feat: integrate with keycloak (#63)

## Description This adds sso support by integrating with keycloak using SAML protocol. Also refactored the IDAM related zarf variables to helm values. ## Related Issue Fixes #49 Depends on defenseunicorns/uds-core#328 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-sonarqube/blob/main/CONTRIBUTING.md#developer-workflow) followed
defenseunicorns · Apr 30, 2024 · 2583684 · 2583684
1 parent 66474ac
commit 2583684
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 32 deletions.
diff --git a/chart/templates/sonarqube-sso-secret.yaml b/chart/templates/sonarqube-sso-secret.yaml
@@ -0,0 +1,16 @@
+# This secret will be used if sso is disabled, instead of the templated one in uds-package.yaml. 
+# Sonarqube needs to mount the secret and creating it this way avoids creating an unnecessary 
+# client in the keycloak realm and unnecessary secret data in the cluster.
+{{- if not .Values.sso.enabled }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.sso.secretName }}
+  namespace:  {{ .Release.Namespace }}
+type: "Opaque"
+stringData:
+  secret.properties: |
+    sonar.auth.saml.enabled: {{ .Values.sso.enabled }}
+
+{{- end }}
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
@@ -4,6 +4,36 @@ metadata:
   name: sonarqube
   namespace: {{ .Release.Namespace }}
 spec:
+  {{- if .Values.sso.enabled }}
+  sso:
+    - name: SonarQube Login
+      clientId: uds-swf-sonarqube
+      redirectUris:
+        - "https://sonarqube.{{ .Values.domain }}/oauth2/callback/saml"
+      protocol: saml
+      defaultClientScopes:
+        - "mapper-saml-email-email"
+        - "mapper-saml-username-login"
+        - "mapper-saml-username-name"
+
+      attributes:
+        saml.client.signature: "false"
+
+      secretName: {{ .Values.sso.secretName }}
+      # This secret template configures the sonarqube saml support documented here: https://docs.sonarsource.com/sonarqube/latest/instance-administration/authentication/saml/overview/
+      secretTemplate:
+        secret.properties: |
+            sonar.auth.saml.enabled: {{ .Values.sso.enabled }}
+            sonar.core.serverBaseURL: https://sonarqube.{{ .Values.domain }}
+            sonar.auth.saml.applicationId: clientField(clientId)
+            sonar.auth.saml.providerName: {{ .Values.sso.saml.providerName }}
+            sonar.auth.saml.providerId: https://sso.{{ .Values.domain }}/realms/uds
+            sonar.auth.saml.loginUrl: https://sso.{{ .Values.domain }}/realms/uds/protocol/saml
+            sonar.auth.saml.user.login: login
+            sonar.auth.saml.user.name: name
+            sonar.auth.saml.user.email: email
+            sonar.auth.saml.certificate.secured: clientField(samlIdpCertificate)
+  {{- end }}
   network:
     expose:
       - service: sonarqube-sonarqube

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -0,0 +1,6 @@
+domain: "###ZARF_VAR_DOMAIN###"
+sso:
+  enabled: true
+  secretName: sonarqube-sso
+  saml:
+    providerName: Keycloak # This is displayed on the SonarQube landing screen ("Log in with <providerName>")
diff --git a/tasks.yaml b/tasks.yaml
@@ -39,6 +39,12 @@ tasks:
       - task: dependencies:create
       - task: create:test-bundle
 
+  - name: dev
+    description: Create and deploy the bundle against an existing cluster
+    actions:
+      - task: create-sq-test-bundle
+      - task: deploy:test-bundle
+
 # CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names
 
   - name: test-package

diff --git a/values/common-values.yaml b/values/common-values.yaml
@@ -3,18 +3,9 @@ OpenShift:
 
 edition: "community"
 
-sonarProperties:
-  sonar.auth.saml.enabled: ###ZARF_VAR_SONARQUBE_IDAM_ENABLED###
-  sonar.core.serverBaseURL: https://sonarqube.###ZARF_VAR_DOMAIN###
-  sonar.auth.saml.applicationId: ###ZARF_VAR_SONARQUBE_IDAM_CLIENT_ID###
-  sonar.auth.saml.providerName: ###ZARF_VAR_SONARQUBE_IDAM_PROVIDER_NAME###
-  sonar.auth.saml.providerId: ###ZARF_VAR_SONARQUBE_IDAM_REALM_URL###
-  sonar.auth.saml.loginUrl: ###ZARF_VAR_SONARQUBE_IDAM_REALM_URL###/protocol/saml
-  sonar.auth.saml.certificate.secured: ###ZARF_VAR_SONARQUBE_IDAM_SAML_CERT###
-  sonar.auth.saml.user.login: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_LOGIN###
-  sonar.auth.saml.user.name: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_NAME###
-  sonar.auth.saml.user.email: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_EMAIL###
-  sonar.auth.saml.group.name: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_GROUP###
+# Name of the secret from which to load additional properties: https://community.sonarsource.com/t/additional-sonar-properties-to-load-from-a-secret/73748
+# This secret will be created by the uds operator based on the sso spec defined in chart/templates/uds-package.yaml
+sonarSecretProperties: sonarqube-sso
 
 monitoring:
   enabled: true
@@ -42,5 +33,3 @@ postgresql:
   postgresqlDatabase: ###ZARF_VAR_SONARQUBE_DB_NAME###
   service:
     port: 5432
-
-domain: ###ZARF_VAR_DOMAIN###
diff --git a/zarf.yaml b/zarf.yaml
@@ -14,24 +14,6 @@ variables:
     default: "false"
   - name: DOMAIN
     default: "uds.dev"
-  - name: SONARQUBE_IDAM_ENABLED
-    default: "false"
-  - name: SONARQUBE_IDAM_CLIENT_ID
-    default: ""
-  - name: SONARQUBE_IDAM_PROVIDER_NAME
-    default: ""
-  - name: SONARQUBE_IDAM_REALM_URL
-    default: ""
-  - name: SONARQUBE_IDAM_SAML_CERT
-    default: ""
-  - name: SONARQUBE_IDAM_ATTR_LOGIN
-    default: ""
-  - name: SONARQUBE_IDAM_ATTR_NAME
-    default: ""
-  - name: SONARQUBE_IDAM_ATTR_EMAIL
-    default: ""
-  - name: SONARQUBE_IDAM_ATTR_GROUP
-    default: ""
   - name: SONARQUBE_DB_NAME
     default: "sonarqubedb"
   - name: SONARQUBE_DB_USERNAME