Skip to content

应用商店-私有化应用#

  • 应用商店—私有化应用 点击菜单 "应用管理>应用商店>私有化应用" BxUU4w.png

  • 购买或试用 点击菜单 "应用管理>应用商店>私有化应用>选择记录>购买或试用" BxUU4w.png

  • 已购买 点击菜单 "应用管理>应用商店>私有化应用>已购买>" BxUaIb.png

  • 查看默认配置 点击菜单 "应用管理>应用商店>私有化应用>已购买>选择记录>默认配置" BxUvvt.png

  • 安装 点击菜单 "应用管理>应用商店>私有化应用>已购买>选择记录>安装",配置参考Helm Chart的values.yaml,可为空
    BxUcNB.md.png
    自定义配置参数说明:应用安装支持自动配置OIDC来登录应用,下表中参数会被发送给Helm Chart的values.yaml前替换成实际的OIDC地址

参数 说明 例子
$arkid_oidc_root_url ArkID应用入口地址 https://1cce88fae2bf4470a0d616d9459431b3.arkidv2.dev.longguikeji.com
$arkid_oidc_client_id client_id 1hQdgZJ9Gf9KhQGhL9RLmatEV1q97rp8Od9kR8n8
$arkid_oidc_client_secret client_secret FT2rETrpg9tmtB0wChSBUmRLlHXNH6eesPbeRl2qHpZ1nD3fcCFlEfa3UxLRsiR5MpHvc15i6zZcwLmMtcqVy5zf7ONqSOALNRXP1bBaWALbn2nrn8BLtEuaFIZvtrEm
$arkid_oidc_authorize authorize地址 https://arkidv2.dev.longguikeji.com/api/v1/tenant/49b91127-f786-4535-917d-a88024831a6d/app/e0d0253a-a97b-4b98-8506-cd1275573bdb/oauth/authorize/
$arkid_oidc_token 获取token地址 https://arkidv2.dev.longguikeji.com/api/v1/tenant/49b91127-f786-4535-917d-a88024831a6d/oauth/token/
$arkid_oidc_jwks_url 获取jwks证书地址 https://arkidv2.dev.longguikeji.com/api/v1/tenant/49b91127-f786-4535-917d-a88024831a6d/.well-known/jwks.json
$arkid_oidc_userinfo 获取用户信息地址 https://arkidv2.dev.longguikeji.com/api/v1/tenant/49b91127-f786-4535-917d-a88024831a6d/oauth/userinfo/
$arkid_oidc_logout 登出地址 https://arkidv2.dev.longguikeji.com/api/v1/tenant/49b91127-f786-4535-917d-a88024831a6d/oidc/logout/
$arkid_oidc_issuer_url issuer地址 https://arkidv2.dev.longguikeji.com/api/v1/tenant/49b91127-f786-4535-917d-a88024831a6d
$arkid_oidc_skip_authorization 是否隐藏授权页 False
$arkid_oidc_client_type 客户端类型 confidential
$arkid_oidc_grant_type 授权模式 authorization-code
$arkid_oidc_algorithm 加密类型 RS256
$arkid_oidc_redirect_uris 回调地址 /oidc/callback
$arkid_oidc_login_url OIDC登录地址 /oidc/login
$arkid_oidc_app_id 应用ID e0d0253a-a97b-4b98-8506-cd1275573bdb
$arkid_oidc_tenant_id 租户ID 49b91127-f786-4535-917d-a88024831a6d
$arkid_oidc_host 登出地址 https://arkidv2.dev.longguikeji.com

如所需参数不在上表中,可采用字符串拼接方式来生成:
例如:"${arkid_oidc_host}/api/v1/tenant/${arkid_oidc_tenant_id}/oauth/userinfo/",在私有化应用安装时会被替换成:"https://arkidv2.dev.longguikeji.com/api/v1/tenant/49b91127-f786-4535-917d-a88024831a6d/oauth/userinfo/"

例子1: Jumpserver 安装参数

global:
  storageClass: standard

## Please configure your MySQL server first
## Jumpserver will not start the external MySQL server.
##
externalDatabase:
  engine: mysql
  host: jms-mysql
  port: 3306
  user: root
  password: "weakPassword"
  database: jumpserver

## Please configure your Redis server first
## Jumpserver will not start the external Redis server.
##
externalRedis:
  host: jms-redis-master
  port: 6379
  password: "weakPassword"

ingress:
  hosts:
    - "test.jumpserver.org"

core:
  config:
    # Generate a new random secret key by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
    secretKey: "GxrLH7rewfsRN8B9Zl6MEGD50Uou4LF6UVsEIwfsRN8B9Zl6MEGD50UouayGMhYll8dqmn"
    # Generate a new random bootstrap token by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
    bootstrapToken: "ilR8RvAbK7lgRTxs"
    log:
      level: DEBUG

  env:
    # Doc: https://docs.jumpserver.org/zh/master/admin-guide/authentication/openid/#5-jumpserver
    AUTH_OPENID: True
    BASE_SITE_URL: $arkid_oidc_root_url
    AUTH_OPENID_CLIENT_ID: $arkid_oidc_client_id
    AUTH_OPENID_CLIENT_SECRET: $arkid_oidc_client_secret
    AUTH_OPENID_PROVIDER_ENDPOINT: $arkid_oidc_client_authorize
    AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT: $arkid_oidc_client_authorize
    AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT: $arkid_oidc_client_token
    AUTH_OPENID_PROVIDER_JWKS_ENDPOINT: $arkid_oidc_jwks
    AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT: $arkid_oidc_client_userinfo
    AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT: $arkid_oidc_logout
    AUTH_OPENID_PROVIDER_SIGNATURE_ALG: HS256
    AUTH_OPENID_PROVIDER_SIGNATURE_KEY: null
    AUTH_OPENID_SCOPES: openid profile email
    AUTH_OPENID_ID_TOKEN_MAX_AGE: 60
    AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS: True
    AUTH_OPENID_USE_STATE: True
    AUTH_OPENID_USE_NONCE: True
    AUTH_OPENID_SHARE_SESSION: False
    AUTH_OPENID_IGNORE_SSL_VERIFICATION: True

例子2: Grafana 安装参数

## arkid-oidc.yaml
env: 
  GF_SERVER_ROOT_URL: $arkid_oidc_root_url
  GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
  GF_AUTH_GENERIC_OAUTH_NAME: "arkid"
  GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "$arkid_oidc_client_id"
  GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "$arkid_oidc_client_secret"
  GF_AUTH_GENERIC_OAUTH_SCOPES: "email,openid,userinfo"
  GF_AUTH_GENERIC_OAUTH_AUTH_URL: "$arkid_oidc_authorize"
  GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "$arkid_oidc_token"
  GF_AUTH_GENERIC_OAUTH_API_URL: "$arkid_oidc_userinfo"

  • 如果私有化应用有入口地址,安装后自动在应用列表中创建相应入口应用

    # 私有化应用 Chart.yaml 中annotations须加入下来配置,才会自动创建入口应用
    annotations:
      web_url_from_services: HelmChart中k8s的service名称
    
    BxUP96.png

  • 如需访问应用,点击首页>应用名,可进入应用

例子1:Jumpserver 首页点击jumpserver BF6wpB.jpg 进入jumpserver, 点击OpenID登录,开始OIDC登录jumpserver BF2ihj.jpg

例子2:Grafana 首页点击grafana BF2UVG.jpg 进入grafana,点击sign in with arkid,开始OIDC登录grafana BF2CO6.jpg

评论