From 882c76c8a75f41ce20c0e2ecd47d211423eb6dfa Mon Sep 17 00:00:00 2001
From: Eric Wyles <23637493+ericwyles@users.noreply.github.com>
Date: Wed, 1 May 2024 06:47:25 -0500
Subject: [PATCH 01/12] feat: add saml support

---
 chart/templates/uds-package.yaml | 45 +++++++++++++-------------------
 values/common-values.yaml | 4 +--
 2 files changed, 20 insertions(+), 29 deletions(-)

diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
index 00da64fa..561df1f6 100644
--- a/chart/templates/uds-package.yaml
+++ b/chart/templates/uds-package.yaml
@@ -6,40 +6,31 @@ metadata: spec: {{- if .Values.sso.enabled }} sso: - - name: Gitlab SSO + - name: GitLab Login clientId: uds-swf-gitlab redirectUris: - - "https://gitlab.{{ .Values.domain }}/users/auth/openid_connect/callback" + - "https://gitlab.{{ .Values.domain }}/users/auth/saml/callback" + + protocol: saml + + attributes: + saml.client.signature: "false" + secretName: {{ .Values.sso.secretName }} secretTemplate: - # GitLab expects a providers JSON file that is documented more here: https://gitlab-org.gitlab.io/technical-writing-group/gitlab-docs-hugo/administration/auth/oidc/ + # GitLab expects a providers JSON file that is documented more here: https://docs.gitlab.com/ee/integration/saml.html # Note: the `authorization_endpoint`, `issuer`, and `userinfo_endpoint` must be the external URL providers: | { - "name": "openid_connect", - "label": "SSO", - "args": { - "name": "openid_connect", - "scope": [ - "openid", - "profile" - ], - "response_type": "code", - "issuer": "https://sso.{{ .Values.domain }}/realms/uds", - "client_auth_method": "query", - "discovery": false, - "uid_field": "preferred_username", - "pkce": "true", - "client_options": { - "identifier": "clientField(clientId)", - "secret": "clientField(secret)", - "redirect_uri": "clientField(redirectUris)[0]", - "end_session_endpoint": "http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/openid-connect/logout", - "authorization_endpoint": "https://sso.{{ .Values.domain }}/realms/uds/protocol/openid-connect/auth", - "token_endpoint": "http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/openid-connect/token", - "userinfo_endpoint": "https://sso.{{ .Values.domain }}/realms/uds/protocol/openid-connect/userinfo", - "jwks_uri": "http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/openid-connect/certs" - } + "name":"saml", + "label":"SAML", + "args":{ + "assertion_consumer_service_url": "https://gitlab.{{ .Values.domain 
}}/users/auth/saml/callback", + "idp_cert": "clientField(samlIdpCertificate)", + "idp_sso_target_url": "https://sso.{{ .Values.domain }}/realms/uds/protocol/saml", + "issuer": "https://gitlab.{{ .Values.domain }}", + "name_identifier_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", + "attribute_statements": "{ \"username\": ['username'] }" } } {{- end }} diff --git a/values/common-values.yaml b/values/common-values.yaml index d120678a..f1c08abf 100644 --- a/values/common-values.yaml +++ b/values/common-values.yaml @@ -70,10 +70,10 @@ global: ## https://docs.gitlab.com/charts/charts/globals#omniauth omniauth: enabled: true - allowSingleSignOn: ['openid_connect'] + allowSingleSignOn: ['saml'] blockAutoCreatedUsers: false autoLinkUser: true - autoSignInWithProvider: openid_connect + autoSignInWithProvider: saml externalProviders: [] syncProfileAttributes: ['email'] syncProfileFromProvider: [] From 0a8fceaf9beaf312127b04a9a4a4cdf55d92f404 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Wed, 1 May 2024 12:09:06 -0500 Subject: [PATCH 02/12] feat: convert sso protocol to saml --- chart/templates/uds-package.yaml | 8 ++++++-- tasks.yaml | 6 ++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index 561df1f6..d5bfa7df 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -12,6 +12,8 @@ spec: - "https://gitlab.{{ .Values.domain }}/users/auth/saml/callback" protocol: saml + defaultClientScopes: + - "mapper-saml-email-email" attributes: saml.client.signature: "false" 
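Review bot: `saml.client.signature: "false"` in the new client attributes tells Keycloak not to require GitLab to sign its SAML AuthnRequests, and nothing in the hunk records why; a comment such as `# Keycloak must not require signed AuthnRequests: GitLab has no signing key configured in the providers args below` would stop the next reader from either "fixing" it or assuming requests are authenticated. Assertions coming back are still checked against `"idp_cert": "clientField(samlIdpCertificate)"`, so trust in that direction rests on the pinned IdP certificate, which is worth saying in the same comment. The retained comment about `authorization_endpoint`, `issuer`, and `userinfo_endpoint` describes the removed OIDC provider and no longer matches the SAML JSON under it. `attribute_statements` is written as a JSON string rather than an object, which looks unlikely to be what GitLab's provider config expects; worth confirming against the linked SAML docs.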
@@ -20,6 +22,8 @@ spec: secretTemplate: # GitLab expects a providers JSON file that is documented more here: https://docs.gitlab.com/ee/integration/saml.html # Note: the `authorization_endpoint`, `issuer`, and `userinfo_endpoint` must be the external URL + +# "attribute_statements": "{ \"username\": ['username'] }" providers: | { "name":"saml", @@ -28,9 +32,9 @@ spec: "assertion_consumer_service_url": "https://gitlab.{{ .Values.domain }}/users/auth/saml/callback", "idp_cert": "clientField(samlIdpCertificate)", "idp_sso_target_url": "https://sso.{{ .Values.domain }}/realms/uds/protocol/saml", - "issuer": "https://gitlab.{{ .Values.domain }}", + "issuer": "clientField(clientId)", "name_identifier_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", - "attribute_statements": "{ \"username\": ['username'] }" + } } {{- end }} diff --git a/tasks.yaml b/tasks.yaml index 96cc3979..5da9fb95 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -39,6 +39,12 @@ tasks: - task: dependencies:create - task: create:test-bundle + - name: dev + description: deploy against running cluster + actions: + - task: create-gl-test-bundle + - task: deploy:test-bundle + # CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names - name: test-package From 18412d4645993542e8f95af9ecbad0e73fce269e Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Fri, 3 May 2024 11:21:36 -0500 Subject: [PATCH 03/12] wip --- bundle/uds-bundle.yaml | 6 ++++ bundle/uds-config.yaml | 1 + chart/templates/uds-package.yaml | 48 ++++++++++++++++++++++++++++---- chart/values.yaml | 1 + values/common-values.yaml | 2 +- 5 files changed, 51 insertions(+), 7 deletions(-) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 687b64af..422f1f5d 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml 
@@ -46,11 +46,17 @@ packages: - name: GITLAB_SSO_ENABLED description: "Boolean to enable or disable sso things" path: "sso.enabled" + - name: GITLAB_SSO_PROTOCOL + description: "Protocol to use. Valid values are 'openid_connect' and 'saml'. Default value is 'saml'" + path: "sso.protocol" gitlab: variables: - name: GITLAB_SSO_ENABLED description: "Boolean to enable or disable sso things" path: "global.appConfig.omniauth.enabled" + - name: GITLAB_SSO_PROTOCOL + description: "Protocol to use. Valid values are 'openid_connect' and 'saml'. Default value is 'saml'" + path: "global.appConfig.omniauth.autoSignInWithProvider" - name: MIGRATIONS_RESOURCES description: "Gitlab Migrations Resources" path: "gitlab.migrations.resources" diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml index b484aea5..60d017cd 100644 --- a/bundle/uds-config.yaml +++ b/bundle/uds-config.yaml @@ -32,6 +32,7 @@ variables: gitlab_db_endpoint: "pg-cluster.postgres.svc.cluster.local" DISABLE_REGISTRY_REDIRECT: "true" GITLAB_PAGES_ENABLED: true + GITLAB_SSO_PROTOCOL: openid_connect # # Overrides for scaled down cluster for local dev and CI webservice_replicas: 1 webservice_resources: diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index d5bfa7df..1e45203c 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml 
@@ -4,7 +4,46 @@ metadata: name: gitlab namespace: {{ .Release.Namespace }} spec: - {{- if .Values.sso.enabled }} + {{- if and (.Values.sso.enabled) (eq .Values.sso.protocol "openid_connect") }} + sso: + - name: GitLab Login + clientId: uds-swf-gitlab + redirectUris: + - "https://gitlab.{{ .Values.domain }}/users/auth/openid_connect/callback" + + secretName: {{ .Values.sso.secretName }} + secretTemplate: + # GitLab expects a providers JSON file that is documented more here: https://gitlab-org.gitlab.io/technical-writing-group/gitlab-docs-hugo/administration/auth/oidc/ + # Note: the `authorization_endpoint`, `issuer`, and `userinfo_endpoint` must be the external URL + providers: | + { + "name": "openid_connect", + "label": "SSO", + "args": { + "name": "openid_connect", + "scope": [ + "openid", + "profile" + ], + "response_type": "code", + "issuer": "https://sso.{{ .Values.domain }}/realms/uds", + "client_auth_method": "query", + "discovery": false, + "uid_field": "preferred_username", + "pkce": "true", + "client_options": { + "identifier": "clientField(clientId)", + "secret": "clientField(secret)", + "redirect_uri": "clientField(redirectUris)[0]", + "end_session_endpoint": "http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/openid-connect/logout", + "authorization_endpoint": "https://sso.{{ .Values.domain }}/realms/uds/protocol/openid-connect/auth", + "token_endpoint": "http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/openid-connect/token", + "userinfo_endpoint": "https://sso.{{ .Values.domain }}/realms/uds/protocol/openid-connect/userinfo", + "jwks_uri": "http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/openid-connect/certs" + } + } + } + {{- else if and (.Values.sso.enabled) (eq .Values.sso.protocol "saml") }} sso: - name: GitLab Login clientId: uds-swf-gitlab 
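Review bot: The `if`/`else if` chain renders no `sso:` entry when `sso.enabled` is true but `sso.protocol` is anything other than `openid_connect` or `saml`, so a typo in GITLAB_SSO_PROTOCOL silently ships GitLab with omniauth enabled and no provider secret; the closing `{{- end }}` is outside this hunk, but a branch before it such as `{{- else if .Values.sso.enabled }}{{- fail (printf "unsupported sso.protocol %q" .Values.sso.protocol) }}` would turn that into a template error at install time. The restored OIDC block also carries `"client_auth_method": "query"` and plain-http cluster-local `token_endpoint`/`jwks_uri` values; a one-line comment on why those are acceptable (presumably because that traffic stays inside the cluster) would save the next reviewer the question.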
@@ -14,6 +53,7 @@ spec: protocol: saml defaultClientScopes: - "mapper-saml-email-email" + - "mapper-saml-username-name" attributes: saml.client.signature: "false" @@ -21,20 +61,16 @@ spec: secretName: {{ .Values.sso.secretName }} secretTemplate: # GitLab expects a providers JSON file that is documented more here: https://docs.gitlab.com/ee/integration/saml.html - # Note: the `authorization_endpoint`, `issuer`, and `userinfo_endpoint` must be the external URL - -# "attribute_statements": "{ \"username\": ['username'] }" providers: | { "name":"saml", - "label":"SAML", + "label":"SSO", "args":{ "assertion_consumer_service_url": "https://gitlab.{{ .Values.domain }}/users/auth/saml/callback", "idp_cert": "clientField(samlIdpCertificate)", "idp_sso_target_url": "https://sso.{{ .Values.domain }}/realms/uds/protocol/saml", "issuer": "clientField(clientId)", "name_identifier_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", - } } {{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index ad587a63..5c4437f1 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -1,6 +1,7 @@ domain: "###ZARF_VAR_DOMAIN###" sso: enabled: true + protocol: saml secretName: gitlab-sso storage: # Set to false to use external storage diff --git a/values/common-values.yaml b/values/common-values.yaml index f1c08abf..c92567d2 100644 --- a/values/common-values.yaml +++ b/values/common-values.yaml @@ -70,7 +70,7 @@ global: ## https://docs.gitlab.com/charts/charts/globals#omniauth omniauth: enabled: true - allowSingleSignOn: ['saml'] + allowSingleSignOn: true blockAutoCreatedUsers: false autoLinkUser: true autoSignInWithProvider: saml From 064454f1b3eca186423d61f3cbf3b41bd9181f90 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Fri, 3 May 2024 12:05:10 -0500 Subject: [PATCH 04/12] wip --- bundle/uds-config.yaml | 2 +- chart/templates/uds-package.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
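Review bot: `allowSingleSignOn: true` widens automatic account creation from the single listed provider to every enabled omniauth provider, and with `blockAutoCreatedUsers: false` on the next line those accounts are active immediately, yet the commit does not say why the named-provider form was dropped. If the intent is to follow whichever protocol GITLAB_SSO_PROTOCOL selects, record that assumption in place (`# true rather than a provider list so one values file serves openid_connect and saml; only one provider is ever configured`), or keep the list form and drive it from a second bundle override on `global.appConfig.omniauth.allowSingleSignOn` alongside `autoSignInWithProvider`.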
diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml index 60d017cd..60c455c1 100644 --- a/bundle/uds-config.yaml +++ b/bundle/uds-config.yaml @@ -32,7 +32,7 @@ variables: gitlab_db_endpoint: "pg-cluster.postgres.svc.cluster.local" DISABLE_REGISTRY_REDIRECT: "true" GITLAB_PAGES_ENABLED: true - GITLAB_SSO_PROTOCOL: openid_connect + #GITLAB_SSO_PROTOCOL: openid_connect # # Overrides for scaled down cluster for local dev and CI webservice_replicas: 1 webservice_resources: diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index 1e45203c..35ecdde4 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -46,7 +46,7 @@ spec: {{- else if and (.Values.sso.enabled) (eq .Values.sso.protocol "saml") }} sso: - name: GitLab Login - clientId: uds-swf-gitlab + clientId: uds-swf-gitlab-saml redirectUris: - "https://gitlab.{{ .Values.domain }}/users/auth/saml/callback" From fc8dd0b41a48075464a6b151ecacd502cf772857 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Mon, 6 May 2024 16:33:42 -0500 Subject: [PATCH 05/12] wip --- chart/templates/uds-package.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index 35ecdde4..ddb8e2ba 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -53,7 +53,9 @@ spec: protocol: saml defaultClientScopes: - "mapper-saml-email-email" - - "mapper-saml-username-name" + - "mapper-saml-firstname-first_name" + - "mapper-saml-lastname-last_name" + - "mapper-saml-grouplist-groups" attributes: saml.client.signature: "false" @@ -65,6 +67,8 @@ spec: { "name":"saml", "label":"SSO", + "groups_attribute": "Groups", + "admin_groups": ["/Gitlab Admins"], "args":{ "assertion_consumer_service_url": "https://gitlab.{{ .Values.domain }}/users/auth/saml/callback", "idp_cert": "clientField(samlIdpCertificate)", 
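Review bot: `"admin_groups": ["/Gitlab Admins"]` grants the GitLab administrator role from the `Groups` attribute asserted by the IdP, and that attribute only exists because the previous hunk adds the `mapper-saml-grouplist-groups` default client scope, yet nothing in the template ties the two together; a comment above `groups_attribute`, such as `# "Groups" must match the attribute name emitted by the mapper-saml-grouplist-groups scope above`, would stop one being changed without the other. The group path is also hardcoded with a spelling (`Gitlab`) that differs from the `GitLab` used elsewhere in this chart, which matters because the match is against the exact Keycloak group path; if the group was created as `/GitLab Admins` nobody will be promoted.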
From 2f0aa0cba92770cdbfca9729f9bf57b387bd5be3 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Mon, 13 May 2024 14:51:23 -0500 Subject: [PATCH 06/12] make admin_groups configurable --- bundle/uds-bundle.yaml | 3 +++ bundle/uds-config.yaml | 1 + chart/templates/uds-package.yaml | 2 +- chart/values.yaml | 1 + 4 files changed, 6 insertions(+), 1 deletion(-) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 422f1f5d..b14150b3 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -49,6 +49,9 @@ packages: - name: GITLAB_SSO_PROTOCOL description: "Protocol to use. Valid values are 'openid_connect' and 'saml'. Default value is 'saml'" path: "sso.protocol" + - name: GITLAB_ADMIN_GROUPS + description: "Array of group names that grant admin role gitlab." + path: "sso.adminGroups" gitlab: variables: - name: GITLAB_SSO_ENABLED diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml index 60c455c1..146dd921 100644 --- a/bundle/uds-config.yaml +++ b/bundle/uds-config.yaml @@ -32,6 +32,7 @@ variables: gitlab_db_endpoint: "pg-cluster.postgres.svc.cluster.local" DISABLE_REGISTRY_REDIRECT: "true" GITLAB_PAGES_ENABLED: true + GITLAB_ADMIN_GROUPS: ["/Group Override", "/Another Group Override"] #GITLAB_SSO_PROTOCOL: openid_connect # # Overrides for scaled down cluster for local dev and CI webservice_replicas: 1 diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index ddb8e2ba..2427308d 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -68,7 +68,7 @@ spec: "name":"saml", "label":"SSO", "groups_attribute": "Groups", - "admin_groups": ["/Gitlab Admins"], + "admin_groups": {{ .Values.sso.adminGroups | toJson }}, "args":{ "assertion_consumer_service_url": "https://gitlab.{{ .Values.domain }}/users/auth/saml/callback", "idp_cert": "clientField(samlIdpCertificate)", diff --git a/chart/values.yaml b/chart/values.yaml index 5c4437f1..afc2fcbf 100644 
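Review bot: `{{ .Values.sso.adminGroups | toJson }}` renders `null` when `sso.adminGroups` is unset and renders a JSON string rather than an array if the GITLAB_ADMIN_GROUPS bundle variable arrives as a plain string, either of which leaves `admin_groups` with a type the GitLab SAML provider presumably does not accept; `{{ .Values.sso.adminGroups | default list | toJson }}` covers the unset case, and the bundle variable description should state that the value must be a list. Because this key decides who becomes a GitLab administrator, a comment beside it in the template naming the source (`# Keycloak group paths; members receive the GitLab admin role`) is worth having rather than relying on the bundle description alone.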
--- a/chart/values.yaml +++ b/chart/values.yaml @@ -3,6 +3,7 @@ sso: enabled: true protocol: saml secretName: gitlab-sso + adminGroups: ["/GitLab Admins"] storage: # Set to false to use external storage internal: true From 87e52acca8605971e8c5f0efb40c1af10af3f3d6 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Mon, 20 May 2024 15:15:17 -0500 Subject: [PATCH 07/12] fix so upgrading from oidc to saml auto links accounts --- bundle/uds-bundle.yaml | 2 +- bundle/uds-config.yaml | 4 ++-- values/common-values.yaml | 1 + 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index b14150b3..0d9219ed 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -50,7 +50,7 @@ packages: description: "Protocol to use. Valid values are 'openid_connect' and 'saml'. Default value is 'saml'" path: "sso.protocol" - name: GITLAB_ADMIN_GROUPS - description: "Array of group names that grant admin role gitlab." + description: "Array of group names that grant admin role gitlab when saml protocol is active." path: "sso.adminGroups" gitlab: variables: diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml index 146dd921..1127c6a0 100644 --- a/bundle/uds-config.yaml +++ b/bundle/uds-config.yaml @@ -32,8 +32,8 @@ variables: gitlab_db_endpoint: "pg-cluster.postgres.svc.cluster.local" DISABLE_REGISTRY_REDIRECT: "true" GITLAB_PAGES_ENABLED: true - GITLAB_ADMIN_GROUPS: ["/Group Override", "/Another Group Override"] - #GITLAB_SSO_PROTOCOL: openid_connect + #GITLAB_ADMIN_GROUPS: ["/Group Override", "/Another Group Override"] + #GITLAB_SSO_PROTOCOL: saml # # Overrides for scaled down cluster for local dev and CI webservice_replicas: 1 webservice_resources: diff --git a/values/common-values.yaml b/values/common-values.yaml index c92567d2..b6822589 100644 --- a/values/common-values.yaml +++ b/values/common-values.yaml 
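Review bot: `adminGroups: ["/GitLab Admins"]` ships a default group that `chart/templates/uds-package.yaml` maps to the GitLab administrator role, but `chart/values.yaml` gives no hint of that consequence; a comment above the key such as `# Keycloak group paths whose members are granted GitLab administrator (saml protocol only)` documents the privilege this value confers. The default also differs in capitalization from the `/Gitlab Admins` literal the template carried before this commit, so if any Keycloak group was created against the older spelling it will stop matching; a line in the commit message or chart docs would make that deliberate.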
@@ -73,6 +73,7 @@ global: allowSingleSignOn: true blockAutoCreatedUsers: false autoLinkUser: true + autoLinkSamlUser: true autoSignInWithProvider: saml externalProviders: [] syncProfileAttributes: ['email'] From a537cc7d3c4d983ba9744bf88b0b220d3744dee8 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Thu, 23 May 2024 18:04:40 -0500 Subject: [PATCH 08/12] saml by default --- bundle/uds-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml index 1127c6a0..d63c0860 100644 --- a/bundle/uds-config.yaml +++ b/bundle/uds-config.yaml @@ -33,7 +33,7 @@ variables: DISABLE_REGISTRY_REDIRECT: "true" GITLAB_PAGES_ENABLED: true #GITLAB_ADMIN_GROUPS: ["/Group Override", "/Another Group Override"] - #GITLAB_SSO_PROTOCOL: saml + GITLAB_SSO_PROTOCOL: saml # # Overrides for scaled down cluster for local dev and CI webservice_replicas: 1 webservice_resources: From 5791946bb4dd6e3c601448262b49bf3db291c9fa Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Thu, 23 May 2024 18:47:04 -0500 Subject: [PATCH 09/12] uds-common version --- tasks.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks.yaml b/tasks.yaml index b96e34de..c78b9f6f 100644 --- a/tasks.yaml +++ b/tasks.yaml 
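Review bot: `autoLinkSamlUser: true` lets a SAML login attach itself to an existing GitLab account whose email matches, which is what the commit wants for the OIDC-to-SAML upgrade but also means an email asserted by the IdP is from now on accepted as proof of ownership of an existing account; a comment recording the purpose and the trust boundary (`# Link SAML identities to existing accounts by email so users migrated from openid_connect keep their account; relies on Keycloak being the only identity source`) would make clear whether this should stay enabled once the migration is done. `autoLinkUser: true` two lines above already covers the other providers, so the pair should be reviewed together when that decision is made.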
@@ -2,11 +2,11 @@ includes: - cleanup: ./tasks/cleanup.yaml - dependencies: ./tasks/dependencies.yaml - test: ./tasks/test.yaml - - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/create.yaml - - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/lint.yaml - - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/pull.yaml - - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/deploy.yaml - - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/setup.yaml + - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.3/tasks/create.yaml + - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.3/tasks/lint.yaml + - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.3/tasks/pull.yaml + - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.3/tasks/deploy.yaml + - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.3/tasks/setup.yaml tasks: - name: default From 3fe41606550e851471169193fbee375404a54bb7 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Fri, 24 May 2024 10:04:31 -0500 Subject: [PATCH 10/12] change saml client name to avoid errors on keycloak side --- bundle/uds-config.yaml | 2 +- chart/templates/uds-package.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml index d63c0860..545f91a1 100644 --- a/bundle/uds-config.yaml +++ b/bundle/uds-config.yaml 
@@ -32,7 +32,7 @@ variables: gitlab_db_endpoint: "pg-cluster.postgres.svc.cluster.local" DISABLE_REGISTRY_REDIRECT: "true" GITLAB_PAGES_ENABLED: true - #GITLAB_ADMIN_GROUPS: ["/Group Override", "/Another Group Override"] + GITLAB_ADMIN_GROUPS: ["/GitLab Admins", "/UDS Core/Admin"] GITLAB_SSO_PROTOCOL: saml # # Overrides for scaled down cluster for local dev and CI webservice_replicas: 1 diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index 11307d03..69eb27a4 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -7,7 +7,7 @@ spec: {{- if and (.Values.sso.enabled) (eq .Values.sso.protocol "openid_connect") }} sso: - name: GitLab Login - clientId: uds-swf-gitlab + clientId: uds-swf-gitlab-saml redirectUris: - "https://gitlab.{{ .Values.domain }}/users/auth/openid_connect/callback" @@ -46,7 +46,7 @@ spec: {{- else if and (.Values.sso.enabled) (eq .Values.sso.protocol "saml") }} sso: - name: GitLab Login - clientId: uds-swf-gitlab-saml + clientId: uds-swf-gitlab redirectUris: - "https://gitlab.{{ .Values.domain }}/users/auth/saml/callback" From a456d922a53c6069c1380b1f991f05b627cbf865 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Fri, 24 May 2024 10:10:25 -0500 Subject: [PATCH 11/12] tweak default admin group list --- bundle/uds-config.yaml | 2 +- chart/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml index 545f91a1..4e681b26 100644 --- a/bundle/uds-config.yaml +++ b/bundle/uds-config.yaml @@ -32,7 +32,7 @@ variables: gitlab_db_endpoint: "pg-cluster.postgres.svc.cluster.local" DISABLE_REGISTRY_REDIRECT: "true" GITLAB_PAGES_ENABLED: true - GITLAB_ADMIN_GROUPS: ["/GitLab Admins", "/UDS Core/Admin"] + GITLAB_ADMIN_GROUPS: ["/GitLab Admin", "/UDS Core/Admin"] GITLAB_SSO_PROTOCOL: saml # # Overrides for scaled down cluster for local dev and CI webservice_replicas: 1 
diff --git a/chart/values.yaml b/chart/values.yaml index 40677afb..ba25da0c 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -3,7 +3,7 @@ sso: enabled: true protocol: saml secretName: gitlab-sso - adminGroups: ["/GitLab Admins"] + adminGroups: ["/GitLab Admin", "/UDS Core/Admin"] storage: # Set to false to use external storage internal: true From 4cd135ee1c62d56c4414ebe9b785910c7455f245 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Fri, 24 May 2024 10:51:47 -0500 Subject: [PATCH 12/12] flip flopped the names --- chart/templates/uds-package.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index 69eb27a4..11307d03 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -7,7 +7,7 @@ spec: {{- if and (.Values.sso.enabled) (eq .Values.sso.protocol "openid_connect") }} sso: - name: GitLab Login - clientId: uds-swf-gitlab-saml + clientId: uds-swf-gitlab redirectUris: - "https://gitlab.{{ .Values.domain }}/users/auth/openid_connect/callback" @@ -46,7 +46,7 @@ spec: {{- else if and (.Values.sso.enabled) (eq .Values.sso.protocol "saml") }} sso: - name: GitLab Login - clientId: uds-swf-gitlab + clientId: uds-swf-gitlab-saml redirectUris: - "https://gitlab.{{ .Values.domain }}/users/auth/saml/callback"