fix: move auth toggles to new realm key

defenseunicorns · Dec 13, 2024 · 6a0cdca · 6a0cdca
1 parent 7f88c47
commit 6a0cdca
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 12 deletions.
diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml
@@ -18,11 +18,11 @@ data:
   {{- end }}
   {{- end }}
 
-  SOCIAL_LOGIN_ENABLED: {{ .Values.realmInitEnv.SOCIAL_AUTH_ENABLED | toString | b64enc }}
-  X509_LOGIN_ENABLED: {{ .Values.realmInitEnv.X509_AUTH_ENABLED | toString | b64enc }}
-  USERNAME_PASSWORD_AUTH_ENABLED: {{ .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }}
-  REGISTER_BUTTON_ENABLED: {{ or .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmInitEnv.X509_AUTH_ENABLED | toString | b64enc }}
-  DENY_USERNAME_PASSWORD_ENABLED: {{ ternary "DISABLED" "REQUIRED" (.Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
-  RESET_CREDENTIAL_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
-  REGISTRATION_FORM_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmInitEnv.X509_AUTH_ENABLED) | b64enc }}
-  OTP_ENABLED: {{ .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }}
+  SOCIAL_LOGIN_ENABLED: {{ .Values.realmAuthFlows.SOCIAL_AUTH_ENABLED | toString | b64enc }}
+  X509_LOGIN_ENABLED: {{ .Values.realmAuthFlows.X509_AUTH_ENABLED | toString | b64enc }}
+  USERNAME_PASSWORD_AUTH_ENABLED: {{ .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }}
+  REGISTER_BUTTON_ENABLED: {{ or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED | toString | b64enc }}
+  DENY_USERNAME_PASSWORD_ENABLED: {{ ternary "DISABLED" "REQUIRED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
+  RESET_CREDENTIAL_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
+  REGISTRATION_FORM_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED) | b64enc }}
+  OTP_ENABLED: {{ (and .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | toString | b64enc }}
diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json
@@ -292,6 +292,23 @@
         }
       }
     },
+    "realmAuthFlows": {
+      "type": "object",
+      "properties": {
+        "USERNAME_PASSWORD_AUTH_ENABLED": {
+          "type": "boolean"
+        },
+        "X509_AUTH_ENABLED": {
+          "type": "boolean"
+        },
+        "SOCIAL_AUTH_ENABLED": {
+          "type": "boolean"
+        },
+        "OTP_ENABLED": {
+          "type": "boolean"
+        }
+      }
+    },
     "resources": {
       "type": "object",
       "properties": {

diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
@@ -27,9 +27,6 @@ realm: uds
 # UDS Identity Config Realm Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values
 realmInitEnv:
   GOOGLE_IDP_ENABLED: false
-  USERNAME_PASSWORD_AUTH_ENABLED: true
-  X509_AUTH_ENABLED: true
-  SOCIAL_AUTH_ENABLED: true
   # GOOGLE_IDP_ID: ""
   # GOOGLE_IDP_SIGNING_CERT: ""
   # GOOGLE_IDP_NAME_ID_FORMAT: ""
@@ -38,11 +35,17 @@ realmInitEnv:
   # GOOGLE_IDP_AUDITOR_GROUP: ""
   # PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)"
   # EMAIL_VERIFICATION_ENABLED: true
-  # OTP_ENABLED: true
   # TERMS_AND_CONDITIONS_ENABLED: true
   # X509_OCSP_FAIL_OPEN: true
   # DISABLE_REGISTRATION_FIELDS: false
 
+# UDS Identity Config Authentication Flows Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values
+realmAuthFlows:
+  USERNAME_PASSWORD_AUTH_ENABLED: false
+  X509_AUTH_ENABLED: true
+  SOCIAL_AUTH_ENABLED: true
+  OTP_ENABLED: false
+
 # Generates an initial password for first admin user - only use if install is headless
 # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login
 insecureAdminPasswordGeneration: