UNCLASSIFIED - NO CUI

feat(sso): add support for multiple OIDC identity providers

General MR

Summary

Add an sso.additional_oidc map to configure additional OIDC identity providers beyond the primary SSO provider.

Why: Organizations often need to authenticate users from multiple identity providers (e.g., Platform One Keycloak + DAF ICAM Okta). Without native chart support, users would have to configure each additional OIDC realm by hand through deeply nested dot-notation keys, repeated for every node type, which is error-prone and hard to maintain.

Changes

  • chart/templates/_helpers.tpl - Extended the oidc template to iterate over the additional_oidc map and create one Elasticsearch OIDC realm per entry (realm order starts at 3). The default requested_scopes list includes groups.
  • chart/templates/_kibana-config.tpl - Added logic to create one Kibana OIDC provider per additional realm (oidc2, oidc3, etc.), using the realm's login_label as the button text. The basic auth provider is ordered last.
  • chart/templates/bigbang/sso-secret.yaml - Added a loop to create a client_secret entry for each additional OIDC realm.
  • chart/values.yaml - Added sso.login_label and sso.additional_oidc with documentation
  • chart/tests/sso_test.yaml - Added 7 helm-unittest tests for SSO functionality
  • CHANGELOG.md - Added [1.34.0-bb.4] section documenting the feature

Example

sso:
  enabled: true
  login_label: "Platform One SSO"  # Button text on login screen
  # ... existing SSO config ...

  additional_oidc:
    OktaRealm:                     # Key = realm name
      client_id: "okta-client-id"
      client_secret: "okta-secret" # Can be in SOPS, merges with plain values
      issuer: "https://example.okta.mil/oauth2/default"
      auth_url: "https://example.okta.mil/oauth2/default/v1/authorize"
      token_url: "https://example.okta.mil/oauth2/default/v1/token"
      userinfo_url: "https://example.okta.mil/oauth2/default/v1/userinfo"
      jwkset_url: "https://example.okta.mil/oauth2/default/v1/keys"
      endsession_url: "https://example.okta.mil/oauth2/default/v1/logout"
      claims_principal: "preferred_username"
      claims_group: "groups"
      login_label: "Okta Login"
      # requested_scopes defaults to ["openid", "profile", "email", "groups"]
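
The following is an added illustration, written for this page in Python; it is not the chart's Helm template nor any code from this MR. It models how the values above are expected to expand into Elasticsearch OIDC realm settings, the matching secure settings, and Kibana authc providers, using the ordering rules stated under Changes (additional realms from order 3, providers oidc2 onward, basic auth last). The setting names are the upstream Elasticsearch and Kibana keys. The primary realm name (oidc1), the redirect URI shape, the response_type, and the second constructed realm (AcmeRealm) are assumptions made for the example, not values taken from the chart.

```python
# Added illustration for this MR page: a Python model of how sso.additional_oidc
# is expected to expand into Elasticsearch realm settings and Kibana providers.
# NOT the chart's Helm template. Setting names are the upstream Elasticsearch and
# Kibana keys; ordering rules come from the MR text; primary realm name, redirect
# URI shape, response_type and the AcmeRealm sample are assumptions for the example.

FIRST_ADDITIONAL_REALM_ORDER = 3                                      # per the MR
DEFAULT_REQUESTED_SCOPES = ["openid", "profile", "email", "groups"]   # per the MR

# values.yaml field -> Elasticsearch OIDC realm setting suffix (upstream names).
ES_KEY_MAP = {
    "client_id": "rp.client_id",
    "issuer": "op.issuer",
    "auth_url": "op.authorization_endpoint",
    "token_url": "op.token_endpoint",
    "userinfo_url": "op.userinfo_endpoint",
    "jwkset_url": "op.jwkset_path",
    "endsession_url": "op.endsession_endpoint",
    "claims_principal": "claims.principal",
    "claims_group": "claims.groups",
}

# Constructed sample values: the MR's Okta example plus a second realm whose key
# sorts before "OktaRealm", to show how numbering is actually assigned.
SAMPLE_VALUES = {
    "sso": {
        "enabled": True,
        "login_label": "Platform One SSO",
        "additional_oidc": {
            "OktaRealm": {
                "client_id": "okta-client-id",
                "client_secret": "okta-secret",
                "issuer": "https://example.okta.mil/oauth2/default",
                "auth_url": "https://example.okta.mil/oauth2/default/v1/authorize",
                "token_url": "https://example.okta.mil/oauth2/default/v1/token",
                "userinfo_url": "https://example.okta.mil/oauth2/default/v1/userinfo",
                "jwkset_url": "https://example.okta.mil/oauth2/default/v1/keys",
                "endsession_url": "https://example.okta.mil/oauth2/default/v1/logout",
                "claims_principal": "preferred_username",
                "claims_group": "groups",
                "login_label": "Okta Login",
            },
            "AcmeRealm": {  # constructed second provider (assumption)
                "client_id": "acme-client-id",
                "client_secret": "acme-secret",
                "issuer": "https://idp.acme.example/realms/acme",
                "auth_url": "https://idp.acme.example/realms/acme/protocol/openid-connect/auth",
                "token_url": "https://idp.acme.example/realms/acme/protocol/openid-connect/token",
                "jwkset_url": "https://idp.acme.example/realms/acme/protocol/openid-connect/certs",
                "claims_principal": "preferred_username",
                "login_label": "Acme Login",
                "requested_scopes": ["openid", "email"],
            },
        },
    }
}


def additional_realms(values):
    """Helm's `range` over a map visits keys in sorted order, so realm numbering is
    assigned by sorted realm name, not by the order written in values.yaml."""
    extra = values["sso"].get("additional_oidc") or {}
    return [(name, extra[name]) for name in sorted(extra)]


def elasticsearch_realm_settings(values, kibana_url="https://kibana.example.mil"):
    """Non-secure realm settings (dotted keys) for each additional realm."""
    settings = {}
    for i, (name, cfg) in enumerate(additional_realms(values)):
        prefix = f"xpack.security.authc.realms.oidc.{name}"
        settings[f"{prefix}.order"] = FIRST_ADDITIONAL_REALM_ORDER + i
        settings[f"{prefix}.rp.response_type"] = "code"                          # assumption
        settings[f"{prefix}.rp.redirect_uri"] = f"{kibana_url}/api/security/oidc/callback"  # assumption
        settings[f"{prefix}.rp.requested_scopes"] = list(cfg.get("requested_scopes", DEFAULT_REQUESTED_SCOPES))
        for vkey, skey in ES_KEY_MAP.items():
            if vkey in cfg:
                settings[f"{prefix}.{skey}"] = cfg[vkey]
    return settings


def elasticsearch_secure_settings(values):
    """client_secret belongs in the keystore (secure settings), never in
    elasticsearch.yml; changing these is what forces the rolling restart."""
    return {f"xpack.security.authc.realms.oidc.{name}.rp.client_secret": cfg["client_secret"]
            for name, cfg in additional_realms(values)}


def kibana_providers(values, primary_realm="oidc1"):
    """oidc1 = primary SSO realm (name assumed); additional realms become
    oidc2, oidc3, ...; the basic provider is ordered last."""
    providers = {"oidc.oidc1": {"order": 0, "realm": primary_realm,
                                "description": values["sso"].get("login_label", "SSO")}}
    for i, (name, cfg) in enumerate(additional_realms(values), start=2):
        providers[f"oidc.oidc{i}"] = {"order": i - 1, "realm": name,
                                     "description": cfg.get("login_label", name)}
    providers["basic.basic1"] = {"order": len(providers)}
    return providers


def check_invariants(values):
    """Properties a reviewer would want asserted (written fresh here, not the MR's
    tests): unique realm orders, a secret per realm, a provider per realm, basic last."""
    es, secure, kib = (elasticsearch_realm_settings(values),
                       elasticsearch_secure_settings(values), kibana_providers(values))
    orders = [v for k, v in es.items() if k.endswith(".order")]
    assert len(orders) == len(set(orders)), "realm orders must be unique"
    assert min(orders, default=FIRST_ADDITIONAL_REALM_ORDER) >= FIRST_ADDITIONAL_REALM_ORDER
    assert not any(k.endswith("rp.client_secret") for k in es), "secret leaked into plain settings"
    for name, _ in additional_realms(values):
        assert f"xpack.security.authc.realms.oidc.{name}.rp.client_secret" in secure
        assert any(p["realm"] == name for k, p in kib.items() if k.startswith("oidc."))
    basic_order = kib["basic.basic1"]["order"]
    assert all(p["order"] < basic_order for k, p in kib.items() if k != "basic.basic1")
    return True
```

Two points the model makes visible: Go templates (and therefore Helm's range) visit map keys in sorted order, so with two additional realms the one whose key sorts first gets order 3 and Kibana's oidc2 slot regardless of how the values file is written; and the client_secret must only ever land in the secure settings, which is why the upgrade notice below warns of a rolling restart.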

Testing

  • helm unittest chart - All 16 tests pass (including 7 new SSO tests)
  • Deploy to staging with additional OIDC provider configured
  • Verify Kibana login screen shows all providers in correct order
  • Verify Elasticsearch realm is properly configured

Checklist

  • Chart version bumped (1.34.0-bb.4)
  • CHANGELOG.md updated
  • Unit tests added
  • Backwards compatible with existing SSO configurations
  • No changes to default values behavior

Relevant logs/screenshots

helm unittest chart

### Chart [ elasticsearch-kibana ] .

 PASS  test bigbang/istio/authorizationPolicies/template.yaml	tests/authorizationPolicies_template_test.yaml
 PASS  test elasticsearch.yaml	tests/elasticsearch_test.yaml
 PASS  test kibana.yaml	tests/kibana_test.yaml
 PASS  test SSO and additional OIDC providers	tests/sso_test.yaml

Charts:      1 passed, 1 total
Test Suites: 4 passed, 4 total
Tests:       16 passed, 16 total
Snapshot:    2 passed, 2 total

Linked Issue

issue

Upgrade Notices

Configuring sso.additional_oidc adds the new realms' client secrets to the Elasticsearch secure settings (the keystore), which triggers a rolling restart of all Elasticsearch pods.

Edited by Carl Lawson