Add OIDC Configuration

tas-installer/cmd/install.go

@@ -7,6 +7,7 @@ import (
 
 	"securesign/sigstore-ocp/tas-installer/internal/install"
 	"securesign/sigstore-ocp/tas-installer/pkg/certs"
+	"securesign/sigstore-ocp/tas-installer/pkg/oidc"
 	"securesign/sigstore-ocp/tas-installer/pkg/secrets"
 
 	"github.com/spf13/cobra"
@@ -19,6 +20,7 @@ const (
 var (
 	helmChartVersion string
 	helmValuesFile   string
+	oidcConfig       oidc.OIDCConfig
 )
 
 var installCmd = &cobra.Command{
@@ -68,7 +70,7 @@ func installTas(tasNamespace string) error {
 		},
 		func() error {
 			log.Print("installing helm chart")
-			if err := install.HandleHelmChartInstall(kc, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion); err != nil {
+			if err := install.HandleHelmChartInstall(kc, oidcConfig, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion); err != nil {
 				return err
 			}
 			return nil
@@ -85,6 +87,9 @@ func installTas(tasNamespace string) error {
 func init() {
 	installCmd.PersistentFlags().StringVar(&helmChartVersion, "chartVersion", "0.1.26", "Version of the Helm chart")
 	installCmd.PersistentFlags().StringVar(&helmValuesFile, "valuesFile", "", "Custom values file for chart configuration")
+	installCmd.PersistentFlags().StringVar(&oidcConfig.IssuerURL, "oidc-issuer-url", "", "Specify the OIDC issuer URL e.g for keycloak: https://[keycloak-domain]/auth/realms/[realm-name]")
+	installCmd.PersistentFlags().StringVar(&oidcConfig.ClientID, "oidc-client-id", "", "Specify the OIDC client ID")
+	installCmd.PersistentFlags().StringVar(&oidcConfig.Type, "oidc-type", "", "Specify the OIDC type")
 }
 
 func getFulcioSecretFiles() map[string]string {

tas-installer/internal/install/install.go

@@ -7,13 +7,14 @@ import (
 	"securesign/sigstore-ocp/tas-installer/pkg/certs"
 	"securesign/sigstore-ocp/tas-installer/pkg/helm"
 	"securesign/sigstore-ocp/tas-installer/pkg/kubernetes"
+	"securesign/sigstore-ocp/tas-installer/pkg/oidc"
 	"securesign/sigstore-ocp/tas-installer/pkg/secrets"
 	"securesign/sigstore-ocp/tas-installer/ui"
 	"time"
 )
 
-func HandleHelmChartInstall(kc *kubernetes.KubernetesClient, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion string) error {
-	if err := helm.InstallTrustedArtifactSigner(kc, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion); err != nil {
+func HandleHelmChartInstall(kc *kubernetes.KubernetesClient, oidcConfig oidc.OIDCConfig, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion string) error {
+	if err := helm.InstallTrustedArtifactSigner(kc, oidcConfig, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion); err != nil {
 		return err
 	}
 	return nil

tas-installer/pkg/helm/helm.go

@@ -2,10 +2,10 @@ package helm
 
 import (
 	"embed"
-	"io/ioutil"
 	"log"
 	"os"
 	"securesign/sigstore-ocp/tas-installer/pkg/kubernetes"
+	"securesign/sigstore-ocp/tas-installer/pkg/oidc"
 	"text/template"
 
 	"gopkg.in/yaml.v3"
@@ -26,6 +26,7 @@ var (
 
 type templatedValues struct {
 	OpenShiftAppsSubdomain string
+	OIDCconfig             oidc.OIDCConfig
 }
 
 func UninstallTrustedArtifactSigner(tasNamespace, tasReleaseName string) (*release.UninstallReleaseResponse, error) {
@@ -36,11 +37,12 @@ func UninstallTrustedArtifactSigner(tasNamespace, tasReleaseName string) (*relea
 	return action.NewUninstall(actionConfig).Run(tasReleaseName)
 }
 
-func InstallTrustedArtifactSigner(kc *kubernetes.KubernetesClient, tasNamespace, tasReleaseName, pathToValuesFile, chartVersion string) error {
-	chartUrl := "oci://quay.io/redhat-user-workloads/arewm-tenant/sigstore-ocp/trusted-artifact-signer"
+func InstallTrustedArtifactSigner(kc *kubernetes.KubernetesClient, oidcConfig oidc.OIDCConfig, tasNamespace, tasReleaseName, pathToValuesFile, chartVersion string) error {
+	chartUrl := "charts/trusted-artifact-signer"
 
 	tv := templatedValues{
 		OpenShiftAppsSubdomain: kc.ClusterCommonName,
+		OIDCconfig:             oidcConfig,
 	}
 
 	tmpl, err := template.ParseFS(templateFS, templateValuesFile)
@@ -54,7 +56,7 @@ func InstallTrustedArtifactSigner(kc *kubernetes.KubernetesClient, tasNamespace,
 		}
 	} else {
 		// if no values passed, use the default templated values
-		tmpFile, err := ioutil.TempFile("", "values-*.yaml")
+		tmpFile, err := os.CreateTemp("", "values-*.yaml")
 		if err != nil {
 			return err
 		}

tas-installer/pkg/helm/values-openshift.tmpl

@@ -24,10 +24,17 @@ scaffold:
     config:
       contents:
         OIDCIssuers:
-          ? https://oauth2.sigstore.dev/auth
-          : IssuerURL: https://oauth2.sigstore.dev/auth
-            ClientID: sigstore
-            Type: email
+          {{- if .OIDCconfig.IssuerURL }}
+          {{ .OIDCconfig.IssuerURL }}:
+            IssuerURL: "{{ .OIDCconfig.IssuerURL }}"
+            ClientID: "{{ if .OIDCconfig.ClientID }}{{ .OIDCconfig.ClientID }}{{ else }}sigstore{{ end }}"
+            Type: "{{ if .OIDCconfig.Type }}{{ .OIDCconfig.Type }}{{ else }}email{{ end }}"
+          {{- else }}
+          "https://oauth2.sigstore.dev/auth":
+            IssuerURL: "https://oauth2.sigstore.dev/auth"
+            ClientID: "sigstore"
+            Type: "email"
+          {{- end }}
   rekor:
     server:
       ingress:

tas-installer/pkg/oidc/type.go

@@ -0,0 +1,8 @@
+package oidc
+
+// defines the type for the OIDC provider
+type OIDCConfig struct {
+	IssuerURL string
+	ClientID  string
+	Type      string
+}