fix!: sso failing deployment when it is disabled (#115)

## Description This hotfixes sso killing a deployment when it is disabled. ## Related Issue Fixes #N/A ## Type of change - [X] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-gitlab/blob/main/CONTRIBUTING.md#developer-workflow) followed --------- Co-authored-by: Eric Wyles <[email protected]>
defenseunicorns · Apr 30, 2024 · 8cfdb58 · 8cfdb58
1 parent a0e2c48
commit 8cfdb58
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 6 deletions.
diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml
@@ -45,7 +45,7 @@ packages:
           variables:
             - name: GITLAB_SSO_ENABLED
               description: "Boolean to enable or disable sso things"
-              path: "sso"
+              path: "sso.enabled"
         gitlab:
           variables:
             - name: GITLAB_SSO_ENABLED

diff --git a/chart/templates/gitlab-sso-secret.yaml b/chart/templates/gitlab-sso-secret.yaml
@@ -0,0 +1,36 @@
+# This secret will be used if sso is disabled, instead of the templated one in uds-package.yaml. 
+# GitLab needs to mount the secret and creating it this way avoids creating an unnecessary 
+# client in the keycloak realm and unnecessary secret data in the cluster.
+{{- if not .Values.sso.enabled }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.sso.secretName }}
+  namespace:  {{ .Release.Namespace }}
+type: "Opaque"
+stringData:
+  providers: |
+    {
+      "name": "openid_connect",
+      "label": "Dummy SSO",
+      "args": {
+        "name": "openid_connect",
+        "scope": [
+          "openid",
+          "profile"
+        ],
+        "response_type": "code",
+        "issuer": "https://sso.{{ .Values.domain }}/realms/uds",
+        "client_auth_method": "query",
+        "discovery": true,
+        "uid_field": "preferred_username",
+        "client_options": {
+          "identifier": "dummy_identifier",
+          "secret": "dummy_secret",
+          "redirect_uri": "https://dummy_redirect_uri.com",
+          "end_session_endpoint": "https://dummy_end_session_endpoint.com"
+        }
+      }
+    }
+{{- end }}
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
@@ -4,13 +4,13 @@ metadata:
   name: gitlab
   namespace: {{ .Release.Namespace }}
 spec:
-  {{- if .Values.sso }}
+  {{- if .Values.sso.enabled }}
   sso:
     - name: Gitlab SSO
-      clientId: uds-core-gitlab
+      clientId: uds-swf-gitlab
       redirectUris:
         - "https://gitlab.{{ .Values.domain }}/users/auth/openid_connect/callback"
-      secretName: gitlab-sso-provider-json
+      secretName: {{ .Values.sso.secretName }}
       secretTemplate:
         # GitLab expects a providers JSON file that is documented more here: https://gitlab-org.gitlab.io/technical-writing-group/gitlab-docs-hugo/administration/auth/oidc/
         # Note: the `authorization_endpoint`, `issuer`, and `userinfo_endpoint` must be the external URL

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -1,5 +1,7 @@
 domain: "###ZARF_VAR_DOMAIN###"
-sso: true
+sso:
+  enabled: true
+  secretName: gitlab-sso
 storage:
   # Set to false to use external storage
   internal: true

diff --git a/values/common-values.yaml b/values/common-values.yaml
@@ -78,7 +78,7 @@ global:
       syncProfileAttributes: ['email']
       syncProfileFromProvider: []
       providers:
-        - secret: gitlab-sso-provider-json
+        - secret: gitlab-sso
           key: providers
     initialDefaults:
       signupEnabled: ###ZARF_VAR_GITLAB_SIGNUP_ENABLED###