Add OIDC to bootstrap CLI

cmd/gitops/app/bootstrap/cmd.go

@@ -29,17 +29,28 @@ gitops bootstrap --kubeconfig <your-kubeconfig-location>
 
 # Start WGE installation with given 'username' and 'password'
 gitops bootstrap --username wego-admin --password=hell0!
+
+# Start WGE installation using OIDC
+gitops bootstrap --client-id <client-id> --client-secret <client-secret> --discovery-url <discovery-url>
 `
 )
 
 type bootstrapFlags struct {
-	username           string
-	password           string
-	version            string
-	domainType         string
-	domain             string
+	// wge version flags
+	version string
+
+	// domain flags
+	domainType string
+	domain     string
+
+	// private key flags
 	privateKeyPath     string
 	privateKeyPassword string
+
+	// oidc flags
+	discoveryURL string
+	clientID     string
+	clientSecret string
 }
 
 var flags bootstrapFlags
@@ -53,13 +64,17 @@ func Command(opts *config.Options) *cobra.Command {
 		RunE:    getBootstrapCmdRun(opts),
 	}
 
-	cmd.Flags().StringVarP(&flags.username, "username", "u", "", "dashboard admin username")
-	cmd.Flags().StringVarP(&flags.password, "password", "p", "", "dashboard admin password")
-	cmd.Flags().StringVarP(&flags.version, "version", "v", "", "version of Weave GitOps Enterprise (should be from the latest 3 versions)")
 	cmd.Flags().StringVarP(&flags.domainType, "domain-type", "t", "", "dashboard domain type: could be 'localhost' or 'externaldns'")
 	cmd.Flags().StringVarP(&flags.domain, "domain", "d", "", "indicate the domain to use in case of using `externaldns`")
-	cmd.Flags().StringVarP(&flags.privateKeyPath, "private-key", "k", "", "private key path. This key will be used to push the Weave GitOps Enterprise's resources to the default cluster repository")
-	cmd.Flags().StringVarP(&flags.privateKeyPassword, "private-key-password", "c", "", "private key password. If the private key is encrypted using password")
+	cmd.Flags().StringVarP(&flags.version, "version", "v", "", "version of Weave GitOps Enterprise (should be from the latest 3 versions)")
+	cmd.PersistentFlags().StringVarP(&flags.privateKeyPath, "private-key", "k", "", "private key path. This key will be used to push the Weave GitOps Enterprise's resources to the default cluster repository")
+	cmd.PersistentFlags().StringVarP(&flags.privateKeyPassword, "private-key-password", "c", "", "private key password. If the private key is encrypted using password")
+	cmd.PersistentFlags().StringVarP(&flags.discoveryURL, "discovery-url", "", "", "OIDC discovery URL")
+	cmd.PersistentFlags().StringVarP(&flags.clientID, "client-id", "i", "", "OIDC client ID")
+	cmd.PersistentFlags().StringVarP(&flags.clientSecret, "client-secret", "s", "", "OIDC client secret")
+
+	cmd.AddCommand(AuthCommand(opts))
+
 	return cmd
 }
 
@@ -72,12 +87,13 @@ func getBootstrapCmdRun(opts *config.Options) func(*cobra.Command, []string) err
 		c, err := steps.NewConfigBuilder().
 			WithLogWriter(cliLogger).
 			WithKubeconfig(opts.Kubeconfig).
-			WithUsername(flags.username).
-			WithPassword(flags.password).
+			WithUsername(opts.Username).
+			WithPassword(opts.Password).
 			WithVersion(flags.version).
 			WithDomainType(flags.domainType).
 			WithDomain(flags.domain).
 			WithPrivateKey(flags.privateKeyPath, flags.privateKeyPassword).
+			WithOIDCConfig(flags.discoveryURL, flags.clientID, flags.clientSecret, true).
 			Build()
 
 		if err != nil {

cmd/gitops/app/bootstrap/cmd_acceptance_test.go

@@ -77,6 +77,10 @@ func TestBootstrapCmd(t *testing.T) {
 	privateKeyFlag := fmt.Sprintf("--private-key=%s", privateKeyFile)
 	kubeconfigFlag := fmt.Sprintf("--kubeconfig=%s", kubeconfigPath)
 
+	oidcClientSecret := os.Getenv("OIDC_CLIENT_SECRET")
+	g.Expect(oidcClientSecret).NotTo(BeEmpty())
+	oidcClientSecretFlag := fmt.Sprintf("--client-secret=%s", oidcClientSecret)
+
 	_ = k8sClient.Create(context.Background(), &fluxSystemNamespace)
 
 	tests := []struct {
@@ -87,13 +91,16 @@ func TestBootstrapCmd(t *testing.T) {
 		reset            func(t *testing.T)
 	}{
 		{
-			name: "should install with ssh repo",
+			name: "should bootstrap non-interactive with valid arguments",
 			flags: []string{kubeconfigFlag,
 				"--version=0.33.0",
 				privateKeyFlag, "--private-key-password=\"\"",
 				"--username=admin",
 				"--password=admin123",
 				"--domain-type=localhost",
+				"--discovery-url=https://dex-01.wge.dev.weave.works/.well-known/openid-configuration",
+				"--client-id=weave-gitops-enterprise",
+				oidcClientSecretFlag,
 			},
 			setup: func(t *testing.T) {
 				bootstrapFluxSsh(g, kubeconfigFlag)
@@ -122,6 +129,7 @@ func TestBootstrapCmd(t *testing.T) {
 			bootstrapCmdArgs := []string{"bootstrap"}
 			bootstrapCmdArgs = append(bootstrapCmdArgs, tt.flags...)
 			cmd.SetArgs(bootstrapCmdArgs)
+			fmt.Println("bootstrap args: ", bootstrapCmdArgs)
 
 			err := cmd.Execute()
 			if tt.expectedErrorStr != "" {

cmd/gitops/app/bootstrap/cmd_auth.go

@@ -0,0 +1,78 @@
+package bootstrap
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+	. "github.com/weaveworks/weave-gitops-enterprise/pkg/bootstrap"
+	"github.com/weaveworks/weave-gitops-enterprise/pkg/bootstrap/steps"
+	"github.com/weaveworks/weave-gitops/cmd/gitops/config"
+	"github.com/weaveworks/weave-gitops/pkg/logger"
+)
+
+const (
+	autCmdName             = "auth"
+	autCmdShortDescription = "Generate authentication configuration for Weave GitOps. You can specify the type of authentication using the '--type' flag. Currently, only OIDC is supported."
+	authCmdExamples        = `
+# Add OIDC configuration to your cluster. 
+gitops bootstrap auth --type=oidc
+
+# Add OIDC configuration from a specific kubeconfig
+gitops bootstrap auth --type=oidc --kubeconfig <your-kubeconfig-location>
+
+# Add OIDC configuration with given oidc configurations 'discoveryURL' 'client-id' 'client-secret'
+gitops bootstrap auth --type=oidc --client-id <client-id> --client-secret <client-secret> --discovery-url <discovery-url>
+`
+)
+
+type authConfigFlags struct {
+	authType string
+}
+
+var authFlags authConfigFlags
+
+func AuthCommand(opts *config.Options) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     autCmdName,
+		Short:   autCmdShortDescription,
+		Example: authCmdExamples,
+		Run: func(cmd *cobra.Command, args []string) {
+			err := getAuthCmdRun(opts)(cmd, args)
+			if err != nil {
+				fmt.Println(err)
+				os.Exit(1)
+			}
+		},
+	}
+
+	cmd.Flags().StringVarP(&authFlags.authType, "type", "t", "", "type of authentication to be configured")
+
+	return cmd
+}
+
+func getAuthCmdRun(opts *config.Options) func(*cobra.Command, []string) error {
+	return func(cmd *cobra.Command, args []string) error {
+		cliLogger := logger.NewCLILogger(os.Stdout)
+
+		c, err := steps.NewConfigBuilder().
+			WithLogWriter(cliLogger).
+			WithKubeconfig(opts.Kubeconfig).
+			WithPrivateKey(flags.privateKeyPath, flags.privateKeyPassword).
+			WithOIDCConfig(flags.discoveryURL, flags.clientID, flags.clientSecret, false).
+			Build()
+
+		if err != nil {
+			return fmt.Errorf("cannot config bootstrap auth: %v", err)
+
+		}
+
+		err = BootstrapAuth(c)
+		if err != nil {
+			return fmt.Errorf("cannot bootstrap auth: %v", err)
+		}
+
+		return nil
+
+	}
+}

pkg/bootstrap/bootstrap.go

@@ -15,6 +15,8 @@ func Bootstrap(config steps.Config) error {
 		steps.NewAskAdminCredsSecretStep(config),
 		steps.NewSelectDomainType(config),
 		steps.NewInstallWGEStep(config),
+		steps.NewInstallOIDCStep(config),
+		steps.NewOIDCConfigStep(config),
 		steps.CheckUIDomainStep,
 	}
 

pkg/bootstrap/bootstrap_auth.go

@@ -0,0 +1,42 @@
+package bootstrap
+
+import (
+	"fmt"
+
+	"github.com/weaveworks/weave-gitops-enterprise/pkg/bootstrap/steps"
+)
+
+// BootstrapAuth initiated by the command runs the WGE bootstrap auth steps
+func BootstrapAuth(config steps.Config) error {
+	// use bootstrapAuth function to bootstrap the authentication
+	switch config.AuthType {
+	case steps.AuthOIDC:
+		err := bootstrapOIDC(config)
+		if err != nil {
+			return fmt.Errorf("cannot bootstrap auth: %v", err)
+		}
+	default:
+		return fmt.Errorf("authentication type %s is not supported", config.AuthType)
+
+	}
+	return nil
+}
+
+func bootstrapOIDC(config steps.Config) error {
+	var steps = []steps.BootstrapStep{
+		steps.VerifyFluxInstallation,
+		steps.CheckEntitlementSecret,
+		steps.NewAskPrivateKeyStep(config),
+		steps.NewInstallOIDCStep(config),
+		steps.NewOIDCConfigStep(config),
+	}
+
+	for _, step := range steps {
+		config.Logger.Waitingf(step.Name)
+		err := step.Execute(&config)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

pkg/bootstrap/steps/config.go

@@ -10,6 +10,11 @@ import (
 	k8s_client "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+// auth types
+const (
+	AuthOIDC = "oidc"
+)
+
 const (
 	defaultAdminUsername = "wego-admin"
 	defaultAdminPassword = "password"
@@ -25,6 +30,11 @@ const (
 	PrivateKeyPassword = "privateKeyPassword"
 	existingCreds      = "existingCreds"
 	domainType         = "domainType"
+	DiscoveryURL       = "discoveryURL"
+	ClientID           = "clientID"
+	ClientSecret       = "clientSecret"
+	oidcInstalled      = "oidcInstalled"
+	existingOIDC       = "existingOIDC"
 )
 
 // input/output types
@@ -39,15 +49,21 @@ const (
 
 // ConfigBuilder contains all the different configuration options that a user can introduce
 type ConfigBuilder struct {
-	logger             logger.Logger
-	kubeconfig         string
-	username           string
-	password           string
-	wGEVersion         string
-	domainType         string
-	domain             string
-	privateKeyPath     string
-	privateKeyPassword string
+	logger                  logger.Logger
+	kubeconfig              string
+	username                string
+	password                string
+	wgeVersion              string
+	domainType              string
+	domain                  string
+	privateKeyPath          string
+	privateKeyPassword      string
+	authType                string
+	installOIDC             string
+	discoveryURL            string
+	clientID                string
+	clientSecret            string
+	PromptedForDiscoveryURL bool
 }
 
 func NewConfigBuilder() *ConfigBuilder {
@@ -75,7 +91,7 @@ func (c *ConfigBuilder) WithKubeconfig(kubeconfig string) *ConfigBuilder {
 }
 
 func (c *ConfigBuilder) WithVersion(version string) *ConfigBuilder {
-	c.wGEVersion = version
+	c.wgeVersion = version
 	return c
 }
 
@@ -97,6 +113,19 @@ func (c *ConfigBuilder) WithPrivateKey(privateKeyPath string, privateKeyPassword
 	return c
 }
 
+func (c *ConfigBuilder) WithOIDCConfig(discoveryURL string, clientID string, clientSecret string, prompted bool) *ConfigBuilder {
+	c.authType = AuthOIDC
+	c.discoveryURL = discoveryURL
+	c.clientID = clientID
+	c.clientSecret = clientSecret
+	if discoveryURL != "" && clientID != "" && clientSecret != "" {
+		prompted = false
+	}
+	c.PromptedForDiscoveryURL = prompted
+	c.installOIDC = "y" // todo: change to parameter
+	return c
+}
+
 // Config is the configuration struct to user for WGE installation. It includes
 // configuration values as well as other required structs like clients
 type Config struct {
@@ -113,6 +142,15 @@ type Config struct {
 
 	PrivateKeyPath     string
 	PrivateKeyPassword string
+
+	AuthType                string
+	InstallOIDC             string
+	DiscoveryURL            string
+	IssuerURL               string
+	ClientID                string
+	ClientSecret            string
+	RedirectURL             string
+	PromptedForDiscoveryURL bool
 }
 
 // Builds creates a valid config so boostrap could be executed. It uses values introduced
@@ -140,15 +178,21 @@ func (cb *ConfigBuilder) Build() (Config, error) {
 
 	//TODO we should do validations in case invalid values and throw an error early
 	return Config{
-		KubernetesClient:   kubeHttp.Client,
-		WGEVersion:         cb.wGEVersion,
-		Username:           cb.username,
-		Password:           cb.password,
-		Logger:             cb.logger,
-		DomainType:         cb.domainType,
-		UserDomain:         cb.domain,
-		PrivateKeyPath:     cb.privateKeyPath,
-		PrivateKeyPassword: cb.privateKeyPassword,
+		KubernetesClient:        kubeHttp.Client,
+		WGEVersion:              cb.wgeVersion,
+		Username:                cb.username,
+		Password:                cb.password,
+		Logger:                  cb.logger,
+		DomainType:              cb.domainType,
+		UserDomain:              cb.domain,
+		PrivateKeyPath:          cb.privateKeyPath,
+		PrivateKeyPassword:      cb.privateKeyPassword,
+		AuthType:                cb.authType,
+		InstallOIDC:             cb.installOIDC,
+		DiscoveryURL:            cb.discoveryURL,
+		ClientID:                cb.clientID,
+		ClientSecret:            cb.clientSecret,
+		PromptedForDiscoveryURL: cb.PromptedForDiscoveryURL,
 	}, nil
 
 }