SSO Refactor for Global IdP values

Package Merge Request

Package Changes

Summary

When upgrading, the following changes may affect SSO:

• Values related to the Identity Provider paths, certificates, and OIDC claims were deprecated and replaced with a set of global values. Deprecated values will still work, but you will see a deprecation notice in the Helm upgrade notes. See the values.yaml for details on new values.
• (ArgoCD, GitLab, Grafana, Sonarqube): Login button label (name) is global and defaults to SSO.
• (Authservice): When jwksUri and jwks are both defined, jwksUri takes precedence (previously, jwks took precedence).
• (Authservice, Logging): Defaults expanded for URL endpoints and claim names to support global values and non-keycloak identity providers.

Details

ArgoCD

• default OIDC name changed from blank to SSO. This changes the login button label.

Authservice

• Preferences jwksUri over jwks if both are defined. Previously jwks was preferred. This allows jwks to be dynamically updated if both are defined.
• issuer_uri, authorization_uri, token_uri, logout_redirect_uri will be populated globally and per chain when the new values are used. This eliminates the need to populate oidc.host and oidc.realm and provides support for non-keycloak identity providers.

GitLab

• default label changed from blank to SSO. This changes the login button label.
• client_options: identifier and secret no longer default to global sso values. Those values are reserved for authservice use and should not have been used as defaults.

Grafana

• default name changed from blank (which resulted in an "OAuth" label) to SSO. This changes the login button label.

Logging

• issuer, auth_url, token_url, userinfo_url, endsession_url and jwkset_url will be populated when new values are used. This eliminates the need to populate oidc.host and oidc.realm and provides support for non-keycloak identity providers.
• Default claim names for principal, groups, and mail are populated with typical values from Keycloak and can be overridden in global variables.

Sonarqube

• default providerName changed from blank to SSO.

Twistlock

• default provider_name changed from blank to SSO.

Package MR

No package changes

For Issue

Closes #1361 (closed)

chart/templates/twistlock/values.yaml

@@ -4,7 +4,8 @@
 
 {{- define "bigbang.defaults.twistlock" -}}
 # hostname is deprecated and replaced with domain. But if hostname exists then use it.
-domain: {{ default .Values.domain .Values.hostname }}
+{{- $domainName := default .Values.domain .Values.hostname }}
+domain: {{ $domainName }}
 
 openshift: {{ .Values.openshift }}
 
@@ -52,12 +53,12 @@ console:
 sso:
   enabled: {{ .Values.twistlock.sso.enabled }}
   client_id: {{ .Values.twistlock.sso.client_id }}
-  provider_name: {{ .Values.twistlock.sso.provider_name }}
+  provider_name: {{ default .Values.sso.name .Values.twistlock.sso.provider_name }}
   provider_type: {{ .Values.twistlock.sso.provider_type }}
-  issuer_uri: {{ tpl .Values.twistlock.sso.issuer_uri . }}
-  idp_url: {{ tpl .Values.twistlock.sso.idp_url . }}
-  console_url: {{ tpl .Values.twistlock.sso.console_url . }}
+  issuer_uri: {{ default (include "sso.url" .) (tpl (default "" .Values.twistlock.sso.issuer_uri) .) }}
+  idp_url: {{ default (include "sso.saml.service" .) (tpl (default "" .Values.twistlock.sso.idp_url) .) }}
+  {{- $console := first (dig "istio" "console" "hosts" (list (printf "twistlock.%s" $domainName)) .Values.twistlock.values) }}
+  console_url: {{ tpl (default (printf "https://%s" $console) .Values.twistlock.sso.console_url) . }}
   groups: {{ .Values.twistlock.sso.groups }}
-  cert: {{ .Values.twistlock.sso.cert | quote }}
-
+  cert: {{ default (include "sso.saml.cert.withheaders" .) .Values.twistlock.sso.cert | quote }}
 {{- end -}}