SSO Refactor for Global IdP values

Package Merge Request

Package Changes

Summary

When upgrading, the following changes may affect SSO:

• Values related to the Identity Provider paths, certificates, and OIDC claims were deprecated and replaced with a set of global values. Deprecated values will still work, but you will see a deprecation notice in the Helm upgrade notes. See the values.yaml for details on new values.
• (ArgoCD, GitLab, Grafana, Sonarqube): Login button label (name) is global and defaults to SSO.
• (Authservice): When jwksUri and jwks are both defined, jwksUri takes precedence (previously, jwks took precedence).
• (Authservice, Logging): Defaults expanded for URL endpoints and claim names to support global values and non-keycloak identity providers.

Details

ArgoCD

• default OIDC name changed from blank to SSO. This changes the login button label.

Authservice

• Preferences jwksUri over jwks if both are defined. Previously jwks was preferred. This allows jwks to be dynamically updated if both are defined.
• issuer_uri, authorization_uri, token_uri, logout_redirect_uri will be populated globally and per chain when the new values are used. This eliminates the need to populate oidc.host and oidc.realm and provides support for non-keycloak identity providers.

GitLab

• default label changed from blank to SSO. This changes the login button label.
• client_options: identifier and secret no longer default to global sso values. Those values are reserved for authservice use and should not have been used as defaults.

Grafana

• default name changed from blank (which resulted in an "OAuth" label) to SSO. This changes the login button label.

Logging

• issuer, auth_url, token_url, userinfo_url, endsession_url and jwkset_url will be populated when new values are used. This eliminates the need to populate oidc.host and oidc.realm and provides support for non-keycloak identity providers.
• Default claim names for principal, groups, and mail are populated with typical values from Keycloak and can be overridden in global variables.

Sonarqube

• default providerName changed from blank to SSO.

Twistlock

• default provider_name changed from blank to SSO.

Package MR

No package changes

For Issue

Closes #1361 (closed)

marked this merge request as draft

added anchore argocd gitlab mattermost mattermostoperator nexus sonarqube statusdoing labels

changed milestone to %1.50.0

assigned to @michaelmcleroy

removed argocd label

added 64 commits

• 1834bc80...af1d2f5f - 26 commits from branch master
• 9cf599d3 - feat: initial sso refactor
• 09a2b93a - feat: sso values
• 38c07760 - docs: 2.0 changes to values
• e927dad6 - fix: sso helm typos
• e0ff2037 - fix: blank values in tpl
• ef1a7a93 - fix: logging oidc values
• 3e5422f0 - feat: legacy option for 1.0
• d9740db6 - fix: sonarqube value for loginUrl
• 6f2bb937 - feat(sso): package updates to support new values
• f5476081 - docs: migration udpates
• cdee9f27 - fix(twistlock): remove extra value
• 360ea107 - fix(helper): don't add headers to blank cert
• a7019670 - fix(authservice): remove problematic comment
• a4349aca - chore: make sure legacy value takes precedence
• 2e658b66 - fix(wrapper): only deploy if packages
• ce377afc - fix(twistlock): console_url not printed correctly
• 5abeed09 - fix(values2): group default
• 3888e7d4 - chore: make it the same as legacy
• bba9a352 - chore: keeping it consistent
• e961d7a5 - fix(monitoring): default for api_url
• bd89efce - chore: gitlab if
• 5ee88add - fix(gitlab): default label
• a811a982 - fix(sonarqube): saml login attribute
• b83187bb - cleanup
• abfac6e3 - sso.name change
• e9c6d289 - feat: convert to absolute paths for google support
• e0fd12bb - docs: updated to reflect sso changes
• 5101a276 - feat(sso): make new values default
• 3d7ac469 - feat: update test and dev values
• 4163d649 - feat: realm override support
• 20b0e285 - feat: split oidc/saml attributes
• 0dece68f - docs: updated notes for logging
• 7510a75e - misc stuff
• 48063246 - feat(grafana): pass down sso name
• 12a0939a - docs: update base-config.md
• 00392ab9 - fix(logging): pull values from $
• 35dbef52 - fix(logging): remove comment in helm
• 00f5cfaa - docs: updated dev saml metadata

Compare with previous version

added 1 commit

• 333d3f83 - feat: remove global saml attributes

Compare with previous version

added 1 commit

• 5fd7869f - revert: changes to saml attributes in nexus/sonarqube

Compare with previous version

added 1 commit

• 1e5d405a - more reverting

Compare with previous version

added 1 commit

• 0ee395ce - fix(sso): adjust defaults in helpers

Compare with previous version

added 1 commit

• b9fd334c - fix(notes): remove sonarqube deprecation condition

Compare with previous version

added 1 commit

• 332c0d81 - fix(sso): retain host for elasticsearch prior to pod roll

Compare with previous version

added statusreview label and removed statusdoing label

marked this merge request as ready

changed the description

added 52 commits

• 332c0d81...35c2d230 - 8 commits from branch master
• 1672f156 - feat: initial sso refactor
• c9a87f1c - feat: sso values
• e226100f - docs: 2.0 changes to values
• 02b112ca - fix: sso helm typos
• bd8ec927 - fix: blank values in tpl
• 57f86859 - fix: logging oidc values
• af8e5309 - feat: legacy option for 1.0
• e35b3332 - fix: sonarqube value for loginUrl
• 0cb40b59 - feat(sso): package updates to support new values
• e8187a40 - docs: migration udpates
• b44d47df - fix(twistlock): remove extra value
• b754e9aa - fix(helper): don't add headers to blank cert
• 458ee787 - fix(authservice): remove problematic comment
• 55bb5b8d - chore: make sure legacy value takes precedence
• 6986efc2 - fix(wrapper): only deploy if packages
• 21326f41 - fix(twistlock): console_url not printed correctly
• af2b9133 - fix(values2): group default
• 2e2fc792 - chore: make it the same as legacy
• 019682e1 - chore: keeping it consistent
• 14c96b68 - fix(monitoring): default for api_url
• 6ce4cf47 - chore: gitlab if
• 5e275557 - fix(gitlab): default label
• 19089170 - fix(sonarqube): saml login attribute
• a521d927 - cleanup
• 4cc79469 - sso.name change
• 76d04efb - feat: convert to absolute paths for google support
• 6c4f9cab - docs: updated to reflect sso changes
• 1a9eb799 - feat(sso): make new values default
• c8fa6770 - feat: update test and dev values
• 0e9604f4 - feat: realm override support
• a85a2ad3 - feat: split oidc/saml attributes
• 56fc8eec - docs: updated notes for logging
• 3c4b77d6 - misc stuff
• b7807416 - feat(grafana): pass down sso name
• 9ddb082f - docs: update base-config.md
• da13328b - fix(logging): pull values from $
• b122dcb8 - fix(logging): remove comment in helm
• 756e5b04 - docs: updated dev saml metadata
• 05d6c8c7 - feat: remove global saml attributes
• 9ff6f1b4 - revert: changes to saml attributes in nexus/sonarqube
• 7d453f23 - more reverting
• ee8a2f4e - fix(sso): adjust defaults in helpers
• f8454f9d - fix(notes): remove sonarqube deprecation condition
• 57725d5a - fix(sso): retain host for elasticsearch prior to pod roll

Compare with previous version

changed milestone to %1.52.0

requested review from @micah.nagel

requested review from @ryan.j.garcia

requested review from @rob.ferguson