IAM: Configure GitHub IdP

w-scho · w-scho · commit e0879e1b2d61 · 2026-06-09T15:39:43.000+02:00
diff --git a/argocd/eoepca/iam/parts/kustomization.yaml b/argocd/eoepca/iam/parts/kustomization.yaml
@@ -1,7 +1,5 @@
 
 resources:
-  #- app-keycloak.yaml
-  #- app-opal.yaml
   - app-iam-core.yaml
 #  - pvc-kc-database.yaml
   #- ss-kc-postgres.yaml
@@ -11,11 +9,9 @@ resources:
   # Preliminary configuration for path-based routing (to be removed later)
   - apisixroute-pathbased.yaml
   #- apisixroute-hostbased.yaml
-  # Removing this one as it makes no sense
-  # - ingress-pathbased.yaml
-  #- naming-workaround.yaml
   - iam-management-ns.yaml
   - eoepca-admin.yaml
   - ss-iam-keycloak.yaml
   - ss-opa-route.yaml
   - ss-keycloak-admin.yaml
+  - ss-eoepca-realm.yaml
diff --git a/argocd/eoepca/iam/parts/ss-eoepca-realm.yaml b/argocd/eoepca/iam/parts/ss-eoepca-realm.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: eoepca-realm
+  namespace: iam
+spec:
+  encryptedData:
+    github_client_secret: AgBNeTejlaFXnSYa9aPQMnkKaRort+URN8+s4zy+I66i4Vp2nsmOtZ5BWRLfCbgHE3IgBHmKc2oS56MNusffgpmXD6wgno7Mjb+aQ36pbg3JkS1NjdXHzgf78GW7bi1a52gfBFbdwb8LV/iBm+6fYvKukAC1AQgqQQ0Y+kNfFTkdOUlgxGsdTc66NGn6D1z56xjHfugvFrdNdiuM6FgKjkr1J4OcQlf7HF3KzqRblh6PLhh8nkff1XBVl76gkFogTuarZ74oA+cUPTiJXweQXS0eAecNhqu+vvQRSfKbroWb7kbECy9RinLdglB9JZJG3q6w7X4+Iu9fyJHLqftWZNQY5msBtOQAZsLTYv0On85heNb18BfdQuleCz6f5HrDcDt2HNUnerLrlufif0dMNU8xicgdJB2Ct1ez2zwCzlUOqybYOQl+cKRdd8ir2cxQWT2fc78fuzeI4btYjbHA/exGLo/5cmgnHMX8xdzIik8gmHL1cDE01z00bOKmipyVsu8T//9JJXdt9QJukN1WzbUvw0bp3rVwEYXlh4M6G69RLWc73+dz5et7HkXbtAVGNWAKAHSV7n0VAzNkKAz1i27ghjJxcnKLHz+fzwZmJdiqryvCPEjnGKv8RWtyvEkMc1mY+G0lWNMV9hinl17YKnPPzFMcYw3ISG/PUUdIZAisGNOnJQlhC3PVjIZo8uYNkvc6aGYrKA7yHScsZfv4kIFqUmSyMN7T8jyyUoKxrw15qecpNYhy1wfH
+    smtp_password: AgAHKJbvzE/kAYLUpXBwtcW/3336PmfRHT3sux4lbafW7gVPqJh/GgdDPyBYrPGrWNlKEB226ljyCobaFuTM/1BIiL9H4Yvw8MOCoeticJyKj7gqtTtYDV2KKdv0r59dViZZqaHXtGTqJnxe7+zp8GBFNz9BIWfbdG3r49yHuk4ANxAW3UXCy6jBT5cN0w2KYASH5EHyhIcMr38ckhFtFy+CObcqNjoDbeV4+nHLs1Mx75zQxGrbh+iGNIH5PcPEBefIsnYlKtZ3vgeuETmlCeyOtezcLQ5itqoHKV5J7a3Z8F39VAQJPoQbxG2WlKVE3BrQjftSQWbMyDnrypqSaTzXewsdagOpjNnYHJzTe/fE57Hv6SZULYJ+t+Qd/hYkds3CFTcsYqHAU54JK54OTNL57EPOhQ52OVHXVEIFWYaU49b+mKasMYb4zq9ofI3RbW5hc2WFfhdoeAJ3uHGYlYWe98BI/BtyIuaDlDG9ld9B1kNMk8xvTnY1Fe6JR0/d22BVaTJMeNirbsiopRzpyYTkStJ15EXEIkBlBmLzhMs9nD6Z3hsiDYnnzVDM90Ie0tumtQ+gsXZ9GfabdPwMMz6yG83vlhHEk+ZqrcfVXsawZPkHB35z6caxfs4XZYIvJkZw7LZWMl2cpM+xTzU3lp0xkxqzWfsv47OE0YNmwIBm7ZcCBPHgujB9ItH9QwmPlXDNjEMlr6MciuqoH9LxjfFH5OCy
+  template:
+    metadata:
+      creationTimestamp: null
+      name: eoepca-realm
+      namespace: iam
diff --git a/argocd/eoepca/iam/parts/values/iam-values.yaml b/argocd/eoepca/iam/parts/values/iam-values.yaml
@@ -79,11 +79,16 @@ iam: &iam
         name: eoepca
         displayName: EOEPCA
         # Declaration of placeholders used in customClients, customUsers and customSettings
-        customPlaceholders:
+        customPlaceholders: &placeholders
           smtp_password:
             secret:
               name: eoepca-realm
               key: smtp_password
+          github_client_secret:
+            secret:
+              name: eoepca-realm
+              key: github_client_secret
+        placeholders: *placeholders # TODO: Remove after Helm chart update
 #          eoiam_client_secret:
 #            secret:
 #              name: eoepca-realm
@@ -118,7 +123,7 @@ iam: &iam
             user: "eoepca@gmail.com"
             password: ${smtp_password}
             # Possible identity provider configuration (taken from develop cluster, may be reduced):
-#            identityProviders: [
+            identityProviders:
 #              {
 #                "alias": "eoiam",
 #                "displayName": "ESA EO IAM",
@@ -161,31 +166,26 @@ iam: &iam
 #                  "passMaxAge": "false"
 #                }
 #              },
-#              {
-#                "alias": "github",
-#                "displayName": "GitHub",
-#                "internalId": "0b3fb53b-3064-42ab-86c9-b7799ecbb074",
-#                "providerId": "github",
-#                "enabled": true,
-#                "updateProfileFirstLoginMode": "on",
-#                "trustEmail": false,
-#                "storeToken": false,
-#                "addReadTokenRoleOnCreate": false,
-#                "authenticateByDefault": false,
-#                "linkOnly": false,
-#                "hideOnLogin": false,
-#                "config": {
-#                  "clientId": "Ov23liUYGFVlE779am5e",
-#                  "acceptsPromptNoneForwardFromClient": "false",
-#                  "disableUserInfo": "false",
-#                  "filteredByClaim": "false",
-#                  "syncMode": "FORCE",
-#                  "clientSecret": "${github_client_secret}",
-#                  "caseSensitiveOriginalUsername": "false"
-#                }
-#              }
-#            ],
-#            "identityProviderMappers": [
+              - alias: "github"
+                displayName: "GitHub"
+                providerId: "github"
+                enabled: true
+                updateProfileFirstLoginMode": "on"
+                trustEmail: false
+                storeToken: false
+                addReadTokenRoleOnCreate: false
+                authenticateByDefault: false
+                linkOnly: false
+                hideOnLogin: false
+                config:
+                  clientId: "Ov23liNXqUxucibgSQ93"
+                  acceptsPromptNoneForwardFromClient: "false"
+                  disableUserInfo: "false"
+                  filteredByClaim: "false"
+                  syncMode: "FORCE"
+                  clientSecret: "${github_client_secret}"
+                  caseSensitiveOriginalUsername: "false"
+#            identityProviderMappers: [
 #              {
 #                "id": "acc5183d-7cca-4124-89b6-51e04929ef42",
 #                "name": "given_name",
diff --git a/argocd/eoepca/iam/ss-eoepca-realm.sh b/argocd/eoepca/iam/ss-eoepca-realm.sh
@@ -16,17 +16,17 @@ SECRET_NAME="eoepca-realm"
 NAMESPACE="iam"
 
 SMTP_PASSWORD="${1:-${SMTP_PASSWORD:-changeme}}"
-#EOIAM_CLIENT_SECRET="${2:-${EOIAM_CLIENT_SECRET:-changeme}}"
-#GITHUB_CLIENT_SECRET="${3:-${GITHUB_CLIENT_SECRET:-changeme}}"
+GITHUB_CLIENT_SECRET="${2:-${GITHUB_CLIENT_SECRET:-changeme}}"
+#EOIAM_CLIENT_SECRET="${3:-${EOIAM_CLIENT_SECRET:-changeme}}"
 
 secretYaml() {
   kubectl -n "${NAMESPACE}" create secret generic "${SECRET_NAME}" \
     --from-literal="smtp_password=${SMTP_PASSWORD}" \
+    --from-literal="github_client_secret=${GITHUB_CLIENT_SECRET}" \
     --dry-run=client -o yaml
 }
 # TODO: Add when needed:
 #    --from-literal="eoiam_client_secret=${EOIAM_CLIENT_SECRET}" \
-#    --from-literal="github_client_secret=${GITHUB_CLIENT_SECRET}" \
 
 # Create Secret and then pipe to kubeseal to create the SealedSecret
 secretYaml \
