From 4f5d059ea61a9c9edcc4de88d065bbc1252566ae Mon Sep 17 00:00:00 2001 From: moabu <47318409+moabu@users.noreply.github.com> Date: Mon, 11 Nov 2024 15:06:16 +0300 Subject: [PATCH 1/4] fix: remove unnecessary mount for k8s setup --- charts/janssen-all-in-one/README.md | 4 +-- .../templates/configmap.yaml | 2 -- .../templates/deployment.yml | 5 --- .../janssen-all-in-one/templates/secret.yaml | 31 +++++-------------- charts/janssen-all-in-one/values.yaml | 8 ++--- charts/janssen/README.md | 8 ++--- .../charts/auth-server-key-rotation/README.md | 3 -- charts/janssen/charts/auth-server/README.md | 3 -- charts/janssen/charts/casa/README.md | 3 -- .../janssen/charts/cn-istio-ingress/README.md | 2 -- charts/janssen/charts/config-api/README.md | 3 -- .../charts/config/templates/configmaps.yaml | 2 -- .../charts/config/templates/secrets.yaml | 30 +++++------------- charts/janssen/charts/fido2/README.md | 3 -- charts/janssen/charts/kc-scheduler/README.md | 3 -- charts/janssen/charts/link/README.md | 3 -- charts/janssen/charts/nginx-ingress/README.md | 3 -- charts/janssen/charts/persistence/README.md | 3 -- charts/janssen/charts/saml/README.md | 3 -- .../charts/saml/templates/deployment.yaml | 3 -- charts/janssen/charts/scim/README.md | 3 -- charts/janssen/values.yaml | 8 ++--- .../reference/kubernetes/helm-chart.md | 3 +- 23 files changed, 29 insertions(+), 110 deletions(-) diff --git a/charts/janssen-all-in-one/README.md b/charts/janssen-all-in-one/README.md index b01b758eddb..5c08e1fd04d 100644 --- a/charts/janssen-all-in-one/README.md +++ b/charts/janssen-all-in-one/README.md @@ -208,6 +208,8 @@ Kubernetes: `>=v1.22.0-0` | configmap.cnVaultSecretIdFile | string | `"/etc/certs/vault_secret_id"` | Path to file contains Vault AppRole secret ID. | | configmap.cnVaultVerify | bool | `false` | Verify connection to Vault. | | configmap.containerMetadataName | string | `"kubernetes"` | | +| configmap.kcAdminPassword | string | `"Test1234#"` | Keycloak admin UI password | +| configmap.kcAdminUsername | string | `"admin"` | Keycloak admin UI username | | configmap.kcDbPassword | string | `"Test1234#"` | Password for Keycloak database access | | configmap.kcDbSchema | string | `"keycloak"` | Keycloak database schema name (note that PostgreSQL may using "public" schema). | | configmap.kcDbUrlDatabase | string | `"keycloak"` | Keycloak database name | @@ -296,8 +298,6 @@ Kubernetes: `>=v1.22.0-0` | kc-scheduler.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | kc-scheduler.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | kc-scheduler.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| kcAdminCredentialsFile | string | `"/etc/jans/conf/kc_admin_creds"` | Path to file contains Keycloak admin credentials (username and password) | -| kcDbPasswordFile | string | `"/etc/jans/conf/kc_db_password"` | Path to file contains password for database access | | lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `fqdn` is globally resolvable. | | lifecycle | object | `{}` | | | link.appLoggers | object | `{"enableStdoutLogPrefix":"true","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | diff --git a/charts/janssen-all-in-one/templates/configmap.yaml b/charts/janssen-all-in-one/templates/configmap.yaml index d481b17288d..4843a077b55 100644 --- a/charts/janssen-all-in-one/templates/configmap.yaml +++ b/charts/janssen-all-in-one/templates/configmap.yaml @@ -202,8 +202,6 @@ data: KC_DB_URL_PORT: {{ .Values.configmap.kcDbUrlPort | quote }} KC_DB_URL_DATABASE: {{ .Values.configmap.kcDbUrlDatabase | quote }} KC_DB_URL_PROPERTIES: {{ .Values.configmap.kcDbUrlProperties | quote }} - CN_SAML_KC_DB_PASSWORD_FILE: {{ .Values.kcDbPasswordFile | quote }} - CN_SAML_KC_ADMIN_CREDENTIALS_FILE: {{ .Values.kcAdminCredentialsFile | quote }} {{- end }} CN_LOCK_ENABLED: {{ index .Values "auth-server" "lockEnabled" | quote }} CN_OPA_URL: {{ .Values.configmap.cnOpaUrl | quote }} diff --git a/charts/janssen-all-in-one/templates/deployment.yml b/charts/janssen-all-in-one/templates/deployment.yml index d9ebdb6f331..2efb1351622 100644 --- a/charts/janssen-all-in-one/templates/deployment.yml +++ b/charts/janssen-all-in-one/templates/deployment.yml @@ -113,11 +113,6 @@ spec: mountPath: /scripts/updatelbip.py subPath: updatelbip.py {{- end }} - {{- if .Values.saml.enabled }} - - name: kc-db-pass - mountPath: {{ .Values.kcDbPasswordFile }} - subPath: kc_db_password - {{- end }} livenessProbe: {{- toYaml .Values.livenessProbe | nindent 10 }} readinessProbe: diff --git a/charts/janssen-all-in-one/templates/secret.yaml b/charts/janssen-all-in-one/templates/secret.yaml index 8a8cf81fab5..501844fb11e 100644 --- a/charts/janssen-all-in-one/templates/secret.yaml +++ b/charts/janssen-all-in-one/templates/secret.yaml @@ -34,6 +34,9 @@ stringData: "auth_enc_keys": {{ index .Values "auth-server" "authEncKeys" | quote }}, "optional_scopes": {{ list (include "janssen-all-in-one.optionalScopes" . | fromJsonArray | join ",") | quote }}, "init_keys_exp": {{ index .Values "auth-server-key-rotation" "initKeysLife" }} + {{- if .Values.saml.enabled }} + "kc_admin_username": {{ .Values.configmap.kcAdminUsername | quote }}, + {{- end }} }, "_secret": { "admin_password": {{ .Values.adminPassword | quote }}, @@ -59,30 +62,10 @@ stringData: "aws_replica_regions": {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson | b64enc | quote }}, {{- end }} "encoded_salt": {{ .Values.salt | quote }} + {{- if .Values.saml.enabled }} + "kc_db_password": {{ .Values.configmap.kcDbPassword | quote }}, + "kc_admin_password": {{ .Values.configmap.kcAdminPassword | quote }} + {{- end }} } } {{- end }} - -{{- if .Values.saml.enabled }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Release.Name }}-kc-db-pass - labels: -{{ include "janssen-all-in-one.labels" . | indent 4 }} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels | indent 4 }} -{{- end }} -{{- if or (.Values.additionalAnnotations) (.Values.customAnnotations.secret) }} - annotations: -{{- if .Values.additionalAnnotations }} -{{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} -{{- if .Values.customAnnotations.secret }} -{{ toYaml .Values.customAnnotations.secret | indent 4 }} -{{- end }} -{{- end }} -data: - kc_db_password: {{ .Values.configmap.kcDbPassword | b64enc }} -{{- end}} diff --git a/charts/janssen-all-in-one/values.yaml b/charts/janssen-all-in-one/values.yaml index f62590dd2f6..6e448281e13 100644 --- a/charts/janssen-all-in-one/values.yaml +++ b/charts/janssen-all-in-one/values.yaml @@ -146,6 +146,10 @@ configmap: lbAddr: "" # -- Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. quarkusTransactionEnableRecovery: true + # -- Keycloak admin UI password + kcAdminPassword: Test1234# + # -- Keycloak admin UI username + kcAdminUsername: admin # -- Keycloak logging level kcLogLevel: INFO # -- Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. @@ -565,10 +569,6 @@ cnSqlPasswordFile: /etc/jans/conf/sql_password cnCouchbasePasswordFile: /etc/jans/conf/couchbase_password # -- Path to Couchbase superuser password file cnCouchbaseSuperuserPasswordFile: /etc/jans/conf/couchbase_superuser_password -# -- Path to file contains password for database access -kcDbPasswordFile: /etc/jans/conf/kc_db_password -# -- Path to file contains Keycloak admin credentials (username and password) -kcAdminCredentialsFile: /etc/jans/conf/kc_admin_creds # -- Path to configuration schema file cnConfiguratorConfigurationFile: /etc/jans/conf/configuration.json # -- Path to dumped configuration schema file diff --git a/charts/janssen/README.md b/charts/janssen/README.md index e2c7402f3db..693caa353d7 100644 --- a/charts/janssen/README.md +++ b/charts/janssen/README.md @@ -127,7 +127,7 @@ Kubernetes: `>=v1.22.0-0` | casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"janssen","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"janssen","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbjanssen.default.svc.cluster.local","cnCouchbaseUser":"janssen","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"janssen","cnGoogleSecretVersionId":"latest","cnJettyRequestHeaderSize":8192,"cnMaxRamPercent":"75.0","cnMessageType":"DISABLED","cnOpaUrl":"http://opa.opa.svc.cluster.cluster.local:8181/v1","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"jans","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"jans","cnSqldbUserPassword":"Test1234#","cnVaultAddr":"http://localhost:8200","cnVaultAppRolePath":"approle","cnVaultKvPath":"secret","cnVaultNamespace":"","cnVaultPrefix":"jans","cnVaultRoleId":"","cnVaultRoleIdFile":"/etc/certs/vault_role_id","cnVaultSecretId":"","cnVaultSecretIdFile":"/etc/certs/vault_secret_id","cnVaultVerify":false,"kcDbPassword":"Test1234#","kcDbSchema":"keycloak","kcDbUrlDatabase":"keycloak","kcDbUrlHost":"mysql.kc.svc.cluster.local","kcDbUrlPort":3306,"kcDbUrlProperties":"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4","kcDbUsername":"keycloak","kcDbVendor":"mysql","kcLogLevel":"INFO","lbAddr":"","quarkusTransactionEnableRecovery":true},"countryCode":"US","customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","email":"support@jans.io","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.1.6_dev"},"lifecycle":{},"orgName":"Janssen","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"salt":"","state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Janssen services. | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"janssen","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"janssen","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbjanssen.default.svc.cluster.local","cnCouchbaseUser":"janssen","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"janssen","cnGoogleSecretVersionId":"latest","cnJettyRequestHeaderSize":8192,"cnMaxRamPercent":"75.0","cnMessageType":"DISABLED","cnOpaUrl":"http://opa.opa.svc.cluster.cluster.local:8181/v1","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"jans","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"jans","cnSqldbUserPassword":"Test1234#","cnVaultAddr":"http://localhost:8200","cnVaultAppRolePath":"approle","cnVaultKvPath":"secret","cnVaultNamespace":"","cnVaultPrefix":"jans","cnVaultRoleId":"","cnVaultRoleIdFile":"/etc/certs/vault_role_id","cnVaultSecretId":"","cnVaultSecretIdFile":"/etc/certs/vault_secret_id","cnVaultVerify":false,"kcAdminPassword":"Test1234#","kcAdminUsername":"admin","kcDbPassword":"Test1234#","kcDbSchema":"keycloak","kcDbUrlDatabase":"keycloak","kcDbUrlHost":"mysql.kc.svc.cluster.local","kcDbUrlPort":3306,"kcDbUrlProperties":"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4","kcDbUsername":"keycloak","kcDbVendor":"mysql","kcLogLevel":"INFO","lbAddr":"","quarkusTransactionEnableRecovery":true},"countryCode":"US","customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","email":"support@jans.io","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.1.6_dev"},"lifecycle":{},"orgName":"Janssen","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"salt":"","state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Janssen services. | | config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.1.6_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1200Mi"},"requests":{"cpu":"1000m","memory":"1200Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | | config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | @@ -205,6 +205,8 @@ Kubernetes: `>=v1.22.0-0` | config.configmap.cnVaultSecretId | string | `""` | Vault AppRole SecretID. | | config.configmap.cnVaultSecretIdFile | string | `"/etc/certs/vault_secret_id"` | Path to file contains Vault AppRole secret ID. | | config.configmap.cnVaultVerify | bool | `false` | Verify connection to Vault. | +| config.configmap.kcAdminPassword | string | `"Test1234#"` | Keycloak admin UI password | +| config.configmap.kcAdminUsername | string | `"admin"` | Keycloak admin UI username | | config.configmap.kcDbPassword | string | `"Test1234#"` | Password for Keycloak database access | | config.configmap.kcDbSchema | string | `"keycloak"` | Keycloak database schema name (note that PostgreSQL may be using "public" schema). | | config.configmap.kcDbUrlDatabase | string | `"keycloak"` | Keycloak database name. | @@ -271,7 +273,7 @@ Kubernetes: `>=v1.22.0-0` | fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| global | object | `{"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"authServerAdditionalAnnotations":{},"authServerEnabled":true,"authServerLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeEnabled":true,"deviceCodeLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingEnabled":true,"firebaseMessagingLabels":{},"lockAdditionalAnnotations":{},"lockConfigAdditionalAnnotations":{},"lockConfigEnabled":false,"lockConfigLabels":{},"lockEnabled":false,"lockLabels":{},"openidAdditionalAnnotations":{},"openidConfigEnabled":true,"openidConfigLabels":{},"u2fAdditionalAnnotations":{},"u2fConfigEnabled":true,"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigEnabled":true,"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryEnabled":true,"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerEnabled":true,"webfingerLabels":{}},"lockEnabled":false},"auth-server-key-rotation":{"customAnnotations":{"cronjob":{},"secret":{},"service":{}},"enabled":true,"initKeysLife":48},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"casaAdditionalAnnotations":{},"casaEnabled":false,"casaLabels":{}}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnConfiguratorConfigurationFile":"/etc/jans/conf/configuration.json","cnConfiguratorCustomSchema":{"secretName":""},"cnConfiguratorDumpFile":"/etc/jans/conf/configuration.out.json","cnCouchbasePasswordFile":"/etc/jans/conf/couchbase_password","cnCouchbaseSuperuserPasswordFile":"/etc/jans/conf/couchbase_superuser_password","cnDocumentStoreType":"DB","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnPersistenceType":"sql","cnPrometheusPort":"","cnSqlPasswordFile":"/etc/jans/conf/sql_password","config":{"customAnnotations":{"clusterRoleBinding":{},"configMap":{},"job":{},"role":{},"roleBinding":{},"secret":{},"service":{},"serviceAccount":{}},"enabled":true},"config-api":{"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","configApiServerServiceName":"config-api","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"configApiAdditionalAnnotations":{},"configApiEnabled":true,"configApiLabels":{}},"plugins":"fido2,scim,user-mgt"},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2AdditionalAnnotations":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigEnabled":false,"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{}}},"fqdn":"demoexample.jans.io","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"kc-scheduler":{"enabled":false},"kcAdminCredentialsFile":"/etc/jans/conf/kc_admin_creds","kcDbPasswordFile":"/etc/jans/conf/kc_db_password","lbIp":"22.22.22.22","link":{"appLoggers":{"enableStdoutLogPrefix":"true","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"service":{},"virtualService":{}},"enabled":false,"ingress":{"linkEnabled":true},"linkServiceName":"link"},"nginx-ingress":{"enabled":true},"persistence":{"customAnnotations":{"job":{},"secret":{},"service":{}},"enabled":true},"saml":{"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":false,"ingress":{"samlAdditionalAnnotations":{},"samlEnabled":false,"samlLabels":{}},"samlServiceName":"saml"},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigEnabled":false,"scimConfigLabels":{},"scimEnabled":false,"scimLabels":{}},"scimServiceName":"scim"},"serviceAccountName":"default","storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global | object | `{"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"authServerAdditionalAnnotations":{},"authServerEnabled":true,"authServerLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeEnabled":true,"deviceCodeLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingEnabled":true,"firebaseMessagingLabels":{},"lockAdditionalAnnotations":{},"lockConfigAdditionalAnnotations":{},"lockConfigEnabled":false,"lockConfigLabels":{},"lockEnabled":false,"lockLabels":{},"openidAdditionalAnnotations":{},"openidConfigEnabled":true,"openidConfigLabels":{},"u2fAdditionalAnnotations":{},"u2fConfigEnabled":true,"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigEnabled":true,"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryEnabled":true,"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerEnabled":true,"webfingerLabels":{}},"lockEnabled":false},"auth-server-key-rotation":{"customAnnotations":{"cronjob":{},"secret":{},"service":{}},"enabled":true,"initKeysLife":48},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"casaAdditionalAnnotations":{},"casaEnabled":false,"casaLabels":{}}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnConfiguratorConfigurationFile":"/etc/jans/conf/configuration.json","cnConfiguratorCustomSchema":{"secretName":""},"cnConfiguratorDumpFile":"/etc/jans/conf/configuration.out.json","cnCouchbasePasswordFile":"/etc/jans/conf/couchbase_password","cnCouchbaseSuperuserPasswordFile":"/etc/jans/conf/couchbase_superuser_password","cnDocumentStoreType":"DB","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnPersistenceType":"sql","cnPrometheusPort":"","cnSqlPasswordFile":"/etc/jans/conf/sql_password","config":{"customAnnotations":{"clusterRoleBinding":{},"configMap":{},"job":{},"role":{},"roleBinding":{},"secret":{},"service":{},"serviceAccount":{}},"enabled":true},"config-api":{"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","configApiServerServiceName":"config-api","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"configApiAdditionalAnnotations":{},"configApiEnabled":true,"configApiLabels":{}},"plugins":"fido2,scim,user-mgt"},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2AdditionalAnnotations":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigEnabled":false,"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{}}},"fqdn":"demoexample.jans.io","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"kc-scheduler":{"enabled":false},"lbIp":"22.22.22.22","link":{"appLoggers":{"enableStdoutLogPrefix":"true","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"service":{},"virtualService":{}},"enabled":false,"ingress":{"linkEnabled":true},"linkServiceName":"link"},"nginx-ingress":{"enabled":true},"persistence":{"customAnnotations":{"job":{},"secret":{},"service":{}},"enabled":true},"saml":{"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":false,"ingress":{"samlAdditionalAnnotations":{},"samlEnabled":false,"samlLabels":{}},"samlServiceName":"saml"},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigEnabled":false,"scimConfigLabels":{},"scimEnabled":false,"scimLabels":{}},"scimServiceName":"scim"},"serviceAccountName":"default","storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | | global.alb.ingress | bool | `false` | Activates ALB ingress | | global.auth-server-key-rotation.enabled | bool | `true` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | | global.auth-server-key-rotation.initKeysLife | int | `48` | The initial auth server key rotation keys life in hours | @@ -405,8 +407,6 @@ Kubernetes: `>=v1.22.0-0` | global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. | | global.jobTtlSecondsAfterFinished | int | `300` | https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | global.kc-scheduler.enabled | bool | `false` | Boolean flag to enable/disable the kc-scheduler cronjob chart. | -| global.kcAdminCredentialsFile | string | `"/etc/jans/conf/kc_admin_creds"` | Path to file contains Keycloak admin credentials (username and password) | -| global.kcDbPasswordFile | string | `"/etc/jans/conf/kc_db_password"` | Path to file contains password for database access | | global.lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. | | global.link.appLoggers | object | `{"enableStdoutLogPrefix":"true","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | | global.link.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e link-persistence ===> 2022-12-20 17:49:55,744 INFO | diff --git a/charts/janssen/charts/auth-server-key-rotation/README.md b/charts/janssen/charts/auth-server-key-rotation/README.md index e27c53d4279..f7a51cbd59c 100644 --- a/charts/janssen/charts/auth-server-key-rotation/README.md +++ b/charts/janssen/charts/auth-server-key-rotation/README.md @@ -48,6 +48,3 @@ Kubernetes: `>=v1.22.0-0` | usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/janssen/charts/auth-server/README.md b/charts/janssen/charts/auth-server/README.md index 673f0d0e49e..c226c83c397 100644 --- a/charts/janssen/charts/auth-server/README.md +++ b/charts/janssen/charts/auth-server/README.md @@ -57,6 +57,3 @@ Kubernetes: `>=v1.22.0-0` | usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | volumes | list | `[]` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/janssen/charts/casa/README.md b/charts/janssen/charts/casa/README.md index e1618cb8b88..69d82d9dd70 100644 --- a/charts/janssen/charts/casa/README.md +++ b/charts/janssen/charts/casa/README.md @@ -62,6 +62,3 @@ Kubernetes: `>=v1.21.0-0` | usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/janssen/charts/cn-istio-ingress/README.md b/charts/janssen/charts/cn-istio-ingress/README.md index 12bc18d4a9c..a1c5479cc80 100644 --- a/charts/janssen/charts/cn-istio-ingress/README.md +++ b/charts/janssen/charts/cn-istio-ingress/README.md @@ -21,5 +21,3 @@ Istio Gateway Kubernetes: `>=v1.21.0-0` ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/janssen/charts/config-api/README.md b/charts/janssen/charts/config-api/README.md index ed4c36f84a0..ba93a6a67aa 100644 --- a/charts/janssen/charts/config-api/README.md +++ b/charts/janssen/charts/config-api/README.md @@ -61,6 +61,3 @@ Kubernetes: `>=v1.22.0-0` | usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/janssen/charts/config/templates/configmaps.yaml b/charts/janssen/charts/config/templates/configmaps.yaml index 85f40564793..5711c52cf99 100644 --- a/charts/janssen/charts/config/templates/configmaps.yaml +++ b/charts/janssen/charts/config/templates/configmaps.yaml @@ -205,8 +205,6 @@ data: KC_DB_URL_PORT: {{ .Values.configmap.kcDbUrlPort | quote }} KC_DB_URL_DATABASE: {{ .Values.configmap.kcDbUrlDatabase | quote }} KC_DB_URL_PROPERTIES: {{ .Values.configmap.kcDbUrlProperties | quote }} - CN_SAML_KC_DB_PASSWORD_FILE: {{ .Values.global.kcDbPasswordFile | quote }} - CN_SAML_KC_ADMIN_CREDENTIALS_FILE: {{ .Values.global.kcAdminCredentialsFile | quote }} {{- end }} CN_LOCK_ENABLED: {{ index .Values "global" "auth-server" "lockEnabled" | quote }} CN_OPA_URL: {{ .Values.configmap.cnOpaUrl | quote }} diff --git a/charts/janssen/charts/config/templates/secrets.yaml b/charts/janssen/charts/config/templates/secrets.yaml index 36bf3095851..422470b3673 100644 --- a/charts/janssen/charts/config/templates/secrets.yaml +++ b/charts/janssen/charts/config/templates/secrets.yaml @@ -34,6 +34,9 @@ stringData: "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, "optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") | quote }}, "init_keys_exp": {{ index .Values "global" "auth-server-key-rotation" "initKeysLife" }} + {{- if .Values.global.saml.enabled }} + "kc_admin_username": {{ .Values.configmap.kcAdminUsername | quote }}, + {{- end }} }, "_secret": { "admin_password": {{ .Values.adminPassword | quote }}, @@ -59,30 +62,11 @@ stringData: "aws_replica_regions": {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson | b64enc | quote }}, {{- end }} "encoded_salt": {{ .Values.salt | quote }} + {{- if .Values.global.saml.enabled }} + "kc_db_password": {{ .Values.configmap.kcDbPassword | quote }}, + "kc_admin_password": {{ .Values.configmap.kcAdminPassword | quote }} + {{- end }} } } {{- end -}} -{{- if .Values.global.saml.enabled }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Release.Name }}-kc-db-pass - labels: -{{ include "config.labels" . | indent 4 }} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels | indent 4 }} -{{- end }} -{{- if or (.Values.additionalAnnotations) (.Values.global.config.customAnnotations.secret) }} - annotations: -{{- if .Values.additionalAnnotations }} -{{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} -{{- if .Values.global.config.customAnnotations.secret }} -{{ toYaml .Values.global.config.customAnnotations.secret | indent 4 }} -{{- end }} -{{- end }} -data: - kc_db_password: {{ .Values.configmap.kcDbPassword | b64enc }} -{{- end}} diff --git a/charts/janssen/charts/fido2/README.md b/charts/janssen/charts/fido2/README.md index 8588a838156..42d52f9dd0b 100644 --- a/charts/janssen/charts/fido2/README.md +++ b/charts/janssen/charts/fido2/README.md @@ -58,6 +58,3 @@ Kubernetes: `>=v1.22.0-0` | usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/janssen/charts/kc-scheduler/README.md b/charts/janssen/charts/kc-scheduler/README.md index 6470336d7b7..8554230c8ac 100644 --- a/charts/janssen/charts/kc-scheduler/README.md +++ b/charts/janssen/charts/kc-scheduler/README.md @@ -46,6 +46,3 @@ Kubernetes: `>=v1.22.0-0` | usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/janssen/charts/link/README.md b/charts/janssen/charts/link/README.md index 6281358f240..61915f5f228 100644 --- a/charts/janssen/charts/link/README.md +++ b/charts/janssen/charts/link/README.md @@ -61,6 +61,3 @@ Kubernetes: `>=v1.22.0-0` | usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/janssen/charts/nginx-ingress/README.md b/charts/janssen/charts/nginx-ingress/README.md index 40723ec24ea..0fd8b4cc526 100644 --- a/charts/janssen/charts/nginx-ingress/README.md +++ b/charts/janssen/charts/nginx-ingress/README.md @@ -31,6 +31,3 @@ Kubernetes: `>=v1.22.0-0` | ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | | ingress.legacy | bool | `false` | Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. | | nameOverride | string | `""` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/janssen/charts/persistence/README.md b/charts/janssen/charts/persistence/README.md index 09c5ab21896..bc031f0bf3a 100644 --- a/charts/janssen/charts/persistence/README.md +++ b/charts/janssen/charts/persistence/README.md @@ -48,6 +48,3 @@ Kubernetes: `>=v1.22.0-0` | usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/janssen/charts/saml/README.md b/charts/janssen/charts/saml/README.md index 339eeaeb4f2..7a51553d434 100644 --- a/charts/janssen/charts/saml/README.md +++ b/charts/janssen/charts/saml/README.md @@ -60,6 +60,3 @@ Kubernetes: `>=v1.21.0-0` | usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/janssen/charts/saml/templates/deployment.yaml b/charts/janssen/charts/saml/templates/deployment.yaml index 3650b5b2293..156dacf519f 100644 --- a/charts/janssen/charts/saml/templates/deployment.yaml +++ b/charts/janssen/charts/saml/templates/deployment.yaml @@ -110,9 +110,6 @@ spec: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} - - name: kc-db-pass - mountPath: {{ .Values.global.kcDbPasswordFile }} - subPath: kc_db_password {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - name: {{ include "saml.fullname" .}}-updatelbip mountPath: "/scripts" diff --git a/charts/janssen/charts/scim/README.md b/charts/janssen/charts/scim/README.md index 4f4f900f099..762cb772384 100644 --- a/charts/janssen/charts/scim/README.md +++ b/charts/janssen/charts/scim/README.md @@ -57,6 +57,3 @@ Kubernetes: `>=v1.22.0-0` | usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/janssen/values.yaml b/charts/janssen/values.yaml index 288dbcc43e9..c500bb33fac 100644 --- a/charts/janssen/values.yaml +++ b/charts/janssen/values.yaml @@ -308,6 +308,10 @@ config: lbAddr: "" # -- Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. quarkusTransactionEnableRecovery: true + # -- Keycloak admin UI password + kcAdminPassword: Test1234# + # -- Keycloak admin UI username + kcAdminUsername: admin # -- Keycloak logging level kcLogLevel: INFO # -- Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. @@ -1193,10 +1197,6 @@ global: cnCouchbasePasswordFile: /etc/jans/conf/couchbase_password # -- Path to Couchbase superuser password file cnCouchbaseSuperuserPasswordFile: /etc/jans/conf/couchbase_superuser_password - # -- Path to file contains password for database access - kcDbPasswordFile: /etc/jans/conf/kc_db_password - # -- Path to file contains Keycloak admin credentials (username and password) - kcAdminCredentialsFile: /etc/jans/conf/kc_admin_creds kc-scheduler: # -- Boolean flag to enable/disable the kc-scheduler cronjob chart. enabled: false diff --git a/docs/janssen-server/reference/kubernetes/helm-chart.md b/docs/janssen-server/reference/kubernetes/helm-chart.md index 85257b1ebad..b21cf4ac887 100644 --- a/docs/janssen-server/reference/kubernetes/helm-chart.md +++ b/docs/janssen-server/reference/kubernetes/helm-chart.md @@ -267,7 +267,7 @@ Kubernetes: `>=v1.22.0-0` | fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| global | object | `{"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"authServerAdditionalAnnotations":{},"authServerEnabled":true,"authServerLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeEnabled":true,"deviceCodeLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingEnabled":true,"firebaseMessagingLabels":{},"lockAdditionalAnnotations":{},"lockConfigAdditionalAnnotations":{},"lockConfigEnabled":false,"lockConfigLabels":{},"lockEnabled":false,"lockLabels":{},"openidAdditionalAnnotations":{},"openidConfigEnabled":true,"openidConfigLabels":{},"u2fAdditionalAnnotations":{},"u2fConfigEnabled":true,"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigEnabled":true,"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryEnabled":true,"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerEnabled":true,"webfingerLabels":{}},"lockEnabled":false},"auth-server-key-rotation":{"customAnnotations":{"cronjob":{},"secret":{},"service":{}},"enabled":true,"initKeysLife":48},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"casaAdditionalAnnotations":{},"casaEnabled":false,"casaLabels":{}}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnConfiguratorConfigurationFile":"/etc/jans/conf/configuration.json","cnConfiguratorCustomSchema":{"secretName":""},"cnConfiguratorDumpFile":"/etc/jans/conf/configuration.out.json","cnCouchbasePasswordFile":"/etc/jans/conf/couchbase_password","cnCouchbaseSuperuserPasswordFile":"/etc/jans/conf/couchbase_superuser_password","cnDocumentStoreType":"DB","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnPersistenceType":"sql","cnPrometheusPort":"","cnSqlPasswordFile":"/etc/jans/conf/sql_password","config":{"customAnnotations":{"clusterRoleBinding":{},"configMap":{},"job":{},"role":{},"roleBinding":{},"secret":{},"service":{},"serviceAccount":{}},"enabled":true},"config-api":{"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","configApiServerServiceName":"config-api","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"podDisruptionBudget":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"configApiAdditionalAnnotations":{},"configApiEnabled":true,"configApiLabels":{}},"plugins":"fido2,scim,user-mgt"},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2AdditionalAnnotations":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigEnabled":false,"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{}}},"fqdn":"demoexample.jans.io","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"kc-scheduler":{"enabled":false},"kcAdminCredentialsFile":"/etc/jans/conf/kc_admin_creds","kcDbPasswordFile":"/etc/jans/conf/kc_db_password","lbIp":"22.22.22.22","link":{"appLoggers":{"enableStdoutLogPrefix":"true","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"podDisruptionBudget":{},"service":{},"virtualService":{}},"enabled":false,"ingress":{"linkEnabled":true},"linkServiceName":"link"},"nginx-ingress":{"enabled":true},"persistence":{"customAnnotations":{"job":{},"secret":{},"service":{}},"enabled":true},"saml":{"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":false,"ingress":{"samlAdditionalAnnotations":{},"samlEnabled":false,"samlLabels":{}},"samlServiceName":"saml"},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigEnabled":false,"scimConfigLabels":{},"scimEnabled":false,"scimLabels":{}},"scimServiceName":"scim"},"serviceAccountName":"default","storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global | object | `{"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"authServerAdditionalAnnotations":{},"authServerEnabled":true,"authServerLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeEnabled":true,"deviceCodeLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingEnabled":true,"firebaseMessagingLabels":{},"lockAdditionalAnnotations":{},"lockConfigAdditionalAnnotations":{},"lockConfigEnabled":false,"lockConfigLabels":{},"lockEnabled":false,"lockLabels":{},"openidAdditionalAnnotations":{},"openidConfigEnabled":true,"openidConfigLabels":{},"u2fAdditionalAnnotations":{},"u2fConfigEnabled":true,"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigEnabled":true,"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryEnabled":true,"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerEnabled":true,"webfingerLabels":{}},"lockEnabled":false},"auth-server-key-rotation":{"customAnnotations":{"cronjob":{},"secret":{},"service":{}},"enabled":true,"initKeysLife":48},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"casaAdditionalAnnotations":{},"casaEnabled":false,"casaLabels":{}}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnConfiguratorConfigurationFile":"/etc/jans/conf/configuration.json","cnConfiguratorCustomSchema":{"secretName":""},"cnConfiguratorDumpFile":"/etc/jans/conf/configuration.out.json","cnCouchbasePasswordFile":"/etc/jans/conf/couchbase_password","cnCouchbaseSuperuserPasswordFile":"/etc/jans/conf/couchbase_superuser_password","cnDocumentStoreType":"DB","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnPersistenceType":"sql","cnPrometheusPort":"","cnSqlPasswordFile":"/etc/jans/conf/sql_password","config":{"customAnnotations":{"clusterRoleBinding":{},"configMap":{},"job":{},"role":{},"roleBinding":{},"secret":{},"service":{},"serviceAccount":{}},"enabled":true},"config-api":{"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","configApiServerServiceName":"config-api","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"podDisruptionBudget":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"configApiAdditionalAnnotations":{},"configApiEnabled":true,"configApiLabels":{}},"plugins":"fido2,scim,user-mgt"},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2AdditionalAnnotations":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigEnabled":false,"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{}}},"fqdn":"demoexample.jans.io","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"kc-scheduler":{"enabled":false},"lbIp":"22.22.22.22","link":{"appLoggers":{"enableStdoutLogPrefix":"true","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"podDisruptionBudget":{},"service":{},"virtualService":{}},"enabled":false,"ingress":{"linkEnabled":true},"linkServiceName":"link"},"nginx-ingress":{"enabled":true},"persistence":{"customAnnotations":{"job":{},"secret":{},"service":{}},"enabled":true},"saml":{"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":false,"ingress":{"samlAdditionalAnnotations":{},"samlEnabled":false,"samlLabels":{}},"samlServiceName":"saml"},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigEnabled":false,"scimConfigLabels":{},"scimEnabled":false,"scimLabels":{}},"scimServiceName":"scim"},"serviceAccountName":"default","storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | | global.alb.ingress | bool | `false` | Activates ALB ingress | | global.auth-server-key-rotation.enabled | bool | `true` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | | global.auth-server-key-rotation.initKeysLife | int | `48` | The initial auth server key rotation keys life in hours | @@ -401,7 +401,6 @@ Kubernetes: `>=v1.22.0-0` | global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. | | global.jobTtlSecondsAfterFinished | int | `300` | https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | global.kc-scheduler.enabled | bool | `false` | Boolean flag to enable/disable the kc-scheduler cronjob chart. | -| global.kcAdminCredentialsFile | string | `"/etc/jans/conf/kc_admin_creds"` | Path to file contains Keycloak admin credentials (username and password) | | global.kcDbPasswordFile | string | `"/etc/jans/conf/kc_db_password"` | Path to file contains password for database access | | global.lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. | | global.link.appLoggers | object | `{"enableStdoutLogPrefix":"true","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | From 1cc91c042f0d89273a03d7e528ed954a224e98ae Mon Sep 17 00:00:00 2001 From: moabu <47318409+moabu@users.noreply.github.com> Date: Mon, 11 Nov 2024 15:55:53 +0300 Subject: [PATCH 2/4] fix: possible error in helm installation with kc --- charts/janssen-all-in-one/templates/secret.yaml | 6 +++--- charts/janssen/charts/config/templates/secrets.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/janssen-all-in-one/templates/secret.yaml b/charts/janssen-all-in-one/templates/secret.yaml index 501844fb11e..a05588d3b8e 100644 --- a/charts/janssen-all-in-one/templates/secret.yaml +++ b/charts/janssen-all-in-one/templates/secret.yaml @@ -33,10 +33,10 @@ stringData: "auth_sig_keys": {{ index .Values "auth-server" "authSigKeys" | quote }}, "auth_enc_keys": {{ index .Values "auth-server" "authEncKeys" | quote }}, "optional_scopes": {{ list (include "janssen-all-in-one.optionalScopes" . | fromJsonArray | join ",") | quote }}, - "init_keys_exp": {{ index .Values "auth-server-key-rotation" "initKeysLife" }} {{- if .Values.saml.enabled }} "kc_admin_username": {{ .Values.configmap.kcAdminUsername | quote }}, {{- end }} + "init_keys_exp": {{ index .Values "auth-server-key-rotation" "initKeysLife" }} }, "_secret": { "admin_password": {{ .Values.adminPassword | quote }}, @@ -61,11 +61,11 @@ stringData: "aws_config": {{ include "janssen-all-in-one.aws-config" . | b64enc | quote }}, "aws_replica_regions": {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson | b64enc | quote }}, {{- end }} - "encoded_salt": {{ .Values.salt | quote }} {{- if .Values.saml.enabled }} "kc_db_password": {{ .Values.configmap.kcDbPassword | quote }}, - "kc_admin_password": {{ .Values.configmap.kcAdminPassword | quote }} + "kc_admin_password": {{ .Values.configmap.kcAdminPassword | quote }}, {{- end }} + "encoded_salt": {{ .Values.salt | quote }} } } {{- end }} diff --git a/charts/janssen/charts/config/templates/secrets.yaml b/charts/janssen/charts/config/templates/secrets.yaml index 422470b3673..5eaeebdc072 100644 --- a/charts/janssen/charts/config/templates/secrets.yaml +++ b/charts/janssen/charts/config/templates/secrets.yaml @@ -33,10 +33,10 @@ stringData: "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }}, "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, "optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") | quote }}, - "init_keys_exp": {{ index .Values "global" "auth-server-key-rotation" "initKeysLife" }} {{- if .Values.global.saml.enabled }} "kc_admin_username": {{ .Values.configmap.kcAdminUsername | quote }}, {{- end }} + "init_keys_exp": {{ index .Values "global" "auth-server-key-rotation" "initKeysLife" }} }, "_secret": { "admin_password": {{ .Values.adminPassword | quote }}, @@ -61,11 +61,11 @@ stringData: "aws_config": {{ include "config.aws-config" . | b64enc | quote }}, "aws_replica_regions": {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson | b64enc | quote }}, {{- end }} - "encoded_salt": {{ .Values.salt | quote }} {{- if .Values.global.saml.enabled }} "kc_db_password": {{ .Values.configmap.kcDbPassword | quote }}, - "kc_admin_password": {{ .Values.configmap.kcAdminPassword | quote }} + "kc_admin_password": {{ .Values.configmap.kcAdminPassword | quote }}, {{- end }} + "encoded_salt": {{ .Values.salt | quote }} } } {{- end -}} From 54109e08a7ae257a442ebf0b4f81e9dc301a51f0 Mon Sep 17 00:00:00 2001 From: iromli Date: Tue, 12 Nov 2024 00:45:46 +0700 Subject: [PATCH 3/4] chore(charts): remove unused kc-db-pass volume Signed-off-by: iromli --- charts/janssen-all-in-one/templates/deployment.yml | 10 ++-------- charts/janssen/charts/saml/templates/deployment.yaml | 3 --- 2 files changed, 2 insertions(+), 11 deletions(-) diff --git a/charts/janssen-all-in-one/templates/deployment.yml b/charts/janssen-all-in-one/templates/deployment.yml index 2efb1351622..4faf8da75dc 100644 --- a/charts/janssen-all-in-one/templates/deployment.yml +++ b/charts/janssen-all-in-one/templates/deployment.yml @@ -35,7 +35,7 @@ spec: sidecar.istio.io/rewriteAppHTTPProbers: "true" {{- end }} {{- if .Values.customAnnotations.pod }} - {{ toYaml .Values.customAnnotations.pod | indent 4 }} + {{ toYaml .Values.customAnnotations.pod | indent 4 }} {{- end }} {{- end }} spec: @@ -76,7 +76,7 @@ spec: {{- end }} python3 /scripts/tls_generator.py & /app/bin/entrypoint.sh - {{- end}} + {{- end}} {{- end}} ports: - name: {{ .Values.service.name }} @@ -144,9 +144,3 @@ spec: configMap: name: {{ .Release.Name }}-updatelbip {{- end }} - - {{- if .Values.saml.enabled }} - - name: kc-db-pass - secret: - secretName: {{ .Release.Name }}-kc-db-pass - {{- end }} diff --git a/charts/janssen/charts/saml/templates/deployment.yaml b/charts/janssen/charts/saml/templates/deployment.yaml index 156dacf519f..834d523a6e5 100644 --- a/charts/janssen/charts/saml/templates/deployment.yaml +++ b/charts/janssen/charts/saml/templates/deployment.yaml @@ -131,9 +131,6 @@ spec: {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} - - name: kc-db-pass - secret: - secretName: {{ .Release.Name }}-kc-db-pass {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - name: {{ include "saml.fullname" . }}-updatelbip configMap: From 9869ecc092cefc572c2b7276889be9dd87110bee Mon Sep 17 00:00:00 2001 From: iromli Date: Tue, 12 Nov 2024 00:46:28 +0700 Subject: [PATCH 4/4] chore(docker-jans-saml): read kc db password from secrets Signed-off-by: iromli --- docker-jans-saml/scripts/bootstrap.py | 3 +-- docker-jans-saml/scripts/configure_kc.py | 11 +++++------ docker-jans-saml/scripts/utils.py | 17 ----------------- 3 files changed, 6 insertions(+), 25 deletions(-) delete mode 100644 docker-jans-saml/scripts/utils.py diff --git a/docker-jans-saml/scripts/bootstrap.py b/docker-jans-saml/scripts/bootstrap.py index 3d196539388..6871e1817db 100644 --- a/docker-jans-saml/scripts/bootstrap.py +++ b/docker-jans-saml/scripts/bootstrap.py @@ -38,7 +38,6 @@ from jans.pycloudlib.utils import exec_cmd from settings import LOGGING_CONFIG -from utils import get_kc_db_password if _t.TYPE_CHECKING: # pragma: no cover # imported objects for function type hint, completion, etc. @@ -60,7 +59,7 @@ def render_keycloak_conf(): ctx = { "hostname": hostname, "kc_hostname": hostname, - "kc_db_password": get_kc_db_password(), + "kc_db_password": os.environ.get("KC_DB_PASSWORD") or manager.secret.get("kc_db_password"), "idp_config_http_port": os.environ.get("CN_SAML_HTTP_PORT", "8083"), "idp_config_http_host": os.environ.get("CN_SAML_HTTP_HOST", "0.0.0.0"), # nosec: B104 "idp_config_data_dir": "/opt/keycloak", diff --git a/docker-jans-saml/scripts/configure_kc.py b/docker-jans-saml/scripts/configure_kc.py index 3c78d8c2c09..143e5872ca5 100644 --- a/docker-jans-saml/scripts/configure_kc.py +++ b/docker-jans-saml/scripts/configure_kc.py @@ -19,7 +19,6 @@ from healthcheck import run_healthcheck from settings import LOGGING_CONFIG -from utils import get_kc_db_password logging.config.dictConfig(LOGGING_CONFIG) logger = logging.getLogger("jans-saml") @@ -257,12 +256,12 @@ def _create_execution(config_fn, flow, authenticator): if code != 0: logger.warning(f"Unable to create execution config specified in {config_fn}; reason={err.decode()}") - def grant_xa_transaction_privilege(self): + def grant_xa_transaction_privilege(self, manager): recovery_enabled = as_boolean(os.environ.get("QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY", "false")) db_vendor = os.environ.get("KC_DB", "mysql") if recovery_enabled and db_vendor == "mysql": - mysql_kc = MysqlKeycloak() + mysql_kc = MysqlKeycloak(manager) if not mysql_kc.check_xa_recover_admin(): mysql_kc.grant_xa_recover_admin() @@ -346,12 +345,12 @@ def disable_first_login_update_profile(self): class MysqlKeycloak: - def __init__(self): + def __init__(self, manager): host = os.environ.get("KC_DB_URL_HOST", "localhost") port = os.environ.get("KC_DB_URL_PORT", "3306") database = os.environ.get("KC_DB_URL_DATABASE", "keycloak") self.user = os.environ.get("KC_DB_USERNAME", "keycloak") - password = get_kc_db_password() + password = os.environ.get("KC_DB_PASSWORD") or manager.secret.get("kc_db_password") self.engine = create_engine( f"mysql+pymysql://{self.user}:{password}@{host}:{port}/{database}", @@ -464,7 +463,7 @@ def main(): kc.disable_first_login_update_profile() # grant privilege (if required) - kc.grant_xa_transaction_privilege() + kc.grant_xa_transaction_privilege(manager) if __name__ == "__main__": diff --git a/docker-jans-saml/scripts/utils.py b/docker-jans-saml/scripts/utils.py deleted file mode 100644 index d8329e9f87f..00000000000 --- a/docker-jans-saml/scripts/utils.py +++ /dev/null @@ -1,17 +0,0 @@ -import os - - -def get_kc_db_password(): - db_password = os.environ.get("KC_DB_PASSWORD", "") - - if not db_password: - passwd_file = os.environ.get("CN_SAML_KC_DB_PASSWORD_FILE", "/etc/jans/conf/kc_db_password") - - try: - with open(passwd_file) as f: - db_password = f.read().strip() - except FileNotFoundError as exc: - raise ValueError(f"Unable to get password from {passwd_file}; reason={exc}") - - # resolved password - return db_password