From 157263f5980fd6084ef19b259164327bb5edc094 Mon Sep 17 00:00:00 2001
From: Waldemar Faist
Date: Fri, 29 Nov 2024 19:33:41 +0100
Subject: [PATCH] node-red: add oidc
---
 .../node-red/app/config/settings.js | 26 +++++++++++++++++++
 .../node-red/app/externalsecret.yaml | 4 +++
 2 files changed, 30 insertions(+)
diff --git a/kubernetes/main/apps/automation/node-red/app/config/settings.js b/kubernetes/main/apps/automation/node-red/app/config/settings.js
index f9ffe54d..e1737569 100644
--- a/kubernetes/main/apps/automation/node-red/app/config/settings.js
+++ b/kubernetes/main/apps/automation/node-red/app/config/settings.js
@@ -3,6 +3,32 @@ module.exports = { credentialSecret: process.env.NODE_RED_CREDENTIAL_SECRET, flowFilePretty: true,
+ adminAuth: {
+ type: "strategy",
+ strategy: {
+ name: "openidconnect",
+ autoLogin: true,
+ label: "Sign in",
+ icon: "fa-cloud",
+ strategy: require("passport-openidconnect").Strategy,
+ options: {
+ issuer: "https://auth.${domain}",
+ authorizationURL: "https://auth.${domain}/api/oidc/authorization",
+ tokenURL: "https://auth.${domain}/api/oidc/token",
+ userInfoURL: "https://auth.${domain}/api/oidc/userinfo",
+ clientID: "node-red",
+ clientSecret: process.env.NODE_RED_OIDC_CLIENT_SECRET,
+ callbackURL: "https://r.${domain}/auth/strategy/callback",
+ scope: ["openid", "email", "profile", "groups"],
+ proxy: true,
+ verify: function (issuer, profile, done) {
+ done(null, profile);
+ },
+ },
+ },
+ users: [{ username: "cubic", permissions: ["*"] }],
+ },
+ uiPort: process.env.PORT || 1880, diagnostics: {
diff --git a/kubernetes/main/apps/automation/node-red/app/externalsecret.yaml b/kubernetes/main/apps/automation/node-red/app/externalsecret.yaml
index e257a486..c11a4b4d 100644
--- a/kubernetes/main/apps/automation/node-red/app/externalsecret.yaml
+++ b/kubernetes/main/apps/automation/node-red/app/externalsecret.yaml
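Review bot: The `verify` callback passes every profile the IdP authenticates straight to `done(null, profile)`, so the only authorization step is Node-RED matching the profile's username against `users`, where the single entry `cubic` holds `permissions: ["*"]`. With passport-openidconnect that username presumably comes from the `preferred_username` claim, which OIDC does not guarantee to be stable or unique, so editor access (effectively code execution in the Node-RED runtime) rests on a mutable attribute plus whatever access policy the IdP applies to the `node-red` client. I would document that dependency above `verify`, e.g. `// authz = users[] match on profile.username; the IdP client policy must restrict who may log in`, and either use the requested `groups` scope for an explicit check or drop it with `scope: ["openid", "email", "profile"],`. An unset `NODE_RED_OIDC_CLIENT_SECRET` would also leave `clientSecret` undefined with no startup error from this file. The enclosing `module.exports` object starts and ends outside the hunk.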
@@ -13,3 +13,7 @@ spec: remoteRef: key: node-red property: credential_secret
+ - secretKey: NODE_RED_OIDC_CLIENT_SECRET
+ remoteRef:
+ key: authelia
+ property: oidc_secret_nodered_plain
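Review bot: The new `NODE_RED_OIDC_CLIENT_SECRET` entry has no comment explaining why it reads from the `authelia` item rather than `node-red`, and the `_plain` suffix suggests a hashed counterpart lives in the IdP's own configuration. If so, rotation has to update both values together, which is worth recording next to the entry, e.g. `# plaintext of the node-red OIDC client secret; rotate together with the hashed value in Authelia`. It is also worth confirming that the secret store access used by this ExternalSecret is not widened to the rest of the `authelia` item just for this one property. The list this entry joins begins outside the hunk.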