diff --git a/charts/centralidp/README.md b/charts/centralidp/README.md index 76d42051..ca417afa 100644 --- a/charts/centralidp/README.md +++ b/charts/centralidp/README.md 
@@ -100,14 +100,14 @@ dependencies: | keycloak.externalDatabase.existingSecretUserKey | string | `""` | | | keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | | | keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | | -| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId"
:"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"https://sharedidp.example.org"}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. | -| realmSeeding.clients | object | `{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}}` | Set redirect addresses and - in the case of confidential clients - clients secrets for clients which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is "changeme". 
| +| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"ht
tps://sharedidp.example.org","sslRequired":"external"}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. | +| realmSeeding.clients | object | `{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}}` | Set redirect addresses and - in the case of confidential clients - clients secrets for clients which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is autogenerated. | | realmSeeding.clients.existingSecret | string | `""` | Option to provide an existingSecret for the clients with clientId as key and clientSecret as value. 
| -| realmSeeding.serviceAccounts | object | `{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""}` | Client secrets for service accounts which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is "changeme". 
| +| realmSeeding.serviceAccounts | object | `{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""}` | Client secrets for service accounts which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is autogenerated. | | realmSeeding.serviceAccounts.existingSecret | string | `""` | Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value. | | realmSeeding.bpn | string | `"BPNL00000003CRHK"` | Set value for the 'bpn' user attribute for the initial user and the base service account users. | | realmSeeding.sharedidp | string | `"https://sharedidp.example.org"` | Set sharedidp address to enable the identity provider connection to CX-Operator realm. | -| realmSeeding.extraServiceAccounts | object | `{"clientSecretsAndBpn":[],"existingSecret":""}` | Set client secrets and bpn user attribute for additional service accounts; meant to enable possible test data, default value for client secrets is "changeme". 
| +| realmSeeding.extraServiceAccounts | object | `{"clientSecretsAndBpn":[],"existingSecret":""}` | Set client secrets and bpn user attribute for additional service accounts; meant to enable possible test data, default value for client secrets is autogenerated. | | realmSeeding.extraServiceAccounts.existingSecret | string | `""` | Option to provide an existingSecret for additional service accounts with clientId as key and clientSecret as value. | | realmSeeding.resources | object | `{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}}` | We recommend to review the default resource limits as this should a conscious choice. | diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index e2001be1..062d3797 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml @@ -65,6 +65,8 @@ spec: value: "central" - name: "KEYCLOAKSEEDING__REALMS__0__REALM" value: "CX-Central" + - name: "KEYCLOAKSEEDING__REALMS__0__SSLREQUIRED" + value: "{{ .Values.realmSeeding.sslRequired }}" ############################# ## INITIAL USER diff --git a/charts/centralidp/templates/secret-base-service-accounts.yaml b/charts/centralidp/templates/secret-base-service-accounts.yaml index 77a193a7..b91a74c8 100644 --- a/charts/centralidp/templates/secret-base-service-accounts.yaml +++ b/charts/centralidp/templates/secret-base-service-accounts.yaml 
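Review bot: The new `KEYCLOAKSEEDING__REALMS__0__SSLREQUIRED` value is interpolated straight from `.Values.realmSeeding.sslRequired` with no validation, so a typo or a deliberate `none` reaches the realm unchecked, and how the seeding image treats an unknown or empty value is not visible here. Assuming this maps onto Keycloak's realm `sslRequired` setting (accepted values `external`, `all`, `none`), a render-time guard in the job template would fail fast instead: `{{- if not (has .Values.realmSeeding.sslRequired (list "external" "all" "none")) }}{{ fail "realmSeeding.sslRequired must be one of: external, all, none" }}{{- end }}`. The env list this hunk sits in continues outside the hunk.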
@@ -18,14 +18,26 @@
 */}}
 {{- if and (.Values.realmSeeding.enabled) (not .Values.realmSeeding.serviceAccounts.existingSecret) -}}
+{{- $secretName := include "centralidp.secret.serviceAccounts" . -}}
 apiVersion: v1
 kind: Secret
 metadata:
 name: {{ include "centralidp.secret.serviceAccounts" . }}
 namespace: {{ .Release.Namespace }}
 type: Opaque
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
+{{ if $secret -}}
+data:
+ # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret or generate a random one (if keys are added later on)
+ # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret
+ # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too
+ {{- range .Values.realmSeeding.serviceAccounts.clientSecrets }}
+ {{ .clientId }}: {{ coalesce ( .clientSecret | b64enc ) ( index $secret.data .clientId ) | default ( randAlphaNum 32 ) | quote }}
+ {{- end }}
+{{ else -}}
 stringData:
 {{- range .Values.realmSeeding.serviceAccounts.clientSecrets }}
- {{ .clientId }}: {{ .clientSecret | default "changeme" | quote }}
+ {{ .clientId }}: {{ .clientSecret | default ( randAlphaNum 32 ) | quote }}
 {{- end }}
+{{ end }}
 {{- end -}}
diff --git a/charts/centralidp/templates/secret-clients.yaml b/charts/centralidp/templates/secret-clients.yaml
index f92bf601..ae2adeae 100644
--- a/charts/centralidp/templates/secret-clients.yaml
+++ b/charts/centralidp/templates/secret-clients.yaml
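Review bot: In the new `data:` branch the fallback `default ( randAlphaNum 32 )` is emitted raw under `data:`, while the two alternatives ahead of it in the `coalesce` are base64 (`.clientSecret | b64enc` and the already-encoded `index $secret.data .clientId`). Kubernetes base64-decodes everything under `data:`, and 32 alphanumeric characters are a valid padding-free base64 string, so the client secret the seeding job actually receives is 24 arbitrary bytes rather than the 32-character value the template generated, and it may not even be valid UTF-8 for a Keycloak client secret. The fallback should be `default ( randAlphaNum 32 | b64enc )`; the `stringData:` branch below is fine as written because Kubernetes encodes that one itself.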
@@ -18,15 +18,29 @@ */}} {{- if and (.Values.realmSeeding.enabled) (not .Values.realmSeeding.clients.existingSecret) -}} +{{- $secretName := include "centralidp.secret.clients" . -}} apiVersion: v1 kind: Secret metadata: name: {{ include "centralidp.secret.clients" . }} namespace: {{ .Release.Namespace }} type: Opaque +{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} +{{ if $secret -}} +data: + # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret or generate a random one (if keys are added later on) + # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret + # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too + miw: {{ coalesce ( .Values.realmSeeding.clients.miw.clientSecret | b64enc ) ( index $secret.data "miw" ) | default ( randAlphaNum 32 ) | quote }} + bpdm: {{ coalesce ( .Values.realmSeeding.clients.bpdm.clientSecret | b64enc ) ( index $secret.data "bpdm" ) | default ( randAlphaNum 32 ) | quote }} + bpdm-gate: {{ coalesce ( .Values.realmSeeding.clients.bpdmGate.clientSecret | b64enc ) ( index $secret.data "bpdm-gate" ) | default ( randAlphaNum 32 ) | quote }} + bpdm-orchestrator: {{ coalesce ( .Values.realmSeeding.clients.bpdmOrchestrator.clientSecret | b64enc ) ( index $secret.data "bpdm-orchestrator" ) | default ( randAlphaNum 32 ) | quote }} +{{ else -}} stringData: - miw: {{ .Values.realmSeeding.clients.miw.clientSecret | default "changeme" | quote }} - bpdm: {{ .Values.realmSeeding.clients.bpdm.clientSecret | default "changeme" | quote }} - bpdm-gate: {{ .Values.realmSeeding.clients.bpdmGate.clientSecret | default "changeme" | quote }} - bpdm-orchestrator: {{ .Values.realmSeeding.clients.bpdmOrchestrator.clientSecret | default "changeme" | quote }} + # if secret doesn't exist, use provided value from values file or generate a random one + miw: {{ 
.Values.realmSeeding.clients.miw.clientSecret | default ( randAlphaNum 32 ) | quote }} + bpdm: {{ .Values.realmSeeding.clients.bpdm.clientSecret | default ( randAlphaNum 32 ) | quote }} + bpdm-gate: {{ .Values.realmSeeding.clients.bpdmGate.clientSecret | default ( randAlphaNum 32 ) | quote }} + bpdm-orchestrator: {{ .Values.realmSeeding.clients.bpdmOrchestrator.clientSecret | default ( randAlphaNum 32 ) | quote }} +{{ end }} {{- end -}} diff --git a/charts/centralidp/templates/secret-extra-service-accounts.yaml b/charts/centralidp/templates/secret-extra-service-accounts.yaml index f9ffa3fc..8b31e332 100644 --- a/charts/centralidp/templates/secret-extra-service-accounts.yaml +++ b/charts/centralidp/templates/secret-extra-service-accounts.yaml 
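Review bot: Helm's `lookup` returns an empty result whenever the chart is rendered without cluster access — `helm template`, `--dry-run`, and GitOps tools that render client-side — so on those paths the template always takes the `stringData:` branch and mints fresh `randAlphaNum 32` values on every render. For a continuously reconciling deployment that silently rotates the `miw`, `bpdm`, `bpdm-gate` and `bpdm-orchestrator` client secrets each sync, and whether the seeding job then re-seeds Keycloak or leaves it holding the previous value is not visible here. The chart already offers `realmSeeding.clients.existingSecret`; I would state in this template that it is the required path for non-interactive installs, e.g. `# NOTE: lookup is empty under 'helm template', dry-run and client-side GitOps rendering; supply clients.existingSecret there, otherwise secrets are regenerated on every render.` Separately, the `randAlphaNum 32` fallback in the `data:` branch needs `| b64enc`, since `data:` values are base64-decoded by Kubernetes.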
@@ -18,14 +18,27 @@
 */}}
 {{- if and (.Values.realmSeeding.enabled) (.Values.realmSeeding.extraServiceAccounts.clientSecrets) (not .Values.realmSeeding.extraServiceAccounts.existingSecret) -}}
+{{- $secretName := include "centralidp.secret.extraServiceAccounts" . -}}
 apiVersion: v1
 kind: Secret
 metadata:
 name: {{ include "centralidp.secret.extraServiceAccounts" . }}
 namespace: {{ .Release.Namespace }}
 type: Opaque
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
+{{ if $secret -}}
+data:
+ # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret or generate a random one (if keys are added later on)
+ # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret
+ # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too
+ {{- range .Values.realmSeeding.extraServiceAccounts.clientSecrets }}
+ {{ .clientId }}: {{ coalesce ( .clientSecret | b64enc ) ( index $secret.data .clientId ) | default ( randAlphaNum 32 ) | quote }}
+ {{- end }}
+{{ else -}}
 stringData:
+ # if secret doesn't exist, use provided value from values file or generate a random one
 {{- range .Values.realmSeeding.extraServiceAccounts.clientSecrets }}
- {{ .clientId }}: {{ .clientSecret | default "changeme" | quote }}
+ {{ .clientId }}: {{ .clientSecret | default ( randAlphaNum 32 ) | quote }}
 {{- end }}
+{{ end }}
 {{- end -}}
diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml
index 97ad25cc..3684973f 100644
--- a/charts/centralidp/values.yaml
+++ b/charts/centralidp/values.yaml
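Review bot: Both the new `data:` branch and the `stringData:` branch range over `.Values.realmSeeding.extraServiceAccounts.clientSecrets`, and the enclosing `if` requires that same key to be truthy, yet the values.yaml and README hunks in this diff expose the list as `realmSeeding.extraServiceAccounts.clientSecretsAndBpn` (default `[]`). Unless `clientSecrets` is populated somewhere not shown, this Secret is never rendered and the extra service accounts get whatever the seeding job does without it; the mismatch predates this commit, but the new `range` line repeats it. I would confirm the intended key and, if it is `clientSecretsAndBpn`, change all three references, e.g. `{{- range .Values.realmSeeding.extraServiceAccounts.clientSecretsAndBpn }}`.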
@@ -33,14 +33,14 @@ keycloak: # -- Setting the path relative to '/' for serving resources: # as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'. # ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed - httpRelativePath: "/auth/" + httpRelativePath: /auth/ replicaCount: 1 extraVolumes: - name: themes emptyDir: {} extraVolumeMounts: - name: themes - mountPath: "/opt/bitnami/keycloak/themes/catenax-central" + mountPath: /opt/bitnami/keycloak/themes/catenax-central initContainers: - name: import image: docker.io/tractusx/portal-iam:v3.0.1 @@ -53,15 +53,15 @@ keycloak: echo "Copying themes..." cp -R /import/themes/catenax-central/* /themes volumeMounts: - - name: themes - mountPath: "/themes" + - name: themes + mountPath: /themes service: sessionAffinity: ClientIP ingress: enabled: false - ingressClassName: "nginx" + ingressClassName: nginx # -- Provide default path for the ingress record. - hostname: "centralidp.example.org" + hostname: centralidp.example.org annotations: # -- Enable TLS configuration for the host defined at `ingress.hostname` parameter; # TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; 
@@ -87,17 +87,17 @@ keycloak: - get - list postgresql: - # -- PostgreSQL chart configuration (recommended for demonstration purposes only); - # default configurations: - # host: "centralidp-postgresql", - # port: 5432; + # -- PostgreSQL chart configuration (recommended for demonstration purposes only); + # default configurations: + # host: "centralidp-postgresql", + # port: 5432; # Switch to enable or disable the PostgreSQL helm chart. enabled: true # -- Setting to Postgres version 15 as that is the aligned version, # https://eclipse-tractusx.github.io/docs/release/trg-5/trg-5-07/#aligning-dependency-versions). # Keycloak helm-chart from Bitnami has moved on to version 16. image: - tag: "15-debian-11" + tag: 15-debian-11 commonLabels: app.kubernetes.io/version: "15" auth: @@ -113,8 +113,8 @@ keycloak: existingSecret: "" architecture: standalone externalDatabase: - # -- External PostgreSQL configuration - # IMPORTANT: non-root db user needs needs to be created beforehand on external database. + # -- External PostgreSQL configuration + # IMPORTANT: non-root db user needs needs to be created beforehand on external database. host: "" # -- Database port number. port: 5432 @@ -131,7 +131,6 @@ keycloak: existingSecretUserKey: "" existingSecretDatabaseKey: "" existingSecretPasswordKey: "" - # -- Seeding job to create and update the CX-Central realm: # besides creating the CX-Central realm, the job can be used to update # the configuration of the realm when upgrading to a new version; 
@@ -139,9 +138,10 @@ keycloak: # for configuration possibly not covered by the seeding job. realmSeeding: enabled: true + sslRequired: external # -- Set redirect addresses and - in the case of confidential clients - clients secrets # for clients which are part of the basic CX-Central realm setup; - # SET client secrets for all non-testing and non-local purposes, default value is "changeme". + # SET client secrets for all non-testing and non-local purposes, default value is autogenerated. clients: registration: redirects: 
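Review bot: `sslRequired: external` is added without the `# --` helm-docs comment every neighbouring key in this section carries, so the generated README gets no row explaining it or its accepted values, and the realm-wide TLS policy is the one knob here an operator should not set blindly. Assuming it maps onto Keycloak's realm `sslRequired` setting, I would add above it: `# -- 'SSL required' policy seeded into the CX-Central realm ('external' requires HTTPS for non-private addresses, 'all' for every request, 'none' disables the check); keep 'external' or 'all' for anything reachable beyond localhost.` The `realmSeeding` block continues outside the hunk.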
@@ -170,53 +170,53 @@ realmSeeding: # -- Option to provide an existingSecret for the clients with clientId as key and clientSecret as value. existingSecret: "" # -- Client secrets for service accounts which are part of the basic CX-Central realm setup; - # SET client secrets for all non-testing and non-local purposes, default value is "changeme". + # SET client secrets for all non-testing and non-local purposes, default value is autogenerated. serviceAccounts: clientSecrets: - - clientId: "sa-cl1-reg-2" + - clientId: sa-cl1-reg-2 clientSecret: "" - - clientId: "sa-cl2-01" + - clientId: sa-cl2-01 clientSecret: "" - - clientId: "sa-cl2-02" + - clientId: sa-cl2-02 clientSecret: "" - - clientId: "sa-cl2-03" + - clientId: sa-cl2-03 clientSecret: "" - - clientId: "sa-cl2-04" + - clientId: sa-cl2-04 clientSecret: "" - - clientId: "sa-cl2-05" + - clientId: sa-cl2-05 clientSecret: "" - - clientId: "sa-cl3-cx-1" + - clientId: sa-cl3-cx-1 clientSecret: "" - - clientId: "sa-cl5-custodian-2" + - clientId: sa-cl5-custodian-2 clientSecret: "" - - clientId: "sa-cl7-cx-1" + - clientId: sa-cl7-cx-1 clientSecret: "" - - clientId: "sa-cl7-cx-5" + - clientId: sa-cl7-cx-5 clientSecret: "" - - clientId: "sa-cl7-cx-7" + - clientId: sa-cl7-cx-7 clientSecret: "" - - clientId: "sa-cl8-cx-1" + - clientId: sa-cl8-cx-1 clientSecret: "" - - clientId: "sa-cl21-01" + - clientId: sa-cl21-01 clientSecret: "" - - clientId: "sa-cl22-01" + - clientId: sa-cl22-01 clientSecret: "" - - clientId: "sa-cl24-01" + - clientId: sa-cl24-01 clientSecret: "" - - clientId: "sa-cl25-cx-1" + - clientId: sa-cl25-cx-1 clientSecret: "" - - clientId: "sa-cl25-cx-2" + - clientId: sa-cl25-cx-2 clientSecret: "" - - clientId: "sa-cl25-cx-3" + - clientId: sa-cl25-cx-3 clientSecret: "" # -- Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value. existingSecret: "" # -- Set value for the 'bpn' user attribute for the initial user and the base service account users. 
- bpn: "BPNL00000003CRHK" + bpn: BPNL00000003CRHK # -- Set sharedidp address to enable the identity provider connection to CX-Operator realm. - sharedidp: "https://sharedidp.example.org" + sharedidp: https://sharedidp.example.org # -- Set client secrets and bpn user attribute for additional service accounts; - # meant to enable possible test data, default value for client secrets is "changeme". + # meant to enable possible test data, default value for client secrets is autogenerated. extraServiceAccounts: clientSecretsAndBpn: [] # - clientId: "sa-test-01" @@ -228,12 +228,12 @@ realmSeeding: # -- Option to provide an existingSecret for additional service accounts with clientId as key and clientSecret as value. existingSecret: "" image: - name: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1" - pullPolicy: "IfNotPresent" + name: docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1 + pullPolicy: IfNotPresent initContainer: image: - name: "docker.io/tractusx/portal-iam:v4.0.0-alpha.1" - pullPolicy: "IfNotPresent" + name: docker.io/tractusx/portal-iam:v4.0.0-alpha.1 + pullPolicy: IfNotPresent portContainer: 8080 keycloakServicePort: 80 keycloakServiceTls: false diff --git a/charts/sharedidp/README.md b/charts/sharedidp/README.md index 1fb45ec9..f9144048 100644 --- a/charts/sharedidp/README.md +++ b/charts/sharedidp/README.md 
@@ -106,7 +106,7 @@ dependencies: | keycloak.externalDatabase.existingSecretUserKey | string | `""` | | | keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | | | keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | | -| realmSeeding | object | `{"enabled":true,"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"realms":{"cxOperator":{"centralidp":"https://centralidp.example.org","existingSecret":"","initialUser":{"eMail":"cx-operator@tx.org","firstName":"Operator","lastName":"CX Admin","password":"","username":"cx-operator@tx.org"},"mailing":{"from":"email@example.org","host":"smtp.example.org","password":"","port":"123","replyTo":"email@example.org","username":"smtp-user"}},"master":{"existingSecret":"","serviceAccounts":{"provisioning":{"clientSecret":""},"saCxOperator":{"clientSecret":""}}}},"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}}}` | Seeding job to create and update the CX-Operator and master realms: besides creating those realm, the job can be used to update the configuration of the realms when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. 
| +| realmSeeding | object | `{"enabled":true,"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"realms":{"cxOperator":{"centralidp":"https://centralidp.example.org","existingSecret":"","initialUser":{"eMail":"cx-operator@tx.org","firstName":"Operator","lastName":"CX Admin","password":"","username":"cx-operator@tx.org"},"mailing":{"from":"email@example.org","host":"smtp.example.org","password":"","port":"123","replyTo":"email@example.org","username":"smtp-user"},"sslRequired":"external"},"master":{"existingSecret":"","serviceAccounts":{"provisioning":{"clientSecret":""},"saCxOperator":{"clientSecret":""}}}},"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}}}` | Seeding job to create and update the CX-Operator and master realms: besides creating those realm, the job can be used to update the configuration of the realms when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. | | realmSeeding.realms.cxOperator.centralidp | string | `"https://centralidp.example.org"` | Set centralidp address for the connection to the CX-Central realm. | | realmSeeding.realms.cxOperator.initialUser | object | `{"eMail":"cx-operator@tx.org","firstName":"Operator","lastName":"CX Admin","password":"","username":"cx-operator@tx.org"}` | Configure initial user in CX-Operator realm. | | realmSeeding.realms.cxOperator.initialUser.username | string | `"cx-operator@tx.org"` | SET username for all non-testing and non-local purposes. | 
@@ -114,9 +114,9 @@ dependencies: | realmSeeding.realms.cxOperator.mailing | object | `{"from":"email@example.org","host":"smtp.example.org","password":"","port":"123","replyTo":"email@example.org","username":"smtp-user"}` | Set mailing configuration for CX-Operator realm. | | realmSeeding.realms.cxOperator.existingSecret | string | `""` | Option to provide an existingSecret for initial user and mailing configuration. | | realmSeeding.realms.master.serviceAccounts.provisioning | object | `{"clientSecret":""}` | Set clients secret for the service account which enables the portal to provision new realms. | -| realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret | string | `""` | SET client secret for all non-testing and non-local purposes, default value is "changeme". | +| realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret | string | `""` | SET client secret for all non-testing and non-local purposes, default value is autogenerated. | | realmSeeding.realms.master.serviceAccounts.saCxOperator | object | `{"clientSecret":""}` | Set clients secret for the service account which enables the portal to manage the CX-Operator realm. | -| realmSeeding.realms.master.serviceAccounts.saCxOperator.clientSecret | string | `""` | SET client secret for all non-testing and non-local purposes, default value is "changeme". | +| realmSeeding.realms.master.serviceAccounts.saCxOperator.clientSecret | string | `""` | SET client secret for all non-testing and non-local purposes, default value is autogenerated. | | realmSeeding.realms.master.existingSecret | string | `""` | Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value. | | realmSeeding.resources | object | `{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}}` | We recommend to review the default resource limits as this should a conscious choice. | 
diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml index 0d8ac6a6..bc668796 100644 --- a/charts/sharedidp/templates/job-seeding.yaml +++ b/charts/sharedidp/templates/job-seeding.yaml @@ -71,6 +71,8 @@ spec: value: "CX-Operator" - name: "KEYCLOAKSEEDING__REALMS__1__REALM" value: "master" + - name: "KEYCLOAKSEEDING__REALMS__0__SSLREQUIRED" + value: "{{ .Values.realmSeeding.realms.cxOperator.sslRequired }}" ############################# ## CX-OPERATOR CLIENT diff --git a/charts/sharedidp/templates/secret-seeding-master-realm.yaml b/charts/sharedidp/templates/secret-seeding-master-realm.yaml index 5f3e0dbe..6242d884 100644 --- a/charts/sharedidp/templates/secret-seeding-master-realm.yaml +++ b/charts/sharedidp/templates/secret-seeding-master-realm.yaml 
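Review bot: Only realm index 0 (CX-Operator) receives `SSLREQUIRED`; the `master` realm configured as `REALMS__1` two lines above gets no `KEYCLOAKSEEDING__REALMS__1__SSLREQUIRED`, so its policy is left to whatever the seeding image applies, which is not visible here. Since the master realm holds the provisioning and cx-operator service accounts seeded elsewhere in this diff, I would either set it explicitly from a `realms.master.sslRequired` value or record the decision next to the new lines, e.g. `# master realm (REALMS__1) keeps the seeding image's sslRequired default; add REALMS__1__SSLREQUIRED here if it must be pinned`. The env list continues outside the hunk.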
@@ -18,13 +18,25 @@ */}}
 {{- if and (.Values.realmSeeding.enabled) (not .Values.realmSeeding.realms.master.existingSecret) -}}
+{{- $secretName := include "sharedidp.secret.realmSeeding.master" . -}}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "sharedidp.secret.realmSeeding.master" . }}
   namespace: {{ .Release.Namespace }}
 type: Opaque
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
+{{ if $secret -}}
+data:
+  # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret or generate a random one (if keys are added later on)
+  # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret
+  # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too
+  sa-provisioning: {{ coalesce ( .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret | b64enc ) ( index $secret.data "sa-provisioning" ) | default ( randAlphaNum 32 ) | quote }}
+  sa-cx-operator: {{ coalesce ( .Values.realmSeeding.realms.master.serviceAccounts.saCxOperator.clientSecret | b64enc ) ( index $secret.data "sa-cx-operator" ) | default ( randAlphaNum 32 ) | quote }}
+{{ else -}}
 stringData:
-  sa-provisioning: {{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret | default "changeme" | quote }}
-  sa-cx-operator: {{ .Values.realmSeeding.realms.master.serviceAccounts.saCxOperator.clientSecret | default "changeme" | quote }}
+  # if secret doesn't exist, use provided value from values file or generate a random one
+  sa-provisioning: {{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret | default ( randAlphaNum 32 ) | quote }}
+  sa-cx-operator: {{ .Values.realmSeeding.realms.master.serviceAccounts.saCxOperator.clientSecret | default ( randAlphaNum 32 ) | quote }}
+{{ end }}
 {{- end -}}
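Review bot: In the `data:` branch the fallback `default ( randAlphaNum 32 )` emits a raw alphanumeric string into a field Kubernetes treats as base64, so when a key is missing from an existing secret its decoded value is 24 bytes of binary noise rather than a usable client secret; the fallback for both keys should be `default ( randAlphaNum 32 | b64enc )` so that it matches the `b64enc`'d values-file branch beside it. The `stringData:` branch is correct because Kubernetes encodes it on write. Separately, `lookup` returns an empty result under `helm template`, `--dry-run` and any client-side renderer (the repo ships ArgoCD application templates), so each such render takes the `stringData:` branch and mints fresh random secrets; the comment block should say that without `existingSecret` or explicit `clientSecret` values, GitOps-driven syncs will rotate these service-account credentials on every render and the seeded Keycloak clients may fall out of step with the secret.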
diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index f9a7f01d..1887107f 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -33,7 +33,7 @@ keycloak: # -- Setting the path relative to '/' for serving resources: # as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'. # ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed - httpRelativePath: "/auth/" + httpRelativePath: /auth/ replicaCount: 1 extraVolumes: - name: themes-catenax-shared @@ -42,9 +42,9 @@ keycloak: emptyDir: {} extraVolumeMounts: - name: themes-catenax-shared - mountPath: "/opt/bitnami/keycloak/themes/catenax-shared" + mountPath: /opt/bitnami/keycloak/themes/catenax-shared - name: themes-catenax-shared-portal - mountPath: "/opt/bitnami/keycloak/themes/catenax-shared-portal" + mountPath: /opt/bitnami/keycloak/themes/catenax-shared-portal initContainers: - name: import image: docker.io/tractusx/portal-iam:v3.0.1 @@ -59,17 +59,17 @@ keycloak: echo "Copying themes-catenax-shared-portal..." cp -R /import/themes/catenax-shared-portal/* /themes-catenax-shared-portal volumeMounts: - - name: themes-catenax-shared - mountPath: "/themes-catenax-shared" - - name: themes-catenax-shared-portal - mountPath: "/themes-catenax-shared-portal" + - name: themes-catenax-shared + mountPath: /themes-catenax-shared + - name: themes-catenax-shared-portal + mountPath: /themes-catenax-shared-portal service: sessionAffinity: ClientIP ingress: enabled: false - ingressClassName: "nginx" + ingressClassName: nginx # -- Provide default path for the ingress record. - hostname: "sharedidp.example.org" + hostname: sharedidp.example.org annotations: # -- Enable TLS configuration for the host defined at `ingress.hostname` parameter; # TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; 
@@ -95,17 +95,17 @@ keycloak: - get - list postgresql: - # -- PostgreSQL chart configuration (recommended for demonstration purposes only); - # default configurations: - # host: "sharedidp-postgresql", - # port: 5432; + # -- PostgreSQL chart configuration (recommended for demonstration purposes only); + # default configurations: + # host: "sharedidp-postgresql", + # port: 5432; # Switch to enable or disable the PostgreSQL helm chart. enabled: true # -- Setting to Postgres version 15 as that is the aligned version, # https://eclipse-tractusx.github.io/docs/release/trg-5/trg-5-07/#aligning-dependency-versions). # Keycloak helm-chart from Bitnami has moved on to version 16. image: - tag: "15-debian-11" + tag: 15-debian-11 commonLabels: app.kubernetes.io/version: "15" auth: @@ -121,8 +121,8 @@ keycloak: existingSecret: "" architecture: standalone externalDatabase: - # -- External PostgreSQL configuration - # IMPORTANT: non-root db user needs needs to be created beforehand on external database. + # -- External PostgreSQL configuration + # IMPORTANT: non-root db user needs needs to be created beforehand on external database. host: "" # -- Database port number. port: 5432 @@ -139,7 +139,6 @@ keycloak: existingSecretUserKey: "" existingSecretDatabaseKey: "" existingSecretPasswordKey: "" - # -- Seeding job to create and update the CX-Operator and master realms: # besides creating those realm, the job can be used to update # the configuration of the realms when upgrading to a new version; 
@@ -149,46 +148,47 @@ realmSeeding: enabled: true realms: cxOperator: + sslRequired: external # -- Set centralidp address for the connection to the CX-Central realm. - centralidp: "https://centralidp.example.org" - # -- Configure initial user in CX-Operator realm. + centralidp: https://centralidp.example.org + # -- Configure initial user in CX-Operator realm. initialUser: # -- SET username for all non-testing and non-local purposes. - username: "cx-operator@tx.org" + username: cx-operator@tx.org # -- SET password for all non-testing and non-local purposes, default value is "!3changemeTractus-X". password: "" - firstName: "Operator" - lastName: "CX Admin" - eMail: "cx-operator@tx.org" + firstName: Operator + lastName: CX Admin + eMail: cx-operator@tx.org # -- Set mailing configuration for CX-Operator realm. mailing: - host: "smtp.example.org" - port: "123" - username: "smtp-user" + host: smtp.example.org + port: '123' + username: smtp-user password: "" - from: "email@example.org" - replyTo: "email@example.org" + from: email@example.org + replyTo: email@example.org # -- Option to provide an existingSecret for initial user and mailing configuration. existingSecret: "" master: serviceAccounts: # -- Set clients secret for the service account which enables the portal to provision new realms. provisioning: - # -- SET client secret for all non-testing and non-local purposes, default value is "changeme". + # -- SET client secret for all non-testing and non-local purposes, default value is autogenerated. clientSecret: "" # -- Set clients secret for the service account which enables the portal to manage the CX-Operator realm. saCxOperator: - # -- SET client secret for all non-testing and non-local purposes, default value is "changeme". + # -- SET client secret for all non-testing and non-local purposes, default value is autogenerated. clientSecret: "" # -- Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value. 
existingSecret: "" image: - name: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1" - pullPolicy: "IfNotPresent" + name: docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1 + pullPolicy: IfNotPresent initContainer: image: - name: "docker.io/tractusx/portal-iam:v4.0.0-alpha.1" - pullPolicy: "IfNotPresent" + name: docker.io/tractusx/portal-iam:v4.0.0-alpha.1 + pullPolicy: IfNotPresent portContainer: 8080 keycloakServicePort: 80 keycloakServiceTls: false diff --git a/charts/values-test-centralidp.yaml b/charts/values-test-centralidp.yaml index 6916c740..1c16f10c 100644 --- a/charts/values-test-centralidp.yaml +++ b/charts/values-test-centralidp.yaml @@ -30,10 +30,10 @@ keycloak: echo "Copying themes..." cp -R /import/themes/catenax-central/* /themes volumeMounts: - - name: themes - mountPath: "/themes" + - name: themes + mountPath: /themes realmSeeding: initContainer: image: - name: "kind-registry:5000/iam:testing" - pullPolicy: "Always" + name: kind-registry:5000/iam:testing + pullPolicy: Always diff --git a/charts/values-test-sharedidp.yaml b/charts/values-test-sharedidp.yaml index b9650b69..9848bfd9 100644 --- a/charts/values-test-sharedidp.yaml +++ b/charts/values-test-sharedidp.yaml @@ -32,12 +32,12 @@ keycloak: echo "Copying themes-catenax-shared-portal..." cp -R /import/themes/catenax-shared-portal/* /themes-catenax-shared-portal volumeMounts: - - name: themes-catenax-shared - mountPath: "/themes-catenax-shared" - - name: themes-catenax-shared-portal - mountPath: "/themes-catenax-shared-portal" + - name: themes-catenax-shared + mountPath: /themes-catenax-shared + - name: themes-catenax-shared-portal + mountPath: /themes-catenax-shared-portal realmSeeding: initContainer: image: - name: "kind-registry:5000/iam:testing" - pullPolicy: "Always" + name: kind-registry:5000/iam:testing + pullPolicy: Always diff --git a/charts/values-test-upgrade.yaml b/charts/values-test-upgrade.yaml index 5021b4c5..ea83fac7 100644 --- a/charts/values-test-upgrade.yaml 
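Review bot: The new `sslRequired: external` key under `realms.cxOperator` is the only setting in this block without a `# --` description, so the generated README will not tell operators what it controls or which values are valid. I would add `# -- Keycloak SSL requirement for the CX-Operator realm: "external" (TLS required for non-local clients, default), "all" (always) or "none" (never); leave "none" to local testing only, as it allows credentials to be sent over plain HTTP.` The remaining edits in this hunk are quote removals and comment re-indentation that do not change any value.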
+++ b/charts/values-test-upgrade.yaml @@ -23,15 +23,15 @@ keycloak: postgresql: auth: # -- Non-root user password. - password: "password" + password: password # -- Root user password. - postgresPassword: "password" + postgresPassword: password architecture: standalone secrets: postgresql: auth: existingSecret: - postgrespassword: "password" - password: "password" + postgrespassword: password + password: password realmSeeding: enabled: false diff --git a/docs/consultation/environments/centralidp/blue/postgresql-db-central-blue-statefulset.yaml b/docs/consultation/environments/centralidp/blue/postgresql-db-central-blue-statefulset.yaml index ccce79c8..53d0b7b7 100644 --- a/docs/consultation/environments/centralidp/blue/postgresql-db-central-blue-statefulset.yaml +++ b/docs/consultation/environments/centralidp/blue/postgresql-db-central-blue-statefulset.yaml @@ -73,5 +73,5 @@ spec: selector: app: postgresql-db-central-blue ports: - - port: 5432 - targetPort: 5432 + - port: 5432 + targetPort: 5432 diff --git a/docs/consultation/environments/sharedidp/blue/kc-shared-blue-values.yaml b/docs/consultation/environments/sharedidp/blue/kc-shared-blue-values.yaml index f01c1c37..23634be3 100644 --- a/docs/consultation/environments/sharedidp/blue/kc-shared-blue-values.yaml +++ b/docs/consultation/environments/sharedidp/blue/kc-shared-blue-values.yaml @@ -27,7 +27,7 @@ secrets: adminpassword: adminshared managementpassword: managershared externalDatabase: - password: password + password: password # Variables to use by Bitname Keycloak Helm Chart keycloak: diff --git a/docs/consultation/environments/sharedidp/blue/postgresql-db-shared-blue-statefulset.yaml b/docs/consultation/environments/sharedidp/blue/postgresql-db-shared-blue-statefulset.yaml index 5ca348c5..dd5e8a77 100644 --- a/docs/consultation/environments/sharedidp/blue/postgresql-db-shared-blue-statefulset.yaml +++ b/docs/consultation/environments/sharedidp/blue/postgresql-db-shared-blue-statefulset.yaml 
@@ -73,5 +73,5 @@ spec: selector: app: postgresql-db-shared-blue ports: - - port: 5432 - targetPort: 5432 + - port: 5432 + targetPort: 5432 diff --git a/environments/argocd-app-templates/sharedidp/appsetup-int.yaml b/environments/argocd-app-templates/sharedidp/appsetup-int.yaml index 54494acc..59beeb63 100644 --- a/environments/argocd-app-templates/sharedidp/appsetup-int.yaml +++ b/environments/argocd-app-templates/sharedidp/appsetup-int.yaml @@ -35,4 +35,4 @@ spec: value: vault-secret - name: helm_args value: '-f values.yaml -f ../../environments/helm-values/sharedidp/values-int.yaml' - project: project-portal \ No newline at end of file + project: project-portal