From c8f187b7c6d66c262e97e6606f3b86bfdfb9715e Mon Sep 17 00:00:00 2001 
From: Michael McLeroy <michaelmcleroy@cloudfitsoftware.com> Date: Wed, 1 Feb 2023 23:13:27 +0000 Subject: [PATCH] SSO Refactor for Global IdP values --- chart/templates/NOTES.txt | 202 ++++++++++++ chart/templates/_helpers.tpl | 113 ++++++- chart/templates/anchore/secret-ca.yaml | 6 +- chart/templates/anchore/values.yaml | 2 +- chart/templates/argocd/secret-ca.yaml | 6 +- chart/templates/argocd/values.yaml | 8 +- chart/templates/authservice/values.yaml | 55 +++- chart/templates/gitlab/secret-ca.yaml | 6 +- chart/templates/gitlab/secret-sso.yaml | 14 +- chart/templates/gitlab/values.yaml | 6 +- chart/templates/jaeger/secret-ca.yaml | 6 +- chart/templates/kiali/secret-ca.yaml | 6 +- chart/templates/kiali/values.yaml | 4 +- .../elasticsearch-kibana/secret-ca.yaml | 6 +- .../logging/elasticsearch-kibana/values.yaml | 28 +- chart/templates/mattermost/secret-ca.yaml | 6 +- chart/templates/mattermost/values.yaml | 6 +- chart/templates/monitoring/secret-ca.yaml | 6 +- chart/templates/monitoring/values.yaml | 9 +- .../nexus-repository-manager/secret-ca.yaml | 6 +- .../nexus-repository-manager/values.yaml | 2 +- .../secrets/certificateauthority.yaml | 4 +- chart/templates/sonarqube/secret-ca.yaml | 6 +- chart/templates/sonarqube/values.yaml | 8 +- chart/templates/twistlock/values.yaml | 15 +- chart/templates/wrapper/gitrepository.yaml | 2 +- chart/values.yaml | 138 +++----- .../configs/example/dev-sso-values.yaml | 301 ++++++++---------- .../example/google-auth-example-values.yaml | 26 +- .../package-integration/supported.md | 2 +- .../deployment-scenarios/sso-quickstart.md | 148 +++++---- .../configuration/base-config.md | 32 +- .../package-architecture/argocd.md | 1 - .../elasticsearch-kibana.md | 7 - .../package-architecture/kiali.md | 6 +- .../package-architecture/mattermost.md | 3 - .../package-architecture/sonarqube.md | 7 - tests/test-values.yaml | 87 +++-- 38 files changed, 780 insertions(+), 516 deletions(-) 
diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt
index aada4b045d..dd58c7a4ab 100644
--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
@@ -185,6 +185,208 @@ DEPRECATION NOTICE: Please reconfigure your values overrides to use .Values.addons.nexusRepositoryManager {{- end }} +{{- $nexusOldValues := default dict .Values.addons.nexus -}} +{{- $nexusValues := merge $nexusOldValues .Values.addons.nexusRepositoryManager -}} + +{{- with .Values }} +{{- if and .sso.url (coalesce .sso.oidc.host .sso.oidc.realm .sso.certificate_authority .sso.jwks .sso.jwks_uri .sso.client_id .sso.client_secret .sso.token_url .sso.auth_url .sso.secretName .logging.sso.issuer .logging.sso.auth_url .logging.sso.token_url .logging.sso.userinfo_url .logging.sso.jwkset_url .logging.sso.claims_principal .logging.sso.endsession_url .logging.sso.claims_group .logging.sso.claims_mail .monitoring.sso.grafana.auth_url .monitoring.sso.grafana.token_url .monitoring.sso.grafana.api_url .twistlock.sso.provider_name .twistlock.sso.issuer_uri .twistlock.sso.idp_url .twistlock.sso.console_url .twistlock.sso.cert .addons.argocd.sso.provider_name .addons.gitlab.sso.label .addons.gitlab.sso.issuer_uri .addons.gitlab.sso.end_session_uri .addons.gitlab.sso.uid_field .addons.mattermost.sso.auth_endpoint .addons.mattermost.sso.token_endpoint .addons.mattermost.sso.user_api_endpoint $nexusValues.sso.idp_data.idpMetadata .addons.sonarqube.sso.provider_name .addons.sonarqube.sso.certificate) }} +DEPRECATION NOTICE: + The following SSO keys have been deprecated. Deprecated keys will continue to work, but will be removed in a future release. Please update your overrides. + {{- if coalesce .sso.oidc.host .sso.oidc.realm .sso.certificate_authority .sso.jwks .sso.jwks_uri .sso.client_id .sso.client_secret .sso.token_url .sso.auth_url .sso.secretName }} + sso: + {{- if coalesce .sso.oidc.host .sso.oidc.realm }} + oidc: + {{- if .sso.oidc.host }} + # "host" removed. It is now implicitly defined in "sso.url". + host: {{ .sso.oidc.host }} + {{- end }} + {{- if .sso.oidc.realm }} + # "realm" removed. It is now implicitly defined in "sso.url". 
+ realm: {{ .sso.oidc.realm }} + {{- end }} + {{- end }} + {{- if .sso.certificate_authority }} + # "certificate_authority" was moved to "sso.certificateAuthority.cert". + certificate_authority: {{ .sso.certificate_authority | trunc 27 }} + {{- end }} + {{- if .sso.jwks }} + # "jwks" was moved to "sso.oidc.jwks". If possible, switch to using "sso.oidc.jwksUri" to dynamically retrieve metadata instead + jwks: {{ .sso.jwks }} + {{- end }} + {{- if .sso.jwks_uri }} + # "jwks_uri" was moved to "sso.oidc.jwksUri" + jwks_uri: {{ .sso.jwks_uri }} + {{- end }} + {{- if .sso.client_id }} + # "client_id" was moved to "addons.authservice.sso.client_id" + client_id: {{ .sso.client_id }} + {{- end }} + {{- if .sso.client_secret }} + # "client_secret" was moved to "addons.authservice.sso.client_secret" + client_secret: {{ .sso.client_secret }} + {{- end }} + {{- if .sso.token_url }} + # "token_url" was moved to "sso.oidc.token" + token_url: {{ .sso.token_url }} + {{- end }} + {{- if .sso.auth_url }} + # "auth_url" was moved to "sso.oidc.authorization" + auth_url: {{ .sso.auth_url }} + {{- end }} + {{- if .sso.secretName }} + # "secretName" was moved to "sso.certificateAuthority.secretName" + secretName: {{ .sso.secretName }} + {{- end }} + {{- end }} + {{- if coalesce .logging.sso.issuer .logging.sso.auth_url .logging.sso.token_url .logging.sso.userinfo_url .logging.sso.jwkset_url .logging.sso.claims_principal .logging.sso.endsession_url .logging.sso.claims_group .logging.sso.claims_mail }} + logging: + sso: + {{- if .logging.sso.issuer }} + # "issuer" was moved to "sso.url" + issuer: {{ .logging.sso.issuer }} + {{- end }} + {{- if .logging.sso.auth_url }} + # "auth_url" was moved to "sso.oidc.authorization" + auth_url: {{ .logging.sso.auth_url }} + {{- end }} + {{- if .logging.sso.token_url }} + # "token_url" was moved to "sso.oidc.token" + token_url: {{ .logging.sso.token_url }} + {{- end }} + {{- if .logging.sso.userinfo_url }} + # "userinfo_url" was moved to 
"sso.oidc.userinfo" + userinfo_url: {{ .logging.sso.userinfo_url }} + {{- end }} + {{- if .logging.sso.jwkset_url }} + # "jwkset_url" was moved to "sso.oidc.jwksUrl" + jwkset_url: {{ .logging.sso.jwkset_url }} + {{- end }} + {{- if .logging.sso.claims_principal }} + # "claims_principal" was moved to "sso.oidc.claims.username" + claims_principal: {{ .logging.sso.claims_principal }} + {{- end }} + {{- if .logging.sso.endsession_url }} + # "endsession_url" was moved to "sso.oidc.endsession" + endsession_url: {{ .logging.sso.endsession_url }} + {{- end }} + {{- if .logging.sso.claims_group }} + # "claims_group" was moved to "sso.oidc.claims.groups" + claims_group: {{ .logging.sso.claims_group }} + {{- end }} + {{- if .logging.sso.claims_mail }} + # "claims_mail" was moved to "sso.oidc.claims.email" + claims_mail: {{ .logging.sso.claims_mail }} + {{- end }} + {{- end }} + {{- if coalesce .monitoring.sso.grafana.auth_url .monitoring.sso.grafana.token_url .monitoring.sso.grafana.api_url }} + monitoring: + sso: + grafana: + {{- if .monitoring.sso.grafana.auth_url }} + # "auth_url" moved to "sso.oidc.authorization" + auth_url: {{ .monitoring.sso.grafana.auth_url }} + {{- end }} + {{- if .monitoring.sso.grafana.token_url }} + # "token_url" moved to "sso.oidc.token" + token_url: {{ .monitoring.sso.grafana.token_url }} + {{- end }} + {{- if .monitoring.sso.grafana.api_url }} + # "api_url" moved to "sso.oidc.userinfo" + api_url: {{ .monitoring.sso.grafana.api_url }} + {{- end }} + {{- end }} + {{- if coalesce .twistlock.sso.provider_name .twistlock.sso.issuer_uri .twistlock.sso.idp_url .twistlock.sso.console_url .twistlock.sso.cert }} + twistlock: + sso: + {{- if .twistlock.sso.provider_name }} + # "provider_name" moved to "sso.name" + provider_name: {{ .twistlock.sso.provider_name }} + {{- end }} + {{- if .twistlock.sso.issuer_uri }} + # "issuer_uri" moved to "sso.url" + issuer_uri: {{ .twistlock.sso.issuer_uri }} + {{- end }} + {{- if .twistlock.sso.idp_url }} + # "idp_url" 
moved to "sso.saml.service" + idp_url: {{ .twistlock.sso.idp_url }} + {{- end }} + {{- if .twistlock.sso.console_url }} + # "console_url" deprecated. It will be created from "twistlock.values.istio.console.hosts" or "twistlock.<domain>" + console_url: {{ .twistlock.sso.console_url }} + {{- end }} + {{- if .twistlock.sso.cert }} + # "cert" is derived from "sso.saml.metadata" + cert: {{ .twistlock.sso.cert | trunc 27 }} + {{- end }} + {{- end }} + {{- if coalesce .addons.argocd.sso.provider_name .addons.gitlab.sso.label .addons.gitlab.sso.issuer_uri .addons.gitlab.sso.end_session_uri .addons.gitlab.sso.uid_field .addons.mattermost.sso.auth_endpoint .addons.mattermost.sso.token_endpoint .addons.mattermost.sso.user_api_endpoint $nexusValues.sso.idp_data.idpMetadata .addons.sonarqube.sso.provider_name .addons.sonarqube.sso.certificate }} + addons: + {{- if .addons.argocd.sso.provider_name }} + argocd: + sso: + # "provider_name" moved to "sso.name" + provider_name: {{ .addons.argocd.sso.provider_name }} + {{- end }} + {{- if coalesce .addons.gitlab.sso.label .addons.gitlab.sso.issuer_uri .addons.gitlab.sso.end_session_uri .addons.gitlab.sso.uid_field -}} + gitlab: + sso: + {{- if .addons.gitlab.sso.label }} + # "label" moved to "sso.name" + label: {{ .addons.gitlab.sso.label }} + {{- end }} + {{- if .addons.gitlab.sso.issuer_uri }} + # "issuer_uri" moved to "sso.url" + issuer_uri: {{ .addons.gitlab.sso.issuer_uri }} + {{- end }} + {{- if .addons.gitlab.sso.end_session_uri }} + # "end_session_uri" moved to "sso.oidc.endSession" + end_session_uri: {{ .addons.gitlab.sso.end_session_uri }} + {{- end }} + {{- if .addons.gitlab.sso.uid_field }} + # "uid_field" moved to "sso.oidc.claims.username" + uid_field: {{ .addons.gitlab.sso.uid_field }} + {{- end }} + {{- end }} + {{- if coalesce .addons.mattermost.sso.auth_endpoint .addons.mattermost.sso.token_endpoint .addons.mattermost.sso.user_api_endpoint }} + mattermost: + sso: + {{- if .addons.mattermost.sso.auth_endpoint }} + # 
"auth_endpoint" moved to "sso.oidc.authorization" + auth_endpoint: {{ .addons.mattermost.sso.auth_endpoint }} + {{- end }} + {{- if .addons.mattermost.sso.token_endpoint }} + # "token_endpoint" moved "sso.oidc.token" + token_endpoint: {{ .addons.mattermost.sso.token_endpoint }} + {{- end }} + {{- if .addons.mattermost.sso.user_api_endpoint }} + # "user_api_endpoint" moved to "sso.oidc.userinfo" + user_api_endpoint: {{ .addons.mattermost.sso.user_api_endpoint }} + {{- end }} + {{- end }} + {{- if coalesce $nexusValues.sso.idp_data.idpMetadata }} + nexus: + sso: + {{- if $nexusValues.sso.idp_data.idpMetadata }} + # idpMetadata moved to "sso.saml.metadata" + idpMetadata: {{ $nexusValues.sso.idp_data.idpMetadata | trunc 27 }} + {{- end }} + {{- end }} + {{- if coalesce .addons.sonarqube.sso.provider_name .addons.sonarqube.sso.certificate }} + sonarqube: + sso: + {{- if .addons.sonarqube.sso.provider_name }} + # "provider_name" moved to "sso.name" + provider_name: {{ .addons.sonarqube.sso.provider_name }} + {{- end }} + {{- if .addons.sonarqube.sso.certificate }} + # "certificate" derived from "sso.saml.metadata" + certificate: {{ .addons.sonarqube.sso.certificate | trunc 27 }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + {{- if .Values.addons.mattermostoperator }} DEPRECATION NOTICE: .Values.addons.mattermostoperator has been deprecated and will be removed in a future Big Bang release. diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl index 1c9b3ca76f..dc9a6ecd26 100644 --- a/chart/templates/_helpers.tpl +++ b/chart/templates/_helpers.tpl 
@@ -218,5 +218,116 @@ bigbang.dev/istioVersion: {{ .Values.istio.oci.tag }} {{- /* Prints istio version */ -}} {{- define "istioVersion" -}} -{{ regexReplaceAll "-bb.+$" (coalesce .Values.istio.git.semver .Values.istio.git.tag .Values.istio.git.branch) "" }} + {{- regexReplaceAll "-bb.+$" (coalesce .Values.istio.git.semver .Values.istio.git.tag .Values.istio.git.branch) "" -}} {{- end -}} + +{{- /* Returns an SSO host */ -}} +{{- define "sso.host" -}} + {{- coalesce .Values.sso.oidc.host (regexReplaceAll ".*//([^/]*)/?.*" .Values.sso.url "${1}") -}} +{{- end -}} + +{{- /* Returns an SSO realm */ -}} +{{- define "sso.realm" -}} + {{- coalesce .Values.sso.oidc.realm (regexReplaceAll ".*/realms/([^/]*)" .Values.sso.url "${1}") (regexReplaceAll "\\W+" .Values.sso.name "") -}} +{{- end -}} + +{{- /* Returns the SSO base URL */ -}} +{{- define "sso.url" -}} + {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}} + {{- printf "https://%s/auth/realms/%s" .Values.sso.oidc.host .Values.sso.oidc.realm -}} + {{- else -}} + {{- tpl (default "" .Values.sso.url) . -}} + {{- end -}} +{{- end -}} + +{{- /* Returns the SSO auth url (OIDC) */ -}} +{{- define "sso.oidc.auth" -}} + {{- if .Values.sso.auth_url -}} + {{- tpl (default "" .Values.sso.auth_url) . -}} + {{- else if and .Values.sso.oidc.host .Values.sso.oidc.realm -}} + {{- printf "%s/protocol/openid-connect/auth" (include "sso.url" .) -}} + {{- else -}} + {{- tpl (dig "oidc" "authorization" (printf "%s/protocol/openid-connect/auth" (include "sso.url" .)) .Values.sso) . -}} + {{- end -}} +{{- end -}} + +{{- /* Returns the SSO token url (OIDC) */ -}} +{{- define "sso.oidc.token" -}} + {{- if .Values.sso.token_url -}} + {{- tpl (default "" .Values.sso.token_url) . -}} + {{- else if and .Values.sso.oidc.host .Values.sso.oidc.realm -}} + {{- printf "%s/protocol/openid-connect/token" (include "sso.url" .) 
-}} + {{- else -}} + {{- tpl (dig "oidc" "token" (printf "%s/protocol/openid-connect/token" (include "sso.url" .)) .Values.sso) . -}} + {{- end -}} +{{- end -}} + +{{- /* Returns the SSO userinfo url (OIDC) */ -}} +{{- define "sso.oidc.userinfo" -}} + {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}} + {{- printf "%s/protocol/openid-connect/userinfo" (include "sso.url" .) -}} + {{- else -}} + {{- tpl (dig "oidc" "userinfo" (printf "%s/protocol/openid-connect/userinfo" (include "sso.url" .)) .Values.sso) . -}} + {{- end -}} +{{- end -}} + +{{- /* Returns the SSO jwks url (OIDC) */ -}} +{{- define "sso.oidc.jwksuri" -}} + {{- if .Values.sso.jwks_uri -}} + {{- tpl (default "" .Values.sso.jwks_uri) . -}} + {{- else if and .Values.sso.oidc.host .Values.sso.oidc.realm -}} + {{- printf "%s/protocol/openid-connect/certs" (include "sso.url" .) -}} + {{- else -}} + {{- tpl (dig "oidc" "jwksUri" (printf "%s/protocol/openid-connect/certs" (include "sso.url" .)) .Values.sso) . -}} + {{- end -}} +{{- end -}} + +{{- /* Returns the SSO end session url (OIDC) */ -}} +{{- define "sso.oidc.endsession" -}} + {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}} + {{- printf "%s/protocol/openid-connect/logout" (include "sso.url" .) -}} + {{- else -}} + {{- tpl (dig "oidc" "endSession" (printf "%s/protocol/openid-connect/logout" (include "sso.url" .)) .Values.sso) . -}} + {{- end -}} +{{- end -}} + +{{- /* Returns the single sign on service (SAML) */ -}} +{{- define "sso.saml.service" -}} + {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}} + {{- printf "%s/protocol/saml" (include "sso.url" .) -}} + {{- else -}} + {{- tpl (dig "saml" "service" (printf "%s/protocol/saml" (include "sso.url" .)) .Values.sso) . -}} + {{- end -}} +{{- end -}} + +{{- /* Returns the single sign on entity descriptor (SAML) */ -}} +{{- define "sso.saml.descriptor" -}} + {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}} + {{- printf "%s/descriptor" (include "sso.saml.service" .) 
-}} + {{- else -}} + {{- tpl (dig "saml" "entityDescriptor" (printf "%s/descriptor" (include "sso.saml.service" .)) .Values.sso) . -}} + {{- end -}} +{{- end -}} + +{{- /* Returns the signing cert (no headers) from the SAML metadata */ -}} +{{- define "sso.saml.cert" -}} + {{- $cert := dig "saml" "metadata" "" .Values.sso -}} + {{- if $cert -}} + {{- $cert := regexFind "<md:IDPSSODescriptor[\\s>][\\s\\S]*?</md:IDPSSODescriptor[\\s>]" $cert -}} + {{- $cert = regexFind "<md:KeyDescriptor[\\s>][^>]*?use=\"signing\"[\\s\\S]*?</md:KeyDescriptor[\\s>]" $cert -}} + {{- $cert = regexFind "<ds:KeyInfo[\\s>][\\s\\S]*?</ds:KeyInfo[\\s>]" $cert -}} + {{- $cert = regexFind "<ds:X509Data[\\s>][\\s\\S]*?</ds:X509Data[\\s>]" $cert -}} + {{- $cert = regexFind "<ds:X509Certificate[\\s>][\\s\\S]*?</ds:X509Certificate[\\s>]" $cert -}} + {{- $cert = regexReplaceAll "<ds:X509Certificate[^>]*?>\\s*([\\s\\S]*?)</ds:X509Certificate[\\s>]" $cert "${1}" -}} + {{- $cert = regexReplaceAll "\\s*" $cert "" -}} + {{- required "X.509 signing certificate could not be found in sso.saml.metadata!" $cert -}} + {{- end -}} +{{- end -}} + +{{- /* Returns the signing cert with headers from the SAML metadata */ -}} +{{- define "sso.saml.cert.withheaders" -}} + {{- $cert := include "sso.saml.cert" . -}} + {{- if $cert -}} + {{- printf "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" $cert -}} + {{- end -}} +{{- end -}} \ No newline at end of file diff --git a/chart/templates/anchore/secret-ca.yaml b/chart/templates/anchore/secret-ca.yaml index c1096ba3c2..a0c95319ac 100644 --- a/chart/templates/anchore/secret-ca.yaml +++ b/chart/templates/anchore/secret-ca.yaml 
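Review bot: `sso.realm` returns the whole `sso.url` for any IdP whose URL has no `/realms/` segment, because `regexReplaceAll ".*/realms/([^/]*)" .Values.sso.url "${1}"` hands the input back unchanged when the pattern does not match, so `coalesce` never reaches the `sso.name` fallback; `regexFind` returns an empty string on no match and fixes that: `{{- $realm := regexFind "/realms/[^/]+" (default "" .Values.sso.url) | trimPrefix "/realms/" -}}` followed by `{{- coalesce .Values.sso.oidc.realm $realm (regexReplaceAll "\\W+" .Values.sso.name "") -}}`. `sso.saml.cert` only accepts a `<md:KeyDescriptor>` carrying `use="signing"`; the SAML metadata schema makes `use` optional and a descriptor without it is valid for signing, so metadata from IdPs that omit the attribute hits the `required` error although a certificate is present — a second `regexFind` for a `<md:KeyDescriptor>` with no `use` attribute when the first match is empty, or a comment above the define stating the Keycloak-style assumption, would cover it. Only the first matching certificate is extracted, so metadata advertising two signing keys during rotation (presumably possible with Keycloak) would never trust the second; worth a sentence in the template comment. `sso.host` passes `.Values.sso.url` to `regexReplaceAll` without the `default ""` guard that `sso.url` uses; if the key can be unset under the legacy `oidc.host`/`oidc.realm` configuration the render would fail, so the same guard is cheap insurance.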
@@ -1,10 +1,10 @@ -{{- if and .Values.addons.anchore.enabled .Values.addons.anchore.sso.enabled .Values.sso.certificate_authority }} +{{- if and .Values.addons.anchore.enabled .Values.addons.anchore.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }} apiVersion: v1 kind: Secret metadata: - name: {{.Values.sso.secretName}} + name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }} namespace: anchore type: Opaque data: - ca.pem: {{ .Values.sso.certificate_authority | b64enc }} + ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }} {{- end }} \ No newline at end of file diff --git a/chart/templates/anchore/values.yaml b/chart/templates/anchore/values.yaml index c22fcf1dea..c06d820c5b 100644 --- a/chart/templates/anchore/values.yaml +++ b/chart/templates/anchore/values.yaml @@ -49,7 +49,7 @@ sso: spEntityId: {{ .Values.addons.anchore.sso.client_id }} {{- $anchoreUrl := first (dig "istio" "ui" "hosts" list .Values.addons.anchore.values) }} acsUrl: https://{{ tpl ($anchoreUrl | default (printf "%s.%s" "anchore" $domainName)) . }}/service/sso/auth/keycloak - idpMetadataUrl: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/saml/descriptor" + idpMetadataUrl: "{{ include "sso.saml.descriptor" . }}" roleAttribute: {{ .Values.addons.anchore.sso.role_attribute }} {{- end }} diff --git a/chart/templates/argocd/secret-ca.yaml b/chart/templates/argocd/secret-ca.yaml index 00365cdac5..4e667f9d0d 100644 --- a/chart/templates/argocd/secret-ca.yaml +++ b/chart/templates/argocd/secret-ca.yaml 
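Review bot: The CA lookup expressions `(or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso))`, `default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority` and the `secretName` equivalent are repeated verbatim in this hunk and in the argocd, gitlab, jaeger, kiali and logging secret-ca hunks, plus argocd/values.yaml, authservice/values.yaml and gitlab/values.yaml, so the legacy-vs-new precedence has to be kept in sync in roughly a dozen places. Since the commit already adds `sso.*` helpers to `_helpers.tpl`, two more (constructed names: `sso.certificateAuthority.cert` and `sso.certificateAuthority.secretName`) would let each template read `{{ include "sso.certificateAuthority.cert" . }}`. Note that `default A B` yields B whenever B is set, so the deprecated `sso.certificate_authority` silently wins over `sso.certificateAuthority.cert` when both are present; that matches the deprecation notice but deserves a comment at the single helper. `metadata.name` falls back to `""` when neither `secretName` key is set, which renders an invalid Secret; presumably chart/values.yaml (changed in this commit, not visible here) supplies a default, otherwise `required` would make the failure explicit.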
@@ -1,10 +1,10 @@ -{{- if and .Values.addons.argocd.enabled .Values.addons.argocd.sso.enabled .Values.sso.certificate_authority }} +{{- if and .Values.addons.argocd.enabled .Values.addons.argocd.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }} apiVersion: v1 kind: Secret metadata: - name: {{ .Values.sso.secretName }} + name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }} namespace: argocd type: Opaque data: - ca.pem: {{ .Values.sso.certificate_authority | b64enc }} + ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }} {{- end }} \ No newline at end of file diff --git a/chart/templates/argocd/values.yaml b/chart/templates/argocd/values.yaml index 17574e67d4..fe576f188d 100644 --- a/chart/templates/argocd/values.yaml +++ b/chart/templates/argocd/values.yaml @@ -168,14 +168,14 @@ sso: keycloakClientSecret: {{ .Values.addons.argocd.sso.client_secret }} config: oidc.config: | - name: {{ .Values.addons.argocd.sso.provider_name }} - issuer: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }} + name: {{ default .Values.sso.name .Values.addons.argocd.sso.provider_name }} + issuer: {{ include "sso.url" . }} clientID: {{ .Values.addons.argocd.sso.client_id }} clientSecret: $oidc.keycloak.clientSecret requestedScopes: ["openid","ArgoCD"] - {{- if .Values.sso.certificate_authority }} + {{- if (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }} rootCA: | - {{- .Values.sso.certificate_authority | nindent 8 }} + {{- default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | nindent 8 }} {{- end }} {{- end }} {{- end -}} diff --git a/chart/templates/authservice/values.yaml b/chart/templates/authservice/values.yaml index 71e47f1467..859212d6ae 100644 --- a/chart/templates/authservice/values.yaml 
+++ b/chart/templates/authservice/values.yaml 
@@ -64,27 +64,38 @@ redis-bb: namespace: monitoring {{- end }} +{{- $legacy := and .Values.sso.oidc.realm .Values.sso.oidc.host -}} +{{- if not $legacy }} +issuer_uri: {{ include "sso.url" . }} +{{- end }} + global: oidc: - host: {{ .Values.sso.oidc.host }} - realm: {{ .Values.sso.oidc.realm }} + host: {{ default (include "sso.host" .) .Values.sso.oidc.host }} + realm: {{ default (include "sso.realm" .) .Values.sso.oidc.realm }} + + {{- if or .Values.sso.jwks_uri (dig "oidc" "jwksUri" false .Values.sso) }} + jwks_uri: {{ include "sso.oidc.jwksuri" . | quote }} + {{- else if or .Values.sso.jwks (dig "oidc" "jwks" false .Values.sso) }} + jwks: {{ default (dig "oidc" "jwks" "" .Values.sso) .Values.sso.jwks | quote }} + {{- end }} - {{- if .Values.sso.jwks }} - jwks: "{{ .Values.sso.jwks }}" - {{- else if .Values.sso.jwks_uri }} - jwks_uri: "{{ .Values.sso.jwks_uri }}" + {{- if or .Values.sso.client_id (dig "sso" "client_id" false .Values.addons.authservice) }} + client_id: {{ default (dig "sso" "client_id" "" .Values.addons.authservice) .Values.sso.client_id }} {{- end }} - {{- if .Values.sso.client_id}} - client_id: {{ .Values.sso.client_id }} + {{- if or .Values.sso.client_secret (dig "sso" "client_secret" false .Values.addons.authservice) }} + client_secret: {{ default (dig "sso" "client_secret" "" .Values.addons.authservice) .Values.sso.client_secret }} {{- end }} - {{- if .Values.sso.client_secret }} - client_secret: {{ .Values.sso.client_secret }} + {{- if (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }} + certificate_authority: {{ (default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority) | quote }} {{- end }} - {{- if .Values.sso.certificate_authority }} - certificate_authority: {{ .Values.sso.certificate_authority | quote }} + {{- if not $legacy }} + authorization_uri: {{ include "sso.oidc.auth" . }} + token_uri: {{ include "sso.oidc.token" . 
}} + logout_redirect_uri: {{ include "sso.oidc.endsession" . }} {{- end }} {{- $authserviceValues := .Values.addons.authservice.values | default dict }} @@ -114,6 +125,11 @@ chains: {{- end }} client_id: "{{ .Values.jaeger.sso.client_id }}" client_secret: "{{ .Values.jaeger.sso.client_secret }}" + {{- if not $legacy }} + authorization_uri: {{ include "sso.oidc.auth" . }} + token_uri: {{ include "sso.oidc.token" . }} + logout_redirect_uri: {{ include "sso.oidc.endsession" . }} + {{- end }} {{- end }} {{- if and .Values.tempo.enabled .Values.tempo.sso.enabled }} @@ -133,6 +149,11 @@ chains: {{- end }} client_id: "{{ .Values.tempo.sso.client_id }}" client_secret: "{{ .Values.tempo.sso.client_secret }}" + {{- if not $legacy }} + authorization_uri: {{ include "sso.oidc.auth" . }} + token_uri: {{ include "sso.oidc.token" . }} + logout_redirect_uri: {{ include "sso.oidc.endsession" . }} + {{- end }} {{- end }} {{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled }} @@ -149,6 +170,11 @@ chains: {{- end }} client_id: {{ .Values.monitoring.sso.prometheus.client_id }} client_secret: "{{ .Values.monitoring.sso.prometheus.client_secret }}" + {{- if not $legacy }} + authorization_uri: {{ include "sso.oidc.auth" . }} + token_uri: {{ include "sso.oidc.token" . }} + logout_redirect_uri: {{ include "sso.oidc.endsession" . }} + {{- end }} alertmanager: match: @@ -163,5 +189,10 @@ chains: {{- end }} client_id: {{ .Values.monitoring.sso.alertmanager.client_id }} client_secret: "{{ .Values.monitoring.sso.alertmanager.client_secret }}" + {{- if not $legacy }} + authorization_uri: {{ include "sso.oidc.auth" . }} + token_uri: {{ include "sso.oidc.token" . }} + logout_redirect_uri: {{ include "sso.oidc.endsession" . }} + {{- end }} {{- end }} {{- end -}} diff --git a/chart/templates/gitlab/secret-ca.yaml b/chart/templates/gitlab/secret-ca.yaml index beb2ccc2cd..747c5b8b02 100644 --- a/chart/templates/gitlab/secret-ca.yaml +++ b/chart/templates/gitlab/secret-ca.yaml 
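Review bot: `client_id` and `client_secret` under `global.oidc` are still emitted unquoted (`client_secret: {{ default (dig "sso" "client_secret" "" .Values.addons.authservice) .Values.sso.client_secret }}`) while `jwks`, `jwks_uri` and `certificate_authority` in the same block go through `| quote`; a secret that is all digits, starts with `*`, `&` or `{`, or contains `: ` or ` #` is retyped or breaks the rendered YAML, so append `| quote` to both lines. The rewrite also reverses the precedence of the two JWKS keys: the old `if .Values.sso.jwks / else if .Values.sso.jwks_uri` preferred an inline key set, the new `if ... jwks_uri / else if ... jwks` prefers the remote URI, so an override that sets both silently switches to remote key fetching — if intended, say so in the commit message or the NOTES deprecation block. The `$legacy` flag defined at the top of this hunk is reused by the chain hunks at @@ -114, @@ -133, @@ -149 and @@ -163 in this file, each repeating the same three `authorization_uri`/`token_uri`/`logout_redirect_uri` lines; a small named template would keep them identical. The `global.oidc` mapping continues outside the hunk.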
@@ -1,10 +1,10 @@ -{{- if and (or .Values.addons.gitlab.enabled .Values.addons.gitlabRunner.enabled) .Values.addons.gitlab.sso.enabled .Values.sso.certificate_authority}} +{{- if and (or .Values.addons.gitlab.enabled .Values.addons.gitlabRunner.enabled) .Values.addons.gitlab.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso))}} apiVersion: v1 kind: Secret metadata: - name: {{ .Values.sso.secretName }} + name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }} namespace: gitlab type: Opaque data: - ca.pem: {{ .Values.sso.certificate_authority | b64enc }} + ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }} {{- end }} diff --git a/chart/templates/gitlab/secret-sso.yaml b/chart/templates/gitlab/secret-sso.yaml index f329474c61..2ecae2442b 100644 --- a/chart/templates/gitlab/secret-sso.yaml +++ b/chart/templates/gitlab/secret-sso.yaml @@ -12,7 +12,7 @@ stringData: gitlab-sso.json: |- { "name": "openid_connect", - "label": "{{ .Values.addons.gitlab.sso.label }}", + "label": "{{ default .Values.sso.name .Values.addons.gitlab.sso.label }}", "args": { "name": "openid_connect", "scope": [ 
@@ -25,23 +25,23 @@ stringData: {{- if .Values.addons.gitlab.sso.issuer_uri }} "issuer": "{{ .Values.addons.gitlab.sso.issuer_uri }}", {{- else }} - "issuer": "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}", + "issuer": "{{ include "sso.url" . }}", {{- end }} "client_auth_method": "query", "discovery": true, - "uid_field": {{ .Values.addons.gitlab.sso.uid_field | default "preferred_username" | quote }}, + "uid_field": {{ default (dig "oidc" "claims" "username" "" .Values.sso) .Values.addons.gitlab.sso.uid_field | default "preferred_username" | quote }}, "client_options": { - "identifier": "{{ .Values.addons.gitlab.sso.client_id | default .Values.sso.client_id }}", - "secret": "{{ .Values.addons.gitlab.sso.client_secret | default .Values.sso.client_secret }}", + "identifier": "{{ .Values.addons.gitlab.sso.client_id }}", + "secret": "{{ .Values.addons.gitlab.sso.client_secret }}", "redirect_uri": "https://{{ .Values.addons.gitlab.hostnames.gitlab }}.{{ $domainName }}/users/auth/openid_connect/callback", {{- if .Values.addons.gitlab.sso.end_session_uri }} "end_session_endpoint": "{{ .Values.addons.gitlab.sso.end_session_uri }}" {{- else }} - "end_session_endpoint": "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/logout" + "end_session_endpoint": "{{ include "sso.oidc.endsession" . }}" {{- end }} } } } {{- end }} -{{- end}} +{{- end }} diff --git a/chart/templates/gitlab/values.yaml b/chart/templates/gitlab/values.yaml index 8275f9e87a..7afdc7476f 100644 --- a/chart/templates/gitlab/values.yaml +++ b/chart/templates/gitlab/values.yaml 
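Review bot: `"identifier"` and `"secret"` in `client_options` drop the previous `| default .Values.sso.client_id` / `| default .Values.sso.client_secret` fallback, so an override that relied on the global client credentials for GitLab now renders an empty identifier and secret, while the NOTES hunk in this same commit promises that deprecated keys "will continue to work". Either keep the fallback for one more release, `"identifier": "{{ .Values.addons.gitlab.sso.client_id | default .Values.sso.client_id }}",` and likewise for `"secret"`, or add a NOTES entry stating that GitLab no longer inherits `sso.client_id`/`sso.client_secret`. Pre-existing but worth fixing while here: the values are interpolated into a JSON string without escaping, so a secret containing `"` or `\` corrupts `gitlab-sso.json`; `"identifier": {{ .Values.addons.gitlab.sso.client_id | toJson }},` produces a correctly quoted JSON string. The `gitlab-sso.json` block scalar starts before this hunk.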
@@ -226,10 +226,12 @@ minio: {{- end }} global: - {{- if and .Values.addons.gitlab.sso.enabled .Values.sso.certificate_authority}} + {{- if and .Values.addons.gitlab.sso.enabled (or (dig "certificateAuthority" "secretName" false .Values.sso) .Values.sso.secretName) }} certificates: customCAs: - - secret: tls-ca-sso + {{- if or .Values.sso.secretName (dig "certificateAuthority" "secretName" false .Values.sso) }} + - secret: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }} + {{- end }} - secret: ca-certs-australian-defence-organisation-cross-cert-chain - secret: ca-certs-australian-defence-organisation-direct-trust-chain - secret: ca-certs-boeing diff --git a/chart/templates/jaeger/secret-ca.yaml b/chart/templates/jaeger/secret-ca.yaml index 0d94b9f558..86036a2994 100644 --- a/chart/templates/jaeger/secret-ca.yaml +++ b/chart/templates/jaeger/secret-ca.yaml @@ -1,10 +1,10 @@ -{{- if and .Values.jaeger.enabled .Values.jaeger.sso.enabled .Values.sso.certificate_authority }} +{{- if and .Values.jaeger.enabled .Values.jaeger.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }} apiVersion: v1 kind: Secret metadata: - name: {{ .Values.sso.secretName }} + name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }} namespace: jaeger type: Opaque data: - ca.pem: {{ .Values.sso.certificate_authority | b64enc }} + ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }} {{- end }} \ No newline at end of file diff --git a/chart/templates/kiali/secret-ca.yaml b/chart/templates/kiali/secret-ca.yaml index a242cf6afb..6f86830e22 100644 --- a/chart/templates/kiali/secret-ca.yaml +++ b/chart/templates/kiali/secret-ca.yaml 
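Review bot: The `customCAs` entry is now gated on a `secretName` being present (`or (dig "certificateAuthority" "secretName" false .Values.sso) .Values.sso.secretName`), but the Secret it names is created by gitlab/secret-ca.yaml only when a CA certificate is set; if chart/values.yaml carries a default `secretName` (likely, not visible here) and no certificate is configured, GitLab references a Secret that is never created, which would presumably block the pods that mount it. The old condition keyed on `.Values.sso.certificate_authority` and matched the Secret template; the new outer `if` should use the same check as the secret-ca hunks, `{{- if and .Values.addons.gitlab.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}`, with the inner `{{- if or .Values.sso.secretName ... }}` kept only if an empty name is still possible. The `global:` mapping continues outside the hunk.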
@@ -1,10 +1,10 @@ -{{- if and .Values.kiali.enabled .Values.kiali.sso.enabled .Values.sso.certificate_authority }} +{{- if and .Values.kiali.enabled .Values.kiali.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }} apiVersion: v1 kind: Secret metadata: - name: {{ .Values.sso.secretName }} + name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }} namespace: kiali type: Opaque data: - ca.pem: {{ .Values.sso.certificate_authority | b64enc }} + ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }} {{- end }} \ No newline at end of file diff --git a/chart/templates/kiali/values.yaml b/chart/templates/kiali/values.yaml index 096f8fc74a..a5974cfaf1 100644 --- a/chart/templates/kiali/values.yaml +++ b/chart/templates/kiali/values.yaml @@ -43,11 +43,11 @@ cr: openid: client_id: "{{ .Values.kiali.sso.client_id }}" disable_rbac: true - issuer_uri: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}" + issuer_uri: "{{ include "sso.url" . }}" scopes: - openid - email - username_claim: email + username_claim: {{ dig "oidc" "claims" "email" "email" .Values.sso }} {{- else }} strategy: token {{- end }} diff --git a/chart/templates/logging/elasticsearch-kibana/secret-ca.yaml b/chart/templates/logging/elasticsearch-kibana/secret-ca.yaml index 7d0ea6ce39..657e3a277d 100644 --- a/chart/templates/logging/elasticsearch-kibana/secret-ca.yaml +++ b/chart/templates/logging/elasticsearch-kibana/secret-ca.yaml 
@@ -1,10 +1,10 @@ -{{- if and .Values.logging.enabled .Values.logging.sso.enabled .Values.sso.certificate_authority }} +{{- if and .Values.logging.enabled .Values.logging.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }} apiVersion: v1 kind: Secret metadata: - name: {{ .Values.sso.secretName }} + name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }} namespace: logging type: Opaque data: - ca.pem: {{ .Values.sso.certificate_authority | b64enc }} + ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }} {{- end }} \ No newline at end of file diff --git a/chart/templates/logging/elasticsearch-kibana/values.yaml b/chart/templates/logging/elasticsearch-kibana/values.yaml index ade6792c64..fb8adcbabf 100644 --- a/chart/templates/logging/elasticsearch-kibana/values.yaml +++ b/chart/templates/logging/elasticsearch-kibana/values.yaml 
@@ -37,26 +37,22 @@ sso:
 client_id: {{ .client_id | quote }}
 client_secret: {{ .client_secret | default "no-secret" }}
 oidc:
- {{- if $.Values.logging.sso.oidc }}
- host: {{ .oidc.host | default $.Values.sso.oidc.host | quote }}
- realm: {{ .oidc.realm | default $.Values.sso.oidc.realm | quote }}
- {{- else }}
- host: {{ $.Values.sso.oidc.host | quote }}
- realm: {{ $.Values.sso.oidc.realm | quote }}
- {{- end }}
+ host: {{ default (include "sso.host" $) (dig "oidc" "host" "" .) | quote }}
+ realm: {{ default (include "sso.realm" $) (dig "oidc" "realm" "" .) | quote }}
 {{- /* Optional fields should be nil checked */ -}}
- {{- list "issuer" .issuer | include "bigbang.addValueIfSet" | indent 2 }}
- {{- list "auth_url" .auth_url | include "bigbang.addValueIfSet" | indent 2 }}
- {{- list "token_url" .token_url | include "bigbang.addValueIfSet" | indent 2 }}
- {{- list "userinfo_url" .userinfo_url | include "bigbang.addValueIfSet" | indent 2 }}
- {{- list "jwkset_url" .jwkset_url | include "bigbang.addValueIfSet" | indent 2 }}
- {{- list "claims_principal" .claims_principal | include "bigbang.addValueIfSet" | indent 2 }}
+ {{- $legacy := and (not (empty $.Values.sso.oidc.realm)) (not (empty $.Values.sso.oidc.host)) -}}
+ {{- list "issuer" (default (ternary nil (include "sso.url" $) $legacy) .issuer) | include "bigbang.addValueIfSet" | indent 2 }}
+ {{- list "auth_url" (default (ternary nil (include "sso.oidc.auth" $) $legacy) .auth_url) | include "bigbang.addValueIfSet" | indent 2 }}
+ {{- list "token_url" (default (ternary nil (include "sso.oidc.token" $) $legacy) .token_url) | include "bigbang.addValueIfSet" | indent 2 }}
+ {{- list "userinfo_url" (default (ternary nil (include "sso.oidc.userinfo" $) $legacy) .userinfo_url) | include "bigbang.addValueIfSet" | indent 2 }}
+ {{- list "jwkset_url" (default (ternary nil (include "sso.oidc.jwksuri" $) $legacy) .jwkset_url) | include "bigbang.addValueIfSet" | indent 2 }}
+ {{- list "claims_principal" (default (ternary nil (dig "oidc" "claims" "username" nil $.Values.sso) $legacy) .claims_principal) | include "bigbang.addValueIfSet" | indent 2 }}
 {{- list "claims_principal_pattern" .claims_principal_pattern | include "bigbang.addValueIfSet" | indent 2 }}
 {{- list "requested_scopes" .requested_scopes | include "bigbang.addValueIfSet" | indent 2 }}
 {{- list "signature_algorithm" .signature_algorithm | include "bigbang.addValueIfSet" | indent 2 }}
- {{- list "endsession_url" .endsession_url | include "bigbang.addValueIfSet" | indent 2 }}
- {{- list "claims_group" .claims_group | include "bigbang.addValueIfSet" | indent 2 }}
- {{- list "claims_mail" .claims_mail | include "bigbang.addValueIfSet" | indent 2 }}
+ {{- list "endsession_url" (default (ternary nil (include "sso.oidc.endsession" $) $legacy) .endsession_url) | include "bigbang.addValueIfSet" | indent 2 }}
+ {{- list "claims_group" (default (ternary nil (dig "oidc" "claims" "groups" nil $.Values.sso) $legacy) .claims_group) | include "bigbang.addValueIfSet" | indent 2 }}
+ {{- list "claims_mail" (default (ternary nil (dig "oidc" "claims" "email" nil $.Values.sso) $legacy) .claims_mail) | include "bigbang.addValueIfSet" | indent 2 }}
 {{- list "cert_authorities" .cert_authorities | include "bigbang.addValueIfSet" | indent 2 }}
 {{- end }}
 {{- end }}
diff --git a/chart/templates/mattermost/secret-ca.yaml b/chart/templates/mattermost/secret-ca.yaml
index 7752a8a844..615f15102a 100644
--- a/chart/templates/mattermost/secret-ca.yaml
+++ b/chart/templates/mattermost/secret-ca.yaml
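Review bot: The `$legacy` sentinel and the `ternary nil (include …) $legacy` wrapper are repeated on nine lines with nothing saying what `$legacy` means or why a deployment that still sets the deprecated `sso.oidc.host`/`realm` pair gets no endpoint defaults at all; a reader has to reverse-engineer that from the `and (not (empty …))` expression. A comment on the assignment line would carry it, e.g. `{{- /* $legacy: deprecated sso.oidc.host/realm are set; leave endpoints unset so they keep being derived from host/realm as before (confirm against the package chart) */ -}}`. The nine fallbacks could also be built once into a single `dict` under that sentinel so each `list "…" (default … ) | include "bigbang.addValueIfSet"` line stays short and the legacy decision is made in one place. The block that binds `.` to the package's sso values starts outside the hunk.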
@@ -1,10 +1,10 @@
-{{- if and .Values.addons.mattermost.enabled .Values.addons.mattermost.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.addons.mattermost.enabled .Values.addons.mattermost.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ .Values.sso.secretName }}
+ name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
 namespace: mattermost
 type: Opaque
 data:
- ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+ ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
diff --git a/chart/templates/mattermost/values.yaml b/chart/templates/mattermost/values.yaml
index e996443201..f800a7470d 100644
--- a/chart/templates/mattermost/values.yaml
+++ b/chart/templates/mattermost/values.yaml
@@ -37,9 +37,9 @@ sso:
 enabled: {{ .enabled }}
 client_id: {{ .client_id }}
 client_secret: {{ .client_secret | default "no-secret" }}
- auth_endpoint: {{ .auth_endpoint | default (printf "https://%s/auth/realms/%s/protocol/openid-connect/auth" $.Values.sso.oidc.host $.Values.sso.oidc.realm) }}
- token_endpoint: {{ .token_endpoint | default (printf "https://%s/auth/realms/%s/protocol/openid-connect/token" $.Values.sso.oidc.host $.Values.sso.oidc.realm) }}
- user_api_endpoint: {{ .user_api_endpoint | default (printf "https://%s/auth/realms/%s/protocol/openid-connect/userinfo" $.Values.sso.oidc.host $.Values.sso.oidc.realm) }}
+ auth_endpoint: {{ default (include "sso.oidc.auth" $) .auth_endpoint }}
+ token_endpoint: {{ default (include "sso.oidc.token" $) .token_endpoint }}
+ user_api_endpoint: {{ default (include "sso.oidc.userinfo" $) .user_api_endpoint }}
 {{- end }}
 networkPolicies:
diff --git a/chart/templates/monitoring/secret-ca.yaml b/chart/templates/monitoring/secret-ca.yaml
index 300ad3fab0..b2fc380983 100644
--- a/chart/templates/monitoring/secret-ca.yaml
+++ b/chart/templates/monitoring/secret-ca.yaml
@@ -1,10 +1,10 @@
-{{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ .Values.sso.secretName }}
+ name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
 namespace: monitoring
 type: Opaque
 data:
- ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+ ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
diff --git a/chart/templates/monitoring/values.yaml b/chart/templates/monitoring/values.yaml
index 6cb85b2cd6..8c8aeab810 100644
--- a/chart/templates/monitoring/values.yaml
+++ b/chart/templates/monitoring/values.yaml
@@ -311,12 +311,15 @@ grafana:
 auth.generic_oauth:
 enabled: {{ .Values.monitoring.sso.enabled }}
+ {{- if .Values.sso.name }}
+ name: {{ .Values.sso.name }}
+ {{- end }}
 client_id: {{ .Values.monitoring.sso.grafana.client_id }}
 client_secret: {{ .Values.monitoring.sso.grafana.client_secret }}
 scopes: {{ .Values.monitoring.sso.grafana.scopes | default "openid profile email" }}
- auth_url: {{ .Values.monitoring.sso.grafana.auth_url | default (tpl .Values.sso.auth_url .) }}
- token_url: {{ .Values.monitoring.sso.grafana.token_url | default (tpl .Values.sso.token_url .) }}
- api_url: {{ .Values.monitoring.sso.grafana.api_url | default (tpl "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/userinfo" .) }}
+ auth_url: {{ default (include "sso.oidc.auth" .) .Values.monitoring.sso.grafana.auth_url }}
+ token_url: {{ default (include "sso.oidc.token" .) .Values.monitoring.sso.grafana.token_url }}
+ api_url: {{ default (include "sso.oidc.userinfo" .) .Values.monitoring.sso.grafana.api_url }}
 allow_sign_up: {{ .Values.monitoring.sso.grafana.allow_sign_up | default "True" }}
 role_attribute_path: {{ .Values.monitoring.sso.grafana.role_attribute_path | default "Viewer" }}
 {{- with .Values.monitoring.sso.grafana }}
diff --git a/chart/templates/nexus-repository-manager/secret-ca.yaml b/chart/templates/nexus-repository-manager/secret-ca.yaml
index b3554dddb6..7ffd1dae88 100644
--- a/chart/templates/nexus-repository-manager/secret-ca.yaml
+++ b/chart/templates/nexus-repository-manager/secret-ca.yaml
@@ -1,12 +1,12 @@
 {{- $nexusOldValues := default dict .Values.addons.nexus -}}
 {{- $nexusValues := merge $nexusOldValues .Values.addons.nexusRepositoryManager -}}
-{{- if and $nexusValues.enabled $nexusValues.sso.enabled .Values.sso.certificate_authority }}
+{{- if and $nexusValues.enabled $nexusValues.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{.Values.sso.secretName}}
+ name: {{default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName}}
 namespace: nexus-repository-manager
 type: Opaque
 data:
- ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+ ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
diff --git a/chart/templates/nexus-repository-manager/values.yaml b/chart/templates/nexus-repository-manager/values.yaml
index f3164bbe57..9529642cce 100644
--- a/chart/templates/nexus-repository-manager/values.yaml
+++ b/chart/templates/nexus-repository-manager/values.yaml
@@ -77,7 +77,7 @@ sso:
 groupsAttribute: "{{ default "groups" $nexusValues.sso.idp_data.groups }}"
 validateResponseSignature: "true"
 validateAssertionSignature: "true"
- idpMetadata: '{{ $nexusValues.sso.idp_data.idpMetadata }}'
+ idpMetadata: '{{ default (dig "saml" "metadata" "" .Values.sso) (dig "sso" "idp_data" "idpMetadata" "" $nexusValues) }}'
 realm:
 - "NexusAuthenticatingRealm"
 - "NexusAuthorizingRealm"
diff --git a/chart/templates/secrets/certificateauthority.yaml b/chart/templates/secrets/certificateauthority.yaml
index dd25cd78ec..0329b2c923 100644
--- a/chart/templates/secrets/certificateauthority.yaml
+++ b/chart/templates/secrets/certificateauthority.yaml
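Review bot: `idpMetadata: '{{ default (dig "saml" "metadata" "" .Values.sso) (dig "sso" "idp_data" "idpMetadata" "" $nexusValues) }}'` still wraps the IdP metadata in YAML single quotes, but the old per-package comment that required "a single line string in single quotes" is deleted from chart/values.yaml in this commit and the new global `sso.saml.metadata` is described only as "literal SAML XML metadata", so a `'` inside the XML or a multi-line value now breaks or silently folds the rendered values. Rendering the expression with `| quote` escapes both cases: `idpMetadata: {{ default (dig "saml" "metadata" "" .Values.sso) (dig "sso" "idp_data" "idpMetadata" "" $nexusValues) | quote }}`. This value carries the IdP signing certificate that `validateAssertionSignature` relies on, so a mangled copy is worth guarding against rather than documenting around.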
@@ -1,5 +1,5 @@
 {{- /* Used for adding a trusted custom CA for SSO. One per namespace. */ -}}
-{{- if (dig "certificate_authority" false .Values.sso) -}}
+{{- if (or (dig "certificate_authority" false .Values.sso) (dig "certificateAuthority" "cert" false .Values.sso)) -}}
 {{- range $ns := compact (splitList " " (include "uniqueNamespaces" (merge (dict "default" false "constraint" "sso.enabled") $))) -}}
 apiVersion: v1
 kind: Secret
@@ -11,7 +11,7 @@ metadata:
 {{- include "commonLabels" $ | nindent 4 }}
 type: Opaque
 data:
- ca.pem: {{ $.Values.sso.certificate_authority | b64enc }}
+ ca.pem: {{ default (dig "certificateAuthority" "cert" "" $.Values.sso) $.Values.sso.certificate_authority | b64enc }}
 ---
 {{ end -}}
 {{- end -}}
\ No newline at end of file
diff --git a/chart/templates/sonarqube/secret-ca.yaml b/chart/templates/sonarqube/secret-ca.yaml
index 29109e5bca..195c97573c 100644
--- a/chart/templates/sonarqube/secret-ca.yaml
+++ b/chart/templates/sonarqube/secret-ca.yaml
@@ -1,10 +1,10 @@
-{{- if and .Values.addons.sonarqube.enabled .Values.addons.sonarqube.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.addons.sonarqube.enabled .Values.addons.sonarqube.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ .Values.sso.secretName }}
+ name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
 namespace: sonarqube
 type: Opaque
 data:
- ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+ ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
diff --git a/chart/templates/sonarqube/values.yaml b/chart/templates/sonarqube/values.yaml
index de49ca36bb..94503208b1 100644
--- a/chart/templates/sonarqube/values.yaml
+++ b/chart/templates/sonarqube/values.yaml
@@ -44,10 +44,10 @@ sonarProperties:
 sonar.auth.saml.enabled: {{ .Values.addons.sonarqube.sso.enabled }}
 sonar.core.serverBaseURL: https://sonarqube.{{ $domainName }}
 sonar.auth.saml.applicationId: {{ .Values.addons.sonarqube.sso.client_id }}
- sonar.auth.saml.providerName: {{ .Values.addons.sonarqube.sso.provider_name | default .Values.addons.sonarqube.sso.label }}
- sonar.auth.saml.providerId: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}
- sonar.auth.saml.loginUrl: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/saml
- sonar.auth.saml.certificate.secured: {{ .Values.addons.sonarqube.sso.certificate }}
+ sonar.auth.saml.providerName: {{ coalesce .Values.addons.sonarqube.sso.provider_name .Values.addons.sonarqube.sso.label .Values.sso.name }}
+ sonar.auth.saml.providerId: {{ include "sso.url" . }}
+ sonar.auth.saml.loginUrl: {{ include "sso.saml.service" . }}
+ sonar.auth.saml.certificate.secured: {{ default (include "sso.saml.cert" .) .Values.addons.sonarqube.sso.certificate }}
 sonar.auth.saml.user.login: {{ .Values.addons.sonarqube.sso.login | default "login" }}
 sonar.auth.saml.user.name: {{ .Values.addons.sonarqube.sso.name | default "name" }}
 sonar.auth.saml.user.email: {{ .Values.addons.sonarqube.sso.email | default "email" }}
diff --git a/chart/templates/twistlock/values.yaml b/chart/templates/twistlock/values.yaml
index 67cacca31f..43a944f9d0 100644
--- a/chart/templates/twistlock/values.yaml
+++ b/chart/templates/twistlock/values.yaml
@@ -4,7 +4,8 @@
 {{- define "bigbang.defaults.twistlock" -}}
 # hostname is deprecated and replaced with domain. But if hostname exists then use it.
-domain: {{ default .Values.domain .Values.hostname }}
+{{- $domainName := default .Values.domain .Values.hostname }}
+domain: {{ $domainName }}
 openshift: {{ .Values.openshift }}
@@ -52,12 +53,12 @@ console:
 sso:
 enabled: {{ .Values.twistlock.sso.enabled }}
 client_id: {{ .Values.twistlock.sso.client_id }}
- provider_name: {{ .Values.twistlock.sso.provider_name }}
+ provider_name: {{ default .Values.sso.name .Values.twistlock.sso.provider_name }}
 provider_type: {{ .Values.twistlock.sso.provider_type }}
- issuer_uri: {{ tpl .Values.twistlock.sso.issuer_uri . }}
- idp_url: {{ tpl .Values.twistlock.sso.idp_url . }}
- console_url: {{ tpl .Values.twistlock.sso.console_url . }}
+ issuer_uri: {{ default (include "sso.url" .) (tpl (default "" .Values.twistlock.sso.issuer_uri) .) }}
+ idp_url: {{ default (include "sso.saml.service" .) (tpl (default "" .Values.twistlock.sso.idp_url) .) }}
+ {{- $console := first (dig "istio" "console" "hosts" (list (printf "twistlock.%s" $domainName)) .Values.twistlock.values) }}
+ console_url: {{ tpl (default (printf "https://%s" $console) .Values.twistlock.sso.console_url) . }}
 groups: {{ .Values.twistlock.sso.groups }}
- cert: {{ .Values.twistlock.sso.cert | quote }}
-
+ cert: {{ default (include "sso.saml.cert.withheaders" .) .Values.twistlock.sso.cert | quote }}
 {{- end -}}
diff --git a/chart/templates/wrapper/gitrepository.yaml b/chart/templates/wrapper/gitrepository.yaml
index 16ba1329a6..2475f87fc5 100644
--- a/chart/templates/wrapper/gitrepository.yaml
+++ b/chart/templates/wrapper/gitrepository.yaml
@@ -1,5 +1,5 @@
 {{- /* Used for GitOps of the BigBang package wrapper Helm chart. Shared by all packages */ -}}
-{{- if .Values.wrapper -}}
+{{- if and .Values.wrapper (omit (default dict .Values.packages) "sample") -}}
 apiVersion: source.toolkit.fluxcd.io/v1beta1
 kind: GitRepository
 metadata:
diff --git a/chart/values.yaml b/chart/values.yaml
index 073181c74e..0efb3bac14 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
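Review bot: `$console := first (dig "istio" "console" "hosts" (list (printf "twistlock.%s" $domainName)) .Values.twistlock.values)` only falls back when the `hosts` key is absent; if a user sets `istio.console.hosts: []`, Sprig's `first` returns nil for the empty list and `console_url` renders as `https://%!s(<nil>)`, which is what Go's `printf %s` prints for nil. Treating an empty list like a missing one closes that gap: `{{- $console := first (default (list (printf "twistlock.%s" $domainName)) (dig "istio" "console" "hosts" nil .Values.twistlock.values)) }}`. A short comment on that line saying the console URL is derived from the package's Istio host when `console_url` is not set would also help, since the default was previously visible in values.yaml and is now only implied here. `$domainName` is assigned in the earlier hunk of the same define, whose opening is outside this hunk.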
@@ -48,37 +48,53 @@ git: publicKey: "" knownHosts: "" -# -- Global SSO values used for BigBang deployments when sso is enabled, can be overridden by individual packages. +# -- Global SSO values used for BigBang deployments when sso is enabled sso: + # -- Name of the identity provider. This is used by some packages as the SSO login label. + name: SSO + # -- Base URL for the identity provider. For OIDC, this is the issuer. For SAML this is the entityID. + url: https://login.dso.mil/auth/realms/baby-yoda + + # -- Certificate authority for the identity provider's certificates + certificateAuthority: + # -- The certificate authority public certificate in .pem format. Populating this will create a secret in each namespace that enables SSO. + cert: "" # See docs/assets/configs/example/dev-sso-values.yaml for an example + # -- The secret name to use for the certificate authority. Can be manually populated if cert is blank. + secretName: tls-ca-sso + + saml: + # -- SAML entityDescriptor (metadata) path + entityDescriptor: "{{ .Values.sso.url }}/protocol/saml/descriptor" + # -- SAML SSO Service path + service: "{{ .Values.sso.url }}/protocol/saml" + # -- Literal SAML XML metadata retrieved from `{{ .Values.sso.saml.entityDescriptor }}`. Required for SSO in Nexus, Twistlock, or Sonarqube. + metadata: "" # See docs/assets/configs/example/dev-sso-values.yaml for an example + # NOTE: SAML attribute names may vary by package. Use the package values to setup attribute names + + # -- OIDC endpoints can be retrieved from `{{ .Values.sso.url }}/.well-known/openid-configuration` oidc: - # -- Domain for keycloak used for configuring SSO - host: login.dso.mil - # -- Keycloak realm containing clients - realm: baby-yoda - - # -- Keycloak's certificate authority (PEM Format). Entered using chomp modifier (see docs/assets/configs/example/dev-sso-values.yaml for example). 
Used by authservice to support SSO for various packages - certificate_authority: "" - - # -- Keycloak realm's json web key output, obtained at https://<keycloak-server>/auth/realms/<realm>/protocol/openid-connect/certs - jwks: '' - - # -- Optional use of JWKS fetcher config for ease of use and automation. Fill in JWKS URI value of OIDC endpoint, can be found under the well known OpenID metadata configuration page of your provider. - jwks_uri: "" - - # -- OIDC client ID used for packages authenticated through authservice - client_id: "" - - # -- OIDC client secret used for packages authenticated through authservice - client_secret: "" - - # -- OIDC token URL template string (to be used as default) - token_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token" - - # -- OIDC auth URL template string (to be used as default) - auth_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth" - - # -- Kubernetes Secret containing the sso.certificate_authority value for SSO enabled application namespaces - secretName: "tls-ca-sso" + # -- OIDC authorization path + authorization: "{{ .Values.sso.url }}/protocol/openid-connect/auth" + # -- OIDC logout / end session path + endSession: "{{ .Values.sso.url }}/protocol/openid-connect/logout" + # -- OIDC JSON Web Key Set (JWKS) path + jwksUri: "{{ .Values.sso.url }}/protocol/openid-connect/certs" + # -- OIDC token path + token: "{{ .Values.sso.url }}/protocol/openid-connect/token" + # -- OIDC user information path + userinfo: "{{ .Values.sso.url }}/protocol/openid-connect/userinfo" + # -- Literal OIDC JWKS data retrieved from JWKS Uri. Only needed if `jwsksUri` is not defined. + jwks: "" + # -- Identity provider claim names that store metadata about the authenticated user. + claims: + # -- IdP's claim name used for the user's email address. 
+ email: email + # -- IdP's claim name used for the user's full name + name: name + # -- IdP's claim name used for the username + username: preferred_username + # -- IdP's claim name used for the user's groups or roles + groups: groups # -- (Advanced) Flux reconciliation parameters. # The default values provided will be sufficient for the majority of workloads. @@ -736,27 +752,13 @@ twistlock: # -- SAML client ID client_id: "" - # -- SAML Povider Alias (optional) - provider_name: "" - # -- SAML Identity Provider. `shibboleth` is recommended by Twistlock support for Keycloak + # Possible values: okta, gsuite, ping, shibboleth, azure, adfs provider_type: "shibboleth" - # -- Identity Provider url with path to realm - issuer_uri: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}" - - # -- SAML Identity Provider SSO URL - idp_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/saml" - - # -- Console URL of the Twistlock app (optional) - console_url: "https://twistlock.{{ .Values.domain }}" - # -- Groups attribute (optional) groups: "" - # -- X.509 Certificate from Identity Provider (i.e. Keycloak). See https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock/-/blob/main/docs/KEYCLOAK.md for format. Use the `|-` syntax for multiline string. - cert: "" - # -- Values to passthrough to the twistlock chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git values: {} @@ -800,9 +802,6 @@ addons: # -- ArgoCD OIDC client secret client_secret: "" - # -- ArgoCD SSO login text - provider_name: "" - # -- ArgoCD SSO group roles, see docs for more details: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/ groups: | g, Impact Level 2 Authorized, role:admin 
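Review bot: The comment on the new `jwks:` line reads "Only needed if `jwsksUri` is not defined" but the key above it is `jwksUri`; fix the spelling so helm-docs and readers match it to the right key. The keys this hunk deletes (`sso.certificate_authority`, `sso.secretName`, `sso.oidc.host`, `sso.oidc.realm`) are still read by the templates in this commit — the secret-ca.yaml files give the legacy CA precedence over `certificateAuthority.*`, and elasticsearch-kibana/values.yaml switches off all endpoint defaults when host/realm are set — so a user who keeps them will quietly never pick up the new values. A short note under `sso:` naming those keys as deprecated-but-still-honoured, and stating that they override the new settings until removed, would prevent that surprise; the `certificateAuthority.cert` comment could likewise say the value ends up base64-encoded in a Secret named `secretName` in each SSO-enabled namespace, which is the visible effect in secrets/certificateauthority.yaml.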
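Review bot: `provider_name`, `issuer_uri`, `idp_url`, `console_url` and `cert` are removed from the twistlock defaults here, yet twistlock/values.yaml still dereferences them directly (`.Values.twistlock.sso.provider_name`, `.Values.twistlock.sso.cert`, …) rather than through `dig` as the nexus template does; with Helm's default `missingkey=zero` that renders empty, but if I read strict mode correctly a `helm template --strict` / `helm lint --strict` run would fail on the now-missing keys. The same pattern applies to `addons.sonarqube.sso.provider_name` and `certificate`, removed further down and read by sonarqube/values.yaml, and to the mattermost endpoints read as `.auth_endpoint`, `.token_endpoint` and `.user_api_endpoint` in mattermost/values.yaml. Either keep the keys with `""` defaults and a `# -- (deprecated) …` comment, or read them with `dig "sso" "<key>" "" .Values.twistlock` in the templates, so the two halves of this refactor agree.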
@@ -918,24 +917,10 @@ addons: # -- Gitlab OIDC client secret client_secret: "" - # -- Gitlab SSO login button label - label: "" - # -- Gitlab SSO Scopes, default is ["Gitlab"] scopes: - Gitlab - # -- GitLab SSO Issuer URI, - # Only needed if your SSO is non-Keycloak - issuer_uri: "" - - # -- GitLab SSO End Session URI, - # Only needed if your SSO is non-Keycloak - end_session_uri: "" - - # -- Gitlab SSO UID field - uid_field: preferred_username - database: # -- Hostname of a pre-existing PostgreSQL database to use for Gitlab. # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets. @@ -1040,7 +1025,7 @@ addons: # -- NXRM SAML SSO Integration data idp_data: - # Nexus saml URL. example: "https://nexus.example.mil/service/rest/v1/security/saml/metadata" + # Nexus saml URL. example: "https://nexus.bigbang.dev/service/rest/v1/security/saml/metadata" entityId: "" # -- IdP Field Mappings @@ -1059,10 +1044,6 @@ addons: # -- NXRM groups attribute (optional) groups: "" - # -- IDP SAML Metadata XML as a single line string in single quotes - # -- this information is public and does not require a secret - idpMetadata: '' - # -- NXRM Role role: # the id must match the Keycloak group name (case sensitive) @@ -1104,13 +1085,6 @@ addons: # -- SonarQube SAML client ID client_id: "" - # -- SonarQube SSO login button label - provider_name: "" - - # -- SonarQube plaintext SAML sso certificate. - # example: MITCAYCBFyIEUjNBkqhkiG9w0BA.... - certificate: "" - # -- SonarQube login sso attribute. login: login 
@@ -1198,14 +1172,14 @@ addons: gateway: "" sso: - # -- Toggle OIDC SSO for Anchore on and off. + # -- Toggle SAML SSO for Anchore on and off. # Enabling this option will auto-create any required secrets (Note: SSO requires an Enterprise license). enabled: false - # -- Anchore OIDC client ID + # -- Anchore SAML client ID client_id: "" - # -- Anchore OIDC client role attribute + # -- Anchore SAML client role attribute role_attribute: "" database: @@ -1306,18 +1280,6 @@ addons: # -- Mattermost OIDC client secret client_secret: "" - # -- Mattermost OIDC auth endpoint - # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values - auth_endpoint: "" - - # -- Mattermost OIDC token endpoint - # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values - token_endpoint: "" - - # -- Mattermost OIDC user API endpoint - # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values - user_api_endpoint: "" - database: # -- Hostname of a pre-existing PostgreSQL database to use for Mattermost. # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets. diff --git a/docs/assets/configs/example/dev-sso-values.yaml b/docs/assets/configs/example/dev-sso-values.yaml index 05fb4f9ac0..969d71cad4 100644 --- a/docs/assets/configs/example/dev-sso-values.yaml +++ b/docs/assets/configs/example/dev-sso-values.yaml 
@@ -1,156 +1,148 @@ # Enables and configures sso for all packages using the test bigbang.dev clients: - sso: + name: P1 SSO # Entrust certificate authority for login.dso.mil # do not use this CA with a Keycloak deployed with a different certificate authority # For example *.bigbang.dev because that certificate is issued by a different CA - certificate_authority: | - -----BEGIN CERTIFICATE----- - MIIH0zCCBrugAwIBAgIQHeg1retyhPnWuzryBJeBvTANBgkqhkiG9w0BAQsFADCB - ujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsT - H1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAy - MDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwG - A1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0y - MDEyMTUwMzE1MDJaFw0yMjAxMTQwMzE1MDJaMHMxCzAJBgNVBAYTAlVTMREwDwYD - VQQIEwhDb2xvcmFkbzEZMBcGA1UEBxMQQ29sb3JhZG8gU3ByaW5nczEeMBwGA1UE - ChMVRGVwYXJ0bWVudCBvZiBEZWZlbnNlMRYwFAYDVQQDEw1sb2dpbi5kc28ubWls - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAymUXk7STDlepS5HJu0ca - B57S5dfLp7zxYmcsGjo10YkHy3m9LASQCTyiioDrlwo2b+n8oZ7esGLv3RgggMwf - xvLVyx1+lZDswxdQoXmjArTdbqpcSoq3Y1rvVp33/jGb3slBjQtcMt2QvaFv3fxy - cwwINvJFEqsQS7zGUgpolJ3smKdcVpUSGZmzpYposuDlPUGeOJaQRMAACW5arWiT - VkDhJD+OVOYEHW8uCQfghD3JJXu6Xp9SwlWe6UNOdxo9cq3s/XE4ZwEgffdLXP2A - wuJF/7B7CFdZjIMptmOODyCeatC344iyubU0MiGCOm4W4wn0pQ0XJtAzWeYFKATL - 9BquNOzPUR6pMSFMvIEiS96zbVFuOYt2XKgPryWEYji3Oky082WWYOcXt0NnqnCj - SafVU+2fQi4jQ0att5YXagEEPz83lQZdSKb2+grDeFg78VrEZAe+Y0mVu4/G93he - UOqfZ9jdCnFXq8sEMG9bJJFKeOXkb1Da8Y0amfOw4hFd4UslrbvC5ZCUZNh6roOk - 8kast9QWtWFIGPC3f+Uq3gvx3GBHzIG9QPOq1CjSSAF3tWKuMTxK4zaS33mriJo0 - Dv1CMX3FCmjT/qG3422guBL02hbGHveDSWk0/saY7ZWFifxnvKEdOi4ItnpMuQhE - zx6/+t7FWuzBTPAeVqV1l2sCAwEAAaOCAxkwggMVMAwGA1UdEwEB/wQCMAAwHQYD - VR0OBBYEFCLwpnkje7QKLWok+nWIeBEnIGfmMB8GA1UdIwQYMBaAFIKicHTdvFM/ - z3vU981/p2DGCky/MGgGCCsGAQUFBwEBBFwwWjAjBggrBgEFBQcwAYYXaHR0cDov - L29jc3AuZW50cnVzdC5uZXQwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9haWEuZW50cnVz - 
dC5uZXQvbDFrLWNoYWluMjU2LmNlcjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8v - Y3JsLmVudHJ1c3QubmV0L2xldmVsMWsuY3JsMCcGA1UdEQQgMB6CDWxvZ2luLmRz - by5taWyCDWxvZ2luLmRzb3AuaW8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG - CCsGAQUFBwMBBggrBgEFBQcDAjBMBgNVHSAERTBDMDcGCmCGSAGG+mwKAQUwKTAn - BggrBgEFBQcCARYbaHR0cHM6Ly93d3cuZW50cnVzdC5uZXQvcnBhMAgGBmeBDAEC - AjCCAX4GCisGAQQB1nkCBAIEggFuBIIBagFoAHUAVhQGmi/XwuzT9eG9RLI+x0Z2 - ubyZEVzA75SYVdaJ0N0AAAF2ZGTpIwAABAMARjBEAiAK+W9ukx92DJPFV87LexEg - /qDFTjtkiLh/z+mLmDtOwQIgUD4YrMuo22sV9MeJ8JmzraCQVdUUIprw4K4HN+eO - 6W0AdwDfpV6raIJPH2yt7rhfTj5a6s2iEqRqXo47EsAgRFwqcwAAAXZkZOlKAAAE - AwBIMEYCIQDRpvbR/GroWSGlCIh1q0RUITb8RfI4skqqBa/FeU811AIhAPlRY4lv - DC2u9MFSEiCVeaFYJRU0xvAwmHQMtrl+IE4iAHYARqVV63X6kSAwtaKJafTzfREs - QXS+/Um4havy/HD+bUcAAAF2ZGTrYAAABAMARzBFAiEAifP8Y0nXFBykaTyzpWpv - E3FDi8NCQeJFRMJqD7loTjMCIHVDio7r+zANTbIdRLRRzHoNzo//xfJ0JUqejNRA - aCpZMA0GCSqGSIb3DQEBCwUAA4IBAQB/wtYjDQiPLe99tZq98IyxOSJCli2mtlV9 - gSC67aj4rgW6g+C8P1bSoB5PamMq6rON5q0SXL3CQiQ7vegxCQnleDh0LWeKPFS2 - jjSIl3CvrYfBlNBzw4H1uAa/yw+enr0So8oX8kdSTBFGnU4KoK646lFZRXSifFIU - zzQ9QYYedmiP0iKs5LDYGAOsB/w/O94+zv6qGKXA1fVzBXAD54MddqGk9mHZTSyL - 6nsSTx4r8vCGQir7d2QuIGLD48zaYQz0TFcGKnBV3/9CB27RxJkRdMwUbMvNdp3C - V+C2+jdR8xA/0qCnvSxHc1lTZgXxVkcu/wpqIBn3af5Ha8ddd0DU - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIFDjCCA/agAwIBAgIMDulMwwAAAABR03eFMA0GCSqGSIb3DQEBCwUAMIG+MQsw - CQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2Vl - IHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkg - RW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIwMAYDVQQD - EylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjAeFw0x - NTEwMDUxOTEzNTZaFw0zMDEyMDUxOTQzNTZaMIG6MQswCQYDVQQGEwJVUzEWMBQG - A1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRydXN0Lm5l - dC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMTIgRW50cnVzdCwgSW5jLiAt - IGZvciBhdXRob3JpemVkIHVzZSBvbmx5MS4wLAYDVQQDEyVFbnRydXN0IENlcnRp - ZmljYXRpb24gQXV0aG9yaXR5IC0gTDFLMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A - 
MIIBCgKCAQEA2j+W0E25L0Tn2zlem1DuXKVh2kFnUwmqAJqOV38pa9vH4SEkqjrQ - jUcj0u1yFvCRIdJdt7hLqIOPt5EyaM/OJZMssn2XyP7BtBe6CZ4DkJN7fEmDImiK - m95HwzGYei59QAvS7z7Tsoyqj0ip/wDoKVgG97aTWpRzJiatWA7lQrjV6nN5ZGhT - JbiEz5R6rgZFDKNrTdDGvuoYpDbwkrK6HIiPOlJ/915tgxyd8B/lw9bdpXiSPbBt - LOrJz5RBGXFEaLpHPATpXbo+8DX3Fbae8i4VHj9HyMg4p3NFXU2wO7GOFyk36t0F - ASK7lDYqjVs1/lMZLwhGwSqzGmIdTivZGwIDAQABo4IBDDCCAQgwDgYDVR0PAQH/ - BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwMwYIKwYBBQUHAQEEJzAlMCMGCCsG - AQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAwBgNVHR8EKTAnMCWgI6Ah - hh9odHRwOi8vY3JsLmVudHJ1c3QubmV0L2cyY2EuY3JsMDsGA1UdIAQ0MDIwMAYE - VR0gADAoMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L3JwYTAd - BgNVHQ4EFgQUgqJwdN28Uz/Pe9T3zX+nYMYKTL8wHwYDVR0jBBgwFoAUanImetAe - 733nO2lR1GyNn5ASZqswDQYJKoZIhvcNAQELBQADggEBADnVjpiDYcgsY9NwHRkw - y/YJrMxp1cncN0HyMg/vdMNY9ngnCTQIlZIv19+4o/0OgemknNM/TWgrFTEKFcxS - BJPok1DD2bHi4Wi3Ogl08TRYCj93mEC45mj/XeTIRsXsgdfJghhcg85x2Ly/rJkC - k9uUmITSnKa1/ly78EqvIazCP0kkZ9Yujs+szGQVGHLlbHfTUqi53Y2sAEo1GdRv - c6N172tkw+CNgxKhiucOhk3YtCAbvmqljEtoZuMrx1gL+1YQ1JH7HdMxWBCMRON1 - exCdtTix9qrKgWRs6PLigVWXUX/hwidQosk8WwBD9lu51aX8/wdQQGcHsFXwt35u - Lcw= - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC - VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50 - cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs - IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz - dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy - NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu - dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt - dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0 - aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj - YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK - AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T - 
RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN - cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW - wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1 - U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0 - jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP - BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN - BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/ - jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ - Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v - 1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R - nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH - VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g== - -----END CERTIFICATE----- - - # # LetsEncrypt certificate authority for keycloak.bigbang.dev - # # Use this CA if you deployed Keycloak with *.bigbang.dev certificate using docs/assets/configs/example/keycloak-dev-values.yaml - # certificate_authority: | - # -----BEGIN CERTIFICATE----- - # MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw - # TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh - # cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 - # WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu - # ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY - # MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc - # h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ - # 0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U - # A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW - # T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH - # B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC - # B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv - # KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn - # 
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn - # jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw - # qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI - # rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV - # HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq - # hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL - # ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ - # 3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK - # NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 - # ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur - # TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC - # jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc - # oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq - # 4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA - # mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d - # emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= - # -----END CERTIFICATE----- + certificateAuthority: + cert: | + -----BEGIN CERTIFICATE----- + MIIH0zCCBrugAwIBAgIQHeg1retyhPnWuzryBJeBvTANBgkqhkiG9w0BAQsFADCB + ujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsT + H1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAy + MDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwG + A1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0y + MDEyMTUwMzE1MDJaFw0yMjAxMTQwMzE1MDJaMHMxCzAJBgNVBAYTAlVTMREwDwYD + VQQIEwhDb2xvcmFkbzEZMBcGA1UEBxMQQ29sb3JhZG8gU3ByaW5nczEeMBwGA1UE + ChMVRGVwYXJ0bWVudCBvZiBEZWZlbnNlMRYwFAYDVQQDEw1sb2dpbi5kc28ubWls + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAymUXk7STDlepS5HJu0ca + B57S5dfLp7zxYmcsGjo10YkHy3m9LASQCTyiioDrlwo2b+n8oZ7esGLv3RgggMwf + xvLVyx1+lZDswxdQoXmjArTdbqpcSoq3Y1rvVp33/jGb3slBjQtcMt2QvaFv3fxy + cwwINvJFEqsQS7zGUgpolJ3smKdcVpUSGZmzpYposuDlPUGeOJaQRMAACW5arWiT + 
VkDhJD+OVOYEHW8uCQfghD3JJXu6Xp9SwlWe6UNOdxo9cq3s/XE4ZwEgffdLXP2A + wuJF/7B7CFdZjIMptmOODyCeatC344iyubU0MiGCOm4W4wn0pQ0XJtAzWeYFKATL + 9BquNOzPUR6pMSFMvIEiS96zbVFuOYt2XKgPryWEYji3Oky082WWYOcXt0NnqnCj + SafVU+2fQi4jQ0att5YXagEEPz83lQZdSKb2+grDeFg78VrEZAe+Y0mVu4/G93he + UOqfZ9jdCnFXq8sEMG9bJJFKeOXkb1Da8Y0amfOw4hFd4UslrbvC5ZCUZNh6roOk + 8kast9QWtWFIGPC3f+Uq3gvx3GBHzIG9QPOq1CjSSAF3tWKuMTxK4zaS33mriJo0 + Dv1CMX3FCmjT/qG3422guBL02hbGHveDSWk0/saY7ZWFifxnvKEdOi4ItnpMuQhE + zx6/+t7FWuzBTPAeVqV1l2sCAwEAAaOCAxkwggMVMAwGA1UdEwEB/wQCMAAwHQYD + VR0OBBYEFCLwpnkje7QKLWok+nWIeBEnIGfmMB8GA1UdIwQYMBaAFIKicHTdvFM/ + z3vU981/p2DGCky/MGgGCCsGAQUFBwEBBFwwWjAjBggrBgEFBQcwAYYXaHR0cDov + L29jc3AuZW50cnVzdC5uZXQwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9haWEuZW50cnVz + dC5uZXQvbDFrLWNoYWluMjU2LmNlcjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8v + Y3JsLmVudHJ1c3QubmV0L2xldmVsMWsuY3JsMCcGA1UdEQQgMB6CDWxvZ2luLmRz + by5taWyCDWxvZ2luLmRzb3AuaW8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG + CCsGAQUFBwMBBggrBgEFBQcDAjBMBgNVHSAERTBDMDcGCmCGSAGG+mwKAQUwKTAn + BggrBgEFBQcCARYbaHR0cHM6Ly93d3cuZW50cnVzdC5uZXQvcnBhMAgGBmeBDAEC + AjCCAX4GCisGAQQB1nkCBAIEggFuBIIBagFoAHUAVhQGmi/XwuzT9eG9RLI+x0Z2 + ubyZEVzA75SYVdaJ0N0AAAF2ZGTpIwAABAMARjBEAiAK+W9ukx92DJPFV87LexEg + /qDFTjtkiLh/z+mLmDtOwQIgUD4YrMuo22sV9MeJ8JmzraCQVdUUIprw4K4HN+eO + 6W0AdwDfpV6raIJPH2yt7rhfTj5a6s2iEqRqXo47EsAgRFwqcwAAAXZkZOlKAAAE + AwBIMEYCIQDRpvbR/GroWSGlCIh1q0RUITb8RfI4skqqBa/FeU811AIhAPlRY4lv + DC2u9MFSEiCVeaFYJRU0xvAwmHQMtrl+IE4iAHYARqVV63X6kSAwtaKJafTzfREs + QXS+/Um4havy/HD+bUcAAAF2ZGTrYAAABAMARzBFAiEAifP8Y0nXFBykaTyzpWpv + E3FDi8NCQeJFRMJqD7loTjMCIHVDio7r+zANTbIdRLRRzHoNzo//xfJ0JUqejNRA + aCpZMA0GCSqGSIb3DQEBCwUAA4IBAQB/wtYjDQiPLe99tZq98IyxOSJCli2mtlV9 + gSC67aj4rgW6g+C8P1bSoB5PamMq6rON5q0SXL3CQiQ7vegxCQnleDh0LWeKPFS2 + jjSIl3CvrYfBlNBzw4H1uAa/yw+enr0So8oX8kdSTBFGnU4KoK646lFZRXSifFIU + zzQ9QYYedmiP0iKs5LDYGAOsB/w/O94+zv6qGKXA1fVzBXAD54MddqGk9mHZTSyL + 6nsSTx4r8vCGQir7d2QuIGLD48zaYQz0TFcGKnBV3/9CB27RxJkRdMwUbMvNdp3C + V+C2+jdR8xA/0qCnvSxHc1lTZgXxVkcu/wpqIBn3af5Ha8ddd0DU + 
-----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIFDjCCA/agAwIBAgIMDulMwwAAAABR03eFMA0GCSqGSIb3DQEBCwUAMIG+MQsw + CQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2Vl + IHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkg + RW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIwMAYDVQQD + EylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjAeFw0x + NTEwMDUxOTEzNTZaFw0zMDEyMDUxOTQzNTZaMIG6MQswCQYDVQQGEwJVUzEWMBQG + A1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRydXN0Lm5l + dC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMTIgRW50cnVzdCwgSW5jLiAt + IGZvciBhdXRob3JpemVkIHVzZSBvbmx5MS4wLAYDVQQDEyVFbnRydXN0IENlcnRp + ZmljYXRpb24gQXV0aG9yaXR5IC0gTDFLMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A + MIIBCgKCAQEA2j+W0E25L0Tn2zlem1DuXKVh2kFnUwmqAJqOV38pa9vH4SEkqjrQ + jUcj0u1yFvCRIdJdt7hLqIOPt5EyaM/OJZMssn2XyP7BtBe6CZ4DkJN7fEmDImiK + m95HwzGYei59QAvS7z7Tsoyqj0ip/wDoKVgG97aTWpRzJiatWA7lQrjV6nN5ZGhT + JbiEz5R6rgZFDKNrTdDGvuoYpDbwkrK6HIiPOlJ/915tgxyd8B/lw9bdpXiSPbBt + LOrJz5RBGXFEaLpHPATpXbo+8DX3Fbae8i4VHj9HyMg4p3NFXU2wO7GOFyk36t0F + ASK7lDYqjVs1/lMZLwhGwSqzGmIdTivZGwIDAQABo4IBDDCCAQgwDgYDVR0PAQH/ + BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwMwYIKwYBBQUHAQEEJzAlMCMGCCsG + AQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAwBgNVHR8EKTAnMCWgI6Ah + hh9odHRwOi8vY3JsLmVudHJ1c3QubmV0L2cyY2EuY3JsMDsGA1UdIAQ0MDIwMAYE + VR0gADAoMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L3JwYTAd + BgNVHQ4EFgQUgqJwdN28Uz/Pe9T3zX+nYMYKTL8wHwYDVR0jBBgwFoAUanImetAe + 733nO2lR1GyNn5ASZqswDQYJKoZIhvcNAQELBQADggEBADnVjpiDYcgsY9NwHRkw + y/YJrMxp1cncN0HyMg/vdMNY9ngnCTQIlZIv19+4o/0OgemknNM/TWgrFTEKFcxS + BJPok1DD2bHi4Wi3Ogl08TRYCj93mEC45mj/XeTIRsXsgdfJghhcg85x2Ly/rJkC + k9uUmITSnKa1/ly78EqvIazCP0kkZ9Yujs+szGQVGHLlbHfTUqi53Y2sAEo1GdRv + c6N172tkw+CNgxKhiucOhk3YtCAbvmqljEtoZuMrx1gL+1YQ1JH7HdMxWBCMRON1 + exCdtTix9qrKgWRs6PLigVWXUX/hwidQosk8WwBD9lu51aX8/wdQQGcHsFXwt35u + Lcw= + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC + 
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50 + cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs + IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz + dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy + NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu + dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt + dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0 + aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj + YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK + AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T + RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN + cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW + wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1 + U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0 + jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP + BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN + BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/ + jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ + Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v + 1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R + nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH + VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g== + -----END CERTIFICATE----- - - # The JSON Web Key Set (JWKS) containing the public keys used to verify any JSON Web Token (JWT) issued by the IDP - # The jwks is public and does not require a secret - # The jwks is used by Istio authservice - # Must be updated for every new deployment of Keycloak. 
Example of where to get the jwks: - # https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/certs - # must be single quoted and double quotes must be escaped like this \"xxxx\" - # This is the specific jwks from login.bigbang.dev - # jwks: '{\"keys\":[{\"kid\":\"4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"hiML1kjw-sw25BgaZI1AyfgcCRBPJKPE-wwttqa7NNxptr_5RCBGuJXqDyo3p1vjcbb8KjdKnXI7kWer8b2Pz_RP1m_QcPrKOxSluk7GZF8ARsc6FPGbzYgi8o8cBVSsaml6HZzpN3ZnH4DFZ27ifM-Ul_PyMxZ2aweohIaizXp-rgF7Rqpav5NXUwmcSyH8LP92NVIuFlD3HYTDGosVbfA_u_H25Z4XCGKW_vLDTNrl8PcA3HqIoD-vNavysdxAq_KNw7iLLc0KLsjFYSdJL_54H7QubsGR0AyIrLLurJbqAtvttGJK38k5XYWKIwYGtu6iiJwjSb7UtonVdPh8Vw\",\"e\":\"AQAB\",\"x5c\":[\"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\"],\"x5t\":\"mxFIwx7EdgxyC3Y6ODLx8yr8Bx8\",\"x5t#S256\":\"SdT7ScKVOnBW6qs_MuYdTGVtMGwYK_-nmQF9a_8lXco\"}]}' - # Recent versions of authservice allow filling in of a URI for jwks which will be fetched on your behalf - jwks_uri: "https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/certs" + # # LetsEncrypt certificate authority for keycloak.bigbang.dev + # # Use this CA if you deployed Keycloak with *.bigbang.dev certificate using docs/assets/configs/example/keycloak-dev-values.yaml + # certificate_authority: | + # -----BEGIN CERTIFICATE----- + # MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw + # TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh + # cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 + # WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu + # ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY + # MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc + # h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ + # 0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U + # A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW + # 
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH + # B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC + # B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv + # KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn + # OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn + # jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw + # qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI + # rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV + # HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq + # hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL + # ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ + # 3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK + # NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 + # ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur + # TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC + # jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc + # oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq + # 4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA + # mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d + # emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= + # -----END CERTIFICATE----- + saml: + # Retrieve from https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor + metadata: <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://login.dso.mil/auth/realms/baby-yoda"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor 
use="signing"><ds:KeyInfo><ds:KeyName>4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4</ds:KeyName><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/resolve" index="0"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml"/><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml"/></md:IDPSSODescriptor></md:EntityDescriptor> kiali: sso: 
@@ -179,7 +171,7 @@ tempo: monitoring: sso: enabled: true - prometheus: + prometheus: client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-prometheus alertmanager: client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-alertmanager @@ -192,20 +184,15 @@ twistlock: sso: enabled: true client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-twistlock - cert: |- - -----BEGIN CERTIFICATE----- - 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 - -----END CERTIFICATE----- addons: authservice: enabled: true - argocd: + argocd: sso: enabled: true client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-argocd client_secret: anything-for-dev - provider_name: "P1 SSO" groups: | g, Impact Level 2 Authorized, role:admin gitlab: @@ -216,8 +203,6 @@ addons: sso: enabled: true client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-saml-sonarqube - provider_name: "P1 SSO" - certificate: 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 login: login name: name email: email @@ -263,10 +248,6 @@ addons: lastName: "lastName" email: "email" groups: "groups" - # -- IDP SAML Metadata XML as a single line string in single quotes - # -- this information is public and does not require a secret - # curl https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml/descriptor ; echo - idpMetadata: 'enter-single-quoted-single-line-string-here' role: # id is the name of the Keycloak group (case sensitive) - id: "Nexus" diff --git a/docs/assets/configs/example/google-auth-example-values.yaml b/docs/assets/configs/example/google-auth-example-values.yaml index 44524713ec..a10e06471f 100644 --- a/docs/assets/configs/example/google-auth-example-values.yaml +++ b/docs/assets/configs/example/google-auth-example-values.yaml 
@@ -6,6 +6,18 @@ # * kibana/es - https://www.elastic.co/guide/en/elasticsearch/reference/7.12/oidc-guide-stack.html # - https://www.elastic.co/guide/en/kibana/current/kibana-authentication.html#oidc # +sso: + name: Google SSO + url: https://accounts.google.com + oidc: + authorization: https://accounts.google.com/o/oauth2/v2/auth + endSession: "" + jwksUri: https://www.googleapis.com/oauth2/v3/certs + token: https://oauth2.googleapis.com/token + userinfo: https://openidconnect.googleapis.com/v1/userinfo + claims: + username: email + groups: "" monitoring: sso: @@ -15,31 +27,17 @@ monitoring: client_secret: <client_secret> scopes: "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email" allowed_domains: <allowed_domains> - auth_url: https://accounts.google.com/o/oauth2/auth - token_url: https://oauth2.googleapis.com/token signout_redirect_url: https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=https://grafana.bigbang.dev logging: sso: enabled: true - oidc: - realm: "Google" # optionally override the name used in the custom ES realm def and login page client_secret: "<client_secret>" client_id: "<client_id>" # additional fields (required to override keycloak defaults) - issuer: "https://accounts.google.com" - auth_url: "https://accounts.google.com/o/oauth2/v2/auth" - token_url: "https://oauth2.googleapis.com/token" - userinfo_url: "https://openidconnect.googleapis.com/v1/userinfo" - jwkset_url: "https://www.googleapis.com/oauth2/v3/certs" - claims_principal: email claims_principal_pattern: "<regex for allowed email domains>" # example: "^([^@]+)@leapfrog\\.ai$" requested_scopes: - openid - email - # required for keycloak - should be empty for google) signature_algorithm: "" - endsession_url: "" - claims_group: "" - claims_mail: "" license: trial: true \ No newline at end of file 
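Review bot: The second hunk drops the comment that explained why `signature_algorithm: ""` must stay empty for Google while keeping the key itself, so the example now carries an empty value with no stated reason; the new `endSession: ""` and `groups: ""` entries in the first hunk's global `sso.oidc`/`sso.oidc.claims` block have the same problem. Suggest restoring the intent inline, e.g. `signature_algorithm: ""  # leave empty for Google; only Keycloak needs this`, `endSession: ""  # Google exposes no end-session endpoint; left empty on purpose` and `groups: ""  # no groups claim is configured for Google`, so a reader does not mistake these for values still to be filled in. Separately, the Grafana `auth_url` removed from the monitoring block pointed at `/o/oauth2/auth`, whereas the global `sso.oidc.authorization` it presumably now inherits is `/o/oauth2/v2/auth`; the two should serve the same authorization-code flow, but the rendered Grafana config is worth checking against a real login rather than assumed. The surviving `# additional fields (required to override keycloak defaults)` comment in the logging block now sits above only `claims_principal_pattern` and `requested_scopes`, so it reads as stale and could be tightened to `# Google-specific overrides of the Keycloak defaults`.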
diff --git a/docs/developer/package-integration/supported.md b/docs/developer/package-integration/supported.md index 571ca8dc2d..4a6101e10a 100644 --- a/docs/developer/package-integration/supported.md +++ b/docs/developer/package-integration/supported.md @@ -28,7 +28,7 @@ After [graduating your package](https://repo1.dso.mil/platform-one/bbtoc/-/tree/ 1. Make sure the files described in this [document](./flux.md) have been generated in `chart/templates/<your-package-name>` directory -1. More details about secret-*.yaml: The secret template is where the code for secrets go. Typically you will see secrets for imagePullSecret, sso, database, and possibly object storage. These secrets are a BigBang chart enhancement. They are created conditionally based on what the user enables in the config. For example if the app supports SSO and will need a Certificate Authority supplied to trust the connection to the IdP there should be a `secret-ca.yaml` template to populate a secret with the `sso.certificate_authority` value in the application namespace. +1. More details about secret-*.yaml: The secret template is where the code for secrets go. Typically you will see secrets for imagePullSecret, sso, database, and possibly object storage. These secrets are a BigBang chart enhancement. They are created conditionally based on what the user enables in the config. For example if the app supports SSO and will need a Certificate Authority supplied to trust the connection to the IdP there should be a `secret-ca.yaml` template to populate a secret with the `sso.certificateAuthority.cert` value in the application namespace. 1. Merge your default package values from `<your-package-git-folder>/bigbang/values.yaml` into `chart/values.yaml`. Only the "standard" keys used across packages should be used. Keep in mind that values can be passed directly to the package using `.Values.<package>.values` 
diff --git a/docs/guides/deployment-scenarios/sso-quickstart.md b/docs/guides/deployment-scenarios/sso-quickstart.md index 396b69cd4f..cc603aa513 100644 --- a/docs/guides/deployment-scenarios/sso-quickstart.md +++ b/docs/guides/deployment-scenarios/sso-quickstart.md 
@@ -7,6 +7,8 @@ A 54min speed run with explanations video walkthrough of this sso quickstart gui * [Google Drive - Video Mirror](https://drive.google.com/file/d/1xzRKhFQy4WXW97YWUFpixclLGAKfgA6Z/preview) * [Repo1 - Video Mirror](https://repo1.dso.mil/platform-one/bullhorn-delivery-static-assets/-/blob/master/big_bang/bigbang_sso_quickstart.mp4) +> SSO values have changed since these videos were created. The old values used in the videos should still work, but you will receive warnings that they have been deprecated. + ## Blue Team Knowledge Drop Imagine <https://authdemo.bigbang.dev> represents a mock-up of a custom-built mission application that doesn't have SSO, Authentication, or Authorization built-in. Auth Service can add those to it which creates layers of defense/defense in depth in the form only allowing authenticated users the ability to even see the page, enforcing MFA of authenticated users, and requiring that authenticated users are authorized to access that service (they must be in the correct group of their Identity Provider, and this means you can safely enable self-registration of users without hurting security. Auth Service's Authentication Proxy has an additional benefit in regards to defense in depth. You can add it in front of most frontend applications to create an additional layer of defense. Example: Grafana, Kibana, ArgoCD, and others have baked in support for OIDC/SSO and AuthN/AuthZ functionality, so you may think what benefit could be had from adding an authentication proxy in front of them (it seems redundant at first glance). Let's say that a frontend service was reachable from the public internet and it had some zero-day vulnerability that allowed authentication bypass or unauthenticated remote code execution to occur via a network-level exploit / uniquely crafted packet. 
Well someone on the internet wouldn't even be able to exploit these hypothetical zero-day vulnerabilities since it'd be behind an AuthN/AuthZ proxy layer of defense which would prevent them from even touching the frontend. Bonus: Istio, AuthService, and Keycloak are all Free Open Source Software (FOSS) solutions and they work in internet disconnect environments, we'll even demonstrate it working using only Kubernetes DNS and workstation hostfile edits / without needing to configure LAN/Internet DNS. @@ -103,11 +105,11 @@ Why 2 VMs? 2 reasons: ```shell # [admin@Laptop:~] - + # Commented out directly below, is how to use a pinned version of BigBang: - # BIG_BANG_VERSION="1.30.1" + # BIG_BANG_VERSION="1.30.1" # (Note: 1.30.1 was the last version this guide was tested against) - # + # # The following will load the latest tagger version of BigBang into an environment variable BIG_BANG_VERSION=$(curl -s https://repo1.dso.mil/platform-one/big-bang/bigbang/-/raw/master/base/gitrepository.yaml | grep 'tag:' | awk '{print $2}') echo "This script will install Big Bang version: $BIG_BANG_VERSION" 
@@ -120,10 +122,10 @@ Why 2 VMs? 2 reasons: ```shell # [admin@Laptop:~] echo $REGISTRY1_PASSWORD | docker login https://registry1.dso.mil --username=$REGISTRY1_USERNAME --password-stdin | grep "Succeeded" ; echo $? | grep 0 && echo "This validation check shows your registry1 credentials are valid, please continue." || for i in {1..10}; do echo "Validation check shows error, fix your registry1 credentials before moving on."; done - + export KEYCLOAK_IP=$(cat ~/.ssh/config | grep keycloak-cluster -A 1 | grep Hostname | awk '{print $2}') echo "\n\n\n$KEYCLOAK_IP is the IP of the k3d node that will host Keycloak on Big Bang" - + export WORKLOAD_IP=$(cat ~/.ssh/config | grep workload-cluster -A 1 | grep Hostname | awk '{print $2}') echo "$WORKLOAD_IP is the IP of the k3d node that will host Workloads on Big Bang" echo "Please manually verify that the IPs of your keycloak and workload k3d VMs look correct before moving on." @@ -134,8 +136,8 @@ Why 2 VMs? 2 reasons: ```shell # [admin@Laptop:~] - mkdir -p ~/qs - + mkdir -p ~/qs + cat << EOFkeycloak-k3d-prepwork-commandsEOF > ~/qs/keycloak-k3d-prepwork-commands.txt # Idempotent logic: sudo sed -i "/.*BIG_BANG_VERSION.*/d" ~/.bashrc @@ -148,14 +150,14 @@ Why 2 VMs? 2 reasons: lines_in_file+=( 'export K3D_IP="$KEYCLOAK_IP"' ) lines_in_file+=( 'export REGISTRY1_USERNAME="$REGISTRY1_USERNAME"' ) lines_in_file+=( 'export REGISTRY1_PASSWORD="$REGISTRY1_PASSWORD"' ) - + for line in "\${lines_in_file[@]}"; do grep -qF "\${line}" ~/.bashrc if [ \$? -ne 0 ]; then echo "\${line}" >> ~/.bashrc ; fi done EOFkeycloak-k3d-prepwork-commandsEOF - - + + cat << EOFworkload-k3d-prepwork-commandsEOF > ~/qs/workload-k3d-prepwork-commands.txt # Idempotent logic: sudo sed -i "/.*BIG_BANG_VERSION.*/d" ~/.bashrc 
@@ -168,7 +170,7 @@ Why 2 VMs? 2 reasons: lines_in_file+=( 'export K3D_IP="$WORKLOAD_IP"' ) lines_in_file+=( 'export REGISTRY1_USERNAME="$REGISTRY1_USERNAME"' ) lines_in_file+=( 'export REGISTRY1_PASSWORD="$REGISTRY1_PASSWORD"' ) - + for line in "\${lines_in_file[@]}"; do grep -qF "\${line}" ~/.bashrc if [ \$? -ne 0 ]; then echo "\${line}" >> ~/.bashrc ; fi @@ -193,10 +195,10 @@ Why 2 VMs? 2 reasons: ``` ```text - Explanation: (We are basically doing the equivalent of Ansible, without + Explanation: (We are basically doing the equivalent of Ansible, without having to install Ansible and its dependencies.) ssh keycloak-cluster < ~/qs/keycloak-k3d-prepwork-commands.txt - ^-- runs script against remote VM + ^-- runs script against remote VM & at the end of the command means to let it run in the background using it allows us to run the script against both machines in parallel. wait command waits for background processes to finish @@ -207,13 +209,13 @@ Why 2 VMs? 2 reasons: ```shell # [admin@Laptop:~] # First a command to confirm ~/.bashrc was updated as expected - ssh keycloak-cluster 'tail ~/.bashrc' - + ssh keycloak-cluster 'tail ~/.bashrc' + # Then ssh in to see the differences ssh keycloak-cluster ``` -1. Notice the prompt makes it obvious which VM you ssh'ed into. +1. Notice the prompt makes it obvious which VM you ssh'ed into. ```shell # [ubuntu@keycloak-cluster:~$] @@ -221,7 +223,7 @@ Why 2 VMs? 2 reasons: env | grep -i name env | grep IP exit - + # [admin@Laptop:~] ``` @@ -231,7 +233,7 @@ Why 2 VMs? 2 reasons: ```shell # [admin@Laptop:~] # Note ? is escaped in some places in the form of \?, this prevents substitution - # by the local machine, which allows the remote VM to do the substituting. + # by the local machine, which allows the remote VM to do the substituting. cat << EOFshared-k3d-prepwork-commandsEOF > ~/qs/shared-k3d-prepwork-commands.txt # Configure OS sudo sysctl -w vm.max_map_count=524288 
@@ -244,32 +246,32 @@ Why 2 VMs? 2 reasons: sudo modprobe xt_statistic printf "xt_REDIRECT\nxt_owner\nxt_statistic\n" | sudo tee -a /etc/modules sudo swapoff -a - + # Install git sudo apt install git -y - + # Install docker (note we use escape some vars we want the remote linux to substitute) sudo apt update -y && sudo apt install apt-transport-https ca-certificates curl gnupg lsb-release -y curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor --yes -o /usr/share/keyrings/docker-archive-keyring.gpg echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null sudo apt update -y && sudo apt install docker-ce docker-ce-cli containerd.io -y && sudo usermod --append --groups docker \$USER - + # Install k3d wget -q -O - https://github.com/k3d-io/k3d/releases/download/v5.4.1/k3d-linux-amd64 > k3d echo 50f64747989dc1fcde5db5cb82f8ac132a174b607ca7dfdb13da2f0e509fda11 k3d | sha256sum -c | grep OK if [ \$? == 0 ]; then chmod +x k3d && sudo mv k3d /usr/local/bin/k3d ; fi - + # Install kubectl wget -q -O - https://dl.k8s.io/release/v1.23.5/bin/linux/amd64/kubectl > kubectl echo 715da05c56aa4f8df09cb1f9d96a2aa2c33a1232f6fd195e3ffce6e98a50a879 kubectl | sha256sum -c | grep OK if [ \$? == 0 ]; then chmod +x kubectl && sudo mv kubectl /usr/local/bin/kubectl; fi sudo ln -s /usr/local/bin/kubectl /usr/local/bin/k || true - + # Install kustomize wget -q -O - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv4.5.4/kustomize_v4.5.4_linux_amd64.tar.gz > kustomize.tar.gz echo 1159c5c17c964257123b10e7d8864e9fe7f9a580d4124a388e746e4003added3 kustomize.tar.gz | sha256sum -c | grep OK - if [ \$? == 0 ]; then tar -xvf kustomize.tar.gz && chmod +x kustomize && sudo mv kustomize /usr/local/bin/kustomize && rm kustomize.tar.gz ; fi - + if [ \$? 
== 0 ]; then tar -xvf kustomize.tar.gz && chmod +x kustomize && sudo mv kustomize /usr/local/bin/kustomize && rm kustomize.tar.gz ; fi + # Install helm wget -q -O - https://get.helm.sh/helm-v3.8.1-linux-amd64.tar.gz > helm.tar.gz echo d643f48fe28eeb47ff68a1a7a26fc5142f348d02c8bc38d699674016716f61cd helm.tar.gz | sha256sum -c | grep OK @@ -284,7 +286,7 @@ Why 2 VMs? 2 reasons: # Run the above prereq script against both VMs ssh keycloak-cluster < ~/qs/shared-k3d-prepwork-commands.txt & ssh workload-cluster < ~/qs/shared-k3d-prepwork-commands.txt & - wait + wait ``` * Copy paste the following to run validation checks against both VMs @@ -297,10 +299,10 @@ Why 2 VMs? 2 reasons: k3d version >> /dev/null ; echo \$? | grep 0 >> /dev/null && echo "SUCCESS: k3d installed" || echo "ERROR: issue with k3d install" kubectl version --client >> /dev/null ; echo \$? | grep 0 >> /dev/null && echo "SUCCESS: kubectl installed" || echo "ERROR: issue with kubectl install" kustomize version >> /dev/null ; echo \$? | grep 0 >> /dev/null && echo "SUCCESS: kustomize installed" || echo "ERROR: issue with kustomize install" - helm version >> /dev/null ; echo \$? | grep 0 >> /dev/null && echo "SUCCESS: helm installed" || echo "ERROR: issue with helm install" + helm version >> /dev/null ; echo \$? | grep 0 >> /dev/null && echo "SUCCESS: helm installed" || echo "ERROR: issue with helm install" EOFshared-k3d-prepwork-verification-commandsEOF - - ssh keycloak-cluster < ~/qs/shared-k3d-prepwork-verification-commands.txt + + ssh keycloak-cluster < ~/qs/shared-k3d-prepwork-verification-commands.txt ssh workload-cluster < ~/qs/shared-k3d-prepwork-verification-commands.txt ``` 
@@ -312,7 +314,7 @@ Note: There's no need to copy paste commands from this text box, If you were to copy paste the following into your laptop/workstation's terminal. ssh keycloak-cluster 'env | grep K3D_IP' -You'd receive blank text, this means that env vars defined in the remote VM's ~/.bashrc +You'd receive blank text, this means that env vars defined in the remote VM's ~/.bashrc are not populated when using non interactive shell copy paste automation method. That's why the script that runs on the remote machine has lines like this one: @@ -340,7 +342,7 @@ k3d cluster create \$CLUSTER_NAME \ --api-port 6443 sed -i "s/0.0.0.0/\$K3D_IP/" ~/.kube/config # Explanation: -# sed = stream editor +# sed = stream editor # -i s/.../.../ (i = inline), (s = substitution, basically cli find and replace) # / / / are delimiters the separate what to find and what to replace. # \$K3D_IP, is a variable with $ escaped, so the var will be processed by the remote VM. @@ -442,7 +444,7 @@ logging: requests: cpu: 1m memory: 1Mi - limits: + limits: cpu: null memory: null @@ -606,12 +608,12 @@ istio: public-ingressgateway: type: "NodePort" values: - values: - global: - proxy: + values: + global: + proxy: resources: requests: - cpu: 0m + cpu: 0m memory: 0Mi limits: cpu: 0m @@ -628,7 +630,7 @@ helm upgrade --install bigbang \$HOME/bigbang/chart \ --namespace=bigbang --create-namespace EOFdeploy-keycloakEOF -ssh keycloak-cluster < ~/qs/deploy-keycloak.txt +ssh keycloak-cluster < ~/qs/deploy-keycloak.txt ``` ## Step 8: Edit your workstation's Hosts file to access the web pages hosted on the Big Bang Clusters 
@@ -659,10 +661,10 @@ cat /etc/hosts ## Step 9: Make sure the clusters have had enough time to finish their deployments -* Note: - After copy pasting the following, you may need to wait up to 10 minutes. If you're too - fast you may see a temporary error about pod keycloak-0 not found. It's recommended to - copy paste this block of verification commands a 2nd time after 10 minutes have passed. +* Note: + After copy pasting the following, you may need to wait up to 10 minutes. If you're too + fast you may see a temporary error about pod keycloak-0 not found. It's recommended to + copy paste this block of verification commands a 2nd time after 10 minutes have passed. * Note when you run `kubectl get svc -n=istio-system`, against each cluster, verify that EXTERNAL-IP isn't stuck in pending. @@ -670,14 +672,14 @@ cat /etc/hosts # [admin@Laptop:~] export KUBECONFIG=$HOME/.kube/keycloak-cluster kubectl get pods -A -kubectl wait --for=condition=ready --timeout=10m pod/keycloak-0 -n=keycloak +kubectl wait --for=condition=ready --timeout=10m pod/keycloak-0 -n=keycloak # ^-- takes about 5min kubectl get hr -A -kubectl get svc -n=istio-system +kubectl get svc -n=istio-system export KUBECONFIG=$HOME/.kube/workload-cluster kubectl get hr -A -kubectl wait --for=condition=ready --timeout=15m hr/jaeger -n=bigbang +kubectl wait --for=condition=ready --timeout=15m hr/jaeger -n=bigbang # ^-- takes about 10-15mins kubectl get hr -A kubectl get svc -n=istio-system 
@@ -696,10 +698,10 @@ kubectl get svc -n=istio-system cat << EOFdeploy-mock-mission-appEOF > ~/qs/deploy-mock-mission-app.txt #Creating demo namespace -k create ns mock-mission-app +k create ns mock-mission-app #Adding namespace to the service mesh -k label ns mock-mission-app istio-injection=enabled +k label ns mock-mission-app istio-injection=enabled # Adding dockercred to namespace so istio side car image pull will work. kubectl get secret private-registry -n=istio-system -o yaml | sed 's/namespace: .*/namespace: mock-mission-app/' | kubectl apply -f - @@ -760,19 +762,19 @@ kubectl wait --for=condition=available deployment/podinfo --timeout=3m -n=mock-m 1. Visit <https://keycloak.bigbang.dev/auth/admin> 1. log in as a keycloak admin, using the default creds of admin:password 1. In the GUI: - 1. Navigate to: Manage/Groups > Impact Level 2 Authorized (double click) + 1. Navigate to: Manage/Groups > Impact Level 2 Authorized (double click) Notice the group UUID in the URL: 00eb8904-5b88-4c68-ad67-cec0d2e07aa6 1. In the GUI: 1. Navigate to: Configure/Clients > [Create] 1. Set: - Client ID = "demo-env_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_authdemo" - Client Protocol = openid-connect + Client ID = "demo-env_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_authdemo" + Client Protocol = openid-connect Root URL = (blank) 1. Save 1. In the GUI: 1. Navigate to: Configure/Clients > [Edit] demo-env_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_authdemo 1. Under "Access Type": Change Public to Confidential - 1. Under "Valid Redirect URIs": Add "https://authdemo.bigbang.dev/login/generic_oauth" + 1. Under "Valid Redirect URIs": Add "https://authdemo.bigbang.dev/login/generic_oauth" Note: /login/generic_oauth comes from auth service 1. Save 1. Scroll up to the top of the page and you'll see a newly added [Credentials] tab, click it. 
@@ -785,18 +787,18 @@ kubectl wait --for=condition=available deployment/podinfo --timeout=3m -n=mock-m export AUTHDEMO_APP_ID_CLIENT_SECRET="pasted_value" # It should look similar to the following dynamically generated demo value -# export AUTHDEMO_APP_ID_CLIENT_SECRET="fsCUSkwy2kaaSlgN4r4LPYOAvHCqzUk5" +# export AUTHDEMO_APP_ID_CLIENT_SECRET="fsCUSkwy2kaaSlgN4r4LPYOAvHCqzUk5" echo $AUTHDEMO_APP_ID_CLIENT_SECRET | grep "pasted_value" ; echo $? | grep 1 && echo "This validation check shows you remembered to update the pasted value." || ( for i in {1..10}; do echo "Validation check shows error, update the variable by pasting in the dynamically generated secret before moving on." ; done ; sleep 3 ) -# Note: +# Note: # JWKS: JSON Web Key Set is a public key used to verify JWT's issued by the IDP. # Every Instance of Keycloak will have a unique JWKS, auth service needs to verify JWTs issued by Keycloak # You find it by curling https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/openid-connect/certs -# then to prep for usage escape double quotes and wrapping the value in single quotes. +# then to prep for usage escape double quotes and wrapping the value in single quotes. export KEYCLOAK_IDP_JWKS=$(curl https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/openid-connect/certs | sed 's@"@\\"@g') -# Note: +# Note: # Authservice needs the CA-cert.pem that Keycloak's HTTPS cert was signed by, *.bigbang.dev is signed by Let's Encrypt Free CA export KEYCLOAK_CERTS_CA=$(curl https://letsencrypt.org/certs/isrgrootx1.pem) ``` 
@@ -823,18 +825,14 @@ kubectl patch deployment podinfo --type merge --patch "\$(cat ~/pods-in-deployme cat << EOF > ~/auth_service_demo_values.yaml sso: - oidc: - host: keycloak.bigbang.dev - realm: baby-yoda - token_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token" - auth_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth" - jwks: '$KEYCLOAK_IDP_JWKS' - certificate_authority: | -$(echo "$KEYCLOAK_CERTS_CA" | sed 's/^/ /') -# sed 's/^/ /', indents 4 spaces + url: https://keycloak.bigbang.dev/auth/realms/baby-yoda + certificateAuthority: + cert: | +$(echo "$KEYCLOAK_CERTS_CA" | sed 's/^/ /') +# sed 's/^/ /', indents 6 spaces addons: - authservice: + authservice: enabled: true values: chains: @@ -867,8 +865,8 @@ ssh workload-cluster 'helm get values bigbang -n=bigbang' # You can eyeball this * Before we were taken straight to the mock mission app webpage * Now* (or 30-120 seconds after copy pasting the above block of commands into the terminal), when you create a new tab and try to visit this URL it immediately redirects to a KeyCloak Log in Prompt and if you log in with your demo user, you'll a message like this: -> RBAC: access denied -> Your account has not been granted access to this application group yet. +> RBAC: access denied +> Your account has not been granted access to this application group yet. ## Step 17: Update the group membership of the user 
@@ -880,13 +878,13 @@ ssh workload-cluster 'helm get values bigbang -n=bigbang' # You can eyeball this 1. Click Impact Level 2 Authorized 1. Click [Join] -> Note: -> If you try to repeat step 16 at this stage, you'll see either an infinite loading screen or message like this: -> `Access to authdemo.bigbang.dev was denied` -> `You don't have authorization to view this page.` -> `HTTP ERROR 403` -> The reason for this is that we configured our workstation's hostfile /etc/hosts to avoid needing to configure DNS. But the 2 k3d clusters are unable to resolve the DNS Names. -> AuthService pods on the Workload Cluster need to be able to resolve the DNS name of keycloak.bigbang.dev +> Note: +> If you try to repeat step 16 at this stage, you'll see either an infinite loading screen or message like this: +> `Access to authdemo.bigbang.dev was denied` +> `You don't have authorization to view this page.` +> `HTTP ERROR 403` +> The reason for this is that we configured our workstation's hostfile /etc/hosts to avoid needing to configure DNS. But the 2 k3d clusters are unable to resolve the DNS Names. +> AuthService pods on the Workload Cluster need to be able to resolve the DNS name of keycloak.bigbang.dev > Keycloak pod on the Keycloak Cluster needs to be able to resolve the DNS name of authdemo.bigbang.dev ## Step 18: Update Inner Cluster DNS on the Workload Cluster @@ -898,7 +896,7 @@ ssh workload-cluster 'helm get values bigbang -n=bigbang' # You can eyeball this # The following tests DNS resolution from the perspective of a pod running in the cluster export KUBECONFIG=$HOME/.kube/workload-cluster -kubectl run -it test --image=busybox:stable +kubectl run -it test --image=busybox:stable ``` ```shell 
@@ -912,7 +910,7 @@ exit ```shell # [admin@Laptop:~] kubectl exec -it test -- ping keycloak.bigbang.dev -c 1 | head -n 1 -# Notice it mentions resolution as 127.0.0.1, this comes from public internet DNS, +# Notice it mentions resolution as 127.0.0.1, this comes from public internet DNS, # The next steps will override the DNS resolution to suit the needs of this guide. ``` diff --git a/docs/understanding-bigbang/configuration/base-config.md b/docs/understanding-bigbang/configuration/base-config.md index c9da07ba50..faefc88096 100644 --- a/docs/understanding-bigbang/configuration/base-config.md +++ b/docs/understanding-bigbang/configuration/base-config.md 
@@ -36,17 +36,27 @@ To start using Big Bang, you will need to create your own Big Bang environment t | git.credentials.username | string | `""` | HTTP git credentials, both username and password must be provided | | git.credentials.caFile | string | `""` | HTTPS certificate authority file. Required for any repo with a self signed certificate | | git.credentials.privateKey | string | `""` | SSH git credentials, privateKey, publicKey, and knownHosts must be provided | -| sso | object | `{"auth_url":"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth","certificate_authority":"","client_id":"","client_secret":"","jwks":"","jwks_uri":"","oidc":{"host":"login.dso.mil","realm":"baby-yoda"},"secretName":"tls-ca-sso","token_url":"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"}` | Global SSO values used for BigBang deployments when sso is enabled, can be overridden by individual packages. | -| sso.oidc.host | string | `"login.dso.mil"` | Domain for keycloak used for configuring SSO | -| sso.oidc.realm | string | `"baby-yoda"` | Keycloak realm containing clients | -| sso.certificate_authority | string | `""` | Keycloak's certificate authority (PEM Format). Entered using chomp modifier (see docs/assets/configs/example/dev-sso-values.yaml for example). Used by authservice to support SSO for various packages | -| sso.jwks | string | `""` | Keycloak realm's json web key output, obtained at https://<keycloak-server>/auth/realms/<realm>/protocol/openid-connect/certs | -| sso.jwks_uri | string | `""` | Optional use of JWKS fetcher config for ease of use and automation. Fill in JWKS URI value of OIDC endpoint, can be found under the well known OpenID metadata configuration page of your provider. 
| -| sso.client_id | string | `""` | OIDC client ID used for packages authenticated through authservice | -| sso.client_secret | string | `""` | OIDC client secret used for packages authenticated through authservice | -| sso.token_url | string | `"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"` | OIDC token URL template string (to be used as default) | -| sso.auth_url | string | `"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth"` | OIDC auth URL template string (to be used as default) | -| sso.secretName | string | `"tls-ca-sso"` | Kubernetes Secret containing the sso.certificate_authority value for SSO enabled application namespaces | +| sso | object | `{"certificateAuthority":{"cert":null,"secretName":"tls-ca-sso"},"name":"SSO","oidc":{"authorization":"{{ .Values.sso.url }}/protocol/openid-connect/auth","claims":{"email":"email","groups":"groups","name":"name","username":"preferred_username"},"endSession":"{{ .Values.sso.url }}/protocol/openid-connect/logout","jwks":null,"jwksUri":"{{ .Values.sso.url }}/protocol/openid-connect/certs","token":"{{ .Values.sso.url }}/protocol/openid-connect/token","userinfo":"{{ .Values.sso.url }}/protocol/openid-connect/userinfo"},"saml":{"attributes":{"email":"email","groups":"groups","name":"name","username":"login"},"entityDescriptor":"{{ .Values.sso.url }}/protocol/saml/descriptor","metadata":null,"service":"{{ .Values.sso.url }}/protocol/saml"},"url":"https://login.dso.mil/auth/realms/baby-yoda"}` | Global SSO values used for BigBang deployments when sso is enabled | +| sso.name | string | `"SSO"` | Name of the identity provider. This is used by some packages as the SSO login label. | +| sso.url | string | `"https://login.dso.mil/auth/realms/baby-yoda"` | Base URL for the identity provider. For OIDC, this is the issuer. For SAML this is the entityID. 
| +| sso.certificateAuthority | object | `{"cert":null,"secretName":"tls-ca-sso"}` | Certificate authority for the identity provider's certificates | +| sso.certificateAuthority.cert | string | `nil` | The certificate authority public certificate in .pem format. Populating this will create a secret in each namespace that enables SSO. | +| sso.certificateAuthority.secretName | string | `"tls-ca-sso"` | The secret name to use for the certificate authority. Can be manually populated if cert is blank. | +| sso.saml.entityDescriptor | string | `"{{ .Values.sso.url }}/protocol/saml/descriptor"` | SAML entityDescriptor (metadata) path | +| sso.saml.service | string | `"{{ .Values.sso.url }}/protocol/saml"` | SAML SSO Service path | +| sso.saml.metadata | string | `nil` | Literal SAML XML metadata retrieved from `{{ .Values.sso.saml.entityDescriptor }}`. Required for SSO in Nexus, Twistlock, or Sonarqube. | +| sso.oidc | object | `{"authorization":"{{ .Values.sso.url }}/protocol/openid-connect/auth","claims":{"email":"email","groups":"groups","name":"name","username":"preferred_username"},"endSession":"{{ .Values.sso.url }}/protocol/openid-connect/logout","jwks":null,"jwksUri":"{{ .Values.sso.url }}/protocol/openid-connect/certs","token":"{{ .Values.sso.url }}/protocol/openid-connect/token","userinfo":"{{ .Values.sso.url }}/protocol/openid-connect/userinfo"}` | OIDC endpoints can be retrieved from `{{ .Values.sso.url }}/.well-known/openid-configuration` | +| sso.oidc.authorization | string | `"{{ .Values.sso.url }}/protocol/openid-connect/auth"` | OIDC authorization path | +| sso.oidc.endSession | string | `"{{ .Values.sso.url }}/protocol/openid-connect/logout"` | OIDC logout / end session path | +| sso.oidc.jwksUri | string | `"{{ .Values.sso.url }}/protocol/openid-connect/certs"` | OIDC JSON Web Key Set (JWKS) path | +| sso.oidc.token | string | `"{{ .Values.sso.url }}/protocol/openid-connect/token"` | OIDC token path | +| sso.oidc.userinfo | string | `"{{ 
.Values.sso.url }}/protocol/openid-connect/userinfo"` | OIDC user information path | +| sso.oidc.jwks | string | `nil` | Literal OIDC JWKS data retrieved from JWKS Uri. Only needed if `jwsksUri` is not defined. | +| sso.oidc.claims | object | `{"email":"email","groups":"groups","name":"name","username":"preferred_username"}` | Identity provider claim names that store metadata about the authenticated user. | +| sso.oidc.claims.email | string | `"email"` | IdP's claim name used for the user's email address. | +| sso.oidc.claims.name | string | `"name"` | IdP's claim name used for the user's full name | +| sso.oidc.claims.username | string | `"preferred_username"` | IdP's claim name used for the username | +| sso.oidc.claims.groups | string | `"groups"` | IdP's claim name used for the user's groups or roles | | flux | object | `{"install":{"remediation":{"retries":-1}},"interval":"2m","rollback":{"cleanupOnFail":true,"timeout":"10m"},"test":{"enable":false},"timeout":"10m","upgrade":{"cleanupOnFail":true,"remediation":{"remediateLastFailure":true,"retries":3}}}` | (Advanced) Flux reconciliation parameters. The default values provided will be sufficient for the majority of workloads. | | networkPolicies | object | `{"controlPlaneCidr":"0.0.0.0/0","enabled":true,"nodeCidr":"","vpcCidr":"0.0.0.0/0"}` | Global NetworkPolicies settings | | networkPolicies.enabled | bool | `true` | Toggle all package NetworkPolicies, can disable specific packages with `package.values.networkPolicies.enabled` | diff --git a/docs/understanding-bigbang/package-architecture/argocd.md b/docs/understanding-bigbang/package-architecture/argocd.md index 070395c1c6..c1bce7fd8d 100644 --- a/docs/understanding-bigbang/package-architecture/argocd.md +++ b/docs/understanding-bigbang/package-architecture/argocd.md @@ -57,7 +57,6 @@ addons: enabled: true client_id: client_secret: "" - provider_name: "" groups: | g, Impact Level 2 Authorized, role:admin ``` 
diff --git a/docs/understanding-bigbang/package-architecture/elasticsearch-kibana.md b/docs/understanding-bigbang/package-architecture/elasticsearch-kibana.md index 336ce446ad..ec38a5d5e0 100644 --- a/docs/understanding-bigbang/package-architecture/elasticsearch-kibana.md +++ b/docs/understanding-bigbang/package-architecture/elasticsearch-kibana.md @@ -97,13 +97,6 @@ logging: SSO integration for the eck stack requires a license (see below) and can be configured with the following values: ```yaml -sso: - oidc: - # -- Domain for keycloak used for configuring SSO - host: login.dso.mil - # -- Keycloak realm containing clients - realm: baby-yoda - logging: sso: # -- Toggle OIDC SSO for Kibana/Elasticsearch on and off. diff --git a/docs/understanding-bigbang/package-architecture/kiali.md b/docs/understanding-bigbang/package-architecture/kiali.md index 9b0909bcbc..5332aada77 100644 --- a/docs/understanding-bigbang/package-architecture/kiali.md +++ b/docs/understanding-bigbang/package-architecture/kiali.md 
@@ -127,11 +127,7 @@ kiali: enabled: true client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-kiali client_secret: your_client_secret_or_empty_string -# Kiali inherits/uses the global SSO settings for the host/realm -sso: - oidc: - host: login.dso.mil - realm: baby-yoda +# Kiali inherits/uses the global SSO settings at .sso ``` If you require a more advanced SSO configuration there are additional ways to customize that are detailed in the [upstream OIDC docs](https://kiali.io/docs/configuration/authentication/openid/). This doc includes details on how to configure username, scope, timeout, proxies, and more. It also lists some [SSO provider specifics](https://kiali.io/docs/configuration/authentication/openid/#_provider_specific_instructions) which may be needed for configuring with different providers. If you want to provide any further configuration than what is included in the `kiali.sso` block, you can override the BB pre-configured SSO and pass values via `kiali.values.cr.spec.auth`. diff --git a/docs/understanding-bigbang/package-architecture/mattermost.md b/docs/understanding-bigbang/package-architecture/mattermost.md index 6af1e04aae..8e1b851ee6 100644 --- a/docs/understanding-bigbang/package-architecture/mattermost.md +++ b/docs/understanding-bigbang/package-architecture/mattermost.md @@ -130,9 +130,6 @@ addons: enabled: true client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-mattermost client_secret: no-secret - auth_endpoint: https://login.dso.mil/oauth/authorize - token_endpoint: https://login.dso.mil/oauth/token - user_api_endpoint: https://login.dso.mil/api/v4/user ``` ## Licensing diff --git a/docs/understanding-bigbang/package-architecture/sonarqube.md b/docs/understanding-bigbang/package-architecture/sonarqube.md index 3c5e973999..c7037e8ac8 100644 --- a/docs/understanding-bigbang/package-architecture/sonarqube.md +++ b/docs/understanding-bigbang/package-architecture/sonarqube.md 
@@ -84,19 +84,12 @@ addons:
SSO integration can be configured by modifying the following settings in the bigbang chart.
```yaml
-sso:
- oidc:
- host: login.dso.mil
- realm: baby-yoda
-
addons:
sonarqube:
enabled: true
sso:
enabled: true
client_id: ""
- label: ""
- certificate: ""
login: login
name: name
email: email
diff --git a/tests/test-values.yaml b/tests/test-values.yaml
index 4e295af51a..967ec74099 100644
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -1,47 +1,45 @@
domain: bigbang.dev
sso:
- # LetsEncrypt certificate authority
- certificate_authority: |
- -----BEGIN CERTIFICATE-----
- MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
- TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
- cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
- WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
- ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
- MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
- h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
- 0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
- A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
- T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
- B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
- B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
- KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
- OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
- jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
- qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
- rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
- HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
- hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
- ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
- 3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
- NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
- ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
- TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
- jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
- oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
- 4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
- mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
- emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
- -----END CERTIFICATE-----
+ url: https://keycloak.bigbang.dev/auth/realms/baby-yoda
- # Must be updated for every new deployment of Keycloak. Example of where to get the jwks:
- # https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/openid-connect/certs
- # must be single quoted and double quotes must be escaped like this \"xxxx\"
- jwks: '{\"keys\":[{\"kid\":\"nZUXZDUyyAEKY4dJyargboayGxJmmlrhcoBoik-7040\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"qAl-BtUwp2ZVl7wix_8-pucv-jTK1L9QGFVW02kPYlFi0frg-OL9XsSB1MsJIEFfnDIZ_psvvWYoZkVnzibgVlfAjOQXyIevOWLpSlUK3BpWFnAfO-0oyQWSsclyE8-xpzTifL75SvbSvDp3JXVBa4UdgV2qsNs7xu99wipQ7cro2lpne5EIHv6eKJMeG1eFQS2DJrI6ydNOLrzHFOA3pAhZRphId6dxYWaKzH_tcR34uQ2gg-IgmGakYLFhG_P2ZrMdPqouej_WFoc9Y9hlHx8NALfA6uYe4aDCbWCTL1V1sZJjzVR7WiTDh7fIogTu_2ukpCOnXX_SaLadoulxLw\",\"e\":\"AQAB\",\"x5c\":[\"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\"],\"x5t\":\"ihEvRimRNSdrnr_Fhnd4OElB3-E\",\"x5t#S256\":\"YNijWPCIhWA5xQTwyIfvlBN-UcMe46Um2ywE-ADiqjM\"}]}'
- oidc:
- host: keycloak.bigbang.dev
- realm: baby-yoda
+ # LetsEncrypt certificate authority
+ certificateAuthority:
+ cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+ TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+ cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+ WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+ MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+ h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+ 0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+ A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+ T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+ B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+ B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+ KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+ OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+ jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+ qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+ rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+ HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+ hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+ 3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+ NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+ TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+ jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+ oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+ 4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+ mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+ emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+ -----END CERTIFICATE-----
+ saml:
+ # Retrieve from {{ .Values.sso.url }}/protocol/saml/descriptor
+ metadata: <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.bigbang.dev/auth/realms/baby-yoda"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4</ds:KeyName><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml/resolve" index="0"></md:ArtifactResolutionService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService></md:IDPSSODescriptor></md:EntityDescriptor>
flux:
timeout: 20m
@@ -825,7 +823,6 @@ addons:
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_argocd
client_secret: anything-for-dev
- provider_name: "P1 SSO"
groups: |
g, Impact Level 2 Authorized, role:admin
values:
@@ -1174,8 +1171,6 @@ addons:
sso:
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_saml-sonarqube
- provider_name: "P1 SSO"
- certificate: 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
login: login
name: name
email: email
@@ -1294,7 +1289,7 @@ addons:
nexusRepositoryManager:
enabled: false
- # Nexus requires manual configuration in Keycloak client and cannot be tested with login.dso.mil
+ # Nexus requires manual configuration in Keycloak client and cannot be tested with
# you must test with your own dev deployment. Example: keycloak.bigbang.dev
# See more info in Nexus Package docs /docs/keycloak.md
# Nexus SSO is behind a paywall. You must have a valid license to enable SSO
@@ -1313,10 +1308,6 @@ addons:
lastName: "lastName"
email: "email"
groups: "groups"
- # -- IDP SAML Metadata XML as a single line string in single quotes
- # -- this information is public and does not require a secret
- # curl https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml/descriptor ; echo
- idpMetadata: 'enter-single-quoted-single-line-string-here'
role:
# id is the name of the Keycloak group (case sensitive)
- id: "Nexus"
-- GitLab
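Review bot: The new `sso.saml.metadata` value is an unquoted plain scalar holding a whole XML document, while the removed `idpMetadata` guidance this replaces asked for a single-quoted single-line string for a reason: a plain scalar is terminated by any ` #` sequence and a `: ` inside it is a YAML parse error, so IdP metadata that happens to contain either will be silently truncated or rejected. Single-quoting the value (`metadata: '<md:EntityDescriptor ...>'`) keeps the test fixture robust for other IdPs and matches the convention used for the old `jwks` literal. This value also embeds the IdP's SAML signing certificate as a snapshot, unlike the OIDC side where the new global `jwksUri` default is resolved at runtime, so the removed comment's warning that it must be refreshed for every new Keycloak deployment still applies; restate it above `metadata:`, e.g. `# Must be updated whenever the Keycloak realm's SAML signing key changes`.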
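Review bot: In the `@@ -1294` hunk the rewritten comment now ends mid-sentence — `cannot be tested with` followed by `# you must test with your own dev deployment` — so the new text no longer says what Nexus cannot be tested against. If the intent is to stop naming the login.dso.mil instance literally, finish the sentence with the new global value instead, e.g. `# Nexus requires manual configuration in Keycloak client and cannot be tested with the default sso.url IdP,`.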