From 2532958de87404df337c29f9b628b036389412e7 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sat, 12 Apr 2025 21:05:35 +0200 Subject: [PATCH] Added Forgejo to Keycloak config --- .../keycloak/manifests/keycloak-config.yaml | 149 ++++++++++++------ 1 file changed, 104 insertions(+), 45 deletions(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index c30cee6..6416367 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -181,34 +181,6 @@ data: ] } - forgejo-client-payload.json: | - { - "protocol": "openid-connect", - "clientId": "forgejo", - "name": "Forgejo Client", - "description": "Used for Forgejo SSO", - "publicClient": false, - "authorizationServicesEnabled": false, - "serviceAccountsEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "standardFlowEnabled": true, - "frontchannelLogout": true, - "attributes": { - "saml_idp_initiated_sso_url_name": "", - "oauth2.device.authorization.grant.enabled": false, - "oidc.ciba.grant.enabled": false - }, - "alwaysDisplayInConsole": false, - "rootUrl": "https://{{{ .Env.DOMAIN_GITEA }}}:443", - "baseUrl": "", - "redirectUris": [ - "https://{{{ .Env.DOMAIN_GITEA }}}/*" - ], - "webOrigins": [ - "/*" - ] - grafana-client-payload.json: | { "clientId": "grafana", @@ -245,7 +217,65 @@ data: "groups", "email" ] - } + } + + argocd-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "argocd", + "name": "ArgoCD Client", + "description": "Used for ArgoCD SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN }}}/*" + ], + "webOrigins": [ + "/*" + ] + } + + forgejo-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "forgejo", + "name": "Forgejo Client", + "description": "Used for Forgejo SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN }}}/*" + ], + "webOrigins": [ + "/*" + ] + } --- apiVersion: batch/v1 @@ -343,7 +373,7 @@ spec: ${KEYCLOAK_URL}/admin/realms/cnoe/groups # Create scope mapper - echo 'adding group claim to tokens' + echo 'adding group claim to tokens' CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') curl -sS -H "Content-Type: application/json" \ @@ -383,8 +413,8 @@ spec: echo "creating Argo Workflows client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/argo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/argo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ @@ -398,21 +428,26 @@ spec: -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') echo "creating Grafana client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/grafana-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ @@ -422,7 +457,7 @@ spec: curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/backstage-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ @@ -440,11 +475,33 @@ spec: -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + echo "creating ArgoCD client" + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X POST --data @/var/config/argocd-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients + + CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argocd") | .id') + + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + + ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + echo "creating Forgejo client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/forgejo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/forgejo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ @@ -459,9 +516,9 @@ spec: -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token) @@ -479,10 +536,12 @@ spec: ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN} BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET} BACKSTAGE_CLIENT_ID: backstage - FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET} - FORGEJO_CLIENT_ID: forgejo GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} GRAFANA_CLIENT_ID: grafana + ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET} + ARGOCD_CLIENT_ID: argocd + FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET} + FORGEJO_CLIENT_ID: forgejo " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml