From 66f77d3fb6b0ed42081e52b2a9f01173b1cc2d68 Mon Sep 17 00:00:00 2001 From: dvirlabs Date: Sun, 12 Apr 2026 23:14:45 +0300 Subject: [PATCH] Add oidc to harbor --- application-template.yaml | 21 ---------- argocd-apps/oidc-bootstrap.yaml | 17 -------- letsencrypt-staging-issuer.yaml | 17 -------- manifests/harbor/values.yaml | 15 +++++++ .../harbor/harbor-add-project-admins.yaml | 41 ------------------- .../oidc-bootstrap/harbor/harbor-oidc.yaml | 35 ---------------- 6 files changed, 15 insertions(+), 131 deletions(-) delete mode 100644 application-template.yaml delete mode 100644 argocd-apps/oidc-bootstrap.yaml delete mode 100644 letsencrypt-staging-issuer.yaml delete mode 100644 manifests/oidc-bootstrap/harbor/harbor-add-project-admins.yaml delete mode 100644 manifests/oidc-bootstrap/harbor/harbor-oidc.yaml diff --git a/application-template.yaml b/application-template.yaml deleted file mode 100644 index 27ac699..0000000 --- a/application-template.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: application-template - namespace: argocd -spec: - project: dev-tools - source: - repoURL: 'ssh://git@gitea-ssh.dev-tools.svc.cluster.local:2222/dvirlabs/dev-tools.git' - targetRevision: HEAD - path: charts/application-template - helm: - valueFiles: - - ../../manifests/application-template/values.yaml - destination: - server: https://kubernetes.default.svc - namespace: dev-tools - syncPolicy: - automated: - prune: true - selfHeal: true diff --git a/argocd-apps/oidc-bootstrap.yaml b/argocd-apps/oidc-bootstrap.yaml deleted file mode 100644 index a591021..0000000 --- a/argocd-apps/oidc-bootstrap.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -# apiVersion: argoproj.io/v1alpha1 -# kind: Application -# metadata: -# name: oidc-bootstrap-dev-tools -# namespace: argocd -# spec: -# project: dev-tools -# source: -# repoURL: ssh://git@gitea-ssh.dev-tools.svc.cluster.local:2222/dvirlabs/dev-tools.git -# targetRevision: HEAD -# path: manifests/oidc-bootstrap -# directory: -# recurse: true -# destination: -# server: https://kubernetes.default.svc -# namespace: dev-tools -# syncPolicy: {} diff --git a/letsencrypt-staging-issuer.yaml b/letsencrypt-staging-issuer.yaml deleted file mode 100644 index 9d14da0..0000000 --- a/letsencrypt-staging-issuer.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-staging -spec: - acme: - # Let's Encrypt Staging server - no rate limits for testing - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: dvirlabs@gmail.com - privateKeySecretRef: - name: letsencrypt-staging-account-key - solvers: - - dns01: - cloudflare: - apiTokenSecretRef: - key: api-token - name: cloudflare-api-token diff --git a/manifests/harbor/values.yaml b/manifests/harbor/values.yaml index fd51218..057cb64 100644 --- a/manifests/harbor/values.yaml +++ b/manifests/harbor/values.yaml @@ -17,6 +17,21 @@ externalURL: https://harbor.dvirlabs.com harborAdminPassword: "Harbor12345" +core: + configureUserSettings: | + { + "auth_mode": "oidc_auth", + "oidc_name": "keycloak", + "oidc_endpoint": "https://keycloak.dvirlabs.com/realms/lab", + "oidc_client_id": "harbor", + "oidc_client_secret": "XWYmXRJufVHEXncdrVLPIeQWgyBnuq4v", + "oidc_scope": "openid,profile,email", + "oidc_verify_cert": true, + "oidc_auto_onboard": true, + "oidc_user_claim": "preferred_username", + "oidc_groups_claim": "groups" + } + notary: enabled: false diff --git a/manifests/oidc-bootstrap/harbor/harbor-add-project-admins.yaml b/manifests/oidc-bootstrap/harbor/harbor-add-project-admins.yaml deleted file mode 100644 index 95a8ecf..0000000 
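Review bot: The new `core.configureUserSettings` block in manifests/harbor/values.yaml commits the Keycloak `oidc_client_secret` in plaintext next to the already-present `harborAdminPassword`, and the identical value sat in the harbor-oidc.yaml Job this commit deletes, so moving it between files leaves it in git history either way. Treat that client secret as exposed and rotate it in Keycloak, then keep the replacement out of the repo by injecting it at render time from a Kubernetes Secret (sealed/external secret, or whatever secret-injection mechanism the Argo CD setup uses) rather than inlining it in the JSON string, with `# oidc_client_secret is injected from a Secret at render time; never commit the literal value` above the key. Flipping `oidc_verify_cert` from `false` in the removed Job to `true` here is the right direction and should stay. The `harborAdminPassword: "Harbor12345"` context line has the same problem but is untouched by this commit.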
--- a/manifests/oidc-bootstrap/harbor/harbor-add-project-admins.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: harbor-add-project-admins - namespace: dev-tools -spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: apply-group - image: curlimages/curl - command: - - /bin/sh - - -c - - | - apk add --no-cache jq - - echo "📡 Fetching Harbor projects..." - projects=$(curl -sk -u admin:SuperSecurePassword123 https://harbor.dvirlabs.com/api/v2.0/projects | jq -r '.[].name') - - for project in $projects; do - echo "🔍 Checking if 'project-admins' group is already in project: $project" - existing=$(curl -sk -u admin:SuperSecurePassword123 https://harbor.dvirlabs.com/api/v2.0/projects/$project/members | jq -r '.[] | select(.member_group.group_name=="project-admins") | .id') - - if [ -z "$existing" ]; then - echo "➕ Adding group 'project-admins' to project $project as Project Admin..." - curl -sk -u admin:SuperSecurePassword123 \ - -X POST https://harbor.dvirlabs.com/api/v2.0/projects/$project/members \ - -H "Content-Type: application/json" \ - -d '{ - "role_id": 1, - "member_group": { - "group_name": "project-admins", - "group_type": 1 - } - }' - else - echo "✅ Group already exists in project $project, skipping." - fi - done diff --git a/manifests/oidc-bootstrap/harbor/harbor-oidc.yaml b/manifests/oidc-bootstrap/harbor/harbor-oidc.yaml deleted file mode 100644 index d6d7782..0000000 --- a/manifests/oidc-bootstrap/harbor/harbor-oidc.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: harbor-oidc-setup - namespace: dev-tools -spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: setup - image: curlimages/curl:latest - command: - - /bin/sh - - -c - - | - echo "Waiting for Harbor..." - until curl -k -s https://harbor.dvirlabs.com/api/v2.0/ping; do sleep 5; done - - echo "Applying OIDC settings..." - curl -k -u admin:SuperSecurePassword123 \ - -X PUT https://harbor.dvirlabs.com/api/v2.0/configurations \ - -H "Content-Type: application/json" \ - -d '{ - "auth_mode": "oidc_auth", - "oidc_name": "keycloak", - "oidc_endpoint": "https://keycloak.dvirlabs.com/realms/lab", - "oidc_client_id": "harbor", - "oidc_client_secret": "XWYmXRJufVHEXncdrVLPIeQWgyBnuq4v", - "oidc_scope": "openid,profile,email", - "oidc_verify_cert": false, - "oidc_auto_onboard": true, - "oidc_user_claim": "preferred_username", - "oidc_groups_claim": "groups" - }'