SCIM updates (#74)

bitwarden · Dec 6, 2023 · df2644a · df2644a
1 parent 495c83d
commit df2644a
Show file tree

Hide file tree

Showing 6 changed files with 74 additions and 1 deletion.
diff --git a/charts/self-host/README.md b/charts/self-host/README.md
@@ -53,6 +53,10 @@ Edit the `my-values.yaml` file and fill out the values.  Required values that mu
 
 Note that default values for Nginx have been setup for the ingress in the values.yaml file.  __*However, you will need to uncomment the ingress annotations and edit them as necessary for your environment.*__  Some other ingress controller examples are provided later in this document.
 
+#### SCIM
+
+The SCIM pod is disabled by default.  To enable the SCIM pod, set `component.scim.enabled` in `my-values.yaml` to `true`.
+
 ### Create namespace
 
 1. Create a namespace to deploy Bitwarden to.  In this guide, we will be using `bitwarden` as the namespace.
@@ -137,6 +141,7 @@ rawManifests:
           - /icons
           - /notifications
           - /events
+          - /scim
           - /sso
           - /identity
           ##### NOTE:  Admin will not function correctly with path strip middleware
@@ -195,6 +200,14 @@ rawManifests:
               port: 5000
           middlewares:
             - name: "bitwarden-self-host-middleware-stripprefix"
+        - kind: Rule
+          match: Host(`REPLACEME.COM`) && PathPrefix(`/scim`)
+          services:
+            - kind: Service
+              name: bitwarden-self-host-scim
+              port: 5000
+          middlewares:
+            - name: "bitwarden-self-host-middleware-stripprefix"
         - kind: Rule
           match: Host(`REPLACEME.COM`) && PathPrefix(`/sso`)
           services:
@@ -321,6 +334,9 @@ general:
       events:
         path: /events/*
         pathType: Prefix
+      scim:
+        path: /scim/*
+        pathType: Prefix
       sso:
         path: /sso/*
         pathType: Prefix
@@ -780,6 +796,26 @@ rawManifests:
         termination: edge
         insecureEdgeTerminationPolicy: Redirect
         destinationCACertificate: ''
+  - kind: Route
+    apiVersion: route.openshift.io/v1
+    metadata:
+      name: bitwarden-self-host-scim
+      namespace: bitwarden
+      annotations:
+        haproxy.router.openshift.io/rewrite-target: /
+    spec:
+      host: bitwarden.apps-crc.testing
+      path: "/scim"
+      to:
+        kind: Service
+        name: bitwarden-self-host-scim
+        weight: 100
+      port:
+        targetPort: 5000
+      tls:
+        termination: edge
+        insecureEdgeTerminationPolicy: Redirect
+        destinationCACertificate: ''
   - kind: Route
     apiVersion: route.openshift.io/v1
     metadata:
@@ -1005,6 +1041,9 @@ general:
       events:
         path: /events[/|$](.*)
         pathType: Prefix
+      scim:
+        path: /scim[/|$](.*)
+        pathType: Prefix
       sso:
         path: /sso[/|$](.*)
         pathType: Prefix

diff --git a/charts/self-host/templates/ingress.yaml b/charts/self-host/templates/ingress.yaml
@@ -88,6 +88,17 @@ spec:
                 port:
                   number: 5000
 
+          {{- if .Values.component.scim.enabled }}
+          - path: {{ .Values.general.ingress.paths.scim.path }}
+            {{ if .Values.general.ingress.paths.scim.pathType }}
+            pathType: {{ .Values.general.ingress.paths.scim.pathType }}
+            {{- end }}
+            backend:
+              service:
+                name: {{ template "bitwarden.scim" . }}
+                port:
+                  number: 5000
+          {{- end }}
 
           - path: {{ .Values.general.ingress.paths.sso.path }}
             {{ if .Values.general.ingress.paths.sso.pathType }}

diff --git a/charts/self-host/templates/pre-install-hook-configmap.yaml b/charts/self-host/templates/pre-install-hook-configmap.yaml
@@ -23,7 +23,8 @@ data:
   globalSettings__baseServiceUri__internalIdentity: "http://{{ template "bitwarden.identity" . }}:5000"
   globalSettings__baseServiceUri__internalApi: "http://{{ template "bitwarden.api" . }}:5000"
   globalSettings__baseServiceUri__internalVault: "http://{{ template "bitwarden.web" . }}:5000"
-  globalSettings__baseServiceUri__internalsso: "http://{{ template "bitwarden.sso" . }}:5000"
+  globalSettings__baseServiceUri__internalSso: "http://{{ template "bitwarden.sso" . }}:5000"
+  globalSettings__baseServiceUri__internalScim: "http://{{ template "bitwarden.scim" . }}:5000"
   globalSettings__pushRelayBaseUri: "https://push.bitwarden.com"
   globalSettings__attachment__baseDirectory: "/etc/bitwarden/core/attachments"
   globalSettings__attachment__baseUrl: "https://{{ .Values.general.domain }}/attachments"

diff --git a/charts/self-host/templates/scim.yaml b/charts/self-host/templates/scim.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.component.scim.enabled }}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -128,3 +129,4 @@ spec:
   ports:
   - port: 5000
     targetPort: 5000
+{{- end }}
diff --git a/charts/self-host/values.schema.json b/charts/self-host/values.schema.json
@@ -132,6 +132,18 @@
                                         }
                                     }
                                 },
+                                "scim": {
+                                    "type": "object",
+                                    "required": [],
+                                    "properties": {
+                                        "path": {
+                                            "type": "string"
+                                        },
+                                        "pathType": {
+                                            "type": "string"
+                                        }
+                                    }
+                                },
                                 "sso": {
                                     "type": "object",
                                     "required": [],
@@ -1572,6 +1584,9 @@
                     "type": "object",
                     "required": [],
                     "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
                         "labels": {
                             "type": "object",
                             "required": [],

diff --git a/charts/self-host/values.yaml b/charts/self-host/values.yaml
@@ -44,6 +44,9 @@ general:
       events:
         path: /events[/|$](.*)
         pathType: Prefix
+      scim:
+        path: /scim[/|$](.*)
+        pathType: Prefix
       sso:
         path: /sso[/|$](.*)
         pathType: Prefix
@@ -233,6 +236,8 @@ component:
     # Run the pod under a service account you create.  This is especially useful for OpenShift deployments
     podServiceAccount:
   scim:
+    # SCIM is disabled by default.  To use this service, enable it below and set an appropriate Ingress path
+    enabled: false
     # Additional deployment labels
     labels: {}
     # Image name, tag, and pull policy