Merge branch 'main' into fix-https-listen

This commit is contained in:
Kristoffer Dalby 2022-09-26 11:50:20 +02:00 committed by GitHub
commit ed58b2e4e2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 23 additions and 11 deletions

View file

@ -17,6 +17,7 @@
- Added support for JSON logs [#653](https://github.com/juanfont/headscale/issues/653)
- Add support for generating pre-auth keys with tags [#767](https://github.com/juanfont/headscale/pull/767)
- Add support for evaluating `autoApprovers` ACL entries when a machine is registered [#763](https://github.com/juanfont/headscale/pull/763)
- Add config flag to allow Headscale to start if OIDC provider is down [#829](https://github.com/juanfont/headscale/pull/829)
## 0.16.4 (2022-08-21)

4
app.go
View file

@ -194,8 +194,10 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
if cfg.OIDC.Issuer != "" {
err = app.initOIDC()
if err != nil {
if err != nil && cfg.OIDC.OnlyStartIfOIDCIsAvailable {
return nil, err
} else {
log.Warn().Err(err).Msg("failed to set up OIDC provider, falling back to CLI based authentication")
}
}

View file

@ -230,6 +230,7 @@ unix_socket_permission: "0770"
# help us test it.
# OpenID Connect
# oidc:
# only_start_if_oidc_is_available: true
# issuer: "https://your-oidc.issuer.com/path"
# client_id: "your-oidc-client-id"
# client_secret: "your-oidc-client-secret"

View file

@ -90,14 +90,15 @@ type LetsEncryptConfig struct {
}
type OIDCConfig struct {
Issuer string
ClientID string
ClientSecret string
Scope []string
ExtraParams map[string]string
AllowedDomains []string
AllowedUsers []string
StripEmaildomain bool
OnlyStartIfOIDCIsAvailable bool
Issuer string
ClientID string
ClientSecret string
Scope []string
ExtraParams map[string]string
AllowedDomains []string
AllowedUsers []string
StripEmaildomain bool
}
type DERPConfig struct {
@ -174,6 +175,7 @@ func LoadConfig(path string, isFile bool) error {
viper.SetDefault("oidc.scope", []string{oidc.ScopeOpenID, "profile", "email"})
viper.SetDefault("oidc.strip_email_domain", true)
viper.SetDefault("oidc.only_start_if_oidc_is_available", true)
viper.SetDefault("logtail.enabled", false)
viper.SetDefault("randomize_client_port", false)
@ -559,6 +561,9 @@ func GetHeadscaleConfig() (*Config, error) {
UnixSocketPermission: GetFileMode("unix_socket_permission"),
OIDC: OIDCConfig{
OnlyStartIfOIDCIsAvailable: viper.GetBool(
"oidc.only_start_if_oidc_is_available",
),
Issuer: viper.GetString("oidc.issuer"),
ClientID: viper.GetString("oidc.client_id"),
ClientSecret: viper.GetString("oidc.client_secret"),

View file

@ -35,6 +35,7 @@ logtail:
enabled: false
metrics_listen_addr: 127.0.0.1:19090
oidc:
only_start_if_oidc_is_available: true
scope:
- openid
- profile

View file

@ -34,6 +34,7 @@ logtail:
enabled: false
metrics_listen_addr: 127.0.0.1:19090
oidc:
only_start_if_oidc_is_available: true
scope:
- openid
- profile

View file

@ -35,6 +35,7 @@ logtail:
enabled: false
metrics_listen_addr: 127.0.0.1:9090
oidc:
only_start_if_oidc_is_available: true
scope:
- openid
- profile

View file

@ -483,7 +483,7 @@ func (h *Headscale) handleNewMachineCommon(
Bool("noise", machineKey.IsZero()).
Str("machine", registerRequest.Hostinfo.Hostname).
Msg("The node seems to be new, sending auth url")
if h.cfg.OIDC.Issuer != "" {
if h.oauth2Config != nil {
resp.AuthURL = fmt.Sprintf(
"%s/oidc/register/%s",
strings.TrimSuffix(h.cfg.ServerURL, "/"),
@ -716,7 +716,7 @@ func (h *Headscale) handleMachineExpiredCommon(
return
}
if h.cfg.OIDC.Issuer != "" {
if h.oauth2Config != nil {
resp.AuthURL = fmt.Sprintf("%s/oidc/register/%s",
strings.TrimSuffix(h.cfg.ServerURL, "/"),
NodePublicKeyStripPrefix(registerRequest.NodeKey))