feat: configurable authentication flows

src/keycloak/chart/templates/secret-kc-realm.yaml

@@ -5,7 +5,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "keycloak.fullname" . }}-realm-env
-  namespace: {{ .Release.Namespace }}  
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "keycloak.labels" . | nindent 4 }}
 type: Opaque
@@ -16,4 +16,13 @@ data:
   {{- else }}
   REALM_{{ $key }}: {{ $value | b64enc }}
   {{- end }}
-  {{- end }}
+  {{- end }}
+
+  ENABLE_SOCIAL_LOGIN: {{ .Values.realmInitEnv.SOCIAL_AUTH_ENABLED | toString | b64enc }}
+  ENABLE_X509_LOGIN: {{ .Values.realmInitEnv.X509_AUTH_ENABLED | toString | b64enc }}
+  ENABLE_USERNAME_PASSWORD_AUTH: {{ .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }}
+  ENABLE_REGISTER_BUTTON: {{ or .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmInitEnv.X509_AUTH_ENABLED | toString | b64enc }}
+  ENABLE_DENY_USERNAME_PASSWORD: {{ ternary "DISABLED" "REQUIRED" (.Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
+  ENABLE_RESET_CREDENTIAL_FLOW: {{ ternary "REQUIRED" "DISABLED" (.Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
+  ENABLE_REGISTRATION_FORM: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmInitEnv.X509_AUTH_ENABLED) | b64enc }}
+  ENABLE_REALM_OTP: {{ .Values.realmInitEnv.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }}

src/keycloak/chart/templates/statefulset.yaml

@@ -28,7 +28,7 @@ spec:
         {{- end }}
        {{- if not .Values.devMode }}
       annotations:
-        postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }}        
+        postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }}
       {{- end }}
     spec:
       securityContext:
@@ -52,13 +52,16 @@ spec:
               mountPath: /opt/keycloak/themes
             - name: conf
               mountPath: /opt/keycloak/conf
+          envFrom:
+            - secretRef:
+                name: {{ include "keycloak.fullname" . }}-realm-env
       containers:
         - name: keycloak
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-          command: 
+          command:
             - "/opt/keycloak/bin/kc.sh"
           args:
             {{- if .Values.devMode }}
@@ -128,14 +131,13 @@ spec:
             - name: KC_CACHE_STACK
               value: kubernetes
             - name: KC_SPI_STICKY_SESSION_ENCODER_INFINISPAN_SHOULD_ATTACH_ROUTE
-              value: "false"               
+              value: "false"
             # java opts for jgroups required for infinispan distributed cache when using the kubernetes stack.
             # https://www.keycloak.org/server/caching
             - name: JAVA_OPTS_APPEND
               value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless.keycloak.svc.cluster.local
-
             # Postgres database configuration
-            - name: KC_DB 
+            - name: KC_DB
               value: postgres
             - name: KC_DB_URL_HOST
               valueFrom:

src/keycloak/chart/values.yaml

@@ -27,17 +27,21 @@ realm: uds
 # UDS Identity Config Realm Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values
 realmInitEnv:
   GOOGLE_IDP_ENABLED: false
-#   GOOGLE_IDP_ID: ""
-#   GOOGLE_IDP_SIGNING_CERT: ""
-#   GOOGLE_IDP_NAME_ID_FORMAT: ""
-#   GOOGLE_IDP_CORE_ENTITY_ID: ""
-#   GOOGLE_IDP_ADMIN_GROUP: ""
-#   GOOGLE_IDP_AUDITOR_GROUP: ""
-#   PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)"
-#   EMAIL_VERIFICATION_ENABLED: true
-#   OTP_ENABLED: true
-#   TERMS_AND_CONDITIONS_ENABLED: true
-#   REALM_X509_OCSP_FAIL_OPEN: true
+  USERNAME_PASSWORD_AUTH_ENABLED: true
+  X509_AUTH_ENABLED: true
+  SOCIAL_AUTH_ENABLED: true
+  # GOOGLE_IDP_ID: ""
+  # GOOGLE_IDP_SIGNING_CERT: ""
+  # GOOGLE_IDP_NAME_ID_FORMAT: ""
+  # GOOGLE_IDP_CORE_ENTITY_ID: ""
+  # GOOGLE_IDP_ADMIN_GROUP: ""
+  # GOOGLE_IDP_AUDITOR_GROUP: ""
+  # PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)"
+  # EMAIL_VERIFICATION_ENABLED: true
+  # OTP_ENABLED: true
+  # TERMS_AND_CONDITIONS_ENABLED: true
+  # X509_OCSP_FAIL_OPEN: true
+  # DISABLE_REGISTRATION_FIELDS: false
 
 # Generates an initial password for first admin user - only use if install is headless
 # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login