testkube-enterprise: add scim integration

Signed-off-by: Dejan Zele Pejchev <[email protected]>
kubeshop · Jan 8, 2025 · 4399bc3 · 4399bc3
1 parent 60be0c0
commit 4399bc3
Show file tree

Hide file tree

Showing 5 changed files with 112 additions and 0 deletions.
diff --git a/charts/testkube-cloud-api/templates/deployment.yaml b/charts/testkube-cloud-api/templates/deployment.yaml
@@ -435,6 +435,14 @@ spec:
               value: "{{ .Values.api.storage.cleanup.maxStorageSizeGb }}"
             - name: MIGRATION_MIGRATE_DATABASE
               value: "{{ .Values.api.migrations.enabled }}"
+            {{- if .Values.scim.enabled }}
+            - name: SCIM_SERVER_ENABLED
+              value: "true"
+            - name: SCIM_SERVER_PORT
+              value: "{{ .Values.scim.port }}"
+            - name: SCIM_SERVER_DEFAULT_ORGANIZATION
+              value: "{{ .Values.scim.defaultOrganization }}"
+            {{- end }}
           ports:
             - name: {{ if .Values.api.tls.serveHTTPS }}https{{ else }}http{{ end }}
               containerPort: {{ if .Values.api.tls.serveHTTPS }}{{ .Values.api.tls.apiPort }}{{ else }}8090{{ end }}
@@ -447,6 +455,11 @@ spec:
               containerPort: 9100
               protocol: TCP
             {{- end }}
+            {{- if .Values.scim.enabled }}
+            - name: scim
+              containerPort: {{ .Values.scim.port }}
+              protocol: TCP
+            {{- end }}
           livenessProbe:
             httpGet:
               path: /health

diff --git a/charts/testkube-cloud-api/templates/ingress-scim.yaml b/charts/testkube-cloud-api/templates/ingress-scim.yaml
@@ -0,0 +1,69 @@
+{{- if and .Values.global.ingress.enabled .Values.scimIngress.enabled -}}
+{{- $fullName := include "testkube-cloud-api.fullname" . -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.scimIngress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.scimIngress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-scim
+  labels:
+    {{- include "testkube-cloud-api.labels" . | nindent 4 }}
+    {{- with .Values.scimIngress.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if eq .Values.ingress.className "nginx"}}
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/preserve-trailing-slash: "true"
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    # Enable use of a regular expression in the path definition
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    # Rewrite /scim/v2/<anything> to /<anything>
+    nginx.ingress.kubernetes.io/rewrite-target: "/$1"
+    {{- if and (not .Values.api.tls.serveHTTPS) (eq .Values.global.certificateProvider "cert-manager") }}
+    cert-manager.io/cluster-issuer: {{ required ".Values.global.certManager.issuerRef must be provided if provider is cert-manager" .Values.global.certManager.issuerRef }}
+    {{- end }}
+    {{- end }}
+    {{- with .Values.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.scimIngress.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  tls:
+    - hosts:
+        - {{ include "testkube-cloud-api.ingress.restHost" . | quote }}
+      secretName: {{ .Values.api.tls.tlsSecret }}
+  rules:
+    {{- $tlsConfig := .Values.api.tls }}
+    - host: {{ include "testkube-cloud-api.ingress.restHost" . | quote }}
+      http:
+        paths:
+          - path: /scim/v2/(.*)
+            {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+            pathType: Prefix
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  name: scim
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: scim
+              {{- end }}
+{{- end }}
diff --git a/charts/testkube-cloud-api/templates/service.yaml b/charts/testkube-cloud-api/templates/service.yaml
@@ -28,5 +28,11 @@ spec:
       protocol: TCP
       name: metrics
     {{- end }}
+    {{- if .Values.scim.enabled }}
+    - port: {{ .Values.scim.port }}
+      targetPort: scim
+      protocol: TCP
+      name: scim
+    {{- end }}
   selector:
     {{- include "testkube-cloud-api.selectorLabels" . | nindent 4 }}
diff --git a/charts/testkube-cloud-api/values.yaml b/charts/testkube-cloud-api/values.yaml
@@ -19,6 +19,8 @@ global:
   uiSubdomain: "cloud"
   # -- REST API subdomain which get prepended to the domain
   restApiSubdomain: "api"
+  # -- SCIM API subdomain which get prepended to the domain
+  scimApiSubdomain: "scim"
   # -- gRPC API subdomain which get prepended to the domain
   grpcApiSubdomain: "agent"
   # -- gRPC Logs subdomain which get prepended to the domain
@@ -182,6 +184,13 @@ audit:
     cronInterval: "0 3 * * *"
     # -- Audit log retention period in days
     retentionPeriod: 30
+scim:
+  # -- Toggle whether to enable the SCIM server
+  enabled: false
+  # -- Default organization in which users will be provisioned (must be configured if SCIM server is enabled)
+  defaultOrganization: ""
+  # -- Port on which the SCIM server will listen
+  port: 8091
 api:
   debug:
     # -- Toggle whether to enable debug logs by setting the GODEBUG=http2debug=2
@@ -409,6 +418,14 @@ restIngress:
   # kubernetes.io/ingress.class: nginx
   # -- Hostname for which to create rules and TLS certificates (if omitted, the host will be generated using the global subdomain and `domain` values)
   host: ""
+scimIngress:
+  # -- Toggle whether to enable the SCIM Ingress
+  enabled: true
+  # -- Additional labels to add to the SCIM Ingress resource
+  labels: { }
+  # -- Additional annotations to add to the SCIM Ingress resource
+  annotations: { }
+  # kubernetes.io/ingress.class: nginx
 grpcIngress:
   # -- Toggle whether to enable the gRPC API Ingress
   enabled: true

diff --git a/charts/testkube-enterprise/values.yaml b/charts/testkube-enterprise/values.yaml
@@ -287,6 +287,13 @@ testkube-cloud-api:
       cronInterval: "0 3 * * *"
       # -- Audit log retention period in days
       retentionPeriod: 30
+  scim:
+    # -- Toggle whether to enable the SCIM server
+    enabled: true
+    # -- Default organization in which users will be provisioned (must be configured if SCIM server is enabled)
+    defaultOrganization: ""
+    # -- Port on which the SCIM server will listen
+    port: 8091
   api:
     storage:
       cleanup: