Add SSO config & secret

.github/environments/values.dev.yaml

@@ -25,6 +25,10 @@ config:
     SERVER_OIDC_IDENTITYKEY: idir_user_guid,bceid_user_guid,github_id
     SERVER_OIDC_PUBLICKEY: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuy7zfh2ZgpDV5mH/aXyLDTddZK81rGakJcTy4KvCNOkDDxt1KAhW02lmbCo8YhHCOzjNZBp1+Vi6QiMRgBqAe2GTPZYEiV70aXfROGZe3Nvwcjbtki6HoyRte3SpqLJEIPL2F+hjJkw1UPGnjPTWZkEx9p74b9i3BjuE8RnjJ0Sza2MWw83zoQUZEJRGiopSL0yuVej6t2LO2btVdVf7QuZfPt9ehkcQYlPKpVvJA+pfeqPAdnNt7OjEIeYxinjurZr8Z04hz8UhkRefcWlSbFzFQYmL7O7iArjW0bsSvq8yNUd5r0KCOQkFduwZy26yTzTxj8OLFT91fEmbBBl4rQIDAQAB
     SERVER_PORT: "8080"
+    SERVER_SSO_APIPATH: https://api.loginproxy.gov.bc.ca/api/v1
+    SERVER_SSO_TOKENURL: https://loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/token
+    SERVER_SSO_CLIENTID: service-account-team-1850-5484
+    SERVER_SSO_INTEGRATION: "5138"
 
 patroni:
   enabled: true

.github/environments/values.prod.yaml

@@ -25,6 +25,10 @@ config:
     SERVER_OIDC_IDENTITYKEY: idir_user_guid,bceid_user_guid
     SERVER_OIDC_PUBLICKEY: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmHiuPKOkpkq4GXN1ktr23rJtDl6Vdu/Y37ZAd3PnQ8/IDfAODvy1Y81aAUZicKe9egolv+OTRANN3yOg+TAbRhkeXLE5p/473EK0aQ0NazTCuWo6Am3oDQ7Yt8x0pw56/qcLtkTuXNyo5EnVV2Z2BzCnnaL31JOhyitolku0DNT6GDoRBmT4o2ItqEVHk5nM25cf1t2zbwI2790W6if1B2qVRkxxivS8tbH7nYC61Is3XCPockKptkH22cm2ZQJmtYd5sZKuXaGsvtyzHmn8/l0Kd1xnHmUu4JNuQ67YiNZGu3hOkrF0Js3BzAk1Qm4kvYRaxbJFCs/qokLZ4Z0W9wIDAQAB
     SERVER_PORT: "8080"
+    SERVER_SSO_APIPATH: https://api.loginproxy.gov.bc.ca/api/v1
+    SERVER_SSO_TOKENURL: https://loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/token
+    SERVER_SSO_CLIENTID: service-account-team-1850-5484
+    SERVER_SSO_INTEGRATION: "5138"
 
 patroni:
   enabled: true

.github/environments/values.test.yaml

@@ -25,6 +25,10 @@ config:
     SERVER_OIDC_IDENTITYKEY: idir_user_guid,bceid_user_guid
     SERVER_OIDC_PUBLICKEY: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiFdv9GA83uHuy8Eu9yiZHGGF9j6J8t7FkbcpaN81GDjwbjsIJ0OJO9dKRAx6BAtTC4ubJTBJMPvQER5ikOhIeBi4o25fg61jpgsU6oRZHkCXc9gX6mrjMjbsPaf3/bjjYxP5jicBDJQeD1oRa24+tiGggoQ7k6gDEN+cRYqqNpzC/GQbkUPk8YsgroncEgu8ChMh/3ERsLV2zorchMANUq76max16mHrhtWIQxrb/STpSt4JuSlUzzBV/dcXjJe5gywZHe0jAutFhNqjHzHdgyaC4RAd3eYQo+Kl/JOgy2AZrnx+CiPmvOJKe9tAW4k4H087ng8aVE40v4HW/FEbnwIDAQAB
     SERVER_PORT: "8080"
+    SERVER_SSO_APIPATH: https://api.loginproxy.gov.bc.ca/api/v1
+    SERVER_SSO_TOKENURL: https://loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/token
+    SERVER_SSO_CLIENTID: service-account-team-1850-5484
+    SERVER_SSO_INTEGRATION: "5138"
 
 patroni:
   enabled: true

app/config/custom-environment-variables.json

@@ -69,6 +69,13 @@
       "identityKey": "SERVER_OIDC_IDENTITYKEY",
       "publicKey": "SERVER_OIDC_PUBLICKEY"
     },
-    "port": "SERVER_PORT"
+    "port": "SERVER_PORT",
+    "sso": {
+      "apiPath": "SERVER_SSO_APIPATH",
+      "tokenUrl": "SERVER_SSO_TOKENURL",
+      "clientId": "SERVER_SSO_CLIENTID",
+      "clientSecret": "SERVER_SSO_CLIENTSECRET",
+      "integration": "SERVER_SSO_INTEGRATION"
+    }
   }
 }

charts/pcns/templates/deploymentconfig.yaml

@@ -160,6 +160,11 @@ spec:
                 secretKeyRef:
                   key: password
                   name: {{ include "pcns.configname" . }}-oidc
+            - name: SERVER_SSO_CLIENTSECRET
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: {{ include "pcns.configname" . }}-sso
           envFrom:
             - configMapRef:
                 name: {{ include "pcns.configname" . }}-config

charts/pcns/templates/secret.yaml

@@ -8,6 +8,8 @@
 {{- $chesUsername := (randAlphaNum 32) }}
 {{- $oPassword := (randAlphaNum 32) }}
 {{- $oUsername := (randAlphaNum 32) }}
+{{- $ssoPassword := (randAlphaNum 32) }}
+{{- $ssoUsername := (randAlphaNum 32) }}
 
 {{- $dbSecretName := printf "%s-%s" (include "pcns.configname" .) "passphrase" }}
 {{- $dbSecret := (lookup "v1" "Secret" .Release.Namespace $dbSecretName ) }}
@@ -19,6 +21,8 @@
 {{- $chesSecret := (lookup "v1" "Secret" .Release.Namespace $chesSecretName ) }}
 {{- $oSecretName := printf "%s-%s" (include "pcns.configname" .) "oidc" }}
 {{- $oSecret := (lookup "v1" "Secret" .Release.Namespace $oSecretName ) }}
+{{- $ssoSecretName := printf "%s-%s" (include "pcns.configname" .) "sso" }}
+{{- $ssoSecret := (lookup "v1" "Secret" .Release.Namespace $ssoSecretName ) }}
 
 {{- if and (not $dbSecret) (not .Values.patroni.enabled) }}
 ---
@@ -101,4 +105,18 @@ type: kubernetes.io/basic-auth
 data:
   password: {{ .Values.oidcSecretOverride.password | default $oPassword | b64enc | quote }}
   username: {{ .Values.oidcSecretOverride.username | default $oUsername | b64enc | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  {{- if not .Values.config.releaseScoped }}
+  annotations:
+    "helm.sh/resource-policy": keep
+  {{- end }}
+  name: {{ $ssoSecretName }}
+  labels: {{ include "pcns.labels" . | nindent 4 }}
+type: kubernetes.io/basic-auth
+data:
+  password: {{ .Values.ssoSecretOverride.password | default $ssoPassword | b64enc | quote }}
+  username: {{ .Values.ssoSecretOverride.username | default $ssoUsername | b64enc | quote }}
 {{- end }}

charts/pcns/values.yaml

@@ -159,12 +159,18 @@ config:
 
     # SERVER_LOGFILE: ~
     SERVER_LOGLEVEL: http
-    SERVER_PORT: "8080"
 
     SERVER_OIDC_AUTHORITY: ~
     SERVER_OIDC_IDENTITYKEY: ~
     SERVER_OIDC_PUBLICKEY: ~
 
+    SERVER_PORT: "8080"
+
+    SERVER_SSO_APIPATH: ~
+    SERVER_SSO_TOKENURL: ~
+    SERVER_SSO_CLIENTID: ~
+    SERVER_SSO_INTEGRATION: ~
+
 # Modify the following variables if you need to acquire secret values from a custom-named resource
 dbSecretOverride:
   username: ~
@@ -181,6 +187,9 @@ chesSecretOverride:
 oidcSecretOverride:
   username: ~
   password: ~
+ssoSecretOverride:
+  username: ~
+  password: ~
 
 # Patroni subchart configuration overrides
 patroni: