From b2349a85d5e615a1df29d2c629b6ed036e19d8eb Mon Sep 17 00:00:00 2001
From: Andrew Blanchard <andrew.blanchard@leapfrog.ai>
Date: Thu, 1 Apr 2021 12:33:52 +0000
Subject: [PATCH] Added new global var template strings for sso/{auth_url,
 token_url}. Updated monitoring/grafana to reference the new global values as
 a default pointing to keycloak. Added a new folder to the .gitignore for
 scratch manifests and testing.

---
 chart/google-auth-example-values.yaml  | 17 +++++++++++++++++
 chart/templates/monitoring/values.yaml |  9 +++++----
 chart/values.yaml                      |  6 ++++++
 3 files changed, 28 insertions(+), 4 deletions(-)
 create mode 100644 chart/google-auth-example-values.yaml

diff --git a/chart/google-auth-example-values.yaml b/chart/google-auth-example-values.yaml
new file mode 100644
index 0000000000..a52de28a6c
--- /dev/null
+++ b/chart/google-auth-example-values.yaml
@@ -0,0 +1,17 @@
+#
+# The values below demonstrate how to override the default SSO provider (Keycloak) in favor of google auth.
+#
+# Current tested implementations and reference docs:
+#   * grafana - https://grafana.com/docs/grafana/latest/auth/google/
+#
+
+monitoring:
+  sso:
+    grafana:
+      client_id: <client_id>
+      client_secret: <client_secret>
+      scopes: "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
+      allowed_domains: <allowed_domains>
+      auth_url: https://accounts.google.com/o/oauth2/auth
+      token_url: https://oauth2.googleapis.com/token
+      signout_redirect_url: https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=https://grafana.bigbang.dev
\ No newline at end of file
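Review bot: The example puts `client_secret: <client_secret>` into a chart values file; anyone who fills in the placeholder and keeps the file in the repo commits the real secret, and the sibling hunk in chart/templates/monitoring/values.yaml interpolates it unquoted into the rendered values. A comment above `client_secret` such as `# Supply the real value through a values override kept out of VCS; never commit it here` would make the intended workflow explicit. `signout_redirect_url` hard-codes `grafana.bigbang.dev`, which an adopter of this example must replace, so a comment noting that would help. The commit subject mentions a `.gitignore` change, but the diffstat above lists only three files, so either the message or the patch is incomplete. The file also lacks a trailing newline.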
diff --git a/chart/templates/monitoring/values.yaml b/chart/templates/monitoring/values.yaml
index d30f60d512..d83f81e578 100644
--- a/chart/templates/monitoring/values.yaml
+++ b/chart/templates/monitoring/values.yaml
@@ -44,18 +44,19 @@ grafana:
     {{- end }}
 
     auth:
-      signout_redirect_url: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/logout
+      signout_redirect_url: {{ .Values.monitoring.sso.grafana.signout_redirect_url | default (tpl "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/logout" .) }}
 
     auth.generic_oauth:
       enabled: {{ .Values.monitoring.sso.enabled }}
       client_id: {{ .Values.monitoring.sso.grafana.client_id }}
       client_secret: {{ .Values.monitoring.sso.grafana.client_secret }}
       scopes: {{ .Values.monitoring.sso.grafana.scopes | default "openid profile email" }}
-      auth_url: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth
-      token_url: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token
-      api_url: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/userinfo
+      auth_url: {{ .Values.monitoring.sso.grafana.auth_url | default (tpl .Values.sso.auth_url .) }}
+      token_url: {{ .Values.monitoring.sso.grafana.token_url | default (tpl .Values.sso.token_url .) }}
+      api_url: {{ .Values.monitoring.sso.grafana.api_url | default (tpl "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/userinfo" .) }}
       allow_sign_up: {{ .Values.monitoring.sso.grafana.allow_sign_up | default "True" }}
       role_attribute_path: {{ .Values.monitoring.sso.grafana.role_attribute_path | default "Viewer" }}
+      allowed_domains: {{ .Values.monitoring.sso.grafana.allowed_domains }}
 
 prometheus-node-exporter:
   serviceAccount:
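Review bot: The added `allowed_domains: {{ .Values.monitoring.sso.grafana.allowed_domains }}` has no guard or default, so when the value is unset the key renders with an empty value; as far as Grafana's generic_oauth is concerned an empty allowed_domains imposes no domain restriction, and with `allow_sign_up` defaulting to "True" two lines above, any account at the configured provider can self-register. Either emit the key only when set, `{{- with .Values.monitoring.sso.grafana.allowed_domains }}` / `allowed_domains: {{ . }}` / `{{- end }}`, or document in values.yaml that leaving it empty means unrestricted. The new `auth_url` and `token_url` lines hand `.Values.sso.auth_url` / `.Values.sso.token_url` to `tpl`, which takes a string, so an override that sets either to null will, I believe, fail rendering rather than fall back; the defaults in chart/values.yaml need to stay non-null strings. Piping the rendered URLs through `| quote` would keep a value containing ` #` or another YAML special from breaking the generated file. The enclosing `grafana:` block starts outside the hunk.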
diff --git a/chart/values.yaml b/chart/values.yaml
index 959ab3e0e1..33a36eee61 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -67,6 +67,12 @@ sso:
   # -- OIDC client secret used for packages authenticated through authservice
   client_secret: ""
 
+  # -- OIDC token URL template string (to be used as default)
+  token_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"
+    
+  # -- OIDC auth URL template string (to be used as default)
+  auth_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth"
+
 # -- (Advanced) Flux reconciliation parameters.
 # The default values provided will be sufficient for the majority of workloads.
 flux:
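Review bot: The line between the two new keys is whitespace-only (`+    `); it is harmless to the parser but trips yamllint `trailing-spaces`, so it should be a bare empty line. The helm-docs comments should state that these values are rendered with `tpl` by chart/templates/monitoring/values.yaml and must remain valid Go template strings (and non-null) when overridden, e.g. `# -- OIDC token URL, rendered with tpl; override with a full URL or another template string, never null`. Listing `auth_url` before `token_url` would match the order used in the template and in the google example. The `sso:` mapping starts outside the hunk.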
-- 
GitLab