
OpenID configuration parameters added #13

Merged
merged 15 commits into from
Jul 22, 2024
4 changes: 2 additions & 2 deletions charts/testops/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: testops
version: 5.5.0
appVersion: 5.5.0
version: 5.6.0
appVersion: 5.6.0

description: TestOps

39 changes: 39 additions & 0 deletions charts/testops/templates/_helpers.tpl
Expand Up @@ -278,6 +278,45 @@
{{- end }}
{{- end }}

{{- define "renderOPENIDEnvs" }}
- name: SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OPENID_CLIENTNAME
value: {{ .Values.auth.openid.clientName }}
- name: SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OPENID_CLIENTID
valueFrom:
secretKeyRef:
name: {{ template "allure-testops.secret.name" . }}
key: openIdClientId
- name: SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OPENID_CLIENTSECRET
valueFrom:
secretKeyRef:
name: {{ template "allure-testops.secret.name" . }}
key: openIdClientSecret
- name: SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OPENID_REDIRECTURI
value: {{ .Values.auth.openid.redirectUri }}
- name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OPENID_SCOPE
value: {{ .Values.auth.openid.scope }}
- name: SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OPENID_AUTHORIZATIONGRANTTYPE
value: {{ .Values.auth.openid.authorizationGrantType }}
- name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OPENID_AUTHORIZATIONURI
value: {{ .Values.auth.openid.authorizationUri }}
- name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OPENID_USERINFOURI
- name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OPENID_ISSUERURI
value: {{ .Values.auth.openid.issuerUri }}
- name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OPENID_USERNAMEATTRIBUTE
value: {{ .Values.auth.openid.usernameAttribute }}
- name: ALLURE_LOGIN_OPENID_DEFAULTROLE
value: {{ .Values.auth.openid.defaultRole }}
{{- if .Values.auth.openid.syncRoles }}
- name: ALLURE_LOGIN_OPENID_SYNCROLES:
value: "true"
- name: ALLURE_LOGIN_OPENID_GROUPROLEATTRIBUTE
value: {{ .Values.auth.openid.groupRoleAttribute }}
- name: ALLURE_LOGIN_OPENID_GROUPAUTHORITIES_ROLEUSERGROUPS
value: {{ .Values.auth.openid.roleUserGroups }}
- name: ALLURE_LOGIN_OPENID_GROUPAUTHORITIES_ROLEADMINGROUPS
value: {{ .Values.auth.openid.roleAdminGroups }}
{{- end }}
{{- end }}

{{- define "renderCryptoEnvs" }}
- name: ALLURE_CRYPTO_PASSWORD
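Review bot: `- name: ALLURE_LOGIN_OPENID_SYNCROLES:` in renderOPENIDEnvs carries a trailing colon, so whenever `syncRoles` is true the rendered manifest contains `name: ALLURE_LOGIN_OPENID_SYNCROLES:`, which most YAML parsers reject with a mapping-values error and which would otherwise yield a variable name ending in `:`; the line should read `- name: ALLURE_LOGIN_OPENID_SYNCROLES`. The `SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OPENID_USERINFOURI` entry has no `value:` line at all, although values.yaml in this same PR defines `auth.openid.userinfoUri`, so `value: {{ .Values.auth.openid.userinfoUri }}` appears to be missing beneath it. The remaining plain `value: {{ .Values.auth.openid.* }}` lines would be safer piped through `| quote`, as secret.yaml already does: a container env `value` must be a string, and an unquoted value that YAML types as a bool or number, or that contains ` #` or `: `, breaks the rendered Deployment rather than the chart. A one-line comment above the define, e.g. `{{- /* OpenID env vars; client id/secret come from the chart Secret, the role-group vars only when syncRoles is true */ -}}`, would document the split between literal values and secretKeyRef.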
5 changes: 5 additions & 0 deletions charts/testops/templates/infra/secret.yaml
Expand Up @@ -59,4 +59,9 @@ data:
ldapPass: {{ .Values.auth.ldap.auth.pass | b64enc | quote }}
{{- end }}

{{- if .Values.auth.openid.enabled }}
openIdClientSecret: {{ .Values.auth.openid.clientSecret | b64enc | quote }}
openIdClientId: {{ .Values.auth.openid.clientId | b64enc | quote }}
{{- end }}

{{- end }}
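Review bot: `openIdClientSecret` and `openIdClientId` are base64-encoded with the same `b64enc | quote` pipeline as `ldapPass`, but the values.yaml added in this PR ships the placeholders `your_client_secret` and `you_client_id`, so a release with `auth.openid.enabled: true` and no override silently produces a Secret holding the dummy strings and the OIDC login fails only at runtime. Pairing an empty default in values.yaml with Helm's `required` turns that omission into a render-time error: `openIdClientSecret: {{ required "auth.openid.clientSecret must be set" .Values.auth.openid.clientSecret | b64enc | quote }}`, and likewise for `openIdClientId`. The template that encloses this `data:` block starts outside the hunk, so the same treatment may already exist for other keys there and should be kept consistent.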
16 changes: 16 additions & 0 deletions charts/testops/templates/infra/vault.yaml
Expand Up @@ -51,6 +51,12 @@ spec:
key: "ldapUser"
- objectName: "ldapPass"
key: "ldapPass"
{{- end }}
{{- if .Values.auth.openid.enabled }}
- objectName: "openIdClientSecret"
key: "openIdClientSecret"
- objectName: "openIdClientId"
key: "openIdClientId"
{{- end }}
parameters:
{{- if .Values.vault.url }}
Expand Down Expand Up @@ -140,4 +146,14 @@ spec:
secretKey: "ldap_pass"
{{- end }}

{{- if .Values.auth.openid.enabled }}
- objectName: "openIdClientSecret"
secretPath: "{{ .Values.vault.secretPath }}"
secretKey: "openid_client_secret"

- objectName: "openIdClientId"
secretPath: "{{ .Values.vault.secretPath }}"
secretKey: "openid_client_id"
{{- end }}

{{- end }}
4 changes: 4 additions & 0 deletions charts/testops/templates/testops/testops-dep.yaml
Expand Up @@ -80,6 +80,10 @@ spec:
{{- include "renderSAMLEnvs" . | indent 10 }}
{{- end }}

{{- if .Values.auth.openid.enabled }}
{{- include "renderOPENIDEnvs" . | indent 10 }}
{{- end }}

{{- if eq .Values.storage.type "S3" }}
{{- include "renderS3Envs" . | indent 10 }}
{{- end }}
49 changes: 36 additions & 13 deletions charts/testops/values.yaml
Expand Up @@ -32,6 +32,7 @@ version: 5.5.0
# this section needs to be updated as follows:
# - registry – the name of the registry described in the documentation of the deployment with the Helm Chart or used by your company as a proxy
# - repository – the name of the repo described in the documentation of the deployment with the Helm Chart or used by your company
# - imageName - name of the image to be pulled. Leave as is and do not change without consulting with the support.
# - username - the username for images registry either owned by Qameta Software or managed by your organisation
# - password - password for images registry either owned by Qameta Software or managed by your organisation
# - credsKubeSecretName is the label for the secret where chart should store registry authentication info
Expand Down Expand Up @@ -104,18 +105,20 @@ resources:
timeZone: "Europe/London"

############################################################################################################
# Email address to send the invitation for user authorization with admin rights.
# Ensure SMTP is configured to send the invite.
# Email address of the very first user of TestOps instance to send the invitation.
# This is in fact the first admin of the system, that will invite other users.
# Make sure SMTP parameters are set to send the invite.
# SMTP server setting are mandatory for the creation of first user.
############################################################################################################
email: [email protected]

############################################################################################################
# cryptoPass parameter is used to encrypt sensitive data (passwords, API tokens in the database)
# create a phrase (e.g. in the secret below we used https://help.qameta.io), then use base64 encoding,
# and paste encoded value here.
# Come up with some phrase, then use Base64 encoding, and paste encoded value here.
# In this example we user phrase "This phrase must be kept in a dark dry place." and encoded it as Base64
# phrase mustn't be changed over time, otherwise your integrations would stop working and you will need to re-submit data
############################################################################################################
cryptoPass: aHR0cHM6Ly9oZWxwLnFhbWV0YS5pbw==
cryptoPass: VGhpcyBwaHJhc2UgbXVzdCBiZSBrZXB0IGluIGEgZGFyayBkcnkgcGxhY2Uu

############################################################################################################
# jwtSecret is a seed phrase for the generation of bearer tokens used for authentication of API calls
Expand Down Expand Up @@ -237,17 +240,19 @@ datasources:
# appMaxDBConnection defines the number of database connections used by single replica of Allure Testops service
# total allowed DB connections are defined by appMaxDBConnection multiplied by value of replicaCount
# these connections are shared between end users accessing the data via UI
# if uploaderDatasource is set to disabled, pleae make sure you are setting appMaxDBConnection at least equal to 10
############################################################################################################
appMaxDBConnection: 2
appMaxDBConnection: 10
sslMode: prefer
############################################################################################################
# App related
# uploaderDatasource.appMaxDBConnection defines the DB connection pool used by single replica of Allure Testops service
# for processing of the test result upload
# if disabled, pleae make sure you are setting appMaxDBConnection at least equal to 10
############################################################################################################
uploaderDatasource:
enabled: false
appMaxDBConnection: 3
appMaxDBConnection: 5
appConnectionTimeout: 60000
############################################################################################################
# App related
Expand Down Expand Up @@ -282,27 +287,28 @@ proxy:

############################################################################################################
# App related
# Configuration of SMTP is a must for
# THIS IS TO BE SET to enabled: true. Configuration of SMTP is a must for the folowing.
# - first application run and initialisation
# - adding new local users to Allure TestOps instance
# - restoring (resetting) lost passwords
# SMTP must be enabled and correctly configured for a production system
# below we have correct synthetic and hence non-working example
# please note, gmail does not allow using the real password for SMTP authentication, you need to create and use
# so-called application password
# the example parameters below are suitable for usage with gmail smtp (you need to add real username and password, though)
############################################################################################################
smtp:
enabled: false
enabled: true
host: smtp.gmail.com
port: 465
port: 587
authEnabled: true
from: [email protected]
username: sa-testops-smtp
password: ThisMUstBeRealPasswordOrAppPassword
# https://en.wikipedia.org/wiki/Opportunistic_TLS
startTLSEnabled: true
startTLSRequired: true
sslEnabled: true
sslEnabled: false
sslTrust: smtp.gmail.com

############################################################################################################
Expand Down Expand Up @@ -407,7 +413,7 @@ logging:
baseLogLevel: warn
# Security Logging Level Configuration
securityLogLevel: warn
# Hikari Logging Level Configuration
# Hikari (related to the working with the database) Logging Level Configuration
hikariLogLevel: warn

############################################################################################################
Expand Down Expand Up @@ -470,7 +476,7 @@ network:
# defaultRole allowed values are ROLE_GUEST, ROLE_USER, ROLE_ADMIN
############################################################################################################
auth:
# Available options system / saml2 / ldap
# Available options system / saml2 / ldap / openid
primary: system
# Allowed roles: ROLE_ADMIN, ROLE_USER, ROLE_GUEST
defaultRole: ROLE_GUEST
Expand Down Expand Up @@ -522,6 +528,23 @@ auth:
groupRoleAttribute: groupRoleAttribute
roleUserGroups: roleUserGroups
roleAdminGroups: roleAdminGroups
openid:
enabled: false
clientName: keycloak
clientId: you_client_id
clientSecret: your_client_secret
redirectUri: https://<your-domain>/login/oauth2/code/openid
scope: openid,email,profile
authorizationGrantType: authorization_code
authorizationUri: http://keycloak/realms/<you_realm>/protocol/openid-connect/auth
userinfoUri: http://keycloak/realms/<you_realm>/protocol/openid-connect/userinfo
issuerUri: http://keycloak/realms/<you_realm>
usernameAttribute: preferred_username
defaultRole: ROLE_GUEST
syncRoles: false
groupRoleAttribute: groupRoleAttribute
roleUserGroups: roleUserGroups
roleAdminGroups: roleAdminGroups

############################################################################################################
# parameters define whether users can or cannot register via UI without involving administrator
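Review bot: The new `openid:` example under `auth:` advertises plain `http://` endpoints for `authorizationUri`, `userinfoUri` and `issuerUri`; these URLs carry the authorization redirect and the userinfo response, so the example should use `https://` to avoid copy-paste deployments that downgrade the OIDC exchange to cleartext, e.g. `issuerUri: https://keycloak/realms/<your_realm>`. The placeholders also read `you_client_id` and `<you_realm>` where `your_…` is evidently intended. A short comment above `openid:` noting that `groupRoleAttribute`, `roleUserGroups` and `roleAdminGroups` are consumed only when `syncRoles: true`, and that `clientId`/`clientSecret` are stored in the chart Secret, would mirror the helper template's conditional and save readers a trip to `_helpers.tpl`. In the other hunks of this file, the new comment lines contain the typos `pleae` (twice) and `folowing`, and "we user phrase" should read "we used the phrase".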