WRC103 saml integration (#37)

* add cert from secrets * set the secret for AWS2 * preserve line breaks * experimentation continues * remove '' when preserving multiline string * another go multiline * local cert * disable liveliness probe on local and use a local key * temporarily disable liveliness probe for debugging * jinja templates do not work in variables file * commenting out do not work * allow remote debugging * two ideas * revert possible problem * try tty£ * more hakcing * configure login url * clean up * clean up * clean up * init vars
fjelltopp · Nov 13, 2024 · 9697ac0 · 9697ac0
1 parent 9cea93f
commit 9697ac0
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 2 deletions.
diff --git a/group_vars/all/all.yml b/group_vars/all/all.yml
@@ -131,6 +131,9 @@ ckan_googleanalytics_credentials: |-
     "universe_domain": ""
   }
 
+# SAML
+ckan_saml_idp_cert: ""
+
 # who.ini
 who_authenticators: |-
   [authenticators]
@@ -139,3 +142,4 @@ who_authenticators: |-
       ckan.lib.authenticator:UsernamePasswordAuthenticator
 
 storage_class_name: "efs-client"
+ckan_login_form_url: "/user/login"
diff --git a/roles/ckan/templates/ckan/ckan_who.ini b/roles/ckan/templates/ckan/ckan_who.ini
@@ -4,7 +4,7 @@ use = ckan.lib.repoze_plugins.auth_tkt:make_plugin
 #secret = somesecret
 [plugin:friendlyform]
 use = ckan.lib.repoze_plugins.friendly_form:FriendlyFormPlugin
-login_form_url= /user/login
+login_form_url={{ ckan_login_form_url }}
 login_handler_path = /login_generic
 logout_handler_path = /user/logout
 rememberer_name = auth_tkt

diff --git a/roles/ckan/templates/kubernetes/ckan.yaml b/roles/ckan/templates/kubernetes/ckan.yaml
@@ -152,15 +152,20 @@ spec:
 {% if fjelltopp_cloud_provider != 'azure' %}
             - name: AWS_DEFAULT_REGION
               value: "{{ aws_region }}"
+            - name: CKAN_SAML_IDP_CERT
+              value: |-
+                {{ ckan_saml_idp_cert }}
 {% endif %}
 {% if fjelltopp_env_type == 'local' %}
+            - name: CKAN_SAML_IDP_CERT
+              value: "{{ ckan_saml_idp_cert }}"
             - name: HOME
               value: "/usr/lib/ckan"
 {% endif %}
           image: {{ ckan_image }}:{{ ckan_image_tag }}
           imagePullPolicy: {{ (fjelltopp_env_type == 'local') | ternary('IfNotPresent', 'Always') }}
           name: ckan
-          
+
 # assume local user uid
 {% if fjelltopp_env_type == 'local' %}
           tty: true

diff --git a/roles/ckan/vars/secrets.yml b/roles/ckan/vars/secrets.yml
@@ -14,3 +14,8 @@ ckan_beaker_secret: "{{ lookup('aws_secret', application_namespace + '_ckan_beak
                     on_missing='skip', on_deleted='skip') }}"
 ckan_api_secret: "{{ lookup('aws_secret', application_namespace + '_ckan_api_secret' , region = aws_region,
                     on_missing='skip', on_deleted='skip') }}"
+
+#The following is not really a secret but a certificate
+#This is uploaded manually to AWS #TODO
+ckan_saml_idp_cert: "{{ lookup('aws_secret', application_namespace + '_ckan_saml_idp_cert' , region = aws_region,
+                    on_missing='skip', on_deleted='skip') }}"