Add oidc configuration

goharbor · Sep 17, 2024 · 16b6926 · 16b6926
1 parent 44f6a8f
commit 16b6926
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 3 deletions.
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -579,3 +579,35 @@ app: "{{ template "harbor.name" . }}"
 {{- define "harbor.ingress.kubeVersion" -}}
   {{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}}
 {{- end -}}
+
+{{/* oidc configuration */}}
+{{- define "harbor.oidcConfigSecret" -}}
+	{{- if .Values.core.oidc }}
+{
+  "auth_mode": "oidc_auth",
+  "oidc_name": "{{ .Values.core.oidc.name }}",
+  "oidc_endpoint": "{{ .Values.core.oidc.endpoint }}",
+	"oidc_extra_redirect_parms": "{{ .Values.core.oidc.extraRedirectParms | default "{}" }}",
+  "oidc_client_id":  "{{ .Values.core.oidc.clientId }}",
+  "oidc_client_secret": "{{ .Values.core.oidc.clientSecret | default (include "harbor.oidc.rawClientSecret" .) }}",
+  "oidc_groups_claim":  "{{ .Values.core.oidc.groupsClaim | default "" }}",
+  "oidc_admin_group":  "{{ .Values.core.oidc.adminGroup | default "" }}",
+  "oidc_scope": "{{ .Values.core.oidc.scope }}",
+  "oidc_verify_cert": "{{ .Values.core.oidc.verifyCert | default "true" }}",
+  "oidc_auto_onboard": "{{ .Values.core.oidc.autoOnboard | default "false" }}",
+  "oidc_user_claim": "{{ .Values.core.oidc.userClaim | default "name" }}"
+}
+	{{- end -}}
+{{- end -}}
+
+{{/* oidc lookup for existing client secret */}}
+{{- define "harbor.oidc.rawClientSecret" -}}
+	{{ if .Values.core.oidc.existingClientSecretName }}
+		{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace .Values.core.oidc.existingClientSecretName -}}
+		{{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data .Values.core.oidc.existingClientSecretKey) -}}
+			{{- .Values.core.oidc.clientSecret | default (b64dec (index $existingSecret.data .Values.core.oidc.existingClientSecretKey)) -}}
+		{{- else -}}
+			{{- .Values.core.oidc.clientSecret | default "" -}}
+		{{- end -}}
+	{{- end -}}
+{{- end -}}
diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml
@@ -31,7 +31,7 @@ data:
   {{- if not .Values.core.existingXsrfSecret }}
   CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }}
   {{- end }}
-{{- if .Values.core.configureUserSettings }}
-  CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }}
-{{- end }}
+  {{- if or (not (quote .Values.core.configureUserSettings | empty))  .Values.core.oidc }}
+  CONFIG_OVERWRITE_JSON: {{ (toString (toJson (merge (fromJson (.Values.core.configureUserSettings | default "{}")) (fromJson (include "harbor.oidcConfigSecret" . | default "{}"))))) | b64enc | quote }}
+  {{- end }}
   {{- template "harbor.traceJaegerPassword" . }}
diff --git a/values.yaml b/values.yaml
@@ -596,6 +596,20 @@ core:
   #   command: [ 'sh', '-c', "sleep 20" ]
   ## User settings configuration json string
   configureUserSettings:
+  ## Configure oidc authentication
+  # Example:
+  #   name: keycloak
+  #   endpoint: https://keycloak/realms/harbor
+  #   groupsClaim: roles
+  #   adminGroup: admin
+  #   clientId: harbor
+  #   clientSecret: ""
+  #   scope: openid,email,offline_access,profile,roles
+  #   verifyCert: false
+  #   autoOnboard: true
+  #   userClaim: email
+  # If clientSecret is not specified, set existingClientSecretName and existingClientSecretKey to use an existing secret
+  oidc: {}
   # The provider for updating project quota(usage), there are 2 options, redis or db.
   # By default it is implemented by db but you can configure it to redis which
   # can improve the performance of high concurrent pushing to the same project,