diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt
index aada4b045d5ab79255e51a447a6c1d54b95b41a2..dd58c7a4ab3320f412515369db3ebc0eb9e3cd86 100644
--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
@@ -185,6 +185,208 @@ DEPRECATION NOTICE:
   Please reconfigure your values overrides to use .Values.addons.nexusRepositoryManager 
 {{- end }}
 
+{{- $nexusOldValues := default dict .Values.addons.nexus -}}
+{{- $nexusValues := merge $nexusOldValues .Values.addons.nexusRepositoryManager -}}
+
+{{- with .Values }}
+{{- if and .sso.url (coalesce .sso.oidc.host .sso.oidc.realm .sso.certificate_authority .sso.jwks .sso.jwks_uri .sso.client_id .sso.client_secret .sso.token_url .sso.auth_url .sso.secretName .logging.sso.issuer .logging.sso.auth_url .logging.sso.token_url .logging.sso.userinfo_url .logging.sso.jwkset_url .logging.sso.claims_principal .logging.sso.endsession_url .logging.sso.claims_group .logging.sso.claims_mail .monitoring.sso.grafana.auth_url .monitoring.sso.grafana.token_url .monitoring.sso.grafana.api_url .twistlock.sso.provider_name .twistlock.sso.issuer_uri .twistlock.sso.idp_url .twistlock.sso.console_url .twistlock.sso.cert .addons.argocd.sso.provider_name .addons.gitlab.sso.label .addons.gitlab.sso.issuer_uri .addons.gitlab.sso.end_session_uri .addons.gitlab.sso.uid_field .addons.mattermost.sso.auth_endpoint .addons.mattermost.sso.token_endpoint .addons.mattermost.sso.user_api_endpoint $nexusValues.sso.idp_data.idpMetadata .addons.sonarqube.sso.provider_name .addons.sonarqube.sso.certificate) }}
+DEPRECATION NOTICE:
+  The following SSO keys have been deprecated.  Deprecated keys will continue to work, but will be removed in a future release.  Please update your overrides.
+    {{- if coalesce .sso.oidc.host .sso.oidc.realm .sso.certificate_authority .sso.jwks .sso.jwks_uri .sso.client_id .sso.client_secret .sso.token_url .sso.auth_url .sso.secretName }}
+    sso:
+      {{- if coalesce .sso.oidc.host .sso.oidc.realm }}
+      oidc:
+        {{- if .sso.oidc.host }}
+        # "host" removed.  It is now implicitly defined in "sso.url".
+        host: {{ .sso.oidc.host }}
+        {{- end }}
+        {{- if .sso.oidc.realm }}
+        # "realm" removed.  It is now implicitly defined in "sso.url".
+        realm: {{ .sso.oidc.realm }}
+        {{- end }}
+      {{- end }}
+      {{- if .sso.certificate_authority }}
+      # "certificate_authority" was moved to "sso.certificateAuthority.cert".
+      certificate_authority: {{ .sso.certificate_authority | trunc 27 }}
+      {{- end }}
+      {{- if .sso.jwks }}
+      # "jwks" was moved to "sso.oidc.jwks". If possible, switch to using "sso.oidc.jwksUri" to dynamically retrieve metadata instead
+      jwks: {{ .sso.jwks }}
+      {{- end }}
+      {{- if .sso.jwks_uri }}
+      # "jwks_uri" was moved to "sso.oidc.jwksUri"
+      jwks_uri: {{ .sso.jwks_uri }}
+      {{- end }}
+      {{- if .sso.client_id }}
+      # "client_id" was moved to "addons.authservice.sso.client_id"
+      client_id: {{ .sso.client_id }}
+      {{- end }}
+      {{- if .sso.client_secret }}
+      # "client_secret" was moved to "addons.authservice.sso.client_secret"
+      client_secret: {{ .sso.client_secret }}
+      {{- end }}
+      {{- if .sso.token_url }}
+      # "token_url" was moved to "sso.oidc.token"
+      token_url: {{ .sso.token_url }}
+      {{- end }}
+      {{- if .sso.auth_url }}
+      # "auth_url" was moved to "sso.oidc.authorization"
+      auth_url: {{ .sso.auth_url }}
+      {{- end }}
+      {{- if .sso.secretName }}
+      # "secretName" was moved to "sso.certificateAuthority.secretName"
+      secretName: {{ .sso.secretName }}
+      {{- end }}
+    {{- end }}
+    {{- if coalesce .logging.sso.issuer .logging.sso.auth_url .logging.sso.token_url .logging.sso.userinfo_url .logging.sso.jwkset_url .logging.sso.claims_principal .logging.sso.endsession_url .logging.sso.claims_group .logging.sso.claims_mail }}
+    logging:
+      sso:
+        {{- if .logging.sso.issuer }}
+        # "issuer" was moved to "sso.url"
+        issuer: {{ .logging.sso.issuer }}
+        {{- end }}
+        {{- if .logging.sso.auth_url }}
+        # "auth_url" was moved to "sso.oidc.authorization"
+        auth_url: {{ .logging.sso.auth_url }}
+        {{- end }}
+        {{- if .logging.sso.token_url }}
+        # "token_url" was moved to "sso.oidc.token"
+        token_url: {{ .logging.sso.token_url }}
+        {{- end }}
+        {{- if .logging.sso.userinfo_url }}
+        # "userinfo_url" was moved to "sso.oidc.userinfo"
+        userinfo_url: {{ .logging.sso.userinfo_url }}
+        {{- end }}
+        {{- if .logging.sso.jwkset_url }}
+        # "jwkset_url" was moved to "sso.oidc.jwksUrl"
+        jwkset_url: {{ .logging.sso.jwkset_url }}
+        {{- end }}
+        {{- if .logging.sso.claims_principal }}
+        # "claims_principal" was moved to "sso.oidc.claims.username"
+        claims_principal: {{ .logging.sso.claims_principal }}
+        {{- end }}
+        {{- if .logging.sso.endsession_url }}
+        # "endsession_url" was moved to "sso.oidc.endsession"
+        endsession_url: {{ .logging.sso.endsession_url }}
+        {{- end }}
+        {{- if .logging.sso.claims_group }}
+        # "claims_group" was moved to "sso.oidc.claims.groups"
+        claims_group: {{ .logging.sso.claims_group }}
+        {{- end }}
+        {{- if .logging.sso.claims_mail }}
+        # "claims_mail" was moved to "sso.oidc.claims.email"
+        claims_mail: {{ .logging.sso.claims_mail }}
+        {{- end }}
+    {{- end }}
+    {{- if coalesce .monitoring.sso.grafana.auth_url .monitoring.sso.grafana.token_url .monitoring.sso.grafana.api_url }}
+    monitoring:
+      sso:
+        grafana:
+          {{- if .monitoring.sso.grafana.auth_url }}
+          # "auth_url" moved to "sso.oidc.authorization"
+          auth_url: {{ .monitoring.sso.grafana.auth_url }}
+          {{- end }}
+          {{- if .monitoring.sso.grafana.token_url }}
+          # "token_url" moved to "sso.oidc.token"
+          token_url: {{ .monitoring.sso.grafana.token_url }}
+          {{- end }}
+          {{- if .monitoring.sso.grafana.api_url }}
+          # "api_url" moved to "sso.oidc.userinfo"
+          api_url: {{ .monitoring.sso.grafana.api_url }}
+          {{- end }}
+    {{- end }}
+    {{- if coalesce .twistlock.sso.provider_name .twistlock.sso.issuer_uri .twistlock.sso.idp_url .twistlock.sso.console_url .twistlock.sso.cert }}
+    twistlock:
+      sso:
+        {{- if .twistlock.sso.provider_name }}
+        # "provider_name" moved to "sso.name"
+        provider_name: {{ .twistlock.sso.provider_name }}
+        {{- end }}
+        {{- if .twistlock.sso.issuer_uri }}
+        # "issuer_uri" moved to "sso.url"
+        issuer_uri: {{ .twistlock.sso.issuer_uri }}
+        {{- end }}
+        {{- if .twistlock.sso.idp_url }}
+        # "idp_url" moved to "sso.saml.service"
+        idp_url: {{ .twistlock.sso.idp_url }}
+        {{- end }}
+        {{- if .twistlock.sso.console_url }}
+        # "console_url" deprecated.  It will be created from "twistlock.values.istio.console.hosts" or "twistlock.<domain>"
+        console_url: {{ .twistlock.sso.console_url }}
+        {{- end }}
+        {{- if .twistlock.sso.cert }}
+        # "cert" is derived from "sso.saml.metadata"
+        cert: {{ .twistlock.sso.cert | trunc 27 }}
+        {{- end }}
+    {{- end }}
+    {{- if coalesce .addons.argocd.sso.provider_name .addons.gitlab.sso.label .addons.gitlab.sso.issuer_uri .addons.gitlab.sso.end_session_uri .addons.gitlab.sso.uid_field .addons.mattermost.sso.auth_endpoint .addons.mattermost.sso.token_endpoint .addons.mattermost.sso.user_api_endpoint $nexusValues.sso.idp_data.idpMetadata .addons.sonarqube.sso.provider_name .addons.sonarqube.sso.certificate }}
+    addons:
+      {{- if .addons.argocd.sso.provider_name }}
+      argocd:
+        sso:
+          # "provider_name" moved to "sso.name"
+          provider_name: {{ .addons.argocd.sso.provider_name }}
+      {{- end }}
+      {{- if coalesce .addons.gitlab.sso.label .addons.gitlab.sso.issuer_uri .addons.gitlab.sso.end_session_uri .addons.gitlab.sso.uid_field -}}
+      gitlab:
+        sso:
+          {{- if .addons.gitlab.sso.label }}
+          # "label" moved to "sso.name"
+          label: {{ .addons.gitlab.sso.label }}
+          {{- end }}
+          {{- if .addons.gitlab.sso.issuer_uri }}
+          # "issuer_uri" moved to "sso.url"
+          issuer_uri: {{ .addons.gitlab.sso.issuer_uri }}
+          {{- end }}
+          {{- if .addons.gitlab.sso.end_session_uri }}
+          # "end_session_uri" moved to "sso.oidc.endSession"
+          end_session_uri: {{ .addons.gitlab.sso.end_session_uri }}
+          {{- end }}
+          {{- if .addons.gitlab.sso.uid_field }}
+          # "uid_field" moved to "sso.oidc.claims.username"
+          uid_field: {{ .addons.gitlab.sso.uid_field }}
+          {{- end }}
+      {{- end }}
+      {{- if coalesce .addons.mattermost.sso.auth_endpoint .addons.mattermost.sso.token_endpoint .addons.mattermost.sso.user_api_endpoint }}
+      mattermost:
+        sso:
+          {{- if .addons.mattermost.sso.auth_endpoint }}
+          # "auth_endpoint" moved to "sso.oidc.authorization"
+          auth_endpoint: {{ .addons.mattermost.sso.auth_endpoint }}
+          {{- end }}
+          {{- if .addons.mattermost.sso.token_endpoint }}
+          # "token_endpoint" moved "sso.oidc.token"
+          token_endpoint: {{ .addons.mattermost.sso.token_endpoint }}
+          {{- end }}
+          {{- if .addons.mattermost.sso.user_api_endpoint }}
+          # "user_api_endpoint" moved to "sso.oidc.userinfo"
+          user_api_endpoint: {{ .addons.mattermost.sso.user_api_endpoint }}
+          {{- end }}
+      {{- end }}
+      {{- if coalesce $nexusValues.sso.idp_data.idpMetadata }}
+      nexus:
+        sso:
+          {{- if $nexusValues.sso.idp_data.idpMetadata }}
+          # idpMetadata moved to "sso.saml.metadata"
+          idpMetadata: {{ $nexusValues.sso.idp_data.idpMetadata | trunc 27 }}
+          {{- end }}
+      {{- end }}
+      {{- if coalesce .addons.sonarqube.sso.provider_name .addons.sonarqube.sso.certificate }}
+      sonarqube:
+        sso:
+          {{- if .addons.sonarqube.sso.provider_name }}
+          # "provider_name" moved to "sso.name"
+          provider_name: {{ .addons.sonarqube.sso.provider_name }}
+          {{- end }}
+          {{- if .addons.sonarqube.sso.certificate }}
+          # "certificate" derived from "sso.saml.metadata"
+          certificate: {{ .addons.sonarqube.sso.certificate | trunc 27 }}
+          {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
 {{- if .Values.addons.mattermostoperator }}
 DEPRECATION NOTICE:
   .Values.addons.mattermostoperator has been deprecated and will be removed in a future Big Bang release.
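Review bot: The deprecation notice prints the full OIDC client secret at L47 — `client_secret: {{ .sso.client_secret }}` — into the rendered NOTES, which ends up in `helm install`/`helm upgrade` output, `helm get notes`, and any CI log that captures them, while the certificates on the same page are deliberately cut with `trunc 27`. A migration hint does not need the value; print a marker instead, e.g. `client_secret: "<redacted; move to addons.authservice.sso.client_secret>"`. The nexus lookup at L13 and L187 dereferences `$nexusValues.sso.idp_data.idpMetadata` without a guard, so an override that replaces the `sso` or `idp_data` map wholesale would fail the render with a nil-pointer error instead of skipping the notice; `dig "sso" "idp_data" "idpMetadata" "" $nexusValues` avoids that, assuming the chart's default values do not already guarantee those keys.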
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
index 1c9b3ca76feca3bcb96f21cc92599a9768da216c..dc9a6ecd264afb6ee84707c69450102b23504513 100644
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -218,5 +218,116 @@ bigbang.dev/istioVersion: {{ .Values.istio.oci.tag }}
 
 {{- /* Prints istio version */ -}}
 {{- define "istioVersion" -}}
-{{ regexReplaceAll "-bb.+$" (coalesce .Values.istio.git.semver .Values.istio.git.tag .Values.istio.git.branch) "" }}
+  {{- regexReplaceAll "-bb.+$" (coalesce .Values.istio.git.semver .Values.istio.git.tag .Values.istio.git.branch) "" -}}
 {{- end -}}
+
+{{- /* Returns an SSO host */ -}}
+{{- define "sso.host" -}}
+  {{- coalesce .Values.sso.oidc.host (regexReplaceAll ".*//([^/]*)/?.*" .Values.sso.url "${1}") -}}
+{{- end -}}
+
+{{- /* Returns an SSO realm */ -}}
+{{- define "sso.realm" -}}
+  {{- coalesce .Values.sso.oidc.realm (regexReplaceAll ".*/realms/([^/]*)" .Values.sso.url "${1}") (regexReplaceAll "\\W+" .Values.sso.name "") -}}
+{{- end -}}
+
+{{- /* Returns the SSO base URL */ -}}
+{{- define "sso.url" -}}
+  {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "https://%s/auth/realms/%s" .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+  {{- else -}}
+    {{- tpl (default "" .Values.sso.url) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the SSO auth url (OIDC) */ -}}
+{{- define "sso.oidc.auth" -}}
+  {{- if .Values.sso.auth_url -}}
+    {{- tpl (default "" .Values.sso.auth_url) . -}}
+  {{- else if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "%s/protocol/openid-connect/auth" (include "sso.url" .) -}}
+  {{- else -}}
+    {{- tpl (dig "oidc" "authorization" (printf "%s/protocol/openid-connect/auth" (include "sso.url" .)) .Values.sso) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the SSO token url (OIDC) */ -}}
+{{- define "sso.oidc.token" -}}
+  {{- if .Values.sso.token_url -}}
+    {{- tpl (default "" .Values.sso.token_url) . -}}
+  {{- else if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "%s/protocol/openid-connect/token" (include "sso.url" .) -}}
+  {{- else -}}
+    {{- tpl (dig "oidc" "token" (printf "%s/protocol/openid-connect/token" (include "sso.url" .)) .Values.sso) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the SSO userinfo url (OIDC) */ -}}
+{{- define "sso.oidc.userinfo" -}}
+  {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "%s/protocol/openid-connect/userinfo" (include "sso.url" .) -}}
+  {{- else -}}
+    {{- tpl (dig "oidc" "userinfo" (printf "%s/protocol/openid-connect/userinfo" (include "sso.url" .)) .Values.sso) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the SSO jwks url (OIDC) */ -}}
+{{- define "sso.oidc.jwksuri" -}}
+  {{- if .Values.sso.jwks_uri -}}
+    {{- tpl (default "" .Values.sso.jwks_uri) . -}}
+  {{- else if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "%s/protocol/openid-connect/certs" (include "sso.url" .) -}}
+  {{- else -}}
+    {{- tpl (dig "oidc" "jwksUri" (printf "%s/protocol/openid-connect/certs" (include "sso.url" .)) .Values.sso) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the SSO end session url (OIDC) */ -}}
+{{- define "sso.oidc.endsession" -}}
+  {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "%s/protocol/openid-connect/logout" (include "sso.url" .) -}}
+  {{- else -}}
+    {{- tpl (dig "oidc" "endSession" (printf "%s/protocol/openid-connect/logout" (include "sso.url" .)) .Values.sso) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the single sign on service (SAML) */ -}}
+{{- define "sso.saml.service" -}}
+  {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "%s/protocol/saml" (include "sso.url" .) -}}
+  {{- else -}}
+    {{- tpl (dig "saml" "service" (printf "%s/protocol/saml" (include "sso.url" .)) .Values.sso) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the single sign on entity descriptor (SAML) */ -}}
+{{- define "sso.saml.descriptor" -}}
+  {{- if and .Values.sso.oidc.host .Values.sso.oidc.realm -}}
+    {{- printf "%s/descriptor" (include "sso.saml.service" .) -}}
+  {{- else -}}
+    {{- tpl (dig "saml" "entityDescriptor" (printf "%s/descriptor" (include "sso.saml.service" .)) .Values.sso) . -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the signing cert (no headers) from the SAML metadata */ -}}
+{{- define "sso.saml.cert" -}}
+  {{- $cert := dig "saml" "metadata" "" .Values.sso -}}
+  {{- if $cert -}}
+    {{- $cert := regexFind "<md:IDPSSODescriptor[\\s>][\\s\\S]*?</md:IDPSSODescriptor[\\s>]" $cert -}}
+    {{- $cert = regexFind "<md:KeyDescriptor[\\s>][^>]*?use=\"signing\"[\\s\\S]*?</md:KeyDescriptor[\\s>]" $cert -}}
+    {{- $cert = regexFind "<ds:KeyInfo[\\s>][\\s\\S]*?</ds:KeyInfo[\\s>]" $cert -}}
+    {{- $cert = regexFind "<ds:X509Data[\\s>][\\s\\S]*?</ds:X509Data[\\s>]" $cert -}}
+    {{- $cert = regexFind "<ds:X509Certificate[\\s>][\\s\\S]*?</ds:X509Certificate[\\s>]" $cert -}}
+    {{- $cert = regexReplaceAll "<ds:X509Certificate[^>]*?>\\s*([\\s\\S]*?)</ds:X509Certificate[\\s>]" $cert "${1}" -}}
+    {{- $cert = regexReplaceAll "\\s*" $cert "" -}}
+    {{- required "X.509 signing certificate could not be found in sso.saml.metadata!" $cert -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Returns the signing cert with headers from the SAML metadata */ -}}
+{{- define "sso.saml.cert.withheaders" -}}
+  {{- $cert := include "sso.saml.cert" . -}}
+  {{- if $cert -}}
+    {{- printf "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" $cert -}}
+  {{- end -}}
+{{- end -}}
\ No newline at end of file
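Review bot: `sso.realm` (L233) and `sso.host` (L228) never reach their later `coalesce` arguments when `sso.url` is not Keycloak-shaped, because `regexReplaceAll` returns its input unchanged on no match — a URL without `/realms/` yields the entire URL as the realm rather than the sanitized `sso.name`, and authservice then writes that into `global.oidc.realm`. Only derive from the URL when the pattern is actually present, as below; the host helper needs the same `regexMatch` guard. The realm pattern also lacks a trailing `.*`, so anything after the realm segment (a trailing slash, `/protocol/...`) survives into the result. Separately, `sso.saml.cert` (L315–L327) only accepts metadata with `md:`/`ds:` prefixes and a `<md:KeyDescriptor use="signing">`; metadata that omits `use` (meaning the key serves both purposes) or uses a default namespace fails the `required` check — fail-closed, which is right, but the expected metadata shape deserves a comment above the define.
```gotmpl
{{- /* Returns an SSO realm: explicit override, else the /realms/<realm> segment of sso.url, else sso.name with non-word characters stripped */ -}}
{{- define "sso.realm" -}}
  {{- $url := default "" .Values.sso.url -}}
  {{- $fromUrl := "" -}}
  {{- if regexMatch "/realms/[^/]+" $url -}}
    {{- $fromUrl = regexReplaceAll ".*/realms/([^/]*).*" $url "${1}" -}}
  {{- end -}}
  {{- coalesce .Values.sso.oidc.realm $fromUrl (regexReplaceAll "\\W+" .Values.sso.name "") -}}
{{- end -}}
```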
diff --git a/chart/templates/anchore/secret-ca.yaml b/chart/templates/anchore/secret-ca.yaml
index c1096ba3c2d958cf59e3c816858d3b5fe9809e1d..a0c95319acaaee7914a9deb2915e1b62c8e48c56 100644
--- a/chart/templates/anchore/secret-ca.yaml
+++ b/chart/templates/anchore/secret-ca.yaml
@@ -1,10 +1,10 @@
-{{- if and  .Values.addons.anchore.enabled .Values.addons.anchore.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.addons.anchore.enabled .Values.addons.anchore.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{.Values.sso.secretName}}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
   namespace: anchore
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
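Review bot: The render guard at L343 checks that a CA cert is present but not that a secret name is, so with neither `sso.certificateAuthority.secretName` nor the legacy `sso.secretName` set the Secret at L348 is emitted with an empty `metadata.name` and the release fails at apply time with an unhelpful API error. Make the name mandatory, e.g. `name: {{ required "sso.certificateAuthority.secretName is required when a CA cert is set" (default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName) }}`, unless the chart's default values already supply one — values.yaml is not visible from here. The identical argocd, gitlab, jaeger, kiali and logging `secret-ca.yaml` hunks in this commit repeat the same expression; a named helper such as `sso.ca.secretName` would keep the six copies from drifting.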
diff --git a/chart/templates/anchore/values.yaml b/chart/templates/anchore/values.yaml
index c22fcf1dea47d6e55f97a60553ebf23d4992691d..c06d820c5b1b9a83250d92f03ceebd0bf73e87dc 100644
--- a/chart/templates/anchore/values.yaml
+++ b/chart/templates/anchore/values.yaml
@@ -49,7 +49,7 @@ sso:
   spEntityId: {{ .Values.addons.anchore.sso.client_id }}
   {{- $anchoreUrl := first (dig "istio" "ui" "hosts" list .Values.addons.anchore.values) }}
   acsUrl: https://{{ tpl ($anchoreUrl | default (printf "%s.%s" "anchore" $domainName)) . }}/service/sso/auth/keycloak
-  idpMetadataUrl: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/saml/descriptor"
+  idpMetadataUrl: "{{ include "sso.saml.descriptor" . }}"
   roleAttribute: {{ .Values.addons.anchore.sso.role_attribute }}
   {{- end }}
 
diff --git a/chart/templates/argocd/secret-ca.yaml b/chart/templates/argocd/secret-ca.yaml
index 00365cdac56271de92bca2cd58d91f85fc3935b5..4e667f9d0defd0ddb1b7671c6dcccbe5ef8df14b 100644
--- a/chart/templates/argocd/secret-ca.yaml
+++ b/chart/templates/argocd/secret-ca.yaml
@@ -1,10 +1,10 @@
-{{- if and  .Values.addons.argocd.enabled .Values.addons.argocd.sso.enabled .Values.sso.certificate_authority   }}
+{{- if and .Values.addons.argocd.enabled .Values.addons.argocd.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso))   }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
   namespace: argocd
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
diff --git a/chart/templates/argocd/values.yaml b/chart/templates/argocd/values.yaml
index 17574e67d46af2e7e88fe19795d856c5fb173fa0..fe576f188d7fb1bb6b4ad099159d7b1890c01b12 100644
--- a/chart/templates/argocd/values.yaml
+++ b/chart/templates/argocd/values.yaml
@@ -168,14 +168,14 @@ sso:
   keycloakClientSecret: {{ .Values.addons.argocd.sso.client_secret }}
   config:
     oidc.config: |
-      name: {{ .Values.addons.argocd.sso.provider_name }}
-      issuer: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}
+      name: {{ default .Values.sso.name .Values.addons.argocd.sso.provider_name }}
+      issuer: {{ include "sso.url" . }}
       clientID: {{ .Values.addons.argocd.sso.client_id }}
       clientSecret: $oidc.keycloak.clientSecret
       requestedScopes: ["openid","ArgoCD"]
-      {{- if .Values.sso.certificate_authority }}
+      {{- if (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
       rootCA: |
-        {{- .Values.sso.certificate_authority | nindent 8 }}
+        {{- default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | nindent 8 }}
       {{- end }}
 {{- end }}
 {{- end -}}
diff --git a/chart/templates/authservice/values.yaml b/chart/templates/authservice/values.yaml
index 71e47f1467cf37dce3b878c56e77ee1d25d36101..859212d6aea45bd60e56168d5d9e08e71e92dd62 100644
--- a/chart/templates/authservice/values.yaml
+++ b/chart/templates/authservice/values.yaml
@@ -64,27 +64,38 @@ redis-bb:
       namespace: monitoring
 {{- end }}
 
+{{- $legacy := and .Values.sso.oidc.realm .Values.sso.oidc.host -}}
+{{- if not $legacy }}
+issuer_uri: {{ include "sso.url" . }}
+{{- end }}
+
 global:
   oidc:
-    host: {{ .Values.sso.oidc.host }}
-    realm: {{ .Values.sso.oidc.realm }}
+    host: {{ default (include "sso.host" .) .Values.sso.oidc.host }}
+    realm: {{ default (include "sso.realm" .) .Values.sso.oidc.realm }}
+
+  {{- if or .Values.sso.jwks_uri (dig "oidc" "jwksUri" false .Values.sso) }}
+  jwks_uri: {{ include "sso.oidc.jwksuri" . | quote }}
+  {{- else if or .Values.sso.jwks (dig "oidc" "jwks" false .Values.sso) }}
+  jwks: {{ default (dig "oidc" "jwks" "" .Values.sso) .Values.sso.jwks | quote }}
+  {{- end }}
 
-  {{- if .Values.sso.jwks }}
-  jwks: "{{ .Values.sso.jwks }}"
-  {{- else if .Values.sso.jwks_uri }}
-  jwks_uri: "{{ .Values.sso.jwks_uri }}"
+  {{- if or .Values.sso.client_id (dig "sso" "client_id" false .Values.addons.authservice) }}
+  client_id: {{ default (dig "sso" "client_id" "" .Values.addons.authservice) .Values.sso.client_id }}
   {{- end }}
 
-  {{- if .Values.sso.client_id}}
-  client_id: {{ .Values.sso.client_id }}
+  {{- if or .Values.sso.client_secret (dig "sso" "client_secret" false .Values.addons.authservice) }}
+  client_secret: {{ default (dig "sso" "client_secret" "" .Values.addons.authservice) .Values.sso.client_secret }}
   {{- end }}
 
-  {{- if .Values.sso.client_secret }}
-  client_secret: {{ .Values.sso.client_secret }}
+  {{- if (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
+  certificate_authority: {{ (default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority) | quote }}
   {{- end }}
 
-  {{- if .Values.sso.certificate_authority }}
-  certificate_authority: {{ .Values.sso.certificate_authority | quote }}
+  {{- if not $legacy }}
+  authorization_uri: {{ include "sso.oidc.auth" . }}
+  token_uri: {{ include "sso.oidc.token" . }}
+  logout_redirect_uri: {{ include "sso.oidc.endsession" . }}
   {{- end }}
 
   {{- $authserviceValues := .Values.addons.authservice.values | default dict }}
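Review bot: `client_id` (L442) and `client_secret` (L448) are now emitted as bare scalars, so a secret that starts with `*`, `&`, `{` or `%`, contains `: ` or ` #`, or is all digits is mistyped or breaks the YAML the authservice chart receives; `certificate_authority` on L454 is already quoted and the old `jwks: "{{ ... }}"` form was too. Quote both: `client_id: {{ default (dig "sso" "client_id" "" .Values.addons.authservice) .Values.sso.client_id | quote }}` and the same `| quote` on the secret line. The outer `default ... .Values.sso.oidc.host` at L428 is redundant, because the `sso.host` helper already coalesces that key first, so `host: {{ include "sso.host" . }}` (and likewise for realm) reads more honestly.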
@@ -114,6 +125,11 @@ chains:
     {{- end }}
     client_id: "{{ .Values.jaeger.sso.client_id }}"
     client_secret: "{{ .Values.jaeger.sso.client_secret }}"
+    {{- if not $legacy }}
+    authorization_uri: {{ include "sso.oidc.auth" . }}
+    token_uri: {{ include "sso.oidc.token" . }}
+    logout_redirect_uri: {{ include "sso.oidc.endsession" . }}
+    {{- end }}
   {{- end }}
 
   {{- if and .Values.tempo.enabled .Values.tempo.sso.enabled }}
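Review bot: The `authorization_uri`/`token_uri`/`logout_redirect_uri` trio under `{{- if not $legacy }}` is pasted verbatim into the jaeger, tempo, prometheus and alertmanager chains in this file, so the next change to how these are derived has to be applied four times and will drift. A small named template that emits the three keys, included in each chain with `{{ include "sso.oidc.chainUris" . | nindent 4 }}` under the same `$legacy` guard, gives one source of truth; `$legacy` itself is defined once at the top of the file (L419) and is usable from the helper via `.Values`. The chain definitions begin before this hunk.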
@@ -133,6 +149,11 @@ chains:
     {{- end }}
     client_id: "{{ .Values.tempo.sso.client_id }}"
     client_secret: "{{ .Values.tempo.sso.client_secret }}"
+    {{- if not $legacy }}
+    authorization_uri: {{ include "sso.oidc.auth" . }}
+    token_uri: {{ include "sso.oidc.token" . }}
+    logout_redirect_uri: {{ include "sso.oidc.endsession" . }}
+    {{- end }}
   {{- end }}
 
   {{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled }}
@@ -149,6 +170,11 @@ chains:
     {{- end }}
     client_id: {{ .Values.monitoring.sso.prometheus.client_id }}
     client_secret: "{{ .Values.monitoring.sso.prometheus.client_secret }}"
+    {{- if not $legacy }}
+    authorization_uri: {{ include "sso.oidc.auth" . }}
+    token_uri: {{ include "sso.oidc.token" . }}
+    logout_redirect_uri: {{ include "sso.oidc.endsession" . }}
+    {{- end }}
 
   alertmanager:
     match:
@@ -163,5 +189,10 @@ chains:
     {{- end }}
     client_id: {{ .Values.monitoring.sso.alertmanager.client_id }}
     client_secret: "{{ .Values.monitoring.sso.alertmanager.client_secret }}"
+    {{- if not $legacy }}
+    authorization_uri: {{ include "sso.oidc.auth" . }}
+    token_uri: {{ include "sso.oidc.token" . }}
+    logout_redirect_uri: {{ include "sso.oidc.endsession" . }}
+    {{- end }}
   {{- end }}
 {{- end -}}
diff --git a/chart/templates/gitlab/secret-ca.yaml b/chart/templates/gitlab/secret-ca.yaml
index beb2ccc2cd35dc4fa0ea614f980a056f380a1df3..747c5b8b027ea57efa1bf80bcf12a78503b0bee1 100644
--- a/chart/templates/gitlab/secret-ca.yaml
+++ b/chart/templates/gitlab/secret-ca.yaml
@@ -1,10 +1,10 @@
-{{- if and  (or .Values.addons.gitlab.enabled .Values.addons.gitlabRunner.enabled) .Values.addons.gitlab.sso.enabled .Values.sso.certificate_authority}}
+{{- if and  (or .Values.addons.gitlab.enabled .Values.addons.gitlabRunner.enabled) .Values.addons.gitlab.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso))}}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
   namespace: gitlab
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
diff --git a/chart/templates/gitlab/secret-sso.yaml b/chart/templates/gitlab/secret-sso.yaml
index f329474c614a201d2729ac8baab11e36740dbaf5..2ecae2442b6adc0c8551d83e7bb0dd67a1046a49 100644
--- a/chart/templates/gitlab/secret-sso.yaml
+++ b/chart/templates/gitlab/secret-sso.yaml
@@ -12,7 +12,7 @@ stringData:
   gitlab-sso.json: |-
     {
       "name": "openid_connect",
-      "label": "{{ .Values.addons.gitlab.sso.label }}",
+      "label": "{{ default .Values.sso.name .Values.addons.gitlab.sso.label }}",
       "args": {
         "name": "openid_connect",
         "scope": [
@@ -25,23 +25,23 @@ stringData:
         {{- if .Values.addons.gitlab.sso.issuer_uri }}
         "issuer": "{{ .Values.addons.gitlab.sso.issuer_uri }}",
         {{- else }}
-        "issuer": "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}",
+        "issuer": "{{ include "sso.url" . }}",
         {{- end }}
         "client_auth_method": "query",
         "discovery": true,
-        "uid_field": {{ .Values.addons.gitlab.sso.uid_field | default "preferred_username" | quote }},
+        "uid_field": {{ default (dig "oidc" "claims" "username" "" .Values.sso) .Values.addons.gitlab.sso.uid_field | default "preferred_username" | quote }},
         "client_options": {
-          "identifier": "{{ .Values.addons.gitlab.sso.client_id | default .Values.sso.client_id }}",
-          "secret": "{{ .Values.addons.gitlab.sso.client_secret | default .Values.sso.client_secret }}",
+          "identifier": "{{ .Values.addons.gitlab.sso.client_id }}",
+          "secret": "{{ .Values.addons.gitlab.sso.client_secret }}",
           "redirect_uri": "https://{{ .Values.addons.gitlab.hostnames.gitlab }}.{{ $domainName }}/users/auth/openid_connect/callback",
           {{- if .Values.addons.gitlab.sso.end_session_uri }}
           "end_session_endpoint": "{{ .Values.addons.gitlab.sso.end_session_uri }}"
           {{- else }}
-          "end_session_endpoint": "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/logout"
+          "end_session_endpoint": "{{ include "sso.oidc.endsession" . }}"
           {{- end }}
         }
       }
     }
 
 {{- end }}
-{{- end}}
+{{- end }}
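Review bot: L558–L559 drop the fallback to `.Values.sso.client_id`/`.Values.sso.client_secret` that the removed lines had, so a deployment that relied on the global client for GitLab now renders an empty `identifier`/`secret` with no warning; the NOTES text in this commit only says those keys moved to `addons.authservice.sso` and does not mention GitLab losing the inheritance, so either keep the fallback for one release or call the break out. The values are also interpolated into a JSON document as raw text, and a secret containing `"` or `\` produces invalid `gitlab-sso.json`. Emit them with `toJson`, which supplies the quotes and escaping: `"identifier": {{ .Values.addons.gitlab.sso.client_id | toJson }},` and `"secret": {{ .Values.addons.gitlab.sso.client_secret | toJson }},`. The `stringData` block and its enclosing conditionals begin before this hunk.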
diff --git a/chart/templates/gitlab/values.yaml b/chart/templates/gitlab/values.yaml
index 8275f9e87ad1aa4ab15122b7c29382468fd6c565..7afdc7476f265f8701e8f73e6af3464f21e54f4f 100644
--- a/chart/templates/gitlab/values.yaml
+++ b/chart/templates/gitlab/values.yaml
@@ -226,10 +226,12 @@ minio:
 {{- end }}
 
 global:
-  {{- if and .Values.addons.gitlab.sso.enabled .Values.sso.certificate_authority}}
+  {{- if and .Values.addons.gitlab.sso.enabled (or (dig "certificateAuthority" "secretName" false .Values.sso) .Values.sso.secretName) }}
   certificates:
     customCAs:
-      - secret: tls-ca-sso
+      {{- if or .Values.sso.secretName (dig "certificateAuthority" "secretName" false .Values.sso) }}
+      - secret: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
+      {{- end }}
       - secret: ca-certs-australian-defence-organisation-cross-cert-chain
       - secret: ca-certs-australian-defence-organisation-direct-trust-chain
       - secret: ca-certs-boeing
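Review bot: The `customCAs` entry is now gated on a secret name (L583) rather than on a CA cert being present, while `gitlab/secret-ca.yaml` in this same commit creates that secret only when a cert is set; if a name is defaulted or inherited without a cert, GitLab is told to mount a CA secret that is never rendered and its pods stall on the missing volume source (I cannot see whether values.yaml defaults `secretName`, so this is a hedge). Gate on the same condition as the secret template, `{{- if and .Values.addons.gitlab.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}`, after which the inner `{{- if or ... }}` at L587 restates the outer condition and can be dropped. The previously hard-coded `tls-ca-sso` is gone, so a user who set the cert but never `sso.secretName` would also get an empty `- secret:` entry here unless the name is made `required`.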
diff --git a/chart/templates/jaeger/secret-ca.yaml b/chart/templates/jaeger/secret-ca.yaml
index 0d94b9f5588b178a1aca28838bd1d575d0e77c23..86036a299430cdcf0b06130e6ecd76b546362fbc 100644
--- a/chart/templates/jaeger/secret-ca.yaml
+++ b/chart/templates/jaeger/secret-ca.yaml
@@ -1,10 +1,10 @@
-{{- if and  .Values.jaeger.enabled .Values.jaeger.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.jaeger.enabled .Values.jaeger.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
   namespace: jaeger
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
diff --git a/chart/templates/kiali/secret-ca.yaml b/chart/templates/kiali/secret-ca.yaml
index a242cf6afb36be90ccf546cf79c9958c5db29d4a..6f86830e22ff35ac5c36c7265fdf0d9beba517fb 100644
--- a/chart/templates/kiali/secret-ca.yaml
+++ b/chart/templates/kiali/secret-ca.yaml
@@ -1,10 +1,10 @@
-{{- if and  .Values.kiali.enabled .Values.kiali.sso.enabled .Values.sso.certificate_authority  }}
+{{- if and .Values.kiali.enabled .Values.kiali.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso))  }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
   namespace: kiali
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
diff --git a/chart/templates/kiali/values.yaml b/chart/templates/kiali/values.yaml
index 096f8fc74a40ea3db0c052de5ec95b369c6a4047..a5974cfaf1ab7ad4972302252f0144e2df566e6b 100644
--- a/chart/templates/kiali/values.yaml
+++ b/chart/templates/kiali/values.yaml
@@ -43,11 +43,11 @@ cr:
       openid:
         client_id: "{{ .Values.kiali.sso.client_id }}"
         disable_rbac: true
-        issuer_uri: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}"
+        issuer_uri: "{{ include "sso.url" . }}"
         scopes:
         - openid
         - email
-        username_claim: email
+        username_claim: {{ dig "oidc" "claims" "email" "email" .Values.sso }}
       {{- else }}
       strategy: token
       {{- end }}
diff --git a/chart/templates/logging/elasticsearch-kibana/secret-ca.yaml b/chart/templates/logging/elasticsearch-kibana/secret-ca.yaml
index 7d0ea6ce394ca300c8f4466cc0f39dc88d1a4cba..657e3a277d702475c2becd4f03165761e107f75c 100644
--- a/chart/templates/logging/elasticsearch-kibana/secret-ca.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/secret-ca.yaml
@@ -1,10 +1,10 @@
-{{- if and .Values.logging.enabled .Values.logging.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.logging.enabled .Values.logging.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
   namespace: logging
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
diff --git a/chart/templates/logging/elasticsearch-kibana/values.yaml b/chart/templates/logging/elasticsearch-kibana/values.yaml
index ade6792c6453efdfeee6d610c7e9f7124d61656b..fb8adcbabf0032acd84a9bc8517ea69a77292001 100644
--- a/chart/templates/logging/elasticsearch-kibana/values.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/values.yaml
@@ -37,26 +37,22 @@ sso:
   client_id: {{ .client_id | quote }}
   client_secret: {{ .client_secret | default "no-secret" }}
   oidc:
-    {{- if $.Values.logging.sso.oidc }}
-    host: {{ .oidc.host | default $.Values.sso.oidc.host | quote }}
-    realm: {{ .oidc.realm | default $.Values.sso.oidc.realm | quote }}
-    {{- else }}
-    host: {{ $.Values.sso.oidc.host | quote }}
-    realm: {{ $.Values.sso.oidc.realm | quote }}
-    {{- end }}
+    host: {{ default (include "sso.host" $) (dig "oidc" "host" "" .) | quote }}
+    realm: {{ default (include "sso.realm" $) (dig "oidc" "realm" "" .) | quote }}
   {{- /* Optional fields should be nil checked */ -}}
-  {{- list "issuer" .issuer | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "auth_url" .auth_url | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "token_url" .token_url | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "userinfo_url" .userinfo_url | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "jwkset_url" .jwkset_url | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "claims_principal" .claims_principal | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- $legacy := and (not (empty $.Values.sso.oidc.realm)) (not (empty $.Values.sso.oidc.host)) -}}
+  {{- list "issuer" (default (ternary nil (include "sso.url" $) $legacy) .issuer) | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "auth_url" (default (ternary nil (include "sso.oidc.auth" $) $legacy) .auth_url) | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "token_url" (default (ternary nil (include "sso.oidc.token" $) $legacy) .token_url) | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "userinfo_url" (default (ternary nil (include "sso.oidc.userinfo" $) $legacy) .userinfo_url) | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "jwkset_url" (default (ternary nil (include "sso.oidc.jwksuri" $) $legacy) .jwkset_url) | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "claims_principal" (default (ternary nil (dig "oidc" "claims" "username" nil $.Values.sso) $legacy) .claims_principal) | include "bigbang.addValueIfSet" | indent 2 }}
   {{- list "claims_principal_pattern" .claims_principal_pattern | include "bigbang.addValueIfSet" | indent 2 }}
   {{- list "requested_scopes" .requested_scopes | include "bigbang.addValueIfSet" | indent 2 }}
   {{- list "signature_algorithm" .signature_algorithm | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "endsession_url" .endsession_url | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "claims_group" .claims_group | include "bigbang.addValueIfSet" | indent 2 }}
-  {{- list "claims_mail" .claims_mail | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "endsession_url" (default (ternary nil (include "sso.oidc.endsession" $) $legacy) .endsession_url) | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "claims_group" (default (ternary nil (dig "oidc" "claims" "groups" nil $.Values.sso) $legacy) .claims_group) | include "bigbang.addValueIfSet" | indent 2 }}
+  {{- list "claims_mail" (default (ternary nil (dig "oidc" "claims" "email" nil $.Values.sso) $legacy) .claims_mail) | include "bigbang.addValueIfSet" | indent 2 }}
   {{- list "cert_authorities" .cert_authorities | include "bigbang.addValueIfSet" | indent 2 }}
 {{- end }}
 {{- end }}
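Review bot: The new `$legacy` line reaches `$.Values.sso.oidc.realm` and `.host` by direct field access, whereas the claim lookups a few lines below use `dig`; with the legacy `host`/`realm` keys removed from chart/values.yaml in this commit, an override that sets `sso.oidc` to null makes the direct access abort the render with a nil-pointer error while `dig` would just return its default. Keeping the boolean shape that `ternary` requires, `{{- $legacy := and (not (empty (dig "oidc" "realm" "" $.Values.sso))) (not (empty (dig "oidc" "host" "" $.Values.sso))) -}}` has the same truth table without that failure mode. The `sso.host` and `sso.realm` helpers used on the new `host:`/`realm:` lines are defined outside this hunk, so I cannot confirm they apply the same legacy-first precedence as the `default` calls here.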
diff --git a/chart/templates/mattermost/secret-ca.yaml b/chart/templates/mattermost/secret-ca.yaml
index 7752a8a844a77452ea62157aeef156a1337a9500..615f15102aa54649f79df6df530a442f556a8eda 100644
--- a/chart/templates/mattermost/secret-ca.yaml
+++ b/chart/templates/mattermost/secret-ca.yaml
@@ -1,10 +1,10 @@
-{{- if and  .Values.addons.mattermost.enabled .Values.addons.mattermost.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.addons.mattermost.enabled .Values.addons.mattermost.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
   namespace: mattermost
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
diff --git a/chart/templates/mattermost/values.yaml b/chart/templates/mattermost/values.yaml
index e99644320184fb418f6e5be56fdb95ce7217d817..f800a7470d08d1577f3ddc0a19734dbe15f9d780 100644
--- a/chart/templates/mattermost/values.yaml
+++ b/chart/templates/mattermost/values.yaml
@@ -37,9 +37,9 @@ sso:
   enabled: {{ .enabled }}
   client_id: {{ .client_id }}
   client_secret: {{ .client_secret | default "no-secret" }}
-  auth_endpoint: {{ .auth_endpoint | default (printf "https://%s/auth/realms/%s/protocol/openid-connect/auth" $.Values.sso.oidc.host $.Values.sso.oidc.realm) }}
-  token_endpoint: {{ .token_endpoint | default (printf "https://%s/auth/realms/%s/protocol/openid-connect/token" $.Values.sso.oidc.host $.Values.sso.oidc.realm) }}
-  user_api_endpoint: {{ .user_api_endpoint | default (printf "https://%s/auth/realms/%s/protocol/openid-connect/userinfo" $.Values.sso.oidc.host $.Values.sso.oidc.realm) }}
+  auth_endpoint: {{ default (include "sso.oidc.auth" $) .auth_endpoint }}
+  token_endpoint: {{ default (include "sso.oidc.token" $) .token_endpoint }}
+  user_api_endpoint: {{ default (include "sso.oidc.userinfo" $) .user_api_endpoint }}
 {{- end }}
 
 networkPolicies:
diff --git a/chart/templates/monitoring/secret-ca.yaml b/chart/templates/monitoring/secret-ca.yaml
index 300ad3fab0ef7d4ca1f8be3d04cbcc1ce07db329..b2fc380983a3b946040d9cae4ae713cd72da236d 100644
--- a/chart/templates/monitoring/secret-ca.yaml
+++ b/chart/templates/monitoring/secret-ca.yaml
@@ -1,10 +1,10 @@
-{{- if and  .Values.monitoring.enabled .Values.monitoring.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
   namespace: monitoring
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
diff --git a/chart/templates/monitoring/values.yaml b/chart/templates/monitoring/values.yaml
index 6cb85b2cd6964248a58f2e2ba2f6cdc0725bf9e0..8c8aeab8104040d024fa9b9fffdbc774143ea2b0 100644
--- a/chart/templates/monitoring/values.yaml
+++ b/chart/templates/monitoring/values.yaml
@@ -311,12 +311,15 @@ grafana:
 
     auth.generic_oauth:
       enabled: {{ .Values.monitoring.sso.enabled }}
+      {{- if .Values.sso.name }}
+      name: {{ .Values.sso.name }}
+      {{- end }}
       client_id: {{ .Values.monitoring.sso.grafana.client_id }}
       client_secret: {{ .Values.monitoring.sso.grafana.client_secret }}
       scopes: {{ .Values.monitoring.sso.grafana.scopes | default "openid profile email" }}
-      auth_url: {{ .Values.monitoring.sso.grafana.auth_url | default (tpl .Values.sso.auth_url .) }}
-      token_url: {{ .Values.monitoring.sso.grafana.token_url | default (tpl .Values.sso.token_url .) }}
-      api_url: {{ .Values.monitoring.sso.grafana.api_url | default (tpl "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/userinfo" .) }}
+      auth_url: {{ default (include "sso.oidc.auth" .) .Values.monitoring.sso.grafana.auth_url }}
+      token_url: {{ default (include "sso.oidc.token" .) .Values.monitoring.sso.grafana.token_url }}
+      api_url: {{ default (include "sso.oidc.userinfo" .) .Values.monitoring.sso.grafana.api_url }}
       allow_sign_up: {{ .Values.monitoring.sso.grafana.allow_sign_up | default "True" }}
       role_attribute_path: {{ .Values.monitoring.sso.grafana.role_attribute_path | default "Viewer" }}
     {{- with .Values.monitoring.sso.grafana }}
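Review bot: The newly added `name: {{ .Values.sso.name }}` is emitted unquoted, and `sso.name` is free text meant as a login label (the example override in this commit sets it to `P1 SSO`); a value such as `On` or `Yes`, or one containing `: ` or `#`, would be retyped or cut short by the YAML parser before it reaches grafana.ini. `name: {{ .Values.sso.name | quote }}` avoids that. The three rewritten `*_url` lines also drop the explicit `tpl` the old lines applied; whether `include "sso.oidc.auth"` and its siblings expand the `{{ .Values.sso.url }}` template embedded in the values-file defaults is decided in helpers outside this hunk and is worth a render check.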
diff --git a/chart/templates/nexus-repository-manager/secret-ca.yaml b/chart/templates/nexus-repository-manager/secret-ca.yaml
index b3554dddb60ffd0874972c5dba498d308cd53cea..7ffd1dae883025f4593f8afaa67b98db8096b8a2 100644
--- a/chart/templates/nexus-repository-manager/secret-ca.yaml
+++ b/chart/templates/nexus-repository-manager/secret-ca.yaml
@@ -1,12 +1,12 @@
 {{- $nexusOldValues := default dict .Values.addons.nexus -}}
 {{- $nexusValues := merge $nexusOldValues .Values.addons.nexusRepositoryManager -}}
-{{- if and  $nexusValues.enabled $nexusValues.sso.enabled .Values.sso.certificate_authority }}
+{{- if and $nexusValues.enabled $nexusValues.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{.Values.sso.secretName}}
+  name: {{default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName}}
   namespace: nexus-repository-manager
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
diff --git a/chart/templates/nexus-repository-manager/values.yaml b/chart/templates/nexus-repository-manager/values.yaml
index f3164bbe577fe585b1a42ba7be9d5d5b38a8a997..9529642cce435ca107dda5ff7a459759e3de3112 100644
--- a/chart/templates/nexus-repository-manager/values.yaml
+++ b/chart/templates/nexus-repository-manager/values.yaml
@@ -77,7 +77,7 @@ sso:
     groupsAttribute: "{{ default "groups" $nexusValues.sso.idp_data.groups }}"
     validateResponseSignature: "true"
     validateAssertionSignature: "true"
-    idpMetadata: '{{ $nexusValues.sso.idp_data.idpMetadata }}'
+    idpMetadata: '{{ default (dig "saml" "metadata" "" .Values.sso) (dig "sso" "idp_data" "idpMetadata" "" $nexusValues) }}'
   realm:
     - "NexusAuthenticatingRealm"
     - "NexusAuthorizingRealm"
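Review bot: Wrapping `idpMetadata` in literal single quotes breaks the manifest as soon as the metadata contains a `'`, and the new global source `sso.saml.metadata` is described in chart/values.yaml as literal XML rather than the single-line, single-quote-safe form the removed `idpMetadata` comment used to demand. `idpMetadata: {{ default (dig "saml" "metadata" "" .Values.sso) (dig "sso" "idp_data" "idpMetadata" "" $nexusValues) | quote }}` lets Sprig escape quotes and newlines into a valid double-quoted scalar. As with the CA secret elsewhere in this commit, the legacy `idp_data.idpMetadata` wins over the new global key when both are set; a short comment stating that would help operators migrating their overrides.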
diff --git a/chart/templates/secrets/certificateauthority.yaml b/chart/templates/secrets/certificateauthority.yaml
index dd25cd78ec329b7efacb29f5243c45026c7f1986..0329b2c92328bdaee77017601993c8113365527c 100644
--- a/chart/templates/secrets/certificateauthority.yaml
+++ b/chart/templates/secrets/certificateauthority.yaml
@@ -1,5 +1,5 @@
 {{- /* Used for adding a trusted custom CA for SSO.  One per namespace. */ -}}
-{{- if (dig "certificate_authority" false .Values.sso) -}}
+{{- if (or (dig "certificate_authority" false .Values.sso) (dig "certificateAuthority" "cert" false .Values.sso)) -}}
 {{- range $ns := compact (splitList " " (include "uniqueNamespaces" (merge (dict "default" false "constraint" "sso.enabled") $))) -}}
 apiVersion: v1
 kind: Secret
@@ -11,7 +11,7 @@ metadata:
     {{- include "commonLabels" $ | nindent 4 }}
 type: Opaque
 data:
-  ca.pem: {{ $.Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" $.Values.sso) $.Values.sso.certificate_authority | b64enc }}
 ---
 {{ end -}}
 {{- end -}}
\ No newline at end of file
diff --git a/chart/templates/sonarqube/secret-ca.yaml b/chart/templates/sonarqube/secret-ca.yaml
index 29109e5bca965857af4ef842ca0de2af13bdb3d3..195c97573c2df995a542da6064bc439c0a118747 100644
--- a/chart/templates/sonarqube/secret-ca.yaml
+++ b/chart/templates/sonarqube/secret-ca.yaml
@@ -1,10 +1,10 @@
-{{- if and  .Values.addons.sonarqube.enabled  .Values.addons.sonarqube.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.addons.sonarqube.enabled  .Values.addons.sonarqube.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
   namespace: sonarqube
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
diff --git a/chart/templates/sonarqube/values.yaml b/chart/templates/sonarqube/values.yaml
index de49ca36bb4871b699180ea7e43926ab4a31be97..94503208b111b2612b4150f2add81dd223d618b1 100644
--- a/chart/templates/sonarqube/values.yaml
+++ b/chart/templates/sonarqube/values.yaml
@@ -44,10 +44,10 @@ sonarProperties:
   sonar.auth.saml.enabled: {{ .Values.addons.sonarqube.sso.enabled }}
   sonar.core.serverBaseURL: https://sonarqube.{{ $domainName }}
   sonar.auth.saml.applicationId: {{ .Values.addons.sonarqube.sso.client_id }}
-  sonar.auth.saml.providerName: {{ .Values.addons.sonarqube.sso.provider_name | default .Values.addons.sonarqube.sso.label }}
-  sonar.auth.saml.providerId: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}
-  sonar.auth.saml.loginUrl: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/saml
-  sonar.auth.saml.certificate.secured: {{ .Values.addons.sonarqube.sso.certificate }}
+  sonar.auth.saml.providerName: {{ coalesce .Values.addons.sonarqube.sso.provider_name .Values.addons.sonarqube.sso.label .Values.sso.name }}
+  sonar.auth.saml.providerId: {{ include "sso.url" . }}
+  sonar.auth.saml.loginUrl: {{ include "sso.saml.service" . }}
+  sonar.auth.saml.certificate.secured: {{ default (include "sso.saml.cert" .) .Values.addons.sonarqube.sso.certificate }}
   sonar.auth.saml.user.login: {{ .Values.addons.sonarqube.sso.login | default "login" }}
   sonar.auth.saml.user.name: {{ .Values.addons.sonarqube.sso.name | default "name" }}
   sonar.auth.saml.user.email: {{ .Values.addons.sonarqube.sso.email | default "email" }}
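Review bot: `sonar.auth.saml.providerName` now falls back to the free-text `.Values.sso.name` and is rendered unquoted, so a label like `On` or one containing `: ` is retyped or misparsed; `sonar.auth.saml.providerName: {{ coalesce .Values.addons.sonarqube.sso.provider_name .Values.addons.sonarqube.sso.label .Values.sso.name | quote }}` keeps it a string. `sonar.auth.saml.certificate.secured` likewise emits the result of `sso.saml.cert` as a plain scalar; that helper is defined outside this hunk, and the existence of a separate `sso.saml.cert.withheaders` in the twistlock hunk suggests this one yields the bare base64 body, but if it ever returns multi-line content the plain scalar would break, so `| quote` is a cheap guard.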
diff --git a/chart/templates/twistlock/values.yaml b/chart/templates/twistlock/values.yaml
index 67cacca31fee4781373c7826414ee0c9b852a720..43a944f9d08117a5306ec8279e49cd55a4c01d73 100644
--- a/chart/templates/twistlock/values.yaml
+++ b/chart/templates/twistlock/values.yaml
@@ -4,7 +4,8 @@
 
 {{- define "bigbang.defaults.twistlock" -}}
 # hostname is deprecated and replaced with domain. But if hostname exists then use it.
-domain: {{ default .Values.domain .Values.hostname }}
+{{- $domainName := default .Values.domain .Values.hostname }}
+domain: {{ $domainName }}
 
 openshift: {{ .Values.openshift }}
 
@@ -52,12 +53,12 @@ console:
 sso:
   enabled: {{ .Values.twistlock.sso.enabled }}
   client_id: {{ .Values.twistlock.sso.client_id }}
-  provider_name: {{ .Values.twistlock.sso.provider_name }}
+  provider_name: {{ default .Values.sso.name .Values.twistlock.sso.provider_name }}
   provider_type: {{ .Values.twistlock.sso.provider_type }}
-  issuer_uri: {{ tpl .Values.twistlock.sso.issuer_uri . }}
-  idp_url: {{ tpl .Values.twistlock.sso.idp_url . }}
-  console_url: {{ tpl .Values.twistlock.sso.console_url . }}
+  issuer_uri: {{ default (include "sso.url" .) (tpl (default "" .Values.twistlock.sso.issuer_uri) .) }}
+  idp_url: {{ default (include "sso.saml.service" .) (tpl (default "" .Values.twistlock.sso.idp_url) .) }}
+  {{- $console := first (dig "istio" "console" "hosts" (list (printf "twistlock.%s" $domainName)) .Values.twistlock.values) }}
+  console_url: {{ tpl (default (printf "https://%s" $console) .Values.twistlock.sso.console_url) . }}
   groups: {{ .Values.twistlock.sso.groups }}
-  cert: {{ .Values.twistlock.sso.cert | quote }}
-
+  cert: {{ default (include "sso.saml.cert.withheaders" .) .Values.twistlock.sso.cert | quote }}
 {{- end -}}
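Review bot: `$console` takes `first` of whatever `twistlock.values.istio.console.hosts` holds, and the `dig` default only applies when the key is absent; an override that sets `hosts: []` therefore yields nil and `console_url` renders as `https://%!s(<nil>)`. Applying the default after `first` closes the gap: `{{- $console := default (printf "twistlock.%s" $domainName) (first (dig "istio" "console" "hosts" (list) .Values.twistlock.values)) }}`. That `istio.console.hosts` is the real override path in the twistlock chart is inferred from this line alone, since `twistlock.values` is an opaque passthrough (`values: {}` in chart/values.yaml).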
diff --git a/chart/templates/wrapper/gitrepository.yaml b/chart/templates/wrapper/gitrepository.yaml
index 16ba1329a65230d7247eccf5bf498a692a42ab55..2475f87fc5508cd4b4868a153dc2709edc45cb10 100644
--- a/chart/templates/wrapper/gitrepository.yaml
+++ b/chart/templates/wrapper/gitrepository.yaml
@@ -1,5 +1,5 @@
 {{- /* Used for GitOps of the BigBang package wrapper Helm chart.  Shared by all packages */ -}}
-{{- if .Values.wrapper -}}
+{{- if and .Values.wrapper (omit (default dict .Values.packages) "sample") -}}
 apiVersion: source.toolkit.fluxcd.io/v1beta1
 kind: GitRepository
 metadata:
diff --git a/chart/values.yaml b/chart/values.yaml
index b9b8d21dcc99b7ae269e328959ed167a280ddc37..5f381bb90fbaef3ea36d0130974def6d26e32b12 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -48,37 +48,53 @@ git:
     publicKey: ""
     knownHosts: ""
 
-# -- Global SSO values used for BigBang deployments when sso is enabled, can be overridden by individual packages.
+# -- Global SSO values used for BigBang deployments when sso is enabled
 sso:
+  # -- Name of the identity provider.  This is used by some packages as the SSO login label.
+  name: SSO
+  # -- Base URL for the identity provider. For OIDC, this is the issuer.  For SAML this is the entityID.
+  url: https://login.dso.mil/auth/realms/baby-yoda
+
+  # -- Certificate authority for the identity provider's certificates
+  certificateAuthority:
+    # -- The certificate authority public certificate in .pem format.  Populating this will create a secret in each namespace that enables SSO.
+    cert: "" # See docs/assets/configs/example/dev-sso-values.yaml for an example
+    # -- The secret name to use for the certificate authority.  Can be manually populated if cert is blank.
+    secretName: tls-ca-sso
+
+  saml:
+    # -- SAML entityDescriptor (metadata) path
+    entityDescriptor: "{{ .Values.sso.url }}/protocol/saml/descriptor"
+    # -- SAML SSO Service path
+    service: "{{ .Values.sso.url }}/protocol/saml"
+    # -- Literal SAML XML metadata retrieved from `{{ .Values.sso.saml.entityDescriptor }}`.  Required for SSO in Nexus, Twistlock, or Sonarqube.
+    metadata: "" # See docs/assets/configs/example/dev-sso-values.yaml for an example
+    # NOTE: SAML attribute names may vary by package.  Use the package values to setup attribute names
+
+  # -- OIDC endpoints can be retrieved from `{{ .Values.sso.url }}/.well-known/openid-configuration`
   oidc:
-    # -- Domain for keycloak used for configuring SSO
-    host: login.dso.mil
-    # -- Keycloak realm containing clients
-    realm: baby-yoda
-
-  # -- Keycloak's certificate authority (PEM Format). Entered using chomp modifier (see docs/assets/configs/example/dev-sso-values.yaml for example). Used by authservice to support SSO for various packages
-  certificate_authority: ""
-
-  # -- Keycloak realm's json web key output, obtained at https://<keycloak-server>/auth/realms/<realm>/protocol/openid-connect/certs
-  jwks: ''
-
-  # -- Optional use of JWKS fetcher config for ease of use and automation. Fill in JWKS URI value of OIDC endpoint, can be found under the well known OpenID metadata configuration page of your provider.
-  jwks_uri: ""
-
-  # -- OIDC client ID used for packages authenticated through authservice
-  client_id: ""
-
-  # -- OIDC client secret used for packages authenticated through authservice
-  client_secret: ""
-
-  # -- OIDC token URL template string (to be used as default)
-  token_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"
-
-  # -- OIDC auth URL template string (to be used as default)
-  auth_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth"
-
-  # -- Kubernetes Secret containing the sso.certificate_authority value for SSO enabled application namespaces
-  secretName: "tls-ca-sso"
+    # -- OIDC authorization path
+    authorization: "{{ .Values.sso.url }}/protocol/openid-connect/auth"
+    # -- OIDC logout / end session path
+    endSession: "{{ .Values.sso.url }}/protocol/openid-connect/logout"
+    # -- OIDC JSON Web Key Set (JWKS) path
+    jwksUri: "{{ .Values.sso.url }}/protocol/openid-connect/certs"
+    # -- OIDC token path
+    token: "{{ .Values.sso.url }}/protocol/openid-connect/token"
+    # -- OIDC user information path
+    userinfo: "{{ .Values.sso.url }}/protocol/openid-connect/userinfo"
+    # -- Literal OIDC JWKS data retrieved from JWKS Uri.  Only needed if `jwsksUri` is not defined.
+    jwks: ""
+    # -- Identity provider claim names that store metadata about the authenticated user.
+    claims:
+      # -- IdP's claim name used for the user's email address.
+      email: email
+      # -- IdP's claim name used for the user's full name
+      name: name
+      # -- IdP's claim name used for the username
+      username: preferred_username
+      # -- IdP's claim name used for the user's groups or roles
+      groups: groups
 
 # -- (Advanced) Flux reconciliation parameters.
 # The default values provided will be sufficient for the majority of workloads.
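Review bot: The helm-docs comment on the new `jwks` key reads "Only needed if `jwsksUri` is not defined" — `jwsksUri` is a typo for the sibling key `jwksUri` and will be published into the generated docs as written. Separately, `url: https://login.dso.mil/auth/realms/baby-yoda` and `name: SSO` are the only new scalars in the block left unquoted while every templated sibling is quoted; quoting them too makes the stanza uniform and protects operators who copy it and substitute a value YAML would retype. The `certificateAuthority.cert` comment could also state that the legacy `certificate_authority` still takes precedence when both are set, since the per-package templates in this commit resolve the pair with `default` in that order.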
@@ -736,27 +752,13 @@ twistlock:
     # -- SAML client ID
     client_id: ""
 
-    # -- SAML Povider Alias (optional)
-    provider_name: ""
-
     # -- SAML Identity Provider. `shibboleth` is recommended by Twistlock support for Keycloak
+    # Possible values: okta, gsuite, ping, shibboleth, azure, adfs
     provider_type: "shibboleth"
 
-    # -- Identity Provider url with path to realm
-    issuer_uri: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}"
-
-    # -- SAML Identity Provider SSO URL
-    idp_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/saml"
-
-    # -- Console URL of the Twistlock app (optional)
-    console_url: "https://twistlock.{{ .Values.domain }}"
-
     # -- Groups attribute (optional)
     groups: ""
 
-    # -- X.509 Certificate from Identity Provider (i.e. Keycloak). See https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock/-/blob/main/docs/KEYCLOAK.md for format. Use the `|-` syntax for multiline string.
-    cert: ""
-
   # -- Values to passthrough to the twistlock chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
   values: {}
 
@@ -800,9 +802,6 @@ addons:
       # -- ArgoCD OIDC client secret
       client_secret: ""
 
-      # -- ArgoCD SSO login text
-      provider_name: ""
-
       # -- ArgoCD SSO group roles, see docs for more details: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
       groups: |
         g, Impact Level 2 Authorized, role:admin
@@ -918,24 +917,10 @@ addons:
       # -- Gitlab OIDC client secret
       client_secret: ""
 
-      # -- Gitlab SSO login button label
-      label: ""
-
       # -- Gitlab SSO Scopes, default is ["Gitlab"]
       scopes:
       - Gitlab
 
-      # -- GitLab SSO Issuer URI,
-      # Only needed if your SSO is non-Keycloak
-      issuer_uri: ""
-
-      # -- GitLab SSO End Session URI,
-      # Only needed if your SSO is non-Keycloak
-      end_session_uri: ""
-
-      # -- Gitlab SSO UID field
-      uid_field: preferred_username
-
     database:
       # -- Hostname of a pre-existing PostgreSQL database to use for Gitlab.
       # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
@@ -1040,7 +1025,7 @@ addons:
 
       # -- NXRM SAML SSO Integration data
       idp_data:
-        # Nexus saml URL. example: "https://nexus.example.mil/service/rest/v1/security/saml/metadata"
+        # Nexus saml URL. example: "https://nexus.bigbang.dev/service/rest/v1/security/saml/metadata"
         entityId: ""
 
         # -- IdP Field Mappings
@@ -1059,10 +1044,6 @@ addons:
         # -- NXRM groups attribute (optional)
         groups: ""
 
-        # -- IDP SAML Metadata XML as a single line string in single quotes
-        # -- this information is public and does not require a secret
-        idpMetadata: ''
-
       # -- NXRM Role
       role:
         # the id must match the Keycloak group name (case sensitive)
@@ -1104,13 +1085,6 @@ addons:
       # -- SonarQube SAML client ID
       client_id: ""
 
-      # -- SonarQube SSO login button label
-      provider_name: ""
-
-      # -- SonarQube plaintext SAML sso certificate.
-      # example: MITCAYCBFyIEUjNBkqhkiG9w0BA....
-      certificate: ""
-
       # -- SonarQube login sso attribute.
       login: login
 
@@ -1198,14 +1172,14 @@ addons:
       gateway: ""
 
     sso:
-      # -- Toggle OIDC SSO for Anchore on and off.
+      # -- Toggle SAML SSO for Anchore on and off.
       # Enabling this option will auto-create any required secrets (Note: SSO requires an Enterprise license).
       enabled: false
 
-      # -- Anchore OIDC client ID
+      # -- Anchore SAML client ID
       client_id: ""
 
-      # -- Anchore OIDC client role attribute
+      # -- Anchore SAML client role attribute
       role_attribute: ""
 
     database:
@@ -1306,18 +1280,6 @@ addons:
       # -- Mattermost OIDC client secret
       client_secret: ""
 
-      # -- Mattermost OIDC auth endpoint
-      # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values
-      auth_endpoint: ""
-
-      # -- Mattermost OIDC token endpoint
-      # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values
-      token_endpoint: ""
-
-      # -- Mattermost OIDC user API endpoint
-      # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values
-      user_api_endpoint: ""
-
     database:
       # -- Hostname of a pre-existing PostgreSQL database to use for Mattermost.
       # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
diff --git a/docs/assets/configs/example/dev-sso-values.yaml b/docs/assets/configs/example/dev-sso-values.yaml
index e835b6aae4bc94615bc5312a6d567a0845fb72db..8969c4e156dce5d38e292646dc24ef983e0e84b1 100644
--- a/docs/assets/configs/example/dev-sso-values.yaml
+++ b/docs/assets/configs/example/dev-sso-values.yaml
@@ -1,156 +1,148 @@
 # Enables and configures sso for all packages using the test bigbang.dev clients:
-
 sso:
+  name: P1 SSO
   # Entrust certificate authority for login.dso.mil
   # do not use this CA with a Keycloak deployed with a different certificate authority
   # For example *.bigbang.dev because that certificate is issued by a different CA
-  certificate_authority: |
-    -----BEGIN CERTIFICATE-----
-    MIIH0zCCBrugAwIBAgIQHeg1retyhPnWuzryBJeBvTANBgkqhkiG9w0BAQsFADCB
-    ujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsT
-    H1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAy
-    MDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwG
-    A1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0y
-    MDEyMTUwMzE1MDJaFw0yMjAxMTQwMzE1MDJaMHMxCzAJBgNVBAYTAlVTMREwDwYD
-    VQQIEwhDb2xvcmFkbzEZMBcGA1UEBxMQQ29sb3JhZG8gU3ByaW5nczEeMBwGA1UE
-    ChMVRGVwYXJ0bWVudCBvZiBEZWZlbnNlMRYwFAYDVQQDEw1sb2dpbi5kc28ubWls
-    MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAymUXk7STDlepS5HJu0ca
-    B57S5dfLp7zxYmcsGjo10YkHy3m9LASQCTyiioDrlwo2b+n8oZ7esGLv3RgggMwf
-    xvLVyx1+lZDswxdQoXmjArTdbqpcSoq3Y1rvVp33/jGb3slBjQtcMt2QvaFv3fxy
-    cwwINvJFEqsQS7zGUgpolJ3smKdcVpUSGZmzpYposuDlPUGeOJaQRMAACW5arWiT
-    VkDhJD+OVOYEHW8uCQfghD3JJXu6Xp9SwlWe6UNOdxo9cq3s/XE4ZwEgffdLXP2A
-    wuJF/7B7CFdZjIMptmOODyCeatC344iyubU0MiGCOm4W4wn0pQ0XJtAzWeYFKATL
-    9BquNOzPUR6pMSFMvIEiS96zbVFuOYt2XKgPryWEYji3Oky082WWYOcXt0NnqnCj
-    SafVU+2fQi4jQ0att5YXagEEPz83lQZdSKb2+grDeFg78VrEZAe+Y0mVu4/G93he
-    UOqfZ9jdCnFXq8sEMG9bJJFKeOXkb1Da8Y0amfOw4hFd4UslrbvC5ZCUZNh6roOk
-    8kast9QWtWFIGPC3f+Uq3gvx3GBHzIG9QPOq1CjSSAF3tWKuMTxK4zaS33mriJo0
-    Dv1CMX3FCmjT/qG3422guBL02hbGHveDSWk0/saY7ZWFifxnvKEdOi4ItnpMuQhE
-    zx6/+t7FWuzBTPAeVqV1l2sCAwEAAaOCAxkwggMVMAwGA1UdEwEB/wQCMAAwHQYD
-    VR0OBBYEFCLwpnkje7QKLWok+nWIeBEnIGfmMB8GA1UdIwQYMBaAFIKicHTdvFM/
-    z3vU981/p2DGCky/MGgGCCsGAQUFBwEBBFwwWjAjBggrBgEFBQcwAYYXaHR0cDov
-    L29jc3AuZW50cnVzdC5uZXQwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9haWEuZW50cnVz
-    dC5uZXQvbDFrLWNoYWluMjU2LmNlcjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8v
-    Y3JsLmVudHJ1c3QubmV0L2xldmVsMWsuY3JsMCcGA1UdEQQgMB6CDWxvZ2luLmRz
-    by5taWyCDWxvZ2luLmRzb3AuaW8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG
-    CCsGAQUFBwMBBggrBgEFBQcDAjBMBgNVHSAERTBDMDcGCmCGSAGG+mwKAQUwKTAn
-    BggrBgEFBQcCARYbaHR0cHM6Ly93d3cuZW50cnVzdC5uZXQvcnBhMAgGBmeBDAEC
-    AjCCAX4GCisGAQQB1nkCBAIEggFuBIIBagFoAHUAVhQGmi/XwuzT9eG9RLI+x0Z2
-    ubyZEVzA75SYVdaJ0N0AAAF2ZGTpIwAABAMARjBEAiAK+W9ukx92DJPFV87LexEg
-    /qDFTjtkiLh/z+mLmDtOwQIgUD4YrMuo22sV9MeJ8JmzraCQVdUUIprw4K4HN+eO
-    6W0AdwDfpV6raIJPH2yt7rhfTj5a6s2iEqRqXo47EsAgRFwqcwAAAXZkZOlKAAAE
-    AwBIMEYCIQDRpvbR/GroWSGlCIh1q0RUITb8RfI4skqqBa/FeU811AIhAPlRY4lv
-    DC2u9MFSEiCVeaFYJRU0xvAwmHQMtrl+IE4iAHYARqVV63X6kSAwtaKJafTzfREs
-    QXS+/Um4havy/HD+bUcAAAF2ZGTrYAAABAMARzBFAiEAifP8Y0nXFBykaTyzpWpv
-    E3FDi8NCQeJFRMJqD7loTjMCIHVDio7r+zANTbIdRLRRzHoNzo//xfJ0JUqejNRA
-    aCpZMA0GCSqGSIb3DQEBCwUAA4IBAQB/wtYjDQiPLe99tZq98IyxOSJCli2mtlV9
-    gSC67aj4rgW6g+C8P1bSoB5PamMq6rON5q0SXL3CQiQ7vegxCQnleDh0LWeKPFS2
-    jjSIl3CvrYfBlNBzw4H1uAa/yw+enr0So8oX8kdSTBFGnU4KoK646lFZRXSifFIU
-    zzQ9QYYedmiP0iKs5LDYGAOsB/w/O94+zv6qGKXA1fVzBXAD54MddqGk9mHZTSyL
-    6nsSTx4r8vCGQir7d2QuIGLD48zaYQz0TFcGKnBV3/9CB27RxJkRdMwUbMvNdp3C
-    V+C2+jdR8xA/0qCnvSxHc1lTZgXxVkcu/wpqIBn3af5Ha8ddd0DU
-    -----END CERTIFICATE-----
-    -----BEGIN CERTIFICATE-----
-    MIIFDjCCA/agAwIBAgIMDulMwwAAAABR03eFMA0GCSqGSIb3DQEBCwUAMIG+MQsw
-    CQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2Vl
-    IHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkg
-    RW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIwMAYDVQQD
-    EylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjAeFw0x
-    NTEwMDUxOTEzNTZaFw0zMDEyMDUxOTQzNTZaMIG6MQswCQYDVQQGEwJVUzEWMBQG
-    A1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRydXN0Lm5l
-    dC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMTIgRW50cnVzdCwgSW5jLiAt
-    IGZvciBhdXRob3JpemVkIHVzZSBvbmx5MS4wLAYDVQQDEyVFbnRydXN0IENlcnRp
-    ZmljYXRpb24gQXV0aG9yaXR5IC0gTDFLMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-    MIIBCgKCAQEA2j+W0E25L0Tn2zlem1DuXKVh2kFnUwmqAJqOV38pa9vH4SEkqjrQ
-    jUcj0u1yFvCRIdJdt7hLqIOPt5EyaM/OJZMssn2XyP7BtBe6CZ4DkJN7fEmDImiK
-    m95HwzGYei59QAvS7z7Tsoyqj0ip/wDoKVgG97aTWpRzJiatWA7lQrjV6nN5ZGhT
-    JbiEz5R6rgZFDKNrTdDGvuoYpDbwkrK6HIiPOlJ/915tgxyd8B/lw9bdpXiSPbBt
-    LOrJz5RBGXFEaLpHPATpXbo+8DX3Fbae8i4VHj9HyMg4p3NFXU2wO7GOFyk36t0F
-    ASK7lDYqjVs1/lMZLwhGwSqzGmIdTivZGwIDAQABo4IBDDCCAQgwDgYDVR0PAQH/
-    BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwMwYIKwYBBQUHAQEEJzAlMCMGCCsG
-    AQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAwBgNVHR8EKTAnMCWgI6Ah
-    hh9odHRwOi8vY3JsLmVudHJ1c3QubmV0L2cyY2EuY3JsMDsGA1UdIAQ0MDIwMAYE
-    VR0gADAoMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L3JwYTAd
-    BgNVHQ4EFgQUgqJwdN28Uz/Pe9T3zX+nYMYKTL8wHwYDVR0jBBgwFoAUanImetAe
-    733nO2lR1GyNn5ASZqswDQYJKoZIhvcNAQELBQADggEBADnVjpiDYcgsY9NwHRkw
-    y/YJrMxp1cncN0HyMg/vdMNY9ngnCTQIlZIv19+4o/0OgemknNM/TWgrFTEKFcxS
-    BJPok1DD2bHi4Wi3Ogl08TRYCj93mEC45mj/XeTIRsXsgdfJghhcg85x2Ly/rJkC
-    k9uUmITSnKa1/ly78EqvIazCP0kkZ9Yujs+szGQVGHLlbHfTUqi53Y2sAEo1GdRv
-    c6N172tkw+CNgxKhiucOhk3YtCAbvmqljEtoZuMrx1gL+1YQ1JH7HdMxWBCMRON1
-    exCdtTix9qrKgWRs6PLigVWXUX/hwidQosk8WwBD9lu51aX8/wdQQGcHsFXwt35u
-    Lcw=
-    -----END CERTIFICATE-----
-    -----BEGIN CERTIFICATE-----
-    MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC
-    VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
-    cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs
-    IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz
-    dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy
-    NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu
-    dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt
-    dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0
-    aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj
-    YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-    AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T
-    RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN
-    cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW
-    wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1
-    U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0
-    jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP
-    BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN
-    BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/
-    jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ
-    Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v
-    1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R
-    nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH
-    VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==
-    -----END CERTIFICATE-----
-
-  # # LetsEncrypt certificate authority for keycloak.bigbang.dev
-  # # Use this CA if you deployed Keycloak with *.bigbang.dev certificate using docs/assets/configs/example/keycloak-dev-values.yaml
-  # certificate_authority: |
-  #   -----BEGIN CERTIFICATE-----
-  #   MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
-  #   TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-  #   cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
-  #   WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
-  #   ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
-  #   MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
-  #   h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
-  #   0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
-  #   A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
-  #   T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
-  #   B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
-  #   B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
-  #   KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
-  #   OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
-  #   jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
-  #   qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
-  #   rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
-  #   HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
-  #   hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
-  #   ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
-  #   3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
-  #   NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
-  #   ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
-  #   TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
-  #   jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
-  #   oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
-  #   4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
-  #   mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
-  #   emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-  #   -----END CERTIFICATE-----
+  certificateAuthority:
+    cert: |
+      -----BEGIN CERTIFICATE-----
+      MIIH0zCCBrugAwIBAgIQHeg1retyhPnWuzryBJeBvTANBgkqhkiG9w0BAQsFADCB
+      ujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsT
+      H1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAy
+      MDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwG
+      A1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0y
+      MDEyMTUwMzE1MDJaFw0yMjAxMTQwMzE1MDJaMHMxCzAJBgNVBAYTAlVTMREwDwYD
+      VQQIEwhDb2xvcmFkbzEZMBcGA1UEBxMQQ29sb3JhZG8gU3ByaW5nczEeMBwGA1UE
+      ChMVRGVwYXJ0bWVudCBvZiBEZWZlbnNlMRYwFAYDVQQDEw1sb2dpbi5kc28ubWls
+      MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAymUXk7STDlepS5HJu0ca
+      B57S5dfLp7zxYmcsGjo10YkHy3m9LASQCTyiioDrlwo2b+n8oZ7esGLv3RgggMwf
+      xvLVyx1+lZDswxdQoXmjArTdbqpcSoq3Y1rvVp33/jGb3slBjQtcMt2QvaFv3fxy
+      cwwINvJFEqsQS7zGUgpolJ3smKdcVpUSGZmzpYposuDlPUGeOJaQRMAACW5arWiT
+      VkDhJD+OVOYEHW8uCQfghD3JJXu6Xp9SwlWe6UNOdxo9cq3s/XE4ZwEgffdLXP2A
+      wuJF/7B7CFdZjIMptmOODyCeatC344iyubU0MiGCOm4W4wn0pQ0XJtAzWeYFKATL
+      9BquNOzPUR6pMSFMvIEiS96zbVFuOYt2XKgPryWEYji3Oky082WWYOcXt0NnqnCj
+      SafVU+2fQi4jQ0att5YXagEEPz83lQZdSKb2+grDeFg78VrEZAe+Y0mVu4/G93he
+      UOqfZ9jdCnFXq8sEMG9bJJFKeOXkb1Da8Y0amfOw4hFd4UslrbvC5ZCUZNh6roOk
+      8kast9QWtWFIGPC3f+Uq3gvx3GBHzIG9QPOq1CjSSAF3tWKuMTxK4zaS33mriJo0
+      Dv1CMX3FCmjT/qG3422guBL02hbGHveDSWk0/saY7ZWFifxnvKEdOi4ItnpMuQhE
+      zx6/+t7FWuzBTPAeVqV1l2sCAwEAAaOCAxkwggMVMAwGA1UdEwEB/wQCMAAwHQYD
+      VR0OBBYEFCLwpnkje7QKLWok+nWIeBEnIGfmMB8GA1UdIwQYMBaAFIKicHTdvFM/
+      z3vU981/p2DGCky/MGgGCCsGAQUFBwEBBFwwWjAjBggrBgEFBQcwAYYXaHR0cDov
+      L29jc3AuZW50cnVzdC5uZXQwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9haWEuZW50cnVz
+      dC5uZXQvbDFrLWNoYWluMjU2LmNlcjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8v
+      Y3JsLmVudHJ1c3QubmV0L2xldmVsMWsuY3JsMCcGA1UdEQQgMB6CDWxvZ2luLmRz
+      by5taWyCDWxvZ2luLmRzb3AuaW8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG
+      CCsGAQUFBwMBBggrBgEFBQcDAjBMBgNVHSAERTBDMDcGCmCGSAGG+mwKAQUwKTAn
+      BggrBgEFBQcCARYbaHR0cHM6Ly93d3cuZW50cnVzdC5uZXQvcnBhMAgGBmeBDAEC
+      AjCCAX4GCisGAQQB1nkCBAIEggFuBIIBagFoAHUAVhQGmi/XwuzT9eG9RLI+x0Z2
+      ubyZEVzA75SYVdaJ0N0AAAF2ZGTpIwAABAMARjBEAiAK+W9ukx92DJPFV87LexEg
+      /qDFTjtkiLh/z+mLmDtOwQIgUD4YrMuo22sV9MeJ8JmzraCQVdUUIprw4K4HN+eO
+      6W0AdwDfpV6raIJPH2yt7rhfTj5a6s2iEqRqXo47EsAgRFwqcwAAAXZkZOlKAAAE
+      AwBIMEYCIQDRpvbR/GroWSGlCIh1q0RUITb8RfI4skqqBa/FeU811AIhAPlRY4lv
+      DC2u9MFSEiCVeaFYJRU0xvAwmHQMtrl+IE4iAHYARqVV63X6kSAwtaKJafTzfREs
+      QXS+/Um4havy/HD+bUcAAAF2ZGTrYAAABAMARzBFAiEAifP8Y0nXFBykaTyzpWpv
+      E3FDi8NCQeJFRMJqD7loTjMCIHVDio7r+zANTbIdRLRRzHoNzo//xfJ0JUqejNRA
+      aCpZMA0GCSqGSIb3DQEBCwUAA4IBAQB/wtYjDQiPLe99tZq98IyxOSJCli2mtlV9
+      gSC67aj4rgW6g+C8P1bSoB5PamMq6rON5q0SXL3CQiQ7vegxCQnleDh0LWeKPFS2
+      jjSIl3CvrYfBlNBzw4H1uAa/yw+enr0So8oX8kdSTBFGnU4KoK646lFZRXSifFIU
+      zzQ9QYYedmiP0iKs5LDYGAOsB/w/O94+zv6qGKXA1fVzBXAD54MddqGk9mHZTSyL
+      6nsSTx4r8vCGQir7d2QuIGLD48zaYQz0TFcGKnBV3/9CB27RxJkRdMwUbMvNdp3C
+      V+C2+jdR8xA/0qCnvSxHc1lTZgXxVkcu/wpqIBn3af5Ha8ddd0DU
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      MIIFDjCCA/agAwIBAgIMDulMwwAAAABR03eFMA0GCSqGSIb3DQEBCwUAMIG+MQsw
+      CQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2Vl
+      IHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkg
+      RW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIwMAYDVQQD
+      EylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjAeFw0x
+      NTEwMDUxOTEzNTZaFw0zMDEyMDUxOTQzNTZaMIG6MQswCQYDVQQGEwJVUzEWMBQG
+      A1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRydXN0Lm5l
+      dC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMTIgRW50cnVzdCwgSW5jLiAt
+      IGZvciBhdXRob3JpemVkIHVzZSBvbmx5MS4wLAYDVQQDEyVFbnRydXN0IENlcnRp
+      ZmljYXRpb24gQXV0aG9yaXR5IC0gTDFLMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+      MIIBCgKCAQEA2j+W0E25L0Tn2zlem1DuXKVh2kFnUwmqAJqOV38pa9vH4SEkqjrQ
+      jUcj0u1yFvCRIdJdt7hLqIOPt5EyaM/OJZMssn2XyP7BtBe6CZ4DkJN7fEmDImiK
+      m95HwzGYei59QAvS7z7Tsoyqj0ip/wDoKVgG97aTWpRzJiatWA7lQrjV6nN5ZGhT
+      JbiEz5R6rgZFDKNrTdDGvuoYpDbwkrK6HIiPOlJ/915tgxyd8B/lw9bdpXiSPbBt
+      LOrJz5RBGXFEaLpHPATpXbo+8DX3Fbae8i4VHj9HyMg4p3NFXU2wO7GOFyk36t0F
+      ASK7lDYqjVs1/lMZLwhGwSqzGmIdTivZGwIDAQABo4IBDDCCAQgwDgYDVR0PAQH/
+      BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwMwYIKwYBBQUHAQEEJzAlMCMGCCsG
+      AQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAwBgNVHR8EKTAnMCWgI6Ah
+      hh9odHRwOi8vY3JsLmVudHJ1c3QubmV0L2cyY2EuY3JsMDsGA1UdIAQ0MDIwMAYE
+      VR0gADAoMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L3JwYTAd
+      BgNVHQ4EFgQUgqJwdN28Uz/Pe9T3zX+nYMYKTL8wHwYDVR0jBBgwFoAUanImetAe
+      733nO2lR1GyNn5ASZqswDQYJKoZIhvcNAQELBQADggEBADnVjpiDYcgsY9NwHRkw
+      y/YJrMxp1cncN0HyMg/vdMNY9ngnCTQIlZIv19+4o/0OgemknNM/TWgrFTEKFcxS
+      BJPok1DD2bHi4Wi3Ogl08TRYCj93mEC45mj/XeTIRsXsgdfJghhcg85x2Ly/rJkC
+      k9uUmITSnKa1/ly78EqvIazCP0kkZ9Yujs+szGQVGHLlbHfTUqi53Y2sAEo1GdRv
+      c6N172tkw+CNgxKhiucOhk3YtCAbvmqljEtoZuMrx1gL+1YQ1JH7HdMxWBCMRON1
+      exCdtTix9qrKgWRs6PLigVWXUX/hwidQosk8WwBD9lu51aX8/wdQQGcHsFXwt35u
+      Lcw=
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC
+      VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
+      cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs
+      IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz
+      dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy
+      NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu
+      dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt
+      dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0
+      aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj
+      YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+      AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T
+      RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN
+      cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW
+      wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1
+      U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0
+      jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP
+      BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN
+      BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/
+      jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ
+      Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v
+      1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R
+      nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH
+      VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==
+      -----END CERTIFICATE-----
 
-  
-  # The JSON Web Key Set (JWKS) containing the public keys used to verify any JSON Web Token (JWT) issued by the IDP
-  # The jwks is public and does not require a secret
-  # The jwks is used by Istio authservice
-  # Must be updated for every new deployment of Keycloak. Example of where to get the jwks:
-  # https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/certs
-  # must be single quoted and double quotes must be escaped like this \"xxxx\"
-  # This is the specific jwks from login.bigbang.dev
-  # jwks: '{\"keys\":[{\"kid\":\"4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"hiML1kjw-sw25BgaZI1AyfgcCRBPJKPE-wwttqa7NNxptr_5RCBGuJXqDyo3p1vjcbb8KjdKnXI7kWer8b2Pz_RP1m_QcPrKOxSluk7GZF8ARsc6FPGbzYgi8o8cBVSsaml6HZzpN3ZnH4DFZ27ifM-Ul_PyMxZ2aweohIaizXp-rgF7Rqpav5NXUwmcSyH8LP92NVIuFlD3HYTDGosVbfA_u_H25Z4XCGKW_vLDTNrl8PcA3HqIoD-vNavysdxAq_KNw7iLLc0KLsjFYSdJL_54H7QubsGR0AyIrLLurJbqAtvttGJK38k5XYWKIwYGtu6iiJwjSb7UtonVdPh8Vw\",\"e\":\"AQAB\",\"x5c\":[\"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\"],\"x5t\":\"mxFIwx7EdgxyC3Y6ODLx8yr8Bx8\",\"x5t#S256\":\"SdT7ScKVOnBW6qs_MuYdTGVtMGwYK_-nmQF9a_8lXco\"}]}'
-  # Recent versions of authservice allow filling in of a URI for jwks which will be fetched on your behalf
-  jwks_uri: "https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/certs"
+    # # LetsEncrypt certificate authority for keycloak.bigbang.dev
+    # # Use this CA if you deployed Keycloak with *.bigbang.dev certificate using docs/assets/configs/example/keycloak-dev-values.yaml
+    # certificate_authority: |
+    #   -----BEGIN CERTIFICATE-----
+    #   MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+    #   TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+    #   cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+    #   WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+    #   ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+    #   MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+    #   h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+    #   0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+    #   A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+    #   T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+    #   B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+    #   B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+    #   KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+    #   OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+    #   jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+    #   qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+    #   rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+    #   HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+    #   hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+    #   ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+    #   3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+    #   NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+    #   ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+    #   TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+    #   jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+    #   oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+    #   4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+    #   mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+    #   emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+    #   -----END CERTIFICATE-----
+  saml:
+    # Retrieve from https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor
+    metadata: <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://login.dso.mil/auth/realms/baby-yoda"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4</ds:KeyName><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/resolve" index="0"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml"/><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml"/><md:SingleSignOnService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://login.dso.mil/auth/realms/baby-yoda/protocol/saml"/></md:IDPSSODescriptor></md:EntityDescriptor>
 
 kiali:
   sso:
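Review bot: The commented-out LetsEncrypt example was re-indented under the new `certificateAuthority:` mapping but still names the old key, `# certificate_authority: |`; a user who uncomments it would set `sso.certificateAuthority.certificate_authority` instead of `sso.certificateAuthority.cert`, and the CA would silently not be applied. That line should read `# cert: |` at the same indent as the live `cert:` key above it, with the certificate lines indented one level deeper to match. The new `saml.metadata` value is a very long unquoted plain scalar; the guidance this commit drops from the Nexus section (a single-quoted, single-line string) still applies, because any `: ` or ` #` that lands inside a future descriptor turns a plain scalar into a mapping or a comment, so `metadata: '<md:EntityDescriptor ...>'` or a `|-` block is the safer form. Separately, the first certificate in the `cert` bundle appears to be the `login.dso.mil` leaf certificate rather than an issuing CA (its encoded validity reads as 2020-12-15 to 2022-01-14); a trust bundle normally needs only the intermediate and root, so whether a pinned and apparently expired leaf belongs in this example is worth confirming before it is copied as a template.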
@@ -179,7 +171,7 @@ tempo:
 monitoring:
   sso:
     enabled: true
-    prometheus: 
+    prometheus:
       client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-prometheus
     alertmanager:
       client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-alertmanager
@@ -192,20 +184,15 @@ twistlock:
   sso:
     enabled: true
     client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-twistlock
-    cert: |-
-      -----BEGIN CERTIFICATE-----
-      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
-      -----END CERTIFICATE-----
 
 addons:
   authservice:
     enabled: true
-  argocd: 
+  argocd:
     sso:
       enabled: true
       client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-argocd
       client_secret: anything-for-dev
-      provider_name: "P1 SSO"
       groups: |
         g, Impact Level 2 Authorized, role:admin
   gitlab:
@@ -216,8 +203,6 @@ addons:
     sso:
       enabled: true
       client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-saml-sonarqube
-      provider_name: "P1 SSO"
-      certificate: MIICoTCCAYkCBgFyLIEqUjANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwHhcNMjAwNTE5MTAzNDIyWhcNMzAwNTE5MTAzNjAyWjAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCGIwvWSPD6zDbkGBpkjUDJ+BwJEE8ko8T7DC22prs03Gm2v/lEIEa4leoPKjenW+NxtvwqN0qdcjuRZ6vxvY/P9E/Wb9Bw+so7FKW6TsZkXwBGxzoU8ZvNiCLyjxwFVKxqaXodnOk3dmcfgMVnbuJ8z5SX8/IzFnZrB6iEhqLNen6uAXtGqlq/k1dTCZxLIfws/3Y1Ui4WUPcdhMMaixVt8D+78fblnhcIYpb+8sNM2uXw9wDceoigP681q/Kx3ECr8o3DuIstzQouyMVhJ0kv/ngftC5uwZHQDIissu6sluoC2+20YkrfyTldhYojBga27qKInCNJvtS2idV0+HxXAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIVkoDYkM6ryBcuchdAL5OmyKbmmY4WDrMlatfa3uniK5jvFXrmVaJ3rcu0apdY/NhBeLSOLFVlC5w1QroGUhWm0EjAA4zyuU63Pk0sro0vyHrxztBrGPQrGXI3kjXEssaehZZvYP4b9VtYpus6oGP6bTmaDw94Zu+WrDsWdFs+27VEYwBuU0D6E+ENDGlfR+9ADEW53t6H2M3H0VsOtbArEutYgb4gmQcOIBygC7L1tGJ4IqbnhTYLh9DMKNklU+tq8TMHacps9FxELpeAib3O0J0E5zYXdraQobCCe+ao1Y7sA/wqcGQBCVuoFgty7Y37nNL7LMvygcafgqVDqw5U=
       login: login
       name: name
       email: email
@@ -263,10 +248,6 @@ addons:
         lastName: "lastName"
         email: "email"
         groups: "groups"
-        # -- IDP SAML Metadata XML as a single line string in single quotes
-        # -- this information is public and does not require a secret
-        # curl https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml/descriptor ; echo
-        idpMetadata: 'enter-single-quoted-single-line-string-here'
       role:
         # id is the name of the Keycloak group (case sensitive)
         - id: "Nexus"
diff --git a/docs/assets/configs/example/google-auth-example-values.yaml b/docs/assets/configs/example/google-auth-example-values.yaml
index 44524713ecd6d1eda88a7f25a9d4170f18e41b9c..a10e06471feca41d5f141260c5ae0de1690ae65c 100644
--- a/docs/assets/configs/example/google-auth-example-values.yaml
+++ b/docs/assets/configs/example/google-auth-example-values.yaml
@@ -6,6 +6,18 @@
 #   * kibana/es - https://www.elastic.co/guide/en/elasticsearch/reference/7.12/oidc-guide-stack.html
 #               - https://www.elastic.co/guide/en/kibana/current/kibana-authentication.html#oidc
 #
+sso:
+  name: Google SSO
+  url: https://accounts.google.com
+  oidc:
+    authorization: https://accounts.google.com/o/oauth2/v2/auth
+    endSession: ""
+    jwksUri: https://www.googleapis.com/oauth2/v3/certs
+    token: https://oauth2.googleapis.com/token
+    userinfo: https://openidconnect.googleapis.com/v1/userinfo
+    claims:
+      username: email
+      groups: ""
 
 monitoring:
   sso:
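Review bot: The new top-level `sso.oidc` block leaves `endSession: ""` and `claims.groups: ""` blank without saying why, and the one comment that recorded this intent for Google (`# required for keycloak - should be empty for google)` under `logging.sso`) is removed in the next hunk. Add a comment above each blank, e.g. `# Google's discovery document publishes no end_session endpoint; leave empty` and `# Google ID tokens carry no groups claim, so group-based authorization is not available with this IdP`, so readers know the blanks are deliberate and that packages relying on a groups claim will not enforce group membership here. The block correctly holds only public endpoint URLs while the `<client_id>`/`<client_secret>` placeholders stay in the per-package sections; a short note stating that no secret belongs under `sso.oidc` would keep future edits from moving one there.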
@@ -15,31 +27,17 @@ monitoring:
       client_secret: <client_secret>
       scopes: "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
       allowed_domains: <allowed_domains>
-      auth_url: https://accounts.google.com/o/oauth2/auth
-      token_url: https://oauth2.googleapis.com/token
       signout_redirect_url: https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=https://grafana.bigbang.dev
 logging:
   sso:
     enabled: true
-    oidc:
-      realm: "Google" # optionally override the name used in the custom ES realm def and login page
     client_secret: "<client_secret>"
     client_id: "<client_id>"
     # additional fields (required to override keycloak defaults)
-    issuer: "https://accounts.google.com"
-    auth_url: "https://accounts.google.com/o/oauth2/v2/auth"
-    token_url: "https://oauth2.googleapis.com/token"
-    userinfo_url: "https://openidconnect.googleapis.com/v1/userinfo"
-    jwkset_url: "https://www.googleapis.com/oauth2/v3/certs"
-    claims_principal: email
     claims_principal_pattern: "<regex for allowed email domains>" # example: "^([^@]+)@leapfrog\\.ai$"
     requested_scopes:
       - openid
       - email
-    # required for keycloak - should be empty for google)
     signature_algorithm: ""
-    endsession_url: ""
-    claims_group: ""
-    claims_mail: ""
   license:
     trial: true
\ No newline at end of file
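Review bot: The comment `# additional fields (required to override keycloak defaults)` now introduces only `claims_principal_pattern` and `requested_scopes`, because the issuer/auth/token/userinfo/jwkset lines it described have moved to the top-level `sso.oidc` block, so it reads as stale; rewording it to `# package-specific fields not covered by the top-level sso.oidc block` matches what remains. The removed line `# required for keycloak - should be empty for google)` was the only explanation for `signature_algorithm: ""`; keeping a one-line comment on that key preserves the intent. The file also still ends without a trailing newline (`\ No newline at end of file`), which this hunk could have fixed while touching the last lines.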
diff --git a/docs/developer/package-integration/supported.md b/docs/developer/package-integration/supported.md
index 571ca8dc2df643b525e1c3dd7317957a85ab9ed2..4a6101e10a14756a773bb82c2d43c29c0facdeaa 100644
--- a/docs/developer/package-integration/supported.md
+++ b/docs/developer/package-integration/supported.md
@@ -28,7 +28,7 @@ After [graduating your package](https://repo1.dso.mil/platform-one/bbtoc/-/tree/
 
 1. Make sure the files described in this [document](./flux.md) have been generated in `chart/templates/<your-package-name>` directory
 
-1. More details about secret-*.yaml: The secret template is where the code for secrets go. Typically you will see secrets for imagePullSecret, sso, database, and possibly object storage. These secrets are a BigBang chart enhancement. They are created conditionally based on what the user enables in the config. For example if the app supports SSO and will need a Certificate Authority supplied to trust the connection to the IdP there should be a `secret-ca.yaml` template to populate a secret with the `sso.certificate_authority` value in the application namespace.
+1. More details about secret-*.yaml: The secret template is where the code for secrets go. Typically you will see secrets for imagePullSecret, sso, database, and possibly object storage. These secrets are a BigBang chart enhancement. They are created conditionally based on what the user enables in the config. For example if the app supports SSO and will need a Certificate Authority supplied to trust the connection to the IdP there should be a `secret-ca.yaml` template to populate a secret with the `sso.certificateAuthority.cert` value in the application namespace.
 
 1. Merge your default package values from `<your-package-git-folder>/bigbang/values.yaml` into `chart/values.yaml`.  Only the "standard" keys used across packages should be used.  Keep in mind that values can be passed directly to the package using `.Values.<package>.values`
 
diff --git a/docs/guides/deployment-scenarios/sso-quickstart.md b/docs/guides/deployment-scenarios/sso-quickstart.md
index 396b69cd4f6c427f2dd9d9318a2a01e2cd69bfc8..cc603aa513b645a6196ab18ee2862ade27c561d8 100644
--- a/docs/guides/deployment-scenarios/sso-quickstart.md
+++ b/docs/guides/deployment-scenarios/sso-quickstart.md
@@ -7,6 +7,8 @@ A 54min speed run with explanations video walkthrough of this sso quickstart gui
 * [Google Drive - Video Mirror](https://drive.google.com/file/d/1xzRKhFQy4WXW97YWUFpixclLGAKfgA6Z/preview)
 * [Repo1 - Video Mirror](https://repo1.dso.mil/platform-one/bullhorn-delivery-static-assets/-/blob/master/big_bang/bigbang_sso_quickstart.mp4)
 
+> SSO values have changed since these videos were created.  The old values used in the videos should still work, but you will receive warnings that they have been deprecated.
+
 ## Blue Team Knowledge Drop
 
 Imagine <https://authdemo.bigbang.dev> represents a mock-up of a custom-built mission application that doesn't have SSO, Authentication, or Authorization built-in. Auth Service can add those to it which creates layers of defense/defense in depth in the form only allowing authenticated users the ability to even see the page, enforcing MFA of authenticated users, and requiring that authenticated users are authorized to access that service (they must be in the correct group of their Identity Provider, and this means you can safely enable self-registration of users without hurting security. Auth Service's Authentication Proxy has an additional benefit in regards to defense in depth. You can add it in front of most frontend applications to create an additional layer of defense. Example: Grafana, Kibana, ArgoCD, and others have baked in support for OIDC/SSO and AuthN/AuthZ functionality, so you may think what benefit could be had from adding an authentication proxy in front of them (it seems redundant at first glance). Let's say that a frontend service was reachable from the public internet and it had some zero-day vulnerability that allowed authentication bypass or unauthenticated remote code execution to occur via a network-level exploit / uniquely crafted packet. Well someone on the internet wouldn't even be able to exploit these hypothetical zero-day vulnerabilities since it'd be behind an AuthN/AuthZ proxy layer of defense which would prevent them from even touching the frontend. Bonus: Istio, AuthService, and Keycloak are all Free Open Source Software (FOSS) solutions and they work in internet disconnect environments, we'll even demonstrate it working using only Kubernetes DNS and workstation hostfile edits / without needing to configure LAN/Internet DNS.
@@ -103,11 +105,11 @@ Why 2 VMs? 2 reasons:
 
     ```shell
     # [admin@Laptop:~]
-   
+
     # Commented out directly below, is how to use a pinned version of BigBang:
-    # BIG_BANG_VERSION="1.30.1" 
+    # BIG_BANG_VERSION="1.30.1"
     # (Note: 1.30.1 was the last version this guide was tested against)
-    # 
+    #
     # The following will load the latest tagger version of BigBang into an environment variable
     BIG_BANG_VERSION=$(curl -s https://repo1.dso.mil/platform-one/big-bang/bigbang/-/raw/master/base/gitrepository.yaml | grep 'tag:' | awk '{print $2}')
     echo "This script will install Big Bang version: $BIG_BANG_VERSION"
@@ -120,10 +122,10 @@ Why 2 VMs? 2 reasons:
     ```shell
     # [admin@Laptop:~]
     echo $REGISTRY1_PASSWORD | docker login https://registry1.dso.mil --username=$REGISTRY1_USERNAME --password-stdin | grep "Succeeded" ; echo $? | grep 0 && echo "This validation check shows your registry1 credentials are valid, please continue." || for i in {1..10}; do echo "Validation check shows error, fix your registry1 credentials before moving on."; done
-    
+
     export KEYCLOAK_IP=$(cat ~/.ssh/config | grep keycloak-cluster -A 1 | grep Hostname | awk '{print $2}')
     echo "\n\n\n$KEYCLOAK_IP is the IP of the k3d node that will host Keycloak on Big Bang"
-    
+
     export WORKLOAD_IP=$(cat ~/.ssh/config | grep workload-cluster -A 1 | grep Hostname | awk '{print $2}')
     echo "$WORKLOAD_IP is the IP of the k3d node that will host Workloads on Big Bang"
     echo "Please manually verify that the IPs of your keycloak and workload k3d VMs look correct before moving on."
@@ -134,8 +136,8 @@ Why 2 VMs? 2 reasons:
 
     ```shell
     # [admin@Laptop:~]
-    mkdir -p ~/qs   
-   
+    mkdir -p ~/qs
+
     cat << EOFkeycloak-k3d-prepwork-commandsEOF > ~/qs/keycloak-k3d-prepwork-commands.txt
     # Idempotent logic:
     sudo sed -i "/.*BIG_BANG_VERSION.*/d"      ~/.bashrc
@@ -148,14 +150,14 @@ Why 2 VMs? 2 reasons:
     lines_in_file+=( 'export K3D_IP="$KEYCLOAK_IP"' )
     lines_in_file+=( 'export REGISTRY1_USERNAME="$REGISTRY1_USERNAME"' )
     lines_in_file+=( 'export REGISTRY1_PASSWORD="$REGISTRY1_PASSWORD"' )
-    
+
     for line in "\${lines_in_file[@]}"; do
       grep -qF "\${line}" ~/.bashrc
       if [ \$? -ne 0 ]; then echo "\${line}" >> ~/.bashrc ; fi
     done
     EOFkeycloak-k3d-prepwork-commandsEOF
-    
-    
+
+
     cat << EOFworkload-k3d-prepwork-commandsEOF > ~/qs/workload-k3d-prepwork-commands.txt
     # Idempotent logic:
     sudo sed -i "/.*BIG_BANG_VERSION.*/d"      ~/.bashrc
@@ -168,7 +170,7 @@ Why 2 VMs? 2 reasons:
     lines_in_file+=( 'export K3D_IP="$WORKLOAD_IP"' )
     lines_in_file+=( 'export REGISTRY1_USERNAME="$REGISTRY1_USERNAME"' )
     lines_in_file+=( 'export REGISTRY1_PASSWORD="$REGISTRY1_PASSWORD"' )
-    
+
     for line in "\${lines_in_file[@]}"; do
       grep -qF "\${line}" ~/.bashrc
       if [ \$? -ne 0 ]; then echo "\${line}" >> ~/.bashrc ; fi
@@ -193,10 +195,10 @@ Why 2 VMs? 2 reasons:
     ```
 
     ```text
-    Explanation: (We are basically doing the equivalent of Ansible, without 
+    Explanation: (We are basically doing the equivalent of Ansible, without
     having to install Ansible and its dependencies.)
     ssh keycloak-cluster < ~/qs/keycloak-k3d-prepwork-commands.txt
-    ^-- runs script against remote VM 
+    ^-- runs script against remote VM
     & at the end of the command means to let it run in the background
     using it allows us to run the script against both machines in parallel.
     wait command waits for background processes to finish
@@ -207,13 +209,13 @@ Why 2 VMs? 2 reasons:
     ```shell
     # [admin@Laptop:~]
     # First a command to confirm ~/.bashrc was updated as expected
-    ssh keycloak-cluster 'tail ~/.bashrc' 
-    
+    ssh keycloak-cluster 'tail ~/.bashrc'
+
     # Then ssh in to see the differences
     ssh keycloak-cluster
     ```
 
-1. Notice the prompt makes it obvious which VM you ssh'ed into.  
+1. Notice the prompt makes it obvious which VM you ssh'ed into.
 
     ```shell
     # [ubuntu@keycloak-cluster:~$]
@@ -221,7 +223,7 @@ Why 2 VMs? 2 reasons:
     env | grep -i name
     env | grep IP
     exit
-    
+
     # [admin@Laptop:~]
     ```
 
@@ -231,7 +233,7 @@ Why 2 VMs? 2 reasons:
     ```shell
     # [admin@Laptop:~]
     # Note ? is escaped in some places in the form of \?, this prevents substitution
-    # by the local machine, which allows the remote VM to do the substituting. 
+    # by the local machine, which allows the remote VM to do the substituting.
     cat << EOFshared-k3d-prepwork-commandsEOF > ~/qs/shared-k3d-prepwork-commands.txt
     # Configure OS
     sudo sysctl -w vm.max_map_count=524288
@@ -244,32 +246,32 @@ Why 2 VMs? 2 reasons:
     sudo modprobe xt_statistic
     printf "xt_REDIRECT\nxt_owner\nxt_statistic\n" | sudo tee -a /etc/modules
     sudo swapoff -a
-    
+
     # Install git
     sudo apt install git -y
-    
+
     # Install docker (note we use escape some vars we want the remote linux to substitute)
     sudo apt update -y && sudo apt install apt-transport-https ca-certificates curl gnupg lsb-release -y
     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor --yes -o /usr/share/keyrings/docker-archive-keyring.gpg
     echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
     sudo apt update -y && sudo apt install docker-ce docker-ce-cli containerd.io -y && sudo usermod --append --groups docker \$USER
-    
+
     # Install k3d
     wget -q -O - https://github.com/k3d-io/k3d/releases/download/v5.4.1/k3d-linux-amd64 > k3d
     echo 50f64747989dc1fcde5db5cb82f8ac132a174b607ca7dfdb13da2f0e509fda11 k3d | sha256sum -c | grep OK
     if [ \$? == 0 ]; then chmod +x k3d && sudo mv k3d /usr/local/bin/k3d ; fi
-    
+
     # Install kubectl
     wget -q -O - https://dl.k8s.io/release/v1.23.5/bin/linux/amd64/kubectl > kubectl
     echo 715da05c56aa4f8df09cb1f9d96a2aa2c33a1232f6fd195e3ffce6e98a50a879 kubectl | sha256sum -c | grep OK
     if [ \$? == 0 ]; then chmod +x kubectl && sudo mv kubectl /usr/local/bin/kubectl; fi
     sudo ln -s /usr/local/bin/kubectl /usr/local/bin/k || true
-    
+
     # Install kustomize
     wget -q -O - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv4.5.4/kustomize_v4.5.4_linux_amd64.tar.gz > kustomize.tar.gz
     echo 1159c5c17c964257123b10e7d8864e9fe7f9a580d4124a388e746e4003added3 kustomize.tar.gz | sha256sum -c | grep OK
-    if [ \$? == 0 ]; then tar -xvf kustomize.tar.gz && chmod +x kustomize && sudo mv kustomize /usr/local/bin/kustomize && rm kustomize.tar.gz ; fi    
-    
+    if [ \$? == 0 ]; then tar -xvf kustomize.tar.gz && chmod +x kustomize && sudo mv kustomize /usr/local/bin/kustomize && rm kustomize.tar.gz ; fi
+
     # Install helm
     wget -q -O - https://get.helm.sh/helm-v3.8.1-linux-amd64.tar.gz > helm.tar.gz
     echo d643f48fe28eeb47ff68a1a7a26fc5142f348d02c8bc38d699674016716f61cd helm.tar.gz | sha256sum -c | grep OK
@@ -284,7 +286,7 @@ Why 2 VMs? 2 reasons:
     # Run the above prereq script against both VMs
     ssh keycloak-cluster < ~/qs/shared-k3d-prepwork-commands.txt &
     ssh workload-cluster < ~/qs/shared-k3d-prepwork-commands.txt &
-    wait 
+    wait
     ```
 
    * Copy paste the following to run validation checks against both VMs
@@ -297,10 +299,10 @@ Why 2 VMs? 2 reasons:
     k3d version >> /dev/null ; echo \$? | grep 0 >> /dev/null && echo "SUCCESS: k3d installed" || echo "ERROR: issue with k3d install"
     kubectl version --client >> /dev/null ; echo \$? | grep 0 >> /dev/null && echo "SUCCESS: kubectl installed" || echo "ERROR: issue with kubectl install"
     kustomize version >> /dev/null ; echo \$? | grep 0 >> /dev/null && echo "SUCCESS: kustomize installed" || echo "ERROR: issue with kustomize install"
-    helm version >> /dev/null ; echo \$? | grep 0 >> /dev/null && echo "SUCCESS: helm installed" || echo "ERROR: issue with helm install" 
+    helm version >> /dev/null ; echo \$? | grep 0 >> /dev/null && echo "SUCCESS: helm installed" || echo "ERROR: issue with helm install"
     EOFshared-k3d-prepwork-verification-commandsEOF
-    
-    ssh keycloak-cluster < ~/qs/shared-k3d-prepwork-verification-commands.txt 
+
+    ssh keycloak-cluster < ~/qs/shared-k3d-prepwork-verification-commands.txt
     ssh workload-cluster < ~/qs/shared-k3d-prepwork-verification-commands.txt
     ```
 
@@ -312,7 +314,7 @@ Note: There's no need to copy paste commands from this text box,
 
 If you were to copy paste the following into your laptop/workstation's terminal.
 ssh keycloak-cluster 'env | grep K3D_IP'
-You'd receive blank text, this means that env vars defined in the remote VM's ~/.bashrc 
+You'd receive blank text, this means that env vars defined in the remote VM's ~/.bashrc
 are not populated when using non interactive shell copy paste automation method.
 
 That's why the script that runs on the remote machine has lines like this one:
@@ -340,7 +342,7 @@ k3d cluster create \$CLUSTER_NAME \
     --api-port 6443
 sed -i "s/0.0.0.0/\$K3D_IP/" ~/.kube/config
 # Explanation:
-# sed = stream editor 
+# sed = stream editor
 # -i s/.../.../   (i = inline), (s = substitution, basically cli find and replace)
 # / / / are delimiters the separate what to find and what to replace.
 # \$K3D_IP, is a variable with $ escaped, so the var will be processed by the remote VM.
@@ -442,7 +444,7 @@ logging:
           requests:
             cpu: 1m
             memory: 1Mi
-          limits: 
+          limits:
             cpu: null
             memory: null
 
@@ -606,12 +608,12 @@ istio:
     public-ingressgateway:
       type: "NodePort"
   values:
-    values: 
-      global: 
-        proxy: 
+    values:
+      global:
+        proxy:
           resources:
             requests:
-              cpu: 0m 
+              cpu: 0m
               memory: 0Mi
             limits:
               cpu: 0m
@@ -628,7 +630,7 @@ helm upgrade --install bigbang \$HOME/bigbang/chart \
   --namespace=bigbang --create-namespace
 EOFdeploy-keycloakEOF
 
-ssh keycloak-cluster < ~/qs/deploy-keycloak.txt 
+ssh keycloak-cluster < ~/qs/deploy-keycloak.txt
 ```
 
 ## Step 8: Edit your workstation's Hosts file to access the web pages hosted on the Big Bang Clusters
@@ -659,10 +661,10 @@ cat /etc/hosts
 
 ## Step 9: Make sure the clusters have had enough time to finish their deployments
 
-* Note:  
-  After copy pasting the following, you may need to wait up to 10 minutes. If you're too  
-  fast you may see a temporary error about pod keycloak-0 not found. It's recommended to  
-  copy paste this block of verification commands a 2nd time after 10 minutes have passed.  
+* Note:
+  After copy pasting the following, you may need to wait up to 10 minutes. If you're too
+  fast you may see a temporary error about pod keycloak-0 not found. It's recommended to
+  copy paste this block of verification commands a 2nd time after 10 minutes have passed.
 
 * Note when you run `kubectl get svc -n=istio-system`, against each cluster, verify that EXTERNAL-IP isn't stuck in pending.
 
@@ -670,14 +672,14 @@ cat /etc/hosts
 # [admin@Laptop:~]
 export KUBECONFIG=$HOME/.kube/keycloak-cluster
 kubectl get pods -A
-kubectl wait --for=condition=ready --timeout=10m pod/keycloak-0 -n=keycloak 
+kubectl wait --for=condition=ready --timeout=10m pod/keycloak-0 -n=keycloak
 # ^-- takes about 5min
 kubectl get hr -A
-kubectl get svc -n=istio-system 
+kubectl get svc -n=istio-system
 
 export KUBECONFIG=$HOME/.kube/workload-cluster
 kubectl get hr -A
-kubectl wait --for=condition=ready --timeout=15m hr/jaeger -n=bigbang 
+kubectl wait --for=condition=ready --timeout=15m hr/jaeger -n=bigbang
 # ^-- takes about 10-15mins
 kubectl get hr -A
 kubectl get svc -n=istio-system
@@ -696,10 +698,10 @@ kubectl get svc -n=istio-system
 cat << EOFdeploy-mock-mission-appEOF > ~/qs/deploy-mock-mission-app.txt
 
 #Creating demo namespace
-k create ns mock-mission-app 
+k create ns mock-mission-app
 
 #Adding namespace to the service mesh
-k label ns mock-mission-app istio-injection=enabled 
+k label ns mock-mission-app istio-injection=enabled
 
 # Adding dockercred to namespace so istio side car image pull will work.
 kubectl get secret private-registry -n=istio-system -o yaml | sed 's/namespace: .*/namespace: mock-mission-app/' | kubectl apply -f -
@@ -760,19 +762,19 @@ kubectl wait --for=condition=available deployment/podinfo --timeout=3m -n=mock-m
 1. Visit <https://keycloak.bigbang.dev/auth/admin>
 1. log in as a keycloak admin, using the default creds of admin:password
 1. In the GUI:
-   1. Navigate to: Manage/Groups > Impact Level 2 Authorized (double click)  
+   1. Navigate to: Manage/Groups > Impact Level 2 Authorized (double click)
       Notice the group UUID in the URL: 00eb8904-5b88-4c68-ad67-cec0d2e07aa6
 1. In the GUI:
    1. Navigate to: Configure/Clients > [Create]
    1. Set:
-      Client ID = "demo-env_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_authdemo"  
-      Client Protocol = openid-connect  
+      Client ID = "demo-env_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_authdemo"
+      Client Protocol = openid-connect
       Root URL = (blank)
    1. Save
 1. In the GUI:
    1. Navigate to: Configure/Clients > [Edit] demo-env_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_authdemo
    1. Under "Access Type": Change Public to Confidential
-   1. Under "Valid Redirect URIs": Add "https://authdemo.bigbang.dev/login/generic_oauth"  
+   1. Under "Valid Redirect URIs": Add "https://authdemo.bigbang.dev/login/generic_oauth"
       Note: /login/generic_oauth comes from auth service
    1. Save
    1. Scroll up to the top of the page and you'll see a newly added [Credentials] tab, click it.
@@ -785,18 +787,18 @@ kubectl wait --for=condition=available deployment/podinfo --timeout=3m -n=mock-m
 
 export AUTHDEMO_APP_ID_CLIENT_SECRET="pasted_value"
 # It should look similar to the following dynamically generated demo value
-# export AUTHDEMO_APP_ID_CLIENT_SECRET="fsCUSkwy2kaaSlgN4r4LPYOAvHCqzUk5" 
+# export AUTHDEMO_APP_ID_CLIENT_SECRET="fsCUSkwy2kaaSlgN4r4LPYOAvHCqzUk5"
 
 echo $AUTHDEMO_APP_ID_CLIENT_SECRET | grep "pasted_value" ; echo $? | grep 1 && echo "This validation check shows you remembered to update the pasted value." || ( for i in {1..10}; do echo "Validation check shows error, update the variable by pasting in the dynamically generated secret before moving on." ; done ; sleep 3 )
 
-# Note: 
+# Note:
 # JWKS: JSON Web Key Set is a public key used to verify JWT's issued by the IDP.
 # Every Instance of Keycloak will have a unique JWKS, auth service needs to verify JWTs issued by Keycloak
 # You find it by curling https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/openid-connect/certs
-# then to prep for usage escape double quotes and wrapping the value in single quotes. 
+# then to prep for usage escape double quotes and wrapping the value in single quotes.
 export KEYCLOAK_IDP_JWKS=$(curl https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/openid-connect/certs | sed 's@"@\\"@g')
 
-# Note: 
+# Note:
 # Authservice needs the CA-cert.pem that Keycloak's HTTPS cert was signed by, *.bigbang.dev is signed by Let's Encrypt Free CA
 export KEYCLOAK_CERTS_CA=$(curl https://letsencrypt.org/certs/isrgrootx1.pem)
 ```
@@ -823,18 +825,14 @@ kubectl patch deployment podinfo --type merge --patch "\$(cat ~/pods-in-deployme
 
 cat << EOF > ~/auth_service_demo_values.yaml
 sso:
-  oidc:
-    host: keycloak.bigbang.dev
-    realm: baby-yoda
-  token_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"
-  auth_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth"
-  jwks: '$KEYCLOAK_IDP_JWKS'
-  certificate_authority: |
-$(echo "$KEYCLOAK_CERTS_CA" | sed 's/^/    /')
-# sed 's/^/    /', indents 4 spaces
+  url: https://keycloak.bigbang.dev/auth/realms/baby-yoda
+  certificateAuthority:
+    cert: |
+$(echo "$KEYCLOAK_CERTS_CA" | sed 's/^/      /')
+# sed 's/^/      /', indents 6 spaces
 
 addons:
-  authservice: 
+  authservice:
     enabled: true
     values:
       chains:
@@ -867,8 +865,8 @@ ssh workload-cluster 'helm get values bigbang -n=bigbang' # You can eyeball this
 * Before we were taken straight to the mock mission app webpage
 * Now* (or 30-120 seconds after copy pasting the above block of commands into the terminal), when you create a new tab and try to visit this URL it immediately redirects to a KeyCloak Log in Prompt and if you log in with your demo user, you'll a message like this:
 
-> RBAC: access denied  
-> Your account has not been granted access to this application group yet.  
+> RBAC: access denied
+> Your account has not been granted access to this application group yet.
 
 ## Step 17: Update the group membership of the user
 
@@ -880,13 +878,13 @@ ssh workload-cluster 'helm get values bigbang -n=bigbang' # You can eyeball this
    1. Click Impact Level 2 Authorized
    1. Click [Join]
 
-> Note:  
-> If you try to repeat step 16 at this stage, you'll see either an infinite loading screen or message like this:  
-> `Access to authdemo.bigbang.dev was denied`  
-> `You don't have authorization to view this page.`  
-> `HTTP ERROR 403`  
-> The reason for this is that we configured our workstation's hostfile /etc/hosts to avoid needing to configure DNS. But the 2 k3d clusters are unable to resolve the DNS Names.  
-> AuthService pods on the Workload Cluster need to be able to resolve the DNS name of keycloak.bigbang.dev  
+> Note:
+> If you try to repeat step 16 at this stage, you'll see either an infinite loading screen or message like this:
+> `Access to authdemo.bigbang.dev was denied`
+> `You don't have authorization to view this page.`
+> `HTTP ERROR 403`
+> The reason for this is that we configured our workstation's hostfile /etc/hosts to avoid needing to configure DNS. But the 2 k3d clusters are unable to resolve the DNS Names.
+> AuthService pods on the Workload Cluster need to be able to resolve the DNS name of keycloak.bigbang.dev
 > Keycloak pod on the Keycloak Cluster needs to be able to resolve the DNS name of authdemo.bigbang.dev
 
 ## Step 18: Update Inner Cluster DNS on the Workload Cluster
@@ -898,7 +896,7 @@ ssh workload-cluster 'helm get values bigbang -n=bigbang' # You can eyeball this
 
 # The following tests DNS resolution from the perspective of a pod running in the cluster
 export KUBECONFIG=$HOME/.kube/workload-cluster
-kubectl run -it test --image=busybox:stable 
+kubectl run -it test --image=busybox:stable
 ```
 
 ```shell
@@ -912,7 +910,7 @@ exit
 ```shell
 # [admin@Laptop:~]
 kubectl exec -it test -- ping keycloak.bigbang.dev -c 1 | head -n 1
-# Notice it mentions resolution as 127.0.0.1, this comes from public internet DNS, 
+# Notice it mentions resolution as 127.0.0.1, this comes from public internet DNS,
 # The next steps will override the DNS resolution to suit the needs of this guide.
 ```
 
diff --git a/docs/understanding-bigbang/configuration/base-config.md b/docs/understanding-bigbang/configuration/base-config.md
index c9da07ba50a379e25533b0c4e5dbf59bdf169526..faefc88096668dc51670342db5a2ee7fbd689520 100644
--- a/docs/understanding-bigbang/configuration/base-config.md
+++ b/docs/understanding-bigbang/configuration/base-config.md
@@ -36,17 +36,27 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | git.credentials.username | string | `""` | HTTP git credentials, both username and password must be provided |
 | git.credentials.caFile | string | `""` | HTTPS certificate authority file.  Required for any repo with a self signed certificate |
 | git.credentials.privateKey | string | `""` | SSH git credentials, privateKey, publicKey, and knownHosts must be provided |
-| sso | object | `{"auth_url":"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth","certificate_authority":"","client_id":"","client_secret":"","jwks":"","jwks_uri":"","oidc":{"host":"login.dso.mil","realm":"baby-yoda"},"secretName":"tls-ca-sso","token_url":"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"}` | Global SSO values used for BigBang deployments when sso is enabled, can be overridden by individual packages. |
-| sso.oidc.host | string | `"login.dso.mil"` | Domain for keycloak used for configuring SSO |
-| sso.oidc.realm | string | `"baby-yoda"` | Keycloak realm containing clients |
-| sso.certificate_authority | string | `""` | Keycloak's certificate authority (PEM Format). Entered using chomp modifier (see docs/assets/configs/example/dev-sso-values.yaml for example). Used by authservice to support SSO for various packages |
-| sso.jwks | string | `""` | Keycloak realm's json web key output, obtained at https://<keycloak-server>/auth/realms/<realm>/protocol/openid-connect/certs |
-| sso.jwks_uri | string | `""` | Optional use of JWKS fetcher config for ease of use and automation. Fill in JWKS URI value of OIDC endpoint, can be found under the well known OpenID metadata configuration page of your provider. |
-| sso.client_id | string | `""` | OIDC client ID used for packages authenticated through authservice |
-| sso.client_secret | string | `""` | OIDC client secret used for packages authenticated through authservice |
-| sso.token_url | string | `"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"` | OIDC token URL template string (to be used as default) |
-| sso.auth_url | string | `"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth"` | OIDC auth URL template string (to be used as default) |
-| sso.secretName | string | `"tls-ca-sso"` | Kubernetes Secret containing the sso.certificate_authority value for SSO enabled application namespaces |
+| sso | object | `{"certificateAuthority":{"cert":null,"secretName":"tls-ca-sso"},"name":"SSO","oidc":{"authorization":"{{ .Values.sso.url }}/protocol/openid-connect/auth","claims":{"email":"email","groups":"groups","name":"name","username":"preferred_username"},"endSession":"{{ .Values.sso.url }}/protocol/openid-connect/logout","jwks":null,"jwksUri":"{{ .Values.sso.url }}/protocol/openid-connect/certs","token":"{{ .Values.sso.url }}/protocol/openid-connect/token","userinfo":"{{ .Values.sso.url }}/protocol/openid-connect/userinfo"},"saml":{"attributes":{"email":"email","groups":"groups","name":"name","username":"login"},"entityDescriptor":"{{ .Values.sso.url }}/protocol/saml/descriptor","metadata":null,"service":"{{ .Values.sso.url }}/protocol/saml"},"url":"https://login.dso.mil/auth/realms/baby-yoda"}` | Global SSO values used for BigBang deployments when sso is enabled |
+| sso.name | string | `"SSO"` | Name of the identity provider.  This is used by some packages as the SSO login label. |
+| sso.url | string | `"https://login.dso.mil/auth/realms/baby-yoda"` | Base URL for the identity provider. For OIDC, this is the issuer.  For SAML this is the entityID. |
+| sso.certificateAuthority | object | `{"cert":null,"secretName":"tls-ca-sso"}` | Certificate authority for the identity provider's certificates |
+| sso.certificateAuthority.cert | string | `nil` | The certificate authority public certificate in .pem format.  Populating this will create a secret in each namespace that enables SSO. |
+| sso.certificateAuthority.secretName | string | `"tls-ca-sso"` | The secret name to use for the certificate authority.  Can be manually populated if cert is blank. |
+| sso.saml.entityDescriptor | string | `"{{ .Values.sso.url }}/protocol/saml/descriptor"` | SAML entityDescriptor (metadata) path |
+| sso.saml.service | string | `"{{ .Values.sso.url }}/protocol/saml"` | SAML SSO Service path |
+| sso.saml.metadata | string | `nil` | Literal SAML XML metadata retrieved from `{{ .Values.sso.saml.entityDescriptor }}`.  Required for SSO in Nexus, Twistlock, or Sonarqube. |
+| sso.oidc | object | `{"authorization":"{{ .Values.sso.url }}/protocol/openid-connect/auth","claims":{"email":"email","groups":"groups","name":"name","username":"preferred_username"},"endSession":"{{ .Values.sso.url }}/protocol/openid-connect/logout","jwks":null,"jwksUri":"{{ .Values.sso.url }}/protocol/openid-connect/certs","token":"{{ .Values.sso.url }}/protocol/openid-connect/token","userinfo":"{{ .Values.sso.url }}/protocol/openid-connect/userinfo"}` | OIDC endpoints can be retrieved from `{{ .Values.sso.url }}/.well-known/openid-configuration` |
+| sso.oidc.authorization | string | `"{{ .Values.sso.url }}/protocol/openid-connect/auth"` | OIDC authorization path |
+| sso.oidc.endSession | string | `"{{ .Values.sso.url }}/protocol/openid-connect/logout"` | OIDC logout / end session path |
+| sso.oidc.jwksUri | string | `"{{ .Values.sso.url }}/protocol/openid-connect/certs"` | OIDC JSON Web Key Set (JWKS) path |
+| sso.oidc.token | string | `"{{ .Values.sso.url }}/protocol/openid-connect/token"` | OIDC token path |
+| sso.oidc.userinfo | string | `"{{ .Values.sso.url }}/protocol/openid-connect/userinfo"` | OIDC user information path |
+| sso.oidc.jwks | string | `nil` | Literal OIDC JWKS data retrieved from JWKS Uri.  Only needed if `jwsksUri` is not defined. |
+| sso.oidc.claims | object | `{"email":"email","groups":"groups","name":"name","username":"preferred_username"}` | Identity provider claim names that store metadata about the authenticated user. |
+| sso.oidc.claims.email | string | `"email"` | IdP's claim name used for the user's email address. |
+| sso.oidc.claims.name | string | `"name"` | IdP's claim name used for the user's full name |
+| sso.oidc.claims.username | string | `"preferred_username"` | IdP's claim name used for the username |
+| sso.oidc.claims.groups | string | `"groups"` | IdP's claim name used for the user's groups or roles |
 | flux | object | `{"install":{"remediation":{"retries":-1}},"interval":"2m","rollback":{"cleanupOnFail":true,"timeout":"10m"},"test":{"enable":false},"timeout":"10m","upgrade":{"cleanupOnFail":true,"remediation":{"remediateLastFailure":true,"retries":3}}}` | (Advanced) Flux reconciliation parameters. The default values provided will be sufficient for the majority of workloads. |
 | networkPolicies | object | `{"controlPlaneCidr":"0.0.0.0/0","enabled":true,"nodeCidr":"","vpcCidr":"0.0.0.0/0"}` | Global NetworkPolicies settings |
 | networkPolicies.enabled | bool | `true` | Toggle all package NetworkPolicies, can disable specific packages with `package.values.networkPolicies.enabled` |
diff --git a/docs/understanding-bigbang/package-architecture/argocd.md b/docs/understanding-bigbang/package-architecture/argocd.md
index 070395c1c6ce6eaaf1ba5174d31af74448f71877..c1bce7fd8d3faf9e3080c63775ad379861e1c85a 100644
--- a/docs/understanding-bigbang/package-architecture/argocd.md
+++ b/docs/understanding-bigbang/package-architecture/argocd.md
@@ -57,7 +57,6 @@ addons:
       enabled: true
       client_id:
       client_secret: ""
-      provider_name: ""
       groups: |
         g, Impact Level 2 Authorized, role:admin
 ```
diff --git a/docs/understanding-bigbang/package-architecture/elasticsearch-kibana.md b/docs/understanding-bigbang/package-architecture/elasticsearch-kibana.md
index 336ce446adeb0e7d6885cb54ef9fac1d5708a2b2..ec38a5d5e06ab259e1d139d44e336e3a1721f3f9 100644
--- a/docs/understanding-bigbang/package-architecture/elasticsearch-kibana.md
+++ b/docs/understanding-bigbang/package-architecture/elasticsearch-kibana.md
@@ -97,13 +97,6 @@ logging:
 SSO integration for the eck stack requires a license (see below) and can be configured with the following values:
 
 ```yaml
-sso:
-  oidc:
-    # -- Domain for keycloak used for configuring SSO
-    host: login.dso.mil
-    # -- Keycloak realm containing clients
-    realm: baby-yoda
-
 logging:
   sso:
     # -- Toggle OIDC SSO for Kibana/Elasticsearch on and off.
diff --git a/docs/understanding-bigbang/package-architecture/kiali.md b/docs/understanding-bigbang/package-architecture/kiali.md
index 9b0909bcbcf3d064bba9f398fc09ef18046c72e9..5332aada77a704e8c923d60fbb4d1bd66d8c48c9 100644
--- a/docs/understanding-bigbang/package-architecture/kiali.md
+++ b/docs/understanding-bigbang/package-architecture/kiali.md
@@ -127,11 +127,7 @@ kiali:
     enabled: true
     client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-kiali
     client_secret: your_client_secret_or_empty_string
-# Kiali inherits/uses the global SSO settings for the host/realm
-sso:
-  oidc:
-    host: login.dso.mil
-    realm: baby-yoda
+# Kiali inherits/uses the global SSO settings at .sso
 ```
 
 If you require a more advanced SSO configuration there are additional ways to customize that are detailed in the [upstream OIDC docs](https://kiali.io/docs/configuration/authentication/openid/). This doc includes details on how to configure username, scope, timeout, proxies, and more. It also lists some [SSO provider specifics](https://kiali.io/docs/configuration/authentication/openid/#_provider_specific_instructions) which may be needed for configuring with different providers. If you want to provide any further configuration than what is included in the `kiali.sso` block, you can override the BB pre-configured SSO and pass values via `kiali.values.cr.spec.auth`.
diff --git a/docs/understanding-bigbang/package-architecture/mattermost.md b/docs/understanding-bigbang/package-architecture/mattermost.md
index 6af1e04aae15359395887affe600606cb0d8b27b..8e1b851ee6b4194748d0d798ea32abb417e0c893 100644
--- a/docs/understanding-bigbang/package-architecture/mattermost.md
+++ b/docs/understanding-bigbang/package-architecture/mattermost.md
@@ -130,9 +130,6 @@ addons:
       enabled: true
       client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-mattermost
       client_secret: no-secret
-      auth_endpoint: https://login.dso.mil/oauth/authorize
-      token_endpoint: https://login.dso.mil/oauth/token
-      user_api_endpoint: https://login.dso.mil/api/v4/user
 ```
 
 ## Licensing
diff --git a/docs/understanding-bigbang/package-architecture/sonarqube.md b/docs/understanding-bigbang/package-architecture/sonarqube.md
index 3c5e973999b587c31d6cbb25e9b7f700b2d91a80..c7037e8ac81f1800eb4cfe90e80933d7bde29f1f 100644
--- a/docs/understanding-bigbang/package-architecture/sonarqube.md
+++ b/docs/understanding-bigbang/package-architecture/sonarqube.md
@@ -84,19 +84,12 @@ addons:
 SSO integration can be configured by modifying the following settings in the bigbang chart.
 
 ```yaml
-sso:
-  oidc:
-    host: login.dso.mil
-    realm: baby-yoda
-
 addons:
   sonarqube:
     enabled: true
     sso:
       enabled: true
       client_id: ""
-      label: ""
-      certificate: ""
       login: login
       name: name
       email: email
diff --git a/tests/test-values.yaml b/tests/test-values.yaml
index 47ce71e27782f19e6865256ef50809913a83bf69..53f4680fc9db1ba261234be98042457f3cfb6bad 100644
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -1,47 +1,45 @@
 domain: bigbang.dev
 
 sso:
-  # LetsEncrypt certificate authority
-  certificate_authority: |
-    -----BEGIN CERTIFICATE-----
-    MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
-    TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-    cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
-    WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
-    ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
-    MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
-    h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
-    0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
-    A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
-    T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
-    B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
-    B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
-    KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
-    OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
-    jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
-    qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
-    rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
-    HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
-    hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
-    ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
-    3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
-    NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
-    ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
-    TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
-    jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
-    oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
-    4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
-    mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
-    emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-    -----END CERTIFICATE-----
+  url: https://keycloak.bigbang.dev/auth/realms/baby-yoda
 
-  # Must be updated for every new deployment of Keycloak. Example of where to get the jwks:
-  # https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/openid-connect/certs
-  # must be single quoted and double quotes must be escaped like this \"xxxx\"
-  jwks: '{\"keys\":[{\"kid\":\"nZUXZDUyyAEKY4dJyargboayGxJmmlrhcoBoik-7040\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"qAl-BtUwp2ZVl7wix_8-pucv-jTK1L9QGFVW02kPYlFi0frg-OL9XsSB1MsJIEFfnDIZ_psvvWYoZkVnzibgVlfAjOQXyIevOWLpSlUK3BpWFnAfO-0oyQWSsclyE8-xpzTifL75SvbSvDp3JXVBa4UdgV2qsNs7xu99wipQ7cro2lpne5EIHv6eKJMeG1eFQS2DJrI6ydNOLrzHFOA3pAhZRphId6dxYWaKzH_tcR34uQ2gg-IgmGakYLFhG_P2ZrMdPqouej_WFoc9Y9hlHx8NALfA6uYe4aDCbWCTL1V1sZJjzVR7WiTDh7fIogTu_2ukpCOnXX_SaLadoulxLw\",\"e\":\"AQAB\",\"x5c\":[\"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\"],\"x5t\":\"ihEvRimRNSdrnr_Fhnd4OElB3-E\",\"x5t#S256\":\"YNijWPCIhWA5xQTwyIfvlBN-UcMe46Um2ywE-ADiqjM\"}]}'
-  oidc:
-    host: keycloak.bigbang.dev
-    realm: baby-yoda
+  # LetsEncrypt certificate authority
+  certificateAuthority:
+    cert: |
+      -----BEGIN CERTIFICATE-----
+      MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+      TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+      cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+      WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+      ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+      MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+      h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+      0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+      A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+      T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+      B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+      B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+      KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+      OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+      jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+      qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+      rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+      HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+      hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+      ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+      3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+      NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+      ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+      TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+      jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+      oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+      4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+      mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+      emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+      -----END CERTIFICATE-----
+  saml:
+    # Retrieve from {{ .Values.sso.url }}/protocol/saml/descriptor
+    metadata: <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.bigbang.dev/auth/realms/baby-yoda"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4</ds:KeyName><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml/resolve" index="0"></md:ArtifactResolutionService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService></md:IDPSSODescriptor></md:EntityDescriptor>
 
 flux:
   timeout: 20m
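Review bot: The new `saml.metadata` value embeds the IdP signing certificate, but the hunk drops the "Must be updated for every new deployment of Keycloak" caveat that sat above the removed `jwks` block, so nothing now warns that this metadata goes stale when the realm's signing key rotates and assertion signature checks start failing. I would extend the comment above `metadata` to: `# Embeds the IdP signing cert: re-fetch from {{ .Values.sso.url }}/protocol/saml/descriptor whenever the Keycloak realm keys rotate`. The `entityID` in the metadata currently matches `sso.url` above, which the consuming charts presumably rely on, so the comment could also say to keep the two in sync. The metadata is written as an unquoted plain scalar; wrapping it in single quotes (it contains none) keeps a future `: ` or ` #` inside an attribute value from changing how YAML parses the line.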
@@ -825,7 +823,6 @@ addons:
       enabled: false
       client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_argocd
       client_secret: anything-for-dev
-      provider_name: "P1 SSO"
       groups: |
         g, Impact Level 2 Authorized, role:admin
     values:
@@ -1174,8 +1171,6 @@ addons:
     sso:
       enabled: false
       client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_saml-sonarqube
-      provider_name: "P1 SSO"
-      certificate: 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
       login: login
       name: name
       email: email
@@ -1294,7 +1289,7 @@ addons:
 
   nexusRepositoryManager:
     enabled: false
-    # Nexus requires manual configuration in Keycloak client and cannot be tested with login.dso.mil
+    # Nexus requires manual configuration in Keycloak client and cannot be tested with 
     # you must test with your own dev deployment.  Example: keycloak.bigbang.dev
     # See more info in Nexus Package docs /docs/keycloak.md
     # Nexus SSO is behind a paywall. You must have a valid license to enable SSO
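Review bot: The rewritten comment on the `enabled: false` line is left dangling as `cannot be tested with ` followed by trailing whitespace, so the sentence no longer says what Nexus cannot be tested against. Either name the shared provider again or reword it so it stands on its own, e.g. `# Nexus requires manual configuration of the Keycloak client and cannot be tested against the shared SSO provider;`, and drop the trailing space so yamllint's trailing-spaces rule does not flag it.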
@@ -1313,10 +1308,6 @@ addons:
         lastName: "lastName"
         email: "email"
         groups: "groups"
-        # -- IDP SAML Metadata XML as a single line string in single quotes
-        # -- this information is public and does not require a secret
-        # curl https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml/descriptor ; echo
-        idpMetadata: 'enter-single-quoted-single-line-string-here'
       role:
         # id is the name of the Keycloak group (case sensitive)
         - id: "Nexus"