SSO: Wire Harbor → Keycloak OIDC #338

Closed
opened 2026-05-05 04:06:26 +00:00 by forgejo_admin · 0 comments
Contributor

Type

Feature

Lineage

Standalone — scoped during platform SSO initiative (2026-05-04). Depends on platform realm ticket.

Repo

forgejo_admin/pal-e-platform

User Story

As a platform admin
I want to access my container registry via SSO
So that I can manage images without a separate Harbor login

Context

Harbor supports OIDC auth natively. Configuration is done via Harbor's system settings (admin API or Helm values). The OIDC provider URL points to the Keycloak platform realm. Harbor maps OIDC groups to Harbor roles.

File Targets

Files the agent should modify or create:

  • terraform/modules/harbor/main.tf — add OIDC auth config to Harbor Helm values

Files the agent should NOT touch:

  • Harbor robot accounts — those are for CI, not human auth
  • terraform/modules/keycloak/main.tf — realm managed separately

Acceptance Criteria

  • Harbor login page shows OIDC login option
  • ldraney can authenticate via Keycloak and has admin privileges
  • No second login prompt when navigating from pal-e-admin
  • Robot accounts for CI continue to work (not affected by OIDC switch)

Test Expectations

  • Integration: authenticate via Keycloak, verify Harbor session
  • Verify: robot account tokens still authenticate for image push/pull
  • Run command: curl -s https://harbor.tail5b443a.ts.net/api/v2.0/health | jq .
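As an added check that is not part of this ticket or the pal-e-platform repo, the script below reads Harbor's GET /api/v2.0/configurations response (the same API the Context section refers to) and reports which of the acceptance criteria and constraints above are not met; it assumes a placeholder Keycloak realm URL and a constructed sample response, and could sit next to the health-check curl in the Test Expectations.

```python
"""Check a Harbor GET /api/v2.0/configurations response against this ticket's criteria.
Harbor wraps each setting as {"value": ..., "editable": ...}; the OIDC client secret
is write-only and not returned, so it is deliberately not checked here."""
import json

# Assumed issuer URL of the Keycloak platform realm (placeholder; the real value
# comes from the platform realm ticket).
EXPECTED_ISSUER = "https://keycloak.example.internal/realms/platform"

def _val(cfg, key):
    """Unwrap Harbor's {"value": ...} envelope; tolerate a flat dict as well."""
    item = cfg.get(key)
    return item.get("value") if isinstance(item, dict) else item

def check_oidc_config(cfg, expected_issuer=EXPECTED_ISSUER):
    """Return findings; an empty list means the config meets the ticket."""
    findings = []
    if _val(cfg, "auth_mode") != "oidc_auth":
        findings.append("auth_mode is not oidc_auth: login page will not offer OIDC")
    endpoint = (_val(cfg, "oidc_endpoint") or "").rstrip("/")
    if endpoint != expected_issuer.rstrip("/"):
        findings.append(f"oidc_endpoint {endpoint!r} is not the platform realm")
    if not endpoint.startswith("https://"):
        findings.append("oidc_endpoint must use https")
    if _val(cfg, "oidc_verify_cert") is not True:
        findings.append("oidc_verify_cert is off: Keycloak's TLS cert is not validated")
    scopes = [s.strip() for s in (_val(cfg, "oidc_scope") or "").split(",")]
    if "openid" not in scopes:
        findings.append("oidc_scope lacks 'openid': Harbor cannot complete OIDC login")
    if not _val(cfg, "oidc_groups_claim"):
        findings.append("oidc_groups_claim unset: groups cannot map to Harbor roles")
    if not _val(cfg, "oidc_admin_group"):
        findings.append("oidc_admin_group unset: no Keycloak group grants Harbor admin")
    return findings

def check_response_text(text, expected_issuer=EXPECTED_ISSUER):
    """Same check on raw `curl .../api/v2.0/configurations` output."""
    return check_oidc_config(json.loads(text), expected_issuer)

# Constructed sample response (not captured from a real Harbor instance).
SAMPLE_OIDC = {
    "auth_mode": {"value": "oidc_auth", "editable": True},
    "oidc_endpoint": {"value": EXPECTED_ISSUER, "editable": True},
    "oidc_scope": {"value": "openid,profile,email,groups", "editable": True},
    "oidc_groups_claim": {"value": "groups", "editable": True},
    "oidc_admin_group": {"value": "platform-admins", "editable": True},
    "oidc_verify_cert": {"value": True, "editable": True},
}
```

Robot accounts are not part of the configurations response, so the "robot tokens still push/pull" expectation still needs its own live check.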

Constraints

  • Robot accounts must remain functional (CI depends on them)
  • OIDC client secret stored in k8s secret
  • Keep local admin as emergency fallback

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-pal-e-platform — platform project
Reference
ldraney/pal-e-platform#338