From f1b3cb850ebc4a10b47afc0bf0100909ff02d699 Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Mon, 9 Dec 2024 11:41:11 -0700
Subject: [PATCH 1/6] fix: identity config things
---
 src/keycloak/chart/templates/statefulset.yaml | 12 ++++---
 src/keycloak/chart/values.yaml | 31 ++++++++++++-------
 2 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
index 6f3a9e570..f63b6f53c 100644
--- a/src/keycloak/chart/templates/statefulset.yaml
+++ b/src/keycloak/chart/templates/statefulset.yaml
@@ -28,7 +28,7 @@ spec: {{- end }} {{- if not .Values.devMode }} annotations: - postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }} + postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }} {{- end }} spec: securityContext:
@@ -52,13 +52,16 @@ spec: mountPath: /opt/keycloak/themes - name: conf mountPath: /opt/keycloak/conf + envFrom: + - secretRef: + name: {{ include "keycloak.fullname" . }}-realm-env containers: - name: keycloak image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - command: + command: - "/opt/keycloak/bin/kc.sh" args: {{- if .Values.devMode }}
@@ -128,14 +131,13 @@ spec: - name: KC_CACHE_STACK value: kubernetes - name: KC_SPI_STICKY_SESSION_ENCODER_INFINISPAN_SHOULD_ATTACH_ROUTE - value: "false" + value: "false" # java opts for jgroups required for infinispan distributed cache when using the kubernetes stack. # https://www.keycloak.org/server/caching - name: JAVA_OPTS_APPEND value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless.keycloak.svc.cluster.local - # Postgres database configuration - - name: KC_DB + - name: KC_DB value: postgres - name: KC_DB_URL_HOST valueFrom: 
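Review bot: The new `envFrom` block in the second hunk imports every key of the `-realm-env` Secret into this container's environment, and the hunk does not show whether the same container also lists entries under `env:`; Kubernetes resolves a name present in both in favour of `env:`, so a realm toggle that is also set there would be silently overridden. The container definition starts above the hunk, so this should be checked against the full init-container spec rather than the hunk alone. A one-line comment above the block, `# every key of the realm-env Secret becomes an env var here; explicit env: entries win on name clashes`, would make that contract visible to the next editor.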
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
index 7f61f9012..dd9334787 100644
--- a/src/keycloak/chart/values.yaml
+++ b/src/keycloak/chart/values.yaml
@@ -27,17 +27,26 @@ realm: uds # UDS Identity Config Realm Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values realmInitEnv: GOOGLE_IDP_ENABLED: false -# GOOGLE_IDP_ID: "" -# GOOGLE_IDP_SIGNING_CERT: "" -# GOOGLE_IDP_NAME_ID_FORMAT: "" -# GOOGLE_IDP_CORE_ENTITY_ID: "" -# GOOGLE_IDP_ADMIN_GROUP: "" -# GOOGLE_IDP_AUDITOR_GROUP: "" -# PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)" -# EMAIL_VERIFICATION_ENABLED: true -# OTP_ENABLED: true -# TERMS_AND_CONDITIONS_ENABLED: true -# REALM_X509_OCSP_FAIL_OPEN: true + # GOOGLE_IDP_ID: "" + # GOOGLE_IDP_SIGNING_CERT: "" + # GOOGLE_IDP_NAME_ID_FORMAT: "" + # GOOGLE_IDP_CORE_ENTITY_ID: "" + # GOOGLE_IDP_ADMIN_GROUP: "" + # GOOGLE_IDP_AUDITOR_GROUP: "" + # PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)" + # EMAIL_VERIFICATION_ENABLED: true + # OTP_ENABLED: true + # TERMS_AND_CONDITIONS_ENABLED: true + # X509_OCSP_FAIL_OPEN: true + # ENABLE_SOCIAL_LOGIN: false + # ENABLE_X509_LOGIN: false + # ENABLE_USERNAME_PASSWORD_AUTH: false + # ENABLE_REGISTER_BUTTON: false + # ENABLE_REGISTRATION_FIELDS: false + # deny_username_password: "DISABLED" + # reset_credential_flow: "REQUIRED" + # registration_form: "REQUIRED" + # otp_enabled: true # Generates an initial password for first admin user - only use if install is headless # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login 
From 21e2d2dad6756338d7bb1c9738891d8613a093d9 Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Thu, 12 Dec 2024 08:41:52 -0700
Subject: [PATCH 2/6] fix: update values and secret logic map
---
 src/keycloak/chart/templates/secret-kc-realm.yaml | 13 +++++++++++--
 src/keycloak/chart/values.yaml | 13 ++++--------
 2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml
index a41db2617..ead69ed1d 100644
--- a/src/keycloak/chart/templates/secret-kc-realm.yaml
+++ b/src/keycloak/chart/templates/secret-kc-realm.yaml
@@ -5,7 +5,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "keycloak.fullname" . }}-realm-env - namespace: {{ .Release.Namespace }} + namespace: {{ .Release.Namespace }} labels: {{- include "keycloak.labels" . | nindent 4 }} type: Opaque
@@ -16,4 +16,13 @@ data: {{- else }} REALM_{{ $key }}: {{ $value | b64enc }} {{- end }} - {{- end }} \ No newline at end of file + {{- end }} + + ENABLE_SOCIAL_LOGIN: {{ .Values.realmInitEnv.SOCIAL_AUTH_ENABLED | toString | b64enc }} + ENABLE_X509_LOGIN: {{ .Values.realmInitEnv.X509_AUTH_ENABLED | toString | b64enc }} + ENABLE_USERNAME_PASSWORD_AUTH: {{ .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }} + ENABLE_REGISTER_BUTTON: {{ or .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmInitEnv.X509_AUTH_ENABLED | toString | b64enc }} + ENABLE_DENY_USERNAME_PASSWORD: {{ ternary "DISABLED" "REQUIRED" (.Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }} + ENABLE_RESET_CREDENTIAL_FLOW: {{ ternary "REQUIRED" "DISABLED" (.Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }} + ENABLE_REGISTRATION_FORM: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmInitEnv.X509_AUTH_ENABLED) | b64enc }} + ENABLE_REALM_OTP: {{ .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }} 
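Review bot: Each `toString` line in the second hunk renders an unset or nulled toggle as the literal string `<nil>` rather than `false` (as far as I can tell sprig's `toString` formats a nil value with `%v`), so a user who drops one of the `*_AUTH_ENABLED` keys from values gets an env value the consumer will recognise as neither boolean, while the three `ternary` lines pass the same value as a typed bool argument and, I believe, abort the render on nil, which at least fails loudly. Guard each lookup with `default false`, e.g. `ENABLE_SOCIAL_LOGIN: {{ .Values.realmInitEnv.SOCIAL_AUTH_ENABLED | default false | toString | b64enc }}`; do not use `default true`, because sprig's `default` treats an explicit `false` as empty and would silently re-enable the flow. The same pattern is carried into the renamed keys in PATCH 3/6 and the `realmAuthFlows` lookups in PATCH 5/6. The `range` over realmInitEnv whose `else` branch opens this hunk starts outside it.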
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
index dd9334787..76b753b06 100644
--- a/src/keycloak/chart/values.yaml
+++ b/src/keycloak/chart/values.yaml
@@ -27,6 +27,9 @@ realm: uds # UDS Identity Config Realm Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values realmInitEnv: GOOGLE_IDP_ENABLED: false + USERNAME_PASSWORD_AUTH_ENABLED: true + X509_AUTH_ENABLED: true + SOCIAL_AUTH_ENABLED: true # GOOGLE_IDP_ID: "" # GOOGLE_IDP_SIGNING_CERT: "" # GOOGLE_IDP_NAME_ID_FORMAT: ""
@@ -38,15 +41,7 @@ realmInitEnv: # OTP_ENABLED: true # TERMS_AND_CONDITIONS_ENABLED: true # X509_OCSP_FAIL_OPEN: true - # ENABLE_SOCIAL_LOGIN: false - # ENABLE_X509_LOGIN: false - # ENABLE_USERNAME_PASSWORD_AUTH: false - # ENABLE_REGISTER_BUTTON: false - # ENABLE_REGISTRATION_FIELDS: false - # deny_username_password: "DISABLED" - # reset_credential_flow: "REQUIRED" - # registration_form: "REQUIRED" - # otp_enabled: true + # DISABLE_REGISTRATION_FIELDS: false # Generates an initial password for first admin user - only use if install is headless # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login
From 728b4be02616b95e1f436886e39660b6777b1ec2 Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Thu, 12 Dec 2024 14:57:14 -0700
Subject: [PATCH 3/6] fix: update value names to fix breaking change
---
 .../chart/templates/secret-kc-realm.yaml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml
index ead69ed1d..e02117658 100644
--- a/src/keycloak/chart/templates/secret-kc-realm.yaml
+++ b/src/keycloak/chart/templates/secret-kc-realm.yaml 
@@ -18,11 +18,11 @@ data: {{- end }} {{- end }} - ENABLE_SOCIAL_LOGIN: {{ .Values.realmInitEnv.SOCIAL_AUTH_ENABLED | toString | b64enc }} - ENABLE_X509_LOGIN: {{ .Values.realmInitEnv.X509_AUTH_ENABLED | toString | b64enc }} - ENABLE_USERNAME_PASSWORD_AUTH: {{ .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }} - ENABLE_REGISTER_BUTTON: {{ or .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmInitEnv.X509_AUTH_ENABLED | toString | b64enc }} - ENABLE_DENY_USERNAME_PASSWORD: {{ ternary "DISABLED" "REQUIRED" (.Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }} - ENABLE_RESET_CREDENTIAL_FLOW: {{ ternary "REQUIRED" "DISABLED" (.Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }} - ENABLE_REGISTRATION_FORM: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmInitEnv.X509_AUTH_ENABLED) | b64enc }} - ENABLE_REALM_OTP: {{ .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }} + SOCIAL_LOGIN_ENABLED: {{ .Values.realmInitEnv.SOCIAL_AUTH_ENABLED | toString | b64enc }} + X509_LOGIN_ENABLED: {{ .Values.realmInitEnv.X509_AUTH_ENABLED | toString | b64enc }} + USERNAME_PASSWORD_AUTH_ENABLED: {{ .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }} + REGISTER_BUTTON_ENABLED: {{ or .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmInitEnv.X509_AUTH_ENABLED | toString | b64enc }} + DENY_USERNAME_PASSWORD_ENABLED: {{ ternary "DISABLED" "REQUIRED" (.Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }} + RESET_CREDENTIAL_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }} + REGISTRATION_FORM_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmInitEnv.X509_AUTH_ENABLED) | b64enc }} + OTP_ENABLED: {{ .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }} 
From b237a9709995232b790a7e09ca81901595bccba0 Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Thu, 12 Dec 2024 15:04:49 -0700
Subject: [PATCH 4/6] fix: add checksum for kc-realm secret
---
 src/keycloak/chart/templates/statefulset.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
index f63b6f53c..1e18ee733 100644
--- a/src/keycloak/chart/templates/statefulset.yaml
+++ b/src/keycloak/chart/templates/statefulset.yaml
@@ -29,6 +29,7 @@ spec: {{- if not .Values.devMode }} annotations: postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }} + kc-realm-hash: {{ include (print $.Template.BasePath "/secret-kc-realm.yaml") . | sha256sum }} {{- end }} spec: securityContext:
From 6a0cdca07b0b68bec9697c92b326d4bd91d1ec96 Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Fri, 13 Dec 2024 10:41:22 -0700
Subject: [PATCH 5/6] fix: move auth toggles to new realm key
---
 .../chart/templates/secret-kc-realm.yaml | 16 ++++++++--------
 src/keycloak/chart/values.schema.json | 17 +++++++++++++++++
 src/keycloak/chart/values.yaml | 11 +++++++----
 3 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml
index e02117658..a8e5a20b3 100644
--- a/src/keycloak/chart/templates/secret-kc-realm.yaml
+++ b/src/keycloak/chart/templates/secret-kc-realm.yaml 
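Review bot: The new `kc-realm-hash` annotation sits inside the `{{- if not .Values.devMode }}` block together with `postgres-hash`, so in devMode a change to the realm Secret (which the init container consumes through `envFrom` since PATCH 1/6) will not roll the StatefulSet and the previous toggles stay in effect until someone restarts the pod by hand. If skipping the restart in devMode is intentional, a comment above the block such as `# checksum annotations are skipped in devMode: edit realm values, then restart the pod manually` would record it; otherwise the annotation belongs outside the conditional. The pod-template `metadata` block this hunk edits starts above it.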
@@ -18,11 +18,11 @@ data: {{- end }} {{- end }} - SOCIAL_LOGIN_ENABLED: {{ .Values.realmInitEnv.SOCIAL_AUTH_ENABLED | toString | b64enc }} - X509_LOGIN_ENABLED: {{ .Values.realmInitEnv.X509_AUTH_ENABLED | toString | b64enc }} - USERNAME_PASSWORD_AUTH_ENABLED: {{ .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }} - REGISTER_BUTTON_ENABLED: {{ or .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmInitEnv.X509_AUTH_ENABLED | toString | b64enc }} - DENY_USERNAME_PASSWORD_ENABLED: {{ ternary "DISABLED" "REQUIRED" (.Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }} - RESET_CREDENTIAL_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }} - REGISTRATION_FORM_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmInitEnv.X509_AUTH_ENABLED) | b64enc }} - OTP_ENABLED: {{ .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }} + SOCIAL_LOGIN_ENABLED: {{ .Values.realmAuthFlows.SOCIAL_AUTH_ENABLED | toString | b64enc }} + X509_LOGIN_ENABLED: {{ .Values.realmAuthFlows.X509_AUTH_ENABLED | toString | b64enc }} + USERNAME_PASSWORD_AUTH_ENABLED: {{ .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }} + REGISTER_BUTTON_ENABLED: {{ or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED | toString | b64enc }} + DENY_USERNAME_PASSWORD_ENABLED: {{ ternary "DISABLED" "REQUIRED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }} + RESET_CREDENTIAL_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }} + REGISTRATION_FORM_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED) | b64enc }} + OTP_ENABLED: {{ (and .Values.realmAuthFlows.OTP_ENABLED 
.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | toString | b64enc }}
diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json
index f05bdc3a8..9348c158d 100644
--- a/src/keycloak/chart/values.schema.json
+++ b/src/keycloak/chart/values.schema.json
@@ -292,6 +292,23 @@ } } }, + "realmAuthFlows": { + "type": "object", + "properties": { + "USERNAME_PASSWORD_AUTH_ENABLED": { + "type": "boolean" + }, + "X509_AUTH_ENABLED": { + "type": "boolean" + }, + "SOCIAL_AUTH_ENABLED": { + "type": "boolean" + }, + "OTP_ENABLED": { + "type": "boolean" + } + } + }, "resources": { "type": "object", "properties": {
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
index 76b753b06..ab2e4e872 100644
--- a/src/keycloak/chart/values.yaml
+++ b/src/keycloak/chart/values.yaml
@@ -27,9 +27,6 @@ realm: uds # UDS Identity Config Realm Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values realmInitEnv: GOOGLE_IDP_ENABLED: false - USERNAME_PASSWORD_AUTH_ENABLED: true - X509_AUTH_ENABLED: true - SOCIAL_AUTH_ENABLED: true # GOOGLE_IDP_ID: "" # GOOGLE_IDP_SIGNING_CERT: "" # GOOGLE_IDP_NAME_ID_FORMAT: "" 
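Review bot: Three of the eight keys rendered in this hunk carry Keycloak requirement strings rather than booleans despite the `_ENABLED` suffix: `DENY_USERNAME_PASSWORD_ENABLED`, `RESET_CREDENTIAL_FLOW_ENABLED` and `REGISTRATION_FORM_ENABLED` render `REQUIRED`/`DISABLED` while the other five render `true`/`false`, and nothing in the template says which is which. The derivations also encode policy that a values.yaml reader cannot see — `REGISTER_BUTTON_ENABLED` and `REGISTRATION_FORM_ENABLED` turn on when x509 alone is enabled, and `OTP_ENABLED` is forced to `false` whenever `USERNAME_PASSWORD_AUTH_ENABLED` is false regardless of `realmAuthFlows.OTP_ENABLED`. A comment above the block stating that the three flow keys are authenticator requirement values consumed by the identity-config image, and that the `or`/`and` expressions derive registration and OTP from the user-facing toggles, would make the contract reviewable. The `data:` mapping and the realmInitEnv loop above it start outside the hunk.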
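Review bot: The new `realmAuthFlows` schema object lists its four boolean properties but sets neither `additionalProperties` nor `required`, so a misspelled or missing toggle passes chart validation and the secret template then reads nil for that key instead of the value the user thought they set. Since secret-kc-realm.yaml reads exactly these four keys by name, the object can be closed: add `"additionalProperties": false,` and `"required": ["USERNAME_PASSWORD_AUTH_ENABLED", "X509_AUTH_ENABLED", "SOCIAL_AUTH_ENABLED", "OTP_ENABLED"]` next to `"properties"`. The enclosing `properties` object of the schema starts and ends outside the hunk.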
@@ -38,11 +35,17 @@ realmInitEnv: # GOOGLE_IDP_AUDITOR_GROUP: "" # PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)" # EMAIL_VERIFICATION_ENABLED: true - # OTP_ENABLED: true # TERMS_AND_CONDITIONS_ENABLED: true # X509_OCSP_FAIL_OPEN: true # DISABLE_REGISTRATION_FIELDS: false +# UDS Identity Config Authentication Flows Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values +realmAuthFlows: + USERNAME_PASSWORD_AUTH_ENABLED: false + X509_AUTH_ENABLED: true + SOCIAL_AUTH_ENABLED: true + OTP_ENABLED: false + # Generates an initial password for first admin user - only use if install is headless # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login insecureAdminPasswordGeneration:
From 005f2f23cbd93cda0524dc8dd73b5c0b1a5b6956 Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Fri, 13 Dec 2024 11:30:29 -0700
Subject: [PATCH 6/6] fix: values
---
 src/keycloak/chart/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
index ab2e4e872..c4486d9a1 100644
--- a/src/keycloak/chart/values.yaml
+++ b/src/keycloak/chart/values.yaml 
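Review bot: The new `realmAuthFlows` block carries no per-key comments, yet the keys are not independent: in secret-kc-realm.yaml `OTP_ENABLED` only takes effect when `USERNAME_PASSWORD_AUTH_ENABLED` is also true, and enabling `X509_AUTH_ENABLED` on its own also enables the registration button and form. The doc link above the block reuses the `#templated-realm-values` anchor from the realmInitEnv comment, which may not be where the authentication-flow toggles are documented; worth confirming. A short comment per key, e.g. `# only enforced when USERNAME_PASSWORD_AUTH_ENABLED is also true` above `OTP_ENABLED`, would let a user predict the rendered Secret from values.yaml alone; note that the defaults chosen here are flipped again in PATCH 6/6.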
@@ -41,10 +41,10 @@ realmInitEnv: # UDS Identity Config Authentication Flows Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values realmAuthFlows: - USERNAME_PASSWORD_AUTH_ENABLED: false + USERNAME_PASSWORD_AUTH_ENABLED: true X509_AUTH_ENABLED: true SOCIAL_AUTH_ENABLED: true - OTP_ENABLED: false + OTP_ENABLED: true # Generates an initial password for first admin user - only use if install is headless # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login
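Review bot: This flips `USERNAME_PASSWORD_AUTH_ENABLED` and `OTP_ENABLED` back to `true` one commit after they were introduced as `false`, and neither commit message records why; with all four toggles true the chart's default realm accepts password, x509 and social login, and `DENY_USERNAME_PASSWORD_ENABLED` renders `DISABLED`. A comment on the two keys stating the intended default posture, e.g. `# password login and OTP are on by default; set both to false for an x509/social-only realm`, would stop the next reader from treating this flip as accidental.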