diff --git a/README.md b/README.md index 896ce4fe..ced69081 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,13 @@ Policy Reporter provides also a Prometheus Metrics API as well as an standalone This project is in an early stage. Please let me know if anything did not work as expected or if you want to send your audits to unsupported targets. +## Preview Feature Docs + +Documentation for upcoming features and changes for the new Policy Reporter UI v2 are located in [Docs](https://github.com/kyverno/policy-reporter/tree/3.x/docs) + +* [Basic Installation](https://github.com/kyverno/policy-reporter/blob/3.x/docs/TUTORIALS.md) +* [OAUth2 / OpenIDConnect](https://github.com/kyverno/policy-reporter/blob/3.x/docs/UI_AUTH.md) + ## Documentation You can find detailed Information and Screens about Features and Configurations in the [Documentation](https://kyverno.github.io/policy-reporter). diff --git a/charts/policy-reporter/Chart.lock b/charts/policy-reporter/Chart.lock index dbdd82ba..66d2ce1c 100644 --- a/charts/policy-reporter/Chart.lock +++ b/charts/policy-reporter/Chart.lock @@ -4,12 +4,12 @@ dependencies: version: 2.8.1 - name: ui repository: oci://ghcr.io/kyverno/charts/policy-reporter - version: 0.0.18 + version: 0.0.22 - name: kyverno-plugin repository: oci://ghcr.io/kyverno/charts/policy-reporter version: 0.0.3 - name: trivy-plugin repository: oci://ghcr.io/kyverno/charts/policy-reporter version: 0.0.5 -digest: sha256:a28956d9501662782a76ae16f19bb344292354ecb5f930b04510542834765f58 -generated: "2024-02-07T17:38:17.927313+01:00" +digest: sha256:1a35c9c175c2eee87667e0f2955da34b9503a6d32544b2f26da7a2ba60c5a6bd +generated: "2024-02-18T16:01:19.61184+01:00" diff --git a/charts/policy-reporter/Chart.yaml b/charts/policy-reporter/Chart.yaml index 94dc5067..f71c8985 100644 --- a/charts/policy-reporter/Chart.yaml +++ b/charts/policy-reporter/Chart.yaml 
@@ -20,7 +20,7 @@ dependencies: condition: monitoring.enabled version: "2.8.1" - name: ui - version: "0.0.18" + version: "0.0.22" repository: "oci://ghcr.io/kyverno/charts/policy-reporter" condition: ui.enabled - name: kyverno-plugin diff --git a/charts/policy-reporter/README.md b/charts/policy-reporter/README.md index 6868e043..49d239a3 100644 --- a/charts/policy-reporter/README.md +++ b/charts/policy-reporter/README.md @@ -348,7 +348,7 @@ Check the [Documentation](https://kyverno.github.io/policy-reporter/guide/02-get | | monitoring | 2.8.1 | | oci://ghcr.io/kyverno/charts/policy-reporter | kyverno-plugin | 0.0.3 | | oci://ghcr.io/kyverno/charts/policy-reporter | trivy-plugin | 0.0.5 | -| oci://ghcr.io/kyverno/charts/policy-reporter | ui | 0.0.14 | +| oci://ghcr.io/kyverno/charts/policy-reporter | ui | 0.0.22 | ## Maintainers diff --git a/charts/policy-reporter/charts/ui-0.0.18.tgz b/charts/policy-reporter/charts/ui-0.0.18.tgz deleted file mode 100644 index cae24acf..00000000 Binary files a/charts/policy-reporter/charts/ui-0.0.18.tgz and /dev/null differ diff --git a/charts/policy-reporter/charts/ui-0.0.22.tgz b/charts/policy-reporter/charts/ui-0.0.22.tgz new file mode 100644 index 00000000..a5ad5081 Binary files /dev/null and b/charts/policy-reporter/charts/ui-0.0.22.tgz differ diff --git a/docs/UI_AUTH.md b/docs/UI_AUTH.md new file mode 100644 index 00000000..c7d25b18 --- /dev/null +++ b/docs/UI_AUTH.md 
@@ -0,0 +1,104 @@ +# Configure Authentication for Policy Reporter UI + +With Policy Reporter UI v2 it is possible to use either OAuth2 or OpenIDConnect as authentication mechanism. + +Its not possible to reduce or configure view permission based on roles or any other information yet. +Authentication ensures that no unauthorized person is able to open the UI at all. + +## OAuth2 + +Policy Reporter UI v2 supports a fixed set of oauth2 providers. If the provider of your choice is not yet supported, you can submit a feature request for it. + +### Supported OAuth Provider + +* amazon +* gitlab +* github +* apple +* google +* yandex +* azuread + +### Example Configuration (GitHub Provider) + +Since the callback URL depends on your setup, you must explicitly configure it. + +```yaml +ui: + oauth: + enabled: true + clientId: c79c02881aa1... + clientSecret: fb2035255d0bd182c9... + provider: github + callback: http://localhost:8082/callback + scopes: [] +``` + +### Example SecretRef + +Instead of providing the information directly in the values, you can also fetch the information from an existing secret. + +#### Values + +```yaml +ui: + oauth: + enabled: true + callback: http://localhost:8082/callback + scopes: [] + secretRef: 'github-provider' +``` +#### Secret + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: github-provider +data: + clientId: Yzc5YzAyODgxYWEx + clientSecret: ZmIyMDM1MjU1ZDBiZDE4MmM5 + provider: Z2l0aHVi +``` + +## OpenIDConnect + +This authentication mechanism supports all compatible services and systems. + +### Example Configuration (Keycloak) + +```yaml +ui: + openIDConnect: + enabled: true + clientId: policy-reporter + clientSecret: c11cYF9tNtL94w.... + callbackUrl: http://localhost:8082/callback + discoveryUrl: 'https://keycloak.instance.de/realms/timetracker' +``` + +### Example SecretRef + +Instead of providing the information directly in the values, you can also fetch the information from an existing secret. 
+ +#### Values + +```yaml +ui: + openIDConnect: + enabled: true + callback: http://localhost:8082/callback + secretRef: 'keycloak-provider' +``` +#### Secret + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: keycloak-provider +data: + clientId: Yzc5YzAyODgxYWEx + clientSecret: ZmIyMDM1MjU1ZDBiZDE4MmM5 + discoveryUrl: aHR0cHM6Ly9rZXljbG9hay5pbnN0YW5jZS5kZS9yZWFsbXMvdGltZXRyYWNrZXI= +```
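Review bot: In the README.md hunk, the new link text `OAUth2 / OpenIDConnect` has a capitalisation typo and should read `OAuth2 / OpenIDConnect`, matching the headings in docs/UI_AUTH.md. The sentence above the list needs "is located" (the subject is "Documentation") and a closing period. Both links pin the `3.x` branch, so they will have to be updated once that branch is merged or renamed.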
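Review bot: The ui subchart bump in charts/policy-reporter/Chart.lock and Chart.yaml (0.0.18 to 0.0.22) cannot be reviewed from this diff, because charts/policy-reporter/charts/ui-0.0.22.tgz is committed as a binary. Helm computes the lock `digest` over the dependency list rather than over the archive bytes, so the new digest does not tie the committed .tgz to the chart published at oci://ghcr.io/kyverno/charts/policy-reporter. Please link the ui chart changes between 0.0.18 and 0.0.22 in the PR description, and consider checking that the vendored archive matches the registry artifact before merge.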
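Review bot: The dependency table in charts/policy-reporter/README.md was already out of step before this change: the removed row lists ui 0.0.14 while Chart.yaml had 0.0.18. If the table is maintained by hand, consider generating it from Chart.yaml so the two cannot drift again.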
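Review bot: In docs/UI_AUTH.md the two OpenIDConnect examples disagree on the callback key: the Keycloak example uses `callbackUrl: http://localhost:8082/callback`, while the SecretRef values example uses `callback: http://localhost:8082/callback`. Please confirm which key the chart reads and use it in both places. The `keycloak-provider` Secret also carries the same `clientId` and `clientSecret` values as the `github-provider` Secret, although the inline Keycloak example uses `clientId: policy-reporter`, which reads as a copy-paste leftover. Since the introduction says view permissions cannot be restricted by role, the OAuth2 section should state which accounts are admitted after login with a public provider such as github or google, because the examples show no field that narrows this. Smaller points: "Its not possible" should be "It's not possible", the heading "Supported OAuth Provider" should be plural, neither Secret example says which namespace it must be created in, and the `http://localhost` callbacks deserve a sentence saying they are for local testing.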