Resolve "Enable KeyCloak protection for Holocron"

69b37fb8 · Mark Howard · Michael Martin · 5e1129bc · 69b37fb8 · 69b37fb8
Commit 69b37fb8 authored 9 months ago by Mark Howard Committed by Michael Martin 9 months ago
--- a/chart/templates/authservice/values.yaml
+++ b/chart/templates/authservice/values.yaml
-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled) (and .Values.addons.thanos.enabled .Values.addons.thanos.sso.enabled)) }}
+{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled) (and .Values.addons.thanos.enabled .Values.addons.thanos.sso.enabled) (and .Values.addons.holocron.enabled .Values.addons.holocron.sso.enabled)) }}
 {{- include "values-secret" (dict "root" $ "package" .Values.addons.authservice "name" "authservice" "defaults" (include "bigbang.defaults.authservice" .)) }}
 {{- end }}

@@ -141,6 +141,27 @@ chains:
    {{- end }}
  {{- end }}

+  {{- if and .Values.addons.holocron.enabled .Values.addons.holocron.sso.enabled }}
+  holocron:
+    match:
+      header: ":authority"
+    {{- $holocronHosts := (dig "istio" "holocron" "hosts" dict .Values.addons.holocron.values) }}
+    {{- if $holocronHosts }}
+      prefix: {{ tpl ($holocronHosts | first) $ }}
+    callback_uri: https://{{ tpl ($holocronHosts | first) $ }}/login
+    {{- else }}
+      prefix: {{ printf "holocron.%s" $domainName }}
+    callback_uri: https://holocron.{{ $domainName }}/login
+    {{- end }}
+    client_id: "{{ .Values.addons.holocron.sso.client_id }}"
+    client_secret: "{{ .Values.addons.holocron.sso.client_secret }}"
+    {{- if not $legacy }}
+    authorization_uri: {{ include "sso.oidc.auth" . }}
+    token_uri: {{ include "sso.oidc.token" . }}
+    logout_redirect_uri: {{ include "sso.oidc.endsession" . }}
+    {{- end }}
+  {{- end }}
+
  {{- if and .Values.addons.thanos.enabled .Values.addons.thanos.sso.enabled }}
  thanos:
    match:

--- a/chart/templates/holocron/values.yaml
+++ b/chart/templates/holocron/values.yaml
@@ -15,7 +15,19 @@ externalURL: https://holocron.{{ .Values.domain }}

 domain: {{ .Values.domain }}

+{{- $holocronAuthserviceKey := (dig "selector" "key" "protect" .Values.addons.authservice.values) }}
+{{- $holocronAuthServiceValue := (dig "selector" "value" "keycloak" .Values.addons.authservice.values) }}
+
+{{- if .Values.addons.holocron.sso.enabled }}
+frontend:
+  labels:
+    {{ $holocronAuthserviceKey }}: {{ $holocronAuthServiceValue }}
+{{- end }}
 api:
+{{- if .Values.addons.holocron.sso.enabled }}
+  labels:
+    {{ $holocronAuthserviceKey }}: {{ $holocronAuthServiceValue }}
+{{- end }}
  env:
    REQUEST_IP_HEADER: Host
    SSO_ENABLED: {{ .Values.addons.holocron.sso.enabled }}

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1972,6 +1972,12 @@ addons:
    sso:
      # -- Toggle SSO for Holocron on and off
      enabled: false
+
+      # -- OIDC Client ID to use for Holocron
+      client_id: ""
+
+      # -- OIDC Client Secret to use for Holocron
+      client_secret: ""
      
      # -- Holocron SSO group roles: https://repo1.dso.mil/groups/big-bang/apps/sandbox/holocron/-/wikis/Administrator-Guide
      groups: