DevFW-CICD/stacks
12
0
Fork 1
Code Issues Pull requests 2 Projects Releases Packages Wiki Activity Actions

WIP: IPCEICIS-2435_oidc_in_argocd #15

Closed
Franz.Germann wants to merge 14 commits from feature/IPCEICIS-2435_oidc_in_argocd into development
pull from: feature/IPCEICIS-2435_oidc_in_argocd
merge into: DevFW-CICD:development
Conversation 0 Commits 14 Files changed 4 +139 -12
4 changed files with 139 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
template/stacks/core/argocd-sso.yaml Normal file
View file

@ -0,0 +1,29 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: argocd-sso
namespace: argocd
labels:
env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/core/argocd-sso"
destination:
server: "https://kubernetes.default.svc"
namespace: argocd
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
selfHeal: true
retry:
limit: -1
backoff:
duration: 15s
factor: 1
maxDuration: 15s

21
template/stacks/core/argocd-sso/argocd-secret.yaml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: auth-generic-oauth-secret
namespace: argocd
spec:
secretStoreRef:
name: keycloak
kind: ClusterSecretStore
refreshInterval: "0"
target:
name: auth-generic-oauth-secret
template:
engineVersion: v2
data:
client_secret: "{{.ARGOCD_CLIENT_SECRET}}"
data:
- secretKey: ARGOCD_CLIENT_SECRET
remoteRef:
key: keycloak-clients
property: ARGOCD_CLIENT_SECRET

6
template/stacks/core/argocd/values.yaml
View file

@ -22,6 +22,12 @@ configs:
- "*" - "*"
accounts.provider-argocd: apiKey accounts.provider-argocd: apiKey
url: https://{{{ .Env.DOMAIN }}}/argocd url: https://{{{ .Env.DOMAIN }}}/argocd
oidc.config: |
name: Keycloak
issuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe
clientID: argocd
clientSecret: $keycloak-oidc:clientSecret
requestedScopes: ["openid", "profile", "email", "groups"]
rbac: rbac:
policy.csv: 'g, provider-argocd, role:admin' policy.csv: 'g, provider-argocd, role:admin'

81
template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
View file

@ -219,6 +219,44 @@ data:
] ]
} }
argocd-client-payload.json: |
{
"protocol": "openid-connect",
"clientId": "argocd",
"name": "ArgoCD Client",
"description": "Used for ArgoCD SSO",
"publicClient": false,
"authorizationServicesEnabled": false,
"serviceAccountsEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"standardFlowEnabled": true,
"frontchannelLogout": true,
"attributes": {
"saml_idp_initiated_sso_url_name": "",
"oauth2.device.authorization.grant.enabled": false,
"oidc.ciba.grant.enabled": false
},
"alwaysDisplayInConsole": false,
"rootUrl": "",
"baseUrl": "",
"redirectUris": [
"https://{{{ .Env.DOMAIN }}}/*"
],
"webOrigins": [
"/*"
],
"defaultClientScopes": [
"web-origins",
"acr",
"offline_access",
"roles",
"profile",
"groups",
"email"
]
}
--- ---
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
@ -383,8 +421,13 @@ spec:
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -400,13 +443,40 @@ spec:
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id') -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
echo "creating ArgoCD client"
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/argocd-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argocd") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token) ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
@ -426,7 +496,8 @@ spec:
BACKSTAGE_CLIENT_ID: backstage BACKSTAGE_CLIENT_ID: backstage
GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
GRAFANA_CLIENT_ID: grafana GRAFANA_CLIENT_ID: grafana
ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}
ARGOCD_CLIENT_ID: argocd
" > /tmp/secret.yaml " > /tmp/secret.yaml
./kubectl apply -f /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml