enhancement: openid

[lknite]

I recently opened a ticket with taiga about the taiga-contrib-oidc-auth plugin they had forked for their project (taigaio/taiga-back#66 ).

They advised me to instead use the taiga-contrib-openid-auth plugin which they said they are going to advise to fork instead of the oidc-auth plugin they currently have forked, and also that the oidc-auth plugin wouldn't work with taiga 6. I get the impression they are planning to add oidc functionality to the next taiga release.

I got things working, however to get things working I had to edit the front and back statefulsets.

I was thinking to fork taiga-helm and add in the changes needed to get the openid-auth plugin working.

First though I wanted to check with you as your helm chart is like a work of art, definitely an excellent example for folks to learn from. It makes perfect sense to me that you have created it for a class. It is unlikely that I'd be able to update things and perfectly mirror your style, but I am willing to give it a shot. Would you be interested in enhancing the helm chart, or have me take a shot at a pull request?

Summary of changes to get openid-auth to work:

• had to add some additional environment variables to taiga-front
• had to add some additional environment variables to taiga-back
• had to add an extra volume to taiga-back
• had to add run a postStart command to import an onprem ca-chain

Here are the changes I made to the statefulsets to get things working:
taiga-front

        - name: ENABLE_OPENID
          value: "true"
        - name: PUBLIC_REGISTER_ENABLED
          value: "true"
        - name: OPENID_URL
          value: "https://keycloak.k-prod.harmony.net/auth/realms/harmony/protocol/openid-connect/auth"
        - name: OPENID_CLIENT_ID
          value: "taiga.k-dev.harmony.net"
        - name: OPENID_NAME
          value: "keycloak"
        - name: OPENID_SCOPE
          value: "openid email"

taiga-back

        - name: ENABLE_OPENID
          value: "True"
        - name: PUBLIC_REGISTER_ENABLED
          value: "True"
        - name: OPENID_USER_URL 
          value: "https://keycloak.k-prod.harmony.net/auth/realms/harmony/protocol/openid-connect/userinfo"
        - name: OPENID_TOKEN_URL 
          value: "https://keycloak.k-prod.harmony.net/auth/realms/harmony/protocol/openid-connect/token"
        - name: OPENID_CLIENT_ID 
          value: "taiga.k-dev.harmony.net"
        - name: OPENID_CLIENT_SECRET
          value: "<secret>"
        - name: OPENID_SCOPE
          value: "openid email"


        volumeMounts:
        - mountPath: /tmp/ca
          name: certs
      volumes:
      - name: certs
        configMap:
          name: ca-certs
          items:
          - key: "ca.crt"
            path: "cacert.pem"


        lifecycle:
          postStart:
            exec:
              command:
              - /bin/sh
              - -c
              - "cat /tmp/ca/cacert.pem >> /opt/venv/lib/python3.7/site-packages/certifi/cacert.pem"

and then in my custom values.yaml

taigaFront:
  image:
    repository: robrotheram/taiga-front-openid
    pullPolicy: IfNotPresent
    tag: 6.4.2
taigaBack:
  image:
    repository: robrotheram/taiga-back-openid
    pullPolicy: IfNotPresent
    tag: 6.4.2

If I were to enhance taiga-helm I would make the additions above in 'Summary of changes to get openid-auth to work' section by copying similar methods from the nextcloud template which has the following allowed in its values.yaml:

nextcloud:
  extraVolumes:
  - name: certs
    configMap:
      name: ca-certs
      items:
      - key: "ca.crt"
        path: "ca.crt"
  extraVolumeMounts:
  - name: certs
    mountPath: /usr/local/share/ca-certificates

lifecycle:
  postStartCommand:
  - /bin/sh
  - -c
  - update-ca-certificates;
    lets you run any command here so anyone could use this to import ca certs mounted before;

not sure about adding the environment variables, would have to figure that out

[nemonik]

I've worked with Keycloak before so I know where you are coming from... a portion of whqy you are describing above could be handled with adds to the chart templates, values files and adds to the documentation.

I can look at doing this considering you've done the heavy lifting or you can propose a pull request and I can merge making any mods as needed. The default behavior would be to not to need oidc auth, but for much of the changes to be there as an example of what to do and the readme to be instructive as what to do to enable... I have worked to get GitLab to auth off of KeyCloak and in doing so contributed to the sameersbn/gitlab-docker documention in regards. The existing documentation there included how to spin up Keycloak and GitLab together, so the similiar here may be helpful.

Thanks for the compliment.

Let me know if you want to propose a pull request... and we can work it past that...

[lknite]

Ok, I'm going to work on a pull request which will add as mentioned above, the ability to mount extra volumes & run a postStart command via yaml specification, and look into adding environment variables somehow. I'll check in after getting the extra volumes and postStart command added.

[lknite]

Proposed pull request:
#6

[nemonik]

Let me review.

[throrin19]

any news about this part ?