Setup Single Sign-On of DefectDojo with Opstella

This content is not available in your language yet.

Prerequisites

To Setup Single Sign-On with Opstella, you need

📦Opstella Keycloak
- Your dedicated Keycloak Realm. foobar-opstella ; Please change accordingly
- Public Signing Key.
🔑OpenID Connect Credentials: Client ID, Client Secret.
- Gather Client ID, Client Secret - from Procuring Keycloak Credentials

DefectDojo Single Sign-On Integration

Connect to Kubernetes Cluster

Connect to 🟢 Management Kubernetes Cluster ; i.e w/ Kubeconfig File

Set Kubeconfig File
Terminal window
```
export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/management_cluster.yaml"
```

Prepare DefectDojo Single Sign-On Configuration

Specify OIDC Authentication Information

Using Opstella Keycloak Information
- Opstella Keycloak Domain: ${KEYCLOAK_DOMAIN}, ${KEYCLOAK_REALM} are assumed to be exported as defined in the Shell Variables guide.
- Opstella Keycloak Public Signing Key
```
export KEYCLOAK_SIGNING_PUBKEY="CHANGEME"
```
- Client ID: defectdojo
```
export DEFECTDOJO_OIDC_CLIENT_ID="defectdojo"
```
- Client secret: CHANGEME
```
export DEFECTDOJO_OIDC_CLIENT_SECRET="CHANGEME"
```

Create OIDC Authentication Information as Kubernetes Secret

Create Kubernetes Secret named defectdojo-oidc-configurations

kubectl apply --namespace devsecops-system -f - <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: defectdojo-oidc-configurations
stringData:
  client-id: ${DEFECTDOJO_OIDC_CLIENT_ID}
  client-secret: ${DEFECTDOJO_OIDC_CLIENT_SECRET}
  authorization-endpoint: https://${KEYCLOAK_DOMAIN}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/auth
  access-token-endpoint: https://${KEYCLOAK_DOMAIN}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token
  signing-public-key: ${KEYCLOAK_SIGNING_PUBKEY}

EOF

💡 Should return secret/defectdojo-oidc-credentials created message.

Reconfigure Installed DefectDojo Helm Values

Create Additional Helm Values that configures Single-Sign On

cat <<EOF > $HOME/opstella-installation/helm-values/defectdojo-oidc-helm-values.yaml
---
## OPSTELLA_CUSTOMIZE/Application: Extra Configurations:
## - OIDC with Keycloak
extraConfigs:
  DD_SECURE_SSL_REDIRECT: 'True'
  DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_ENABLED: 'True'
  DD_SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT: "Sign in with Opstella"

## OPSTELLA_CUSTOMIZE/Kubernetes/Application: Extra Environment Variables:
## - OIDC with Keycloak: Related Values for Setup
extraEnv:
  - name: DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY
    valueFrom:
      secretKeyRef:
        name: defectdojo-oidc-configurations
        key: signing-public-key
  - name: DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL
    valueFrom:
      secretKeyRef:
        name: defectdojo-oidc-configurations
        key: authorization-endpoint
  - name: DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL
    valueFrom:
      secretKeyRef:
        name: defectdojo-oidc-configurations
        key: access-token-endpoint
  - name: DD_SOCIAL_AUTH_KEYCLOAK_KEY
    valueFrom:
      secretKeyRef:
        name: defectdojo-oidc-configurations
        key: client-id
  - name: DD_SOCIAL_AUTH_KEYCLOAK_SECRET
    valueFrom:
      secretKeyRef:
        name: defectdojo-oidc-configurations
        key: client-secret

EOF

Apply Additional Configurations with Helm

helm upgrade defectdojo defectdojo/defectdojo \
  --namespace devsecops-system --version 1.6.179 \
  --reuse-values \
  -f $HOME/opstella-installation/helm-values/defectdojo-oidc-helm-values.yaml

Finished?

Use the below navigation to proceed