Skip to content

Commit

Permalink
feat: integrate with keycloak (#63)
Browse files Browse the repository at this point in the history
## Description

This adds sso support by integrating with keycloak using SAML protocol.
Also refactored the IDAM related zarf variables to helm values.

## Related Issue

Fixes #49 
Depends on defenseunicorns/uds-core#328

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide
Steps](https://github.com/defenseunicorns/uds-package-sonarqube/blob/main/CONTRIBUTING.md#developer-workflow)
followed
  • Loading branch information
ericwyles authored Apr 30, 2024
1 parent 66474ac commit 2583684
Show file tree
Hide file tree
Showing 6 changed files with 61 additions and 32 deletions.
16 changes: 16 additions & 0 deletions chart/templates/sonarqube-sso-secret.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# This secret will be used if sso is disabled, instead of the templated one in uds-package.yaml.
# Sonarqube needs to mount the secret and creating it this way avoids creating an unnecessary
# client in the keycloak realm and unnecessary secret data in the cluster.
{{- if not .Values.sso.enabled }}

apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.sso.secretName }}
namespace: {{ .Release.Namespace }}
type: "Opaque"
stringData:
secret.properties: |
sonar.auth.saml.enabled: {{ .Values.sso.enabled }}
{{- end }}
30 changes: 30 additions & 0 deletions chart/templates/uds-package.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,36 @@ metadata:
name: sonarqube
namespace: {{ .Release.Namespace }}
spec:
{{- if .Values.sso.enabled }}
sso:
- name: SonarQube Login
clientId: uds-swf-sonarqube
redirectUris:
- "https://sonarqube.{{ .Values.domain }}/oauth2/callback/saml"
protocol: saml
defaultClientScopes:
- "mapper-saml-email-email"
- "mapper-saml-username-login"
- "mapper-saml-username-name"

attributes:
saml.client.signature: "false"

secretName: {{ .Values.sso.secretName }}
# This secret template configures the sonarqube saml support documented here: https://docs.sonarsource.com/sonarqube/latest/instance-administration/authentication/saml/overview/
secretTemplate:
secret.properties: |
sonar.auth.saml.enabled: {{ .Values.sso.enabled }}
sonar.core.serverBaseURL: https://sonarqube.{{ .Values.domain }}
sonar.auth.saml.applicationId: clientField(clientId)
sonar.auth.saml.providerName: {{ .Values.sso.saml.providerName }}
sonar.auth.saml.providerId: https://sso.{{ .Values.domain }}/realms/uds
sonar.auth.saml.loginUrl: https://sso.{{ .Values.domain }}/realms/uds/protocol/saml
sonar.auth.saml.user.login: login
sonar.auth.saml.user.name: name
sonar.auth.saml.user.email: email
sonar.auth.saml.certificate.secured: clientField(samlIdpCertificate)
{{- end }}
network:
expose:
- service: sonarqube-sonarqube
Expand Down
6 changes: 6 additions & 0 deletions chart/values.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
domain: "###ZARF_VAR_DOMAIN###"
sso:
enabled: true
secretName: sonarqube-sso
saml:
providerName: Keycloak # This is displayed on the SonarQube landing screen ("Log in with <providerName>")
6 changes: 6 additions & 0 deletions tasks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,12 @@ tasks:
- task: dependencies:create
- task: create:test-bundle

- name: dev
description: Create and deploy the bundle against an existing cluster
actions:
- task: create-sq-test-bundle
- task: deploy:test-bundle

# CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names

- name: test-package
Expand Down
17 changes: 3 additions & 14 deletions values/common-values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,18 +3,9 @@ OpenShift:

edition: "community"

sonarProperties:
sonar.auth.saml.enabled: ###ZARF_VAR_SONARQUBE_IDAM_ENABLED###
sonar.core.serverBaseURL: https://sonarqube.###ZARF_VAR_DOMAIN###
sonar.auth.saml.applicationId: ###ZARF_VAR_SONARQUBE_IDAM_CLIENT_ID###
sonar.auth.saml.providerName: ###ZARF_VAR_SONARQUBE_IDAM_PROVIDER_NAME###
sonar.auth.saml.providerId: ###ZARF_VAR_SONARQUBE_IDAM_REALM_URL###
sonar.auth.saml.loginUrl: ###ZARF_VAR_SONARQUBE_IDAM_REALM_URL###/protocol/saml
sonar.auth.saml.certificate.secured: ###ZARF_VAR_SONARQUBE_IDAM_SAML_CERT###
sonar.auth.saml.user.login: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_LOGIN###
sonar.auth.saml.user.name: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_NAME###
sonar.auth.saml.user.email: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_EMAIL###
sonar.auth.saml.group.name: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_GROUP###
# Name of the secret from which to load additional properties: https://community.sonarsource.com/t/additional-sonar-properties-to-load-from-a-secret/73748
# This secret will be created by the uds operator based on the sso spec defined in chart/templates/uds-package.yaml
sonarSecretProperties: sonarqube-sso

monitoring:
enabled: true
Expand Down Expand Up @@ -42,5 +33,3 @@ postgresql:
postgresqlDatabase: ###ZARF_VAR_SONARQUBE_DB_NAME###
service:
port: 5432

domain: ###ZARF_VAR_DOMAIN###
18 changes: 0 additions & 18 deletions zarf.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,24 +14,6 @@ variables:
default: "false"
- name: DOMAIN
default: "uds.dev"
- name: SONARQUBE_IDAM_ENABLED
default: "false"
- name: SONARQUBE_IDAM_CLIENT_ID
default: ""
- name: SONARQUBE_IDAM_PROVIDER_NAME
default: ""
- name: SONARQUBE_IDAM_REALM_URL
default: ""
- name: SONARQUBE_IDAM_SAML_CERT
default: ""
- name: SONARQUBE_IDAM_ATTR_LOGIN
default: ""
- name: SONARQUBE_IDAM_ATTR_NAME
default: ""
- name: SONARQUBE_IDAM_ATTR_EMAIL
default: ""
- name: SONARQUBE_IDAM_ATTR_GROUP
default: ""
- name: SONARQUBE_DB_NAME
default: "sonarqubedb"
- name: SONARQUBE_DB_USERNAME
Expand Down

0 comments on commit 2583684

Please sign in to comment.