Skip to content

Add option to allow headscale to start if OIDC fails to initialise #829

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Sep 26, 2022
Merged

Add option to allow headscale to start if OIDC fails to initialise #829

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
8dcc82c
Use oidc if it initialised, not if it is configured
kradalby Sep 26, 2022
dbe58e5
Allow headscale to start if oidc setup fails.
kradalby Sep 26, 2022
fb25a06
Preserve current behaviour with a config flag
kradalby Sep 26, 2022
6b4d533
Update changelog
kradalby Sep 26, 2022
256b6cb
Add new option to config-example
kradalby Sep 26, 2022
2462989
Add new config option to cli integration tests
kradalby Sep 26, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
- Added support for JSON logs [#653](https://github.com/juanfont/headscale/issues/653)
- Add support for generating pre-auth keys with tags [#767](https://github.com/juanfont/headscale/pull/767)
- Add support for evaluating `autoApprovers` ACL entries when a machine is registered [#763](https://github.com/juanfont/headscale/pull/763)
- Add config flag to allow Headscale to start if OIDC provider is down [#829](https://github.com/juanfont/headscale/pull/829)

## 0.16.4 (2022-08-21)

Expand Down
4 changes: 3 additions & 1 deletion app.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -192,8 +192,10 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {

if cfg.OIDC.Issuer != "" {
err = app.initOIDC()
if err != nil {
if err != nil && cfg.OIDC.OnlyStartIfOIDCIsAvailable {
return nil, err
} else {
log.Warn().Err(err).Msg("failed to set up OIDC provider, falling back to CLI based authentication")
}
}

Expand Down
1 change: 1 addition & 0 deletions config-example.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -230,6 +230,7 @@ unix_socket_permission: "0770"
# help us test it.
# OpenID Connect
# oidc:
# only_start_if_oidc_is_available: true
# issuer: "https://your-oidc.issuer.com/path"
# client_id: "your-oidc-client-id"
# client_secret: "your-oidc-client-secret"
Expand Down
21 changes: 13 additions & 8 deletions config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,14 +90,15 @@ type LetsEncryptConfig struct {
}

type OIDCConfig struct {
Issuer string
ClientID string
ClientSecret string
Scope []string
ExtraParams map[string]string
AllowedDomains []string
AllowedUsers []string
StripEmaildomain bool
OnlyStartIfOIDCIsAvailable bool
Issuer string
ClientID string
ClientSecret string
Scope []string
ExtraParams map[string]string
AllowedDomains []string
AllowedUsers []string
StripEmaildomain bool
}

type DERPConfig struct {
Expand Down Expand Up @@ -174,6 +175,7 @@ func LoadConfig(path string, isFile bool) error {

viper.SetDefault("oidc.scope", []string{oidc.ScopeOpenID, "profile", "email"})
viper.SetDefault("oidc.strip_email_domain", true)
viper.SetDefault("oidc.only_start_if_oidc_is_available", true)

viper.SetDefault("logtail.enabled", false)
viper.SetDefault("randomize_client_port", false)
Expand Down Expand Up @@ -559,6 +561,9 @@ func GetHeadscaleConfig() (*Config, error) {
UnixSocketPermission: GetFileMode("unix_socket_permission"),

OIDC: OIDCConfig{
OnlyStartIfOIDCIsAvailable: viper.GetBool(
"oidc.only_start_if_oidc_is_available",
),
Issuer: viper.GetString("oidc.issuer"),
ClientID: viper.GetString("oidc.client_id"),
ClientSecret: viper.GetString("oidc.client_secret"),
Expand Down
1 change: 1 addition & 0 deletions integration_test/etc/alt-config.dump.gold.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ logtail:
enabled: false
metrics_listen_addr: 127.0.0.1:19090
oidc:
only_start_if_oidc_is_available: true
scope:
- openid
- profile
Expand Down
1 change: 1 addition & 0 deletions integration_test/etc/alt-env-config.dump.gold.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ logtail:
enabled: false
metrics_listen_addr: 127.0.0.1:19090
oidc:
only_start_if_oidc_is_available: true
scope:
- openid
- profile
Expand Down
1 change: 1 addition & 0 deletions integration_test/etc/config.dump.gold.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ logtail:
enabled: false
metrics_listen_addr: 127.0.0.1:9090
oidc:
only_start_if_oidc_is_available: true
scope:
- openid
- profile
Expand Down
4 changes: 2 additions & 2 deletions protocol_common.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -483,7 +483,7 @@ func (h *Headscale) handleNewMachineCommon(
Bool("noise", machineKey.IsZero()).
Str("machine", registerRequest.Hostinfo.Hostname).
Msg("The node seems to be new, sending auth url")
if h.cfg.OIDC.Issuer != "" {
if h.oauth2Config != nil {
resp.AuthURL = fmt.Sprintf(
"%s/oidc/register/%s",
strings.TrimSuffix(h.cfg.ServerURL, "/"),
Expand Down Expand Up @@ -716,7 +716,7 @@ func (h *Headscale) handleMachineExpiredCommon(
return
}

if h.cfg.OIDC.Issuer != "" {
if h.oauth2Config != nil {
resp.AuthURL = fmt.Sprintf("%s/oidc/register/%s",
strings.TrimSuffix(h.cfg.ServerURL, "/"),
NodePublicKeyStripPrefix(registerRequest.NodeKey))
Expand Down