feat: enable sso for neuvector (#351)

## Description Adds Keycloak client creation and SSO configuration for Neuvector. ## Related Issue Fixes #91 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed --------- Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> Co-authored-by: Micah Nagel <micah.nagel@defenseunicorns.com>
defenseunicorns · Apr 18, 2024 · 597353e · 597353e
1 parent 1153ba0
commit 597353e
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 20 deletions.
diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml
@@ -4,6 +4,25 @@ metadata:
   name: neuvector
   namespace: {{ .Release.Namespace }}
 spec:
+  sso:
+    - name: Neuvector
+      clientId: uds-core-admin-neuvector
+      redirectUris:
+        - "https://neuvector.admin.{{ .Values.domain }}/openId_auth"
+      secretName: neuvector-secret
+      secretTemplate:
+        oidcinitcfg.yaml: |-
+          always_reload: true
+          client_id: clientField(clientId)
+          client_secret: clientField(secret)
+          enable: true
+          group_claim: groups
+          issuer: https://sso.{{ .Values.domain }}/realms/uds
+          group_mapped_roles:
+            - group: /UDS Core/Admin
+              global_role: admin
+            - group: /UDS Core/Auditor
+              global_role: reader
   network:
     expose:
       - service: neuvector-service-webui
@@ -26,6 +45,12 @@ spec:
         selector:
           app: neuvector-controller-pod
 
+      # Access to SSO for OIDC
+      - direction: Egress
+        remoteGenerated: Anywhere
+        selector:
+          app: neuvector-controller-pod
+
       - direction: Egress
         remoteGenerated: KubeAPI
         selector:

diff --git a/src/neuvector/chart/values.yaml b/src/neuvector/chart/values.yaml
@@ -1,2 +1,4 @@
+domain: "###ZARF_VAR_DOMAIN###"
+
 grafana:
   enabled: false
diff --git a/src/neuvector/common/zarf.yaml b/src/neuvector/common/zarf.yaml
@@ -43,3 +43,7 @@ components:
                 name: neuvector
                 namespace: neuvector
                 condition: "'{.status.phase}'=Ready"
+          - description: Annotate Controller deployment for Neuvector SSO secret
+            cmd: |
+              SSO_CHECKSUM=$(./zarf tools kubectl get secret neuvector-secret -o json -n neuvector | sha256sum | cut -d' ' -f1)
+              ./zarf tools kubectl patch deployment neuvector-controller-pod -n neuvector -p "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"checksum/uds-sso-secret\":\"$SSO_CHECKSUM\"}}}}}"
diff --git a/src/neuvector/values/values.yaml b/src/neuvector/values/values.yaml
@@ -13,32 +13,19 @@ controller:
 
   apisvc:
     type: ClusterIP
-  secret:
+  configmap:
     enabled: true
     data:
-      oidcinitcfg.yaml:
-        always_reload: true
-        client_id: null
-        client_secret: null
-        default_role: null
-        enable: true
-        issuer: https://login.dso.mil/auth/realms/baby-yoda
-      sysinitcfg.yaml:
+      sysinitcfg.yaml: |
         always_reload: true
         no_telemetry_report: true
         scan_config:
           auto_scan: true
-      userinitcfg.yaml:
-        always_reload: true
-        users:
-          - fullname: metrics
-            password: admin
-            role: reader
-            username: metrics
-          - fullname: admin
-            password: admin
-            role: admin
-            username: admin
+  secret:
+    enabled: false
+  env:
+    - name: NO_DEFAULT_ADMIN
+      value: "1"
 
 cve:
   scanner: