Merge branch 'sso_2.0' into 'master'

SSO Refactor for Global IdP values Closes #1361 See merge request !2321

Merge branch 'sso_2.0' into 'master'
e731912b · Micah Nagel · c1e0d157 · c8f187b7 · e731912b · e731912b
Commit e731912b authored 2 years ago by Micah Nagel
--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
@@ -185,6 +185,208 @@ DEPRECATION NOTICE:
  Please reconfigure your values overrides to use .Values.addons.nexusRepositoryManager 
 {{- end }}

+{{- $nexusOldValues := default dict .Values.addons.nexus -}}
+{{- $nexusValues := merge $nexusOldValues .Values.addons.nexusRepositoryManager -}}
+
+{{- with .Values }}
+{{- if and .sso.url (coalesce .sso.oidc.host .sso.oidc.realm .sso.certificate_authority .sso.jwks .sso.jwks_uri .sso.client_id .sso.client_secret .sso.token_url .sso.auth_url .sso.secretName .logging.sso.issuer .logging.sso.auth_url .logging.sso.token_url .logging.sso.userinfo_url .logging.sso.jwkset_url .logging.sso.claims_principal .logging.sso.endsession_url .logging.sso.claims_group .logging.sso.claims_mail .monitoring.sso.grafana.auth_url .monitoring.sso.grafana.token_url .monitoring.sso.grafana.api_url .twistlock.sso.provider_name .twistlock.sso.issuer_uri .twistlock.sso.idp_url .twistlock.sso.console_url .twistlock.sso.cert .addons.argocd.sso.provider_name .addons.gitlab.sso.label .addons.gitlab.sso.issuer_uri .addons.gitlab.sso.end_session_uri .addons.gitlab.sso.uid_field .addons.mattermost.sso.auth_endpoint .addons.mattermost.sso.token_endpoint .addons.mattermost.sso.user_api_endpoint $nexusValues.sso.idp_data.idpMetadata .addons.sonarqube.sso.provider_name .addons.sonarqube.sso.certificate) }}
+DEPRECATION NOTICE:
+  The following SSO keys have been deprecated.  Deprecated keys will continue to work, but will be removed in a future release.  Please update your overrides.
+    {{- if coalesce .sso.oidc.host .sso.oidc.realm .sso.certificate_authority .sso.jwks .sso.jwks_uri .sso.client_id .sso.client_secret .sso.token_url .sso.auth_url .sso.secretName }}
+    sso:
+      {{- if coalesce .sso.oidc.host .sso.oidc.realm }}
+      oidc:
+        {{- if .sso.oidc.host }}
+        # "host" removed.  It is now implicitly defined in "sso.url".
+        host: {{ .sso.oidc.host }}
+        {{- end }}
+        {{- if .sso.oidc.realm }}
+        # "realm" removed.  It is now implicitly defined in "sso.url".
+        realm: {{ .sso.oidc.realm }}
+        {{- end }}
+      {{- end }}
+      {{- if .sso.certificate_authority }}
+      # "certificate_authority" was moved to "sso.certificateAuthority.cert".
+      certificate_authority: {{ .sso.certificate_authority | trunc 27 }}
+      {{- end }}
+      {{- if .sso.jwks }}
+      # "jwks" was moved to "sso.oidc.jwks". If possible, switch to using "sso.oidc.jwksUri" to dynamically retrieve metadata instead
+      jwks: {{ .sso.jwks }}
+      {{- end }}
+      {{- if .sso.jwks_uri }}
+      # "jwks_uri" was moved to "sso.oidc.jwksUri"
+      jwks_uri: {{ .sso.jwks_uri }}
+      {{- end }}
+      {{- if .sso.client_id }}
+      # "client_id" was moved to "addons.authservice.sso.client_id"
+      client_id: {{ .sso.client_id }}
+      {{- end }}
+      {{- if .sso.client_secret }}
+      # "client_secret" was moved to "addons.authservice.sso.client_secret"
+      client_secret: {{ .sso.client_secret }}
+      {{- end }}
+      {{- if .sso.token_url }}
+      # "token_url" was moved to "sso.oidc.token"
+      token_url: {{ .sso.token_url }}
+      {{- end }}
+      {{- if .sso.auth_url }}
+      # "auth_url" was moved to "sso.oidc.authorization"
+      auth_url: {{ .sso.auth_url }}
+      {{- end }}
+      {{- if .sso.secretName }}
+      # "secretName" was moved to "sso.certificateAuthority.secretName"
+      secretName: {{ .sso.secretName }}
+      {{- end }}
+    {{- end }}
+    {{- if coalesce .logging.sso.issuer .logging.sso.auth_url .logging.sso.token_url .logging.sso.userinfo_url .logging.sso.jwkset_url .logging.sso.claims_principal .logging.sso.endsession_url .logging.sso.claims_group .logging.sso.claims_mail }}
+    logging:
+      sso:
+        {{- if .logging.sso.issuer }}
+        # "issuer" was moved to "sso.url"
+        issuer: {{ .logging.sso.issuer }}
+        {{- end }}
+        {{- if .logging.sso.auth_url }}
+        # "auth_url" was moved to "sso.oidc.authorization"
+        auth_url: {{ .logging.sso.auth_url }}
+        {{- end }}
+        {{- if .logging.sso.token_url }}
+        # "token_url" was moved to "sso.oidc.token"
+        token_url: {{ .logging.sso.token_url }}
+        {{- end }}
+        {{- if .logging.sso.userinfo_url }}
+        # "userinfo_url" was moved to "sso.oidc.userinfo"
+        userinfo_url: {{ .logging.sso.userinfo_url }}
+        {{- end }}
+        {{- if .logging.sso.jwkset_url }}
+        # "jwkset_url" was moved to "sso.oidc.jwksUrl"
+        jwkset_url: {{ .logging.sso.jwkset_url }}
+        {{- end }}
+        {{- if .logging.sso.claims_principal }}
+        # "claims_principal" was moved to "sso.oidc.claims.username"
+        claims_principal: {{ .logging.sso.claims_principal }}
+        {{- end }}
+        {{- if .logging.sso.endsession_url }}
+        # "endsession_url" was moved to "sso.oidc.endsession"
+        endsession_url: {{ .logging.sso.endsession_url }}
+        {{- end }}
+        {{- if .logging.sso.claims_group }}
+        # "claims_group" was moved to "sso.oidc.claims.groups"
+        claims_group: {{ .logging.sso.claims_group }}
+        {{- end }}
+        {{- if .logging.sso.claims_mail }}
+        # "claims_mail" was moved to "sso.oidc.claims.email"
+        claims_mail: {{ .logging.sso.claims_mail }}
+        {{- end }}
+    {{- end }}
+    {{- if coalesce .monitoring.sso.grafana.auth_url .monitoring.sso.grafana.token_url .monitoring.sso.grafana.api_url }}
+    monitoring:
+      sso:
+        grafana:
+          {{- if .monitoring.sso.grafana.auth_url }}
+          # "auth_url" moved to "sso.oidc.authorization"
+          auth_url: {{ .monitoring.sso.grafana.auth_url }}
+          {{- end }}
+          {{- if .monitoring.sso.grafana.token_url }}
+          # "token_url" moved to "sso.oidc.token"
+          token_url: {{ .monitoring.sso.grafana.token_url }}
+          {{- end }}
+          {{- if .monitoring.sso.grafana.api_url }}
+          # "api_url" moved to "sso.oidc.userinfo"
+          api_url: {{ .monitoring.sso.grafana.api_url }}
+          {{- end }}
+    {{- end }}
+    {{- if coalesce .twistlock.sso.provider_name .twistlock.sso.issuer_uri .twistlock.sso.idp_url .twistlock.sso.console_url .twistlock.sso.cert }}
+    twistlock:
+      sso:
+        {{- if .twistlock.sso.provider_name }}
+        # "provider_name" moved to "sso.name"
+        provider_name: {{ .twistlock.sso.provider_name }}
+        {{- end }}
+        {{- if .twistlock.sso.issuer_uri }}
+        # "issuer_uri" moved to "sso.url"
+        issuer_uri: {{ .twistlock.sso.issuer_uri }}
+        {{- end }}
+        {{- if .twistlock.sso.idp_url }}
+        # "idp_url" moved to "sso.saml.service"
+        idp_url: {{ .twistlock.sso.idp_url }}
+        {{- end }}
+        {{- if .twistlock.sso.console_url }}
+        # "console_url" deprecated.  It will be created from "twistlock.values.istio.console.hosts" or "twistlock.<domain>"
+        console_url: {{ .twistlock.sso.console_url }}
+        {{- end }}
+        {{- if .twistlock.sso.cert }}
+        # "cert" is derived from "sso.saml.metadata"
+        cert: {{ .twistlock.sso.cert | trunc 27 }}
+        {{- end }}
+    {{- end }}
+    {{- if coalesce .addons.argocd.sso.provider_name .addons.gitlab.sso.label .addons.gitlab.sso.issuer_uri .addons.gitlab.sso.end_session_uri .addons.gitlab.sso.uid_field .addons.mattermost.sso.auth_endpoint .addons.mattermost.sso.token_endpoint .addons.mattermost.sso.user_api_endpoint $nexusValues.sso.idp_data.idpMetadata .addons.sonarqube.sso.provider_name .addons.sonarqube.sso.certificate }}
+    addons:
+      {{- if .addons.argocd.sso.provider_name }}
+      argocd:
+        sso:
+          # "provider_name" moved to "sso.name"
+          provider_name: {{ .addons.argocd.sso.provider_name }}
+      {{- end }}
+      {{- if coalesce .addons.gitlab.sso.label .addons.gitlab.sso.issuer_uri .addons.gitlab.sso.end_session_uri .addons.gitlab.sso.uid_field -}}
+      gitlab:
+        sso:
+          {{- if .addons.gitlab.sso.label }}
+          # "label" moved to "sso.name"
+          label: {{ .addons.gitlab.sso.label }}
+          {{- end }}
+          {{- if .addons.gitlab.sso.issuer_uri }}
+          # "issuer_uri" moved to "sso.url"
+          issuer_uri: {{ .addons.gitlab.sso.issuer_uri }}
+          {{- end }}
+          {{- if .addons.gitlab.sso.end_session_uri }}
+          # "end_session_uri" moved to "sso.oidc.endSession"
+          end_session_uri: {{ .addons.gitlab.sso.end_session_uri }}
+          {{- end }}
+          {{- if .addons.gitlab.sso.uid_field }}
+          # "uid_field" moved to "sso.oidc.claims.username"
+          uid_field: {{ .addons.gitlab.sso.uid_field }}
+          {{- end }}
+      {{- end }}
+      {{- if coalesce .addons.mattermost.sso.auth_endpoint .addons.mattermost.sso.token_endpoint .addons.mattermost.sso.user_api_endpoint }}
+      mattermost:
+        sso:
+          {{- if .addons.mattermost.sso.auth_endpoint }}
+          # "auth_endpoint" moved to "sso.oidc.authorization"
+          auth_endpoint: {{ .addons.mattermost.sso.auth_endpoint }}
+          {{- end }}
+          {{- if .addons.mattermost.sso.token_endpoint }}
+          # "token_endpoint" moved "sso.oidc.token"
+          token_endpoint: {{ .addons.mattermost.sso.token_endpoint }}
+          {{- end }}
+          {{- if .addons.mattermost.sso.user_api_endpoint }}
+          # "user_api_endpoint" moved to "sso.oidc.userinfo"
+          user_api_endpoint: {{ .addons.mattermost.sso.user_api_endpoint }}
+          {{- end }}
+      {{- end }}
+      {{- if coalesce $nexusValues.sso.idp_data.idpMetadata }}
+      nexus:
+        sso:
+          {{- if $nexusValues.sso.idp_data.idpMetadata }}
+          # idpMetadata moved to "sso.saml.metadata"
+          idpMetadata: {{ $nexusValues.sso.idp_data.idpMetadata | trunc 27 }}
+          {{- end }}
+      {{- end }}
+      {{- if coalesce .addons.sonarqube.sso.provider_name .addons.sonarqube.sso.certificate }}
+      sonarqube:
+        sso:
+          {{- if .addons.sonarqube.sso.provider_name }}
+          # "provider_name" moved to "sso.name"
+          provider_name: {{ .addons.sonarqube.sso.provider_name }}
+          {{- end }}
+          {{- if .addons.sonarqube.sso.certificate }}
+          # "certificate" derived from "sso.saml.metadata"
+          certificate: {{ .addons.sonarqube.sso.certificate | trunc 27 }}
+          {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
 {{- if .Values.addons.mattermostoperator }}
 DEPRECATION NOTICE:
  .Values.addons.mattermostoperator has been deprecated and will be removed in a future Big Bang release.

--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -218,5 +218,116 @@ bigbang.dev/istioVersion: {{ .Values.istio.oci.tag }}

 {{- /* Prints istio version */ -}}
 {{- define "istioVersion" -}}
-{{ regexReplaceAll "-bb.+$" (coalesce .Values.istio.git.semver .Values.istio.git.tag .Values.istio.git.branch) "" }}
+  {{- regexReplaceAll "-bb.+$" (coalesce .Values.istio.git.semver .Values.istio.git.tag .Values.istio.git.branch) "" -}}
 {{- end -}}
+
+{{- /* Returns an SSO host */ -}}
+{{- define "sso.host" -}}
+  {{- coalesce .Values.sso.oidc.host (regexReplaceAll ".*//([^/]*)/?.*" .Values.sso.url "${1}") -}}
+{{- end -}}
+
+{{- /* Returns an SSO realm */ -}}
+{{- define "sso.realm" -}}
+  {{- coalesce .Values.sso.oidc.realm (regexReplaceAll ".*/realms/([^/]*)" .Values.sso.url "${1}") (regexReplaceAll "\\W+" .Values.sso.name "") -}}
+{{- end -}}
+
+{{- /* Returns the SSO base URL */ -}}
+{{- define "sso.url" -}}
+  {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "https://%s/auth/realms/%s" .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+  {{- else -}}
+    {{- tpl (default "" .Values.sso.url) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the SSO auth url (OIDC) */ -}}
+{{- define "sso.oidc.auth" -}}
+  {{- if .Values.sso.auth_url -}}
+    {{- tpl (default "" .Values.sso.auth_url) . -}}
+  {{- else if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "%s/protocol/openid-connect/auth" (include "sso.url" .) -}}
+  {{- else -}}
+    {{- tpl (dig "oidc" "authorization" (printf "%s/protocol/openid-connect/auth" (include "sso.url" .)) .Values.sso) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the SSO token url (OIDC) */ -}}
+{{- define "sso.oidc.token" -}}
+  {{- if .Values.sso.token_url -}}
+    {{- tpl (default "" .Values.sso.token_url) . -}}
+  {{- else if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "%s/protocol/openid-connect/token" (include "sso.url" .) -}}
+  {{- else -}}
+    {{- tpl (dig "oidc" "token" (printf "%s/protocol/openid-connect/token" (include "sso.url" .)) .Values.sso) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the SSO userinfo url (OIDC) */ -}}
+{{- define "sso.oidc.userinfo" -}}
+  {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "%s/protocol/openid-connect/userinfo" (include "sso.url" .) -}}
+  {{- else -}}
+    {{- tpl (dig "oidc" "userinfo" (printf "%s/protocol/openid-connect/userinfo" (include "sso.url" .)) .Values.sso) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the SSO jwks url (OIDC) */ -}}
+{{- define "sso.oidc.jwksuri" -}}
+  {{- if .Values.sso.jwks_uri -}}
+    {{- tpl (default "" .Values.sso.jwks_uri) . -}}
+  {{- else if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "%s/protocol/openid-connect/certs" (include "sso.url" .) -}}
+  {{- else -}}
+    {{- tpl (dig "oidc" "jwksUri" (printf "%s/protocol/openid-connect/certs" (include "sso.url" .)) .Values.sso) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the SSO end session url (OIDC) */ -}}
+{{- define "sso.oidc.endsession" -}}
+  {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "%s/protocol/openid-connect/logout" (include "sso.url" .) -}}
+  {{- else -}}
+    {{- tpl (dig "oidc" "endSession" (printf "%s/protocol/openid-connect/logout" (include "sso.url" .)) .Values.sso) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the single sign on service (SAML) */ -}}
+{{- define "sso.saml.service" -}}
+  {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "%s/protocol/saml" (include "sso.url" .) -}}
+  {{- else -}}
+    {{- tpl (dig "saml" "service" (printf "%s/protocol/saml" (include "sso.url" .)) .Values.sso) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the single sign on entity descriptor (SAML) */ -}}
+{{- define "sso.saml.descriptor" -}}
+  {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "%s/descriptor" (include "sso.saml.service" .) -}}
+  {{- else -}}
+    {{- tpl (dig "saml" "entityDescriptor" (printf "%s/descriptor" (include "sso.saml.service" .)) .Values.sso) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the signing cert (no headers) from the SAML metadata */ -}}
+{{- define "sso.saml.cert" -}}
+  {{- $cert := dig "saml" "metadata" "" .Values.sso -}}
+  {{- if $cert -}}
+    {{- $cert := regexFind "<md:IDPSSODescriptor[\\s>][\\s\\S]*?</md:IDPSSODescriptor[\\s>]" $cert -}}
+    {{- $cert = regexFind "<md:KeyDescriptor[\\s>][^>]*?use=\"signing\"[\\s\\S]*?</md:KeyDescriptor[\\s>]" $cert -}}
+    {{- $cert = regexFind "<ds:KeyInfo[\\s>][\\s\\S]*?</ds:KeyInfo[\\s>]" $cert -}}
+    {{- $cert = regexFind "<ds:X509Data[\\s>][\\s\\S]*?</ds:X509Data[\\s>]" $cert -}}
+    {{- $cert = regexFind "<ds:X509Certificate[\\s>][\\s\\S]*?</ds:X509Certificate[\\s>]" $cert -}}
+    {{- $cert = regexReplaceAll "<ds:X509Certificate[^>]*?>\\s*([\\s\\S]*?)</ds:X509Certificate[\\s>]" $cert "${1}" -}}
+    {{- $cert = regexReplaceAll "\\s*" $cert "" -}}
+    {{- required "X.509 signing certificate could not be found in sso.saml.metadata!" $cert -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the signing cert with headers from the SAML metadata */ -}}
+{{- define "sso.saml.cert.withheaders" -}}
+  {{- $cert := include "sso.saml.cert" . -}}
+  {{- if $cert -}}
+    {{- printf "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" $cert -}}
+  {{- end -}}
+{{- end -}}
\ No newline at end of file
--- a/chart/templates/anchore/secret-ca.yaml
+++ b/chart/templates/anchore/secret-ca.yaml
-{{- if and  .Values.addons.anchore.enabled .Values.addons.anchore.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.addons.anchore.enabled .Values.addons.anchore.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{.Values.sso.secretName}}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
  namespace: anchore
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
--- a/chart/templates/anchore/values.yaml
+++ b/chart/templates/anchore/values.yaml
@@ -49,7 +49,7 @@ sso:
  spEntityId: {{ .Values.addons.anchore.sso.client_id }}
  {{- $anchoreUrl := first (dig "istio" "ui" "hosts" list .Values.addons.anchore.values) }}
  acsUrl: https://{{ tpl ($anchoreUrl | default (printf "%s.%s" "anchore" $domainName)) . }}/service/sso/auth/keycloak
-  idpMetadataUrl: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/saml/descriptor"
+  idpMetadataUrl: "{{ include "sso.saml.descriptor" . }}"
  roleAttribute: {{ .Values.addons.anchore.sso.role_attribute }}
  {{- end }}


--- a/chart/templates/argocd/secret-ca.yaml
+++ b/chart/templates/argocd/secret-ca.yaml
-{{- if and  .Values.addons.argocd.enabled .Values.addons.argocd.sso.enabled .Values.sso.certificate_authority   }}
+{{- if and .Values.addons.argocd.enabled .Values.addons.argocd.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso))   }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
  namespace: argocd
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
--- a/chart/templates/argocd/values.yaml
+++ b/chart/templates/argocd/values.yaml
@@ -168,14 +168,14 @@ sso:
  keycloakClientSecret: {{ .Values.addons.argocd.sso.client_secret }}
  config:
    oidc.config: |
-      name: {{ .Values.addons.argocd.sso.provider_name }}
-      issuer: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}
+      name: {{ default .Values.sso.name .Values.addons.argocd.sso.provider_name }}
+      issuer: {{ include "sso.url" . }}
      clientID: {{ .Values.addons.argocd.sso.client_id }}
      clientSecret: $oidc.keycloak.clientSecret
      requestedScopes: ["openid","ArgoCD"]
-      {{- if .Values.sso.certificate_authority }}
+      {{- if (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
      rootCA: |
-        {{- .Values.sso.certificate_authority | nindent 8 }}
+        {{- default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | nindent 8 }}
      {{- end }}
 {{- end }}
 {{- end -}}

--- a/chart/templates/authservice/values.yaml
+++ b/chart/templates/authservice/values.yaml
@@ -64,27 +64,38 @@ redis-bb:
      namespace: monitoring
 {{- end }}

+{{- $legacy := and .Values.sso.oidc.realm .Values.sso.oidc.host -}}
+{{- if not $legacy }}
+issuer_uri: {{ include "sso.url" . }}
+{{- end }}
+
 global:
  oidc:
-    host: {{ .Values.sso.oidc.host }}
-    realm: {{ .Values.sso.oidc.realm }}
+    host: {{ default (include "sso.host" .) .Values.sso.oidc.host }}
+    realm: {{ default (include "sso.realm" .) .Values.sso.oidc.realm }}
+
+  {{- if or .Values.sso.jwks_uri (dig "oidc" "jwksUri" false .Values.sso) }}
+  jwks_uri: {{ include "sso.oidc.jwksuri" . | quote }}
+  {{- else if or .Values.sso.jwks (dig "oidc" "jwks" false .Values.sso) }}
+  jwks: {{ default (dig "oidc" "jwks" "" .Values.sso) .Values.sso.jwks | quote }}
+  {{- end }}

-  {{- if .Values.sso.jwks }}
-  jwks: "{{ .Values.sso.jwks }}"
-  {{- else if .Values.sso.jwks_uri }}
-  jwks_uri: "{{ .Values.sso.jwks_uri }}"
+  {{- if or .Values.sso.client_id (dig "sso" "client_id" false .Values.addons.authservice) }}
+  client_id: {{ default (dig "sso" "client_id" "" .Values.addons.authservice) .Values.sso.client_id }}
  {{- end }}

-  {{- if .Values.sso.client_id}}
-  client_id: {{ .Values.sso.client_id }}
+  {{- if or .Values.sso.client_secret (dig "sso" "client_secret" false .Values.addons.authservice) }}
+  client_secret: {{ default (dig "sso" "client_secret" "" .Values.addons.authservice) .Values.sso.client_secret }}
  {{- end }}

-  {{- if .Values.sso.client_secret }}
-  client_secret: {{ .Values.sso.client_secret }}
+  {{- if (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
+  certificate_authority: {{ (default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority) | quote }}
  {{- end }}

-  {{- if .Values.sso.certificate_authority }}
-  certificate_authority: {{ .Values.sso.certificate_authority | quote }}
+  {{- if not $legacy }}
+  authorization_uri: {{ include "sso.oidc.auth" . }}
+  token_uri: {{ include "sso.oidc.token" . }}
+  logout_redirect_uri: {{ include "sso.oidc.endsession" . }}
  {{- end }}

  {{- $authserviceValues := .Values.addons.authservice.values | default dict }}
@@ -114,6 +125,11 @@ chains:
    {{- end }}
    client_id: "{{ .Values.jaeger.sso.client_id }}"
    client_secret: "{{ .Values.jaeger.sso.client_secret }}"
+    {{- if not $legacy }}
+    authorization_uri: {{ include "sso.oidc.auth" . }}
+    token_uri: {{ include "sso.oidc.token" . }}
+    logout_redirect_uri: {{ include "sso.oidc.endsession" . }}
+    {{- end }}
  {{- end }}

  {{- if and .Values.tempo.enabled .Values.tempo.sso.enabled }}
@@ -133,6 +149,11 @@ chains:
    {{- end }}
    client_id: "{{ .Values.tempo.sso.client_id }}"
    client_secret: "{{ .Values.tempo.sso.client_secret }}"
+    {{- if not $legacy }}
+    authorization_uri: {{ include "sso.oidc.auth" . }}
+    token_uri: {{ include "sso.oidc.token" . }}
+    logout_redirect_uri: {{ include "sso.oidc.endsession" . }}
+    {{- end }}
  {{- end }}

  {{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled }}
@@ -149,6 +170,11 @@ chains:
    {{- end }}
    client_id: {{ .Values.monitoring.sso.prometheus.client_id }}
    client_secret: "{{ .Values.monitoring.sso.prometheus.client_secret }}"
+    {{- if not $legacy }}
+    authorization_uri: {{ include "sso.oidc.auth" . }}
+    token_uri: {{ include "sso.oidc.token" . }}
+    logout_redirect_uri: {{ include "sso.oidc.endsession" . }}
+    {{- end }}

  alertmanager:
    match:
@@ -163,5 +189,10 @@ chains:
    {{- end }}
    client_id: {{ .Values.monitoring.sso.alertmanager.client_id }}
    client_secret: "{{ .Values.monitoring.sso.alertmanager.client_secret }}"
+    {{- if not $legacy }}
+    authorization_uri: {{ include "sso.oidc.auth" . }}
+    token_uri: {{ include "sso.oidc.token" . }}
+    logout_redirect_uri: {{ include "sso.oidc.endsession" . }}
+    {{- end }}
  {{- end }}
 {{- end -}}
--- a/chart/templates/gitlab/secret-ca.yaml
+++ b/chart/templates/gitlab/secret-ca.yaml
-{{- if and  (or .Values.addons.gitlab.enabled .Values.addons.gitlabRunner.enabled) .Values.addons.gitlab.sso.enabled .Values.sso.certificate_authority}}
+{{- if and  (or .Values.addons.gitlab.enabled .Values.addons.gitlabRunner.enabled) .Values.addons.gitlab.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso))}}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
  namespace: gitlab
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
--- a/chart/templates/gitlab/secret-sso.yaml
+++ b/chart/templates/gitlab/secret-sso.yaml
@@ -12,7 +12,7 @@ stringData:
  gitlab-sso.json: |-
    {
      "name": "openid_connect",
-      "label": "{{ .Values.addons.gitlab.sso.label }}",
+      "label": "{{ default .Values.sso.name .Values.addons.gitlab.sso.label }}",
      "args": {
        "name": "openid_connect",
        "scope": [
@@ -25,23 +25,23 @@ stringData:
        {{- if .Values.addons.gitlab.sso.issuer_uri }}
        "issuer": "{{ .Values.addons.gitlab.sso.issuer_uri }}",
        {{- else }}
-        "issuer": "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}",
+        "issuer": "{{ include "sso.url" . }}",
        {{- end }}
        "client_auth_method": "query",
        "discovery": true,
-        "uid_field": {{ .Values.addons.gitlab.sso.uid_field | default "preferred_username" | quote }},
+        "uid_field": {{ default (dig "oidc" "claims" "username" "" .Values.sso) .Values.addons.gitlab.sso.uid_field | default "preferred_username" | quote }},
        "client_options": {
-          "identifier": "{{ .Values.addons.gitlab.sso.client_id | default .Values.sso.client_id }}",
-          "secret": "{{ .Values.addons.gitlab.sso.client_secret | default .Values.sso.client_secret }}",
+          "identifier": "{{ .Values.addons.gitlab.sso.client_id }}",
+          "secret": "{{ .Values.addons.gitlab.sso.client_secret }}",
          "redirect_uri": "https://{{ .Values.addons.gitlab.hostnames.gitlab }}.{{ $domainName }}/users/auth/openid_connect/callback",
          {{- if .Values.addons.gitlab.sso.end_session_uri }}
          "end_session_endpoint": "{{ .Values.addons.gitlab.sso.end_session_uri }}"
          {{- else }}
-          "end_session_endpoint": "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/logout"
+          "end_session_endpoint": "{{ include "sso.oidc.endsession" . }}"
          {{- end }}
        }
      }
    }

 {{- end }}
-{{- end}}
+{{- end }}
--- a/chart/templates/gitlab/values.yaml
+++ b/chart/templates/gitlab/values.yaml
@@ -226,10 +226,12 @@ minio:
 {{- end }}

 global:
-  {{- if and .Values.addons.gitlab.sso.enabled .Values.sso.certificate_authority}}
+  {{- if and .Values.addons.gitlab.sso.enabled (or (dig "certificateAuthority" "secretName" false .Values.sso) .Values.sso.secretName) }}
  certificates:
    customCAs:
-      - secret: tls-ca-sso
+      {{- if or .Values.sso.secretName (dig "certificateAuthority" "secretName" false .Values.sso) }}
+      - secret: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
+      {{- end }}
      - secret: ca-certs-australian-defence-organisation-cross-cert-chain
      - secret: ca-certs-australian-defence-organisation-direct-trust-chain
      - secret: ca-certs-boeing

--- a/chart/templates/jaeger/secret-ca.yaml
+++ b/chart/templates/jaeger/secret-ca.yaml
-{{- if and  .Values.jaeger.enabled .Values.jaeger.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.jaeger.enabled .Values.jaeger.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
  namespace: jaeger
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
--- a/chart/templates/kiali/secret-ca.yaml
+++ b/chart/templates/kiali/secret-ca.yaml
-{{- if and  .Values.kiali.enabled .Values.kiali.sso.enabled .Values.sso.certificate_authority  }}
+{{- if and .Values.kiali.enabled .Values.kiali.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso))  }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
  namespace: kiali
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
--- a/chart/templates/kiali/values.yaml
+++ b/chart/templates/kiali/values.yaml
@@ -43,11 +43,11 @@ cr:
      openid:
        client_id: "{{ .Values.kiali.sso.client_id }}"
        disable_rbac: true
-        issuer_uri: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}"
+        issuer_uri: "{{ include "sso.url" . }}"
        scopes:
        - openid
        - email
-        username_claim: email
+        username_claim: {{ dig "oidc" "claims" "email" "email" .Values.sso }}
      {{- else }}
      strategy: token
      {{- end }}

--- a/chart/templates/logging/elasticsearch-kibana/secret-ca.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/secret-ca.yaml
-{{- if and .Values.logging.enabled .Values.logging.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.logging.enabled .Values.logging.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
  namespace: logging
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
--- a/chart/templates/logging/elasticsearch-kibana/values.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/values.yaml
@@ -37,26 +37,22 @@ sso:
  client_id: {{ .client_id | quote }}
  client_secret: {{ .client_secret | default "no-secret" }}
  oidc:
-    {{- if $.Values.logging.sso.oidc }}
-    host: {{ .oidc.host | default $.Values.sso.oidc.host | quote }}
-    realm: {{ .oidc.realm | default $.Values.sso.oidc.realm | quote }}
-    {{- else }}
-    host: {{ $.Values.sso.oidc.host | quote }}
-    realm: {{ $.Values.sso.oidc.realm | quote }}
-    {{- end }}
+    host: {{ default (include "sso.host" $) (dig "oidc" "host" "" .) | quote }}
+    realm: {{ default (include "sso.realm" $) (dig "oidc" "realm" "" .) | quote }}
  {{- /* Optional fields should be nil checked */ -}}
-  {{- list "issuer" .issuer | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "auth_url" .auth_url | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "token_url" .token_url | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "userinfo_url" .userinfo_url | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "jwkset_url" .jwkset_url | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "claims_principal" .claims_principal | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- $legacy := and (not (empty $.Values.sso.oidc.realm)) (not (empty $.Values.sso.oidc.host)) -}}
+  {{- list "issuer" (default (ternary nil (include "sso.url" $) $legacy) .issuer) | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "auth_url" (default (ternary nil (include "sso.oidc.auth" $) $legacy) .auth_url) | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "token_url" (default (ternary nil (include "sso.oidc.token" $) $legacy) .token_url) | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "userinfo_url" (default (ternary nil (include "sso.oidc.userinfo" $) $legacy) .userinfo_url) | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "jwkset_url" (default (ternary nil (include "sso.oidc.jwksuri" $) $legacy) .jwkset_url) | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "claims_principal" (default (ternary nil (dig "oidc" "claims" "username" nil $.Values.sso) $legacy) .claims_principal) | include "bigbang.addValueIfSet" | indent 2 }}
  {{- list "claims_principal_pattern" .claims_principal_pattern | include "bigbang.addValueIfSet" | indent 2 }}
  {{- list "requested_scopes" .requested_scopes | include "bigbang.addValueIfSet" | indent 2 }}
  {{- list "signature_algorithm" .signature_algorithm | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "endsession_url" .endsession_url | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "claims_group" .claims_group | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "claims_mail" .claims_mail | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "endsession_url" (default (ternary nil (include "sso.oidc.endsession" $) $legacy) .endsession_url) | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "claims_group" (default (ternary nil (dig "oidc" "claims" "groups" nil $.Values.sso) $legacy) .claims_group) | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "claims_mail" (default (ternary nil (dig "oidc" "claims" "email" nil $.Values.sso) $legacy) .claims_mail) | include "bigbang.addValueIfSet" | indent 2 }}
  {{- list "cert_authorities" .cert_authorities | include "bigbang.addValueIfSet" | indent 2 }}
 {{- end }}
 {{- end }}

--- a/chart/templates/mattermost/secret-ca.yaml
+++ b/chart/templates/mattermost/secret-ca.yaml
-{{- if and  .Values.addons.mattermost.enabled .Values.addons.mattermost.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.addons.mattermost.enabled .Values.addons.mattermost.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
  namespace: mattermost
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
--- a/chart/templates/mattermost/values.yaml
+++ b/chart/templates/mattermost/values.yaml
@@ -37,9 +37,9 @@ sso:
  enabled: {{ .enabled }}
  client_id: {{ .client_id }}
  client_secret: {{ .client_secret | default "no-secret" }}
-  auth_endpoint: {{ .auth_endpoint | default (printf "https://%s/auth/realms/%s/protocol/openid-connect/auth" $.Values.sso.oidc.host $.Values.sso.oidc.realm) }}
-  token_endpoint: {{ .token_endpoint | default (printf "https://%s/auth/realms/%s/protocol/openid-connect/token" $.Values.sso.oidc.host $.Values.sso.oidc.realm) }}
-  user_api_endpoint: {{ .user_api_endpoint | default (printf "https://%s/auth/realms/%s/protocol/openid-connect/userinfo" $.Values.sso.oidc.host $.Values.sso.oidc.realm) }}
+  auth_endpoint: {{ default (include "sso.oidc.auth" $) .auth_endpoint }}
+  token_endpoint: {{ default (include "sso.oidc.token" $) .token_endpoint }}
+  user_api_endpoint: {{ default (include "sso.oidc.userinfo" $) .user_api_endpoint }}
 {{- end }}

 networkPolicies:

--- a/chart/templates/monitoring/secret-ca.yaml
+++ b/chart/templates/monitoring/secret-ca.yaml
-{{- if and  .Values.monitoring.enabled .Values.monitoring.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
  namespace: monitoring
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
--- a/chart/templates/monitoring/values.yaml
+++ b/chart/templates/monitoring/values.yaml
@@ -311,12 +311,15 @@ grafana:

    auth.generic_oauth:
      enabled: {{ .Values.monitoring.sso.enabled }}
+      {{- if .Values.sso.name }}
+      name: {{ .Values.sso.name }}
+      {{- end }}
      client_id: {{ .Values.monitoring.sso.grafana.client_id }}
      client_secret: {{ .Values.monitoring.sso.grafana.client_secret }}
      scopes: {{ .Values.monitoring.sso.grafana.scopes | default "openid profile email" }}
-      auth_url: {{ .Values.monitoring.sso.grafana.auth_url | default (tpl .Values.sso.auth_url .) }}
-      token_url: {{ .Values.monitoring.sso.grafana.token_url | default (tpl .Values.sso.token_url .) }}
-      api_url: {{ .Values.monitoring.sso.grafana.api_url | default (tpl "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/userinfo" .) }}
+      auth_url: {{ default (include "sso.oidc.auth" .) .Values.monitoring.sso.grafana.auth_url }}
+      token_url: {{ default (include "sso.oidc.token" .) .Values.monitoring.sso.grafana.token_url }}
+      api_url: {{ default (include "sso.oidc.userinfo" .) .Values.monitoring.sso.grafana.api_url }}
      allow_sign_up: {{ .Values.monitoring.sso.grafana.allow_sign_up | default "True" }}
      role_attribute_path: {{ .Values.monitoring.sso.grafana.role_attribute_path | default "Viewer" }}
    {{- with .Values.monitoring.sso.grafana }}

--- a/chart/templates/nexus-repository-manager/secret-ca.yaml
+++ b/chart/templates/nexus-repository-manager/secret-ca.yaml
 {{- $nexusOldValues := default dict .Values.addons.nexus -}}
 {{- $nexusValues := merge $nexusOldValues .Values.addons.nexusRepositoryManager -}}
-{{- if and  $nexusValues.enabled $nexusValues.sso.enabled .Values.sso.certificate_authority }}
+{{- if and $nexusValues.enabled $nexusValues.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{.Values.sso.secretName}}
+  name: {{default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName}}
  namespace: nexus-repository-manager
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}