OpenUnison 1.0.24 - Going Cloud Native


Marc Boorshtein


Cloud Native Security

Tremolo Security is thrilled to release OpenUnison 1.0.24, the first release with both consolidated configuration and documentation. We've gone from a container per authentication method to a single container with all configuration done through Kubernetes custom resources. In this post we'll walk through the changes, how they benefit you, and how you can get the most out of your clusters!

Simplified Deployment

With OpenUnison 1.0.24, we moved almost all of the configuration management out of our operator and into helm. When we first built the operator, helm 3 didn't exist yet and helm 2 still relied on Tiller. We saw an operator as an easier and more secure way to deploy OpenUnison. With helm v3's maturity, we realized we needed to stop relying on our operator for manifest generation. This move makes it much easier to incorporate new configuration options. For instance, in 1.0.24 we have included configuration options for pull secrets, resource requests and limits, and node selectors to make it easier to manage your OpenUnison deployment. It will also make easier for us to add new configuration options without having to make updates to the operator.

Easier Customization

We moved all of OpenUnison's configuration from statically compiled containers into Kubernetes native custom resources. The original approach provided simplicity before Kubernetes Custom Resource Definitions (CRDs) were even available! With CRDs, you can customize how you authenticate and which applications you integrate with. For instance, if you're using Istio you can integrate SSO with Kiali by running a helm chart! Want to add Multi-Factor Authentication? Change a Kubernetes object! We're going to be adding more documentation and examples in the weeks ahead!

In addition to making it easier to customize OpenUnison's configuration, we also made it easier to customize the pages and images used by OpenUnison by splitting out static HTML into its own container. This makes it much easier to customize without having to fork and build a container. Now updating the logos is a simple task of creating a ConfigMap and updating your values.yaml!

How easy and powerful is OpenUnison's configuration customization? In the final chapter of Kubernetes: An Enterprise Guide 2nd Edition (available Dec 9), we build out a custom GitOps platform using GitLab for git hosting and management, TektonCD for builds, ArgoCD for GitOps, OPA GateKeeper for policy management,and OpenUnison providing SSO and Namespace as a Service (NaaS). Everything was automated, with no custom containers. All customization to OpenUnison to make this platform work was automated via custom resources deployed through a helm chart! This includes SSO for GitLab, ArgoCD, and TektonCD's dashboard. Stay tuned for more details about this capability!

Namespace as a Service

Have you ever received an email that starts with "please add Jennifer to this Namespace", or "please create a Namespace for these ten users?" What's the point of all this automation if we're manually onboarding users and applications? With OpenUnison's Namespace as a Service (NaaS), you can give your users the freedom to create Namespaces and manage access without having to involve the cluster's operations team to run manual kubectl commands. Users can either drive access from the identity provider's groups, let OpenUnison manage and store groups, or both! Go from namespace creation, to user onboarding and offboarding, all without involving the cluster operations team!

Easy Upgrades

If you're already using OpenUnison, we're providing an easy upgrade path! Your existing values.yaml will work with the new version. We put together a step-by-step upgrade guide for you. We know that upgrading your cluster's authentication shouldn't be done lightly, so we're going to continue to support our legacy containers until December 2022. Each new release of OpenUnison will have containers upgraded and packages updated appropriately. We know we can't always move as fast as new technology, so we're committed to supporting your existing investment while you plan your upgrade.

What's Next?

Want to get started with the easiest to deploy authentication system for Kubernetes? Head over to our new documentation site! Everything is open source and you don't need to talk to a sales rep to get into production. If you are interested in investing in a support contract, take a look at our pricing and let us know how we can help!

Related Posts