diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index f6249b399..bdaa6bf91 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -579,3 +579,35 @@ app: "{{ template "harbor.name" . }}"
 {{- define "harbor.ingress.kubeVersion" -}}
 {{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}}
 {{- end -}}
+
+{{/* oidc configuration */}}
+{{- define "harbor.oidcConfigSecret" -}}
+ {{- if .Values.core.oidc }}
+{
+ "auth_mode": "oidc_auth",
+ "oidc_name": "{{ .Values.core.oidc.name }}",
+ "oidc_endpoint": "{{ .Values.core.oidc.endpoint }}",
+ "oidc_extra_redirect_parms": "{{ .Values.core.oidc.extraRedirectParms | default "{}" }}",
+ "oidc_client_id": "{{ .Values.core.oidc.clientId }}",
+ "oidc_client_secret": "{{ .Values.core.oidc.clientSecret | default (include "harbor.oidc.rawClientSecret" .) }}",
+ "oidc_groups_claim": "{{ .Values.core.oidc.groupsClaim | default "" }}",
+ "oidc_admin_group": "{{ .Values.core.oidc.adminGroup | default "" }}",
+ "oidc_scope": "{{ .Values.core.oidc.scope }}",
+ "oidc_verify_cert": "{{ .Values.core.oidc.verifyCert | default "true" }}",
+ "oidc_auto_onboard": "{{ .Values.core.oidc.autoOnboard | default "false" }}",
+ "oidc_user_claim": "{{ .Values.core.oidc.userClaim | default "name" }}"
+}
+ {{- end -}}
+{{- end -}}
+
+{{/* oidc lookup for existing client secret */}}
+{{- define "harbor.oidc.rawClientSecret" -}}
+ {{ if .Values.core.oidc.existingClientSecretName }}
+ {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace .Values.core.oidc.existingClientSecretName -}}
+ {{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data .Values.core.oidc.existingClientSecretKey) -}}
+ {{- .Values.core.oidc.clientSecret | default (b64dec (index $existingSecret.data .Values.core.oidc.existingClientSecretKey)) -}}
+ {{- else -}}
+ {{- .Values.core.oidc.clientSecret | default "" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
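Review bot: `"oidc_verify_cert": "{{ .Values.core.oidc.verifyCert | default "true" }}"` can never render `false`, because Sprig's `default` treats a boolean `false` as empty, so the `verifyCert: false` shown in the values.yaml example of this same commit renders as `"true"`. The other fields interpolate raw values between literal quotes, so a name, scope or client secret containing `"` or `\` produces malformed JSON, and Sprig's `fromJson` (used on this output in core-secret.yaml) discards decode errors rather than failing the render, so the breakage surfaces, if at all, far from its cause. Emitting each value through `toJson` gives correct escaping and `hasKey`/`ternary` preserves an explicit `false`; the rewritten body is below. In `harbor.oidc.rawClientSecret`, `lookup` returns an empty map under `helm template` and `--dry-run`, so the `else` branch renders an empty `oidc_client_secret` with no diagnostic; a comment on the define such as `{{/* needs cluster access: lookup is empty under helm template/--dry-run and the client secret then renders as "" */}}` would save a debugging round.
```gotmpl
{{- define "harbor.oidcConfigSecret" -}}
  {{- if .Values.core.oidc }}
{
  "auth_mode": "oidc_auth",
  "oidc_name": {{ .Values.core.oidc.name | default "" | toJson }},
  "oidc_endpoint": {{ .Values.core.oidc.endpoint | default "" | toJson }},
  "oidc_extra_redirect_parms": {{ .Values.core.oidc.extraRedirectParms | default "{}" | toJson }},
  "oidc_client_id": {{ .Values.core.oidc.clientId | default "" | toJson }},
  "oidc_client_secret": {{ .Values.core.oidc.clientSecret | default (include "harbor.oidc.rawClientSecret" .) | toJson }},
  "oidc_groups_claim": {{ .Values.core.oidc.groupsClaim | default "" | toJson }},
  "oidc_admin_group": {{ .Values.core.oidc.adminGroup | default "" | toJson }},
  "oidc_scope": {{ .Values.core.oidc.scope | default "" | toJson }},
  "oidc_verify_cert": {{ ternary .Values.core.oidc.verifyCert true (hasKey .Values.core.oidc "verifyCert") | toString | toJson }},
  "oidc_auto_onboard": {{ .Values.core.oidc.autoOnboard | default false | toString | toJson }},
  "oidc_user_claim": {{ .Values.core.oidc.userClaim | default "name" | toJson }}
}
  {{- end -}}
{{- end -}}
{{/* … unchanged: harbor.oidc.rawClientSecret … */}}
```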
diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml
index ea9d4cfab..e5ea95a6f 100644
--- a/templates/core/core-secret.yaml
+++ b/templates/core/core-secret.yaml
@@ -31,7 +31,7 @@ data:
 {{- if not .Values.core.existingXsrfSecret }}
 CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }}
 {{- end }}
-{{- if .Values.core.configureUserSettings }}
- CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }}
-{{- end }}
+ {{- if or (not (quote .Values.core.configureUserSettings | empty)) .Values.core.oidc }}
+ CONFIG_OVERWRITE_JSON: {{ (toString (toJson (merge (fromJson (.Values.core.configureUserSettings | default "{}")) (fromJson (include "harbor.oidcConfigSecret" . | default "{}"))))) | b64enc | quote }}
+ {{- end }}
 {{- template "harbor.traceJaegerPassword" . }}
diff --git a/test/unittest/core_secret_test.yaml b/test/unittest/core_secret_test.yaml
index 4f08c1e61..9097215da 100644
--- a/test/unittest/core_secret_test.yaml
+++ b/test/unittest/core_secret_test.yaml
@@ -29,7 +29,7 @@ tests:
 value: "dGVzdC1hZG1pbi1wYXNzd29yZA=="
 - equal:
 path: data.CONFIG_OVERWRITE_JSON
- value: "eyJ0ZXN0IjogInRlc3QifQ=="
+ value: "eyJ0ZXN0IjoidGVzdCJ9"
 - it: ExistingSecretSecretKey
 set:
diff --git a/values.yaml b/values.yaml
index c862337d0..e35e45e8b 100644
--- a/values.yaml
+++ b/values.yaml
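Review bot: Replacing the pass-through of `configureUserSettings` with `fromJson` on the added CONFIG_OVERWRITE_JSON line turns a loud failure into a silent one: Sprig's `fromJson` discards decode errors, so a typo in the user's JSON (or malformed output from `harbor.oidcConfigSecret`) now yields an empty map and the settings vanish, where before Harbor core would have rejected the bad document. `mustFromJson` fails the render with the parse error instead; the line would read `... (merge (mustFromJson (.Values.core.configureUserSettings | default "{}")) (mustFromJson (include "harbor.oidcConfigSecret" . | default "{}")))) ...`. The precedence is also worth stating: Sprig's `merge` keeps keys already present in the destination, so a key set in `configureUserSettings` wins over the same key derived from `core.oidc`; a comment above the line such as `# keys given explicitly in configureUserSettings take precedence over values derived from core.oidc` records that as intended rather than accidental.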
@@ -596,6 +596,20 @@ core:
 # command: [ 'sh', '-c', "sleep 20" ]
 ## User settings configuration json string
 configureUserSettings:
+ ## Configure oidc authentication
+ # Example:
+ # name: keycloak
+ # endpoint: https://keycloak/realms/harbor
+ # groupsClaim: roles
+ # adminGroup: admin
+ # clientId: harbor
+ # clientSecret: ""
+ # scope: openid,email,offline_access,profile,roles
+ # verifyCert: false
+ # autoOnboard: true
+ # userClaim: email
+ # If clientSecret is not specified, set existingClientSecretName and existingClientSecretKey to use an existing secret
+ oidc: {}
 # The provider for updating project quota(usage), there are 2 options, redis or db.
 # By default it is implemented by db but you can configure it to redis which
 # can improve the performance of high concurrent pushing to the same project,
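Review bot: The example under `oidc` lists every key that `harbor.oidcConfigSecret` reads except the two that `harbor.oidc.rawClientSecret` depends on, so the closing comment tells the user to set `existingClientSecretName` and `existingClientSecretKey` without showing where they go or what they hold. Two commented lines after `# clientSecret: ""`, `# existingClientSecretName: ""` and `# existingClientSecretKey: ""`, with a note that the key is the entry in the referenced Secret's `data`, would make the example self-contained. Since that path is the one that keeps the client secret out of the chart inputs, the closing comment could also say so plainly, e.g. `# Prefer existingClientSecretName/existingClientSecretKey over a literal clientSecret so the value is not stored in values files`.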