Nest Keycloak settings

dominodatalab · Jun 21, 2023 · b3284d9 · b3284d9
1 parent 9b256ce
commit b3284d9
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 9 deletions.
diff --git a/deployments/helm/hephaestus/templates/controller/secret.yaml b/deployments/helm/hephaestus/templates/controller/secret.yaml
@@ -15,6 +15,14 @@ stringData:
       labels:
         {{- .labels | toYaml | nindent 8 }}
       {{- end }}
+    keycloak:
+      {{- with .Values.keycloak }}
+      enabled: {{ .enabled }}
+      server: {{ .server }}
+      realm: {{ .realm }}
+      clientId: {{ .clientId }}
+      clientSecret: {{ .clientSecret }}
+      {{- end }}
     buildkit:
       namespace: {{ .Release.Namespace }}
       daemonPort: {{ .Values.buildkit.service.port }}

diff --git a/deployments/helm/hephaestus/values.yaml b/deployments/helm/hephaestus/values.yaml
@@ -40,8 +40,8 @@ istio:
 keycloak:
   # Enable support for acquiring a Keycloak JWT for this service and making it available to builds
   enabled: false
-  # Address of the Keycloak endpoint
-  server: "http://keycloak-http"
+  # Address of the Keycloak endpoint - auth may or may not be required depending on KeyCloak version and its configuration
+  server: "http://keycloak-http/auth/"
   # Realm where the given client id logs in
   realm: "DominoRealm"
   # Identifies the client for use in API calls

diff --git a/pkg/controller/imagebuild/component/builddispatcher.go b/pkg/controller/imagebuild/component/builddispatcher.go
@@ -185,18 +185,17 @@ func (c *BuildDispatcherComponent) Reconcile(ctx *core.Context) (ctrl.Result, er
 	}
 	clientInitSeg.End()
 
-	secrets := c.cfg.Secrets
 	// TODO: look at the CR value to determine if JWT injection is enabled
 	if true {
 		kc := gocloak.NewClient(c.keycloakCfg.Server)
-		// grant type client_credentials
-		// cfg.Scopes...
 		jwt, err := kc.LoginClient(buildCtx, c.keycloakCfg.ClientID, c.keycloakCfg.ClientSecret, c.keycloakCfg.Realm)
 		if err != nil {
-			log.Error(err, fmt.Sprintf("Failed to acquire Keycloak credentials %s", c.keycloakCfg.ClientID))
+			log.Error(err, fmt.Sprintf(
+				"Failed to acquire [%s] Keycloak creds at [%s]", c.keycloakCfg.ClientID, c.keycloakCfg.Server))
 		} else {
-			secrets["SERVICE_TOKEN"] = jwt.AccessToken
-			log.Info(fmt.Sprintf("Injected JWT as SERVICE_TOKEN into builder for Keycloak client %s", c.keycloakCfg.ClientID))
+			obj.Spec.BuildArgs = append(obj.Spec.BuildArgs, fmt.Sprintf("%s=%s", "SERVICE_TOKEN", jwt.AccessToken))
+			// c.cfg.Secrets["SERVICE_TOKEN"] = jwt.AccessToken
+			log.Info(fmt.Sprintf("Injected JWT as SERVICE_TOKEN into builder for Keycloak client [%s]", c.keycloakCfg.ClientID))
 		}
 	}
 
@@ -207,7 +206,7 @@ func (c *BuildDispatcherComponent) Reconcile(ctx *core.Context) (ctrl.Result, er
 		NoCache:                  obj.Spec.DisableLocalBuildCache,
 		ImportCache:              obj.Spec.ImportRemoteBuildCache,
 		DisableInlineCacheExport: obj.Spec.DisableCacheLayerExport,
-		Secrets:                  secrets,
+		Secrets:                  c.cfg.Secrets,
 		FetchAndExtractTimeout:   c.cfg.FetchAndExtractTimeout,
 	}
 	log.Info("Dispatching image build", "images", buildOpts.Images)