SSO Refactor for Global IdP values

Package Merge Request

Package Changes

Summary

When upgrading, the following changes may affect SSO:

• Values related to the Identity Provider paths, certificates, and OIDC claims were deprecated and replaced with a set of global values. Deprecated values will still work, but you will see a deprecation notice in the Helm upgrade notes. See the values.yaml for details on new values.
• (ArgoCD, GitLab, Grafana, Sonarqube): Login button label (name) is global and defaults to SSO.
• (Authservice): When jwksUri and jwks are both defined, jwksUri takes precedence (previously, jwks took precedence).
• (Authservice, Logging): Defaults expanded for URL endpoints and claim names to support global values and non-keycloak identity providers.

Details

ArgoCD

• default OIDC name changed from blank to SSO. This changes the login button label.

Authservice

• Preferences jwksUri over jwks if both are defined. Previously jwks was preferred. This allows jwks to be dynamically updated if both are defined.
• issuer_uri, authorization_uri, token_uri, logout_redirect_uri will be populated globally and per chain when the new values are used. This eliminates the need to populate oidc.host and oidc.realm and provides support for non-keycloak identity providers.

GitLab

• default label changed from blank to SSO. This changes the login button label.
• client_options: identifier and secret no longer default to global sso values. Those values are reserved for authservice use and should not have been used as defaults.

Grafana

• default name changed from blank (which resulted in an "OAuth" label) to SSO. This changes the login button label.

Logging

• issuer, auth_url, token_url, userinfo_url, endsession_url and jwkset_url will be populated when new values are used. This eliminates the need to populate oidc.host and oidc.realm and provides support for non-keycloak identity providers.
• Default claim names for principal, groups, and mail are populated with typical values from Keycloak and can be overridden in global variables.

Sonarqube

• default providerName changed from blank to SSO.

Twistlock

• default provider_name changed from blank to SSO.

Package MR

No package changes

For Issue

Closes #1361 (closed)

chart/templates/twistlock/values.yaml

@@ -58,7 +58,7 @@ sso:
   issuer_uri: {{ default (include "sso.url" .) (tpl (default "" .Values.twistlock.sso.issuer_uri) .) }}
   idp_url: {{ default (include "sso.saml.service" .) (tpl (default "" .Values.twistlock.sso.idp_url) .) }}
   {{- $console := first (dig "istio" "console" "hosts" (list (printf "twistlock.%s" $domainName)) .Values.twistlock.values) }}
-  console_url: {{ tpl (default "" .Values.twistlock.sso.console_url) . }}
+  console_url: {{ tpl (default (printf "https://%s" $console) .Values.twistlock.sso.console_url) . }}
   groups: {{ default (dig "attributes" "group" "" .Values.sso) .Values.twistlock.sso.groups }}
   cert: {{ default (include "sso.saml.cert.withheaders" .) .Values.twistlock.sso.cert | quote }}
 {{- end -}}