chore: switch to new SSO secret template (#111)

## Description This implements the new secret templating for GitLab ## Related Issue Fixes #90 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [X] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-gitlab/blob/main/CONTRIBUTING.md#developer-workflow) followed
defenseunicorns · Apr 19, 2024 · acf28bc · acf28bc
1 parent b0e151e
commit acf28bc
Show file tree

Hide file tree

Showing 12 changed files with 45 additions and 110 deletions.
diff --git a/.yamllint b/.yamllint
@@ -3,7 +3,7 @@ yaml-files:
   - '.yamllint'
 
 ignore:
-  - '**/charts/**/templates**'
+  - '**/chart/templates**'
 
 rules:
   anchors: enable

diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml
@@ -46,11 +46,6 @@ packages:
             - name: GITLAB_SSO_ENABLED
               description: "Boolean to enable or disable sso things"
               path: "sso"
-        uds-gitlab-sso:
-          variables:
-            - name: GITLAB_SSO_ENABLED
-              description: "Boolean to enable or disable sso things"
-              path: "sso"
         gitlab:
           variables:
             - name: GITLAB_SSO_ENABLED

diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml
@@ -32,7 +32,6 @@ variables:
     gitlab_db_endpoint: "pg-cluster.postgres.svc.cluster.local"
     DISABLE_REGISTRY_REDIRECT: "true"
     GITLAB_PAGES_ENABLED: true
-    GITLAB_SSO_ENABLED: false
     # # Overrides for scaled down cluster for local dev and CI
     webservice_replicas: 1
     webservice_resources:

diff --git a/charts/config/.helmignore → chart/.helmignore b/charts/config/.helmignore → chart/.helmignore
diff --git a/charts/config/Chart.yaml → chart/Chart.yaml b/charts/config/Chart.yaml → chart/Chart.yaml
diff --git a/charts/config/templates/uds-package.yaml → chart/templates/uds-package.yaml b/charts/config/templates/uds-package.yaml → chart/templates/uds-package.yaml
@@ -10,6 +10,38 @@ spec:
       clientId: uds-core-gitlab
       redirectUris:
         - "https://gitlab.{{ .Values.domain }}/users/auth/openid_connect/callback"
+      secretName: gitlab-sso-provider-json
+      secretTemplate:
+        # GitLab expects a providers JSON file that is documented more here: https://gitlab-org.gitlab.io/technical-writing-group/gitlab-docs-hugo/administration/auth/oidc/
+        # Note: the `authorization_endpoint`, `issuer`, and `userinfo_endpoint` must be the external URL
+        providers: |
+          {
+            "name": "openid_connect",
+            "label": "SSO",
+            "args": {
+              "name": "openid_connect",
+              "scope": [
+                "openid",
+                "profile"
+              ],
+              "response_type": "code",
+              "issuer": "https://sso.{{ .Values.domain }}/realms/uds",
+              "client_auth_method": "query",
+              "discovery": false,
+              "uid_field": "preferred_username",
+              "pkce": "true",
+              "client_options": {
+                "identifier": "clientField(clientId)",
+                "secret": "clientField(secret)",
+                "redirect_uri": "clientField(redirectUris)[0]",
+                "end_session_endpoint": "http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/openid-connect/logout",
+                "authorization_endpoint": "https://sso.{{ .Values.domain }}/realms/uds/protocol/openid-connect/auth",
+                "token_endpoint": "http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/openid-connect/token",
+                "userinfo_endpoint": "https://sso.{{ .Values.domain }}/realms/uds/protocol/openid-connect/userinfo",
+                "jwks_uri": "http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/openid-connect/certs"
+              }
+            }
+          }
   {{- end }}
   network:
     expose:
@@ -188,10 +220,20 @@ spec:
 
       # Webservice Netpols
       - direction: Egress
+        remoteNamespace: keycloak
+        remoteSelector:
+          app.kubernetes.io/name: keycloak
+        selector:
+          app: webservice
+        port: 8080
+        description: "SSO Internal"
+
+      - direction: Egress
+        remoteGenerated: Anywhere
         selector:
           app: webservice
         port: 443
-        description: "SSO"
+        description: "SSO External"
 
       - direction: Egress
         selector:

diff --git a/charts/config/values.yaml → chart/values.yaml b/charts/config/values.yaml → chart/values.yaml
diff --git a/charts/sso/.helmignore b/charts/sso/.helmignore
diff --git a/charts/sso/Chart.yaml b/charts/sso/Chart.yaml
diff --git a/charts/sso/templates/secret.yaml b/charts/sso/templates/secret.yaml
diff --git a/charts/sso/values.yaml b/charts/sso/values.yaml
diff --git a/common/zarf.yaml b/common/zarf.yaml
@@ -11,11 +11,7 @@ components:
       - name: uds-gitlab-config
         namespace: gitlab
         version: 0.2.0
-        localPath: ../charts/config
-      - name: uds-gitlab-sso
-        namespace: gitlab
-        version: 0.1.0
-        localPath: ../charts/sso
+        localPath: ../chart
       - name: gitlab
         namespace: gitlab
         url: https://charts.gitlab.io/