
Setup Single Sign-On of DefectDojo with Opstella

To set up Single Sign-On with Opstella, you need:

  • 📦 Opstella Keycloak
    • Your dedicated Keycloak Realm, e.g. foobar-opstella; change it accordingly.
    • The realm's public signing key.
  • 🔑 OpenID Connect credentials for DefectDojo: Client ID and Client Secret.

  1. Connect to the 🟢 Management Kubernetes Cluster, i.e. with its kubeconfig file.

    Set the kubeconfig file:

    export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/management_cluster.yaml"

Prepare DefectDojo Single Sign-On Configuration

  1. Specify the OIDC authentication information

    Using the Opstella Keycloak information:

    • Opstella Keycloak domain and realm: ${KEYCLOAK_DOMAIN} and ${KEYCLOAK_REALM} are assumed to be exported as defined in the Shell Variables guide.

    • Opstella Keycloak public signing key. Paste it exactly as the Keycloak admin console shows it (Realm settings → Keys, the realm's RS256 key): the base64 body only, on a single line, without BEGIN/END PUBLIC KEY lines. DefectDojo adds the PEM header and footer itself, and a multi-line value would also break the YAML heredoc in the next step. DefectDojo verifies ID tokens against this pinned key, so after a realm key rotation the Secret must be updated and DefectDojo restarted to pick up the new value.

      export KEYCLOAK_SIGNING_PUBKEY="CHANGEME"

    • Client ID: defectdojo

      export DEFECTDOJO_OIDC_CLIENT_ID="defectdojo"

    • Client secret: CHANGEME (the secret generated for the defectdojo client in Keycloak)

      export DEFECTDOJO_OIDC_CLIENT_SECRET="CHANGEME"
  2. Create the OIDC authentication information as a Kubernetes Secret

    Create a Kubernetes Secret named defectdojo-oidc-configurations. The heredoc is unquoted on purpose so that the exported variables are expanded by your shell before kubectl reads the manifest.

    kubectl apply --namespace devsecops-system -f - <<EOF
    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: defectdojo-oidc-configurations
    stringData:
      client-id: ${DEFECTDOJO_OIDC_CLIENT_ID}
      client-secret: ${DEFECTDOJO_OIDC_CLIENT_SECRET}
      authorization-endpoint: https://${KEYCLOAK_DOMAIN}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/auth
      access-token-endpoint: https://${KEYCLOAK_DOMAIN}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token
      signing-public-key: ${KEYCLOAK_SIGNING_PUBKEY}
    EOF

    💡 Should return a secret/defectdojo-oidc-configurations created message.
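Before applying the Secret it is worth checking that the exported values match what the realm actually publishes, since a wrong endpoint, an unreplaced CHANGEME, or a public key pasted with its PEM header only shows up later as a failed login. The following script is an added example, not part of the Opstella docs or of DefectDojo. It assumes Keycloak's standard OIDC discovery document at https://<domain>/realms/<realm>/.well-known/openid-configuration and the realm descriptor at https://<domain>/realms/<realm>, whose public_key field is the realm's signing key as bare base64 DER (SubjectPublicKeyInfo), and it assumes that DefectDojo's Keycloak backend (social-core) wraps DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY in the BEGIN/END PUBLIC KEY lines itself. The sample domain, realm, key and discovery document embedded in it are constructed for offline use; the script name check_oidc_secret.py is hypothetical.

```python
"""Pre-flight check for the defectdojo-oidc-configurations Secret values.

Added example, not Opstella or DefectDojo code. Assumes Keycloak's standard
discovery document and realm descriptor (see lead-in) and that DefectDojo adds
the PEM header/footer around DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY itself.
"""
import base64
import binascii
import json
import os
import sys
import urllib.request

# Constructed sample data for offline use; not a real realm or key.
SAMPLE_DOMAIN = "keycloak.example.com"
SAMPLE_REALM = "foobar-opstella"
# 15 bytes of DER (an RSA AlgorithmIdentifier), enough to look like the start of an SPKI.
SAMPLE_KEY = base64.b64encode(bytes.fromhex("300d06092a864886f70d0101010500")).decode()
SAMPLE_DISCOVERY = {
    "issuer": f"https://{SAMPLE_DOMAIN}/realms/{SAMPLE_REALM}",
    "authorization_endpoint": f"https://{SAMPLE_DOMAIN}/realms/{SAMPLE_REALM}/protocol/openid-connect/auth",
    "token_endpoint": f"https://{SAMPLE_DOMAIN}/realms/{SAMPLE_REALM}/protocol/openid-connect/token",
}
SAMPLE_REALM_INFO = {"realm": SAMPLE_REALM, "public_key": SAMPLE_KEY}


def secret_string_data(domain, realm, client_id, client_secret, pubkey):
    """Build the same stringData map the kubectl heredoc on this page creates."""
    base = f"https://{domain}/realms/{realm}/protocol/openid-connect"
    return {
        "client-id": client_id,
        "client-secret": client_secret,
        "authorization-endpoint": f"{base}/auth",
        "access-token-endpoint": f"{base}/token",
        "signing-public-key": pubkey,
    }


def check_public_key(value):
    """Problems with a DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY value (empty list = OK)."""
    if not value or value == "CHANGEME":
        return ["signing-public-key placeholder not replaced"]
    if "-----BEGIN" in value or "-----END" in value:
        return ["signing-public-key has PEM header/footer lines; paste only the base64 body"]
    if any(c.isspace() for c in value):
        return ["signing-public-key contains whitespace or newlines; it must be one line"]
    try:
        der = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return ["signing-public-key is not valid base64"]
    # A SubjectPublicKeyInfo is a DER SEQUENCE, whose first tag byte is 0x30.
    if not der or der[0] != 0x30:
        return ["signing-public-key does not decode to a DER SEQUENCE"]
    return []


def check_secret(secret, discovery, realm_info):
    """Compare the Secret's stringData with what the realm publishes; return problems."""
    problems = []
    for key, claim in (("authorization-endpoint", "authorization_endpoint"),
                       ("access-token-endpoint", "token_endpoint")):
        if secret.get(key) != discovery.get(claim):
            problems.append(f"{key} is {secret.get(key)!r}, discovery says {discovery.get(claim)!r}")
    for key in ("client-id", "client-secret"):
        if not secret.get(key) or secret.get(key) == "CHANGEME":
            problems.append(f"{key} placeholder not replaced")
    key_problems = check_public_key(secret.get("signing-public-key", ""))
    problems += key_problems
    # Only compare against the live key once the format itself is sane.
    if not key_problems and secret.get("signing-public-key") != realm_info.get("public_key"):
        problems.append("signing-public-key differs from the realm's current public_key (key rotated?)")
    return problems


def main(argv):
    """Usage: python3 check_oidc_secret.py <keycloak-domain> <realm>

    Reads the same DEFECTDOJO_OIDC_* and KEYCLOAK_SIGNING_PUBKEY variables the
    page exports, fetches the realm's discovery document and descriptor, and
    exits non-zero if anything disagrees.
    """
    domain, realm = argv[1], argv[2]
    secret = secret_string_data(domain, realm,
                                os.environ.get("DEFECTDOJO_OIDC_CLIENT_ID", ""),
                                os.environ.get("DEFECTDOJO_OIDC_CLIENT_SECRET", ""),
                                os.environ.get("KEYCLOAK_SIGNING_PUBKEY", ""))
    base = f"https://{domain}/realms/{realm}"
    with urllib.request.urlopen(f"{base}/.well-known/openid-configuration", timeout=10) as r:
        discovery = json.load(r)
    with urllib.request.urlopen(base, timeout=10) as r:
        realm_info = json.load(r)
    problems = check_secret(secret, discovery, realm_info)
    for problem in problems:
        print("PROBLEM:", problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 check_oidc_secret.py "$KEYCLOAK_DOMAIN" "$KEYCLOAK_REALM" in the same shell where the variables were exported; an empty output and exit code 0 means the Secret will carry the endpoints and key the realm really serves. The key comparison also makes the script a cheap thing to rerun after a Keycloak key rotation, to see whether the pinned value in the Secret is stale.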

Reconfigure Installed DefectDojo Helm Values

  1. Create additional Helm values that configure Single Sign-On

    extraConfigs become DefectDojo settings; extraEnv injects the Secret keys from the previous step into the DefectDojo pods as the environment variables DefectDojo's Keycloak backend reads.

    cat <<EOF > $HOME/opstella-installation/helm-values/defectdojo-oidc-helm-values.yaml
    ---
    ## OPSTELLA_CUSTOMIZE/Application: Extra Configurations:
    ## - OIDC with Keycloak
    extraConfigs:
      DD_SECURE_SSL_REDIRECT: 'True'
      DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_ENABLED: 'True'
      DD_SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT: "Sign in with Opstella"
    ## OPSTELLA_CUSTOMIZE/Kubernetes/Application: Extra Environment Variables:
    ## - OIDC with Keycloak: Related Values for Setup
    extraEnv:
      - name: DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY
        valueFrom:
          secretKeyRef:
            name: defectdojo-oidc-configurations
            key: signing-public-key
      - name: DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL
        valueFrom:
          secretKeyRef:
            name: defectdojo-oidc-configurations
            key: authorization-endpoint
      - name: DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL
        valueFrom:
          secretKeyRef:
            name: defectdojo-oidc-configurations
            key: access-token-endpoint
      - name: DD_SOCIAL_AUTH_KEYCLOAK_KEY
        valueFrom:
          secretKeyRef:
            name: defectdojo-oidc-configurations
            key: client-id
      - name: DD_SOCIAL_AUTH_KEYCLOAK_SECRET
        valueFrom:
          secretKeyRef:
            name: defectdojo-oidc-configurations
            key: client-secret
    EOF

  2. Apply the additional configuration with Helm

    --reuse-values keeps the values of the existing release and merges this file on top. Keep --version pinned to the chart version that is currently installed (helm list --namespace devsecops-system shows it), so that this step only changes the SSO configuration and does not upgrade the chart at the same time.

    helm upgrade defectdojo defectdojo/defectdojo \
      --namespace devsecops-system --version 1.6.179 \
      --reuse-values \
      -f $HOME/opstella-installation/helm-values/defectdojo-oidc-helm-values.yaml
