defenseunicorns · ericwyles · Apr 30, 2024 · Apr 30, 2024 · Apr 30, 2024 · Apr 30, 2024
@@ -45,7 +45,7 @@ packages:
           variables:
             - name: GITLAB_SSO_ENABLED
               description: "Boolean to enable or disable sso things"
-              path: "sso"
+              path: "sso.enabled"
         gitlab:
           variables:
             - name: GITLAB_SSO_ENABLED

@@ -0,0 +1,36 @@
+# This secret will be used if sso is disabled, instead of the templated one in uds-package.yaml. 
+# GitLab needs to mount the secret and creating it this way avoids creating an unnecessary 
+# client in the keycloak realm and unnecessary secret data in the cluster.
+{{- if not .Values.sso.enabled }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.sso.secretName }}
+  namespace:  {{ .Release.Namespace }}
+type: "Opaque"
+stringData:
+  providers: |
+    {
+      "name": "openid_connect",
+      "label": "Dummy SSO",
+      "args": {
+        "name": "openid_connect",
+        "scope": [
+          "openid",
+          "profile"
+        ],
+        "response_type": "code",
+        "issuer": "https://sso.{{ .Values.domain }}/realms/uds",
+        "client_auth_method": "query",
+        "discovery": true,
+        "uid_field": "preferred_username",
+        "client_options": {
+          "identifier": "dummy_identifier",
+          "secret": "dummy_secret",
+          "redirect_uri": "https://dummy_redirect_uri.com",
+          "end_session_endpoint": "https://dummy_end_session_endpoint.com"
+        }
+      }
+    }
+{{- end }}
@@ -4,13 +4,13 @@ metadata:
   name: gitlab
   namespace: {{ .Release.Namespace }}
 spec:
-  {{- if .Values.sso }}
+  {{- if .Values.sso.enabled }}
   sso:
     - name: Gitlab SSO
-      clientId: uds-core-gitlab
+      clientId: uds-swf-gitlab
       redirectUris:
         - "https://gitlab.{{ .Values.domain }}/users/auth/openid_connect/callback"
-      secretName: gitlab-sso-provider-json
+      secretName: {{ .Values.sso.secretName }}
       secretTemplate:
         # GitLab expects a providers JSON file that is documented more here: https://gitlab-org.gitlab.io/technical-writing-group/gitlab-docs-hugo/administration/auth/oidc/
         # Note: the `authorization_endpoint`, `issuer`, and `userinfo_endpoint` must be the external URL

@@ -1,5 +1,7 @@
 domain: "###ZARF_VAR_DOMAIN###"
-sso: true
+sso:
+  enabled: true
+  secretName: gitlab-sso
 storage:
   # Set to false to use external storage
   internal: true

@@ -78,7 +78,7 @@ global:
       syncProfileAttributes: ['email']
       syncProfileFromProvider: []
       providers:
-        - secret: gitlab-sso-provider-json
+        - secret: gitlab-sso
           key: providers
     initialDefaults:
       signupEnabled: ###ZARF_VAR_GITLAB_SIGNUP_ENABLED###