
Securing Cluster Applications with OpenUnison 1.0.23

by Marc Boorshtein

TL;DR

  • OpenUnison 1.0.23 is available
  • Add applications, authentication changes, and more with custom resources
  • Direct Istio support

OpenUnison 1.0.23

Today, OpenUnison 1.0.23 is available! The biggest part of this release is that OpenUnison can now read application configuration directly from a custom resource (CR) instead of requiring it to be baked into a customized version of the container. This makes adding new applications to your cluster management portal much easier. Let's take a look at adding SSO to Kiali as an example. Tremolo Security contributed the code to Kiali to support reverse proxy authentication with tokens and impersonation, so Kiali can authenticate the same way the dashboard can. This means you can have the same smooth authentication for Kiali with OpenUnison that you do with the dashboard and kubectl. Let's say you have deployed EKS and want to integrate Kiali into your OpenUnison instance. You would add the following CR to your cluster:

---
apiVersion: openunison.tremolo.io/v1
kind: Application
metadata:
  name: kiali
  namespace: openunison
spec:
  azTimeoutMillis: 3000
  isApp: true
  urls:
  - hosts:
    - "#[OU_HOST]"
    filterChain:
    - className: com.tremolosecurity.proxy.filters.SetNoCacheHeaders
    - className: com.tremolosecurity.proxy.filters.K8sInjectImpersonation
      params:
        targetName: k8s
        userNameAttribute: sub
        useLdapGroups: "false"
        groupAttribute: groups
    uri: "/kiali"
    proxyTo: http://kiali.istio-system.svc:20001${fullURI}
    authChain: enterprise_idp
    azRules:
    - scope: dn
      constraint: o=Tremolo
  cookieConfig:
    sessionCookieName: tremolosession
    domain: "#[OU_HOST]"
    secure: true
    httpOnly: true
    logoutURI: "/logout"
    keyAlias: session-unison

This CR tells OpenUnison there's an application at /kiali that should be authenticated by the enterprise_idp authentication chain. For each request, it injects no-cache headers and the impersonation headers Kiali needs to authenticate you. Finally, it forwards all requests to the Kiali service. The session is encrypted with the same key used by the main portal. Once deployed to your cluster, all of your OpenUnison pods will pick up this object dynamically and enable it, making Kiali a part of your OpenUnison portal! We created a new documentation site with instructions on how to onboard applications directly into OpenUnison, starting with Kiali. We'll be updating this site with additional applications, such as Grafana, Prometheus, and Alert Manager. We'll also be adding generic reference documentation so you can build application integrations yourself.
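Because an Application CR is now a plain object anyone with write access to the openunison namespace can apply, it is worth reviewing before it goes in: the cookie flags, the authorization rules and the impersonation filter are what keep the proxied application from being reachable without a proper identity. The following added example (not OpenUnison's own code, and not from the post) re-states the Kiali CR above as a Python dict, so it runs without a YAML library, and runs a small audit over it: it flags a session cookie that is not secure/httpOnly, a URL with no authChain or azRules, a proxyTo that does not carry ${fullURI} (read here as the placeholder that passes the request path through), and a missing K8sInjectImpersonation filter. The audit_application and weakened_copy functions and the wording of the findings are assumptions made for this example, not OpenUnison's validation rules.

```python
import copy

# Filter class name taken from the Kiali Application CR in the post.
IMPERSONATION_FILTER = "com.tremolosecurity.proxy.filters.K8sInjectImpersonation"

# The post's Kiali Application CR, re-stated as a dict (constructed for this example).
KIALI_APP = {
    "apiVersion": "openunison.tremolo.io/v1",
    "kind": "Application",
    "metadata": {"name": "kiali", "namespace": "openunison"},
    "spec": {
        "azTimeoutMillis": 3000,
        "isApp": True,
        "urls": [
            {
                "hosts": ["#[OU_HOST]"],
                "filterChain": [
                    {"className": "com.tremolosecurity.proxy.filters.SetNoCacheHeaders"},
                    {
                        "className": IMPERSONATION_FILTER,
                        "params": {
                            "targetName": "k8s",
                            "userNameAttribute": "sub",
                            "useLdapGroups": "false",
                            "groupAttribute": "groups",
                        },
                    },
                ],
                "uri": "/kiali",
                "proxyTo": "http://kiali.istio-system.svc:20001${fullURI}",
                "authChain": "enterprise_idp",
                "azRules": [{"scope": "dn", "constraint": "o=Tremolo"}],
            }
        ],
        "cookieConfig": {
            "sessionCookieName": "tremolosession",
            "domain": "#[OU_HOST]",
            "secure": True,
            "httpOnly": True,
            "logoutURI": "/logout",
            "keyAlias": "session-unison",
        },
    },
}


def audit_application(cr):
    """Return a list of findings for an Application CR; an empty list means it passed.

    Hypothetical helper: the checks mirror the settings the post's CR relies on,
    not an official OpenUnison schema validation.
    """
    findings = []
    if cr.get("kind") != "Application" or cr.get("apiVersion") != "openunison.tremolo.io/v1":
        findings.append("not an openunison.tremolo.io/v1 Application")
    spec = cr.get("spec", {})

    # Session cookie: the post sets both flags; a CR that drops them weakens every URL.
    cookie = spec.get("cookieConfig", {})
    if cookie.get("secure") is not True:
        findings.append("cookieConfig.secure is not true: session cookie could be sent over plain HTTP")
    if cookie.get("httpOnly") is not True:
        findings.append("cookieConfig.httpOnly is not true: session cookie readable from page scripts")
    if not cookie.get("keyAlias"):
        findings.append("cookieConfig.keyAlias missing: no named key for encrypting the session")

    for i, url in enumerate(spec.get("urls", [])):
        where = f"urls[{i}] ({url.get('uri', '?')})"
        if not url.get("authChain"):
            findings.append(f"{where}: no authChain, so no authentication chain protects this URL")
        if not url.get("azRules"):
            findings.append(f"{where}: no azRules, add a scope/constraint like the post's dn / o=Tremolo")
        if "${fullURI}" not in url.get("proxyTo", ""):
            findings.append(f"{where}: proxyTo lacks ${{fullURI}}, request path would not be passed through")
        filters = url.get("filterChain", [])
        imp = [f for f in filters if f.get("className") == IMPERSONATION_FILTER]
        if not imp:
            findings.append(f"{where}: K8sInjectImpersonation filter missing, Kiali receives no identity")
        elif not imp[0].get("params", {}).get("userNameAttribute"):
            findings.append(f"{where}: K8sInjectImpersonation has no userNameAttribute")
    return findings


def weakened_copy(cr):
    """Constructed counter-example: the same CR with a non-secure cookie and no azRules."""
    bad = copy.deepcopy(cr)
    bad["spec"]["cookieConfig"]["secure"] = False
    bad["spec"]["urls"][0]["azRules"] = []
    return bad


if __name__ == "__main__":
    for name, cr in (("kiali", KIALI_APP), ("kiali-weakened", weakened_copy(KIALI_APP))):
        result = audit_application(cr)
        print(name, "OK" if not result else "\n  " + "\n  ".join(result))
```

Run it as-is to see the post's CR pass and the weakened copy produce two findings; to audit a real CR, load it with a YAML parser (for example PyYAML's safe_load) and pass the resulting dict to audit_application.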

Direct Istio Support

Speaking of Kiali and Istio, this release adds first-class support for Istio as an Ingress for OpenUnison. The helm charts and operator create the objects for you. Just as with the new applications section of our new documentation site, we added an Ingresses section. As we add support for new Ingresses, we'll update the instructions there.

Upgrading

Upgrading is simple. First update your local helm repo to get the latest versions. Then upgrade your operator and finally, upgrade OpenUnison!

$ helm repo update
$ helm upgrade openunison tremolo/openunison-operator -n openunison

Once the operator is updated and the openunison pods have restarted, update your orchestra:

$ helm upgrade orchestra tremolo/openunison-k8s-XXXXX --namespace openunison -f /path/to/values.yaml
