From 2583684b048207d14213409f62d7c70fea999bb4 Mon Sep 17 00:00:00 2001
From: Eric Wyles <23637493+ericwyles@users.noreply.github.com>
Date: Tue, 30 Apr 2024 16:30:35 -0400
Subject: [PATCH] feat: integrate with keycloak (#63)

## Description

This adds sso support by integrating with keycloak using SAML protocol. Also refactored the IDAM related zarf variables to helm values.

## Related Issue

Fixes #49
Depends on https://github.com/defenseunicorns/uds-core/pull/328

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-sonarqube/blob/main/CONTRIBUTING.md#developer-workflow) followed
---
 chart/templates/sonarqube-sso-secret.yaml | 16 ++++++++++++
 chart/templates/uds-package.yaml | 30 +++++++++++++++++++++++
 chart/values.yaml | 6 +++++
 tasks.yaml | 6 +++++
 values/common-values.yaml | 17 +++----------
 zarf.yaml | 18 --------------
 6 files changed, 61 insertions(+), 32 deletions(-)
 create mode 100644 chart/templates/sonarqube-sso-secret.yaml

diff --git a/chart/templates/sonarqube-sso-secret.yaml b/chart/templates/sonarqube-sso-secret.yaml
new file mode 100644
index 0000000..8711237
--- /dev/null
+++ b/chart/templates/sonarqube-sso-secret.yaml
@@ -0,0 +1,16 @@
+# This secret will be used if sso is disabled, instead of the templated one in uds-package.yaml.
+# Sonarqube needs to mount the secret and creating it this way avoids creating an unnecessary
+# client in the keycloak realm and unnecessary secret data in the cluster.
+{{- if not .Values.sso.enabled }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.sso.secretName }}
+  namespace: {{ .Release.Namespace }}
+type: "Opaque"
+stringData:
+  secret.properties: |
+    sonar.auth.saml.enabled: {{ .Values.sso.enabled }}
+
+{{- end }}
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
index d46e8d3..0779eae 100644
--- a/chart/templates/uds-package.yaml
+++ b/chart/templates/uds-package.yaml
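Review bot: Flipping `sso.enabled` from true to false makes Helm render this Secret under the same name the UDS operator already created from the Package `sso` spec, and Helm refuses to adopt a resource it does not own, so the upgrade could fail or a stale operator-managed secret could keep `sonar.auth.saml.enabled` true; confirm the operator deletes its secret when the `sso` entry is removed from the Package, or give the fallback a distinct name. Inside this `{{- if not .Values.sso.enabled }}` guard the templated value `sonar.auth.saml.enabled: {{ .Values.sso.enabled }}` can only ever render `false`, so the literal `sonar.auth.saml.enabled: false` states the intent directly and removes the impression that the value is tunable. The `name:` field should be quoted, `name: {{ .Values.sso.secretName | quote }}`, so an unexpected override still renders valid YAML instead of a bare key.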
@@ -4,6 +4,36 @@ metadata:
   name: sonarqube
   namespace: {{ .Release.Namespace }}
 spec:
+  {{- if .Values.sso.enabled }}
+  sso:
+    - name: SonarQube Login
+      clientId: uds-swf-sonarqube
+      redirectUris:
+        - "https://sonarqube.{{ .Values.domain }}/oauth2/callback/saml"
+      protocol: saml
+      defaultClientScopes:
+        - "mapper-saml-email-email"
+        - "mapper-saml-username-login"
+        - "mapper-saml-username-name"
+
+      attributes:
+        saml.client.signature: "false"
+
+      secretName: {{ .Values.sso.secretName }}
+      # This secret template configures the sonarqube saml support documented here: https://docs.sonarsource.com/sonarqube/latest/instance-administration/authentication/saml/overview/
+      secretTemplate:
+        secret.properties: |
+          sonar.auth.saml.enabled: {{ .Values.sso.enabled }}
+          sonar.core.serverBaseURL: https://sonarqube.{{ .Values.domain }}
+          sonar.auth.saml.applicationId: clientField(clientId)
+          sonar.auth.saml.providerName: {{ .Values.sso.saml.providerName }}
+          sonar.auth.saml.providerId: https://sso.{{ .Values.domain }}/realms/uds
+          sonar.auth.saml.loginUrl: https://sso.{{ .Values.domain }}/realms/uds/protocol/saml
+          sonar.auth.saml.user.login: login
+          sonar.auth.saml.user.name: name
+          sonar.auth.saml.user.email: email
+          sonar.auth.saml.certificate.secured: clientField(samlIdpCertificate)
+  {{- end }}
   network:
     expose:
       - service: sonarqube-sonarqube
diff --git a/chart/values.yaml b/chart/values.yaml
index e69de29..d6efbc5 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -0,0 +1,6 @@
+domain: "###ZARF_VAR_DOMAIN###"
+sso:
+  enabled: true
+  secretName: sonarqube-sso
+  saml:
+    providerName: Keycloak # This is displayed on the SonarQube landing screen ("Log in with ")
diff --git a/tasks.yaml b/tasks.yaml
index 684b092..935d934 100644
--- a/tasks.yaml
+++ b/tasks.yaml
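Review bot: `saml.client.signature: "false"` switches off Keycloak's default requirement that the client sign its SAML AuthnRequests, and the hunk records no reason for the downgrade; the IdP's signing of responses, which SonarQube checks against `clientField(samlIdpCertificate)`, is unaffected and responses are still delivered only to the registered redirect URI, but a deliberate weakening of the IdP client should carry a comment such as `# SonarQube does not sign AuthnRequests by default; Keycloak would reject them with signature required`. If the pinned SonarQube version supports service-provider request signing (a `sonar.auth.saml.signature.enabled` property with SP key and certificate properties, in recent releases), enabling that and leaving Keycloak's default would be the stronger configuration; verify against the version this package ships. `secretName: {{ .Values.sso.secretName }}` should also be quoted, `secretName: {{ .Values.sso.secretName | quote }}`, as a templated scalar. The `spec` mapping continues past the end of the hunk.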
@@ -39,6 +39,12 @@ tasks:
       - task: dependencies:create
       - task: create:test-bundle
+  - name: dev
+    description: Create and deploy the bundle against an existing cluster
+    actions:
+      - task: create-sq-test-bundle
+      - task: deploy:test-bundle
+
   # CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names
   - name: test-package
diff --git a/values/common-values.yaml b/values/common-values.yaml
index d404142..3c56a04 100644
--- a/values/common-values.yaml
+++ b/values/common-values.yaml
@@ -3,18 +3,9 @@ OpenShift:
   edition: "community"
-sonarProperties:
-  sonar.auth.saml.enabled: ###ZARF_VAR_SONARQUBE_IDAM_ENABLED###
-  sonar.core.serverBaseURL: https://sonarqube.###ZARF_VAR_DOMAIN###
-  sonar.auth.saml.applicationId: ###ZARF_VAR_SONARQUBE_IDAM_CLIENT_ID###
-  sonar.auth.saml.providerName: ###ZARF_VAR_SONARQUBE_IDAM_PROVIDER_NAME###
-  sonar.auth.saml.providerId: ###ZARF_VAR_SONARQUBE_IDAM_REALM_URL###
-  sonar.auth.saml.loginUrl: ###ZARF_VAR_SONARQUBE_IDAM_REALM_URL###/protocol/saml
-  sonar.auth.saml.certificate.secured: ###ZARF_VAR_SONARQUBE_IDAM_SAML_CERT###
-  sonar.auth.saml.user.login: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_LOGIN###
-  sonar.auth.saml.user.name: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_NAME###
-  sonar.auth.saml.user.email: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_EMAIL###
-  sonar.auth.saml.group.name: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_GROUP###
+# Name of the secret from which to load additional properties: https://community.sonarsource.com/t/additional-sonar-properties-to-load-from-a-secret/73748
+# This secret will be created by the uds operator based on the sso spec defined in chart/templates/uds-package.yaml
+sonarSecretProperties: sonarqube-sso
 monitoring:
   enabled: true
@@ -42,5 +33,3 @@ postgresql:
     postgresqlDatabase: ###ZARF_VAR_SONARQUBE_DB_NAME###
   service:
     port: 5432
-
-domain: ###ZARF_VAR_DOMAIN###
diff --git a/zarf.yaml b/zarf.yaml
index 576137a..b544685 100644
--- a/zarf.yaml
+++ b/zarf.yaml
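Review bot: `- task: create-sq-test-bundle` in the new `dev` task does not follow the `group:task` naming that the neighbouring actions use (`dependencies:create`, `create:test-bundle`, `deploy:test-bundle`), and no task by that name appears anywhere in this diff; confirm it exists, or reference `- task: create:test-bundle` as the task directly above does. The enclosing `tasks` list continues outside the hunk.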
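Review bot: The removed block includes `sonar.auth.saml.group.name`, and nothing in the new `sso` spec in chart/templates/uds-package.yaml replaces it (no groups mapper in `defaultClientScopes`, no group property in the secret template), so SAML logins will no longer carry group membership and SonarQube's group-based permission sync stops without any error. If dropping group sync is intended it belongs in the PR description; otherwise add a SAML groups mapper scope and `sonar.auth.saml.group.name: groups` (or whatever attribute the mapper emits) to the secret template. `sonarSecretProperties: sonarqube-sso` also hardcodes the name that `sso.secretName` in chart/values.yaml makes configurable, so overriding one without the other leaves SonarQube mounting a secret that does not exist; a comment such as `# Must match sso.secretName in chart/values.yaml` would make the coupling visible.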
@@ -14,24 +14,6 @@ variables:
     default: "false"
   - name: DOMAIN
     default: "uds.dev"
-  - name: SONARQUBE_IDAM_ENABLED
-    default: "false"
-  - name: SONARQUBE_IDAM_CLIENT_ID
-    default: ""
-  - name: SONARQUBE_IDAM_PROVIDER_NAME
-    default: ""
-  - name: SONARQUBE_IDAM_REALM_URL
-    default: ""
-  - name: SONARQUBE_IDAM_SAML_CERT
-    default: ""
-  - name: SONARQUBE_IDAM_ATTR_LOGIN
-    default: ""
-  - name: SONARQUBE_IDAM_ATTR_NAME
-    default: ""
-  - name: SONARQUBE_IDAM_ATTR_EMAIL
-    default: ""
-  - name: SONARQUBE_IDAM_ATTR_GROUP
-    default: ""
   - name: SONARQUBE_DB_NAME
     default: "sonarqubedb"
   - name: SONARQUBE_DB_USERNAME