Merge branch '444-nextcloud-single-sign-on' into 'master'

Resolve "nextcloud single-sign-on"

Closes #444

See merge request openappstack/openappstack!190

ansible/group_vars/all/oas.yml

@@ -30,6 +30,7 @@ grafana_admin_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/grafan
 
 # Single sign-on passwords
 userpanel_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/userpanel_oauth_client_secret chars=ascii_letters') }}"
+nextcloud_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/nextcloud_oauth_client_secret chars=ascii_letters') }}"
 userbackend_postgres_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/userbackend_postgres_password chars=ascii_letters') }}"
 userbackend_admin_username: "admin"
 userbackend_admin_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/userbackend_admin_password chars=ascii_letters') }}"

ansible/roles/apps/tasks/flux.yml

@@ -53,13 +53,5 @@
   #   helm-operator
   #   # Chart name
   #   helm-operator
-  #   # enable cusrom Helm repositories
-  #   --set configureRepositories.enable=true
-  #   # Add the stable default Helm repository
-  #   --set configureRepositories.repositories[0].name=stable
-  #   --set configureRepositories.repositories[0].url=https://kubernetes-charts.storage.googleapis.com
-  #   # Add the ory repository that is required for the single-sign-on helmchart
-  #   --set configureRepositories.repositories[1].name=ory
-  #   --set configureRepositories.repositories[1].url=https://k8s.ory.sh/helm/charts
 
-  shell: helm upgrade --install --repo "https://charts.fluxcd.io" --namespace oas --version 0.3.0 --set createCRD=true helm-operator helm-operator --set configureRepositories.enable=true --set configureRepositories.repositories[0].name=stable --set configureRepositories.repositories[0].url=https://kubernetes-charts.storage.googleapis.com  --set configureRepositories.repositories[1].name=ory --set configureRepositories.repositories[1].url=https://k8s.ory.sh/helm/charts
+  shell: helm upgrade --install --repo "https://charts.fluxcd.io" --namespace oas --version 0.3.0 --set createCRD=true helm-operator helm-operator

ansible/roles/apps/templates/nextcloud-settings.yaml

@@ -90,3 +90,9 @@ postgresql:
 rabbitmq:
   rabbitmq:
     password: "{{ onlyoffice_rabbitmq_password }}"
+
+sociallogin:
+  server_name: "sso.{{ domain }}"
+  client_id: nextcloud
+  client_secret: "{{ nextcloud_oauth_client_secret }}"
+  groups_claim: "openappstack_roles"

ansible/roles/apps/templates/single-sign-on-settings.yaml

 replicaCount: 1
 
 consentProviderImage:
-  << : &IMAGE_DEFAULTS_SSO { tag: "integration-user-panel", pullPolicy: "Always" }
+  << : &IMAGE_DEFAULTS_SSO { tag: "0.2.0", pullPolicy: "Always" }
   repository: "open.greenhost.net:4567/openappstack/single-sign-on/consent_provider"
 loginProviderImage:
   << : *IMAGE_DEFAULTS_SSO
@@ -10,17 +10,22 @@ loginProviderImage:
 singleSignOnHost: &SSO_HOST "sso.{{ domain }}"
 
 userpanel:
+  applicationName: &USER_PANEL user-panel
   image:
-    << : &IMAGE_DEFAULTS_USER_PANEL { tag: "master", pullPolicy: "Always" }
+    << : &IMAGE_DEFAULTS_USER_PANEL { tag: "1.2.0", pullPolicy: "Always" }
     repository: "open.greenhost.net:4567/openappstack/user-panel/frontend"
   ingress:
     host: "admin.{{ domain }}"
-  oAuthClientSecret: "{{ userpanel_oauth_client_secret }}"
 
 userbackend:
   image:
     << : *IMAGE_DEFAULTS_USER_PANEL
     repository: "open.greenhost.net:4567/openappstack/user-panel/backend"
+  applications:
+    - name: *USER_PANEL
+      description: Administration interface to manage user accounts
+    - name: &NEXTCLOUD nextcloud
+      description: "Nextcloud Files offers an on-premise Universal File Access and sync platform with powerful collaboration capabilities and desktop, mobile and web interfaces."
   username: "{{ userbackend_admin_username }}"
   password: "{{ userbackend_admin_password }}"
   email: "{{ userbackend_admin_email }}"
@@ -34,9 +39,7 @@ userbackend:
 
 hydra:
   hydra:
-    dangerousForceHttp: true
     config:
-      dsn: memory
       urls:
         self:
           issuer: "https://sso.{{ domain }}"
@@ -58,3 +61,30 @@ hydra:
           secretName: hydra-public.tls
     admin:
       enabled: false
+
+oAuthClients:
+- clientName: *USER_PANEL
+  clientSecret: "{{ userpanel_oauth_client_secret }}"
+  redirectUri: "https://admin.{{ domain }}/callback"
+  scopes: "openid profile email openappstack_roles"
+  clientUri: "https://admin.{{ domain }}"
+  clientLogoUri: "https://admin.{{ domain }}/favicon.ico"
+  tokenEndpointAuthMethod: "client_secret_basic"
+  responseTypes:
+    - "token"
+  grantTypes:
+    - "implicit"
+- clientName: *NEXTCLOUD
+  clientSecret: "{{ nextcloud_oauth_client_secret }}"
+  redirectUri: "https://files.{{ domain }}/apps/sociallogin/custom_oidc/oas"
+  scopes: "openid profile email openappstack_roles"
+  clientUri: "https://files.{{ domain }}"
+  clientLogoUri: "https://files.{{ domain }}/core/img/favicon-touch.png"
+  tokenEndpointAuthMethod: "client_secret_post"
+  responseTypes:
+    - "code"
+    - "id_token"
+  grantTypes:
+    - "authorization_code"
+    - "refresh_token"
+    - "client_credentials"

flux/nextcloud.yaml

@@ -11,7 +11,7 @@ spec:
   releaseName: nc
   chart:
     git: https://open.greenhost.net/openappstack/nextcloud
-    ref: bef4c1940082df69a9dab931f5b02665228be733
+    ref: 7a493d320b7a41b08ca78c1b785365239a23ed62
     path: .
   valuesFrom:
     - secretKeyRef:

flux/single-sign-on.yaml

@@ -10,7 +10,7 @@ spec:
   releaseName: single-sign-on
   chart:
     git: https://open.greenhost.net/openappstack/single-sign-on
-    ref: d0a4553a2b7e01bf7a0cde58f093cb78d85222aa
+    ref: 0.2.0
     path: ./helmchart/single-sign-on/
   valuesFrom:
     - secretKeyRef: