feat: integrate with keycloak (#44)

## Description Updates to enable sso by default using SSO Secret Templating using the sso spec on the UDS package CR. ## Related Issue Fixes #37 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-mattermost/blob/main/CONTRIBUTING.md#developer-workflow) followed --------- Co-authored-by: Wayne Starr <Racer159@users.noreply.github.com>
defenseunicorns · May 3, 2024 · ce05b45 · ce05b45
1 parent 32eb363
commit ce05b45
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 30 deletions.
diff --git a/chart/templates/mattermost-sso-secret.yaml b/chart/templates/mattermost-sso-secret.yaml
@@ -0,0 +1,15 @@
+# This secret will be used if sso is disabled, instead of the templated one in uds-package.yaml. 
+# Mattermost needs to mount the secret and creating it this way avoids creating an unnecessary 
+# client in the keycloak realm and unnecessary secret data in the cluster.
+{{- if not .Values.sso.enabled }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.sso.secretName }}
+  namespace:  {{ .Release.Namespace }}
+type: "Opaque"
+stringData:
+  MM_GITLABSETTINGS_ENABLE: "{{ .Values.sso.enabled | toString }}"
+
+{{- end }}
diff --git a/chart/templates/mattermost-sso.yaml b/chart/templates/mattermost-sso.yaml
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
@@ -4,6 +4,30 @@ metadata:
   name: mattermost
   namespace: {{ .Release.Namespace }}
 spec:
+  {{- if .Values.sso.enabled }}
+  sso:
+    - name: Mattermost Login
+      clientId: uds-swf-mattermost
+      redirectUris:
+        - "https://chat.uds.dev/*"
+      defaultClientScopes:
+        - "openid"
+        - "mapper-oidc-username-username"
+        - "mapper-oidc-mattermostid-id"
+        - "mapper-oidc-email-email" 
+
+      secretName: {{ .Values.sso.secretName }}
+      secretTemplate:
+        MM_GITLABSETTINGS_ENABLE: "{{ .Values.sso.enabled | toString }}"
+        MM_GITLABSETTINGS_ID: "clientField(clientId)"
+        MM_GITLABSETTINGS_SECRET: "clientField(secret)"
+        MM_GITLABSETTINGS_AUTHENDPOINT: "https://sso.{{ .Values.domain }}/realms/uds/protocol/openid-connect/auth"
+        MM_GITLABSETTINGS_TOKENENDPOINT: "http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/openid-connect/token"
+        MM_GITLABSETTINGS_USERAPIENDPOINT: "https://sso.{{ .Values.domain }}/realms/uds/protocol/openid-connect/userinfo"
+        MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL: "{{ .Values.sso.enable_sign_up_with_email | toString }}"
+        MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL: "{{ .Values.sso.enable_sign_in_with_email | toString }}"
+        MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME: "{{ .Values.sso.enable_sign_in_with_username | toString }}"
+  {{- end }}
   network:
     expose:
       - service: mattermost-enterprise-edition

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -1,3 +1,5 @@
+domain: "###ZARF_VAR_DOMAIN###"
+
 objectStorage:
   secure: true
   accessKey: ""
@@ -16,16 +18,13 @@ postgres:
   connectionOptions: ""
 
 sso:
-  enabled: false
-  client_id: ""
-  client_secret: ""
-  auth_endpoint: ""
-  token_endpoint: ""
-  user_api_endpoint: ""
+  enabled: true
+  secretName: mattermost-sso
+
   # These should typically be disabled if SSO is enabled
-  enable_sign_up_with_email: true
-  enable_sign_in_with_email: true
-  enable_sign_in_with_username: true
+  enable_sign_up_with_email: false
+  enable_sign_in_with_email: false
+  enable_sign_in_with_username: false
 
 # The subdomain for the mattermost server, will be prefixed to your domain (ex: mattermost.example.com)
 subdomain: "chat"

diff --git a/tasks.yaml b/tasks.yaml
@@ -2,11 +2,11 @@ includes:
   - cleanup: ./tasks/cleanup.yaml
   - dependencies: ./tasks/dependencies.yaml
   - test: ./tasks/test.yaml
-  - create: https://github.com/raw/defenseunicorns/uds-common/v0.4.0/tasks/create.yaml
-  - lint: https://github.com/raw/defenseunicorns/uds-common/v0.4.0/tasks/lint.yaml
-  - pull: https://github.com/raw/defenseunicorns/uds-common/v0.4.0/tasks/pull.yaml
-  - deploy: https://github.com/raw/defenseunicorns/uds-common/v0.4.0/tasks/deploy.yaml
-  - setup: https://github.com/raw/defenseunicorns/uds-common/v0.4.0/tasks/setup.yaml
+  - create: https://github.com/raw/defenseunicorns/uds-common/v0.4.2/tasks/create.yaml
+  - lint: https://github.com/raw/defenseunicorns/uds-common/v0.4.2/tasks/lint.yaml
+  - pull: https://github.com/raw/defenseunicorns/uds-common/v0.4.2/tasks/pull.yaml
+  - deploy: https://github.com/raw/defenseunicorns/uds-common/v0.4.2/tasks/deploy.yaml
+  - setup: https://github.com/raw/defenseunicorns/uds-common/v0.4.2/tasks/setup.yaml
 
 tasks:
   - name: default
@@ -39,6 +39,12 @@ tasks:
       - task: dependencies:create
       - task: create:test-bundle
 
+  - name: dev
+    description: Create and deploy the bundle on an existing cluster (for iteration/dev speed)
+    actions:
+      - task: create-mm-test-bundle
+      - task: deploy:test-bundle
+
 # CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names
 
   - name: test-package