From def0495bd15859932b5041afd1fb71a7015046d3 Mon Sep 17 00:00:00 2001 From: Eric Date: Mon, 13 Mar 2023 15:54:35 +0000 Subject: [PATCH 1/3] docs: clean up OIDC duplicates --- docs/admin/auth.md | 92 ++++++++++++++++++++++------------------------ 1 file changed, 43 insertions(+), 49 deletions(-) diff --git a/docs/admin/auth.md b/docs/admin/auth.md index fb632fffddb19..2a9f67c15c905 100644 --- a/docs/admin/auth.md +++ b/docs/admin/auth.md 
@@ -50,33 +50,53 @@ CODER_OAUTH2_GITHUB_ALLOW_EVERYONE=true Once complete, run `sudo service coder restart` to reboot Coder. +If deploying Coder via Helm, you can set the above environment variables in the +`values.yaml` file as such: + +```yaml +coder: + env: + - name: CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS + value: true + - name: CODER_OAUTH2_GITHUB_ALLOWED_ORGS + value: "your-org" + - name: CODER_OAUTH2_GITHUB_CLIENT_ID + value: "533...des" + - name: CODER_OAUTH2_GITHUB_CLIENT_SECRET + value: "G0CSP...7qSM" + - name: CODER_OAUTH2_GITHUB_ALLOW_EVERYONE + value: true +``` + > We recommend requiring and auditing MFA usage for all users in your GitHub > organizations. This can be enforced from the organization settings page in the > "Authentication security" sidebar tab. -## GitLab +## OpenID Connect -### Step 1: Configure the OAuth application in your GitLab instance +The following steps through how to integrate any OpenID Connect provider (Okta, Active Directory, etc.) to Coder. -First, [register a GitLab OAuth application](https://docs.gitlab.com/ee/integration/oauth_provider.html). 
GitLab will ask you for the following parameter: +### Step 1: Set Redirect URI with your OIDC provider + +Your OIDC provider will ask you for the following parameter: - **Redirect URI**: Set to `https://coder.domain.com/api/v2/users/oidc/callback` -### Step 2: Configure Coder with the Gitlab OpenID Connect credentials +### Step 2: Configure Coder with the OpenID Connect credentials Navigate to your Coder host and run the following command to start up the Coder server: ```console -coder server --oidc-issuer-url="https://gitlab.com" --oidc-email-domain="your-domain-1,your-domain-2" --oidc-client-id="533...des" --oidc-client-secret="G0CSP...7qSM" +coder server --oidc-issuer-url="https://issuer.corp.com" --oidc-email-domain="your-domain-1,your-domain-2" --oidc-client-id="533...des" --oidc-client-secret="G0CSP...7qSM" ``` -Alternatively, if you are running Coder as a system service, you can achieve the +If you are running Coder as a system service, you can achieve the same result as the command above by adding the following environment variables to the `/etc/coder.d/coder.env` file: ```console -CODER_OIDC_ISSUER_URL="https://gitlab.com" +CODER_OIDC_ISSUER_URL="https://issuer.corp.com" CODER_OIDC_EMAIL_DOMAIN="your-domain-1,your-domain-2" CODER_OIDC_CLIENT_ID="533...des" CODER_OIDC_CLIENT_SECRET="G0CSP...7qSM" 
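Review bot: in the new GitHub Helm block, `value: true` for `CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS` and `CODER_OAUTH2_GITHUB_ALLOW_EVERYONE` is an unquoted YAML boolean, but a Kubernetes container `env[].value` is a string field, so the API server will reject the rendered manifest (cannot unmarshal bool into string); write `value: "true"` as the other entries already quote their values. Same block: `CODER_OAUTH2_GITHUB_CLIENT_SECRET` is shown inline in `values.yaml`, which is typically committed to a repo; document it with `valueFrom: { secretKeyRef: { name: ..., key: ... } }` pointing at a Kubernetes Secret instead of a literal `value`, and keep the literal form only for the non-secret settings. The heading and intro rewrite from "GitLab" to a generic "OpenID Connect" section reads fine, and the redirect URI bullet and the `https://issuer.corp.com` placeholder are consistent between the `coder server` flags and the `coder.env` variables.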
@@ -84,54 +104,28 @@ CODER_OIDC_CLIENT_SECRET="G0CSP...7qSM" Once complete, run `sudo service coder restart` to reboot Coder. -> We recommend requiring and auditing MFA usage for all users in your GitLab -> organizations or deployment. This can be enforced for an organization from the -> organization settings page in the "Permissions and group features" section. -> For deployments, this can be enforced in the Admin area, under the "Settings > -> General" sidebar tab in the "Sign-in restrictions" section. - -### Additional Notes - -GitLab maintains configuration settings for OIDC applications at the following URL: - -```console -https://gitlab.com/.well-known/openid-configuration +If deploying Coder via Helm, you can set the above environment variables in the +`values.yaml` file as such: + +```yaml +coder: + env: + - name: CODER_OIDC_ISSUER_URL + value: "https://issuer.corp.com" + - name: CODER_OIDC_EMAIL_DOMAIN + value: "your-domain-1,your-domain-2" + - name: CODER_OIDC_CLIENT_ID + value: "533...des" + - name: CODER_OIDC_CLIENT_SECRET + value: "G0CSP...7qSM" ``` -If you are using a self-hosted GitLab instance, replace `gitlab.com` in the above URL -with your internal domain. The same will apply for the `OIDC_ISSUER_URL` variable. - -## OpenID Connect with Google - -### Step 1: Configure the OAuth application on Google Cloud - -First, [register a Google OAuth application](https://support.google.com/cloud/answer/6158849?hl=en). Google will ask you for the following Coder parameters: - -- **Authorized JavaScript origins**: Set to your Coder domain (e.g. 
`https://coder.domain.com`) -- **Redirect URIs**: Set to `https://coder.domain.com/api/v2/users/oidc/callback` - -### Step 2: Configure Coder with the Google OpenID Connect credentials - -Navigate to your Coder host and run the following command to start up the Coder -server: +To upgrade Coder, run: ```console -coder server --oidc-issuer-url="https://accounts.google.com" --oidc-email-domain="your-domain-1,your-domain-2" --oidc-client-id="533...ent.com" --oidc-client-secret="G0CSP...7qSM" +helm upgrade coder-v2/coder -n -f values.yaml ``` -Alternatively, if you are running Coder as a system service, you can achieve the -same result as the command above by adding the following environment variables -to the `/etc/coder.d/coder.env` file: - -```console -CODER_OIDC_ISSUER_URL="https://accounts.google.com" -CODER_OIDC_EMAIL_DOMAIN="your-domain-1,your-domain-2" -CODER_OIDC_CLIENT_ID="533...ent.com" -CODER_OIDC_CLIENT_SECRET="G0CSP...7qSM" -``` - -Once complete, run `sudo service coder restart` to reboot Coder. - ## OIDC Claims Coder requires all OIDC email addresses to be verified by default. If the From 25871b1923e6b4ffae9a29e79d0372853a22b2f3 Mon Sep 17 00:00:00 2001 From: Eric Date: Mon, 13 Mar 2023 16:00:41 +0000 Subject: [PATCH 2/3] make fmt --- docs/admin/auth.md | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/docs/admin/auth.md b/docs/admin/auth.md index 2a9f67c15c905..4dfdb12f08802 100644 --- a/docs/admin/auth.md +++ b/docs/admin/auth.md 
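Review bot: `helm upgrade coder-v2/coder -n -f values.yaml` is not a valid invocation: `helm upgrade` takes `RELEASE CHART`, so `coder-v2/coder` is being parsed as the release name with no chart, and `-n` is consuming `-f` as its namespace argument; it should read something like `helm upgrade <release> coder-v2/coder -n <namespace> -f values.yaml` with placeholders the reader fills in. The lead-in "To upgrade Coder, run:" also misstates the purpose here, which is to re-deploy with the new `values.yaml` so the OIDC env vars take effect; "To apply the new values, run:" is more accurate. Two deletions in this hunk lose information that still applies to the generic section: the `/.well-known/openid-configuration` note (OIDC discovery, which is exactly what `CODER_OIDC_ISSUER_URL` is resolved against, so a one-line "your issuer publishes its endpoints at `<issuer>/.well-known/openid-configuration`" hint is useful for any provider), and the MFA recommendation, which the GitHub section keeps but the OIDC section now lacks; a provider-neutral sentence recommending MFA enforcement at the identity provider would restore parity. The inline `CODER_OIDC_CLIENT_SECRET` in `values.yaml` has the same secretKeyRef concern as the GitHub block.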
@@ -56,16 +56,16 @@ If deploying Coder via Helm, you can set the above environment variables in the ```yaml coder: env: - - name: CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS - value: true - - name: CODER_OAUTH2_GITHUB_ALLOWED_ORGS - value: "your-org" - - name: CODER_OAUTH2_GITHUB_CLIENT_ID - value: "533...des" - - name: CODER_OAUTH2_GITHUB_CLIENT_SECRET - value: "G0CSP...7qSM" - - name: CODER_OAUTH2_GITHUB_ALLOW_EVERYONE - value: true + - name: CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS + value: true + - name: CODER_OAUTH2_GITHUB_ALLOWED_ORGS + value: "your-org" + - name: CODER_OAUTH2_GITHUB_CLIENT_ID + value: "533...des" + - name: CODER_OAUTH2_GITHUB_CLIENT_SECRET + value: "G0CSP...7qSM" + - name: CODER_OAUTH2_GITHUB_ALLOW_EVERYONE + value: true ``` > We recommend requiring and auditing MFA usage for all users in your GitHub @@ -110,14 +110,14 @@ If deploying Coder via Helm, you can set the above environment variables in the ```yaml coder: env: - - name: CODER_OIDC_ISSUER_URL - value: "https://issuer.corp.com" - - name: CODER_OIDC_EMAIL_DOMAIN - value: "your-domain-1,your-domain-2" - - name: CODER_OIDC_CLIENT_ID - value: "533...des" - - name: CODER_OIDC_CLIENT_SECRET - value: "G0CSP...7qSM" + - name: CODER_OIDC_ISSUER_URL + value: "https://issuer.corp.com" + - name: CODER_OIDC_EMAIL_DOMAIN + value: "your-domain-1,your-domain-2" + - name: CODER_OIDC_CLIENT_ID + value: "533...des" + - name: CODER_OIDC_CLIENT_SECRET + value: "G0CSP...7qSM" ``` To upgrade Coder, run: From 42d84550de46612a3c5ce83f6e82a66a98046c45 Mon Sep 17 00:00:00 2001 From: Eric Date: Mon, 13 Mar 2023 16:47:19 +0000 Subject: [PATCH 3/3] add: upgrade command --- docs/admin/auth.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/admin/auth.md b/docs/admin/auth.md index 4dfdb12f08802..6368885739bae 100644 --- a/docs/admin/auth.md +++ b/docs/admin/auth.md 
@@ -68,6 +68,12 @@ coder: value: true ``` +To upgrade Coder, run: + +```console +helm upgrade coder-v2/coder -n -f values.yaml +``` + > We recommend requiring and auditing MFA usage for all users in your GitHub > organizations. This can be enforced from the organization settings page in the > "Authentication security" sidebar tab.
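Review bot: this copies the same malformed command, `helm upgrade coder-v2/coder -n -f values.yaml`, into the GitHub section, so the missing release name and missing namespace argument after `-n` now need fixing in two places; rather than repeating the snippet per provider, consider one shared "applying Helm values" paragraph (or a link to the existing Helm install docs) that both the GitHub and OIDC sections reference, with a correct `helm upgrade <release> coder-v2/coder -n <namespace> -f values.yaml`. As in the OIDC section, "To upgrade Coder" reads as a version upgrade rather than applying the new env vars, and the placement between the `values.yaml` block and the MFA blockquote is fine.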