Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provision GitHub OAuth using secret #1773

Merged
merged 14 commits into from
Jan 13, 2021
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Add proc
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
tolusha committed Jan 13, 2021

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
commit 298f009276aa8c762c44a382925547f214c140b1
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
// Module included in the following assemblies:
//
// Configuring GitHub OAuth


[id="configuring-github-oauth_{context}"]
= Configuring GitHub OAuth

OAuth for GitHub allows for automatic SSH key upload to GitHub.

.Prerequisites

* The `{orch-cli}` tool is available.

.Procedure

* Create a link:https://developer.github.com/apps/building-oauth-apps/creating-an-oauth-app[OAuth application in GitHub] using {prod-short} URL as the value for the application `Homepage URL` and {identity-provider} GitHub endpoint URL as the value for Authorization callback URL. The default values are `https://{prod-deployment}-{prod-namespace}.<DOMAIN>/` and `https://keycloak-{prod-namespace}.<DOMAIN>/auth/realms/{prod-deployment}/broker/github/endpoint` respectively, where `<DOMAIN>` is {orch-name} cluster domain.

ifeval::["{project-context}" == "che"]
* For {prod-short} deployed in multi-user mode:
+
endif::[]

. Create a new secret in the {orch-namespace} where {prod-short} is deployed.
+
[subs="+quotes,+attributes"]
----
$ {orch-cli} apply -f - <<EOF
kind: Secret
apiVersion: v1
metadata:
name: github-oauth-credentials
namespace: <...> <1>
labels:
app.kubernetes.io/part-of: che.eclipse.org
app.kubernetes.io/component: keycloak-secret
annotations:
che.eclipse.org/github-oauth-credentials: 'true'
che.eclipse.org/mount-as: env
che.eclipse.org/id_env-name: GITHUB_CLIENT_ID
che.eclipse.org/secret_env-name: GITHUB_SECRET
data:
id: <...> <2>
secret: <...> <3>
type: Opaque
EOF
----
<1> {prod-short} namespace. The default is {prod-namespace}
<2> base64 encoded GitHub OAuth Client ID
<3> base64 encoded GitHub OAuth Client Secret

. If {prod-short} was already installed wait until rollout of {identity-provider} component finishes.

ifeval::["{project-context}" == "che"]
+

* For {prod-short} deployed in single-user mode:
. On {platforms-name}, update the deployment configuration (see xref:installation-guide:configuring-the-che-installation.adoc[] and xref:installation-guide:advanced-configuration-options-for-the-che-server-component.adoc#authentication-parameters[]).
+
[subs=+quotes]
----
CHE_OAUTH_GITHUB_CLIENTID=__<your-github-client-ID>__
CHE_OAUTH_GITHUB_CLIENTSECRET=__<your-github-secret>__
----

. In the *Authorization callback URL* field of the GitHub OAuth application, enter `__<prod-url__/api/oauth/callback`.
+
[NOTE]
====
* Substitute `_<prod-url>_` with the URL and port of the {prod-short} installation.
* Substitute `_<your-github-client-ID>_` and `_<your-github-secret>_` with your GitHub client ID and secret.
* This configuration only applies to single-user deployments of {prod-short}.
====
endif::[]