Merge pull request #45 from defenseunicorns/saml-configuration

README.md

@@ -32,4 +32,4 @@ The released packages can be found in [ghcr](https://github.com/defenseunicorns/
 
 ## Contributing
 
-Please see the [CONTRIBUTING.md](./CONTRIBUTING.md)
+Please see the [CONTRIBUTING.md](./CONTRIBUTING.md)

bundle/uds-bundle.yaml

@@ -12,3 +12,13 @@ packages:
     # x-release-please-start-version
     ref: 5.3.1-uds.0
     # x-release-please-end
+    overrides:
+      uds-jenkins-config:
+        uds-jenkins-config:
+          variables:
+            - name: JENKINS_SSO_ENABLED
+              description: "Boolean to enable or disable sso things"
+              path: "sso.enabled"
+            - name: JENKINS_SSO_PROTOCOL
+              description: "Protocol to use. Valid values are 'openid-connect' and 'saml'. Default value is 'saml'"
+              path: "sso.protocol"

chart/templates/uds-package.yaml

@@ -7,9 +7,59 @@ spec:
   {{- if .Values.sso.enabled }}
   sso:
     - name: Jenkins Login
-      clientId: uds-package-jenkins
       redirectUris:
         - "https://jenkins.{{ .Values.domain }}/securityRealm/finishLogin"
+    {{- if eq .Values.sso.protocol "saml" }}
+      clientId: uds-package-jenkins-saml
+
+      protocol: saml
+      defaultClientScopes:
+        - "mapper-saml-email-email"
+        - "mapper-saml-firstname-first_name"
+        - "mapper-saml-lastname-last_name"
+        - "mapper-saml-grouplist-groups"
+        - "mapper-saml-username-name"
+
+      attributes:
+        saml.client.signature: "false"
+
+      secretName: {{ .Values.sso.secretName }}
+      secretTemplate:
+        sso: |-
+          saml:
+                        advancedConfiguration:
+                          forceAuthn: false
+                          spEntityId: "uds-package-jenkins-saml"
+                        binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+                        displayNameAttributeName: "name"
+                        emailAttributeName: "email"
+                        groupsAttributeName: "groups"
+                        idpMetadataConfiguration:
+                          period: 1440
+                          url: "https://sso.{{ .Values.domain }}/realms/uds/protocol/saml/descriptor"
+    {{- else if eq .Values.sso.protocol "openid-connect"  }}
+      clientId: uds-package-jenkins-openid-connect
+
+      protocol: openid-connect
+
+      secretName: {{ .Values.sso.secretName }}
+      secretTemplate:
+        sso: |-
+          oic:
+                        clientId: "uds-package-jenkins-openid-connect"
+                        clientSecret: "clientField(secret)"
+                        wellKnownOpenIDConfigurationUrl: "https://sso.{{ .Values.domain }}/realms/uds"
+                        tokenServerUrl: "https://sso.{{ .Values.domain }}/realms/uds/protocol/openid-connect/token"
+                        authorizationServerUrl: "https://sso.{{ .Values.domain }}/realms/uds/protocol/openid-connect/auth"
+                        scopes: "openid profile"
+                        disableSslVerification: false
+                        endSessionEndpoint: "https://sso.{{ .Values.domain }}/realms/uds/protocol/openid-connect/logout"
+                        escapeHatchEnabled: false
+                        logoutFromOpenidProvider: true
+                        userNameField: "preferred_username"
+                        emailFieldName: "email"
+                        groupsFieldName: "groups"
+    {{- end }}
   {{- end }}
 
   monitor:

chart/values.yaml

@@ -2,6 +2,9 @@ domain: "###ZARF_VAR_DOMAIN###"
 
 sso:
   enabled: true
+  secretName: jenkins-sso
+  # protocol should be either 'saml' or 'openid-connect'
+  protocol: saml
 
 # customNetworkPolicies:
 #    # Notice no `remoteGenerated` field here on custom internal rule

common/zarf.yaml

@@ -5,11 +5,12 @@ metadata:
   description: "UDS jenkins Common Package"
 
 variables:
-  - name: JENKINS_CLIENT_SECRET
-    default: ""
+  - name: JENKINS_SSO
+    default: "{}"
+    autoIndent: true
 
 components:
-  - name: jenkins-config
+  - name: uds-jenkins-config
     required: true
     description: "SSO secret for jenkins"
     charts:
@@ -22,14 +23,14 @@ components:
         after:
           - wait:
               cluster:
-                kind: package
+                kind: Packages
                 name: jenkins
                 namespace: jenkins
                 condition: "'{.status.phase}'=Ready"
-          - cmd: ./zarf tools kubectl get secrets sso-client-uds-package-jenkins -n jenkins -o=jsonpath='{.data.secret}' | base64 -d
+          - cmd: ./zarf tools kubectl get secret jenkins-sso -n jenkins -o=jsonpath='{.data.sso}' | base64 --decode
             mute: true
             setVariables:
-              - name: JENKINS_CLIENT_SECRET
+              - name: JENKINS_SSO
                 sensitive: true
   - name: jenkins
     required: true

values/common.yaml

@@ -23,27 +23,16 @@ controller:
     - oic-auth:4.269.va_7526f34f306
     - prometheus:773.v3b_62d8178eec
     - cloudbees-disk-usage-simple:203.v3f46a_7462b_1a_
+    - saml:4.464.vea_cb_75d7f5e0
   overwritePlugins: true
   JCasC:
     defaultConfig: true
     configScripts:
-      keycloak: |-
+      sso: |-
         jenkins:
           securityRealm:
-            oic:
-              clientId: "uds-package-jenkins"
-              clientSecret: "###ZARF_VAR_JENKINS_CLIENT_SECRET###"
-              wellKnownOpenIDConfigurationUrl: "https://sso.###ZARF_VAR_DOMAIN###/realms/uds"
-              tokenServerUrl: "https://sso.###ZARF_VAR_DOMAIN###/realms/uds/protocol/openid-connect/token"
-              authorizationServerUrl: "https://sso.###ZARF_VAR_DOMAIN###/realms/uds/protocol/openid-connect/auth"
-              scopes: "openid profile"
-              disableSslVerification: false
-              endSessionEndpoint: "https://sso.###ZARF_VAR_DOMAIN###/realms/uds/protocol/openid-connect/logout"
-              escapeHatchEnabled: false
-              logoutFromOpenidProvider: true
-              userNameField: "preferred_username"
-              emailFieldName: "email"
-              groupsFieldName: "groups"
+            ###ZARF_VAR_JENKINS_SSO###
+
   probes:
     startupProbe:
       periodSeconds: 10

zarf.yaml

@@ -13,7 +13,7 @@ variables:
     default: "uds.dev"
 
 components:
-  - name: jenkins-config
+  - name: uds-jenkins-config
     required: true
     description: "SSO secret for jenkins"
     import: