From bcef167b50d6c710fe47ddf14bb200634402d6e7 Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Tue, 13 Jan 2026 20:42:26 -0300
Subject: [PATCH] harbor: enable keycloak oidc settings

---
 services/harbor/helmrelease.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/services/harbor/helmrelease.yaml b/services/harbor/helmrelease.yaml
index 75f8be3..5b384d7 100644
--- a/services/harbor/helmrelease.yaml
+++ b/services/harbor/helmrelease.yaml
@@ -117,6 +117,21 @@ spec:
       existingSecret: harbor-core
       existingXsrfSecret: harbor-core
       existingXsrfSecretKey: CSRF_KEY
+      # OIDC config; client secret is stored out-of-band.
+      configureUserSettings: |
+        {
+          "auth_mode": "oidc_auth",
+          "oidc_name": "Keycloak",
+          "oidc_endpoint": "https://sso.bstein.dev/realms/atlas",
+          "oidc_client_id": "harbor",
+          "oidc_verify_cert": true,
+          "oidc_auto_onboard": true,
+          "oidc_scope": "openid,profile,email,groups",
+          "oidc_groups_claim": "groups",
+          "oidc_user_claim": "preferred_username",
+          "oidc_admin_group": "admin",
+          "oidc_logout": true
+        }
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution: