diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml
index a41db2617..a8e5a20b3 100644
--- a/src/keycloak/chart/templates/secret-kc-realm.yaml
+++ b/src/keycloak/chart/templates/secret-kc-realm.yaml
@@ -5,7 +5,7 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: {{ include "keycloak.fullname" . }}-realm-env
- namespace: {{ .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{- include "keycloak.labels" . | nindent 4 }}
 type: Opaque
@@ -16,4 +16,13 @@ data:
 {{- else }}
 REALM_{{ $key }}: {{ $value | b64enc }}
 {{- end }}
- {{- end }}
\ No newline at end of file
+ {{- end }}
+
+ SOCIAL_LOGIN_ENABLED: {{ .Values.realmAuthFlows.SOCIAL_AUTH_ENABLED | toString | b64enc }}
+ X509_LOGIN_ENABLED: {{ .Values.realmAuthFlows.X509_AUTH_ENABLED | toString | b64enc }}
+ USERNAME_PASSWORD_AUTH_ENABLED: {{ .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }}
+ REGISTER_BUTTON_ENABLED: {{ or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED | toString | b64enc }}
+ DENY_USERNAME_PASSWORD_ENABLED: {{ ternary "DISABLED" "REQUIRED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
+ RESET_CREDENTIAL_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
+ REGISTRATION_FORM_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED) | b64enc }}
+ OTP_ENABLED: {{ (and .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | toString | b64enc }}
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
index 6f3a9e570..1e18ee733 100644
--- a/src/keycloak/chart/templates/statefulset.yaml
+++ b/src/keycloak/chart/templates/statefulset.yaml
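Review bot: Nothing in the new `SOCIAL_LOGIN_ENABLED` … `OTP_ENABLED` block rejects a values file that turns USERNAME_PASSWORD, X509 and SOCIAL off together, which renders a realm with no working login path while `REGISTRATION_FORM_ENABLED` and `RESET_CREDENTIAL_FLOW_ENABLED` both come out as DISABLED. A guard ahead of the block would surface that at `helm template` time rather than after rollout, e.g. `{{- if not (or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED .Values.realmAuthFlows.SOCIAL_AUTH_ENABLED) }}{{ fail "realmAuthFlows: at least one authentication flow must be enabled" }}{{- end }}`. Separately, `toString` on an unset flag (an override of `realmAuthFlows.OTP_ENABLED: null`, say) appears to yield the literal string `<nil>` rather than `false`, so consider `| default false | toString` on the four boolean lines unless the schema forbids null. A short comment that `OTP_ENABLED` is deliberately forced to false whenever username/password auth is off would also help, since that `and` is easy to miss. The `{{- range }}` this hunk closes starts outside the hunk.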
@@ -28,7 +28,8 @@ spec:
 {{- end }}
 {{- if not .Values.devMode }}
 annotations:
- postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }}
+ postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }}
+ kc-realm-hash: {{ include (print $.Template.BasePath "/secret-kc-realm.yaml") . | sha256sum }}
 {{- end }}
 spec:
 securityContext:
@@ -52,13 +53,16 @@ spec:
 mountPath: /opt/keycloak/themes
 - name: conf
 mountPath: /opt/keycloak/conf
+ envFrom:
+ - secretRef:
+ name: {{ include "keycloak.fullname" . }}-realm-env
 containers:
 - name: keycloak
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
- command:
+ command:
 - "/opt/keycloak/bin/kc.sh"
 args:
 {{- if .Values.devMode }}
@@ -128,14 +132,13 @@ spec: - name: KC_CACHE_STACK value: kubernetes - name: KC_SPI_STICKY_SESSION_ENCODER_INFINISPAN_SHOULD_ATTACH_ROUTE - value: "false" + value: "false" # java opts for jgroups required for infinispan distributed cache when using the kubernetes stack. # https://www.keycloak.org/server/caching - name: JAVA_OPTS_APPEND value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless.keycloak.svc.cluster.local - # Postgres database configuration - - name: KC_DB + - name: KC_DB value: postgres - name: KC_DB_URL_HOST valueFrom:
diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json
index f05bdc3a8..9348c158d 100644
--- a/src/keycloak/chart/values.schema.json
+++ b/src/keycloak/chart/values.schema.json
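Review bot: The new `kc-realm-hash` annotation inherits the `{{- if not .Values.devMode }}` guard at the top of the hunk, so with devMode on a change to `realmAuthFlows` re-renders the Secret but does not roll the StatefulSet, and the container that receives the Secret via `envFrom` in the next hunk (presumably an init container; its header is outside the hunk) keeps the previous flags until something else restarts it. That mirrors the existing postgres-hash behaviour, so if it is intentional a one-line comment such as `# secret hashes are skipped in devMode: realm/auth-flow changes need a manual restart there` would save the next reader the question.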
@@ -292,6 +292,23 @@
 }
 }
 },
+ "realmAuthFlows": {
+ "type": "object",
+ "properties": {
+ "USERNAME_PASSWORD_AUTH_ENABLED": {
+ "type": "boolean"
+ },
+ "X509_AUTH_ENABLED": {
+ "type": "boolean"
+ },
+ "SOCIAL_AUTH_ENABLED": {
+ "type": "boolean"
+ },
+ "OTP_ENABLED": {
+ "type": "boolean"
+ }
+ }
+ },
 "resources": {
 "type": "object",
 "properties": {
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
index 7f61f9012..c4486d9a1 100644
--- a/src/keycloak/chart/values.yaml
+++ b/src/keycloak/chart/values.yaml
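Review bot: The new `realmAuthFlows` object types the four flags but neither lists them under `required` nor sets `additionalProperties` to false, so a misspelled override (say `X509_AUTH_ENABLE: false`) passes schema validation and the chart silently keeps the `true` default from values.yaml — a fail-open for anyone trying to switch a login path off. Adding `"additionalProperties": false` and `"required": ["USERNAME_PASSWORD_AUTH_ENABLED", "X509_AUTH_ENABLED", "SOCIAL_AUTH_ENABLED", "OTP_ENABLED"]` next to `"type": "object"` turns the typo into a validation error instead. Whether the surrounding schema already rejects null for these keys is not visible in this hunk.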
@@ -27,17 +27,24 @@ realm: uds # UDS Identity Config Realm Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values realmInitEnv: GOOGLE_IDP_ENABLED: false -# GOOGLE_IDP_ID: "" -# GOOGLE_IDP_SIGNING_CERT: "" -# GOOGLE_IDP_NAME_ID_FORMAT: "" -# GOOGLE_IDP_CORE_ENTITY_ID: "" -# GOOGLE_IDP_ADMIN_GROUP: "" -# GOOGLE_IDP_AUDITOR_GROUP: "" -# PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)" -# EMAIL_VERIFICATION_ENABLED: true -# OTP_ENABLED: true -# TERMS_AND_CONDITIONS_ENABLED: true -# REALM_X509_OCSP_FAIL_OPEN: true + # GOOGLE_IDP_ID: "" + # GOOGLE_IDP_SIGNING_CERT: "" + # GOOGLE_IDP_NAME_ID_FORMAT: "" + # GOOGLE_IDP_CORE_ENTITY_ID: "" + # GOOGLE_IDP_ADMIN_GROUP: "" + # GOOGLE_IDP_AUDITOR_GROUP: "" + # PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)" + # EMAIL_VERIFICATION_ENABLED: true + # TERMS_AND_CONDITIONS_ENABLED: true + # X509_OCSP_FAIL_OPEN: true + # DISABLE_REGISTRATION_FIELDS: false + +# UDS Identity Config Authentication Flows Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values +realmAuthFlows: + USERNAME_PASSWORD_AUTH_ENABLED: true + X509_AUTH_ENABLED: true + SOCIAL_AUTH_ENABLED: true + OTP_ENABLED: true # Generates an initial password for first admin user - only use if install is headless # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login
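Review bot: The new `realmAuthFlows` block ships with every flow enabled and its comment only points at the generic templated-realm-values doc, leaving the cross-flag behaviour undocumented: turning `USERNAME_PASSWORD_AUTH_ENABLED` off also disables OTP and the reset-credential flow, and registration stays on only while username/password or X509 is on. A comment above the block, e.g. `# USERNAME_PASSWORD_AUTH_ENABLED=false also disables OTP and password reset; keep at least one of USERNAME_PASSWORD/X509/SOCIAL true or the realm has no login path`, would make those dependencies explicit. Moving `OTP_ENABLED` from the commented-out `realmInitEnv` list to an active `true` default appears to change the shipped default for OTP; if that is intended it deserves a mention in the changelog.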