templates/composer: Verify against mass sso and rh sso
This commit is contained in:
parent
91d9417f5a
commit
b05723a37e
6 changed files with 13 additions and 15 deletions
@ -221,9 +221,6 @@ func (c *Composer) Start() error {
var err error
var err error
if c.config.Worker.EnableJWT {
if c.config.Worker.EnableJWT {
keysURLs := c.config.Worker.JWTKeysURLs
keysURLs := c.config.Worker.JWTKeysURLs
if c.config.Worker.JWTKeysURL != "" {
keysURLs = append(keysURLs, c.config.Worker.JWTKeysURL)
}
handler, err = auth.BuildJWTAuthHandler(
handler, err = auth.BuildJWTAuthHandler(
keysURLs,
keysURLs,
c.config.Worker.JWTKeysCA,
c.config.Worker.JWTKeysCA,
@ -270,9 +267,6 @@ func (c *Composer) Start() error {
var err error
var err error
if c.config.Koji.EnableJWT {
if c.config.Koji.EnableJWT {
keysURLs := c.config.Koji.JWTKeysURLs
keysURLs := c.config.Koji.JWTKeysURLs
if c.config.Koji.JWTKeysURL != "" {
keysURLs = append(keysURLs, c.config.Koji.JWTKeysURL)
}
handler, err = auth.BuildJWTAuthHandler(
handler, err = auth.BuildJWTAuthHandler(
keysURLs,
keysURLs,
c.config.Koji.JWTKeysCA,
c.config.Koji.JWTKeysCA,
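Review bot: With the single-URL fallback removed, nothing in either hunk rejects an empty `keysURLs` while `EnableJWT` is set, so a deployment whose config still uses the old `jwt_keys_url` key (silently dropped unless the TOML decoder is strict, which is not visible here) would enable JWT with no trusted signing keys, and how `auth.BuildJWTAuthHandler` treats an empty list is not visible either. A guard before each call, `if len(keysURLs) == 0 { return fmt.Errorf("worker api: enable_jwt is set but jwt_keys_urls is empty") }` (and the koji equivalent below, using the file's existing error style), turns that misconfiguration into a clear startup failure. Since the local `keysURLs` now only aliases the config field, it could also be passed directly in the call. Start() begins and ends outside both hunks.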
@ -24,7 +24,6 @@ type KojiAPIConfig struct {
EnableTLS bool `toml:"enable_tls"`
EnableTLS bool `toml:"enable_tls"`
EnableMTLS bool `toml:"enable_mtls"`
EnableMTLS bool `toml:"enable_mtls"`
EnableJWT bool `toml:"enable_jwt"`
EnableJWT bool `toml:"enable_jwt"`
JWTKeysURL string `toml:"jwt_keys_url"`
JWTKeysURLs []string `toml:"jwt_keys_urls"`
JWTKeysURLs []string `toml:"jwt_keys_urls"`
JWTKeysCA string `toml:"jwt_ca_file"`
JWTKeysCA string `toml:"jwt_ca_file"`
JWTACLFile string `toml:"jwt_acl_file"`
JWTACLFile string `toml:"jwt_acl_file"`
@ -51,7 +50,6 @@ type WorkerAPIConfig struct {
EnableTLS bool `toml:"enable_tls"`
EnableTLS bool `toml:"enable_tls"`
EnableMTLS bool `toml:"enable_mtls"`
EnableMTLS bool `toml:"enable_mtls"`
EnableJWT bool `toml:"enable_jwt"`
EnableJWT bool `toml:"enable_jwt"`
JWTKeysURL string `toml:"jwt_keys_url"`
JWTKeysURLs []string `toml:"jwt_keys_urls"`
JWTKeysURLs []string `toml:"jwt_keys_urls"`
JWTKeysCA string `toml:"jwt_ca_file"`
JWTKeysCA string `toml:"jwt_ca_file"`
JWTACLFile string `toml:"jwt_acl_file"`
JWTACLFile string `toml:"jwt_acl_file"`
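Review bot: The `JWTKeysURLs` field in both structs is left without a doc comment now that it is the only key source; add `// JWTKeysURLs lists the JWKS endpoints whose signing keys are all accepted; replaces the former single jwt_keys_url key.` above each. Unless the TOML decoder rejects unknown keys (not visible in these hunks), a config file that still sets `jwt_keys_url` now decodes with a nil `JWTKeysURLs` and no error, which makes the rename a silent breaking change for existing deployments; keeping a deprecated field tagged `toml:"jwt_keys_url"` that is either merged into the list or rejected at load time would surface that explicitly. The same applies to the `KojiAPIConfig` hunk above. Both struct definitions extend outside the hunks.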
@ -86,7 +86,7 @@ func TestConfig(t *testing.T) {
require.Equal(t, "composer-db", config.Worker.PGDatabase)
require.Equal(t, "composer-db", config.Worker.PGDatabase)
require.False(t, config.Koji.EnableJWT)
require.False(t, config.Koji.EnableJWT)
require.Equal(t, "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs", config.Koji.JWTKeysURL)
require.Equal(t, []string{"https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs"}, config.Koji.JWTKeysURLs)
require.Equal(t, "", config.Koji.JWTKeysCA)
require.Equal(t, "", config.Koji.JWTKeysCA)
require.Equal(t, "/var/lib/osbuild-composer/acl", config.Koji.JWTACLFile)
require.Equal(t, "/var/lib/osbuild-composer/acl", config.Koji.JWTACLFile)
}
}
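Review bot: The updated assertion only pins a single-element `jwt_keys_urls`, so it exercises none of the multi-provider behaviour this commit introduces. Add a fixture (or a second case in `TestConfig`) where the list holds two entries and assert the full slice, and one where the old `jwt_keys_url` key is still present, asserting whatever the loader is meant to do with it, so the rename's effect on existing configs is fixed by a test rather than left to the decoder's default. TestConfig starts outside the hunk.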
2
cmd/osbuild-composer/testdata/test.toml
@ -2,7 +2,7 @@
allowed_domains = [ "osbuild.org" ]
allowed_domains = [ "osbuild.org" ]
ca = "/etc/osbuild-composer/ca-crt.pem"
ca = "/etc/osbuild-composer/ca-crt.pem"
enable_jwt = false
enable_jwt = false
jwt_keys_url = "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs"
jwt_keys_urls = ["https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs"]
jwt_acl_file = "/var/lib/osbuild-composer/acl"
jwt_acl_file = "/var/lib/osbuild-composer/acl"
[worker]
[worker]
@ -201,13 +201,15 @@ objects:
acl.yml: |
acl.yml: |
- claim: user_id
- claim: user_id
pattern: ^(54629121|54629180|54597799|54676085)$
pattern: ^(54629121|54629180|54597799|54676085)$
- claim: rh-org-id
pattern: ^(13826359)$
osbuild-composer.toml: |
osbuild-composer.toml: |
log_level = "info"
log_level = "info"
[koji]
[koji]
enable_tls = false
enable_tls = false
enable_mtls = false
enable_mtls = false
enable_jwt = true
enable_jwt = true
jwt_keys_url = "${SSO_BASE_URL}/protocol/openid-connect/certs"
jwt_keys_urls = ["${RH_SSO_BASE_URL}/protocol/openid-connect/certs", "${MAS_SSO_BASE_URL}/protocol/openid-connect/certs"]
jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml"
jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml"
[koji.aws_config]
[koji.aws_config]
bucket = "imagebuilder.service.staging"
bucket = "imagebuilder.service.staging"
@ -218,7 +220,7 @@ objects:
enable_tls = false
enable_tls = false
enable_mtls = false
enable_mtls = false
enable_jwt = true
enable_jwt = true
jwt_keys_url = "${SSO_BASE_URL}/protocol/openid-connect/certs"
jwt_keys_urls = ["${RH_SSO_BASE_URL}/protocol/openid-connect/certs", "${MAS_SSO_BASE_URL}/protocol/openid-connect/certs"]
jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml"
jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml"
- apiVersion: batch/v1
- apiVersion: batch/v1
@ -328,9 +330,13 @@ parameters:
name: PGMAXCONNS
name: PGMAXCONNS
value: "20"
value: "20"
- description: base sso url
- description: base sso url
name: SSO_BASE_URL
name: RH_SSO_BASE_URL
required: true
required: true
value: "https://sso.redhat.com/auth/realms/redhat-external"
value: "https://sso.redhat.com/auth/realms/redhat-external"
- description: base sso url
name: MAS_SSO_BASE_URL
required: true
value: "https://identity.api.openshift.com/auth/realms/rhoas"
- description: base sso url
- description: base sso url
name: COMPOSER_CONFIG_DIR
name: COMPOSER_CONFIG_DIR
required: true
required: true
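Review bot: Listing both the `${RH_SSO_BASE_URL}` and `${MAS_SSO_BASE_URL}` JWKS endpoints means a token signed by either identity provider is accepted on the koji and worker APIs, and unless the handler also checks the `iss` claim (not visible here) the `acl.yml` patterns are the only thing tying a request to the intended provider; the new `rh-org-id` entry sits next to the `user_id` one without saying whether the entries are alternatives or all required, so a comment in the ConfigMap stating which it is (confirmed against the ACL loader) would make the effective policy auditable. The new `MAS_SSO_BASE_URL` parameter copies the `base sso url` description from the RH one; `description: base MAS SSO url` (and `base RH SSO url` for the existing parameter) tells operators which is which. The objects and parameters lists extend beyond the hunks shown.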
@ -1262,7 +1262,7 @@ cat <<EOF | sudo tee "/etc/osbuild-composer/osbuild-composer.toml"
enable_tls = false
enable_tls = false
enable_mtls = false
enable_mtls = false
enable_jwt = true
enable_jwt = true
jwt_keys_url = "https://localhost:8080/certs"
jwt_keys_urls = ["https://localhost:8080/certs"]
jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
jwt_acl_file = ""
jwt_acl_file = ""
[worker]
[worker]
@ -1276,7 +1276,7 @@ pg_ssl_mode = "disable"
enable_tls = true
enable_tls = true
enable_mtls = false
enable_mtls = false
enable_jwt = true
enable_jwt = true
jwt_keys_url = "https://localhost:8080/certs"
jwt_keys_urls = ["https://localhost:8080/certs"]
jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
EOF
EOF