
Backoffice Portal

Pipat Saengow edited this page Jan 13, 2023 · 1 revision

CUGetReg has a dashboard for internal tooling located at auth.internal. It contains various tools for administering, monitoring, and deploying CUGetReg.

Accessing

Go to auth.internal, press the GitHub icon at the bottom, and log in with your GitHub account.

Your GitHub account must be a member of the thinc-org/cugetreg team. Additionally, certain tools require membership of the thinc-org/cugetreg-infra team.


If you are added to a new group, you must press the Unenroll Me button and log in again (groups are assigned during enrollment, so an existing account is not updated automatically).

Available Tools

The following tools are available:

  • Appsmith
    • For approving user reviews
    • Access to this is controlled by Nut Pinyo, not by authentik, due to a free-tier limitation. Ask him for access.
  • Argo CD
    • For GitOps of the K8S cluster
    • Only accessible by members of the thinc-org/cugetreg-infra team
  • Kube Login
    • For K8S management using the kubectl tool.
    • The cugetreg team currently has no permissions assigned, but in the future we may allow port-forwarding and access to the staging environment.
    • The infra team has cluster-admin access
  • Kubernetes Dashboard
    • For easy monitoring of the K8S cluster.
  • Open Search (like Kibana)
    • Monitoring of the user behaviour log (clientlogging) and the backend log
    • The infra team has full access
    • The cugetreg team has limited access, with some fields anonymized
  • Traefik Dashboard
    • For monitoring the cluster's ingress


Technical Details

The portal page is implemented using Authentik. We use authentik to

  • Authenticate users via GitHub and grant permissions via GitHub teams
  • Act as an authentication proxy for internal apps.
  • Act as an OpenID Connect provider for internal apps.

GitHub Authentication Flow

  1. The GitHub social login provider is set up with the Thinc GitHub OAuth app.
  2. When a user presses "log in with GitHub", they go through the default-source-authentication flow, which contains the is-in-thinc-org policy that checks that the user is in thinc-org.
  3. But if this is their first login, they go through the default-source-enrollment flow, which contains the github-admin-enroll policy. This policy retrieves the user's teams and enrolls them into an authentik group of the same name.
     a. If additional groups are to be auto-enrolled, the policy's group list must be modified.

Per-Application Authentication Mechanism

  • AppSmith
    • No setup, just a link
  • Argo CD
    • ArgoCD's OIDC is configured in argo-cm.yaml
    • It maps groups using OIDC's groups claim; the cugetreg-infra group is then mapped to the admin role using argocd-rbac-cm.yaml.
  • Kube Login
    • It uses OIDC JWT tokens, set up in k3s.service. Groups are mapped using the OIDC groups claim.
    • cugetreg-infra-role.yaml then maps the cluster-admin role to the cugetreg-infra group.
    • The Kube API server is exposed directly through a TCP router in k8s-ingress.yaml
    • kubelogin is then used to automatically set up the kubectl command.
  • Kubernetes Dashboard
    • Authentik's proxy provider is used along with an appropriate ingress route
  • Open Search
    • OpenSearch supports OIDC. This requires configuration in opensearch-helm.yaml and opensearch-dashboard.yaml
    • I additionally added a username/password bypass. The credentials are in opensearch-dashboard.yaml
    • OpenSearch authenticates using roles_key, an OIDC claim containing a comma-separated list of "backend roles"
      • This requires a special "kibana-roles" property mapping to be set up in Authentik.
      • The Python expression maps the cugetreg-infra team to the admin backend role and cugetreg to the limited role
    • "Backend roles" are mapped to actual roles through the Security tab of the OpenSearch Dashboards GUI.
    • The limited role masks various fields and anonymizes personal data.
  • Traefik Dashboard
    • It uses the proxy provider
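The following is an added example, not code from this wiki, from authentik or from OpenSearch. It models the identity chain described in "GitHub Authentication Flow" and in the Open Search entry above as plain Python functions that run offline: GitHub org and team data feed the is-in-thinc-org and github-admin-enroll decisions, the resulting authentik groups feed the "kibana-roles" property mapping, and the comma-separated claim is split the way OpenSearch's roles_key consumer does. Everything beyond what the page states is an assumption: the GitHub input is the parsed JSON of GitHub's `GET /user/orgs` and `GET /user/teams` responses, the authentik group name is taken to be the GitHub team slug, the sample accounts and teams are constructed, and the real authentik policies and property mapping operate on authentik's own request and user objects rather than on these function arguments.

```python
"""Added example (not the wiki's, authentik's or OpenSearch's own code): a stand-alone
model of GitHub teams -> authentik groups -> kibana-roles claim -> OpenSearch backend roles.

Assumptions, not taken from the page:
- `orgs` is the parsed JSON of GitHub's `GET /user/orgs` (objects with `login`);
  `teams` is the parsed JSON of `GET /user/teams` (objects with `slug` and
  `organization.login`).
- The authentik group name equals the GitHub team slug.
- The real expression policies return True/False and assign groups through
  authentik; the real property mapping reads groups from the authentik user object.
"""
from __future__ import annotations

REQUIRED_ORG = "thinc-org"                          # checked by the is-in-thinc-org policy
AUTO_ENROLL_TEAMS = ("cugetreg", "cugetreg-infra")  # the policy's group list (edit to add more)
GROUP_TO_BACKEND_ROLE = {"cugetreg-infra": "admin", "cugetreg": "limited"}
ROLES_CLAIM = "kibana-roles"                        # claim name emitted by the property mapping


def is_in_org(orgs: list[dict], org: str = REQUIRED_ORG) -> bool:
    """Model of is-in-thinc-org: allow the login only for members of the organisation."""
    return any(o.get("login") == org for o in orgs)


def groups_to_enroll(teams: list[dict], org: str = REQUIRED_ORG,
                     allowed: tuple[str, ...] = AUTO_ENROLL_TEAMS) -> list[str]:
    """Model of github-admin-enroll: team slugs in `org` that are on the auto-enroll list.

    Teams outside the organisation and teams not on the list are ignored; the result
    keeps the list's order so it is deterministic.
    """
    slugs = {t["slug"] for t in teams if t.get("organization", {}).get("login") == org}
    return [name for name in allowed if name in slugs]


def kibana_roles_claim(groups: list[str]) -> str:
    """Model of the kibana-roles property mapping: comma-separated backend roles."""
    roles: list[str] = []
    for group in groups:
        role = GROUP_TO_BACKEND_ROLE.get(group)
        if role is not None and role not in roles:
            roles.append(role)
    return ",".join(roles)


def backend_roles_from_claims(claims: dict, roles_key: str = ROLES_CLAIM) -> list[str]:
    """Model of OpenSearch's roles_key handling: split the claim into backend roles.

    A missing or empty claim yields no backend roles, so the user gets no access.
    """
    return [r.strip() for r in claims.get(roles_key, "").split(",") if r.strip()]


def login(orgs: list[dict], teams: list[dict], username: str) -> dict | None:
    """Run the whole chain for one user; None means the org policy rejected the login."""
    if not is_in_org(orgs):
        return None
    groups = groups_to_enroll(teams)
    # Claims authentik's OIDC provider would put in the ID token for OpenSearch.
    claims = {
        "preferred_username": username,
        "groups": groups,
        ROLES_CLAIM: kibana_roles_claim(groups),
    }
    return {"groups": groups, "claims": claims,
            "backend_roles": backend_roles_from_claims(claims)}


# Constructed sample API responses (not real accounts, organisations or teams).
SAMPLE_ORGS = [{"login": "thinc-org"}]
SAMPLE_TEAMS = [
    {"slug": "cugetreg", "organization": {"login": "thinc-org"}},
    {"slug": "design", "organization": {"login": "thinc-org"}},          # not on the list
    {"slug": "cugetreg-infra", "organization": {"login": "other-org"}},  # wrong organisation
]

if __name__ == "__main__":
    print(login(SAMPLE_ORGS, SAMPLE_TEAMS, "alice"))
```

Two cases are worth noticing when reading the output. A user who is in thinc-org but on none of the listed teams passes the org policy and gets an empty kibana-roles claim, so OpenSearch sees no backend roles at all; and because the groups are only computed in the enrollment flow, a later team change is not reflected until the account is unenrolled and logs in again, which is the reason for the Unenroll Me step in the Accessing section.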