From ba18e687b565962c7c29df84f949179cd6289401 Mon Sep 17 00:00:00 2001
From: Wolfgang Hottgenroth
Date: Fri, 28 Feb 2025 23:05:07 +0100
Subject: [PATCH] openidconnect, not yet working
---
 deployment/install.sh | 29 ++++++++++++++++++++++++-----
 deployment/secrets.asc | 16 ++++++++++++----
 deployment/values.yml | 10 +++++++++-
 3 files changed, 45 insertions(+), 10 deletions(-)
diff --git a/deployment/install.sh b/deployment/install.sh
index ee42c53..7be850b 100755
--- a/deployment/install.sh
+++ b/deployment/install.sh
@@ -8,11 +8,15 @@ kubectl create namespace $NAMESPACE \
 -o yaml | \
 kubectl -f - apply
-SECRETS_FILE=`mktemp`
-gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output $SECRETS_FILE secrets.asc
-. $SECRETS_FILE
-rm $SECRETS_FILE
-# eval "`cat secrets.asc | /usr/local/bin/decrypt-secrets.sh`"
+if [ -f secrets.txt ]; then
+ . secrets.txt
+else
+ SECRETS_FILE=`mktemp`
+ gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output $SECRETS_FILE secrets.asc
+ . $SECRETS_FILE
+ rm $SECRETS_FILE
+ # eval "`cat secrets.asc | /usr/local/bin/decrypt-secrets.sh`"
+fi
 kubectl create secret generic defectdojo-postgresql-specific \
 --dry-run=client \
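Review bot: The new `if [ -f secrets.txt ]` branch sources a plaintext secrets file from the current working directory and silently takes precedence over the encrypted `secrets.asc`, so a stale or unintended `secrets.txt` wins with no indication of which source was used; at minimum make sure `secrets.txt` is git-ignored and log the choice, e.g. `echo "using plaintext secrets.txt" >&2`. In the `else` branch the decrypted secrets land in a `mktemp` file that is only removed on the happy path, so a failing `gpg` leaves the file behind; `trap 'rm -f "$SECRETS_FILE"' EXIT` right after `SECRETS_FILE=\`mktemp\`` covers that (whether the script runs under `set -e` cannot be seen here, as the script header lies outside the hunk). Passing `--passphrase $GPG_PASSPHRASE` on the command line also exposes the passphrase to other local users through the process list; feeding it via `--passphrase-fd 0` on stdin avoids that.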
@@ -28,6 +32,21 @@ kubectl create secret generic defectdojo-redis-specific \
 --from-literal=redis-password="" | \
 kubectl apply -f - -n $NAMESPACE
+kubectl create secret generic defectdojo-extrasecrets \
+ --dry-run=client \
+ -o yaml \
+ --save-config \
+ --from-literal=DD_SESSION_COOKIE_SECURE="True" \
+ --from-literal=DD_CSRF_COOKIE_SECURE="True" \
+ --from-literal=DD_SECURE_SSL_REDIRECT="True" \
+ --from-literal=DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_ENABLED="True" \
+ --from-literal=DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY="$KEYCLOAK_PUBLIC_KEY" \
+ --from-literal=DD_SOCIAL_AUTH_KEYCLOAK_KEY="defectdojo" \
+ --from-literal=DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL="https://auth2.hottis.de/realms/hottis/protocol/openid-connect/auth" \
+ --from-literal=DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL="https://auth2.hottis.de/realms/hottis/protocol/openid-connect/token" \
+ --from-literal=DD_SOCIAL_AUTH_KEYCLOAK_SECRET="$OPENID_SECRET" | \
+ kubectl apply -f - -n $NAMESPACE
+
 helm repo add defectdojo 'https://raw.githubusercontent.com/DefectDojo/django-DefectDojo/helm-charts'
 helm repo update
diff --git a/deployment/secrets.asc b/deployment/secrets.asc
index 65ac0df..1f307b4 100644
--- a/deployment/secrets.asc
+++ b/deployment/secrets.asc
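Review bot: `DD_SOCIAL_AUTH_KEYCLOAK_SECRET="$OPENID_SECRET"` and `DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY="$KEYCLOAK_PUBLIC_KEY"` are taken from shell variables with no check that they are set, so if the sourced secrets file lacks them the Secret is created with empty values and the problem only surfaces later as a broken login. Adding `: "${OPENID_SECRET:?OPENID_SECRET is not set}"` and `: "${KEYCLOAK_PUBLIC_KEY:?KEYCLOAK_PUBLIC_KEY is not set}"` before the `kubectl create secret generic defectdojo-extrasecrets` line fails fast instead. Nothing in this commit references `defectdojo-extrasecrets` from the chart values, which is presumably part of why the title says "not yet working"; the secret name still has to be handed to the DefectDojo chart through its extra-secrets setting (check the exact key against the chart version in use). The `True` toggles are configuration rather than secrets and could live in a ConfigMap, but that is cosmetic.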
@@ -1,7 +1,15 @@
 -----BEGIN PGP MESSAGE-----
-jA0ECQMIBTFqH76O+EH80m0BfrFMTw8TSSx9cXepIYKzXVS40qB8WtHg4Dvu96jH
-E6DH3djCVjketkrTLm2n8gwT6FjcQXtinqhU8IqUiP1nLIu24ZHgy5+Y83MeGN4/
-dN/TcgiGmXiMM9N0VjGCJeUZ2aHNNunmQeSxVnrv
-=X3R9
+jA0ECQMI2OsWrWYS+jz50sElAUvKcwh3A7lF7F0DitbXDspCaXNemMJVxXLHQcdu
+OpMv6FfnBc9tUjNG33eVELCCB+vfCfsH2Syx5av6CgFwsiY9MFZwJigN2iv4/aEQ
+wiFd6hcQZPCx0PFsH5O6jm0I/3A2/bJd3IuK8ks0syU95kgPD+jjM37VLm4Dd/kY
+CDsWP44LR5aQNNGM/lqHgHjsvJEn9d086+2WH6jrotoeyGbv0NfreDf6r6vnGeUF
+cnRl8OvyaY4ApxHun27n8/l8DGswpg4+awBDchxFJ9ke4jJUiFcZo3MSuzZkk8FI
+4xFQ35t9re55coYo97ud6TNWzHNodbBxjR9GbJnGbsRT7TpPmbuy8SQ2FYpCAHFf
+I5Tn6SBB7logrzfs+Ui4fXMX7Rrwo7gZuG3GYiib0H6O24lWiA+GAxmMnVplLbXC
+TX2ja9FtiEOxoTtBzLMpTIVcmNSbV9tv8oBxmumOw1MihGobpBcmL1h66DTXPVml
+CqmdXZmuoKKbBVi/ZnVMghkNqo6PDkgkWQ9rcVegBFZmr/fxVWRaCwY1ui8Ri9C+
+vRmaTtiYVFWN8CgO4+1i6TjYZ9KroVk2ThBI0KLDPT/emeVAaF99tUTrtD1Dhwkb
+Zb/9M7KsBHRJj7dYO3j7tIphZoZWASU=
+=q37V
 -----END PGP MESSAGE-----
diff --git a/deployment/values.yml b/deployment/values.yml
index 937914f..4f0599f 100644
--- a/deployment/values.yml
+++ b/deployment/values.yml
@@ -9,6 +9,15 @@ alternativeHosts:
 django:
 ingress:
 enabled: false
+ mediaPersistentVolume:
+ enabled: true
+ name: defectdojo-media
+ type: pvc
+ persistentVolumeClaim:
+ create: true
+ size: 5Gi
+ accessModes:
+ - ReadWriteMany
 postgresql:
 enabled: false
@@ -21,4 +30,3 @@ redis:
 celery:
 path: "/6"
-
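Review bot: The new `persistentVolumeClaim` requests `ReadWriteMany` but sets no `storageClassName`, so the claim binds to whatever the cluster default class is and will sit in `Pending` on classes that only offer `ReadWriteOnce`; pinning `storageClassName: <rwx-capable-class>` next to `size: 5Gi` makes the requirement explicit (verify the key name against the chart's `django.mediaPersistentVolume` schema, which is not visible here). This hunk is also unrelated to the OpenID Connect work the commit title describes, so splitting it into its own commit would keep the history easier to audit.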