From ca54424fc48d3eef82daa4d383bdfce51a70061b Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 25 Feb 2025 11:34:44 +0100 Subject: [PATCH 01/27] adds sso config for forgejo --- template/stacks/core/forgejo/secret.yaml | 9 ++++++ template/stacks/core/forgejo/values.yaml | 6 ++++ .../keycloak/manifests/keycloak-config.yaml | 29 +++++++++++++++++++ 3 files changed, 44 insertions(+) create mode 100644 template/stacks/core/forgejo/secret.yaml diff --git a/template/stacks/core/forgejo/secret.yaml b/template/stacks/core/forgejo/secret.yaml new file mode 100644 index 0000000..231a7f0 --- /dev/null +++ b/template/stacks/core/forgejo/secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: gitea-credentials + namespace: gitea +type: Opaque +stringData: + key: forgejo + secret: nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY \ No newline at end of file diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index bfcd384..b763f93 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -27,6 +27,12 @@ gitea: server: DOMAIN: 'gitea.{{{ .Env.DOMAIN }}}' ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443' + oauth: + - name: 'Keycloak' + provider: 'openidConnect' + # or with 'key' and 'secret' parameter directly + existingSecret: gitea-credentials + autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration' service: ssh: diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index e2a0981..0627306 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml 
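Review bot: The new secret.yaml commits a live OIDC client secret as a plain `stringData.secret` value in the template repository, so the credential sits in git history from this commit on. The same value, and the replacement introduced later, are inlined in values.yaml in PATCH 03/27 and 11/27, left in a commented-out line in PATCH 15/27 and rewritten into this manifest in PATCH 18/27, so deleting the file in PATCH 20/27 does not unpublish either; both should be regenerated in Keycloak before this series is merged. The ExternalSecret that PATCH 20/27 arrives at is the right shape; until then the literal should be a placeholder, `secret: "<set-via-external-secret>"  # never commit the real value`. The file also ends without a trailing newline.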
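Review bot: `autoDiscoverUrl` on the added `oauth` entry points at `gitea.example.com`, a literal placeholder on the Gitea host, whereas OIDC discovery has to be served by the issuer (Keycloak), which the rest of the template reaches through `{{{ .Env.DOMAIN }}}`. As written Forgejo fetches `/.well-known/openid-configuration` from itself and the provider fails to initialise. The series only settles on a Keycloak URL in PATCH 15/27; that form should be used here from the start, `autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration'`. The enclosing `gitea:` mapping continues outside the hunk.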
@@ -181,6 +181,35 @@ data: ] } + forgejo-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "forgejo", + "name": "Forgejo Client", + "description": "Used for Forgejo SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "https://{{{ .Env.DOMAIN }}}", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN }}}/*" + ], + "webOrigins": [ + "/*" + ] + } + --- apiVersion: batch/v1 kind: Job -- 2.45.2 From 8b93796afe86172a5c7088f76bdb533141670e34 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 25 Feb 2025 12:19:46 +0100 Subject: [PATCH 02/27] debugging --- template/stacks/core/forgejo/values.yaml | 6 ------ .../keycloak/manifests/keycloak-config.yaml | 8 ++++---- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index b763f93..bfcd384 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -27,12 +27,6 @@ gitea: server: DOMAIN: 'gitea.{{{ .Env.DOMAIN }}}' ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443' - oauth: - - name: 'Keycloak' - provider: 'openidConnect' - # or with 'key' and 'secret' parameter directly - existingSecret: gitea-credentials - autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration' service: ssh: diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 0627306..798c735 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml 
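Review bot: The new `forgejo-client-payload.json` sets `"directAccessGrantsEnabled": true`, which enables the resource-owner password grant for a client that only needs the authorization-code flow (`standardFlowEnabled`), so any holder of the client id/secret can exchange user passwords for tokens directly at the token endpoint; it should be `"directAccessGrantsEnabled": false`. `"redirectUris": ["https://{{{ .Env.DOMAIN }}}/*"]` accepts any path on the whole domain, which at this point is shared with Keycloak and the other services; it should be narrowed to the Forgejo host and its OAuth2 callback path (Forgejo's is `/user/oauth2/<provider name>/callback`, i.e. `…/user/oauth2/Keycloak/callback` for `name: 'Keycloak'`). The surrounding ConfigMap `data:` mapping begins outside the hunk.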
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -100,11 +100,11 @@ data: user-user1.json: | { "username": "user1", - "email": "", + "email": "user1@user.de", "firstName": "user", "lastName": "one", "requiredActions": [], - "emailVerified": false, + "emailVerified": true, "groups": [ "/admin" ], @@ -113,11 +113,11 @@ data: user-user2.json: | { "username": "user2", - "email": "", + "email": "user2@user.de", "firstName": "user", "lastName": "two", "requiredActions": [], - "emailVerified": false, + "emailVerified": true, "groups": [ "/base-user" ], -- 2.45.2 From d6578419132fa712234f68293da2113b2fd2c022 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 25 Feb 2025 12:31:04 +0100 Subject: [PATCH 03/27] debugging --- template/stacks/core/forgejo/values.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index bfcd384..f0ba6e0 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -27,6 +27,14 @@ gitea: server: DOMAIN: 'gitea.{{{ .Env.DOMAIN }}}' ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443' + oauth: + - name: 'Keycloak' + provider: 'openidConnect' + # or with 'key' and 'secret' parameter directly + keys: 'forgejo' + secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY' + # existingSecret: gitea-credentials + autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration' service: ssh: -- 2.45.2 From 97f4eb33d9f250ceeb0c94106394f0c220e415ec Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 25 Feb 2025 13:24:24 +0100 Subject: [PATCH 04/27] debugging --- template/stacks/core/forgejo/values.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index f0ba6e0..0c07fa2 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml 
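Review bot: The seeded `user-user1.json` and `user-user2.json` now carry `"emailVerified": true` for `user1@user.de` and `user2@user.de`, addresses in a public domain the project does not control, so the realm asserts verified ownership of mailboxes nobody here has verified. Consumers that trust the `email_verified` claim for account matching (Forgejo's `ACCOUNT_LINKING: auto`, added in PATCH 05/27, links on e-mail) will honour that assertion. If the addresses only need to be non-empty for the demo, use a reserved domain, e.g. `"email": "user1@example.com"`, and keep `"emailVerified": false` unless the flow really requires it; the same applies to the second hunk of this patch.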
@@ -30,11 +30,10 @@ gitea: oauth: - name: 'Keycloak' provider: 'openidConnect' - # or with 'key' and 'secret' parameter directly keys: 'forgejo' secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY' # existingSecret: gitea-credentials - autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration' + autoDiscoverUrl: 'https://gitea.runner.c-one-infra.de/.well-known/openid-configuration' service: ssh: -- 2.45.2 From 348a27d7c0a963e63003f386d50d0e1b2f91dc1e Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 25 Feb 2025 14:01:01 +0100 Subject: [PATCH 05/27] debugging --- template/stacks/core/forgejo/values.yaml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 0c07fa2..9d724cd 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -27,13 +27,18 @@ gitea: server: DOMAIN: 'gitea.{{{ .Env.DOMAIN }}}' ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443' - oauth: - - name: 'Keycloak' - provider: 'openidConnect' - keys: 'forgejo' - secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY' - # existingSecret: gitea-credentials - autoDiscoverUrl: 'https://gitea.runner.c-one-infra.de/.well-known/openid-configuration' + +oauth2_client: + ENABLE_AUTO_REGISTRATION: true + ACCOUNT_LINKING: auto + +oauth: + - name: 'Keycloak' + provider: 'openidConnect' + key: 'forgejo' + secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY' + # existingSecret: gitea-credentials + autoDiscoverUrl: 'https://gitea.runner.c-one-infra.de/.well-known/openid-configuration' service: ssh: -- 2.45.2 From c2fa44adc35ca5af733e363b946ad5183078dd0d Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 25 Feb 2025 14:06:38 +0100 Subject: [PATCH 06/27] debugging --- template/stacks/core/forgejo/values.yaml | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) 
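Review bot: `autoDiscoverUrl` is changed to `https://gitea.runner.c-one-infra.de/…`, a host from one specific environment, in a template whose other URLs derive from `{{{ .Env.DOMAIN }}}`, so every rendered installation would try to load OIDC metadata from that external host. The same environment-specific hostnames recur in PATCH 09/27 and PATCH 11/27 and as `DOMAIN=192-168-197-2.c-one-infra.de` in PATCH 27/27. The value should stay templated and point at the Keycloak realm rather than the Gitea host, `autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration'`.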
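Review bot: The added `oauth2_client:` and `oauth:` keys start at column 0 (no space after the `+`), so they leave the `gitea:` mapping and become top-level values the chart never reads; PATCH 06/27 re-indents them. Separately, `ACCOUNT_LINKING: auto` together with `ENABLE_AUTO_REGISTRATION: true` lets a Keycloak login attach itself to an existing Forgejo account on an e-mail match, which makes the realm's e-mail data the account-ownership boundary (see the `emailVerified` seeds in PATCH 02/27). If that is intended it deserves a comment next to the key, `# auto: links a Keycloak identity to an existing local account by e-mail; the realm must control e-mail addresses`; otherwise `ACCOUNT_LINKING: login` keeps the user in the loop.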
diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 9d724cd..3d5a230 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -27,18 +27,16 @@ gitea: server: DOMAIN: 'gitea.{{{ .Env.DOMAIN }}}' ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443' - -oauth2_client: - ENABLE_AUTO_REGISTRATION: true - ACCOUNT_LINKING: auto - -oauth: - - name: 'Keycloak' - provider: 'openidConnect' - key: 'forgejo' - secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY' - # existingSecret: gitea-credentials - autoDiscoverUrl: 'https://gitea.runner.c-one-infra.de/.well-known/openid-configuration' + oauth2_client: + ENABLE_AUTO_REGISTRATION: true + ACCOUNT_LINKING: auto + oauth: + - name: 'Keycloak' + provider: 'openidConnect' + key: 'forgejo' + secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY' + # existingSecret: gitea-credentials + autoDiscoverUrl: 'https://gitea.runner.c-one-infra.de/.well-known/openid-configuration' service: ssh: -- 2.45.2 From 109198d96fbfc7cd6280a16b7fbd060d0910c8f2 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 25 Feb 2025 14:33:32 +0100 Subject: [PATCH 07/27] debugging --- template/stacks/core/forgejo/values.yaml | 2 +- .../keycloak/manifests/keycloak-config.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 3d5a230..c1be3ca 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -36,7 +36,7 @@ gitea: key: 'forgejo' secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY' # existingSecret: gitea-credentials - autoDiscoverUrl: 'https://gitea.runner.c-one-infra.de/.well-known/openid-configuration' + autoDiscoverUrl: 'https://gitea.{{{ .Env.DOMAIN }}}/.well-known/openid-configuration' service: ssh: 
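Review bot: After re-indenting, `oauth2_client:` and `oauth:` sit at the same level inside the `gitea:` subtree, but the chart reads app.ini sections from `gitea.config.<section>` and the provider list from `gitea.oauth`, which is exactly how PATCH 27/27 later writes them (`.gitea.config.oauth2_client` and `.gitea.oauth`). Indentation is lost in this view, so I cannot tell which of the two is misplaced, but one of them is: if both are siblings of `server:` (under `config`) then `oauth` is ignored, and if both are siblings of `config:` then `oauth2_client` is. Checking the rendered values against the chart would save the next debugging iterations (PATCH 10/27 to 13/27 move these lines again).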
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 798c735..c6b407e 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -200,10 +200,10 @@ data: "oidc.ciba.grant.enabled": false }, "alwaysDisplayInConsole": false, - "rootUrl": "https://{{{ .Env.DOMAIN }}}", + "rootUrl": "https://gitea.{{{ .Env.DOMAIN }}}", "baseUrl": "", "redirectUris": [ - "https://{{{ .Env.DOMAIN }}}/*" + "https://gitea.{{{ .Env.DOMAIN }}}/*" ], "webOrigins": [ "/*" -- 2.45.2 From 456dc397f88ae03e67513e3039f4829cbbfb4cee Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 25 Feb 2025 14:39:32 +0100 Subject: [PATCH 08/27] debugging --- template/stacks/core/forgejo/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index c1be3ca..05bed49 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -36,7 +36,7 @@ gitea: key: 'forgejo' secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY' # existingSecret: gitea-credentials - autoDiscoverUrl: 'https://gitea.{{{ .Env.DOMAIN }}}/.well-known/openid-configuration' + autoDiscoverUrl: 'https://gitea.{{{ .Env.DOMAIN }}}/realms/cnoe/.well-known/openid-configuration' service: ssh: -- 2.45.2 From bc3a5ee0e2b45935e1287652b724b7e9dfd6a135 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 25 Feb 2025 14:46:48 +0100 Subject: [PATCH 09/27] debugging --- template/stacks/core/forgejo/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 05bed49..f8cf3c3 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml 
@@ -36,7 +36,7 @@ gitea: key: 'forgejo' secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY' # existingSecret: gitea-credentials - autoDiscoverUrl: 'https://gitea.{{{ .Env.DOMAIN }}}/realms/cnoe/.well-known/openid-configuration' + autoDiscoverUrl: 'https://auth.gitea.runner.c-one-infra.de/realms/cnoe/.well-known/openid-configuration' service: ssh: -- 2.45.2 From f3ad8444e863038cd00facc95644d7346336f47b Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 25 Feb 2025 14:52:24 +0100 Subject: [PATCH 10/27] debugging --- template/stacks/core/forgejo/values.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index f8cf3c3..49cc05e 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -30,13 +30,6 @@ gitea: oauth2_client: ENABLE_AUTO_REGISTRATION: true ACCOUNT_LINKING: auto - oauth: - - name: 'Keycloak' - provider: 'openidConnect' - key: 'forgejo' - secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY' - # existingSecret: gitea-credentials - autoDiscoverUrl: 'https://auth.gitea.runner.c-one-infra.de/realms/cnoe/.well-known/openid-configuration' service: ssh: -- 2.45.2 From 3c65ec704e02459f17cb9143b301f598d0df842a Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 25 Feb 2025 14:59:27 +0100 Subject: [PATCH 11/27] debugging --- template/stacks/core/forgejo/values.yaml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 49cc05e..5ec79db 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml 
@@ -29,7 +29,14 @@ gitea: ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443' oauth2_client: ENABLE_AUTO_REGISTRATION: true - ACCOUNT_LINKING: auto + ACCOUNT_LINKING: auto + oauth: + - name: 'Keycloak' + provider: 'openidConnect' + key: 'forgejo' + secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY' + # existingSecret: gitea-credentials + autoDiscoverUrl: 'https://runner.c-one-infra.de/keycloak/realms/cnoe/.well-known/openid-configuration' service: ssh: -- 2.45.2 From 45f84b30b18755c757def1db6c0f945d10751c55 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 25 Feb 2025 15:12:19 +0100 Subject: [PATCH 12/27] debugging --- template/stacks/core/forgejo/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 5ec79db..a0bb605 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -30,7 +30,7 @@ gitea: oauth2_client: ENABLE_AUTO_REGISTRATION: true ACCOUNT_LINKING: auto - oauth: + oauth: - name: 'Keycloak' provider: 'openidConnect' key: 'forgejo' -- 2.45.2 From 95c45ded96e9564b7fe884c5ec1e51d32f80fcb9 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 25 Feb 2025 15:18:35 +0100 Subject: [PATCH 13/27] debugging --- template/stacks/core/forgejo/values.yaml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index a0bb605..d849b37 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml 
@@ -29,14 +29,7 @@ gitea: ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443' oauth2_client: ENABLE_AUTO_REGISTRATION: true - ACCOUNT_LINKING: auto - oauth: - - name: 'Keycloak' - provider: 'openidConnect' - key: 'forgejo' - secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY' - # existingSecret: gitea-credentials - autoDiscoverUrl: 'https://runner.c-one-infra.de/keycloak/realms/cnoe/.well-known/openid-configuration' + ACCOUNT_LINKING: auto service: ssh: -- 2.45.2 From d22ea7c82a5a309afb6828174a40f98b8cae6827 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 25 Feb 2025 15:45:17 +0100 Subject: [PATCH 14/27] debugging --- template/stacks/core/forgejo/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index d849b37..fcfb59a 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -30,6 +30,8 @@ gitea: oauth2_client: ENABLE_AUTO_REGISTRATION: true ACCOUNT_LINKING: auto + ssh: + logLevel: 'DEBUG' service: ssh: -- 2.45.2 From 1b565de935b8444c6fef08d52c370e125b58a917 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Wed, 26 Feb 2025 16:32:55 +0100 Subject: [PATCH 15/27] forgejo config for sso --- template/stacks/core/forgejo/values.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index fcfb59a..32d7242 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -30,8 +30,13 @@ gitea: oauth2_client: ENABLE_AUTO_REGISTRATION: true ACCOUNT_LINKING: auto - ssh: - logLevel: 'DEBUG' + oauth: + - name: 'Keycloak' + provider: 'openidConnect' + # key: 'forgejo' + # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu' + existingSecret: gitea-credentials + autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration' service: ssh: -- 2.45.2 
From fd0df35b1ae00028195e59ef1a8c21de6f2b19cf Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Wed, 26 Feb 2025 16:48:18 +0100 Subject: [PATCH 16/27] forgejo oauth uses existing secret --- template/stacks/core/forgejo/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 32d7242..c4216b9 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -35,7 +35,7 @@ gitea: provider: 'openidConnect' # key: 'forgejo' # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu' - existingSecret: gitea-credentials + existingSecret: forgejo-oidc autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration' service: -- 2.45.2 From a2b3e0cbd3323400aff676f57dfcf950810d5004 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Thu, 27 Feb 2025 13:15:27 +0100 Subject: [PATCH 17/27] testing --- template/stacks/core/forgejo/values.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 3ec4778..4d81041 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -30,13 +30,13 @@ gitea: oauth2_client: ENABLE_AUTO_REGISTRATION: true ACCOUNT_LINKING: auto - oauth: - - name: 'Keycloak' - provider: 'openidConnect' - # key: 'forgejo' - # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu' - existingSecret: forgejo-oidc - autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration' +# oauth: +# - name: 'Keycloak' +# provider: 'openidConnect' +# # key: 'forgejo' +# # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu' +# existingSecret: forgejo-oidc +# autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration' service: ssh: -- 2.45.2 
From b804f2293fe9a013a9a0b36c93b3aa0b36deba2e Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Thu, 27 Feb 2025 13:32:12 +0100 Subject: [PATCH 18/27] extends keycloak-config.yaml --- template/stacks/core/forgejo/secret.yaml | 4 +- .../keycloak/manifests/keycloak-config.yaml | 39 ++++++++++++++++--- 2 files changed, 36 insertions(+), 7 deletions(-) diff --git a/template/stacks/core/forgejo/secret.yaml b/template/stacks/core/forgejo/secret.yaml index 231a7f0..7d33fd6 100644 --- a/template/stacks/core/forgejo/secret.yaml +++ b/template/stacks/core/forgejo/secret.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Secret metadata: - name: gitea-credentials + name: forgejo-oidc namespace: gitea type: Opaque stringData: key: forgejo - secret: nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY \ No newline at end of file + secret: uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu \ No newline at end of file diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index c6b407e..baff0ef 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -200,10 +200,10 @@ data: "oidc.ciba.grant.enabled": false }, "alwaysDisplayInConsole": false, - "rootUrl": "https://gitea.{{{ .Env.DOMAIN }}}", + "rootUrl": "https://{{{ .Env.DOMAIN_GITEA }}}:443", "baseUrl": "", "redirectUris": [ - "https://gitea.{{{ .Env.DOMAIN }}}/*" + "https://{{{ .Env.DOMAIN_GITEA }}}/*" ], "webOrigins": [ "/*" 
@@ -370,12 +370,39 @@ spec: -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + + =$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + + echo "creating Forgejo client" + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X POST --data @/var/config/forgejo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients + + CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "forgejo") | .id') + + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | 
.id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + + FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') @@ -394,6 +421,8 @@ spec: ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN} BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET} BACKSTAGE_CLIENT_ID: backstage + FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET} + FORGEJO_CLIENT_ID: forgejo " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml -- 2.45.2 From d0fb858a817f097dcc4d378a0df08d37510783b0 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Mon, 3 Mar 2025 13:40:34 +0100 Subject: [PATCH 19/27] debugging --- .../ref-implementation/keycloak/manifests/keycloak-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index baff0ef..e6d0a4c 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -378,7 +378,7 @@ spec: -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} - =$(curl -sS -H "Content-Type: application/json" \ + curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') -- 2.45.2 From 6b18ed0443718d59386aff05f7ae8dea3ba3eaa1 Mon Sep 17 00:00:00 2001 
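Review bot: The line `=$(curl … | jq -e -r '.secret')` has lost its assignment target (`BACKSTAGE_CLIENT_SECRET=` was dropped when the block was re-wrapped), so bash executes the substituted value as a command name: the backstage client secret lands in the Job log as a `command not found` error and `${BACKSTAGE_CLIENT_SECRET}` is empty when the Secret is echoed in the next hunk. PATCH 19/27 turns it into `curl …` with a dangling `)` and PATCH 21/27 finally restores `BACKSTAGE_CLIENT_SECRET=$(curl …)`; those three should be squashed so the broken states never land. The Forgejo `POST …/clients` is also not checked for success, so a re-run's `409` or a rejected payload is silently skipped and the later `jq -e` lookups proceed against whatever exists; `curl -f` or an explicit status check would make the Job fail loudly. The script body continues before and after this hunk.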
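Review bot: The two new entries add `FORGEJO_CLIENT_SECRET` to the YAML that `echo` writes to `/tmp/secret.yaml` before `./kubectl apply -f /tmp/secret.yaml`, so both client secrets remain on the container filesystem after the apply. Feeding the document to kubectl over stdin avoids the file entirely, `… " | ./kubectl apply -f -`. The values are also interpolated unquoted into YAML; Keycloak-generated secrets look alphanumeric, but `FORGEJO_CLIENT_SECRET: "${FORGEJO_CLIENT_SECRET}"` removes any dependence on that. The `echo` statement begins outside the hunk.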
From: "franz.germann" Date: Tue, 4 Mar 2025 12:41:32 +0100 Subject: [PATCH 20/27] adds external secret for forgejo client --- .../forgejo/forgejo-sso/secret-forgejo.yaml | 21 +++++++++++++++++++ template/stacks/core/forgejo/secret.yaml | 9 -------- template/stacks/core/forgejo/values.yaml | 2 +- 3 files changed, 22 insertions(+), 10 deletions(-) create mode 100644 template/stacks/core/forgejo/forgejo-sso/secret-forgejo.yaml delete mode 100644 template/stacks/core/forgejo/secret.yaml diff --git a/template/stacks/core/forgejo/forgejo-sso/secret-forgejo.yaml b/template/stacks/core/forgejo/forgejo-sso/secret-forgejo.yaml new file mode 100644 index 0000000..09318c3 --- /dev/null +++ b/template/stacks/core/forgejo/forgejo-sso/secret-forgejo.yaml @@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: auth-generic-oauth-secret + namespace: gitea +spec: + secretStoreRef: + name: keycloak + kind: ClusterSecretStore + refreshInterval: "0" + target: + name: auth-generic-oauth-secret + template: + engineVersion: v2 + data: + client_secret: "{{.FORGEJO_CLIENT_SECRET}}" + data: + - secretKey: FORGEJO_CLIENT_SECRET + remoteRef: + key: keycloak-clients + property: FORGEJO_CLIENT_SECRET \ No newline at end of file diff --git a/template/stacks/core/forgejo/secret.yaml b/template/stacks/core/forgejo/secret.yaml deleted file mode 100644 index 7d33fd6..0000000 --- a/template/stacks/core/forgejo/secret.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: forgejo-oidc - namespace: gitea -type: Opaque -stringData: - key: forgejo - secret: uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu \ No newline at end of file diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 4d81041..b24d023 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml 
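Review bot: The new ExternalSecret renders `auth-generic-oauth-secret` with a single key, `client_secret`, while the secret.yaml deleted in this same commit supplied the pair `key: forgejo` / `secret: …` that the chart's `existingSecret` consumes (PATCH 01/27's comment "or with 'key' and 'secret' parameter directly" refers to those names). When PATCH 26/27 points `existingSecret: auth-generic-oauth-secret` at this Secret, Forgejo will find neither `key` nor `secret`. The template data should mirror the old manifest: `key: forgejo` and `secret: "{{.FORGEJO_CLIENT_SECRET}}"`. `refreshInterval: "0"` also means the Secret is materialised once; if the Keycloak Job ever re-creates the client the rotated secret is not picked up — presumably fine for a one-shot bootstrap, but worth a comment on that line.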
@@ -31,7 +31,7 @@ gitea: ENABLE_AUTO_REGISTRATION: true ACCOUNT_LINKING: auto # oauth: -# - name: 'Keycloak' +# - name: 'Keycloak' # provider: 'openidConnect' # # key: 'forgejo' # # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu' -- 2.45.2 From c298530caa1dd640d7dad8986b7136dc01bf7ef8 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Wed, 5 Mar 2025 12:39:34 +0100 Subject: [PATCH 21/27] fixes syntax error --- .../ref-implementation/keycloak/manifests/keycloak-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index e6d0a4c..0e202f1 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -378,7 +378,7 @@ spec: -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} - curl -sS -H "Content-Type: application/json" \ + BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') -- 2.45.2 From 68166e110e976af2dbce8a3357866e1ec501cdb9 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Wed, 5 Mar 2025 14:46:11 +0100 Subject: [PATCH 22/27] adds defaultClientScopes to forgejo-client-payload.json --- .../keycloak/manifests/keycloak-config.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 0e202f1..752ba7d 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml 
@@ -208,6 +208,15 @@ data: "webOrigins": [ "/*" ] + "defaultClientScopes": [ + "web-origins", + "acr", + "offline_access", + "roles", + "profile", + "groups", + "email" + ] } --- -- 2.45.2 From d972b3846c31bf3626bc2dd622486a837f3f7f18 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Mon, 10 Mar 2025 10:38:37 +0100 Subject: [PATCH 23/27] adds tip for admin permissions --- template/stacks/core/forgejo/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index b24d023..1517571 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -36,7 +36,8 @@ gitea: # # key: 'forgejo' # # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu' # existingSecret: forgejo-oidc -# autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration' +# autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration' +# # admin-group: is to specify which keycloak group has forgejo admin permissions service: ssh: -- 2.45.2 From b54d689edb0a6063aad1cff359e9583541e006c3 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 18 Mar 2025 10:38:37 +0100 Subject: [PATCH 24/27] adds argocd application for forgejo-sso --- template/stacks/core/forgejo-sso.yaml | 29 +++++++++++++++++++ .../forgejo-sso/secret-forgejo.yaml | 0 2 files changed, 29 insertions(+) create mode 100644 template/stacks/core/forgejo-sso.yaml rename template/stacks/core/{forgejo => }/forgejo-sso/secret-forgejo.yaml (100%) diff --git a/template/stacks/core/forgejo-sso.yaml b/template/stacks/core/forgejo-sso.yaml new file mode 100644 index 0000000..6402b41 --- /dev/null +++ b/template/stacks/core/forgejo-sso.yaml 
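Review bot: The inserted `"defaultClientScopes"` array follows `"webOrigins": [ "/*" ]` without a separating comma, so the payload is no longer valid JSON and Keycloak rejects the `POST …/clients` (the Job's `curl -sS` does not fail on a 4xx, so the run continues with no Forgejo client). The context line needs to become `"webOrigins": [ "/*" ],`. Including `offline_access` in the defaults also grants offline refresh tokens to a browser-SSO client that only needs a login session; unless Forgejo uses them, leave it out and keep `profile`, `email`, `roles`, `groups`, `web-origins`, `acr`. With `groups` in this list the separate `PUT …/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}` for the Forgejo client in the Job becomes redundant.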
@@ -0,0 +1,29 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: forgejo-sso + namespace: argocd + labels: + env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder + targetRevision: HEAD + path: "stacks/core/forgejo-sso" + destination: + server: "https://kubernetes.default.svc" + namespace: gitea + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + selfHeal: true + retry: + limit: -1 + backoff: + duration: 15s + factor: 1 + maxDuration: 15s \ No newline at end of file diff --git a/template/stacks/core/forgejo/forgejo-sso/secret-forgejo.yaml b/template/stacks/core/forgejo-sso/secret-forgejo.yaml similarity index 100% rename from template/stacks/core/forgejo/forgejo-sso/secret-forgejo.yaml rename to template/stacks/core/forgejo-sso/secret-forgejo.yaml -- 2.45.2 From b6a276689bfc82029a9761e6b82f779d202b64b4 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Wed, 9 Apr 2025 12:18:19 +0200 Subject: [PATCH 25/27] removes the rest of initial sso config from values.yaml --- template/stacks/core/forgejo/values.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 781ef5b..bf61379 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -27,9 +27,6 @@ gitea: server: DOMAIN: '{{{ .Env.DOMAIN_GITEA }}}' ROOT_URL: 'https://{{{ .Env.DOMAIN_GITEA }}}:443' - oauth2_client: - ENABLE_AUTO_REGISTRATION: true - ACCOUNT_LINKING: auto mailer: ENABLED: true FROM: forgejo@{{{ .Env.DOMAIN_GITEA }}} -- 2.45.2 From 2c4866f2c93754396d608c6b49415d948261d6f9 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Thu, 10 Apr 2025 11:33:24 +0200 Subject: [PATCH 26/27] removes comments --- template/stacks/core/forgejo-sso/forgejo-sso-config.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml index b3c069c..dc8264c 100644 --- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml +++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml @@ -6,8 +6,5 @@ gitea: oauth: - name: 'Keycloak' provider: 'openidConnect' - # key: 'forgejo' - # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu' existingSecret: auth-generic-oauth-secret - autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration' - # admin-group: is to specify which keycloak group has forgejo admin permissions \ No newline at end of file + autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration' \ No newline at end of file -- 2.45.2 From 85c7ea1dbb086a66e64caf7fc61d07862ab102d5 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Fri, 11 Apr 2025 15:37:30 +0200 Subject: [PATCH 27/27] adds job to append the sso config to the values.yaml of Forgejo --- .../core/forgejo-sso/forgejo-sso-config.yaml | 70 ++++++++++++++++--- 1 file changed, 60 insertions(+), 10 deletions(-) diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml index dc8264c..6b4a9f2 100644 --- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml +++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml 
@@ -1,10 +1,60 @@ -gitea: - config: - oauth2_client: - ENABLE_AUTO_REGISTRATION: true - ACCOUNT_LINKING: auto - oauth: - - name: 'Keycloak' - provider: 'openidConnect' - existingSecret: auth-generic-oauth-secret - autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration' \ No newline at end of file +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: forgejo-config + namespace: gitea +# annotations: +# argocd.argoproj.io/hook: PostSync +spec: + template: + metadata: + generateName: forgejo-config- + spec: + # serviceAccountName: forgejo-config + restartPolicy: Never + containers: + - name: push + image: docker.io/library/ubuntu:22.04 + command: ["/bin/bash", "-c"] + args: + - | + #! /bin/bash + + apt-get install git-all + wget https://github.com/mikefarah/yq/releases/download/${VERSION}/${BINARY} -O /usr/bin/yq && chmod +x /usr/bin/yq + + DOMAIN=192-168-197-2.c-one-infra.de + + git clone https://gitea-${DOMAIN}/giteaAdmin/edfbuilder.git + cd edfbuilder + yq eval ".gitea.oauth = [ + { + \"name\": \"Keycloak\", + \"provider\": \"openidConnect\", + \"existingSecret\": \"auth-generic-oauth-secret\", + \"autoDiscoverUrl\": \"https://${DOMAIN}/keycloak/realms/cnoe/.well-known/openid-configuration\" + } + ] | + (.gitea.oauth[] | .name) |= (. style=\"single\") + | + (.gitea.oauth[] | .provider) |= (. style=\"single\") + | + (.gitea.oauth[] | .existingSecret) |= (. style=\"single\") + | + (.gitea.oauth[] | .autoDiscoverUrl) |= (. style=\"single\") + " -i stacks/core/forgejo/values.yaml + + yq eval '.gitea.config.oauth2_client = + { + "ENABLE_AUTO_REGISTRATION" : true, + "ACCOUNT_LINKING" : "auto" + } + ' -i stacks/core/forgejo/values.yaml + + git add stacks/core/forgejo/values.yaml + git commit -m "adds Forgejo SSO config" + git push + + + -- 2.45.2
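Review bot: The new Job's script cannot succeed as written and nothing in it would report that: `${VERSION}` and `${BINARY}` are never set so the `wget` URL is `…/download//`, `apt-get install git-all` runs without `apt-get update` or `-y` on an image that does not appear to ship `wget`, `DOMAIN` is hard-coded to `192-168-197-2.c-one-infra.de` instead of `{{{ .Env.DOMAIN }}}`, and `git commit`/`git push` have neither an identity nor credentials. Without `set -euo pipefail` each step fails silently and the Job exits 0, so the SSO block is never appended while Argo reports the resource healthy. From a supply-chain view the yq binary is fetched unpinned and executed as root with no checksum check; pin the release and verify it against the checksums file the release publishes. Git credentials should come from a Secret exposed as environment variables (a token scoped to push on `edfbuilder`), the clone host should use `{{{ .Env.DOMAIN_GITEA }}}` like the Application in PATCH 24/27, and the commented-out `serviceAccountName` should be a dedicated account. The `yq eval` blocks are unchanged in the rewrite below.
```yaml
      args:
        - |
          set -euo pipefail

          apt-get update && apt-get install -y --no-install-recommends git ca-certificates wget
          # pin yq and verify it; both values are placeholders to be filled from the chosen release
          VERSION="<pinned-yq-release>"
          BINARY="yq_linux_amd64"
          YQ_SHA256="<sha256-from-the-release-checksums-file>"
          wget "https://github.com/mikefarah/yq/releases/download/${VERSION}/${BINARY}" -O /usr/bin/yq
          echo "${YQ_SHA256}  /usr/bin/yq" | sha256sum -c -
          chmod +x /usr/bin/yq

          DOMAIN='{{{ .Env.DOMAIN }}}'

          # GIT_USERNAME / GIT_TOKEN are env vars populated from a Secret (names chosen here)
          git config --global credential.helper '!f() { echo "username=${GIT_USERNAME}"; echo "password=${GIT_TOKEN}"; }; f'
          git config --global user.name "forgejo-config job"
          git config --global user.email "forgejo-config@${DOMAIN}"
          git clone 'https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git'
          cd edfbuilder
          # … unchanged: yq eval blocks writing .gitea.oauth and .gitea.config.oauth2_client …
          git add stacks/core/forgejo/values.yaml
          git commit -m "adds Forgejo SSO config"
          git push
```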