache picks up those new keys. In this case, a user might execute a request with a token that is signed by a key that is in the remote JWKS, but isn’t in the local cache yet. The request fails because the key isn’t contained in the local set. Because most IdPs publish keys in their remote JWKS before they are used, this is typically not an issue. However, you can use this policy to define how to handle user tokens that have a key that is not yet in the local cache.
Field | Description |
---|---|
always | (google.protobuf.Empty) If a key is not in the cache, fetch the most recent keys from the IdP and update the cache. NOTE: Use this setting only in trusted environments, because each missing key triggers a request to the IdP. When used in an environment that is exposed to the internet, malicious agents can execute a DDoS attack by spamming protected endpoints with tokens signed by invalid keys. For information about the value format, see the Google protocol buffer documentation. |
maxIdpReqPerPollingInterval | (uint32) If a key is not in the cache, fetch the most recent keys from the IdP and update the cache. This value sets the maximum number of requests to the IdP per polling interval. If that limit is exceeded, fetching from the IdP stops for the remainder of the polling interval. |
never | (google.protobuf.Empty) Never refresh the local JWKS cache on demand. If a key is not in the local cache, it is assumed to be malicious. This is the default policy, because IdPs typically publish keys before they rotate them, and frequent polling finds the newest keys. For information about the value format, see the Google protocol buffer documentation. |
session
Configuration for session data storage.
Field | Description |
---|---|
cookieOptions | (cookieOptions) Configuration for storing the session data in a session cookie header. |
cookie | (cookie) Store all session data in a cookie header. |
redis | (redis) Store the session data in a Redis instance. |
cookieOptions
Configuration for storing the session data in a session cookie header.
Field | Description |
---|---|
domain | (string) Domain of the cookie. |
maxAge | (google.protobuf.UInt32Value) Max age of the cookie. If unset, defaults to 30. To disable expiration, set this field to 0. |
notSecure | (bool) Use an insecure cookie. Only set this field to true when testing in trusted environments. |
path | (google.protobuf.StringValue) Path of the cookie. Defaults to `/`. To disable this option, set this field to `""`. |
redis
Store the session data in a Redis instance.
Field | Description |
---|---|
allowRefreshing | (google.protobuf.BoolValue) Refresh expired ID tokens by using the refresh token. Defaults to true. To disable refreshing, set this field to false. |
cookieName | (string) The name of the cookie header to set and store the session ID. If unset, defaults to `__session`. |
db | (int32) The Redis database to use, indexed to start at 0. If unset, defaults to 0. |
host | (string) The address of the Redis instance to use, in the format `address:port` or `unix://path-to-unix.sock`. |
keyPrefix | (string) Redis key prefix. |
poolSize | (int32) The maximum number of connections to establish at once. If unset, defaults to 10 connections per CPU. |
tokenEndpointQueryParams
Extra query parameters to apply to the token request to the identity provider. For example, you can use the PKCE flow by setting `code_challenge` and `code_challenge_method`.
Field | Description |
---|---|
key | (string) |
value | (string) |
userMapping
Settings to ensure that the identity derived from the ID token matches the Kubernetes identity. If set, the ID token is used to infer user identity, which can be used to make authorization decisions. If unset or empty, no authorization is made.
Field | Description |
---|---|
groupsClaim | (string) Configure the OIDCAuthenticator to try to populate the user’s groups with an ID token field. If the GroupsClaim field is present in an ID token, the value must be a string or list of strings. |
groupsPrefix | (string) Add a prefix to each mapped group name. For example, the value `oidc:` results in group names such as `oidc:engineering`. |
usernameClaim | (string) The JWT field to use as the user’s username. |
usernamePrefix | (string) Add a prefix to each mapped username. For example, the value `oidc:` results in usernames such as `oidc:john`. |
authz
Configuration used to authorize incoming requests.
Field | Description |
---|---|
multiClusterRbac | (multiClusterRbac) Enable multicluster RBAC so that RBAC resources in workload clusters are used to determine whether users can view resources in the Gloo UI. To use multicluster RBAC, the Gloo UI and the workload clusters must use the same identity source, such as an OIDC provider with the same user and group claims. When using OIDC, make sure to configure the userMapping field. |
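A fuller Dashboard resource, added here as an illustration (it is not an example from the Gloo documentation), that combines the oidc, jwksCacheRefreshPolicy, session, userMapping and authz settings described in the sections above. The hostname, the Redis address, the logout path, the key prefix and the claim names are assumed placeholder values; the multiClusterRbac body is shown empty because this page does not list its fields; and the groups claim only yields groups if the IdP actually issues it in the ID token.

```yaml
apiVersion: admin.gloo.solo.io/v2
kind: Dashboard
metadata:
  name: settings
  namespace: gloo-mesh
spec:
  authn:
    oidc:
      # Public URL of the UI; the IdP redirects here after login (assumed hostname).
      appUrl: https://gloo-ui.example.com
      clientId: $CLIENT_ID
      # Secret created beforehand in the gloo-mesh namespace (same namespace as the UI).
      clientSecretName: dashboard
      issuerUrl: https://accounts.google.com
      # Request identity scopes on top of the implicit "openid".
      scopes:
      - email
      - profile
      # Enable logout; unset or empty disables it (assumed path).
      logoutPath: /logout
      # Bound on-demand JWKS fetches instead of using "always", so a flood of tokens
      # carrying unknown key IDs cannot become a flood of requests to the IdP.
      jwksCacheRefreshPolicy:
        maxIdpReqPerPollingInterval: 5
      session:
        # Keep session data server-side; the cookie only carries a session ID.
        redis:
          host: redis.gloo-mesh.svc.cluster.local:6379   # assumed in-cluster address
          db: 0
          keyPrefix: "gloo-ui:"                          # assumed prefix
          cookieName: __session
          allowRefreshing: true
        cookieOptions:
          domain: gloo-ui.example.com
          path: /
          # Keep the Secure attribute; true is for trusted local testing only.
          notSecure: false
      # Map ID-token claims to the identity used for authorization decisions.
      userMapping:
        usernameClaim: email      # assumed claim; yields usernames like oidc:alice@example.com
        usernamePrefix: "oidc:"
        groupsClaim: groups       # assumed claim; only populated if the IdP issues it
        groupsPrefix: "oidc:"
  authz:
    # Fields of multiClusterRbac are not listed on this page; shown empty as an assumption.
    multiClusterRbac: {}
```

With this mapping, RBAC subjects in the workload clusters have to use the prefixed identities (users such as `oidc:alice@example.com`, groups such as `oidc:engineering`), since those are the names the UI derives from the ID token; an unprefixed RoleBinding subject will not match.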
Status fields
The status of the dashboard settings after you apply the Dashboard resource to your Gloo environment.
To see the status, you can run a command such as the following:
```shell
kubectl get Dashboard -n gloo-mesh <name> -o yaml
```
Field | Description |
---|---|
errors | (repeated string) Any errors encountered while translating the Dashboard resource. |
observedGeneration | (int64) The most recent generation observed in the Dashboard metadata. If the observedGeneration does not match `metadata.generation`, Gloo has not processed the most recent version of this resource. |
state | (state) Whether the resource has been accepted as valid and processed in the Gloo config translation. |
state
The state of the overall resource.
Name | Number | Description |
---|---|---|
PENDING | 0 | Gloo Network has not yet processed the resource. |
ACCEPTED | 1 | The resource is valid and Gloo Network successfully applied the configuration. |
INVALID | 2 | The resource contains incorrect configuration parameters, such as missing required values or invalid resource references. An invalid state can also result when a resource’s configuration is valid but conflicts with another resource that was previously accepted. |
WARNING | 3 | The resource contains partially incorrect configuration parameters, but Gloo Network still processed and applied the configuration. |
FAILED | 4 | The resource contains correct configuration parameters, but Gloo Network encountered an error when applying the configuration. |
UNLICENSED | 5 | Your Gloo license key(s) do not allow you to use this resource. |