diff --git a/chart/templates/sonarqube-sso-secret.yaml b/chart/templates/sonarqube-sso-secret.yaml
new file mode 100644
index 0000000..8711237
--- /dev/null
+++ b/chart/templates/sonarqube-sso-secret.yaml
@@ -0,0 +1,16 @@
+# This secret will be used if sso is disabled, instead of the templated one in uds-package.yaml.
+# Sonarqube needs to mount the secret and creating it this way avoids creating an unnecessary
+# client in the keycloak realm and unnecessary secret data in the cluster.
+{{- if not .Values.sso.enabled }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.sso.secretName }}
+ namespace: {{ .Release.Namespace }}
+type: "Opaque"
+stringData:
+ secret.properties: |
+ sonar.auth.saml.enabled: {{ .Values.sso.enabled }}
+
+{{- end }}
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
index d46e8d3..0779eae 100644
--- a/chart/templates/uds-package.yaml
+++ b/chart/templates/uds-package.yaml
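Review bot: When `sso.enabled` is false this Secret carries only `sonar.auth.saml.enabled`, so `sonar.core.serverBaseURL`, which `values/common-values.yaml` previously set unconditionally under the now-removed `sonarProperties` block, is no longer configured on the SSO-disabled path. Adding `sonar.core.serverBaseURL: https://sonarqube.{{ .Values.domain }}` to the `secret.properties` block keeps the two branches consistent. Since this template only renders when `.Values.sso.enabled` is false, `{{ .Values.sso.enabled }}` always expands to `false` here; writing the literal `sonar.auth.saml.enabled: false` would make that explicit. It is also worth stating in the header comment that this Secret and the operator-generated one share the `sso.secretName` name, which is what makes the mount path identical in both modes.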
@@ -4,6 +4,36 @@ metadata: name: sonarqube namespace: {{ .Release.Namespace }} spec: + {{- if .Values.sso.enabled }} + sso: + - name: SonarQube Login + clientId: uds-swf-sonarqube + redirectUris: + - "https://sonarqube.{{ .Values.domain }}/oauth2/callback/saml" + protocol: saml + defaultClientScopes: + - "mapper-saml-email-email" + - "mapper-saml-username-login" + - "mapper-saml-username-name" + + attributes: + saml.client.signature: "false" + + secretName: {{ .Values.sso.secretName }} + # This secret template configures the sonarqube saml support documented here: https://docs.sonarsource.com/sonarqube/latest/instance-administration/authentication/saml/overview/ + secretTemplate: + secret.properties: | + sonar.auth.saml.enabled: {{ .Values.sso.enabled }} + sonar.core.serverBaseURL: https://sonarqube.{{ .Values.domain }} + sonar.auth.saml.applicationId: clientField(clientId) + sonar.auth.saml.providerName: {{ .Values.sso.saml.providerName }} + sonar.auth.saml.providerId: https://sso.{{ .Values.domain }}/realms/uds + sonar.auth.saml.loginUrl: https://sso.{{ .Values.domain }}/realms/uds/protocol/saml + sonar.auth.saml.user.login: login + sonar.auth.saml.user.name: name + sonar.auth.saml.user.email: email + sonar.auth.saml.certificate.secured: clientField(samlIdpCertificate) + {{- end }} network: expose: - service: sonarqube-sonarqube diff --git a/chart/values.yaml b/chart/values.yaml index e69de29..d6efbc5 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -0,0 +1,6 @@ +domain: "###ZARF_VAR_DOMAIN###" +sso: + enabled: true + secretName: sonarqube-sso + saml: + providerName: Keycloak # This is displayed on the SonarQube landing screen ("Log in with ") diff --git a/tasks.yaml b/tasks.yaml index 684b092..935d934 100644 --- a/tasks.yaml +++ b/tasks.yaml 
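Review bot: `saml.client.signature: "false"` turns off AuthnRequest signature checking on the Keycloak client with no comment explaining why; presumably SonarQube's own request signing (`sonar.auth.saml.signature.enabled`) is left at its default of off, and that should be recorded so a later reader does not change one side without the other, e.g. `# SonarQube does not sign its SAML requests by default, so the Keycloak client must not require a client signature`. The realm path `/realms/uds` is hard-coded in `sonar.auth.saml.providerId` and `sonar.auth.saml.loginUrl` while the host comes from `.Values.domain`; a value such as `sso.saml.realm` would keep both halves configurable together. `sonar.auth.saml.group.name`, which the removed `sonarProperties` block in `values/common-values.yaml` used to set, has no counterpart in this `secretTemplate` and no group mapper appears in `defaultClientScopes`, so SAML group synchronization is dropped; confirm that is intended. The enclosing `spec:` mapping continues past the hunk on both sides.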
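Review bot: `sso.enabled: true` is the chart default, and the Zarf variable that used to gate this (`SONARQUBE_IDAM_ENABLED`, removed in `zarf.yaml`) has no replacement, so turning SSO off now requires a chart value override in the bundle rather than a package variable; if that is intended, a comment on the key saying so would help, e.g. `# Set to false (bundle override) to run SonarQube without Keycloak SSO`. The trailing comment on `providerName` is the only documentation in this file; a short comment on `secretName` noting that the chart template `sonarqube-sso-secret.yaml` and the operator both create the secret under this name would make the two modes easier to follow.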
@@ -39,6 +39,12 @@ tasks: - task: dependencies:create - task: create:test-bundle + - name: dev + description: Create and deploy the bundle against an existing cluster + actions: + - task: create-sq-test-bundle + - task: deploy:test-bundle + # CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names - name: test-package diff --git a/values/common-values.yaml b/values/common-values.yaml index d404142..3c56a04 100644 --- a/values/common-values.yaml +++ b/values/common-values.yaml @@ -3,18 +3,9 @@ OpenShift: edition: "community" -sonarProperties: - sonar.auth.saml.enabled: ###ZARF_VAR_SONARQUBE_IDAM_ENABLED### - sonar.core.serverBaseURL: https://sonarqube.###ZARF_VAR_DOMAIN### - sonar.auth.saml.applicationId: ###ZARF_VAR_SONARQUBE_IDAM_CLIENT_ID### - sonar.auth.saml.providerName: ###ZARF_VAR_SONARQUBE_IDAM_PROVIDER_NAME### - sonar.auth.saml.providerId: ###ZARF_VAR_SONARQUBE_IDAM_REALM_URL### - sonar.auth.saml.loginUrl: ###ZARF_VAR_SONARQUBE_IDAM_REALM_URL###/protocol/saml - sonar.auth.saml.certificate.secured: ###ZARF_VAR_SONARQUBE_IDAM_SAML_CERT### - sonar.auth.saml.user.login: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_LOGIN### - sonar.auth.saml.user.name: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_NAME### - sonar.auth.saml.user.email: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_EMAIL### - sonar.auth.saml.group.name: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_GROUP### +# Name of the secret from which to load additional properties: https://community.sonarsource.com/t/additional-sonar-properties-to-load-from-a-secret/73748 +# This secret will be created by the uds operator based on the sso spec defined in chart/templates/uds-package.yaml +sonarSecretProperties: sonarqube-sso monitoring: enabled: true @@ -42,5 +33,3 @@ postgresql: postgresqlDatabase: ###ZARF_VAR_SONARQUBE_DB_NAME### service: port: 5432 - -domain: ###ZARF_VAR_DOMAIN### diff --git a/zarf.yaml b/zarf.yaml index 576137a..b544685 100644 --- a/zarf.yaml +++ b/zarf.yaml 
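Review bot: The new `dev` task calls `create-sq-test-bundle`, while the neighbouring tasks use the `create:test-bundle` form visible two lines above; unless a task named `create-sq-test-bundle` is defined elsewhere in `tasks.yaml`, this reference will not resolve and the line should likely read `- task: create:test-bundle`. The `tasks` sequence continues outside the hunk on both sides.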
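Review bot: `sonarSecretProperties: sonarqube-sso` repeats by hand the secret name that `chart/values.yaml` defines as `sso.secretName`, with nothing tying the two together, so renaming one silently breaks the mount. The comment above it should name that coupling explicitly, e.g. `# Must match sso.secretName in chart/values.yaml; created by the uds operator when sso.enabled is true, otherwise by chart/templates/sonarqube-sso-secret.yaml`. The existing comment's claim that the operator creates the secret is only true in the SSO-enabled case; the disabled case is handled by the new chart template.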
@@ -14,24 +14,6 @@ variables: default: "false" - name: DOMAIN default: "uds.dev" - - name: SONARQUBE_IDAM_ENABLED - default: "false" - - name: SONARQUBE_IDAM_CLIENT_ID - default: "" - - name: SONARQUBE_IDAM_PROVIDER_NAME - default: "" - - name: SONARQUBE_IDAM_REALM_URL - default: "" - - name: SONARQUBE_IDAM_SAML_CERT - default: "" - - name: SONARQUBE_IDAM_ATTR_LOGIN - default: "" - - name: SONARQUBE_IDAM_ATTR_NAME - default: "" - - name: SONARQUBE_IDAM_ATTR_EMAIL - default: "" - - name: SONARQUBE_IDAM_ATTR_GROUP - default: "" - name: SONARQUBE_DB_NAME default: "sonarqubedb" - name: SONARQUBE_DB_USERNAME