feat: configurable authentication flows #1102

Merged
merged 10 commits into from
Dec 13, 2024
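--- a/src/keycloak/chart/templates/secret-kc-realm.yaml
+++ b/src/keycloak/chart/templates/secret-kc-realm.yaml
@@ -5,7 +5,7 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: {{ include "keycloak.fullname" . }}-realm-env
-namespace: {{ .Release.Namespace }}
+namespace: {{ .Release.Namespace }}
 labels:
 {{- include "keycloak.labels" . | nindent 4 }}
 type: Opaque
@@ -16,4 +16,13 @@ data:
 {{- else }}
 REALM_{{ $key }}: {{ $value | b64enc }}
 {{- end }}
-{{- end }}
+{{- end }}
+
+SOCIAL_LOGIN_ENABLED: {{ .Values.realmAuthFlows.SOCIAL_AUTH_ENABLED | toString | b64enc }}
+X509_LOGIN_ENABLED: {{ .Values.realmAuthFlows.X509_AUTH_ENABLED | toString | b64enc }}
+USERNAME_PASSWORD_AUTH_ENABLED: {{ .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }}
+REGISTER_BUTTON_ENABLED: {{ or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED | toString | b64enc }}
+DENY_USERNAME_PASSWORD_ENABLED: {{ ternary "DISABLED" "REQUIRED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
+RESET_CREDENTIAL_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
+REGISTRATION_FORM_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED) | b64enc }}
+OTP_ENABLED: {{ (and .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | toString | b64enc }}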
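Review bot: Nothing in the new block stops all three login paths from being switched off together, so an override with USERNAME_PASSWORD_AUTH_ENABLED, X509_AUTH_ENABLED and SOCIAL_AUTH_ENABLED all false renders a secret in which every login, reset and registration flow is DISABLED/false — unless the identity-config image has another path I cannot see from here, that locks the realm out and only shows up at login time. A fail-fast guard placed just above SOCIAL_LOGIN_ENABLED keeps such a release from rendering at all: `{{- if not (or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED .Values.realmAuthFlows.SOCIAL_AUTH_ENABLED) }}` / `{{- fail "realmAuthFlows: at least one of USERNAME_PASSWORD_AUTH_ENABLED, X509_AUTH_ENABLED or SOCIAL_AUTH_ENABLED must be true" }}` / `{{- end }}`. A style point on the same lines: REGISTER_BUTTON_ENABLED relies on an unparenthesised `or ... | toString` pipeline while OTP_ENABLED parenthesises its `(and ...)`; writing both the same way makes the precedence obvious to a reader. The `data:` mapping these keys belong to starts above the hunk.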
13 changes: 8 additions & 5 deletions src/keycloak/chart/templates/statefulset.yaml
Expand Up @@ -28,7 +28,8 @@ spec:
{{- end }}
{{- if not .Values.devMode }}
annotations:
postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }}
postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }}
kc-realm-hash: {{ include (print $.Template.BasePath "/secret-kc-realm.yaml") . | sha256sum }}
{{- end }}
spec:
securityContext:
Expand All @@ -52,13 +53,16 @@ spec:
mountPath: /opt/keycloak/themes
- name: conf
mountPath: /opt/keycloak/conf
envFrom:
- secretRef:
name: {{ include "keycloak.fullname" . }}-realm-env
containers:
- name: keycloak
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
command:
command:
- "/opt/keycloak/bin/kc.sh"
args:
{{- if .Values.devMode }}
Expand Down Expand Up @@ -128,14 +132,13 @@ spec:
- name: KC_CACHE_STACK
value: kubernetes
- name: KC_SPI_STICKY_SESSION_ENCODER_INFINISPAN_SHOULD_ATTACH_ROUTE
value: "false"
value: "false"
# java opts for jgroups required for infinispan distributed cache when using the kubernetes stack.
# https://www.keycloak.org/server/caching
- name: JAVA_OPTS_APPEND
value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless.keycloak.svc.cluster.local

# Postgres database configuration
- name: KC_DB
- name: KC_DB
value: postgres
- name: KC_DB_URL_HOST
valueFrom:
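Review bot: The new `kc-realm-hash` annotation sits inside the `{{- if not .Values.devMode }}` block that opens on the line above it, so in devMode a change to realmAuthFlows re-renders the secret but the pods are not rolled and keep running with the previous realm environment; if that is intended, a comment on the if line such as `# devMode renders no checksum annotations, so secret changes need a manual restart` would save the next reader the surprise. In the second hunk the `envFrom` secretRef is added below `mountPath: /opt/keycloak/conf` and before `containers:`, which appears to be an init container whose definition starts outside the hunk; since envFrom injects every key of the realm-env secret into that container's environment, a one-line comment naming why the init container needs the realm variables would document the exposure deliberately rather than leaving it implicit.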
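--- a/src/keycloak/chart/values.schema.json
+++ b/src/keycloak/chart/values.schema.json
@@ -292,6 +292,23 @@
 }
 }
 },
+"realmAuthFlows": {
+"type": "object",
+"properties": {
+"USERNAME_PASSWORD_AUTH_ENABLED": {
+"type": "boolean"
+},
+"X509_AUTH_ENABLED": {
+"type": "boolean"
+},
+"SOCIAL_AUTH_ENABLED": {
+"type": "boolean"
+},
+"OTP_ENABLED": {
+"type": "boolean"
+}
+}
+},
 "resources": {
 "type": "object",
 "properties": {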
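Review bot: The new `realmAuthFlows` object declares neither `"additionalProperties": false` nor a `"required"` list, so a misspelled key in an override (say `USERNAME_PASSWORD_ENABLED`) passes validation while the real flag silently keeps its default, and a key dropped by a null override also passes even though the secret template in secret-kc-realm.yaml then renders the missing value through `toString`. Adding `"additionalProperties": false` and `"required": ["USERNAME_PASSWORD_AUTH_ENABLED", "X509_AUTH_ENABLED", "SOCIAL_AUTH_ENABLED", "OTP_ENABLED"]` beside `"type": "object"` turns both mistakes into a lint-time error instead of a login-time discovery, which is the strictness you want for flags that decide which authentication paths exist. If the surrounding schema deliberately leaves objects open, at least the `required` list is worth keeping.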
29 changes: 18 additions & 11 deletions src/keycloak/chart/values.yaml
Expand Up @@ -27,17 +27,24 @@ realm: uds
# UDS Identity Config Realm Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values
realmInitEnv:
GOOGLE_IDP_ENABLED: false
# GOOGLE_IDP_ID: ""
# GOOGLE_IDP_SIGNING_CERT: ""
# GOOGLE_IDP_NAME_ID_FORMAT: ""
# GOOGLE_IDP_CORE_ENTITY_ID: ""
# GOOGLE_IDP_ADMIN_GROUP: ""
# GOOGLE_IDP_AUDITOR_GROUP: ""
# PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)"
# EMAIL_VERIFICATION_ENABLED: true
# OTP_ENABLED: true
# TERMS_AND_CONDITIONS_ENABLED: true
# REALM_X509_OCSP_FAIL_OPEN: true
# GOOGLE_IDP_ID: ""
# GOOGLE_IDP_SIGNING_CERT: ""
# GOOGLE_IDP_NAME_ID_FORMAT: ""
# GOOGLE_IDP_CORE_ENTITY_ID: ""
# GOOGLE_IDP_ADMIN_GROUP: ""
# GOOGLE_IDP_AUDITOR_GROUP: ""
# PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)"
# EMAIL_VERIFICATION_ENABLED: true
# TERMS_AND_CONDITIONS_ENABLED: true
# X509_OCSP_FAIL_OPEN: true
# DISABLE_REGISTRATION_FIELDS: false

# UDS Identity Config Authentication Flows Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values
realmAuthFlows:
USERNAME_PASSWORD_AUTH_ENABLED: true
X509_AUTH_ENABLED: true
SOCIAL_AUTH_ENABLED: true
OTP_ENABLED: true

# Generates an initial password for first admin user - only use if install is headless
# (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login
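Review bot: `OTP_ENABLED` disappears from the commented realmInitEnv example and reappears as a live key under the new `realmAuthFlows:` map, but nothing in values.yaml tells an operator carrying an older override that `realmInitEnv.OTP_ENABLED` is no longer where the secret template derives the OTP flow from (secret-kc-realm.yaml computes `OTP_ENABLED` from realmAuthFlows, so an OTP_ENABLED left under realmInitEnv presumably only yields a REALM_-prefixed variable). A comment under `realmAuthFlows:` such as `# OTP_ENABLED moved here from realmInitEnv; the OTP flow is derived from this map, not from realmInitEnv` would make the migration explicit. The realmAuthFlows comment also links to the same `#templated-realm-values` anchor as realmInitEnv; that may be correct, but if the upstream CUSTOMIZE.md has a separate authentication-flows section the link should point there. The realmInitEnv block begins above the hunk.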