WIP: IPCEICIS-2293_oidc_in_forgejo #12
5 changed files with 170 additions and 3 deletions
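--- /dev/null
+++ b/template/stacks/core/forgejo-sso.yaml
@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: forgejo-sso
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+    path: "stacks/core/forgejo-sso"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: gitea
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s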
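Review bot: `retry.limit: -1` together with `factor: 1` under `syncPolicy` retries a failing sync forever at a flat 15s cadence, so a sync that can never succeed (for example the one-shot Job this Application deploys) is never reported as failed, only kept busy. A finite budget such as `limit: 10`, `factor: 2`, `maxDuration: 5m` still absorbs transient errors but lets Argo CD surface the failure. The other Applications in this repo are not in view, so if `-1` is the repo-wide convention treat this as a style point only.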
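--- /dev/null
+++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml
@@ -0,0 +1,60 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: forgejo-config
+  namespace: gitea
+  # annotations:
+  #   argocd.argoproj.io/hook: PostSync
+spec:
+  template:
+    metadata:
+      generateName: forgejo-config-
+    spec:
+      # serviceAccountName: forgejo-config
+      restartPolicy: Never
+      containers:
+        - name: push
+          image: docker.io/library/ubuntu:22.04
+          command: ["/bin/bash", "-c"]
+          args:
+            - |
+              #! /bin/bash
+
+              apt-get install git-all
+              wget https://github.com/mikefarah/yq/releases/download/${VERSION}/${BINARY} -O /usr/bin/yq && chmod +x /usr/bin/yq
+
+              DOMAIN=192-168-197-2.c-one-infra.de
+
+              git clone https://gitea-${DOMAIN}/giteaAdmin/edfbuilder.git
+              cd edfbuilder
+              yq eval ".gitea.oauth = [
+                  {
+                    \"name\": \"Keycloak\",
+                    \"provider\": \"openidConnect\",
+                    \"existingSecret\": \"auth-generic-oauth-secret\",
+                    \"autoDiscoverUrl\": \"https://${DOMAIN}/keycloak/realms/cnoe/.well-known/openid-configuration\"
+                  }
+              ] |
+              (.gitea.oauth[] | .name) |= (. style=\"single\")
+              |
+              (.gitea.oauth[] | .provider) |= (. style=\"single\")
+              |
+              (.gitea.oauth[] | .existingSecret) |= (. style=\"single\")
+              |
+              (.gitea.oauth[] | .autoDiscoverUrl) |= (. style=\"single\")
+              " -i stacks/core/forgejo/values.yaml
+
+              yq eval '.gitea.config.oauth2_client =
+              {
+                "ENABLE_AUTO_REGISTRATION" : true,
+                "ACCOUNT_LINKING" : "auto"
+              }
+              ' -i stacks/core/forgejo/values.yaml
+
+              git add stacks/core/forgejo/values.yaml
+              git commit -m "adds Forgejo SSO config"
+              git push
+
+
+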
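--- /dev/null
+++ b/template/stacks/core/forgejo-sso/secret-forgejo.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: auth-generic-oauth-secret
+  namespace: gitea
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: auth-generic-oauth-secret
+    template:
+      engineVersion: v2
+      data:
+        client_secret: "{{.FORGEJO_CLIENT_SECRET}}"
+  data:
+    - secretKey: FORGEJO_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: FORGEJO_CLIENT_SECRET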
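Review bot: The rendered Secret carries only a `client_secret` entry, but the consumer named in the Job (`existingSecret: auth-generic-oauth-secret` under `gitea.oauth`) is the Gitea/Forgejo chart's `existingSecret`, which as far as I know expects `key` (client ID) and `secret` entries — confirm against the chart version pinned in `stacks/core/forgejo`, because with the wrong key names the provider is created without credentials. The Keycloak job in this PR already writes `FORGEJO_CLIENT_ID: forgejo` alongside the secret into `keycloak-clients`, so both values can be pulled from the same remote key. `refreshInterval: "0"` additionally means a client secret rotated in Keycloak never reaches Forgejo until this ExternalSecret is deleted and recreated; a periodic interval costs nothing here.
```yaml
  target:
    name: auth-generic-oauth-secret
    template:
      engineVersion: v2
      data:
        key: "{{.FORGEJO_CLIENT_ID}}"
        secret: "{{.FORGEJO_CLIENT_SECRET}}"
  data:
    - secretKey: FORGEJO_CLIENT_ID
      remoteRef:
        key: keycloak-clients
        property: FORGEJO_CLIENT_ID
    - secretKey: FORGEJO_CLIENT_SECRET
      remoteRef:
        key: keycloak-clients
        property: FORGEJO_CLIENT_SECRET
```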
@ -181,6 +181,34 @@ data:
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
forgejo-client-payload.json: |
|
||||||
|
{
|
||||||
|
"protocol": "openid-connect",
|
||||||
|
"clientId": "forgejo",
|
||||||
|
"name": "Forgejo Client",
|
||||||
|
"description": "Used for Forgejo SSO",
|
||||||
|
"publicClient": false,
|
||||||
|
"authorizationServicesEnabled": false,
|
||||||
|
"serviceAccountsEnabled": false,
|
||||||
|
"implicitFlowEnabled": false,
|
||||||
|
"directAccessGrantsEnabled": true,
|
||||||
|
"standardFlowEnabled": true,
|
||||||
|
"frontchannelLogout": true,
|
||||||
|
"attributes": {
|
||||||
|
"saml_idp_initiated_sso_url_name": "",
|
||||||
|
"oauth2.device.authorization.grant.enabled": false,
|
||||||
|
"oidc.ciba.grant.enabled": false
|
||||||
|
},
|
||||||
|
"alwaysDisplayInConsole": false,
|
||||||
|
"rootUrl": "https://{{{ .Env.DOMAIN_GITEA }}}:443",
|
||||||
|
"baseUrl": "",
|
||||||
|
"redirectUris": [
|
||||||
|
"https://{{{ .Env.DOMAIN_GITEA }}}/*"
|
||||||
|
],
|
||||||
|
"webOrigins": [
|
||||||
|
"/*"
|
||||||
|
]
|
||||||
|
|
||||||
grafana-client-payload.json: |
|
grafana-client-payload.json: |
|
||||||
{
|
{
|
||||||
"clientId": "grafana",
|
"clientId": "grafana",
|
||||||
|
@ -400,13 +428,40 @@ spec:
|
||||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id')
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id')
|
||||||
|
|
||||||
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
|
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||||
curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
|
||||||
|
|
||||||
|
curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
||||||
|
|
||||||
BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
||||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
||||||
|
|
||||||
|
echo "creating Forgejo client"
|
||||||
|
curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X POST --data @/var/config/forgejo-client-payload.json \
|
||||||
|
${KEYCLOAK_URL}/admin/realms/cnoe/clients
|
||||||
|
|
||||||
|
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "forgejo") | .id')
|
||||||
|
|
||||||
|
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
|
||||||
|
|
||||||
|
curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
||||||
|
|
||||||
|
FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
||||||
|
|
||||||
ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
|
ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
|
||||||
|
|
||||||
ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
|
ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
|
||||||
|
@ -424,6 +479,8 @@ spec:
|
||||||
ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
|
ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
|
||||||
BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
|
BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
|
||||||
BACKSTAGE_CLIENT_ID: backstage
|
BACKSTAGE_CLIENT_ID: backstage
|
||||||
|
FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET}
|
||||||
|
FORGEJO_CLIENT_ID: forgejo
|
||||||
GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
|
GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
|
||||||
GRAFANA_CLIENT_ID: grafana
|
GRAFANA_CLIENT_ID: grafana
|
||||||
" > /tmp/secret.yaml
|
" > /tmp/secret.yaml
|
||||||
|
|
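Review bot: `forgejo-client-payload.json` sets `"directAccessGrantsEnabled": true` and registers the wildcard redirect `https://{{{ .Env.DOMAIN_GITEA }}}/*`, neither of which the Forgejo login needs: Forgejo uses only the authorization-code flow already enabled by `standardFlowEnabled` and a fixed callback path, so ROPC should be off and the redirect narrowed to it, e.g. `"directAccessGrantsEnabled": false,` and `"redirectUris": ["https://{{{ .Env.DOMAIN_GITEA }}}/user/oauth2/Keycloak/callback"]` (the last path segment is the `name: Keycloak` the values file sets; confirm the exact callback with the running instance). A host-wide wildcard lets Keycloak deliver an authorization code to any page on that origin, turning any open redirect or reflected content on Forgejo into a code leak, and ROPC lets a client secret holder exchange raw passwords for tokens. `"webOrigins": ["/*"]` looks like it was meant to be Keycloak's `+` (origins of the registered redirect URIs); `"/*"` is not a special value as far as I know. In the client-creation hunk the POST under `creating Forgejo client` is not checked and will return 409 on a rerun, so the following `CLIENT_ID` lookup depends on `jq -e` failing loudly; the enclosing script starts outside this hunk so I cannot tell whether `set -e` is in effect.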