RHTPA: Microsoft Entra ID OIDC integration

charts/rhtpa-operator/files/trustedprofileanalyzer-template.yaml

@@ -15,7 +15,8 @@
     spec:
       appDomain: "APP_DOMAIN"
       TLS_CONFIG
-      OIDC_CONFIG
+OIDC_CONFIG
+AUTHENTICATOR_CONFIG
       createDatabase:
         name: DATABASE_NAME
         username: rhtpa
@@ -25,7 +26,7 @@
               name: rhtpa-db-secret
               key: password
       migrateDatabase: {}
-      MODULES_CONFIG
+MODULES_CONFIG
       SIGSTORE_CONFIG
       database:
         host: rhtpa-db.RHTPA_NAMESPACE.svc.cluster.local

charts/rhtpa-operator/templates/_helpers.tpl

@@ -49,12 +49,91 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
-Generate the Keycloak OIDC Issuer URL
-This evaluates any template variables (like {{ $.Values.global.clusterDomain }})
-and appends the realm name.
+Generate the URL of the OIDC service
 */}}
-{{- define "rhtpa-operator.keycloakOIDCIssuer" -}}
-{{- $keycloakUrl := tpl .Values.rhtpa.zeroTrust.keycloak.url . -}}
-{{- printf "%s/realms/%s" $keycloakUrl .Values.rhtpa.zeroTrust.keycloak.realm -}}
+{{- define "rhtpa-operator.oidc.url" -}}
+{{- if not .Values.rhtpa.zeroTrust.oidc.authServerUrl }}
+{{- printf "https://keycloak.%s/realms/%s" .Values.global.localClusterDomain .Values.rhtpa.zeroTrust.oidc.realm -}}
+{{- else }}
+{{- printf "%s" .Values.rhtpa.zeroTrust.oidc.authServerUrl -}}
+{{- end }}
+{{- end }}
+
+{{/*
+Generate the OIDC configuration
+*/}}
+{{- define "rhtpa-operator.oidc.config" -}}
+oidc:
+  issuerUrl: {{ include "rhtpa-operator.oidc.url" . }}
+{{- if ne .Values.rhtpa.zeroTrust.oidc.clients.cli.apiId "" }}
+  uiScope: >-
+    openid profile email offline_access
+    api://{{ .Values.rhtpa.zeroTrust.oidc.clients.cli.apiId }}/create:document
+    api://{{ .Values.rhtpa.zeroTrust.oidc.clients.cli.apiId }}/read:document
+    api://{{ .Values.rhtpa.zeroTrust.oidc.clients.cli.apiId }}/update:document
+    api://{{ .Values.rhtpa.zeroTrust.oidc.clients.cli.apiId }}/delete:document
+  loadUser: false
+{{- end }}
+  clients:
+    frontend:
+      clientId: {{ .Values.rhtpa.zeroTrust.oidc.clients.frontend.clientId }}
+    cli:
+      clientId: {{ .Values.rhtpa.zeroTrust.oidc.clients.cli.clientId }}
+      clientSecret:
+        valueFrom:
+          secretKeyRef:
+            name: {{ .Values.rhtpa.zeroTrust.oidc.clients.cli.secretName }}
+            key: client-secret
+{{- end }}
+
+{{/*
+Generate the authenticator configuration
+*/}}
+{{- define "rhtpa-operator.authenticator.config" -}}
+{{- if ne .Values.rhtpa.zeroTrust.oidc.clients.cli.apiId "" }}
+authenticator:
+  configMapRef:
+    name: server-entra-auth
+    key: auth.yaml
+{{- end }}
 {{- end }}
 
+{{/*
+Generate the modules configuration
+*/}}
+{{- define "rhtpa-operator.modules.config" -}}
+modules:
+  migrateDatabase:
+    enabled: true
+  createDatabase:
+    enabled: {{ .Values.rhtpa.modules.createDatabase.enabled | default true }}
+  createImporters:
+    enabled: {{ .Values.rhtpa.modules.createImporters.enabled | default true }}
+    importers:
+{{- if .Values.rhtpa.modules.createImporters.importers }}
+{{- toYaml .Values.rhtpa.modules.createImporters.importers | nindent 6 }}
+{{- end }}
+  importer:
+    replicas: {{ .Values.rhtpa.modules.importer.replicas | default 1 | int }}
+    resources:
+      requests:
+        cpu: {{ .Values.rhtpa.modules.importer.resources.requests.cpu | default 0.5 | toString | quote }}
+        memory: {{ .Values.rhtpa.modules.importer.resources.requests.memory | default "4Gi" | toString }}
+    enabled: true
+  server:
+    replicas: {{ .Values.rhtpa.modules.server.replicas | default 1 | int }}
+    resources:
+      requests:
+        cpu: {{ .Values.rhtpa.modules.server.resources.requests.cpu | default 0.5 | toString | quote }}
+        memory: {{ .Values.rhtpa.modules.server.resources.requests.memory | default "4Gi" | toString }}
+    enabled: true
+{{- if or (ne .Values.rhtpa.modules.server.rust.logFilter "info") .Values.rhtpa.modules.server.rust.backtrace }}
+    rust:
+{{- if ne .Values.rhtpa.modules.server.rust.logFilter "info" }}
+      logFilter: {{ .Values.rhtpa.modules.server.rust.logFilter }}
+{{- end }}
+{{- if .Values.rhtpa.modules.server.rust.backtrace }}
+      backtrace: {{ .Values.rhtpa.modules.server.rust.backtrace }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/rhtpa-operator/templates/auth-config.yaml

@@ -0,0 +1,98 @@
+{{- if and (eq .Values.rhtpa.zeroTrust.oidc.enabled true) (ne .Values.rhtpa.zeroTrust.oidc.clients.cli.apiId "") }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: server-entra-auth
+  namespace: {{ .Release.Namespace }}
+data:
+  auth.yaml: |
+    authentication:
+      clients:
+        # Microsoft Entra ID Frontend Client (for user sign-in)
+        - clientId: {{ .Values.rhtpa.zeroTrust.oidc.clients.frontend.clientId }}
+          issuerUrl: {{ .Values.rhtpa.zeroTrust.oidc.authServerUrl }}
+          requiredAudience: {{ .Values.rhtpa.zeroTrust.oidc.clients.cli.apiId }}
+          scopeMappings:
+            "read:document":
+              - "ai"
+              - "read.sbom"
+              - "read.advisory"
+              - "read.importer"
+              - "read.metadata"
+              - "read.sbomGroup"
+              - "read.weakness"
+              - "read.systemInformation"
+            "create:document":
+              - "create.sbom"
+              - "create.advisory"
+              - "create.importer"
+              - "create.metadata"
+              - "create.sbomGroup"
+              - "create.weakness"
+              - "update.sbom"
+              - "update.advisory"
+              - "update.importer"
+              - "update.metadata"
+              - "update.sbomGroup"
+              - "update.weakness"
+              - "upload.dataset"
+            "update:document":
+              - "update.sbom"
+              - "update.advisory"
+              - "update.importer"
+              - "update.metadata"
+              - "update.sbomGroup"
+              - "update.weakness"
+            "delete:document":
+              - "delete.sbom"
+              - "delete.advisory"
+              - "delete.importer"
+              - "delete.metadata"
+              - "delete.sbomGroup"
+              - "delete.vulnerability"
+              - "delete.weakness"
+        # Microsoft Entra ID CLI/API Client (for client credentials)
+        - clientId: {{ .Values.rhtpa.zeroTrust.oidc.clients.cli.clientId }}
+          issuerUrl: {{ .Values.rhtpa.zeroTrust.oidc.authServerUrl }}
+          requiredAudience: {{ .Values.rhtpa.zeroTrust.oidc.clients.cli.apiId }}
+          scopeSelector: "$['scope','scp','roles']"
+          scopeMappings:
+            "App.Read.Document":
+              - "ai"
+              - "read.sbom"
+              - "read.advisory"
+              - "read.importer"
+              - "read.metadata"
+              - "read.sbomGroup"
+              - "read.weakness"
+              - "read.systemInformation"
+            "App.Create.Document":
+              - "create.sbom"
+              - "create.advisory"
+              - "create.importer"
+              - "create.metadata"
+              - "create.sbomGroup"
+              - "create.weakness"
+              - "update.sbom"
+              - "update.advisory"
+              - "update.importer"
+              - "update.metadata"
+              - "update.sbomGroup"
+              - "update.weakness"
+              - "upload.dataset"
+            "App.Update.Document":
+              - "update.sbom"
+              - "update.advisory"
+              - "update.importer"
+              - "update.metadata"
+              - "update.sbomGroup"
+              - "update.weakness"
+            "App.Delete.Document":
+              - "delete.sbom"
+              - "delete.advisory"
+              - "delete.importer"
+              - "delete.metadata"
+              - "delete.sbomGroup"
+              - "delete.vulnerability"
+              - "delete.weakness"
+{{- end }}

charts/rhtpa-operator/templates/oidc-cli-secret.yaml

@@ -1,9 +1,9 @@
-{{- if .Values.rhtpa.zeroTrust.keycloak.enabled }}
+{{- if .Values.rhtpa.zeroTrust.oidc.enabled }}
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: {{ .Values.rhtpa.zeroTrust.keycloak.clients.cli.secretName | default "rhtpa-oidc-cli-secret" }}
+  name: {{ .Values.rhtpa.zeroTrust.oidc.clients.cli.secretName | default "rhtpa-oidc-cli-secret" }}
   namespace: {{ .Values.rhtpa.namespace }}
   labels:
     {{- include "rhtpa-operator.labels" . | nindent 4 }}
@@ -15,12 +15,15 @@ spec:
     name: {{ .Values.global.secretStore.name }}
     kind: {{ .Values.global.secretStore.kind }}
   target:
-    name: {{ .Values.rhtpa.zeroTrust.keycloak.clients.cli.secretName | default "rhtpa-oidc-cli-secret" }}
-    creationPolicy: Owner
+    name: {{ .Values.rhtpa.zeroTrust.oidc.clients.cli.secretName | default "rhtpa-oidc-cli-secret" }}
+    template:
+      type: Opaque
+      data:
+        client-secret: "{{ `{{ .client_secret | trim }}` }}"
   data:
-  - secretKey: client-secret
+  - secretKey: client_secret
     remoteRef:
-      key: {{ .Values.rhtpa.zeroTrust.keycloak.clients.cli.secretVaultPath }}
+      key: {{ .Values.rhtpa.zeroTrust.oidc.clients.cli.secretVaultPath }}
       property: client-secret
 {{- end }}
 

charts/rhtpa-operator/templates/trusted-profile-analyzer.yaml

@@ -45,45 +45,18 @@ spec:
 {{- $template = replace "TLS_CONFIG" "" $template }}
 {{- end }}
 {{- /* OIDC Config */ -}}
-{{- if and .Values.rhtpa.zeroTrust .Values.rhtpa.zeroTrust.keycloak .Values.rhtpa.zeroTrust.keycloak.enabled }}
-{{- /* Construct Keycloak URL from global.localClusterDomain if not provided */ -}}
-{{- $keycloakUrl := .Values.rhtpa.zeroTrust.keycloak.url }}
-{{- if not $keycloakUrl }}
-{{- $keycloakUrl = printf "https://keycloak.%s" .Values.global.localClusterDomain }}
-{{- end }}
-{{- $oidcConfig := printf `oidc:
-        clients:
-          frontend:
-            clientId: %s
-            issuerUrl: %s/realms/%s
-          cli:
-            clientId: %s
-            issuerUrl: %s/realms/%s
-            clientSecret:
-              valueFrom:
-                secretKeyRef:
-                  name: %s
-                  key: client-secret` .Values.rhtpa.zeroTrust.keycloak.clients.frontend.clientId $keycloakUrl .Values.rhtpa.zeroTrust.keycloak.realm .Values.rhtpa.zeroTrust.keycloak.clients.cli.clientId $keycloakUrl .Values.rhtpa.zeroTrust.keycloak.realm .Values.rhtpa.zeroTrust.keycloak.clients.cli.secretName }}
+{{- if and .Values.rhtpa.zeroTrust .Values.rhtpa.zeroTrust.oidc .Values.rhtpa.zeroTrust.oidc.enabled }}
+{{- $oidcConfig := include "rhtpa-operator.oidc.config" . | indent 6 }}
 {{- $template = replace "OIDC_CONFIG" $oidcConfig $template }}
+{{- $authenticatorConfig := include "rhtpa-operator.authenticator.config" . | indent 6 }}
+{{- $template = replace "AUTHENTICATOR_CONFIG" $authenticatorConfig $template }}
 {{- else }}
 {{- $template = replace "OIDC_CONFIG" "" $template }}
+{{- $template = replace "AUTHENTICATOR_CONFIG" "" $template }}
 {{- end }}
 {{- /* Modules Config */ -}}
 {{- if and .Values.rhtpa.modules .Values.rhtpa.modules.createImporters .Values.rhtpa.modules.createImporters.enabled }}
-{{- $createDB := .Values.rhtpa.modules.createDatabase.enabled | default true }}
-{{- $createImporters := .Values.rhtpa.modules.createImporters.enabled | default true }}
-{{- $importerReplicas := .Values.rhtpa.modules.importer.replicas | default 1 | int }}
-{{- $importerCPU := .Values.rhtpa.modules.importer.resources.requests.cpu | default 0.5 | toString }}
-{{- $importerMemory := .Values.rhtpa.modules.importer.resources.requests.memory | default "4Gi" | toString }}
-{{- $serverReplicas := .Values.rhtpa.modules.server.replicas | default 1 | int }}
-{{- $serverCPU := .Values.rhtpa.modules.server.resources.requests.cpu | default 0.5 | toString }}
-{{- $serverMemory := .Values.rhtpa.modules.server.resources.requests.memory | default "4Gi" | toString }}
-{{- $modulesConfig := printf "modules:\n        migrateDatabase:\n          enabled: true\n        createDatabase:\n          enabled: %t\n        createImporters:\n          enabled: %t\n          importers:" $createDB $createImporters }}
-{{- if .Values.rhtpa.modules.createImporters.importers }}
-{{- $importersYaml := toYaml .Values.rhtpa.modules.createImporters.importers | nindent 12 }}
-{{- $modulesConfig = printf "%s\n%s" $modulesConfig $importersYaml }}
-{{- end }}
-{{- $modulesConfig = printf "%s\n        importer:\n          replicas: %d\n          resources:\n            requests:\n              cpu: \"%s\"\n              memory: %s\n          enabled: true\n        server:\n          replicas: %d\n          resources:\n            requests:\n              cpu: \"%s\"\n              memory: %s\n          enabled: true" $modulesConfig $importerReplicas $importerCPU $importerMemory $serverReplicas $serverCPU $serverMemory }}
+{{- $modulesConfig := include "rhtpa-operator.modules.config" . | indent 6 }}
 {{- $template = replace "MODULES_CONFIG" $modulesConfig $template }}
 {{- else }}
 {{- $template = replace "MODULES_CONFIG" "" $template }}

charts/rhtpa-operator/values.yaml

@@ -5,19 +5,19 @@
 rhtpa:
   # Enable/disable RHTPA deployment
   enabled: true
-  
+
   # TrustedProfileAnalyzer CR name
   name: "trusted-profile-analyzer"
-  
+
   # Namespace for RHTPA deployment
   namespace: trusted-profile-analyzer
-  
+
   # Route hostname prefix
   # This prefix is prepended to the cluster domain to form the route hostname
   # NOTE: Due to RHTPA operator bug, "server" is prepended to the result
   # Example: "trustify" with domain "apps.domain.com" generates: servertrustify.apps.domain.com
   routePrefix: "trustify"
-  
+
   # Zero Trust Integration
   zeroTrust:
     vault:
@@ -28,10 +28,10 @@ rhtpa:
       policy: "rhtpa-secrets"
       # RHTPA DB password path (infra)
       secretPath: "secret/data/hub/infra/rhtpa/rhtpa-db"
-    keycloak:
+    oidc:
       enabled: true
-      url: ""  # Constructed dynamically from global.localClusterDomain in templates
-      realm: "ztvp"
+      authServerUrl: ""  # Constructed dynamically from global.localClusterDomain in templates
+      realm: "ztvp"  # Used to construct the authentication URL if authServerUrl is not provided
       namespace: "keycloak-system"  # Namespace where Keycloak is deployed
       instanceName: "keycloak"  # Name of the Keycloak CR
       # User credentials - stored in infra users path
@@ -43,9 +43,10 @@ rhtpa:
         cli:
           clientId: "rhtpa-cli"  # Confidential client for RHTPA CLI/API
           secretName: "rhtpa-oidc-cli-secret"  # Kubernetes secret containing client secret
+          apiId: ""  # API client ID, used in Azure Entra ID integration
           # RHTPA OIDC CLI secret path (infra)
           secretVaultPath: "secret/data/hub/infra/rhtpa/rhtpa-oidc-cli"
-  
+
   # TLS Configuration
   tls:
     ingressCA:
@@ -126,7 +127,10 @@ rhtpa:
         limits:
           cpu: 1.0
           memory: 8Gi
-
+      rust:
+        logFilter: "info"
+        backtrace: false
+
   # PostgreSQL Database Configuration
   database:
     create: true
@@ -137,7 +141,7 @@ rhtpa:
     passwordVaultKey: "secret/data/hub/infra/rhtpa/rhtpa-db"
     storageSize: "10Gi"
     image: "registry.redhat.io/rhel8/postgresql-16"
-  
+
   # Object Storage Configuration (NooBaa MCG)
   objectStorage:
     enabled: true
@@ -147,11 +151,11 @@ rhtpa:
       name: "rhtpa-s3-storage"
       bucketName: "trustify"
       storageClass: "openshift-storage.noobaa.io"
-  
+
   # Monitoring configuration
   monitoring:
     enabled: true
-  
+
   # External access configuration
   externalAccess:
     enabled: true