feat: add saml sso support as the default (#118)

## Description

This PR adds saml protocol support for SSO and sets it as the default.
To go back to OIDC, set the value `sso.protocol` to `openid_connect`
(example in `bundle/uds-config.yaml`)

Also, when `saml` is set as the protocol, this also enables granting
admin access to gitlab using keycloak group membership. By default,
being a member of either `/GitLab Admin` or `/UDS Core/Admin` in
keycloak will grant GitLab admin access.

## Related Issue

Relates to #102 

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/uds-package-gitlab/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Co-authored-by: Wayne Starr <[email protected]>

bundle/uds-bundle.yaml

@@ -46,11 +46,20 @@ packages:
             - name: GITLAB_SSO_ENABLED
               description: "Boolean to enable or disable sso things"
               path: "sso.enabled"
+            - name: GITLAB_SSO_PROTOCOL
+              description: "Protocol to use. Valid values are 'openid_connect' and 'saml'. Default value is 'saml'"
+              path: "sso.protocol"
+            - name: GITLAB_ADMIN_GROUPS
+              description: "Array of group names that grant admin role gitlab when saml protocol is active."
+              path: "sso.adminGroups"
         gitlab:
           variables:
             - name: GITLAB_SSO_ENABLED
               description: "Boolean to enable or disable sso things"
               path: "global.appConfig.omniauth.enabled"
+            - name: GITLAB_SSO_PROTOCOL
+              description: "Protocol to use. Valid values are 'openid_connect' and 'saml'. Default value is 'saml'"
+              path: "global.appConfig.omniauth.autoSignInWithProvider"
             - name: MIGRATIONS_RESOURCES
               description: "Gitlab Migrations Resources"
               path: "gitlab.migrations.resources"

bundle/uds-config.yaml

@@ -32,6 +32,8 @@ variables:
     gitlab_db_endpoint: "pg-cluster.postgres.svc.cluster.local"
     DISABLE_REGISTRY_REDIRECT: "true"
     GITLAB_PAGES_ENABLED: true
+    GITLAB_ADMIN_GROUPS: ["/GitLab Admin", "/UDS Core/Admin"]
+    GITLAB_SSO_PROTOCOL: saml
     # # Overrides for scaled down cluster for local dev and CI
     webservice_replicas: 1
     webservice_resources:

chart/templates/uds-package.yaml

@@ -4,12 +4,13 @@ metadata:
   name: gitlab
   namespace: {{ .Release.Namespace }}
 spec:
-  {{- if .Values.sso.enabled }}
+  {{- if and (.Values.sso.enabled) (eq .Values.sso.protocol "openid_connect") }}
   sso:
-    - name: Gitlab SSO
+    - name: GitLab Login
       clientId: uds-swf-gitlab
       redirectUris:
         - "https://gitlab.{{ .Values.domain }}/users/auth/openid_connect/callback"
+
       secretName: {{ .Values.sso.secretName }}
       secretTemplate:
         # GitLab expects a providers JSON file that is documented more here: https://gitlab-org.gitlab.io/technical-writing-group/gitlab-docs-hugo/administration/auth/oidc/
@@ -42,6 +43,40 @@ spec:
               }
             }
           }
+  {{- else if and (.Values.sso.enabled) (eq .Values.sso.protocol "saml") }}
+  sso:
+    - name: GitLab Login
+      clientId: uds-swf-gitlab-saml
+      redirectUris:
+        - "https://gitlab.{{ .Values.domain }}/users/auth/saml/callback"
+
+      protocol: saml
+      defaultClientScopes:
+        - "mapper-saml-email-email"
+        - "mapper-saml-firstname-first_name"
+        - "mapper-saml-lastname-last_name"
+        - "mapper-saml-grouplist-groups"
+
+      attributes:
+        saml.client.signature: "false"
+
+      secretName: {{ .Values.sso.secretName }}
+      secretTemplate:
+        # GitLab expects a providers JSON file that is documented more here: https://docs.gitlab.com/ee/integration/saml.html
+        providers: |
+          {
+            "name":"saml",
+            "label":"SSO",
+            "groups_attribute": "Groups",
+            "admin_groups": {{ .Values.sso.adminGroups | toJson }},
+            "args":{
+                "assertion_consumer_service_url": "https://gitlab.{{ .Values.domain }}/users/auth/saml/callback",
+                "idp_cert": "clientField(samlIdpCertificate)",
+                "idp_sso_target_url": "https://sso.{{ .Values.domain }}/realms/uds/protocol/saml",
+                "issuer": "clientField(clientId)",
+                "name_identifier_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+            }
+          }
   {{- end }}
   network:
     expose:

chart/values.yaml

@@ -1,7 +1,9 @@
 domain: "###ZARF_VAR_DOMAIN###"
 sso:
   enabled: true
+  protocol: saml
   secretName: gitlab-sso
+  adminGroups: ["/GitLab Admin", "/UDS Core/Admin"]
 storage:
   # Set to false to use external storage
   internal: true

tasks.yaml

@@ -39,6 +39,12 @@ tasks:
       - task: dependencies:create
       - task: create:test-bundle
 
+  - name: dev
+    description: deploy against running cluster
+    actions:
+      - task: create-gl-test-bundle
+      - task: deploy:test-bundle
+
 # CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names
 
   - name: test-package

values/common-values.yaml

@@ -70,10 +70,11 @@ global:
     ## https://docs.gitlab.com/charts/charts/globals#omniauth
     omniauth:
       enabled: true
-      allowSingleSignOn: ['openid_connect']
+      allowSingleSignOn: true
       blockAutoCreatedUsers: false
       autoLinkUser: true
-      autoSignInWithProvider: openid_connect
+      autoLinkSamlUser: true
+      autoSignInWithProvider: saml
       externalProviders: []
       syncProfileAttributes: ['email']
       syncProfileFromProvider: []