24 commits
developmen
...
IPCEICIS-2
Author | SHA1 | Date | |
---|---|---|---|
d972b3846c | |||
68166e110e | |||
c298530caa | |||
6b18ed0443 | |||
d0fb858a81 | |||
b804f2293f | |||
a2b3e0cbd3 | |||
b6677f4b63 | |||
fd0df35b1a | |||
1b565de935 | |||
d22ea7c82a | |||
95c45ded96 | |||
45f84b30b1 | |||
3c65ec704e | |||
f3ad8444e8 | |||
bc3a5ee0e2 | |||
456dc397f8 | |||
109198d96f | |||
c2fa44adc3 | |||
348a27d7c0 | |||
97f4eb33d9 | |||
d657841913 | |||
8b93796afe | |||
ca54424fc4 |
3 changed files with 105 additions and 6 deletions
21
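--- /dev/null
+++ b/template/stacks/core/forgejo/forgejo-sso/secret-forgejo.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: auth-generic-oauth-secret
+  namespace: gitea
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: auth-generic-oauth-secret
+    template:
+      engineVersion: v2
+      data:
+        client_secret: "{{.FORGEJO_CLIENT_SECRET}}"
+  data:
+    - secretKey: FORGEJO_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: FORGEJO_CLIENT_SECRET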
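Review bot: `refreshInterval: "0"` in the ExternalSecret spec disables periodic re-sync, so the gitea `auth-generic-oauth-secret` Secret is populated once and will not follow a later change of `FORGEJO_CLIENT_SECRET` in the `keycloak-clients` store (for example after the setup Job is re-run and Keycloak issues a new client secret). If the one-shot behaviour is intended, state it next to the key, e.g. `refreshInterval: "0"  # sync once; re-create this ExternalSecret after rotating the Keycloak client secret`; otherwise use a non-zero interval such as `1h` so a rotated secret propagates without manual intervention.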
@ -27,6 +27,17 @@ gitea:
|
|||
server:
|
||||
DOMAIN: '{{{ .Env.DOMAIN_GITEA }}}'
|
||||
ROOT_URL: 'https://{{{ .Env.DOMAIN_GITEA }}}:443'
|
||||
oauth2_client:
|
||||
ENABLE_AUTO_REGISTRATION: true
|
||||
ACCOUNT_LINKING: auto
|
||||
# oauth:
|
||||
# - name: 'Keycloak'
|
||||
# provider: 'openidConnect'
|
||||
# # key: 'forgejo'
|
||||
# # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu'
|
||||
# existingSecret: forgejo-oidc
|
||||
# autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration'
|
||||
# # admin-group: is to specify which keycloak group has forgejo admin permissions
|
||||
|
||||
service:
|
||||
ssh:
|
||||
|
|
|
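Review bot: The commented line `# # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu'` puts a credential-shaped value into the repository even though it is inactive (the hunk's +11 count suggests these commented lines are new); once committed it stays in history, and the `existingSecret: forgejo-oidc` line directly below shows the intended way to supply it. Drop the line, and if that string was ever a live Keycloak client secret, regenerate it in Keycloak. Separately, `ACCOUNT_LINKING: auto` together with `ENABLE_AUTO_REGISTRATION: true` links an OIDC login to an existing Forgejo account by matching e-mail, as I read the Forgejo docs, so this only stays safe while the realm guarantees verified, non-user-editable e-mail claims; a one-line comment stating that assumption above `oauth2_client:` would help the next maintainer. The enclosing `gitea:` mapping starts before this hunk.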
@ -100,11 +100,11 @@ data:
|
|||
user-user1.json: |
|
||||
{
|
||||
"username": "user1",
|
||||
"email": "",
|
||||
"email": "user1@user.de",
|
||||
"firstName": "user",
|
||||
"lastName": "one",
|
||||
"requiredActions": [],
|
||||
"emailVerified": false,
|
||||
"emailVerified": true,
|
||||
"groups": [
|
||||
"/admin"
|
||||
],
|
||||
|
@ -113,11 +113,11 @@ data:
|
|||
user-user2.json: |
|
||||
{
|
||||
"username": "user2",
|
||||
"email": "",
|
||||
"email": "user2@user.de",
|
||||
"firstName": "user",
|
||||
"lastName": "two",
|
||||
"requiredActions": [],
|
||||
"emailVerified": false,
|
||||
"emailVerified": true,
|
||||
"groups": [
|
||||
"/base-user"
|
||||
],
|
||||
|
@ -181,6 +181,44 @@ data:
|
|||
]
|
||||
}
|
||||
|
||||
forgejo-client-payload.json: |
|
||||
{
|
||||
"protocol": "openid-connect",
|
||||
"clientId": "forgejo",
|
||||
"name": "Forgejo Client",
|
||||
"description": "Used for Forgejo SSO",
|
||||
"publicClient": false,
|
||||
"authorizationServicesEnabled": false,
|
||||
"serviceAccountsEnabled": false,
|
||||
"implicitFlowEnabled": false,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"standardFlowEnabled": true,
|
||||
"frontchannelLogout": true,
|
||||
"attributes": {
|
||||
"saml_idp_initiated_sso_url_name": "",
|
||||
"oauth2.device.authorization.grant.enabled": false,
|
||||
"oidc.ciba.grant.enabled": false
|
||||
},
|
||||
"alwaysDisplayInConsole": false,
|
||||
"rootUrl": "https://{{{ .Env.DOMAIN_GITEA }}}:443",
|
||||
"baseUrl": "",
|
||||
"redirectUris": [
|
||||
"https://{{{ .Env.DOMAIN_GITEA }}}/*"
|
||||
],
|
||||
"webOrigins": [
|
||||
"/*"
|
||||
]
|
||||
"defaultClientScopes": [
|
||||
"web-origins",
|
||||
"acr",
|
||||
"offline_access",
|
||||
"roles",
|
||||
"profile",
|
||||
"groups",
|
||||
"email"
|
||||
]
|
||||
}
|
||||
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
|
@ -341,12 +379,39 @@ spec:
|
|||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id')
|
||||
|
||||
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
|
||||
curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
||||
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
|
||||
|
||||
curl -sS -H "Content-Type: application/json" \
|
||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
||||
|
||||
BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
||||
|
||||
echo "creating Forgejo client"
|
||||
curl -sS -H "Content-Type: application/json" \
|
||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||
-X POST --data @/var/config/forgejo-client-payload.json \
|
||||
${KEYCLOAK_URL}/admin/realms/cnoe/clients
|
||||
|
||||
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "forgejo") | .id')
|
||||
|
||||
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
|
||||
|
||||
curl -sS -H "Content-Type: application/json" \
|
||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
||||
|
||||
FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
||||
|
||||
ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
|
||||
|
||||
|
@ -365,6 +430,8 @@ spec:
|
|||
ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
|
||||
BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
|
||||
BACKSTAGE_CLIENT_ID: backstage
|
||||
FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET}
|
||||
FORGEJO_CLIENT_ID: forgejo
|
||||
" > /tmp/secret.yaml
|
||||
|
||||
./kubectl apply -f /tmp/secret.yaml
|
||||
|
|
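Review bot: In the `forgejo-client-payload.json` block scalar added in hunk `@ -181,6 +181,44 @@`, the `]` closing `"webOrigins"` is not followed by a comma before `"defaultClientScopes"`, so the payload is invalid JSON and Keycloak will reject the POST at `-X POST --data @/var/config/forgejo-client-payload.json`. The following `CLIENT_ID=$(... select(.clientId == "forgejo") ...)` lookup then yields an empty string, the PUT and secret GET run against malformed URLs, and `FORGEJO_CLIENT_SECRET` ends up empty in `/tmp/secret.yaml`, unless the script aborts on the failed `jq -e`, which is not visible in this section. Change the line after `"/*"` to `],`. Since the client is described as "Used for Forgejo SSO" and browser login only needs the standard flow, consider `"directAccessGrantsEnabled": false` so the client cannot be used to exchange user passwords directly; the backstage payload is not in view, so I cannot tell whether `true` is the established convention here.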