Add oidc to harbor

2026-04-12 23:14:45 +03:00 · 2026-04-12 23:14:45 +03:00 · 66f77d3fb6
commit 66f77d3fb6
parent fdeebee9f4
6 changed files with 15 additions and 131 deletions
--- a/application-template.yaml
+++ b/application-template.yaml
@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: application-template
-  namespace: argocd
-spec:
-  project: dev-tools
-  source:
-    repoURL: 'ssh://git@gitea-ssh.dev-tools.svc.cluster.local:2222/dvirlabs/dev-tools.git'
-    targetRevision: HEAD
-    path: charts/application-template
-    helm:
-      valueFiles:
-        - ../../manifests/application-template/values.yaml
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: dev-tools
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
--- a/argocd-apps/oidc-bootstrap.yaml
+++ b/argocd-apps/oidc-bootstrap.yaml
@ -1,17 +0,0 @@
-# apiVersion: argoproj.io/v1alpha1
-# kind: Application
-# metadata:
-#   name: oidc-bootstrap-dev-tools
-#   namespace: argocd
-# spec:
-#   project: dev-tools
-#   source:
-#     repoURL: ssh://git@gitea-ssh.dev-tools.svc.cluster.local:2222/dvirlabs/dev-tools.git
-#     targetRevision: HEAD
-#     path: manifests/oidc-bootstrap
-#     directory:
-#       recurse: true
-#   destination:
-#     server: https://kubernetes.default.svc
-#     namespace: dev-tools
-#   syncPolicy: {}
--- a/letsencrypt-staging-issuer.yaml
+++ b/letsencrypt-staging-issuer.yaml
@ -1,17 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-staging
-spec:
-  acme:
-    # Let's Encrypt Staging server - no rate limits for testing
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    email: dvirlabs@gmail.com
-    privateKeySecretRef:
-      name: letsencrypt-staging-account-key
-    solvers:
-    - dns01:
-        cloudflare:
-          apiTokenSecretRef:
-            key: api-token
-            name: cloudflare-api-token
--- a/manifests/harbor/values.yaml
+++ b/manifests/harbor/values.yaml
@ -17,6 +17,21 @@ externalURL: https://harbor.dvirlabs.com

 harborAdminPassword: "Harbor12345"

+core:
+  configureUserSettings: |
+    {
+      "auth_mode": "oidc_auth",
+      "oidc_name": "keycloak",
+      "oidc_endpoint": "https://keycloak.dvirlabs.com/realms/lab",
+      "oidc_client_id": "harbor",
+      "oidc_client_secret": "XWYmXRJufVHEXncdrVLPIeQWgyBnuq4v",
+      "oidc_scope": "openid,profile,email",
+      "oidc_verify_cert": true,
+      "oidc_auto_onboard": true,
+      "oidc_user_claim": "preferred_username",
+      "oidc_groups_claim": "groups"
+    }
+
 notary:
  enabled: false

--- a/manifests/oidc-bootstrap/harbor/harbor-add-project-admins.yaml
+++ b/manifests/oidc-bootstrap/harbor/harbor-add-project-admins.yaml
@ -1,41 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: harbor-add-project-admins
-  namespace: dev-tools
-spec:
-  template:
-    spec:
-      restartPolicy: OnFailure
-      containers:
-        - name: apply-group
-          image: curlimages/curl
-          command:
-            - /bin/sh
-            - -c
-            - |
-              apk add --no-cache jq
-
-              echo "📡 Fetching Harbor projects..."
-              projects=$(curl -sk -u admin:SuperSecurePassword123 https://harbor.dvirlabs.com/api/v2.0/projects | jq -r '.[].name')
-
-              for project in $projects; do
-                echo "🔍 Checking if 'project-admins' group is already in project: $project"
-                existing=$(curl -sk -u admin:SuperSecurePassword123 https://harbor.dvirlabs.com/api/v2.0/projects/$project/members | jq -r '.[] | select(.member_group.group_name=="project-admins") | .id')
-
-                if [ -z "$existing" ]; then
-                  echo "➕ Adding group 'project-admins' to project $project as Project Admin..."
-                  curl -sk -u admin:SuperSecurePassword123 \
-                    -X POST https://harbor.dvirlabs.com/api/v2.0/projects/$project/members \
-                    -H "Content-Type: application/json" \
-                    -d '{
-                      "role_id": 1,
-                      "member_group": {
-                        "group_name": "project-admins",
-                        "group_type": 1
-                      }
-                    }'
-                else
-                  echo "✅ Group already exists in project $project, skipping."
-                fi
-              done
--- a/manifests/oidc-bootstrap/harbor/harbor-oidc.yaml
+++ b/manifests/oidc-bootstrap/harbor/harbor-oidc.yaml
@ -1,35 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: harbor-oidc-setup
-  namespace: dev-tools
-spec:
-  template:
-    spec:
-      restartPolicy: OnFailure
-      containers:
-        - name: setup
-          image: curlimages/curl:latest
-          command:
-            - /bin/sh
-            - -c
-            - |
-              echo "Waiting for Harbor..."
-              until curl -k -s https://harbor.dvirlabs.com/api/v2.0/ping; do sleep 5; done
-
-              echo "Applying OIDC settings..."
-              curl -k -u admin:SuperSecurePassword123 \
-                -X PUT https://harbor.dvirlabs.com/api/v2.0/configurations \
-                -H "Content-Type: application/json" \
-                -d '{
-                  "auth_mode": "oidc_auth",
-                  "oidc_name": "keycloak",
-                  "oidc_endpoint": "https://keycloak.dvirlabs.com/realms/lab",
-                  "oidc_client_id": "harbor",
-                  "oidc_client_secret": "XWYmXRJufVHEXncdrVLPIeQWgyBnuq4v",
-                  "oidc_scope": "openid,profile,email",
-                  "oidc_verify_cert": false,
-                  "oidc_auto_onboard": true,
-                  "oidc_user_claim": "preferred_username",
-                  "oidc_groups_claim": "groups"
-                }'