charts: headscale oidc
diff --git a/charts/headscale/templates/_helpers.tpl b/charts/headscale/templates/_helpers.tpl
new file mode 100644
index 0000000..063b2b4
--- /dev/null
+++ b/charts/headscale/templates/_helpers.tpl
@@ -0,0 +1,7 @@
+{{- define "clientSecret" -}}
+{{- if .Values.oauth2.clientSecret -}}
+{{- .Values.oauth2.clientSecret -}}
+{{- else -}}
+{{- randAlphaNum 32 -}}
+{{- end -}}
+{{- end -}}
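Review bot: `randAlphaNum 32` on the else branch yields a different value every time the template is evaluated, so with the default `clientSecret: ""` every `helm upgrade`, and every separate `include "clientSecret"` within one render (config.yaml's `client_secret: {{ $secret }}` and oauth2-client.yaml's `$secret := include "clientSecret" .` each evaluate it), produces a new secret, and the value written into headscale's config cannot be relied on to match what Hydra was registered with. For a generated secret to be stable it has to be generated once and persisted, for example by reading the already-created Secret back with Helm's `lookup` before falling back to `randAlphaNum`, bearing in mind that `lookup` returns nothing under `helm template` or `--dry-run`. Whichever route is taken, the helper should state its contract in a comment, something like `{{/* OIDC client secret: .Values.oauth2.clientSecret when set, otherwise a fresh random value on every render */}}`.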
diff --git a/charts/headscale/templates/config.yaml b/charts/headscale/templates/config.yaml
index 88ca0de..f4de425 100644
--- a/charts/headscale/templates/config.yaml
+++ b/charts/headscale/templates/config.yaml
@@ -263,36 +263,21 @@
# it is still being tested and might have some bugs, please
# help us test it.
# OpenID Connect
- # oidc:
- # only_start_if_oidc_is_available: true
- # issuer: "https://your-oidc.issuer.com/path"
- # client_id: "your-oidc-client-id"
- # client_secret: "your-oidc-client-secret"
- #
- # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
- # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
- #
- # scope: ["openid", "profile", "email", "custom"]
- # extra_params:
- # domain_hint: example.com
- #
- # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
- # authentication request will be rejected.
- #
- # allowed_domains:
- # - example.com
- # Groups from keycloak have a leading '/'
- # allowed_groups:
- # - /headscale
- # allowed_users:
- # - alice@example.com
- #
- # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
- # This will transform `first-name.last-name@example.com` to the namespace `first-name.last-name`
- # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
- # namespace: `first-name.last-name.example.com`
- #
- # strip_email_domain: true
+ oidc:
+ only_start_if_oidc_is_available: false
+ issuer: {{ .Values.oauth2.hydraPublic }}
+ client_id: {{ .Values.oauth2.clientId }}
+ client_secret: {{ $secret }}
+ scope: ["openid", "profile", "email"]
+ extra_params:
+ domain_hint: lekva.me
+ allowed_domains:
+ - lekva.me
+ # allowed_groups:
+ # - /headscale
+ # allowed_users:
+ # - alice@example.com
+ strip_email_domain: true
# Logtail configuration
# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
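Review bot: `client_secret: {{ $secret }}` reads a template variable that this hunk does not assign; Helm scopes `$`-variables to the template file they are assigned in, so the assignment in oauth2-client.yaml does not carry over, and unless config.yaml assigns `$secret` above this hunk (outside the visible lines) the render fails with an undefined-variable error. Even when it is assigned, this block writes the OIDC client secret into the rendered headscale config, which by the file's name is presumably a ConfigMap, so the credential lands in a non-Secret object; mounting the config from a Secret, or keeping only a reference here, is the usual shape. The templated scalars on the `issuer`, `client_id` and `client_secret` lines are emitted unquoted and so are exposed to YAML implicit typing; `issuer: {{ .Values.oauth2.hydraPublic | quote }}`, `client_id: {{ .Values.oauth2.clientId | quote }}` and `client_secret: {{ $secret | quote }}` avoid that. `domain_hint: lekva.me` and the `allowed_domains` entry are hard-coded while the rest of the block reads from `.Values.oauth2`, so the chart is tied to one deployment until those are lifted into values as well.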
diff --git a/charts/headscale/templates/oauth2-client.yaml b/charts/headscale/templates/oauth2-client.yaml
new file mode 100644
index 0000000..c05b69a
--- /dev/null
+++ b/charts/headscale/templates/oauth2-client.yaml
@@ -0,0 +1,20 @@
+{{- $secret := include "clientSecret" . -}}
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: headscale
+ namespace: {{ .Release.Namespace }}
+spec:
+ grantTypes:
+ - authorization_code
+ responseTypes:
+ - code
+ scope: "openid profile email"
+ secretName: {{ .Values.oauth2.secretName }}
+ redirectUris:
+ - https://headscale.{{ .Values.domain }}/oidc/callback
+ hydraAdmin:
+ url: {{ .Values.oauth2.hydraAdmin }}
+ port: 80
+ endpoint: /clients
+ forwardedProto: https
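Review bot: `$secret` is assigned on the first line but no field in this manifest uses it, so the `include "clientSecret"` result is computed and discarded here and the OAuth2Client's real credential is, presumably, whatever the controller stores in the Secret named by `secretName`; if headscale's `client_secret` is meant to match, the value has to reach Hydra through that Secret rather than through this variable. The redirect URI is built as `https://headscale.{{ .Values.domain }}/oidc/callback`, yet values.yaml defaults `domain` to `headscale.example.com`, which renders as `https://headscale.headscale.example.com/oidc/callback`; either drop the prefix, `- https://{{ .Values.domain }}/oidc/callback`, or document in values.yaml that `domain` is the parent domain rather than the host. `url: {{ .Values.oauth2.hydraAdmin }}` with `port: 80` targets the Hydra admin API over plain HTTP, which is acceptable only while that path stays inside the cluster network; a comment on the `hydraAdmin` value saying so would stop a later reader from pointing it at an external address.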
diff --git a/charts/headscale/values.yaml b/charts/headscale/values.yaml
index 76af449..d0766a2 100644
--- a/charts/headscale/values.yaml
+++ b/charts/headscale/values.yaml
@@ -7,3 +7,10 @@
ingressClassName: pcloud-ingress-public
certificateIssuer: lekva-public
domain: headscale.example.com
+oauth2:
+ hydraAdmin: http://hydra-admin
+ hydraPublic: https://hydra.example.com
+ clientId: headscale
+ clientSecret: ""
+ secretName: oauth2-client-headscale
+
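Review bot: The new `oauth2` keys carry no comments, and `clientSecret: ""` in particular has non-obvious behaviour, since per the `clientSecret` helper added in this commit an empty value means a random secret is generated at render time rather than "no secret". A comment above it such as `# Leave empty to generate a random client secret at render time (changes on every upgrade); prefer a pre-created Secret.` would make the default legible, and `hydraAdmin`, `hydraPublic` and `secretName` each deserve a one-line description of what they point at. The empty line added at the end of the block is harmless but will be flagged by yamllint's `empty-lines` rule if it is enabled.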