Party Bus DSOP SSO Configuration Issue
Summary
(Summarize the bug encountered or feature requested concisely)
- (Biggest blocker) Our host record for Anchore in preprod and IL2 is anchore-preprod.admin.dso.mil and anchore-il2.admin.dso.mil. It seems the Helm chart is hardcoding/pulling in specific values for the 'acsUrl' SSO variable. We need this to support our host naming convention.
- The 'spEntityId' is pulled from the Big Bang level. While not a big deal, can this be supported at the Helm chart 'values' level as well? If we don't supply the 'spEntityId' at the Big Bang level but provide it at the Helm chart level, the spEntityId field is blank. However, it shows up correctly in the anchore-values in the bigbang namespace.
Chart Snippet:

```yaml
{{- if .Values.addons.anchore.enterprise.enabled }}
sso:
  enabled: {{ .Values.addons.anchore.sso.enabled }}
  spEntityId: {{ .Values.addons.anchore.sso.client_id }}
  acsUrl: "https://anchore.{{ .Values.hostname }}/service/sso/auth/keycloak"
  idpMetadataUrl: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/saml/descriptor"
  roleAttribute: {{ .Values.addons.anchore.sso.role_attribute }}
{{- end }}
```
Anchore values from the bigbang namespace (secrets): You can see that the right acs_url is applied correctly. The sp_entity_id was intentionally removed.

```yaml
sso:
  name: "keycloak"
  enabled: true
  acs_https_port: -1
  sp_entity_id: "omitted here"
  acs_url: "https://anchore-preprod.admin.dso.mil/service/sso/auth/keycloak"
  default_account: "user"
  default_role: "read-write"
  require_signed_assertions: false
  require_signed_response: true
  idp_metadata_url: "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor"
```
Anchore SSO values: The sp_entity_id field is left blank in the anchore-sso secret if it is not provided at the Big Bang level but is provided at the Helm chart level. The acs_url is incorrect and should be anchore-preprod instead of anchore.preprod.

```json
{
  "name": "keycloak",
  "enabled": true,
  "acs_https_port": -1,
  "sp_entity_id": "",
  "acs_url": "https://anchore.preprod.dso.mil/service/sso/auth/keycloak",
  "default_account": "user",
  "default_role": "read-write",
  "require_signed_assertions": false,
  "require_signed_response": true,
  "idp_metadata_url": "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor"
}
```
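To make both observations reproducible outside a cluster, the following is an added Go example (it is not code from the Big Bang chart, from Anchore, or from this issue). It renders the acsUrl and spEntityId lines of the chart snippet above with Go's text/template, using minimal stand-ins for Helm's Sprig `default` and `quote` functions and Helm's rewrite of `<no value>` to an empty string. The "current" template shows the host being derived from `.Values.hostname` and spEntityId coming out blank when `client_id` is absent; the "proposed" template is an assumed fix, not the project's, that adds optional `addons.anchore.sso.acsUrl` and `addons.anchore.sso.spEntityId` keys which fall back to today's behaviour when unset. The values tree, the override URL and the `anchore-preprod` entity ID are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// Values stands in for the Big Bang values tree the chart snippet reads
// (.Values.hostname, .Values.addons.anchore.sso.*). Lower-case keys are kept
// so the template text matches the chart as quoted in the issue.
type Values map[string]interface{}

// currentTmpl is the acsUrl / spEntityId part of the chart snippet from the
// issue: the host is always "anchore." + .Values.hostname, and spEntityId is
// read only from the Big Bang-level client_id.
const currentTmpl = `acsUrl: "https://anchore.{{ .Values.hostname }}/service/sso/auth/keycloak"
spEntityId: {{ .Values.addons.anchore.sso.client_id }}
`

// proposedTmpl is an assumed fix (not the project's): an explicit
// addons.anchore.sso.acsUrl / spEntityId wins, otherwise the old derivation
// applies, so existing deployments render unchanged.
const proposedTmpl = `acsUrl: {{ .Values.addons.anchore.sso.acsUrl | default (printf "https://anchore.%s/service/sso/auth/keycloak" .Values.hostname) | quote }}
spEntityId: {{ .Values.addons.anchore.sso.spEntityId | default .Values.addons.anchore.sso.client_id | quote }}
`

// dflt and quote are minimal stand-ins for the Sprig functions Helm exposes as
// "default" and "quote"; nil and "" are the only "empty" cases needed here.
func dflt(d interface{}, given ...interface{}) interface{} {
	if len(given) == 0 || given[0] == nil || given[0] == "" {
		return d
	}
	return given[0]
}

func quote(v interface{}) string { return strconv.Quote(fmt.Sprint(v)) }

// Render executes a chart fragment the way Helm's engine does (missingkey=zero
// plus the "<no value>" -> "" rewrite) and returns the rendered key: value pairs
// with surrounding quotes stripped.
func Render(tmplText string, values Values) (map[string]string, error) {
	t, err := template.New("sso").Option("missingkey=zero").
		Funcs(template.FuncMap{"default": dflt, "quote": quote}).Parse(tmplText)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]interface{}{"Values": values}); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, line := range strings.Split(strings.ReplaceAll(buf.String(), "<no value>", ""), "\n") {
		if k, v, ok := strings.Cut(line, ":"); ok {
			out[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"`)
		}
	}
	return out, nil
}

// SampleValues builds a constructed values tree (not taken from a real
// cluster): hostname as Big Bang would set it, optionally the Big Bang-level
// client_id, and optionally the anchore-level overrides the issue asks for.
func SampleValues(clientID string, overrides bool) Values {
	sso := map[string]interface{}{"enabled": true, "role_attribute": "roles"}
	if clientID != "" {
		sso["client_id"] = clientID
	}
	if overrides {
		sso["acsUrl"] = "https://anchore-preprod.admin.dso.mil/service/sso/auth/keycloak"
		sso["spEntityId"] = "anchore-preprod" // assumed entity ID for the example
	}
	return Values{
		"hostname": "preprod.dso.mil",
		"addons":   map[string]interface{}{"anchore": map[string]interface{}{"sso": sso}},
	}
}

func main() {
	cases := []struct {
		name, tmpl string
		v          Values
	}{
		{"current, client_id set", currentTmpl, SampleValues("anchore", false)},
		{"current, client_id unset", currentTmpl, SampleValues("", false)},
		{"proposed, overrides", proposedTmpl, SampleValues("", true)},
		{"proposed, no overrides", proposedTmpl, SampleValues("anchore", false)},
	}
	for _, c := range cases {
		got, err := Render(c.tmpl, c.v)
		fmt.Printf("%-26s acsUrl=%s spEntityId=%q err=%v\n", c.name, got["acsUrl"], got["spEntityId"], err)
	}
}
```

Running it prints the derived `anchore.preprod.dso.mil` URL for the current template, an empty spEntityId when only the chart-level value would have been set, and the overridden `anchore-preprod.admin.dso.mil` URL plus entity ID for the proposed template; with no overrides the proposed template renders exactly what the current one does.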
Steps to reproduce
- Set up the SSO configuration at the chart level and deploy. You'll see the correct values in the bigbang namespace, but the anchore-sso secret will have the spEntityId field blank.
- Host record: review the Helm chart; you can see that the acsUrl is semi-hardcoded.
What is the current behavior?
Can't get SSO configured 100% due to the acsUrl hardcoding.
What is the expected behavior?
I should be able to set the acsUrl to a host record specific to my environment.
Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's very hard to read otherwise.)
Possible fixes
(If you can, link to the line of code that might be responsible for the problem)
/cc {put CODEOWNERs @githandles here}