adds ArgoCD client in Keycloak
parent
303d7b3a7e
commit
5506baa885
4 changed files with 81 additions and 0 deletions
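--- a/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml
+++ b/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+labels:
+app.kubernetes.io/part-of: argocd
+name: keycloak-oidc
+namespace: argocd
+type: Opaque
+data:
+clientSecret: h37eb29EbQIVCMc9Fj82IqAQs1qvvv1R
+immutable: false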
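Review bot: The `clientSecret` under `data:` is a literal credential committed to the template, and it does not look base64-encoded, which `data:` requires; as written, Kubernetes would decode it to arbitrary bytes rather than the intended string. If a static value is really wanted, it belongs under `stringData:`. The Keycloak config Job in this same commit already reads the client's secret from Keycloak at runtime, so the manifest should preferably be generated from that value (or from a secret store) instead of carrying a fixed one that will probably not match. If the committed value was ever a live client secret, it should be treated as exposed and regenerated in Keycloak.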
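--- a/template/stacks/core/argocd/argocd-sso/cm.yml
+++ b/template/stacks/core/argocd/argocd-sso/cm.yml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: argocd-cm
+data:
+url: https://factory-192-168-198-2.traefik.me/argocd
+oidc.config: |
+name: Keycloak
+issuer: https://factory-192-168-198-2.traefik.me/keycloak/realms/cnoe
+clientID: argocd
+clientSecret: $keycloak-oidc:clientSecret
+requestedScopes: ["openid", "profile", "email", "groups"]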
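Review bot: Both `url` and `issuer` hard-code the host `factory-192-168-198-2.traefik.me`, which ties this template to one environment. The Keycloak payload in the same commit builds its host from a `{{{ .Env.… }}}` variable, and these two values should be templated the same way, e.g. `issuer: https://{{{ .Env.<PLATFORM_DOMAIN_VAR> }}}/keycloak/realms/cnoe` (placeholder name; use the variable the templates already define). A wrong issuer makes OIDC discovery or token validation fail, so every deployment on another host would lose SSO login. The manifest also sets no `metadata.namespace`, unlike the `keycloak-oidc` Secret, which pins `namespace: argocd`; adding it makes sure the `$keycloak-oidc:clientSecret` reference is resolved in the namespace where that Secret lives. Since the Helm values in this commit also carry a `cm:` block, it is worth confirming that this standalone `argocd-cm` and the chart-rendered one do not overwrite each other.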
|
@ -5,6 +5,7 @@ configs:
|
||||||
params:
|
params:
|
||||||
server.insecure: true
|
server.insecure: true
|
||||||
server.basehref: /argocd
|
server.basehref: /argocd
|
||||||
|
server.rootpath: /argocd
|
||||||
cm:
|
cm:
|
||||||
application.resourceTrackingMethod: annotation
|
application.resourceTrackingMethod: annotation
|
||||||
timeout.reconciliation: 60s
|
timeout.reconciliation: 60s
|
||||||
|
|
|
@ -219,6 +219,44 @@ data:
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
argocd-client-payload.json: |
|
||||||
|
{
|
||||||
|
"protocol": "openid-connect",
|
||||||
|
"clientId": "argocd",
|
||||||
|
"name": "ArgoCD Client",
|
||||||
|
"description": "Used for ArgoCD SSO",
|
||||||
|
"publicClient": false,
|
||||||
|
"authorizationServicesEnabled": false,
|
||||||
|
"serviceAccountsEnabled": false,
|
||||||
|
"implicitFlowEnabled": false,
|
||||||
|
"directAccessGrantsEnabled": true,
|
||||||
|
"standardFlowEnabled": true,
|
||||||
|
"frontchannelLogout": true,
|
||||||
|
"attributes": {
|
||||||
|
"saml_idp_initiated_sso_url_name": "",
|
||||||
|
"oauth2.device.authorization.grant.enabled": false,
|
||||||
|
"oidc.ciba.grant.enabled": false
|
||||||
|
},
|
||||||
|
"alwaysDisplayInConsole": false,
|
||||||
|
"rootUrl": "",
|
||||||
|
"baseUrl": "",
|
||||||
|
"redirectUris": [
|
||||||
|
"https://{{{ .Env.DOMAIN_GITEA }}}/*"
|
||||||
|
],
|
||||||
|
"webOrigins": [
|
||||||
|
"/*"
|
||||||
|
]
|
||||||
|
"defaultClientScopes": [
|
||||||
|
"web-origins",
|
||||||
|
"acr",
|
||||||
|
"offline_access",
|
||||||
|
"roles",
|
||||||
|
"profile",
|
||||||
|
"groups",
|
||||||
|
"email"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
|
@ -407,6 +445,23 @@ spec:
|
||||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
||||||
|
|
||||||
|
echo "creating ArgoCD client"
|
||||||
|
curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X POST --data @/var/config/argocd-client-payload.json \
|
||||||
|
${KEYCLOAK_URL}/admin/realms/cnoe/clients
|
||||||
|
|
||||||
|
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argocd") | .id')
|
||||||
|
|
||||||
|
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
|
||||||
|
curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
||||||
|
|
||||||
|
ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
||||||
|
|
||||||
ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
|
ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
|
||||||
|
|
||||||
ARGOCD_SESSION_TOKEN=$(curl -k -sS http://argocd-server.argocd.svc.cluster.local:443/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
|
ARGOCD_SESSION_TOKEN=$(curl -k -sS http://argocd-server.argocd.svc.cluster.local:443/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
|
||||||
|
@ -426,6 +481,8 @@ spec:
|
||||||
BACKSTAGE_CLIENT_ID: backstage
|
BACKSTAGE_CLIENT_ID: backstage
|
||||||
GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
|
GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
|
||||||
GRAFANA_CLIENT_ID: grafana
|
GRAFANA_CLIENT_ID: grafana
|
||||||
|
ARGOCD_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
|
||||||
|
ARGOCD_CLIENT_ID: argocd
|
||||||
" > /tmp/secret.yaml
|
" > /tmp/secret.yaml
|
||||||
|
|
||||||
./kubectl apply -f /tmp/secret.yaml
|
./kubectl apply -f /tmp/secret.yaml
|
||||||
|
|
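Review bot: The last hunk of the Keycloak config Job writes `ARGOCD_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}` into /tmp/secret.yaml, so the generated secret carries Grafana's client secret under ArgoCD's name and the `ARGOCD_CLIENT_SECRET` fetched a few lines earlier is never used; the line should read `ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}`. In `argocd-client-payload.json` the `]` closing `webOrigins` has no trailing comma before `"defaultClientScopes"`, which makes the payload invalid JSON. Because the POST uses `curl -sS` without `--fail`, a rejected request would probably surface only later, when the `jq -e` lookup of the client id finds nothing. The payload's only `redirectUris` entry is `https://{{{ .Env.DOMAIN_GITEA }}}/*`, a Gitea-named host with a wildcard path; for an ArgoCD client it would be tighter to list ArgoCD's own callback URL, and `"directAccessGrantsEnabled": true` looks unnecessary for a browser SSO flow. The ConfigMap and the Job script both start and end outside the visible hunks.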