Add OIDC Configuration #122

JasonPowr · 2023-12-11T10:44:03Z

This pr allows for the configuration of an OIDC provider with the tas installer

Installs Trusted Artifact Signer (TAS) on a Kubernetes cluster.

        This command performs a series of actions:
        1. Initializes the Kubernetes client to interact with your cluster
        2. Sets up necessary certificates
        3. Configures secrets
        4. Deploys TAS to openshift

Usage:
  tas-installer install [flags]

Flags:
      --chartVersion string      Version of the Helm chart (default "0.1.26")
  -h, --help                     help for install
      --oidc-client-id string    Specify the OIDC client ID
      --oidc-issuer-url string   Specify the OIDC issuer URL e.g for keycloak: https://[keycloak-domain]/auth/realms/[realm-name]
      --oidc-type string         Specify the OIDC type
      --valuesFile string        Custom values file for chart configuration

Global Flags:
      --kubeconfig string   Specify the kubeconfig path (default "/home/japower/.kube/config")

It adds three new flags to the installer --oidc-client-id, --oidc-issuer-url and --oidc-type

JasonPowr · 2023-12-11T10:45:50Z

tas-installer/pkg/helm/helm.go

@@ -54,7 +56,7 @@ func InstallTrustedArtifactSigner(kc *kubernetes.KubernetesClient, tasNamespace,
 		}
 	} else {
 		// if no values passed, use the default templated values
-		tmpFile, err := ioutil.TempFile("", "values-*.yaml")
+		tmpFile, err := os.CreateTemp("", "values-*.yaml")


The ioutil.TempFile() is deprecated, so I swapped it out for os.CreateTemp()

JasonPowr · 2023-12-11T10:46:57Z

tas-installer/pkg/helm/helm.go

-func InstallTrustedArtifactSigner(kc *kubernetes.KubernetesClient, tasNamespace, tasReleaseName, pathToValuesFile, chartVersion string) error {
-	chartUrl := "oci://quay.io/redhat-user-workloads/arewm-tenant/sigstore-ocp/trusted-artifact-signer"
+func InstallTrustedArtifactSigner(kc *kubernetes.KubernetesClient, oidcConfig oidc.OIDCConfig, tasNamespace, tasReleaseName, pathToValuesFile, chartVersion string) error {
+	chartUrl := "charts/trusted-artifact-signer"


Also changed this to the local chart, as the oci one does not have a 0.1.26 tag

oh great! and I have a PR to make the chartURL configureable, so I'll pull in this change - this filesystem url will be the default until we have a stable OCI chart

sallyom

Nice! I have a follow-up for the chartURL - we might rename it from chartURL to chartSomethingElse since with the local chart path it's not technically a URL - I'll add this to PR #127 though and let's merge this as/is!

allow for oidc configuration

6aea662

JasonPowr requested review from lance and sallyom December 11, 2023 10:44

JasonPowr commented Dec 11, 2023

View reviewed changes

sallyom approved these changes Dec 11, 2023

View reviewed changes

sallyom merged commit 76f7b6b into release-1.0.gamma Dec 11, 2023

JasonPowr deleted the add-oidc-configuration branch December 12, 2023 08:38

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add OIDC Configuration #122

Add OIDC Configuration #122

JasonPowr commented Dec 11, 2023

JasonPowr Dec 11, 2023

JasonPowr Dec 11, 2023

sallyom Dec 11, 2023

sallyom left a comment

Add OIDC Configuration #122

Add OIDC Configuration #122

Conversation

JasonPowr commented Dec 11, 2023

JasonPowr Dec 11, 2023

Choose a reason for hiding this comment

JasonPowr Dec 11, 2023

Choose a reason for hiding this comment

sallyom Dec 11, 2023

Choose a reason for hiding this comment

sallyom left a comment

Choose a reason for hiding this comment