Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: integrate with keycloak #63

Merged
merged 23 commits into from
Apr 30, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions chart/templates/sonarqube-sso-secret.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# This secret will be used if sso is disabled, instead of the templated one in uds-package.yaml.
# Sonarqube needs to mount the secret and creating it this way avoids creating an unnecessary
# client in the keycloak realm and unnecessary secret data in the cluster.
{{- if not .Values.sso.enabled }}

apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.sso.secretName }}
namespace: {{ .Release.Namespace }}
type: "Opaque"
stringData:
secret.properties: |
sonar.auth.saml.enabled: {{ .Values.sso.enabled }}

{{- end }}
30 changes: 30 additions & 0 deletions chart/templates/uds-package.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,36 @@ metadata:
name: sonarqube
namespace: {{ .Release.Namespace }}
spec:
{{- if .Values.sso.enabled }}
sso:
- name: SonarQube Login
clientId: uds-swf-sonarqube
redirectUris:
- "https://sonarqube.{{ .Values.domain }}/oauth2/callback/saml"
protocol: saml
defaultClientScopes:
- "mapper-saml-email-email"
- "mapper-saml-username-login"
- "mapper-saml-username-name"

attributes:
saml.client.signature: "false"

secretName: {{ .Values.sso.secretName }}
# This secret template configures the sonarqube saml support documented here: https://docs.sonarsource.com/sonarqube/latest/instance-administration/authentication/saml/overview/
secretTemplate:
secret.properties: |
sonar.auth.saml.enabled: {{ .Values.sso.enabled }}
Racer159 marked this conversation as resolved.
Show resolved Hide resolved
sonar.core.serverBaseURL: https://sonarqube.{{ .Values.domain }}
sonar.auth.saml.applicationId: clientField(clientId)
sonar.auth.saml.providerName: {{ .Values.sso.saml.providerName }}
sonar.auth.saml.providerId: https://sso.{{ .Values.domain }}/realms/uds
sonar.auth.saml.loginUrl: https://sso.{{ .Values.domain }}/realms/uds/protocol/saml
sonar.auth.saml.user.login: login
sonar.auth.saml.user.name: name
sonar.auth.saml.user.email: email
sonar.auth.saml.certificate.secured: clientField(samlIdpCertificate)
{{- end }}
network:
expose:
- service: sonarqube-sonarqube
Expand Down
6 changes: 6 additions & 0 deletions chart/values.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
domain: "###ZARF_VAR_DOMAIN###"
sso:
enabled: true
secretName: sonarqube-sso
saml:
providerName: Keycloak # This is displayed on the SonarQube landing screen ("Log in with <providerName>")
6 changes: 6 additions & 0 deletions tasks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,12 @@ tasks:
- task: dependencies:create
- task: create:test-bundle

- name: dev
description: Create and deploy the bundle against an existing cluster
actions:
- task: create-sq-test-bundle
- task: deploy:test-bundle

# CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names

- name: test-package
Expand Down
17 changes: 3 additions & 14 deletions values/common-values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,18 +3,9 @@ OpenShift:

edition: "community"

sonarProperties:
sonar.auth.saml.enabled: ###ZARF_VAR_SONARQUBE_IDAM_ENABLED###
sonar.core.serverBaseURL: https://sonarqube.###ZARF_VAR_DOMAIN###
sonar.auth.saml.applicationId: ###ZARF_VAR_SONARQUBE_IDAM_CLIENT_ID###
sonar.auth.saml.providerName: ###ZARF_VAR_SONARQUBE_IDAM_PROVIDER_NAME###
sonar.auth.saml.providerId: ###ZARF_VAR_SONARQUBE_IDAM_REALM_URL###
sonar.auth.saml.loginUrl: ###ZARF_VAR_SONARQUBE_IDAM_REALM_URL###/protocol/saml
sonar.auth.saml.certificate.secured: ###ZARF_VAR_SONARQUBE_IDAM_SAML_CERT###
sonar.auth.saml.user.login: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_LOGIN###
sonar.auth.saml.user.name: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_NAME###
sonar.auth.saml.user.email: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_EMAIL###
sonar.auth.saml.group.name: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_GROUP###
# Name of the secret from which to load additional properties: https://community.sonarsource.com/t/additional-sonar-properties-to-load-from-a-secret/73748
# This secret will be created by the uds operator based on the sso spec defined in chart/templates/uds-package.yaml
sonarSecretProperties: sonarqube-sso

monitoring:
enabled: true
Expand Down Expand Up @@ -42,5 +33,3 @@ postgresql:
postgresqlDatabase: ###ZARF_VAR_SONARQUBE_DB_NAME###
service:
port: 5432

domain: ###ZARF_VAR_DOMAIN###
18 changes: 0 additions & 18 deletions zarf.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,24 +14,6 @@ variables:
default: "false"
- name: DOMAIN
default: "uds.dev"
- name: SONARQUBE_IDAM_ENABLED
default: "false"
- name: SONARQUBE_IDAM_CLIENT_ID
default: ""
- name: SONARQUBE_IDAM_PROVIDER_NAME
default: ""
- name: SONARQUBE_IDAM_REALM_URL
default: ""
- name: SONARQUBE_IDAM_SAML_CERT
default: ""
- name: SONARQUBE_IDAM_ATTR_LOGIN
default: ""
- name: SONARQUBE_IDAM_ATTR_NAME
default: ""
- name: SONARQUBE_IDAM_ATTR_EMAIL
default: ""
- name: SONARQUBE_IDAM_ATTR_GROUP
default: ""
- name: SONARQUBE_DB_NAME
default: "sonarqubedb"
- name: SONARQUBE_DB_USERNAME
Expand Down