feat: migrate OIDC Configuration from Keycloak to Authentik (#327)

* Change: Authentik instead of Keycloak in CCP Co-authored-by: Jan <59206115+Threated@users.noreply.github.com> --------- Co-authored-by: Jan <59206115+Threated@users.noreply.github.com>
2025-11-04 10:40:18 +01:00 · 2025-07-04 14:26:19 +02:00
parent 4c6f9e0f13
commit 8414604257
2 changed files with 19 additions and 5 deletions
--- a/ccp/vars
+++ b/ccp/vars
@@ -12,7 +12,7 @@ OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
 OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
 OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
 OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
-OIDC_URL="https://login.verbis.dkfz.de/realms/test-realm-01"
+OIDC_URL="https://sso.verbis.dkfz.de/application/o/${OIDC_PUBLIC_CLIENT_ID}/"
 OIDC_GROUP_CLAIM="groups"

 for module in $PROJECT/modules/*.sh
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -301,19 +301,33 @@ function sync_secrets() {
    if [[ $secret_sync_args == "" ]]; then
        return
    fi
+
+    if [ "$PROJECT" == "bbmri" ]; then
+        # If the project is BBMRI, use the BBMRI-ERIC broker and not the GBN broker
+        proxy_id=$ERIC_PROXY_ID
+        broker_url=$ERIC_BROKER_URL
+        broker_id=$ERIC_BROKER_ID
+        root_crt_file="/srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem"
+    else
+        proxy_id=$PROXY_ID
+        broker_url=$BROKER_URL
+        broker_id=$BROKER_ID
+        root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem"
+    fi
+
    mkdir -p /var/cache/bridgehead/secrets/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/secrets/'. Please run sudo './bridgehead install $PROJECT' again."
    touch /var/cache/bridgehead/secrets/oidc
    docker run --rm \
        -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
        -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-        -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+        -v $root_crt_file:/run/secrets/root.crt.pem:ro \
        -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
        -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
        -e NO_PROXY=localhost,127.0.0.1 \
        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
-        -e PROXY_ID=$PROXY_ID \
-        -e BROKER_URL=$BROKER_URL \
-        -e OIDC_PROVIDER=secret-sync-central.central-secret-sync.$BROKER_ID \
+        -e PROXY_ID=$proxy_id \
+        -e BROKER_URL=$broker_url \
+        -e OIDC_PROVIDER=secret-sync-central.test-secret-sync.$broker_id \
        -e SECRET_DEFINITIONS=$secret_sync_args \
        docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest