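{{- /* Renders the "keycloak" task: an init container waits until Keycloak answers over
      HTTPS, then the tasks image runs the keycloak task with its OIDC/IdP settings and
      the per-team group mappings. */ -}}
{{- $v := .Environment.Values }}
{{- $teams := $v.teamConfig.teams }}
{{- /* "team-<name>" -> oidc.groupMapping, only for teams that define a mapping */ -}}
{{- $teamsMapping := dict }}
{{- range $name, $team := $teams }}
{{- if ($team | get "oidc.groupMapping" false) }}
{{- $teamsMapping = set $teamsMapping (printf "team-%s" $name) $team.oidc.groupMapping -}}
{{- end -}}
{{- end -}}
{{- $c := $v.charts }}
{{- $cm := $c | get "cert-manager" dict -}}
{{- $k := $c | get "keycloak" dict }}
{{- /* TLS verification is relaxed only when cert-manager runs in its "staging" stage
      (presumably issuing certificates that are not publicly trusted — confirm). */ -}}
{{- $skipVerify := eq ($cm | get "stage") "staging" }}
tasks:
  keycloak:
    type: job
    description: Configure OIDC as a primary authentication method and populate teams to harbor projects
    enabled: true
    init:
      image:
        repository: badouralix/curl-http2
      script: |
        {{ if $skipVerify }}export INSECURE='--insecure'{{ end }}
        echo "Waiting until keycloak is accessible at https://keycloak.{{ $v.cluster.domain }}"
        # Poll until the HEAD request succeeds (--fail treats HTTP 4xx/5xx as failure).
        until curl $INSECURE --output /dev/null --silent --head --fail https://keycloak.{{ $v.cluster.domain }}; do
          printf '.'
          sleep 5
        done
        echo READY!
    image:
      repository: {{ $c | get "jobs.keycloak.image.repository" "otomi/tasks" }}
      # Quoted so a numeric-looking tag is not parsed as a number.
      tag: {{ $c | get "jobs.keycloak.image.tag" "v0.2.1" | quote }}
      pullPolicy: {{ $c | get "jobs.keycloak.image.pullPolicy" "IfNotPresent" }}
    env:
      KEYCLOAK_THEME_LOGIN: {{ $k | get "theme" "default" | quote }}
    # NOTE(review): the source's indentation was lost; `secret` is rendered here as a
    # sibling of `env` — confirm the nesting against the consuming chart's schema.
    # Templated values are quoted so that boolean-, number- or null-looking settings
    # reach the job as the intended strings.
    secret:
      KEYCLOAK_ADDRESS: https://keycloak.{{ $v.cluster.domain }}
      KEYCLOAK_ADMIN: {{ $k | get "admin.username" "admin" | quote }}
      # NOTE(review): falls back to a fixed default when admin.password is unset;
      # make sure the value is always provided for environments that matter.
      KEYCLOAK_ADMIN_PASSWORD: {{ $k | get "admin.password" "bladibla" | quote }}
      KEYCLOAK_REALM: master
      KEYCLOAK_CLIENT_ID: {{ $k.idp | get "clientID" "otomi" | quote }}
      KEYCLOAK_CLIENT_SECRET: {{ $k.idp.clientSecret | quote }}
      TENANT_ID: {{ $v.oidc.tenantID | quote }}
      TENANT_CLIENT_ID: {{ $v.oidc.clientID | quote }}
      TENANT_CLIENT_SECRET: {{ $v.oidc.clientSecret | quote }}
      IDP_ALIAS: {{ $k.idp.alias | quote }}
      IDP_GROUP_OTOMI_ADMIN: {{ $v.oidc.adminGroupID | quote }}
      IDP_GROUP_TEAM_ADMIN: {{ $v.oidc.teamAdminGroupID | quote }}
      IDP_GROUP_MAPPINGS_TEAMS: '{{ $teamsMapping | toJson }}'
      IDP_OIDC_URL: {{ $v.oidc.issuer | quote }}
      # JSON array of allowed redirect URIs; one wildcard entry per team.
      REDIRECT_URIS: '[
        "https://otomi.{{ $v.cluster.domain }}",
        "https://auth.{{ $v.cluster.domain }}/*",
        "https://apps.{{ $v.cluster.domain }}/*",
        "https://otomi.{{ $v.cluster.domain }}/*",
        {{- range $name, $team := $teams }}
        "https://apps.team-{{ $name }}.{{ $v.cluster.domain }}/*",
        {{- end }}
        "https://harbor.{{ $v.cluster.domain }}/*"
      ]'
    # In the staging case Node is pointed at the extra CA bundle instead of disabling verification.
    script: {{ if $skipVerify }}export NODE_EXTRA_CA_CERTS=/fakeroot.pem && {{ end }}npm run tasks:keycloak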