From aad16726ffe5342d1fb17dadd1f78cdae0b6c5ca Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 10:00:33 +0200 Subject: [PATCH 01/55] fea(centralidp)t: WIP enable seeding for variables and secrets - remove realm import with Dkeycloak.migration.action=import - start enabling of CX-Central realm import with seeding job (up to now the seeding job was only used when upgrading the realm config) - start enabling of client secret seeding --- charts/centralidp/templates/_helpers.tpl | 13 ++++++++ charts/centralidp/templates/job-seeding.yaml | 25 ++++++++++++++- .../centralidp/templates/secret-seeding.yaml | 31 +++++++++++++++++++ charts/centralidp/values.yaml | 27 +++++++--------- 4 files changed, 79 insertions(+), 17 deletions(-) create mode 100644 charts/centralidp/templates/secret-seeding.yaml diff --git a/charts/centralidp/templates/_helpers.tpl b/charts/centralidp/templates/_helpers.tpl index eefa1099..5dbb3ce5 100644 --- a/charts/centralidp/templates/_helpers.tpl +++ b/charts/centralidp/templates/_helpers.tpl @@ -15,7 +15,9 @@ * under the License. * * SPDX-License-Identifier: Apache-2.0 +*/}} +{{/* Define "centralidp.fullname" like ""common.names.fullname" in the bitnami common chart but setting ".Chart.Name" to "keycloak". This is necessary to retrieve the keycloak service name for the execution of the seeding job. */}} @@ -31,3 +33,14 @@ This is necessary to retrieve the keycloak service name for the execution of the {{- end -}} {{- end -}} {{- end -}} + +{{/* +Define secret name for realm seeding. +*/}} +{{- define "centralidp.seeding.secretName" -}} +{{- if .Values.seeding.existingSecret -}} +{{- .Values.seeding.existingSecret }} +{{- else -}} +{{- include "centralidp.fullname" . -}}-realm-seeding +{{- end -}} +{{- end -}} diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index e29bb327..004c4b38 100644 --- a/charts/centralidp/templates/job-seeding.yaml 
+++ b/charts/centralidp/templates/job-seeding.yaml @@ -25,7 +25,7 @@ metadata: namespace: {{ .Release.Namespace }} annotations: "batch.kubernetes.io/job-tracking": "true" - "helm.sh/hook": post-upgrade + "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-weight": "-5" spec: template: @@ -65,6 +65,29 @@ spec: value: "{{ .Values.seeding.excludedUserAttributes.attribute0 }}" - name: "KEYCLOAKSEEDING__EXCLUDEDUSERATTRIBUTES__1" value: "{{ .Values.seeding.excludedUserAttributes.attribute1 }}" + - name: "KeycloakSeeding__Realms__0__Realm" + value: "CX-Central" + - name: "KeycloakSeeding__Realms__0__Clients__100__ClientId" + value: "Cl2-CX-Portal" + - name: "KeycloakSeeding__Realms__0__Clients__100__RedirectUris__0" + value: "http://redirect.test" + + ############################# + ## SERVICE ACCOUNTS + ############################# + + {{- $index := 0 }} + {{- $secret := include "centralidp.seeding.secretName" . -}} + {{- range .Values.seeding.clients }} + - name: KeycloakSeeding__Realms__0__Clients__{{ $index }}__ClientId + value: {{ .clientId | quote }} + - name: KeycloakSeeding__Realms__0__Clients__{{ $index }}__Secret + valueFrom: + secretKeyRef: + name: {{ $secret }} + key: {{ .clientId }} + {{- $index = add1 $index }} + {{- end }} ports: - name: http containerPort: {{ .Values.seeding.portContainer }} diff --git a/charts/centralidp/templates/secret-seeding.yaml b/charts/centralidp/templates/secret-seeding.yaml new file mode 100644 index 00000000..e19536cb --- /dev/null +++ b/charts/centralidp/templates/secret-seeding.yaml 
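Review bot: The entries at index 100 hard-code `Cl2-CX-Portal` with the redirect URI `http://redirect.test`, so every install seeds a plain-http placeholder redirect into the CX-Central realm that no value can override; the commit message marks this as WIP, but it must not survive into a release. Move the portal client's id and redirect URIs under `.Values.seeding` and render them with `| quote`, as the loop below already does for `value:`. In that loop `key: {{ .clientId }}` is the only unquoted scalar; `key: {{ .clientId | quote }}` keeps a client id that YAML would retype from breaking the manifest. The container spec this sits in starts and ends outside the hunk.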
@@ -0,0 +1,31 @@ +{{- /* +* Copyright (c) 2024 Contributors to the Eclipse Foundation +* +* See the NOTICE file(s) distributed with this work for additional +* information regarding copyright ownership. +* +* This program and the accompanying materials are made available under the +* terms of the Apache License, Version 2.0 which is available at +* https://www.apache.org/licenses/LICENSE-2.0. +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +* License for the specific language governing permissions and limitations +* under the License. +* +* SPDX-License-Identifier: Apache-2.0 +*/}} + +{{- if and (.Values.seeding.enabled) (not .Values.seeding.existingSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "centralidp.seeding.secretName" . }} + namespace: {{ .Release.Namespace }} +type: Opaque +stringData: + {{- range .Values.seeding.clients }} + {{ .clientId }}: {{ .clientSecret | default ( randAlphaNum 32 ) | quote }} + {{- end }} +{{- end -}} diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index cbb71ffc..ee3f0a86 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml 
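Review bot: `randAlphaNum 32` is evaluated on every render, so with `clientSecret: ""` each `helm upgrade` writes a new value into this Secret and the seeding job then rotates the client secret in Keycloak, silently invalidating the credentials every consumer of those service accounts holds. The secret templates this series deletes in patch 02 used `lookup "v1" "Secret"` to keep the stored value on upgrade; the same pattern is needed here, with the existing value taken from `data:` (already base64) and only a fresh install falling through to the random branch (note that `lookup` returns nothing under `helm template`, so offline renders still hit the random branch, as before). The map key should also be quoted, `{{ .clientId | quote }}:`, since a plain scalar client id can be retyped by the YAML parser.
```yaml
{{- if and (.Values.seeding.enabled) (not .Values.seeding.existingSecret) -}}
# … unchanged: apiVersion, kind, metadata, type …
{{- $existing := lookup "v1" "Secret" .Release.Namespace (include "centralidp.seeding.secretName" .) }}
{{- if $existing }}
data:
  {{- range .Values.seeding.clients }}
  {{ .clientId | quote }}: {{ .clientSecret | b64enc | default (index $existing.data .clientId) | quote }}
  {{- end }}
{{- else }}
stringData:
  {{- range .Values.seeding.clients }}
  {{ .clientId | quote }}: {{ .clientSecret | default (randAlphaNum 32) | quote }}
  {{- end }}
{{- end }}
{{- end -}}
```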
@@ -32,20 +32,13 @@ keycloak: # as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'. # ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed httpRelativePath: "/auth/" - extraEnvVars: - - name: KEYCLOAK_EXTRA_ARGS - value: "-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/realms/CX-Central-realm.json -Dkeycloak.migration.strategy=IGNORE_EXISTING" replicaCount: 3 extraVolumes: - name: themes emptyDir: {} - - name: realms - emptyDir: {} extraVolumeMounts: - name: themes mountPath: "/opt/bitnami/keycloak/themes/catenax-central" - - name: realms - mountPath: "/realms" initContainers: - name: import image: docker.io/tractusx/portal-iam:v3.0.1 @@ -57,13 +50,9 @@ keycloak: - | echo "Copying themes..." cp -R /import/themes/catenax-central/* /themes - echo "Copying realms..." - cp -R /import/catenax-central/realms/* /realms volumeMounts: - name: themes mountPath: "/themes" - - name: realms - mountPath: "/realms" service: sessionAffinity: ClientIP ingress: @@ -155,15 +144,21 @@ seeding: # enable to upgrade the configuration of the CX-Central realm from previous version; # Please also refer to the 'Post-Upgrade Configuration' section in the README.md # for configuration possibly not covered by the seeding job - enabled: false - image: "docker.io/tractusx/portal-iam-seeding:v3.0.1-iam" - imagePullPolicy: "IfNotPresent" + enabled: true + image: "192.168.49.2:5000/iam-seeding:latest" + imagePullPolicy: "Always" portContainer: 8080 authRealm: "master" useAuthTrail: "true" dataPaths: dataPath0: "realms/CX-Central-realm.json" instanceName: "central" + existingSecret: "" + clients: + - clientId: "sa-cl2-01" + clientSecret: "" + - clientId: "sa-cl2-02" + clientSecret: "" excludedUserAttributes: attribute0: "bpn" attribute1: "organisation" 
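Review bot: The defaults now point at `192.168.49.2:5000/iam-seeding:latest` with `imagePullPolicy: "Always"`, and the next hunk does the same for the `init-cx-central` image (patch 02 later moves it to `iam:test`): a private-network registry and mutable tags in the chart's shipped values mean a default install pulls unversioned, unverifiable images, and `enabled: true` makes that job run on every install. Before this leaves WIP, restore the pinned values this hunk removes, `image: "docker.io/tractusx/portal-iam-seeding:v3.0.1-iam"` and `imagePullPolicy: "IfNotPresent"`, and keep dev-registry overrides in a separate values file. The comment above `enabled` still describes the job as upgrading a realm from a previous version, which no longer matches `enabled: true` and the removal of the realm import above; it should say the job now creates and maintains the CX-Central realm. `clientSecret: ""` would also benefit from a comment stating that an empty value is replaced by a generated secret at render time.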
@@ -183,8 +178,8 @@ seeding: mountPath: "app/realms" initContainers: - name: init-cx-central - image: docker.io/tractusx/portal-iam:v3.0.1 - imagePullPolicy: IfNotPresent + image: 192.168.49.2:5000/iam:latest + imagePullPolicy: Always command: - sh args: From 0ebaae1441e91964ed1db5140a7afac60e91f615 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 10:00:33 +0200 Subject: [PATCH 02/55] chore: improve secret handling and remove obsolete secrets --- charts/centralidp/templates/job-seeding.yaml | 2 +- .../templates/secret-centralidp.yaml | 38 -------------- .../templates/secret-external-db.yaml | 39 --------------- .../templates/secret-postgres-init.yaml | 44 ---------------- charts/centralidp/values.yaml | 50 ++++++++----------- 5 files changed, 22 insertions(+), 151 deletions(-) delete mode 100644 charts/centralidp/templates/secret-centralidp.yaml delete mode 100644 charts/centralidp/templates/secret-external-db.yaml delete mode 100644 charts/centralidp/templates/secret-postgres-init.yaml diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index 004c4b38..37184d36 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml @@ -51,7 +51,7 @@ spec: - name: "KEYCLOAK__CENTRAL__PASSWORD" valueFrom: secretKeyRef: - name: "{{ .Values.keycloak.auth.existingSecret }}" + name: "{{ template "centralidp.fullname" . }}" key: "admin-password" - name: "KEYCLOAK__CENTRAL__AUTHREALM" value: "{{ .Values.seeding.authRealm }}" diff --git a/charts/centralidp/templates/secret-centralidp.yaml b/charts/centralidp/templates/secret-centralidp.yaml deleted file mode 100644 index 7af8a6d4..00000000 --- a/charts/centralidp/templates/secret-centralidp.yaml +++ /dev/null 
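Review bot: The `secretKeyRef` for `KEYCLOAK__CENTRAL__PASSWORD` is now fixed to `{{ template "centralidp.fullname" . }}`, yet values.yaml keeps `keycloak.auth.existingSecret`; an operator who sets it points the Keycloak subchart at their own secret while the seeding job keeps reading the fullname one, so the job authenticates with a stale or missing password. `name: "{{ .Values.keycloak.auth.existingSecret | default (include "centralidp.fullname" .) }}"` keeps both in step. This assumes the Keycloak subchart names its generated admin secret after the same fullname helper, which the `_helpers.tpl` comment implies but this chunk does not show.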
@@ -1,38 +0,0 @@ -############################################################### -# Copyright (c) 2022 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################### - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keycloak.auth.existingSecret }} - namespace: {{ .Release.Namespace }} -type: Opaque -# use lookup function to check if secret exists -{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.keycloak.auth.existingSecret) }} -{{ if $secret -}} -data: - # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret - # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret - # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too - admin-password: {{ ( .Values.secrets.auth.existingSecret.adminpassword | b64enc ) | default ( index $secret.data "admin-password" ) | quote }} -{{ else -}} -stringData: - # if secret doesn't exist, use provided value from values file or generate a random one - admin-password: {{ .Values.secrets.auth.existingSecret.adminpassword | default ( randAlphaNum 32 ) | quote }} -{{ end }} 
diff --git a/charts/centralidp/templates/secret-external-db.yaml b/charts/centralidp/templates/secret-external-db.yaml deleted file mode 100644 index 6570900c..00000000 --- a/charts/centralidp/templates/secret-external-db.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{- /* -* Copyright (c) 2022 Contributors to the Eclipse Foundation -* -* See the NOTICE file(s) distributed with this work for additional -* information regarding copyright ownership. -* -* This program and the accompanying materials are made available under the -* terms of the Apache License, Version 2.0 which is available at -* https://www.apache.org/licenses/LICENSE-2.0. -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -* License for the specific language governing permissions and limitations -* under the License. -* -* SPDX-License-Identifier: Apache-2.0 -*/}} - -{{- if not .Values.keycloak.postgresql.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keycloak.externalDatabase.existingSecret }} - namespace: {{ .Release.Namespace }} -type: Opaque -# use lookup function to check if secret exists -{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.keycloak.externalDatabase.existingSecret) }} -{{ if $secret -}} -data: - # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret - # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret - password: {{ ( .Values.keycloak.externalDatabase.password | b64enc ) | default $secret.data.password | quote }} -{{ else -}} -stringData: - # if secret doesn't exist, use provided value from values file or generate a random one - password: {{ .Values.keycloak.externalDatabase.password | default ( randAlphaNum 32 ) | quote }} -{{ end }} -{{- end -}} 
diff --git a/charts/centralidp/templates/secret-postgres-init.yaml b/charts/centralidp/templates/secret-postgres-init.yaml deleted file mode 100644 index a741dd6d..00000000 --- a/charts/centralidp/templates/secret-postgres-init.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -{{- /* -* Copyright (c) 2022 Contributors to the Eclipse Foundation -* -* See the NOTICE file(s) distributed with this work for additional -* information regarding copyright ownership. -* -* This program and the accompanying materials are made available under the -* terms of the Apache License, Version 2.0 which is available at -* https://www.apache.org/licenses/LICENSE-2.0. -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -* License for the specific language governing permissions and limitations -* under the License. -* -* SPDX-License-Identifier: Apache-2.0 -*/}} - -{{- if .Values.keycloak.postgresql.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keycloak.postgresql.auth.existingSecret }} - namespace: {{ .Release.Namespace }} -type: Opaque -# use lookup function to check if secret exists -{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.keycloak.postgresql.auth.existingSecret) }} -{{ if $secret -}} -data: - # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret - # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret - # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too - postgres-password: {{ ( .Values.secrets.postgresql.auth.existingSecret.postgrespassword | b64enc ) | default ( index $secret.data "postgres-password" ) | quote }} - password: {{ ( .Values.secrets.postgresql.auth.existingSecret.password | b64enc ) | default $secret.data.password | quote }} - replication-password: {{ ( .Values.secrets.postgresql.auth.existingSecret.replicationPassword | b64enc ) | default ( index $secret.data "replication-password" ) | quote}} -{{ else -}} -stringData: - # if secret doesn't 
exist, use provided value from values file or generate a random one - postgres-password: {{ .Values.secrets.postgresql.auth.existingSecret.postgrespassword | default ( randAlphaNum 32 ) | quote }} - password: {{ .Values.secrets.postgresql.auth.existingSecret.password | default ( randAlphaNum 32 ) | quote }} - replication-password: {{ .Values.secrets.postgresql.auth.existingSecret.replicationPassword | default ( randAlphaNum 32 ) | quote }} -{{ end }} -{{- end -}} diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index ee3f0a86..3a43f52b 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -20,8 +20,9 @@ keycloak: auth: adminUser: admin + adminPassword: "" # -- Secret containing the passwords for admin username 'admin' and management username 'manager'. - existingSecret: "centralidp-keycloak" + existingSecret: "" # -- Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. production: false # -- reverse Proxy mode edge, reencrypt, passthrough or none; 
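Review bot: `adminPassword: ""` is added without the `# --` doc comment every other key in this block carries, and the same holds for `password`, `postgresPassword` and the five `existingSecret*Key` keys in the next hunk of this file. The removed `secrets:` block documented which secret key each password lands in; suggest e.g. `# -- Password for the admin username 'admin'. Leave empty to use 'existingSecret'; a value set here is stored in the Helm release history.` and equivalent comments for the postgresql and externalDatabase keys. What an empty `adminPassword` together with an empty `existingSecret` resolves to is decided by the Keycloak subchart, outside this chunk; that behaviour belongs in the comment once confirmed.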
@@ -101,46 +102,37 @@ keycloak: auth: # -- Non-root username. username: kccentral + # -- Non-root user password. + password: "" + # -- Root user password. + postgresPassword: "" # -- Database name. database: iamcentralidp # -- Secret containing the passwords for root usernames postgres and non-root username kccentral. - existingSecret: "centralidp-postgres" + existingSecret: "" architecture: replication externalDatabase: # -- External PostgreSQL configuration # IMPORTANT: non-root db user needs needs to be created beforehand on external database. - # Database host ('-primary' is added as postfix). - host: "centralidp-postgresql-external-db" + host: "" # -- Database port number. port: 5432 - # -- Non-root username for centralidp. - user: "kccentral" + # -- Non-root username. + user: "" # -- Database name. - database: "iamcentralidp" - # -- Password for the non-root username (default 'kccentral'). Secret-key 'password'. + database: "" + # -- Password for the non-root username. password: "" - # -- Secret containing the password non-root username, (default 'kccentral'). - existingSecret: "centralidp-keycloak-external-db" - # -- Name of an existing secret key containing the database credentials. - existingSecretPasswordKey: "password" - -secrets: - auth: - existingSecret: - # -- Password for the admin username 'admin'. Secret-key 'admin-password'. - adminpassword: "" - postgresql: - auth: - existingSecret: - # -- Password for the root username 'postgres'. Secret-key 'postgres-password'. - postgrespassword: "" - # -- Password for the non-root username 'kccentral'. Secret-key 'password'. - password: "" - # -- Password for the non-root username 'repl_user'. Secret-key 'replication-password'. 
- replicationPassword: "" + # -- Secret containing the database credentials + existingSecret: "" + existingSecretHostKey: "" + existingSecretPortKey: "" + existingSecretUserKey: "" + existingSecretDatabaseKey: "" + existingSecretPasswordKey: "" seeding: -# -- Seeding job to upgrade CX_Central realm: +# -- Seeding job to create and upgrade CX_Central realm: # enable to upgrade the configuration of the CX-Central realm from previous version; # Please also refer to the 'Post-Upgrade Configuration' section in the README.md # for configuration possibly not covered by the seeding job @@ -178,7 +170,7 @@ seeding: mountPath: "app/realms" initContainers: - name: init-cx-central - image: 192.168.49.2:5000/iam:latest + image: 192.168.49.2:5000/iam:test imagePullPolicy: Always command: - sh From 31669e462b99aec926e53e4726c9b4d12cedf8f3 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 10:00:33 +0200 Subject: [PATCH 03/55] chore: remove hook from seeding job --- charts/centralidp/templates/job-seeding.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index 37184d36..a9c62211 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml @@ -23,10 +23,6 @@ kind: Job metadata: name: {{ include "centralidp.fullname" . }}-upgrade-seeding namespace: {{ .Release.Namespace }} - annotations: - "batch.kubernetes.io/job-tracking": "true" - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "-5" spec: template: metadata: From eed905aa0f5820c56e702845ff84d277869b8967 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 10:00:33 +0200 Subject: [PATCH 04/55] feat: await keycloak service before starting seeding job --- charts/centralidp/templates/job-seeding.yaml | 3 +++ 1 file changed, 3 insertions(+) 
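Review bot: With the hook annotations gone the Job becomes an ordinary release resource, and because a Job's `spec.template` is immutable the next `helm upgrade` is rejected; patch 05 later avoids that by appending `{{ .Release.Revision }}` to the name, which leaves one finished Job per revision in the namespace. Either add `ttlSecondsAfterFinished` under `spec:` (for example `ttlSecondsAfterFinished: 600`) so completed Jobs are garbage-collected, or keep `"helm.sh/hook": post-install,post-upgrade` together with `"helm.sh/hook-delete-policy": before-hook-creation`, which replaces the previous run instead of accumulating. The Job's `spec:` continues outside this hunk.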
diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml
index a9c62211..1c57ea3d 100644
--- a/charts/centralidp/templates/job-seeding.yaml
+++ b/charts/centralidp/templates/job-seeding.yaml
@@ -93,6 +93,9 @@ spec:
 volumeMounts:
 {{- toYaml .Values.seeding.extraVolumeMounts | nindent 10 }}
 initContainers:
+ - name: wait-for-keycloak
+ image: appropriate/curl:latest
+ command: [ 'sh', '-c', 'until curl -s http://{{ template "centralidp.fullname" . }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
 {{- toYaml .Values.seeding.initContainers | nindent 8 }}
 volumes:
 {{- toYaml .Values.seeding.extraVolumes | nindent 8 }}
From 615fbc1f6602b6fbbfc49fc6234f0054dc573044 Mon Sep 17 00:00:00 2001
From: Evelyn Gurschler
Date: Thu, 27 Jun 2024 10:00:33 +0200
Subject: [PATCH 05/55] chore: create unique job names at helm upgrade to avoid running into "field is immutable" error
---
 charts/centralidp/templates/job-seeding.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml
index 1c57ea3d..ea095e1e 100644
--- a/charts/centralidp/templates/job-seeding.yaml
+++ b/charts/centralidp/templates/job-seeding.yaml
@@ -21,7 +21,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: {{ include "centralidp.fullname" . }}-upgrade-seeding
+ name: {{ include "centralidp.fullname" . }}-upgrade-seeding-{{ .Release.Revision }}
 namespace: {{ .Release.Namespace }}
 spec:
 template:
From f72802d2d3cc165bfd117c5c9736852e9db76260 Mon Sep 17 00:00:00 2001
From: Evelyn Gurschler
Date: Thu, 27 Jun 2024 10:00:33 +0200
Subject: [PATCH 06/55] chore: move to standalone arch for db dependency
---
 charts/centralidp/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml
index 3a43f52b..a8e6cf84 100644
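Review bot: `curl -s` exits 0 for any HTTP response, including a 404 or 503 from a proxy that answers before the realm endpoint is ready, so the `until` loop can stop early and the seeding container then fails its first requests; `curl -sf` (fail on HTTP error status) fixes that. The image `appropriate/curl:latest` is an unpinned third-party tag running in the same pod as the container that holds the Keycloak admin credentials, in contrast to the pinned `docker.io/tractusx/...` images the chart otherwise uses; pin it and expose it in values. The probe also hard-codes `/auth/` although `keycloak.httpRelativePath` is configurable: `command: [ 'sh', '-c', 'until curl -sf http://{{ template "centralidp.fullname" . }}{{ .Values.keycloak.httpRelativePath }}realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]`. The init container also carries none of the `securityContext` settings the main container has.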
--- a/charts/centralidp/values.yaml
+++ b/charts/centralidp/values.yaml
@@ -110,7 +110,7 @@ keycloak:
 database: iamcentralidp
 # -- Secret containing the passwords for root usernames postgres and non-root username kccentral.
 existingSecret: ""
- architecture: replication
+ architecture: standalone
 externalDatabase:
 # -- External PostgreSQL configuration
 # IMPORTANT: non-root db user needs needs to be created beforehand on external database.
From ab0b2f5ba648ebd937f98bc25bd96a4008f9483e Mon Sep 17 00:00:00 2001
From: Evelyn Gurschler
Date: Thu, 27 Jun 2024 10:00:33 +0200
Subject: [PATCH 07/55] chore: rename seeding job
---
 charts/centralidp/templates/job-seeding.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml
index ea095e1e..6d86bcb0 100644
--- a/charts/centralidp/templates/job-seeding.yaml
+++ b/charts/centralidp/templates/job-seeding.yaml
@@ -21,16 +21,16 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: {{ include "centralidp.fullname" . }}-upgrade-seeding-{{ .Release.Revision }}
+ name: {{ include "centralidp.fullname" . }}-realm-seeding-{{ .Release.Revision }}
 namespace: {{ .Release.Namespace }}
 spec:
 template:
 metadata:
- name: {{ include "centralidp.fullname" . }}-upgrade-seeding
+ name: {{ include "centralidp.fullname" . }}-realm-seeding
 spec:
 restartPolicy: Never
 containers:
- - name: {{ include "centralidp.fullname" . }}-upgrade-seeding
+ - name: {{ include "centralidp.fullname" . }}-realm-seeding
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
From e9817208775a159cf8c58004ae2a7bb0d32db030 Mon Sep 17 00:00:00 2001
From: Evelyn Gurschler
Date: Thu, 27 Jun 2024 10:00:33 +0200
Subject: [PATCH 08/55] chore: set default replica count to 1
---
 charts/centralidp/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index a8e6cf84..9ae70430 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -33,7 +33,7 @@ keycloak: # as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'. # ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed httpRelativePath: "/auth/" - replicaCount: 3 + replicaCount: 1 extraVolumes: - name: themes emptyDir: {} From 668416907408ca016309ab50ee53d8ea663d9af4 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 10:00:33 +0200 Subject: [PATCH 09/55] feat(realm-seeing): enable config of redirects, client secrets and bpn improve secrets remove excludedUserAttributes, not needed anymore increase resource settings update docs --- charts/centralidp/templates/_helpers.tpl | 32 +++- charts/centralidp/templates/job-seeding.yaml | 149 +++++++++++++++--- ...yaml => secret-base-service-accounts.yaml} | 8 +- .../centralidp/templates/secret-clients.yaml | 31 ++++ .../secret-extra-service-accounts.yaml | 31 ++++ charts/centralidp/values.yaml | 116 +++++++++++--- 6 files changed, 322 insertions(+), 45 deletions(-) rename charts/centralidp/templates/{secret-seeding.yaml => secret-base-service-accounts.yaml} (75%) create mode 100644 charts/centralidp/templates/secret-clients.yaml create mode 100644 charts/centralidp/templates/secret-extra-service-accounts.yaml diff --git a/charts/centralidp/templates/_helpers.tpl b/charts/centralidp/templates/_helpers.tpl index 5dbb3ce5..5a318ecc 100644 --- a/charts/centralidp/templates/_helpers.tpl +++ b/charts/centralidp/templates/_helpers.tpl 
@@ -35,12 +35,34 @@ This is necessary to retrieve the keycloak service name for the execution of the {{- end -}} {{/* -Define secret name for realm seeding. +Define secret name for clients secrets of clients (realm seeding). */}} -{{- define "centralidp.seeding.secretName" -}} -{{- if .Values.seeding.existingSecret -}} -{{- .Values.seeding.existingSecret }} +{{- define "centralidp.secret.clients" -}} +{{- if .Values.seeding.clients.existingSecret -}} +{{- .Values.seeding.clients.existingSecret }} {{- else -}} -{{- include "centralidp.fullname" . -}}-realm-seeding +{{- include "centralidp.fullname" . -}}-clients +{{- end -}} +{{- end -}} + +{{/* +Define secret name for clients secrets of base service accounts (realm seeding). +*/}} +{{- define "centralidp.secret.serviceAccounts" -}} +{{- if .Values.seeding.serviceAccounts.existingSecret -}} +{{- .Values.seeding.serviceAccounts.existingSecret }} +{{- else -}} +{{- include "centralidp.fullname" . -}}-base-service-accounts +{{- end -}} +{{- end -}} + +{{/* +Define secret name for clients secrets of additional service accounts (realm seeding). +*/}} +{{- define "centralidp.secret.extraServiceAccounts" -}} +{{- if .Values.seeding.extraServiceAccounts.existingSecret -}} +{{- .Values.seeding.extraServiceAccounts.existingSecret }} +{{- else -}} +{{- include "centralidp.fullname" . -}}-extra-service-accounts {{- end -}} {{- end -}} diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index 6d86bcb0..d4f06f02 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml 
@@ -54,36 +54,148 @@ spec: - name: "KEYCLOAK__CENTRAL__USEAUTHTRAIL" value: "{{ .Values.seeding.useAuthTrail }}" - name: "KEYCLOAKSEEDING__DATAPATHES__0" - value: "{{ .Values.seeding.dataPaths.dataPath0 }}" + value: "{{ .Values.seeding.dataPath }}" - name: "KEYCLOAKSEEDING__INSTANCENAME" - value: "{{ .Values.seeding.instanceName }}" - - name: "KEYCLOAKSEEDING__EXCLUDEDUSERATTRIBUTES__0" - value: "{{ .Values.seeding.excludedUserAttributes.attribute0 }}" - - name: "KEYCLOAKSEEDING__EXCLUDEDUSERATTRIBUTES__1" - value: "{{ .Values.seeding.excludedUserAttributes.attribute1 }}" - - name: "KeycloakSeeding__Realms__0__Realm" - value: "CX-Central" - - name: "KeycloakSeeding__Realms__0__Clients__100__ClientId" - value: "Cl2-CX-Portal" - - name: "KeycloakSeeding__Realms__0__Clients__100__RedirectUris__0" - value: "http://redirect.test" + value: "central" + - name: "KEYCLOAKSEEDING__REALMS__0__REALM" + value: "{{ .Values.seeding.realm }}" + ########### + ## CLIENTS + ########### + + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__CLIENTID" + value: "{{ .Values.seeding.clients.registration.clientId }}" + {{- range $index, $redirects := .Values.seeding.clients.registration.redirects }} + - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__REDIRECTURIS__{{ $index }} + value: {{ $redirects | quote }} + {{- end }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__CLIENTID" + value: "{{ .Values.seeding.clients.portal.clientId }}" + {{- range $index, $redirects := .Values.seeding.clients.portal.redirects }} + - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__REDIRECTURIS__{{ $index }} + value: {{ $redirects | quote }} + {{- end }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__2__CLIENTID" + value: "{{ .Values.seeding.clients.semantics.clientId }}" + {{- range $index, $redirects := .Values.seeding.clients.semantics.redirects }} + - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__2__REDIRECTURIS__{{ $index }} + value: {{ $redirects | quote }} + {{- end }} + - name: 
"KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__CLIENTID" + value: "{{ .Values.seeding.clients.semantics.clientId }}" + {{- range $index, $redirects := .Values.seeding.clients.semantics.redirects }} + - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__REDIRECTURIS__{{ $index }} + value: {{ $redirects | quote }} + {{- end }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__CLIENTID" + value: "{{ .Values.seeding.clients.miw.clientId }}" + {{- range $index, $redirects := .Values.seeding.clients.miw.redirects }} + - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__REDIRECTURIS__{{ $index }} + value: {{ $redirects | quote }} + {{- end }} + - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__SECRET + valueFrom: + secretKeyRef: + name: "{{ template "centralidp.secret.clients" . }}" + key: "{{ .Values.seeding.clients.miw.clientId }}" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__CLIENTID" + value: "{{ .Values.seeding.clients.bpdm.clientId }}" + {{- range $index, $redirects := .Values.seeding.clients.bpdm.redirects }} + - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__REDIRECTURIS__{{ $index }} + value: {{ $redirects | quote }} + {{- end }} + - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__SECRET + valueFrom: + secretKeyRef: + name: "{{ template "centralidp.secret.clients" . }}" + key: "{{ .Values.seeding.clients.bpdm.clientId }}" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__CLIENTID" + value: "{{ .Values.seeding.clients.bpdmGate.clientId }}" + {{- range $index, $redirects := .Values.seeding.clients.bpdmGate.redirects }} + - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__REDIRECTURIS__{{ $index }} + value: {{ $redirects | quote }} + {{- end }} + - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__SECRET + valueFrom: + secretKeyRef: + name: "{{ template "centralidp.secret.clients" . 
}}" + key: "{{ .Values.seeding.clients.bpdmGate.clientId }}" + + ############################# + ## BASE SERVICE ACCOUNTS ############################# - ## SERVICE ACCOUNTS + + {{- $index := 20 }} + {{- $secretBaseSa := include "centralidp.secret.serviceAccounts" . -}} + {{- range .Values.seeding.serviceAccounts.clientSecrets }} + - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__CLIENTID + value: {{ .clientId | quote }} + - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__SECRET + valueFrom: + secretKeyRef: + name: {{ $secretBaseSa }} + key: {{ .clientId }} + {{- $index = add1 $index }} + {{- end }} + ############################# + ## BPN USER ATTRIBUTE + ############################# + + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__USERNAME" + value: "{{ .Values.seeding.bpnUserAttribute.initialUser }}" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__Attributes__0__NAME" + value: "bpn" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__Attributes__0__VALUES__0" + value: "{{ .Values.seeding.bpnUserAttribute.bpn }}" + # Comment out until fix for seeding script + # {{- $index := 1 }} + # {{- $bpn := .Values.seeding.bpnUserAttribute.bpn -}} + # {{- range .Values.seeding.serviceAccounts.clientSecrets }} + # - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__USERNAME + # value: {{ printf "service-account-%s" .clientId | quote }} + # - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__Attributes__0__VALUES__0 + # value: {{ $bpn }} + # {{- $index = add1 $index }} + # {{- end }} + + ############################# + ## IDENTITY PROVIDER + ############################# + + - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__ALIAS" + value: "{{ .Values.seeding.identityProvider.alias }}" + - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__TOKENURL" + value: "{{ .Values.seeding.identityProvider.tokenUrl }}" + - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__JWKSURL" + value: "{{ 
.Values.seeding.identityProvider.jwksUrl }}" + - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__AUTHORIZATIONURL" + value: "{{ .Values.seeding.identityProvider.authorizationUrl }}" + - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__LOGOUTURL" + value: "{{ .Values.seeding.identityProvider.logoutUrl }}" - {{- $index := 0 }} - {{- $secret := include "centralidp.seeding.secretName" . -}} - {{- range .Values.seeding.clients }} - - name: KeycloakSeeding__Realms__0__Clients__{{ $index }}__ClientId + ############################### + ## EXTRA SERVICE ACCOUNTS + ############################### + + {{- $index := 100 }} + {{- $secret := include "centralidp.secret.extraServiceAccounts" . -}} + {{- range .Values.seeding.extraServiceAccounts.clientSecretsAndBpn }} + - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__CLIENTID value: {{ .clientId | quote }} - - name: KeycloakSeeding__Realms__0__Clients__{{ $index }}__Secret + - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__SECRET valueFrom: secretKeyRef: name: {{ $secret }} key: {{ .clientId }} + - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__USERNAME + value: {{ printf "service-account-%s" .clientId | quote }} + - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__Attributes__0__VALUES__0 + value: {{ .bpn | quote }} {{- $index = add1 $index }} {{- end }} + ports: - name: http containerPort: {{ .Values.seeding.portContainer }} @@ -96,6 +208,7 @@ spec: - name: wait-for-keycloak image: appropriate/curl:latest command: [ 'sh', '-c', 'until curl -s http://{{ template "centralidp.fullname" . }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ] + imagePullPolicy: IfNotPresent {{- toYaml .Values.seeding.initContainers | nindent 8 }} volumes: {{- toYaml .Values.seeding.extraVolumes | nindent 8 }} 
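Review bot: `KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__CLIENTID` and its redirect loop read `.Values.seeding.clients.semantics.*`, the same values already bound to index 2, so the realm is seeded with two clients carrying the same clientId; this reads like a copy/paste slip, and which client index 3 was meant for cannot be told here because the values.yaml hunk of this patch is cut off. The extra-service-account users set `USERS__{{ $index }}__Attributes__0__VALUES__0` but, unlike user 0, never `__Attributes__0__NAME`; if the seeding configuration identifies attributes by name, that loop needs `- name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__Attributes__0__NAME` with `value: "bpn"` (the commented-out block above has the same gap). `key: {{ .clientId }}` in the base service-account block is unquoted while every other `secretKeyRef.key` in the hunk is quoted. The `Attributes` segment is mixed-case where the rest of each key is upper-case; harmless if the consumer is case-insensitive configuration binding, but inconsistent.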
diff --git a/charts/centralidp/templates/secret-seeding.yaml b/charts/centralidp/templates/secret-base-service-accounts.yaml similarity index 75% rename from charts/centralidp/templates/secret-seeding.yaml rename to charts/centralidp/templates/secret-base-service-accounts.yaml index e19536cb..9f8d01e4 100644 --- a/charts/centralidp/templates/secret-seeding.yaml +++ b/charts/centralidp/templates/secret-base-service-accounts.yaml @@ -17,15 +17,15 @@ * SPDX-License-Identifier: Apache-2.0 */}} -{{- if and (.Values.seeding.enabled) (not .Values.seeding.existingSecret) -}} +{{- if and (.Values.seeding.enabled) (not .Values.seeding.serviceAccounts.existingSecret) -}} apiVersion: v1 kind: Secret metadata: - name: {{ include "centralidp.seeding.secretName" . }} + name: {{ include "centralidp.secret.serviceAccounts" . }} namespace: {{ .Release.Namespace }} type: Opaque stringData: - {{- range .Values.seeding.clients }} - {{ .clientId }}: {{ .clientSecret | default ( randAlphaNum 32 ) | quote }} + {{- range .Values.seeding.serviceAccounts.clientSecrets }} + {{ .clientId }}: {{ .clientSecret | default "changeme" | quote }} {{- end }} {{- end -}} diff --git a/charts/centralidp/templates/secret-clients.yaml b/charts/centralidp/templates/secret-clients.yaml new file mode 100644 index 00000000..609e0f69 --- /dev/null +++ b/charts/centralidp/templates/secret-clients.yaml 
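Review bot: Swapping `randAlphaNum 32` for the literal `"changeme"` means a chart user who leaves `clientSecret` empty gets confidential service accounts whose secret is a publicly known string, and the new `secret-clients.yaml` and `secret-extra-service-accounts.yaml` in this patch use the same default. A missing secret should fail rendering rather than degrade silently: `{{ .clientId | quote }}: {{ required (printf "seeding.serviceAccounts.clientSecrets: clientSecret for %s must be set" .clientId) .clientSecret | quote }}`, or fall back to a generated value that a `lookup` on the existing Secret preserves across upgrades. Quoting the key also protects a client id that YAML would otherwise retype.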
@@ -0,0 +1,31 @@ +{{- /* +* Copyright (c) 2024 Contributors to the Eclipse Foundation +* +* See the NOTICE file(s) distributed with this work for additional +* information regarding copyright ownership. +* +* This program and the accompanying materials are made available under the +* terms of the Apache License, Version 2.0 which is available at +* https://www.apache.org/licenses/LICENSE-2.0. +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +* License for the specific language governing permissions and limitations +* under the License. +* +* SPDX-License-Identifier: Apache-2.0 +*/}} + +{{- if and (.Values.seeding.enabled) (not .Values.seeding.clients.existingSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "centralidp.secret.clients" . }} + namespace: {{ .Release.Namespace }} +type: Opaque +stringData: + {{ .Values.seeding.clients.miw.clientId }}: {{ .Values.seeding.clients.miw.clientSecret | default "changeme" | quote }} + {{ .Values.seeding.clients.bpdm.clientId }}: {{ .Values.seeding.clients.bpdm.clientSecret | default "changeme" | quote }} + {{ .Values.seeding.clients.bpdmGate.clientId }}: {{ .Values.seeding.clients.bpdmGate.clientSecret | default "changeme" | quote }} +{{- end -}} diff --git a/charts/centralidp/templates/secret-extra-service-accounts.yaml b/charts/centralidp/templates/secret-extra-service-accounts.yaml new file mode 100644 index 00000000..d7ff5311 --- /dev/null +++ b/charts/centralidp/templates/secret-extra-service-accounts.yaml 
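Review bot: The three `stringData` keys are emitted unquoted (`{{ .Values.seeding.clients.miw.clientId }}:`), so a clientId containing `: `, ` #` or a leading YAML indicator would break the rendered Secret; the same pattern appears in secret-extra-service-accounts.yaml and secret-base-service-accounts.yaml. Render the keys with `| quote`, e.g. `{{ .Values.seeding.clients.miw.clientId | quote }}: {{ .Values.seeding.clients.miw.clientSecret | default "changeme" | quote }}`. job-seeding.yaml reads these Secrets with `key: {{ .clientId }}`, also unquoted, so the same treatment applies there.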
@@ -0,0 +1,31 @@ +{{- /* +* Copyright (c) 2024 Contributors to the Eclipse Foundation +* +* See the NOTICE file(s) distributed with this work for additional +* information regarding copyright ownership. +* +* This program and the accompanying materials are made available under the +* terms of the Apache License, Version 2.0 which is available at +* https://www.apache.org/licenses/LICENSE-2.0. +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +* License for the specific language governing permissions and limitations +* under the License. +* +* SPDX-License-Identifier: Apache-2.0 +*/}} + +{{- if and (.Values.seeding.enabled) (.Values.seeding.extraServiceAccounts.clientSecrets) (not .Values.seeding.extraServiceAccounts.existingSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "centralidp.secret.extraServiceAccounts" . }} + namespace: {{ .Release.Namespace }} +type: Opaque +stringData: + {{- range .Values.seeding.extraServiceAccounts.clientSecrets }} + {{ .clientId }}: {{ .clientSecret | default "changeme" | quote }} + {{- end }} +{{- end -}} diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 9ae70430..aa5dbd31 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml 
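Review bot: The render guard and the `range` both read `.Values.seeding.extraServiceAccounts.clientSecrets`, but values.yaml defines the list as `extraServiceAccounts.clientSecretsAndBpn` and job-seeding.yaml ranges over `clientSecretsAndBpn` to build `secretKeyRef` entries that point at this Secret. With extra service accounts configured the Secret is never rendered and the seeding pod fails on the missing secret; with none configured nothing is affected, which is probably why it went unnoticed. Change both references to `.Values.seeding.extraServiceAccounts.clientSecretsAndBpn`; the rename hunk for this file later in the series keeps the mismatch under `realmSeeding`.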
@@ -132,36 +132,116 @@ keycloak: existingSecretPasswordKey: "" seeding: -# -- Seeding job to create and upgrade CX_Central realm: -# enable to upgrade the configuration of the CX-Central realm from previous version; +# -- Seeding job to create and update the CX-Central realm: +# besides creating the CX-Central realm, the job can be used to update +# the configuration of the realm when upgrading to a new version; # Please also refer to the 'Post-Upgrade Configuration' section in the README.md # for configuration possibly not covered by the seeding job enabled: true + realm: "CX-Central" + # -- Set redirect addresses and - in the case of confidential clients - clients secrets + # for clients which are part of the basic CX-Central realm setup + # PLEASE SET CLIENT SECRETS for all non-testing and non-local purposes, default value is "changeme" + clients: + registration: + clientId: "Cl1-CX-Registration" + redirects: + - https://portal.example.org + portal: + clientId: "Cl2-CX-Portal" + rootUrl: https://portal.example.org/home + redirects: + - https://portal.example.org + semantics: + clientId: "Cl3-CX-Semantic" + redirects: + - https://portal.example.org/* + miw: + clientId: "Cl5-CX-Custodian" + clientSecret: "" + redirects: + - https://managed-identity-wallets.example.org/* + bpdm: + clientId: "Cl7-CX-BPDM" + clientSecret: "" + redirects: + - https://partners-pool.example.org/* + bpdmGate: + clientId: "Cl16-CX-BPDMGate" + clientSecret: "" + redirects: + - https://partners-gate.example.org/* + # -- Option to provide an existingSecret for the clients with clientId as key and clientSecret as value + existingSecret: "" + # -- Set client secrets for service accounts which are part of the basic CX-Central realm setup + # PLEASE SET CLIENT SECRETS for all non-testing and non-local purposes, default value is "changeme" + serviceAccounts: + clientSecrets: + - clientId: "sa-cl1-reg-2" + clientSecret: "" + - clientId: "sa-cl2-01" + clientSecret: "" + - clientId: "sa-cl2-02" + 
clientSecret: "" + - clientId: "sa-cl2-03" + clientSecret: "" + - clientId: "sa-cl2-04" + clientSecret: "" + - clientId: "sa-cl2-05" + clientSecret: "" + - clientId: "sa-cl3-cx-1" + clientSecret: "" + - clientId: "sa-cl5-custodian-2" + clientSecret: "" + - clientId: "sa-cl7-cx-5" + clientSecret: "" + - clientId: "sa-cl8-cx-1" + clientSecret: "" + - clientId: "sa-cl21-01" + clientSecret: "" + - clientId: "sa-cl22-01" + clientSecret: "" + - clientId: "sa-cl24-01" + clientSecret: "" + # -- Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value + existingSecret: "" + # -- Set value for the 'bpn' user attribute for the initial user and the base service account users + # initialUser refers to the username + bpnUserAttribute: + bpn: "BPNL00000003CRHK" + initialUser: "ac1cf001-7fbc-1f2f-817f-bce058020006" + identityProvider: + alias: "CX-Operator" + tokenUrl: "https://sharedidp.example.org/auth/realms/CX-Operator/protocol/openid-connect/token" + jwksUrl: "https://sharedidp.example.org/auth/realms/CX-Operator/protocol/openid-connect/certs" + authorizationUrl: "https://sharedidp.example.org/auth/realms/CX-Operator/protocol/openid-connect/auth" + logoutUrl: "https://sharedidp.example.org/auth/realms/CX-Operator/protocol/openid-connect/logout" + # -- Set client secrets and bpn user attribute for additional service accounts; + # meant to enable possible test data, default value for client secrets is "changeme" + extraServiceAccounts: + clientSecretsAndBpn: [] + # - clientId: "sa-test-01" + # clientSecret: "" + # bpn: "TBD1" + # - clientId: "sa-test-02" + # clientSecret: "" + # bpn: "TBD2" + # -- Option to provide an existingSecret for additional service accounts with clientId as key and clientSecret as value + existingSecret: "" image: "192.168.49.2:5000/iam-seeding:latest" imagePullPolicy: "Always" portContainer: 8080 authRealm: "master" useAuthTrail: "true" - dataPaths: - dataPath0: "realms/CX-Central-realm.json" - 
instanceName: "central" - existingSecret: "" - clients: - - clientId: "sa-cl2-01" - clientSecret: "" - - clientId: "sa-cl2-02" - clientSecret: "" - excludedUserAttributes: - attribute0: "bpn" - attribute1: "organisation" + dataPath: "realms/CX-Central-realm.json" # -- We recommend to review the default resource limits as this should a conscious choice. resources: requests: - cpu: 75m - memory: 200M + cpu: 250m + memory: 600M limits: - cpu: 225m - memory: 200M + cpu: 500m + memory: 600M extraVolumes: - name: realms emptyDir: {} From d4bfe593c5204ee3d5db0bd5d826f29bc8c7aef1 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 11:29:12 +0200 Subject: [PATCH 10/55] chore: fix seeding of bpn for service account user --- charts/centralidp/templates/job-seeding.yaml | 21 ++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index d4f06f02..77757a0e 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml 
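Review bot: The default `seeding.image` `"192.168.49.2:5000/iam-seeding:latest"` is a private registry address with a floating tag and `imagePullPolicy: "Always"`, so a default install of the chart cannot pull the seeding image and there is no immutable reference to audit. Presumably this is a WIP placeholder; before release it should point at the published image with a pinned tag, e.g. `image: "<published-registry>/iam-seeding:<release-tag>"`. The comment "default value is changeme" documents the weak fallback but does not make it safe; see the secret templates.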
@@ -149,16 +149,17 @@ spec: value: "bpn" - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__Attributes__0__VALUES__0" value: "{{ .Values.seeding.bpnUserAttribute.bpn }}" - # Comment out until fix for seeding script - # {{- $index := 1 }} - # {{- $bpn := .Values.seeding.bpnUserAttribute.bpn -}} - # {{- range .Values.seeding.serviceAccounts.clientSecrets }} - # - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__USERNAME - # value: {{ printf "service-account-%s" .clientId | quote }} - # - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__Attributes__0__VALUES__0 - # value: {{ $bpn }} - # {{- $index = add1 $index }} - # {{- end }} + {{- $index := 1 }} + {{- $bpn := .Values.seeding.bpnUserAttribute.bpn -}} + {{- range .Values.seeding.serviceAccounts.clientSecrets }} + - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__USERNAME + value: {{ printf "service-account-%s" .clientId | quote }} + - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__Attributes__0__NAME + value: "bpn" + - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__Attributes__0__VALUES__0 + value: {{ $bpn }} + {{- $index = add1 $index }} + {{- end }} ############################# ## IDENTITY PROVIDER From 8c1c4c00e79d8a74522b067dacbf23339bc3656b Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 11:34:53 +0200 Subject: [PATCH 11/55] chore: rename to realm seeding --- charts/centralidp/templates/_helpers.tpl | 12 +-- charts/centralidp/templates/job-seeding.yaml | 80 +++++++++---------- .../secret-base-service-accounts.yaml | 4 +- .../centralidp/templates/secret-clients.yaml | 8 +- .../secret-extra-service-accounts.yaml | 4 +- charts/centralidp/values.yaml | 2 +- 6 files changed, 55 insertions(+), 55 deletions(-) diff --git a/charts/centralidp/templates/_helpers.tpl b/charts/centralidp/templates/_helpers.tpl index 5a318ecc..dfe2674f 100644 --- a/charts/centralidp/templates/_helpers.tpl +++ b/charts/centralidp/templates/_helpers.tpl 
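Review bot: `value: {{ $bpn }}` for the service-account users is emitted unquoted, while the initial user two lines above writes the same value as `"{{ .Values.seeding.bpnUserAttribute.bpn }}"`; a BPN that YAML reads as a number would produce a non-string env `value` and be rejected at apply time. Use `value: {{ $bpn | quote }}` to match the initial-user entry. The env list this sits in starts outside the hunk.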
@@ -38,8 +38,8 @@ This is necessary to retrieve the keycloak service name for the execution of the Define secret name for clients secrets of clients (realm seeding). */}} {{- define "centralidp.secret.clients" -}} -{{- if .Values.seeding.clients.existingSecret -}} -{{- .Values.seeding.clients.existingSecret }} +{{- if .Values.realmSeeding.clients.existingSecret -}} +{{- .Values.realmSeeding.clients.existingSecret }} {{- else -}} {{- include "centralidp.fullname" . -}}-clients {{- end -}} @@ -49,8 +49,8 @@ Define secret name for clients secrets of clients (realm seeding). Define secret name for clients secrets of base service accounts (realm seeding). */}} {{- define "centralidp.secret.serviceAccounts" -}} -{{- if .Values.seeding.serviceAccounts.existingSecret -}} -{{- .Values.seeding.serviceAccounts.existingSecret }} +{{- if .Values.realmSeeding.serviceAccounts.existingSecret -}} +{{- .Values.realmSeeding.serviceAccounts.existingSecret }} {{- else -}} {{- include "centralidp.fullname" . -}}-base-service-accounts {{- end -}} @@ -60,8 +60,8 @@ Define secret name for clients secrets of base service accounts (realm seeding). Define secret name for clients secrets of additional service accounts (realm seeding). */}} {{- define "centralidp.secret.extraServiceAccounts" -}} -{{- if .Values.seeding.extraServiceAccounts.existingSecret -}} -{{- .Values.seeding.extraServiceAccounts.existingSecret }} +{{- if .Values.realmSeeding.extraServiceAccounts.existingSecret -}} +{{- .Values.realmSeeding.extraServiceAccounts.existingSecret }} {{- else -}} {{- include "centralidp.fullname" . -}}-extra-service-accounts {{- end -}} diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index 77757a0e..185732c4 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml 
@@ -17,7 +17,7 @@ * SPDX-License-Identifier: Apache-2.0 */}} -{{- if .Values.seeding.enabled -}} +{{- if .Values.realmSeeding.enabled -}} apiVersion: batch/v1 kind: Job metadata: @@ -37,8 +37,8 @@ spec: drop: - ALL runAsNonRoot: true - image: "{{ .Values.seeding.image }}" - imagePullPolicy: "{{ .Values.seeding.imagePullPolicy }}" + image: "{{ .Values.realmSeeding.image }}" + imagePullPolicy: "{{ .Values.realmSeeding.imagePullPolicy }}" env: - name: "KEYCLOAK__CENTRAL__CONNECTIONSTRING" value: "http://{{ template "centralidp.fullname" . }}" 
@@ -50,47 +50,47 @@ spec: name: "{{ template "centralidp.fullname" . }}" key: "admin-password" - name: "KEYCLOAK__CENTRAL__AUTHREALM" - value: "{{ .Values.seeding.authRealm }}" + value: "{{ .Values.realmSeeding.authRealm }}" - name: "KEYCLOAK__CENTRAL__USEAUTHTRAIL" - value: "{{ .Values.seeding.useAuthTrail }}" + value: "{{ .Values.realmSeeding.useAuthTrail }}" - name: "KEYCLOAKSEEDING__DATAPATHES__0" - value: "{{ .Values.seeding.dataPath }}" + value: "{{ .Values.realmSeeding.dataPath }}" - name: "KEYCLOAKSEEDING__INSTANCENAME" value: "central" - name: "KEYCLOAKSEEDING__REALMS__0__REALM" - value: "{{ .Values.seeding.realm }}" + value: "{{ .Values.realmSeeding.realm }}" ########### ## CLIENTS ########### - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__CLIENTID" - value: "{{ .Values.seeding.clients.registration.clientId }}" - {{- range $index, $redirects := .Values.seeding.clients.registration.redirects }} + value: "{{ .Values.realmSeeding.clients.registration.clientId }}" + {{- range $index, $redirects := .Values.realmSeeding.clients.registration.redirects }} - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__REDIRECTURIS__{{ $index }} value: {{ $redirects | quote }} {{- end }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__CLIENTID" - value: "{{ .Values.seeding.clients.portal.clientId }}" - {{- range $index, $redirects := .Values.seeding.clients.portal.redirects }} + value: "{{ .Values.realmSeeding.clients.portal.clientId }}" + {{- range $index, $redirects := .Values.realmSeeding.clients.portal.redirects }} - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__REDIRECTURIS__{{ $index }} value: {{ $redirects | quote }} {{- end }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__2__CLIENTID" - value: "{{ .Values.seeding.clients.semantics.clientId }}" - {{- range $index, $redirects := .Values.seeding.clients.semantics.redirects }} + value: "{{ .Values.realmSeeding.clients.semantics.clientId }}" + {{- range $index, $redirects := .Values.realmSeeding.clients.semantics.redirects 
}} - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__2__REDIRECTURIS__{{ $index }} value: {{ $redirects | quote }} {{- end }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__CLIENTID" - value: "{{ .Values.seeding.clients.semantics.clientId }}" - {{- range $index, $redirects := .Values.seeding.clients.semantics.redirects }} + value: "{{ .Values.realmSeeding.clients.semantics.clientId }}" + {{- range $index, $redirects := .Values.realmSeeding.clients.semantics.redirects }} - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__REDIRECTURIS__{{ $index }} value: {{ $redirects | quote }} {{- end }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__CLIENTID" - value: "{{ .Values.seeding.clients.miw.clientId }}" - {{- range $index, $redirects := .Values.seeding.clients.miw.redirects }} + value: "{{ .Values.realmSeeding.clients.miw.clientId }}" + {{- range $index, $redirects := .Values.realmSeeding.clients.miw.redirects }} - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__REDIRECTURIS__{{ $index }} value: {{ $redirects | quote }} {{- end }} @@ -98,10 +98,10 @@ spec: valueFrom: secretKeyRef: name: "{{ template "centralidp.secret.clients" . }}" - key: "{{ .Values.seeding.clients.miw.clientId }}" + key: "{{ .Values.realmSeeding.clients.miw.clientId }}" - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__CLIENTID" - value: "{{ .Values.seeding.clients.bpdm.clientId }}" - {{- range $index, $redirects := .Values.seeding.clients.bpdm.redirects }} + value: "{{ .Values.realmSeeding.clients.bpdm.clientId }}" + {{- range $index, $redirects := .Values.realmSeeding.clients.bpdm.redirects }} - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__REDIRECTURIS__{{ $index }} value: {{ $redirects | quote }} {{- end }} 
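Review bot: On the new side the client entries at index 2 and 3 both read `.Values.realmSeeding.clients.semantics.clientId` and `semantics.redirects`, so two seeding entries carry the same clientId and whichever client was meant for slot 3 is never configured. This predates the rename but survives it; the values file defines no further public client, so slot 3 should either be dropped or wired to the intended client. The hunk at `@@ -98,10 +98,10 @@` continues the same client list and this `@@ -50,47 +50,47 @@` hunk starts outside the visible span's first line.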
@@ -109,10 +109,10 @@ spec: valueFrom: secretKeyRef: name: "{{ template "centralidp.secret.clients" . }}" - key: "{{ .Values.seeding.clients.bpdm.clientId }}" + key: "{{ .Values.realmSeeding.clients.bpdm.clientId }}" - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__CLIENTID" - value: "{{ .Values.seeding.clients.bpdmGate.clientId }}" - {{- range $index, $redirects := .Values.seeding.clients.bpdmGate.redirects }} + value: "{{ .Values.realmSeeding.clients.bpdmGate.clientId }}" + {{- range $index, $redirects := .Values.realmSeeding.clients.bpdmGate.redirects }} - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__REDIRECTURIS__{{ $index }} value: {{ $redirects | quote }} {{- end }} @@ -120,7 +120,7 @@ spec: valueFrom: secretKeyRef: name: "{{ template "centralidp.secret.clients" . }}" - key: "{{ .Values.seeding.clients.bpdmGate.clientId }}" + key: "{{ .Values.realmSeeding.clients.bpdmGate.clientId }}" ############################# ## BASE SERVICE ACCOUNTS @@ -128,7 +128,7 @@ spec: {{- $index := 20 }} {{- $secretBaseSa := include "centralidp.secret.serviceAccounts" . -}} - {{- range .Values.seeding.serviceAccounts.clientSecrets }} + {{- range .Values.realmSeeding.serviceAccounts.clientSecrets }} - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__CLIENTID value: {{ .clientId | quote }} - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__SECRET 
@@ -144,14 +144,14 @@ spec: ############################# - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__USERNAME" - value: "{{ .Values.seeding.bpnUserAttribute.initialUser }}" + value: "{{ .Values.realmSeeding.bpnUserAttribute.initialUser }}" - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__Attributes__0__NAME" value: "bpn" - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__Attributes__0__VALUES__0" - value: "{{ .Values.seeding.bpnUserAttribute.bpn }}" + value: "{{ .Values.realmSeeding.bpnUserAttribute.bpn }}" {{- $index := 1 }} - {{- $bpn := .Values.seeding.bpnUserAttribute.bpn -}} - {{- range .Values.seeding.serviceAccounts.clientSecrets }} + {{- $bpn := .Values.realmSeeding.bpnUserAttribute.bpn -}} + {{- range .Values.realmSeeding.serviceAccounts.clientSecrets }} - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__USERNAME value: {{ printf "service-account-%s" .clientId | quote }} - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__Attributes__0__NAME 
@@ -166,15 +166,15 @@ spec: ############################# - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__ALIAS" - value: "{{ .Values.seeding.identityProvider.alias }}" + value: "{{ .Values.realmSeeding.identityProvider.alias }}" - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__TOKENURL" - value: "{{ .Values.seeding.identityProvider.tokenUrl }}" + value: "{{ .Values.realmSeeding.identityProvider.tokenUrl }}" - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__JWKSURL" - value: "{{ .Values.seeding.identityProvider.jwksUrl }}" + value: "{{ .Values.realmSeeding.identityProvider.jwksUrl }}" - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__AUTHORIZATIONURL" - value: "{{ .Values.seeding.identityProvider.authorizationUrl }}" + value: "{{ .Values.realmSeeding.identityProvider.authorizationUrl }}" - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__LOGOUTURL" - value: "{{ .Values.seeding.identityProvider.logoutUrl }}" + value: "{{ .Values.realmSeeding.identityProvider.logoutUrl }}" ############################### ## EXTRA SERVICE ACCOUNTS @@ -182,7 +182,7 @@ spec: {{- $index := 100 }} {{- $secret := include "centralidp.secret.extraServiceAccounts" . -}} - {{- range .Values.seeding.extraServiceAccounts.clientSecretsAndBpn }} + {{- range .Values.realmSeeding.extraServiceAccounts.clientSecretsAndBpn }} - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__CLIENTID value: {{ .clientId | quote }} - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__SECRET 
@@ -199,18 +199,18 @@ spec: ports: - name: http - containerPort: {{ .Values.seeding.portContainer }} + containerPort: {{ .Values.realmSeeding.portContainer }} protocol: TCP resources: - {{- toYaml .Values.seeding.resources | nindent 10 }} + {{- toYaml .Values.realmSeeding.resources | nindent 10 }} volumeMounts: - {{- toYaml .Values.seeding.extraVolumeMounts | nindent 10 }} + {{- toYaml .Values.realmSeeding.extraVolumeMounts | nindent 10 }} initContainers: - name: wait-for-keycloak image: appropriate/curl:latest command: [ 'sh', '-c', 'until curl -s http://{{ template "centralidp.fullname" . }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ] imagePullPolicy: IfNotPresent - {{- toYaml .Values.seeding.initContainers | nindent 8 }} + {{- toYaml .Values.realmSeeding.initContainers | nindent 8 }} volumes: - {{- toYaml .Values.seeding.extraVolumes | nindent 8 }} + {{- toYaml .Values.realmSeeding.extraVolumes | nindent 8 }} {{- end -}} diff --git a/charts/centralidp/templates/secret-base-service-accounts.yaml b/charts/centralidp/templates/secret-base-service-accounts.yaml index 9f8d01e4..77a193a7 100644 --- a/charts/centralidp/templates/secret-base-service-accounts.yaml +++ b/charts/centralidp/templates/secret-base-service-accounts.yaml @@ -17,7 +17,7 @@ * SPDX-License-Identifier: Apache-2.0 */}} -{{- if and (.Values.seeding.enabled) (not .Values.seeding.serviceAccounts.existingSecret) -}} +{{- if and (.Values.realmSeeding.enabled) (not .Values.realmSeeding.serviceAccounts.existingSecret) -}} apiVersion: v1 kind: Secret metadata: @@ -25,7 +25,7 @@ metadata: namespace: {{ .Release.Namespace }} type: Opaque stringData: - {{- range .Values.seeding.serviceAccounts.clientSecrets }} + {{- range .Values.realmSeeding.serviceAccounts.clientSecrets }} {{ .clientId }}: {{ .clientSecret | default "changeme" | quote }} {{- end }} {{- end -}} 
diff --git a/charts/centralidp/templates/secret-clients.yaml b/charts/centralidp/templates/secret-clients.yaml index 609e0f69..e7eb2283 100644 --- a/charts/centralidp/templates/secret-clients.yaml +++ b/charts/centralidp/templates/secret-clients.yaml @@ -17,7 +17,7 @@ * SPDX-License-Identifier: Apache-2.0 */}} -{{- if and (.Values.seeding.enabled) (not .Values.seeding.clients.existingSecret) -}} +{{- if and (.Values.realmSeeding.enabled) (not .Values.realmSeeding.clients.existingSecret) -}} apiVersion: v1 kind: Secret metadata: @@ -25,7 +25,7 @@ metadata: namespace: {{ .Release.Namespace }} type: Opaque stringData: - {{ .Values.seeding.clients.miw.clientId }}: {{ .Values.seeding.clients.miw.clientSecret | default "changeme" | quote }} - {{ .Values.seeding.clients.bpdm.clientId }}: {{ .Values.seeding.clients.bpdm.clientSecret | default "changeme" | quote }} - {{ .Values.seeding.clients.bpdmGate.clientId }}: {{ .Values.seeding.clients.bpdmGate.clientSecret | default "changeme" | quote }} + {{ .Values.realmSeeding.clients.miw.clientId }}: {{ .Values.realmSeeding.clients.miw.clientSecret | default "changeme" | quote }} + {{ .Values.realmSeeding.clients.bpdm.clientId }}: {{ .Values.realmSeeding.clients.bpdm.clientSecret | default "changeme" | quote }} + {{ .Values.realmSeeding.clients.bpdmGate.clientId }}: {{ .Values.realmSeeding.clients.bpdmGate.clientSecret | default "changeme" | quote }} {{- end -}} diff --git a/charts/centralidp/templates/secret-extra-service-accounts.yaml b/charts/centralidp/templates/secret-extra-service-accounts.yaml index d7ff5311..f9ffa3fc 100644 --- a/charts/centralidp/templates/secret-extra-service-accounts.yaml +++ b/charts/centralidp/templates/secret-extra-service-accounts.yaml 
@@ -17,7 +17,7 @@ * SPDX-License-Identifier: Apache-2.0 */}} -{{- if and (.Values.seeding.enabled) (.Values.seeding.extraServiceAccounts.clientSecrets) (not .Values.seeding.extraServiceAccounts.existingSecret) -}} +{{- if and (.Values.realmSeeding.enabled) (.Values.realmSeeding.extraServiceAccounts.clientSecrets) (not .Values.realmSeeding.extraServiceAccounts.existingSecret) -}} apiVersion: v1 kind: Secret metadata: @@ -25,7 +25,7 @@ metadata: namespace: {{ .Release.Namespace }} type: Opaque stringData: - {{- range .Values.seeding.extraServiceAccounts.clientSecrets }} + {{- range .Values.realmSeeding.extraServiceAccounts.clientSecrets }} {{ .clientId }}: {{ .clientSecret | default "changeme" | quote }} {{- end }} {{- end -}} diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index aa5dbd31..755e90ef 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -131,7 +131,7 @@ keycloak: existingSecretDatabaseKey: "" existingSecretPasswordKey: "" -seeding: +realmSeeding: # -- Seeding job to create and update the CX-Central realm: # besides creating the CX-Central realm, the job can be used to update # the configuration of the realm when upgrading to a new version; From 982ba2b6b927d4e6ae277ba2220274814e5163ef Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 11:45:59 +0200 Subject: [PATCH 12/55] chore: WIP change chart testing --- charts/values-test-centralidp.yaml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/charts/values-test-centralidp.yaml b/charts/values-test-centralidp.yaml index ef3f22bd..9c4b8bf7 100644 --- a/charts/values-test-centralidp.yaml +++ b/charts/values-test-centralidp.yaml 
@@ -18,21 +18,22 @@ ############################################################### keycloak: + # set secret to enable upgrade from chart version 3.0.0 + postgresql: + auth: + existingSecret: "centralidp-postgresql" +realmSeeding: initContainers: - - name: import + - name: init-cx-central image: kind-registry:5000/iam:testing - imagePullPolicy: IfNotPresent + imagePullPolicy: Always command: - sh args: - -c - | - echo "Copying themes..." - cp -R /import/themes/catenax-central/* /themes - echo "Copying realms..." - cp -R /import/catenax-central/realms/* /realms + echo "Copying CX Central realm..." + cp -R /import/catenax-central/realms/* /app/realms volumeMounts: - - name: themes - mountPath: "/themes" - name: realms - mountPath: "/realms" + mountPath: "app/realms" From 82b07fbd71894c4adef2ac30a77fc91a85fc4d12 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 13:27:09 +0200 Subject: [PATCH 13/55] chore: update chart testing for upgrade --- .github/workflows/centralidp-chart-test.yaml | 4 +-- charts/values-test-upgrade.yaml | 37 ++++++++++++++++++++ 2 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 charts/values-test-upgrade.yaml diff --git a/.github/workflows/centralidp-chart-test.yaml b/.github/workflows/centralidp-chart-test.yaml index 5a076a2a..dbf78c55 100644 --- a/.github/workflows/centralidp-chart-test.yaml +++ b/.github/workflows/centralidp-chart-test.yaml 
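Review bot: `mountPath: "app/realms"` is a relative path, which Kubernetes rejects for a volume mount, and it does not match the `/app/realms` the init script copies into. Use `mountPath: "/app/realms"`. The `existingSecret: "centralidp-postgresql"` added under `keycloak.postgresql.auth` hard-codes the release name, which only holds while the test release is called `centralidp`.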
@@ -103,7 +103,7 @@ jobs: run: | helm repo add bitnami-full-index https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev - helm install centralidp tractusx-dev/centralidp --version ${{ github.event.inputs.upgrade_from || '2.1.0' }} --namespace upgrade --create-namespace --debug + helm install centralidp tractusx-dev/centralidp -f charts/values-test-upgrade.yaml --version ${{ github.event.inputs.upgrade_from || '2.1.0' }} --namespace upgrade --create-namespace --debug helm dependency update charts/centralidp - helm upgrade centralidp charts/centralidp -f charts/values-test-centralidp.yaml --namespace upgrade --debug + helm upgrade centralidp charts/centralidp -f charts/values-test-upgrade.yaml --namespace upgrade --debug if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true' diff --git a/charts/values-test-upgrade.yaml b/charts/values-test-upgrade.yaml new file mode 100644 index 00000000..5021b4c5 --- /dev/null +++ b/charts/values-test-upgrade.yaml 
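Review bot: The upgrade job now installs `tractusx-dev/centralidp` at `upgrade_from || '2.1.0'` together with `charts/values-test-upgrade.yaml`, whose header says it is for an upgrade from chart version 3.0.0; one of the two should change so the tested path is the documented one. If 3.0.0 is the supported baseline, `--version ${{ github.event.inputs.upgrade_from || '3.0.0' }}` would align them. Since the upgrade step also switches to that values file, the fresh-install values are no longer applied on upgrade, which is presumably intended but worth stating in the commit message.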
@@ -0,0 +1,37 @@ +############################################################### +# Copyright (c) 2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### + +# set credentials and architecture to test upgrade from chart version 3.0.0 to 4.0.0 +keycloak: + replicaCount: 1 + postgresql: + auth: + # -- Non-root user password. + password: "password" + # -- Root user password. + postgresPassword: "password" + architecture: standalone +secrets: + postgresql: + auth: + existingSecret: + postgrespassword: "password" + password: "password" +realmSeeding: + enabled: false From e0735973b03b5a61b35640a5440571ee11921804 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 13:31:11 +0200 Subject: [PATCH 14/55] chore(centralidp): update chart testing --- charts/values-test-centralidp.yaml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/charts/values-test-centralidp.yaml b/charts/values-test-centralidp.yaml index 9c4b8bf7..3ce8f50b 100644 --- a/charts/values-test-centralidp.yaml +++ b/charts/values-test-centralidp.yaml 
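Review bot: `realmSeeding: enabled: false` switches the seeding job off for the upgrade test, so the post-install/post-upgrade hook path introduced earlier in this series is exercised only by the fresh-install test, not by the upgrade this file is meant to cover. If the job cannot run against the older database yet, a comment such as `# seeding disabled until the realm upgrade path is verified` would stop the next reader from treating this as a finished upgrade test. The plaintext `"password"` values are acceptable for a throwaway CI release but should not be copied into other values files.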
@@ -18,10 +18,20 @@
 ###############################################################
 keycloak:
- # set secret to enable upgrade from chart version 3.0.0
- postgresql:
- auth:
- existingSecret: "centralidp-postgresql"
+ initContainers:
+ - name: import
+ image: kind-registry:5000/iam:testing
+ imagePullPolicy: Always
+ command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "Copying themes..."
+ cp -R /import/themes/catenax-central/* /themes
+ volumeMounts:
+ - name: themes
+ mountPath: "/themes"
 realmSeeding:
 initContainers:
 - name: init-cx-central
From 2a510525cde8a4905f61398e39a7f413414c43e1 Mon Sep 17 00:00:00 2001
From: Evelyn Gurschler
Date: Thu, 27 Jun 2024 13:36:42 +0200
Subject: [PATCH 15/55] chore: set automountServiceAccountToken to false
---
 charts/centralidp/templates/job-seeding.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml
index 185732c4..63444817 100644
--- a/charts/centralidp/templates/job-seeding.yaml
+++ b/charts/centralidp/templates/job-seeding.yaml
@@ -213,4 +213,5 @@ spec:
 {{- toYaml .Values.realmSeeding.initContainers | nindent 8 }}
 volumes:
 {{- toYaml .Values.realmSeeding.extraVolumes | nindent 8 }}
+ automountServiceAccountToken: false
 {{- end -}}
From bf84e02f3595e59a28fb060b8d9d90076670ed05 Mon Sep 17 00:00:00 2001
From: Evelyn Gurschler
Date: Thu, 27 Jun 2024 13:49:00 +0200
Subject: [PATCH 16/55] chore: set readOnlyRootFilesystem
---
 charts/centralidp/templates/job-seeding.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml
index 63444817..6e982431 100644
--- a/charts/centralidp/templates/job-seeding.yaml
+++ b/charts/centralidp/templates/job-seeding.yaml
@@ -36,6 +36,7 @@ spec:
 capabilities:
 drop:
 - ALL
+ readOnlyRootFilesystem: true
 runAsNonRoot: true
 image: "{{ .Values.realmSeeding.image }}"
 imagePullPolicy: "{{ .Values.realmSeeding.imagePullPolicy }}"
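Review bot: In the `readOnlyRootFilesystem` hunk of job-seeding.yaml the container securityContext now has `allowPrivilegeEscalation: false`, all capabilities dropped, a read-only root filesystem and `runAsNonRoot: true`, but no `seccompProfile`, which the restricted Pod Security Standard also expects; add `seccompProfile: { type: RuntimeDefault }` next to it. `runAsNonRoot: true` without a numeric `runAsUser` only works if the seeding image declares a numeric `USER` — with a user name the kubelet refuses to start the container — so an explicit `runAsUser` removes that dependency on the image. With the root filesystem read-only the process can write only to mounted volumes; the realms emptyDir is the only writable location visible in this series, so a `/tmp` emptyDir may be needed if the seeding process writes temporary files, which should be confirmed against the image. The enclosing container spec continues outside the hunk.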
From 0264afe1936433689bc2beefdbeab38504e03a0c Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 21:35:13 +0200 Subject: [PATCH 17/55] feat(sharedicp): add user and mail config to overall import file for CX-Operator --- .../catenax-shared/CX-Operator-realm.json | 27 ++++++++++++++++++- .../catenax-shared/CX-Operator-users-0.json | 18 ------------- 2 files changed, 26 insertions(+), 19 deletions(-) delete mode 100644 import/realm-config/generic/catenax-shared/CX-Operator-users-0.json diff --git a/import/realm-config/generic/catenax-shared/CX-Operator-realm.json b/import/realm-config/generic/catenax-shared/CX-Operator-realm.json index c1ee1b7b..1de79481 100644 --- a/import/realm-config/generic/catenax-shared/CX-Operator-realm.json +++ b/import/realm-config/generic/catenax-shared/CX-Operator-realm.json @@ -453,6 +453,21 @@ "webAuthnPolicyPasswordlessCreateTimeout": 0, "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "users" : [ { + "id" : "656e8a94-188b-4a3e-9eec-b45d8efd8347", + "username" : "cx-operator@cx.com", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "firstName" : "Operator", + "lastName" : "CX Admin", + "email" : "tobeadded@cx.com", + "credentials" : [ ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "notBefore" : 0, + "groups" : [ ] + } ], "scopeMappings": [ { "clientScope": "offline_access", @@ -1332,7 +1347,17 @@ "xXSSProtection": "1; mode=block", "strictTransportSecurity": "max-age=31536000; includeSubDomains" }, - "smtpServer": {}, + "smtpServer": { + "password": "**********", + "starttls": "true", + "auth": "true", + "port": "123", + "host": "smtp.example.org", + "replyTo": "email@example.org", + "from": "email@example.org", + "ssl": "", + "user": "smtp-user" + }, "eventsEnabled": false, "eventsListeners": [ "jboss-logging" 
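Review bot: `"password": "**********"` under `smtpServer` is the masked-secret marker Keycloak writes on export, not a value; applied to a fresh realm the literal asterisks would be stored as the SMTP password unless the seeding job overrides it, which the sharedidp job in this series does via `KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__PASSWORD` from a Secret — so this realm file must not be treated as a standalone import. The `cx-operator@cx.com` user moves from the separately delivered `CX-Operator-users-0.json` (previously fed through a Secret) into the committed realm export with `"credentials": []` and `"requiredActions": []`, i.e. an enabled account with no password and no forced reset; how its first credential is set is not visible in this series and should be documented, or `"UPDATE_PASSWORD"` added to `requiredActions`. JSON has no comment syntax, so the place for this is the chart README or the values comment for the CX-Operator realm.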
diff --git a/import/realm-config/generic/catenax-shared/CX-Operator-users-0.json b/import/realm-config/generic/catenax-shared/CX-Operator-users-0.json deleted file mode 100644 index cd08ed40..00000000 --- a/import/realm-config/generic/catenax-shared/CX-Operator-users-0.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "realm" : "CX-Operator", - "users" : [ { - "id" : "656e8a94-188b-4a3e-9eec-b45d8efd8347", - "username" : "cx-operator@cx.com", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "firstName" : "Operator", - "lastName" : "CX Admin", - "email" : "tobeadded@cx.com", - "credentials" : [ ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "notBefore" : 0, - "groups" : [ ] - } ] -} \ No newline at end of file From 1256eeb76865f0badf8100f8cacffc520d1c7ba6 Mon Sep 17 00:00:00 2001 
From: Evelyn Gurschler Date: Thu, 27 Jun 2024 21:40:14 +0200 Subject: [PATCH 18/55] chore(sharedidp): align with improvement from centralidp --- charts/sharedidp/templates/_helpers.tpl | 57 ++++++++ charts/sharedidp/templates/job-seeding.yaml | 137 +++++++++++++++++ .../templates/secret-external-db.yaml | 39 ----- .../templates/secret-postgres-init.yaml | 44 ------ .../secret-seeding-cx-operator-realm.yaml | 34 +++++ .../secret-seeding-master-realm.yaml | 30 ++++ .../templates/secret-sharedidp-realms.yaml | 36 ----- .../sharedidp/templates/secret-sharedidp.yaml | 38 ----- charts/sharedidp/values.yaml | 138 ++++++++++++------ charts/values-test-sharedidp.yaml | 19 ++- 10 files changed, 370 insertions(+), 202 deletions(-) create mode 100644 charts/sharedidp/templates/_helpers.tpl create mode 100644 charts/sharedidp/templates/job-seeding.yaml delete mode 100644 charts/sharedidp/templates/secret-external-db.yaml delete mode 100644 charts/sharedidp/templates/secret-postgres-init.yaml create mode 100644 charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml create mode 100644 charts/sharedidp/templates/secret-seeding-master-realm.yaml delete mode 100644 charts/sharedidp/templates/secret-sharedidp-realms.yaml delete mode 100644 charts/sharedidp/templates/secret-sharedidp.yaml diff --git a/charts/sharedidp/templates/_helpers.tpl b/charts/sharedidp/templates/_helpers.tpl new file mode 100644 index 00000000..80f8fdf6 --- /dev/null +++ b/charts/sharedidp/templates/_helpers.tpl 
@@ -0,0 +1,57 @@
+{{/*
+* Copyright (c) 2024 Contributors to the Eclipse Foundation
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/}}
+
+{{/*
+Define "sharedidp.fullname" like ""common.names.fullname" in the bitnami common chart but setting ".Chart.Name" to "keycloak".
+This is necessary to retrieve the keycloak service name for the execution of the seeding job.
+*/}}
+{{- define "sharedidp.fullname" -}}
+{{- if .Values.keycloak.fullnameOverride -}}
+{{- .Values.keycloak.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default "keycloak" .Values.keycloak.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define secret name for clients secrets of clients (realm seeding).
+*/}}
+{{- define "sharedidp.secret.realmSeeding.cxOperator" -}}
+{{- if .Values.realmSeeding.realms.cxOperator.existingSecret -}}
+{{- .Values.realmSeeding.realms.cxOperator.existingSecret }}
+{{- else -}}
+{{- include "sharedidp.fullname" . -}}-cx-operator-realm-seeding
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define secret name for clients secrets of clients (realm seeding).
+*/}}
+{{- define "sharedidp.secret.realmSeeding.master" -}}
+{{- if .Values.realmSeeding.realms.master.existingSecret -}}
+{{- .Values.realmSeeding.realms.master.existingSecret }}
+{{- else -}}
+{{- include "sharedidp.fullname" . -}}-master-realm-seeding
+{{- end -}}
+{{- end -}}
diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml
new file mode 100644
index 00000000..10eb4748
--- /dev/null
+++ b/charts/sharedidp/templates/job-seeding.yaml
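Review bot: The doc comment on `sharedidp.secret.realmSeeding.cxOperator` reads "Define secret name for clients secrets of clients (realm seeding)", but that Secret carries the CX-Operator SMTP mailing configuration (see secret-seeding-cx-operator-realm.yaml in this patch); the identical sentence on the master helper is the accurate one. Suggest `Define secret name for the CX-Operator realm mailing (SMTP) configuration read by the seeding job.` for the first and `Define secret name for the master realm service-account client secrets (clientId as key) read by the seeding job.` for the second. The `sharedidp.fullname` comment also has a stray quote in `""common.names.fullname"`.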
@@ -0,0 +1,137 @@ +{{- /* +* Copyright (c) 2024 Contributors to the Eclipse Foundation +* +* See the NOTICE file(s) distributed with this work for additional +* information regarding copyright ownership. +* +* This program and the accompanying materials are made available under the +* terms of the Apache License, Version 2.0 which is available at +* https://www.apache.org/licenses/LICENSE-2.0. +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +* License for the specific language governing permissions and limitations +* under the License. +* +* SPDX-License-Identifier: Apache-2.0 +*/}} + +{{- if .Values.realmSeeding.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "sharedidp.fullname" . }}-realm-seeding-{{ .Release.Revision }} + namespace: {{ .Release.Namespace }} +spec: + template: + metadata: + name: {{ include "sharedidp.fullname" . }}-realm-seeding + spec: + restartPolicy: Never + containers: + - name: {{ include "sharedidp.fullname" . }}-realm-seeding + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "{{ .Values.realmSeeding.image }}" + imagePullPolicy: "{{ .Values.realmSeeding.imagePullPolicy }}" + env: + - name: "KEYCLOAK__SHARED__CONNECTIONSTRING" + value: "http://{{ template "sharedidp.fullname" . }}" + - name: "KEYCLOAK__SHARED__USER" + value: "{{ .Values.keycloak.auth.adminUser }}" + - name: "KEYCLOAK__SHARED__PASSWORD" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.fullname" . 
}}" + key: "admin-password" + - name: "KEYCLOAK__SHARED__AUTHREALM" + value: "{{ .Values.realmSeeding.authRealm }}" + - name: "KEYCLOAK__SHARED__USEAUTHTRAIL" + value: "{{ .Values.realmSeeding.useAuthTrail }}" + - name: "KEYCLOAKSEEDING__DATAPATHES__0" + value: "{{ .Values.realmSeeding.dataPaths.path0 }}" + - name: "KEYCLOAKSEEDING__DATAPATHES__1" + value: "{{ .Values.realmSeeding.dataPaths.path1 }}" + - name: "KEYCLOAKSEEDING__INSTANCENAME" + value: "shared" + - name: "KEYCLOAKSEEDING__REALMS__0__REALM" + value: "{{ .Values.realmSeeding.realms.cxOperator.name }}" + - name: "KEYCLOAKSEEDING__REALMS__1__REALM" + value: "{{ .Values.realmSeeding.realms.master.name }}" + + ############################# + ## CX-OPERATOR CLIENT + ############################# + + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__CLIENTID" + value: "{{ .Values.realmSeeding.realms.cxOperator.cxCentralConnection.clientId }}" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__REDIRECTURIS__0" + value: "{{ .Values.realmSeeding.realms.cxOperator.cxCentralConnection.redirect }}" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__ATTRIBUTES__0__NAME" + value: "jwks.url" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__ATTRIBUTES__0__VALUE" + value: "{{ .Values.realmSeeding.realms.cxOperator.cxCentralConnection.jwksUrl }}" + + ############################# + ## CX-OPERATOR MAIL CONFIG + ############################# + + - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__HOST" + value: "{{ .Values.realmSeeding.realms.cxOperator.mailing.host }}" + - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__PORT" + value: "{{ .Values.realmSeeding.realms.cxOperator.mailing.port }}" + - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__USER" + value: "{{ .Values.realmSeeding.realms.cxOperator.mailing.user }}" + - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__FROM" + value: "{{ .Values.realmSeeding.realms.cxOperator.mailing.from }}" + - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__REPLYTO" + value: "{{ 
.Values.realmSeeding.realms.cxOperator.mailing.replyTo }}" + - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__PASSWORD" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "password" + + ############################# + ## MASTER SERVICE ACCOUNTS + ############################# + + - name: "KEYCLOAKSEEDING__REALMS__1__CLIENTS__0__CLIENTID" + value: "{{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientId }}" + - name: KEYCLOAKSEEDING__REALMS__1__CLIENTS__0__SECRET + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.master" . }}" + key: "{{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientId }}" + - name: "KEYCLOAKSEEDING__REALMS__1__CLIENTS__1__CLIENTID" + value: "{{ .Values.realmSeeding.realms.master.serviceAccounts.saCxOperator.clientId }}" + - name: KEYCLOAKSEEDING__REALMS__1__CLIENTS__1__SECRET + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.master" . }}" + key: "{{ .Values.realmSeeding.realms.master.serviceAccounts.saCxOperator.clientId }}" + + ports: + - name: http + containerPort: {{ .Values.realmSeeding.portContainer }} + protocol: TCP + resources: + {{- toYaml .Values.realmSeeding.resources | nindent 10 }} + volumeMounts: + {{- toYaml .Values.realmSeeding.extraVolumeMounts | nindent 10 }} + initContainers: + - name: wait-for-keycloak + image: appropriate/curl:latest + command: [ 'sh', '-c', 'until curl -s http://{{ template "sharedidp.fullname" . }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ] + imagePullPolicy: IfNotPresent + {{- toYaml .Values.realmSeeding.initContainers | nindent 8 }} + volumes: + {{- toYaml .Values.realmSeeding.extraVolumes | nindent 8 }} + automountServiceAccountToken: false +{{- end -}} 
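Review bot: `KEYCLOAK__SHARED__PASSWORD` is read from the Secret named `{{ template "sharedidp.fullname" . }}` with key `admin-password`, but `keycloak.auth.existingSecret` is a supported value in this chart (values.yaml in this series sets it to `""`), so an operator who brings their own admin Secret gets a job that reads a Secret that may not exist or holds a stale password; `name: "{{ .Values.keycloak.auth.existingSecret | default (include "sharedidp.fullname" .) }}"` keeps the two in step. The `wait-for-keycloak` init container loops on `curl -s` without `-f`, so any HTTP response — including a 5xx while Keycloak is still starting — ends the wait; `curl -sf` is what the readiness intent needs. That init container is also `appropriate/curl:latest`, an unpinned mutable tag with no `securityContext` or `resources`, unlike the hardened main container; pin it by digest and give it the same securityContext. Whether the bitnami subchart's generated Secret keeps the `admin-password` key when `existingSecret` is empty is inferred from the values defaults, not visible here.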
diff --git a/charts/sharedidp/templates/secret-external-db.yaml b/charts/sharedidp/templates/secret-external-db.yaml deleted file mode 100644 index 1bd5cd08..00000000 --- a/charts/sharedidp/templates/secret-external-db.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{- /* -* Copyright (c) 2022 Contributors to the Eclipse Foundation -* -* See the NOTICE file(s) distributed with this work for additional -* information regarding copyright ownership. -* -* This program and the accompanying materials are made available under the -* terms of the Apache License, Version 2.0 which is available at -* https://www.apache.org/licenses/LICENSE-2.0. -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -* License for the specific language governing permissions and limitations -* under the License. -* -* SPDX-License-Identifier: Apache-2.0 -*/}} - -{{- if not .Values.keycloak.postgresql.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keycloak.externalDatabase.existingSecret }} - namespace: {{ .Release.Namespace }} -type: Opaque -# use lookup function to check if secret exists -{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.keycloak.externalDatabase.existingSecret) }} -{{ if $secret -}} -data: - # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret - # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret - password: {{ ( .Values.keycloak.externalDatabase.password | b64enc ) | default $secret.data.password | quote }} -{{ else -}} -stringData: - # if secret doesn't exist, use provided value from values file or generate a random one - password: {{ .Values.keycloak.externalDatabase.password | default ( randAlphaNum 32 ) | quote }} -{{ end }} -{{- end -}} 
diff --git a/charts/sharedidp/templates/secret-postgres-init.yaml b/charts/sharedidp/templates/secret-postgres-init.yaml deleted file mode 100644 index 0422263d..00000000 --- a/charts/sharedidp/templates/secret-postgres-init.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -{{- /* -* Copyright (c) 2022 Contributors to the Eclipse Foundation -* -* See the NOTICE file(s) distributed with this work for additional -* information regarding copyright ownership. -* -* This program and the accompanying materials are made available under the -* terms of the Apache License, Version 2.0 which is available at -* https://www.apache.org/licenses/LICENSE-2.0. -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -* License for the specific language governing permissions and limitations -* under the License. -* -* SPDX-License-Identifier: Apache-2.0 -*/}} - -{{- if .Values.keycloak.postgresql.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keycloak.postgresql.auth.existingSecret }} - namespace: {{ .Release.Namespace }} -type: Opaque -# use lookup function to check if secret exists -{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.keycloak.postgresql.auth.existingSecret) }} -{{ if $secret -}} -data: - # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret - # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret - # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too - postgres-password: {{ ( .Values.secrets.postgresql.auth.existingSecret.postgrespassword | b64enc ) | default ( index $secret.data "postgres-password" ) | quote }} - password: {{ ( .Values.secrets.postgresql.auth.existingSecret.password | b64enc ) | default $secret.data.password | quote }} - replication-password: {{ ( .Values.secrets.postgresql.auth.existingSecret.replicationPassword | b64enc ) | default ( index $secret.data "replication-password" ) | quote }} -{{ else -}} -stringData: - # if secret 
doesn't exist, use provided value from values file or generate a random one - postgres-password: {{ .Values.secrets.postgresql.auth.existingSecret.postgrespassword | default ( randAlphaNum 32 ) | quote }} - password: {{ .Values.secrets.postgresql.auth.existingSecret.password | default ( randAlphaNum 32 ) | quote }} - replication-password: {{ .Values.secrets.postgresql.auth.existingSecret.replicationPassword | default ( randAlphaNum 32 ) | quote }} -{{ end }} -{{- end -}} \ No newline at end of file diff --git a/charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml b/charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml new file mode 100644 index 00000000..e7b836be --- /dev/null +++ b/charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml 
@@ -0,0 +1,34 @@
+{{- /*
+* Copyright (c) 2024 Contributors to the Eclipse Foundation
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/}}
+
+{{- if and (.Values.realmSeeding.enabled) (not .Values.realmSeeding.realms.cxOperator.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "sharedidp.secret.realmSeeding.cxOperator" . }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+ host: {{ .Values.realmSeeding.realms.cxOperator.mailing.host | quote }}
+ port: {{ .Values.realmSeeding.realms.cxOperator.mailing.port | quote }}
+ user: {{ .Values.realmSeeding.realms.cxOperator.mailing.user | quote }}
+ password: {{ .Values.realmSeeding.realms.cxOperator.mailing.password | default "changeme" | quote }}
+ from: {{ .Values.realmSeeding.realms.cxOperator.mailing.from | quote }}
+ replyTo: {{ .Values.realmSeeding.realms.cxOperator.mailing.replyTo | quote }}
+{{- end -}}
diff --git a/charts/sharedidp/templates/secret-seeding-master-realm.yaml b/charts/sharedidp/templates/secret-seeding-master-realm.yaml
new file mode 100644
index 00000000..3f9350ce
--- /dev/null
+++ b/charts/sharedidp/templates/secret-seeding-master-realm.yaml
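Review bot: `password: {{ ... | default "changeme" | quote }}` turns a forgotten `realmSeeding.realms.cxOperator.mailing.password` into a deployment that silently uses the literal `changeme` as the SMTP credential; `{{ .Values.realmSeeding.realms.cxOperator.mailing.password | required "realmSeeding.realms.cxOperator.mailing.password must be set" | quote }}` fails at render time instead, and a local-dev fallback, if wanted, should be an explicit opt-in. The Secret also stores `host`, `port`, `user`, `from` and `replyTo`, but the seeding job in this patch reads only the `password` key from it and takes the other fields from values as plain env vars, so an `existingSecret` only needs a `password` key — say so in the values comment (`# -- existing Secret must contain key 'password'; the other mailing fields are read from values`), or make the job consume the remaining keys from the Secret so the two stay consistent.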
@@ -0,0 +1,30 @@
+{{- /*
+* Copyright (c) 2024 Contributors to the Eclipse Foundation
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/}}
+
+{{- if and (.Values.realmSeeding.enabled) (not .Values.realmSeeding.realms.master.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "sharedidp.secret.realmSeeding.master" . }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+ {{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientId }}: {{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret | default "changeme" | quote }}
+ {{ .Values.realmSeeding.realms.master.serviceAccounts.saCxOperator.clientId }}: {{ .Values.realmSeeding.realms.master.serviceAccounts.saCxOperator.clientSecret | default "changeme" | quote }}
+{{- end -}}
diff --git a/charts/sharedidp/templates/secret-sharedidp-realms.yaml b/charts/sharedidp/templates/secret-sharedidp-realms.yaml
deleted file mode 100644
index d6492576..00000000
--- a/charts/sharedidp/templates/secret-sharedidp-realms.yaml
+++ /dev/null
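Review bot: Both master-realm client secrets fall back to the literal `changeme` when `clientSecret` is empty, which is the chart default; per the values comments these are the service accounts that let the portal provision realms and manage the CX-Operator realm, so a missed value yields a well-known credential for the most privileged clients in the deployment. The "PLEASE SET CLIENT SECRET" comment in values.yaml is not enforcement; `{{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret | required "realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret must be set" | quote }}` (and the same for `saCxOperator`) makes rendering fail instead, with any dev-only default behind an explicit opt-in. A one-line comment here stating the `existingSecret` contract — one key per clientId holding the client secret — would also help, since it is currently described only in values.yaml.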
@@ -1,36 +0,0 @@ -{{- /* -* Copyright (c) 2022 Contributors to the Eclipse Foundation -* -* See the NOTICE file(s) distributed with this work for additional -* information regarding copyright ownership. -* -* This program and the accompanying materials are made available under the -* terms of the Apache License, Version 2.0 which is available at -* https://www.apache.org/licenses/LICENSE-2.0. -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -* License for the specific language governing permissions and limitations -* under the License. -* -* SPDX-License-Identifier: Apache-2.0 -*/}} - -{{- if .Values.secrets.realmuser.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: secret-sharedidp-realms - namespace: {{ .Release.Namespace }} -type: Opaque -data: - CX-Test-Access-users-0.json: {{ .Values.secrets.realmuser.cxtestaccessuser }} - Company-1-users-0.json: {{ .Values.secrets.realmuser.company1user }} - Company-2-users-0.json: {{ .Values.secrets.realmuser.company2user }} - Security-Company-users-0.json: {{ .Values.secrets.realmuser.securitycompany }} - CX-Operator-users-0.json: {{ .Values.secrets.realmuser.cxoperator }} - Service-Provider-users-0.json: {{ .Values.secrets.realmuser.serviceprovider }} - App-Provider-users-0.json: {{ .Values.secrets.realmuser.appprovider }} - Onboarding-Provider-users-0.json: {{ .Values.secrets.realmuser.onboardingprovider }} -{{- end -}} \ No newline at end of file diff --git a/charts/sharedidp/templates/secret-sharedidp.yaml b/charts/sharedidp/templates/secret-sharedidp.yaml deleted file mode 100644 index 7af8a6d4..00000000 --- a/charts/sharedidp/templates/secret-sharedidp.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -############################################################### -# Copyright (c) 2022 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################### - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keycloak.auth.existingSecret }} - namespace: {{ .Release.Namespace }} -type: Opaque -# use lookup function to check if secret exists -{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.keycloak.auth.existingSecret) }} -{{ if $secret -}} -data: - # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret - # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret - # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too - admin-password: {{ ( .Values.secrets.auth.existingSecret.adminpassword | b64enc ) | default ( index $secret.data "admin-password" ) | quote }} -{{ else -}} -stringData: - # if secret doesn't exist, use provided value from values file or generate a random one - admin-password: {{ .Values.secrets.auth.existingSecret.adminpassword | default ( randAlphaNum 32 ) | quote }} -{{ end }} 
diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index 79270b3b..5b1bd7d7 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -20,8 +20,9 @@ keycloak: auth: adminUser: admin + adminPassword: "" # -- Secret containing the passwords for admin username 'admin' and management username 'manager'. - existingSecret: "sharedidp-keycloak" + existingSecret: "" # -- Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. production: false # -- reverse Proxy mode edge, reencrypt, passthrough or none; @@ -32,24 +33,17 @@ keycloak: # as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'. # ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed httpRelativePath: "/auth/" - extraEnvVars: - - name: KEYCLOAK_EXTRA_ARGS - value: "-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/realms -Dkeycloak.migration.strategy=IGNORE_EXISTING" - replicaCount: 3 + replicaCount: 1 extraVolumes: - name: themes-catenax-shared emptyDir: {} - name: themes-catenax-shared-portal emptyDir: {} - - name: realms - emptyDir: {} extraVolumeMounts: - name: themes-catenax-shared mountPath: "/opt/bitnami/keycloak/themes/catenax-shared" - name: themes-catenax-shared-portal mountPath: "/opt/bitnami/keycloak/themes/catenax-shared-portal" - - name: realms - mountPath: "/realms" initContainers: - name: import image: docker.io/tractusx/portal-iam:v3.0.1 
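Review bot: With `KEYCLOAK_EXTRA_ARGS` (`-Dkeycloak.migration.action=import ... IGNORE_EXISTING`) and the `/realms` volume removed in the second hunk, a fresh install creates the CX-Operator realm only through the seeding job, so anyone setting `realmSeeding.enabled: false` (as `charts/values-test-upgrade.yaml` in this series does) ends up with a Keycloak that has only the master realm; that consequence belongs in the values comment and the README upgrade notes. The default `replicaCount` also drops from 3 to 1 while `service.sessionAffinity: ClientIP` stays — an availability change for anyone taking chart defaults, worth a `# -- single replica by default; raise for production` comment. In the first hunk `adminPassword: ""` together with `existingSecret: ""` presumably leaves admin-password generation to the bitnami subchart now that this chart's own `secret-sharedidp.yaml` is deleted; a comment stating where the admin password now comes from would save operators reading the subchart.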
@@ -63,15 +57,11 @@ keycloak: cp -R /import/themes/catenax-shared/* /themes-catenax-shared echo "Copying themes-catenax-shared-portal..." cp -R /import/themes/catenax-shared-portal/* /themes-catenax-shared-portal - echo "Copying realms..." - cp -R /import/catenax-shared/realms/* /realms volumeMounts: - name: themes-catenax-shared mountPath: "/themes-catenax-shared" - name: themes-catenax-shared-portal mountPath: "/themes-catenax-shared-portal" - - name: realms - mountPath: "/realms" service: sessionAffinity: ClientIP ingress: 
@@ -120,43 +110,109 @@ keycloak: auth: # -- Non-root username. username: kcshared + # -- Non-root user password. + password: "" + # -- Root user password. + postgresPassword: "" # -- Database name. database: iamsharedidp # -- Secret containing the passwords for root usernames postgres and non-root username kcshared. - existingSecret: "sharedidp-postgres" - architecture: replication + existingSecret: "" + architecture: standalone externalDatabase: # -- External PostgreSQL configuration # IMPORTANT: non-root db user needs needs to be created beforehand on external database. - # Database host ('-primary' is added as postfix). - host: "sharedidp-postgresql-external-db" + host: "" # -- Database port number. port: 5432 - # -- Non-root username for sharedidp. - user: "kcshared" + # -- Non-root username. + user: "" # -- Database name. - database: "iamsharedidp" - # -- Password for the non-root username (default 'kcshared'). Secret-key 'password'. + database: "" + # -- Password for the non-root username. password: "" - # -- Secret containing the password non-root username, (default 'kcshared'). - existingSecret: "sharedidp-keycloak-external-db" - # -- Name of an existing secret key containing the database credentials. - existingSecretPasswordKey: "password" + # -- Secret containing the database credentials + existingSecret: "" + existingSecretHostKey: "" + existingSecretPortKey: "" + existingSecretUserKey: "" + existingSecretDatabaseKey: "" + existingSecretPasswordKey: "" -secrets: - auth: - existingSecret: - # -- Password for the admin username 'admin'. Secret-key 'admin-password'. - adminpassword: "" - postgresql: - auth: - existingSecret: - # -- Password for the root username 'postgres'. Secret-key 'postgres-password'. - postgrespassword: "" - # -- Password for the non-root username 'kcshared'. Secret-key 'password'. 
+realmSeeding: +# -- Seeding job to create and update the CX-Central realm: +# besides creating the CX-Central realm, the job can be used to update +# the configuration of the realm when upgrading to a new version; +# Please also refer to the 'Post-Upgrade Configuration' section in the README.md +# for configuration possibly not covered by the seeding job + enabled: true + realms: + cxOperator: + name: "CX-Operator" + # -- Set redirect and jwks addresses as well as clients secret for the connection to the CX-Central (centralidp) + cxCentralConnection: + clientId: "central-idp" + # PLEASE SET CLIENT SECRET for all non-testing and non-local purposes, default value is "changeme" + clientSecret: "" + redirect: "http://centralidp.example.org/auth/realms/CX-Central/broker/CX-Operator/endpoint/*" + jwksUrl: "http://centralidp.example.org/auth/realms/CX-Central/protocol/openid-connect/certs" + mailing: + host: "smtp.example.org" + port: "123" + user: "smtp-user" password: "" - # -- Password for the non-root username 'repl_user'. Secret-key 'replication-password'. - replicationPassword: "" - realmuser: - # Enables the import of test users via secret. 
- enabled: false + from: "email@example.org" + replyTo: "email@example.org" + # -- Option to provide an existingSecret for mailing configuration + existingSecret: "" + master: + name: "master" + serviceAccounts: + # -- Set clients secret for the service account which enables the portal to provision new realms + provisioning: + clientId: "sa-cl1-reg-1" + # PLEASE SET CLIENT SECRET for all non-testing and non-local purposes, default value is "changeme" + clientSecret: "" + # -- Set clients secret for the service account which enables the portal to manage the CX-Operator realm + saCxOperator: + clientId: "saCX-Operator" + # PLEASE SET CLIENT SECRET for all non-testing and non-local purposes, default value is "changeme" + clientSecret: "" + # -- Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value + existingSecret: "" + image: "192.168.49.2:5000/iam-seeding:latest" + imagePullPolicy: "Always" + portContainer: 8080 + authRealm: "master" + useAuthTrail: "true" + dataPaths: + path0: "realms/CX-Operator-realm.json" + path1: "realms/master-realm.json" + # -- We recommend to review the default resource limits as this should a conscious choice. + resources: + requests: + cpu: 250m + memory: 600M + limits: + cpu: 500m + memory: 600M + extraVolumes: + - name: realms + emptyDir: {} + extraVolumeMounts: + - name: realms + mountPath: "app/realms" + initContainers: + - name: init-cx-central + image: 192.168.49.2:5000/iam:test + imagePullPolicy: Always + command: + - sh + args: + - -c + - | + echo "Copying realms..." + cp -R /import/catenax-shared/realms/* /app/realms + volumeMounts: + - name: realms + mountPath: "app/realms" diff --git a/charts/values-test-sharedidp.yaml b/charts/values-test-sharedidp.yaml index c1fca5cc..f5f50c13 100644 --- a/charts/values-test-sharedidp.yaml +++ b/charts/values-test-sharedidp.yaml 
@@ -21,7 +21,7 @@ keycloak: initContainers: - name: import image: kind-registry:5000/iam:testing - imagePullPolicy: IfNotPresent + imagePullPolicy: Always command: - sh args: @@ -31,12 +31,23 @@ keycloak: cp -R /import/themes/catenax-shared/* /themes-catenax-shared echo "Copying themes-catenax-shared-portal..." cp -R /import/themes/catenax-shared-portal/* /themes-catenax-shared-portal - echo "Copying realms..." - cp -R /import/catenax-shared/realms/* /realms volumeMounts: - name: themes-catenax-shared mountPath: "/themes-catenax-shared" - name: themes-catenax-shared-portal mountPath: "/themes-catenax-shared-portal" +realmSeeding: + initContainers: + - name: init-cx-central + image: kind-registry:5000/iam:testing + imagePullPolicy: Always + command: + - sh + args: + - -c + - | + echo "Copying realms..." + cp -R /import/catenax-shared/realms/* /app/realms + volumeMounts: - name: realms - mountPath: "/realms" + mountPath: "app/realms" From 53e268e47c31a324202d8cc8e46755c744db3178 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 21:55:39 +0200 Subject: [PATCH 19/55] chore: set ephemeral-storage --- charts/centralidp/values.yaml | 2 ++ charts/sharedidp/values.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 755e90ef..028bc690 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -239,9 +239,11 @@ realmSeeding: requests: cpu: 250m memory: 600M + ephemeral-storage: 50Mi limits: cpu: 500m memory: 600M + ephemeral-storage: 1024Mi extraVolumes: - name: realms emptyDir: {} diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index 5b1bd7d7..a286e16c 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -193,9 +193,11 @@ realmSeeding: requests: cpu: 250m memory: 600M + ephemeral-storage: 50Mi limits: cpu: 500m memory: 600M + ephemeral-storage: 1024Mi extraVolumes: - name: realms emptyDir: {} 
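Review bot: `mountPath: "app/realms"` on the new `realmSeeding.initContainers` volume mount is a relative path, while the command two lines above copies into the absolute `/app/realms`, so the copied realm files are unlikely to land inside the `realms` volume — and, as far as I know, container runtimes reject a non-absolute mount destination outright. Change it to `mountPath: "/app/realms"`, consistent with the absolute `/themes-...` mounts the keycloak initContainer keeps in the same hunk. The chart's default `extraVolumeMounts` carries the same relative value and should be corrected together with this test override. The `keycloak.initContainers[0]` entry edited at the top of this hunk begins in the previous hunk.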
From f4d53788777833756c0ccbfd40df8dac714d276e Mon Sep 17 00:00:00 2001
From: Evelyn Gurschler
Date: Thu, 27 Jun 2024 22:00:58 +0200
Subject: [PATCH 20/55] chore(sharedidp): enable upgrade
---
 .github/workflows/sharedidp-chart-test.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/sharedidp-chart-test.yaml b/.github/workflows/sharedidp-chart-test.yaml
index 3eaf39ea..fa9df825 100644
--- a/.github/workflows/sharedidp-chart-test.yaml
+++ b/.github/workflows/sharedidp-chart-test.yaml
@@ -103,7 +103,7 @@ jobs:
 run: |
 helm repo add bitnami-full-index https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
 helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
- helm install sharedidp tractusx-dev/sharedidp --version ${{ github.event.inputs.upgrade_from || '2.1.0' }} --namespace upgrade --create-namespace --debug
+ helm install sharedidp tractusx-dev/sharedidp -f charts/values-test-upgrade.yaml --version ${{ github.event.inputs.upgrade_from || '2.1.0' }} --namespace upgrade --create-namespace --debug
 helm dependency update charts/sharedidp
- helm upgrade sharedidp charts/sharedidp -f charts/values-test-sharedidp.yaml --namespace upgrade --debug
+ helm upgrade sharedidp charts/sharedidp -f charts/values-test-upgrade.yaml --namespace upgrade --debug
 if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'
From a6068cafea4533ed1ec436e9f9cd2d725607c6d5 Mon Sep 17 00:00:00 2001
From: Evelyn Gurschler
Date: Thu, 27 Jun 2024 22:58:15 +0200
Subject: [PATCH 21/55] chore: improve config
---
 charts/centralidp/templates/job-seeding.yaml | 10 +++++-----
 charts/centralidp/values.yaml | 14 ++++++++------
 charts/sharedidp/templates/job-seeding.yaml | 6 +++---
 charts/sharedidp/values.yaml | 9 +++++----
 4 files changed, 21 insertions(+), 18 deletions(-)
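Review bot: Both rewritten helm lines keep `--debug`, which makes Helm print the fully rendered manifests — including the `stringData` of the seeding Secrets with their fallback passwords — into the workflow log of a public repository. With the test values that only exposes defaults, but as soon as `charts/values-test-upgrade.yaml` carries anything real it becomes a disclosure path; drop `--debug` from the `helm install`/`helm upgrade` lines or enable it only on failure. The diffstat lists only the workflow, so `charts/values-test-upgrade.yaml` must already exist in the repository or the install step fails before the upgrade is exercised. The `run: |` step continues outside this hunk.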
diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index 6e982431..2869ab96 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml @@ -167,15 +167,15 @@ spec: ############################# - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__ALIAS" - value: "{{ .Values.realmSeeding.identityProvider.alias }}" + value: "{{ .Values.realmSeeding.sharedidp.idpAlias }}" - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__TOKENURL" - value: "{{ .Values.realmSeeding.identityProvider.tokenUrl }}" + value: "{{ .Values.realmSeeding.sharedidp.address }}{{ .Values.realmSeeding.sharedidp.tokenPath }}" - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__JWKSURL" - value: "{{ .Values.realmSeeding.identityProvider.jwksUrl }}" + value: "{{ .Values.realmSeeding.sharedidp.address }}{{ .Values.realmSeeding.sharedidp.jwksPath }}" - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__AUTHORIZATIONURL" - value: "{{ .Values.realmSeeding.identityProvider.authorizationUrl }}" + value: "{{ .Values.realmSeeding.sharedidp.address }}{{ .Values.realmSeeding.sharedidp.authorizationPath }}" - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__LOGOUTURL" - value: "{{ .Values.realmSeeding.identityProvider.logoutUrl }}" + value: "{{ .Values.realmSeeding.sharedidp.address }}{{ .Values.realmSeeding.sharedidp.logoutPath }}" ############################### ## EXTRA SERVICE ACCOUNTS diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 028bc690..53bd4a47 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml 
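Review bot: The four identity-provider endpoint URLs (`TOKENURL`, `JWKSURL`, `AUTHORIZATIONURL`, `LOGOUTURL`) are now plain concatenations of `realmSeeding.sharedidp.address` and a path, so an `address` ending in `/` yields `https://host//auth/...` and a value without a scheme is passed through to Keycloak unchanged. Because these values decide where the broker sends users and which JWKS it trusts, normalise once and fail early, e.g. `value: "{{ required "realmSeeding.sharedidp.address must be set" .Values.realmSeeding.sharedidp.address | trimSuffix "/" }}{{ .Values.realmSeeding.sharedidp.tokenPath }}"` and the same for the other three. The container's env list continues on both sides of this hunk.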
@@ -210,12 +210,14 @@ realmSeeding: bpnUserAttribute: bpn: "BPNL00000003CRHK" initialUser: "ac1cf001-7fbc-1f2f-817f-bce058020006" - identityProvider: - alias: "CX-Operator" - tokenUrl: "https://sharedidp.example.org/auth/realms/CX-Operator/protocol/openid-connect/token" - jwksUrl: "https://sharedidp.example.org/auth/realms/CX-Operator/protocol/openid-connect/certs" - authorizationUrl: "https://sharedidp.example.org/auth/realms/CX-Operator/protocol/openid-connect/auth" - logoutUrl: "https://sharedidp.example.org/auth/realms/CX-Operator/protocol/openid-connect/logout" + # -- Set sharedidp address to enable the identity provider connection to CX-Operator realm (sharedidp) + sharedidp: + address: "https://sharedidp.example.org" + idpAlias: "CX-Operator" + tokenPath: "/auth/realms/CX-Operator/protocol/openid-connect/token" + jwksPath: "/auth/realms/CX-Operator/protocol/openid-connect/certs" + authorizationPath: "/auth/realms/CX-Operator/protocol/openid-connect/auth" + logoutPath: "/auth/realms/CX-Operator/protocol/openid-connect/logout" # -- Set client secrets and bpn user attribute for additional service accounts; # meant to enable possible test data, default value for client secrets is "changeme" extraServiceAccounts: diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml index 10eb4748..013ab693 100644 --- a/charts/sharedidp/templates/job-seeding.yaml +++ b/charts/sharedidp/templates/job-seeding.yaml 
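Review bot: Renaming `realmSeeding.identityProvider.{tokenUrl,jwksUrl,authorizationUrl,logoutUrl}` to `realmSeeding.sharedidp.{address,*Path}` is a breaking values change: an operator who overrides the old keys will, after upgrading, have those overrides silently ignored and the CX-Operator broker seeded with the `https://sharedidp.example.org` defaults from this file. Add an upgrade note (README/CHANGELOG) naming the removed keys, and mention it in the comment here, e.g. `# -- Set sharedidp address ... (replaces the former identityProvider.*Url keys)`. The `realmSeeding` block continues outside this hunk.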
@@ -70,13 +70,13 @@ spec: ############################# - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__CLIENTID" - value: "{{ .Values.realmSeeding.realms.cxOperator.cxCentralConnection.clientId }}" + value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp.clientId }}" - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__REDIRECTURIS__0" - value: "{{ .Values.realmSeeding.realms.cxOperator.cxCentralConnection.redirect }}" + value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp.address }}{{ .Values.realmSeeding.realms.cxOperator.centralidp.redirectPath }}" - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__ATTRIBUTES__0__NAME" value: "jwks.url" - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__ATTRIBUTES__0__VALUE" - value: "{{ .Values.realmSeeding.realms.cxOperator.cxCentralConnection.jwksUrl }}" + value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp.address }}{{ .Values.realmSeeding.realms.cxOperator.centralidp.jwksPath }}" ############################# ## CX-OPERATOR MAIL CONFIG diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index a286e16c..6bb53a4f 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml 
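Review bot: `CLIENTS__0__REDIRECTURIS__0` and the `jwks.url` attribute are built by gluing `centralidp.address` to a path; since `redirectPath` ends in `/*`, a trailing slash on `address` registers `https://host//auth/.../endpoint/*`, which no longer matches the broker callback and breaks the federated login at runtime rather than at render time. Use `{{ .Values.realmSeeding.realms.cxOperator.centralidp.address | trimSuffix "/" }}` in both `value:` lines (or a small named template shared by the two). The env list of the seeding container continues outside this hunk.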
@@ -149,13 +149,14 @@ realmSeeding: realms: cxOperator: name: "CX-Operator" - # -- Set redirect and jwks addresses as well as clients secret for the connection to the CX-Central (centralidp) - cxCentralConnection: + # -- Set centralidp address and clients secret for the connection to the CX-Central (centralidp) + centralidp: + address: "https://centralidp.example.org" clientId: "central-idp" # PLEASE SET CLIENT SECRET for all non-testing and non-local purposes, default value is "changeme" clientSecret: "" - redirect: "http://centralidp.example.org/auth/realms/CX-Central/broker/CX-Operator/endpoint/*" - jwksUrl: "http://centralidp.example.org/auth/realms/CX-Central/protocol/openid-connect/certs" + redirectPath: "/auth/realms/CX-Central/broker/CX-Operator/endpoint/*" + jwksPath: "/auth/realms/CX-Central/protocol/openid-connect/certs" mailing: host: "smtp.example.org" port: "123" From 8b8fa30dbd819d8c43b0b0da29fa73c05725eb07 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 23:02:53 +0200 Subject: [PATCH 22/55] chore: remove obsolete config --- charts/sharedidp/values.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index 6bb53a4f..3a89e6cd 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -149,12 +149,10 @@ realmSeeding: realms: cxOperator: name: "CX-Operator" - # -- Set centralidp address and clients secret for the connection to the CX-Central (centralidp) + # -- Set centralidp address for the connection to the CX-Central (centralidp) centralidp: address: "https://centralidp.example.org" clientId: "central-idp" - # PLEASE SET CLIENT SECRET for all non-testing and non-local purposes, default value is "changeme" - clientSecret: "" redirectPath: "/auth/realms/CX-Central/broker/CX-Operator/endpoint/*" jwksPath: "/auth/realms/CX-Central/protocol/openid-connect/certs" mailing: 
From 2b3d28592bd69aa66db4e270407dced4e7dcca8a Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 23:04:39 +0200 Subject: [PATCH 23/55] chore: improve docs --- charts/sharedidp/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index 3a89e6cd..d1feb989 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -155,6 +155,7 @@ realmSeeding: clientId: "central-idp" redirectPath: "/auth/realms/CX-Central/broker/CX-Operator/endpoint/*" jwksPath: "/auth/realms/CX-Central/protocol/openid-connect/certs" + # -- Set mailing configuration for CX-Operator realm mailing: host: "smtp.example.org" port: "123" From 9e0145714f91a7d656e5efed211b8bac59de5021 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 27 Jun 2024 23:19:49 +0200 Subject: [PATCH 24/55] chore: clean formatting --- charts/centralidp/templates/job-seeding.yaml | 42 ++++++++++---------- charts/sharedidp/templates/job-seeding.yaml | 4 +- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index 2869ab96..63f6d5d2 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml 
@@ -68,34 +68,34 @@ spec: - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__CLIENTID" value: "{{ .Values.realmSeeding.clients.registration.clientId }}" {{- range $index, $redirects := .Values.realmSeeding.clients.registration.redirects }} - - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__REDIRECTURIS__{{ $index }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} {{- end }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__CLIENTID" value: "{{ .Values.realmSeeding.clients.portal.clientId }}" {{- range $index, $redirects := .Values.realmSeeding.clients.portal.redirects }} - - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__REDIRECTURIS__{{ $index }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} {{- end }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__2__CLIENTID" value: "{{ .Values.realmSeeding.clients.semantics.clientId }}" {{- range $index, $redirects := .Values.realmSeeding.clients.semantics.redirects }} - - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__2__REDIRECTURIS__{{ $index }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__2__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} {{- end }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__CLIENTID" value: "{{ .Values.realmSeeding.clients.semantics.clientId }}" {{- range $index, $redirects := .Values.realmSeeding.clients.semantics.redirects }} - - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__REDIRECTURIS__{{ $index }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} {{- end }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__CLIENTID" value: "{{ .Values.realmSeeding.clients.miw.clientId }}" {{- range $index, $redirects := .Values.realmSeeding.clients.miw.redirects }} - - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__REDIRECTURIS__{{ $index }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__REDIRECTURIS__{{ $index }}" 
value: {{ $redirects | quote }} {{- end }} - - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__SECRET + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__SECRET" valueFrom: secretKeyRef: name: "{{ template "centralidp.secret.clients" . }}" @@ -103,10 +103,10 @@ spec: - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__CLIENTID" value: "{{ .Values.realmSeeding.clients.bpdm.clientId }}" {{- range $index, $redirects := .Values.realmSeeding.clients.bpdm.redirects }} - - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__REDIRECTURIS__{{ $index }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} {{- end }} - - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__SECRET + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__SECRET" valueFrom: secretKeyRef: name: "{{ template "centralidp.secret.clients" . }}" @@ -114,10 +114,10 @@ spec: - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__CLIENTID" value: "{{ .Values.realmSeeding.clients.bpdmGate.clientId }}" {{- range $index, $redirects := .Values.realmSeeding.clients.bpdmGate.redirects }} - - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__REDIRECTURIS__{{ $index }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} {{- end }} - - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__SECRET + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__SECRET" valueFrom: secretKeyRef: name: "{{ template "centralidp.secret.clients" . }}" 
@@ -130,13 +130,13 @@ spec: {{- $index := 20 }} {{- $secretBaseSa := include "centralidp.secret.serviceAccounts" . -}} {{- range .Values.realmSeeding.serviceAccounts.clientSecrets }} - - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__CLIENTID + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__CLIENTID" value: {{ .clientId | quote }} - - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__SECRET + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__SECRET" valueFrom: secretKeyRef: - name: {{ $secretBaseSa }} - key: {{ .clientId }} + name: "{{ $secretBaseSa }}" + key: "{{ .clientId }}" {{- $index = add1 $index }} {{- end }} @@ -153,11 +153,11 @@ spec: {{- $index := 1 }} {{- $bpn := .Values.realmSeeding.bpnUserAttribute.bpn -}} {{- range .Values.realmSeeding.serviceAccounts.clientSecrets }} - - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__USERNAME + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__USERNAME" value: {{ printf "service-account-%s" .clientId | quote }} - - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__Attributes__0__NAME + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__ATTRIBUTES__0__NAME" value: "bpn" - - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__Attributes__0__VALUES__0 + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__ATTRIBUTES__0__VALUES__0" value: {{ $bpn }} {{- $index = add1 $index }} {{- end }} 
@@ -184,16 +184,16 @@ spec: {{- $index := 100 }} {{- $secret := include "centralidp.secret.extraServiceAccounts" . -}} {{- range .Values.realmSeeding.extraServiceAccounts.clientSecretsAndBpn }} - - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__CLIENTID + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__CLIENTID" value: {{ .clientId | quote }} - - name: KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__SECRET + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__SECRET" valueFrom: secretKeyRef: name: {{ $secret }} key: {{ .clientId }} - - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__USERNAME + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__USERNAME" value: {{ printf "service-account-%s" .clientId | quote }} - - name: KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__Attributes__0__VALUES__0 + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__ATTRIBUTES__0__VALUES__0" value: {{ .bpn | quote }} {{- $index = add1 $index }} {{- end }} diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml index 013ab693..a36bcd4f 100644 --- a/charts/sharedidp/templates/job-seeding.yaml +++ b/charts/sharedidp/templates/job-seeding.yaml 
@@ -104,14 +104,14 @@ spec: - name: "KEYCLOAKSEEDING__REALMS__1__CLIENTS__0__CLIENTID" value: "{{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientId }}" - - name: KEYCLOAKSEEDING__REALMS__1__CLIENTS__0__SECRET + - name: "KEYCLOAKSEEDING__REALMS__1__CLIENTS__0__SECRET" valueFrom: secretKeyRef: name: "{{ template "sharedidp.secret.realmSeeding.master" . }}" key: "{{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientId }}" - name: "KEYCLOAKSEEDING__REALMS__1__CLIENTS__1__CLIENTID" value: "{{ .Values.realmSeeding.realms.master.serviceAccounts.saCxOperator.clientId }}" - - name: KEYCLOAKSEEDING__REALMS__1__CLIENTS__1__SECRET + - name: "KEYCLOAKSEEDING__REALMS__1__CLIENTS__1__SECRET" valueFrom: secretKeyRef: name: "{{ template "sharedidp.secret.realmSeeding.master" . }}" From e7b59a4a1e99204a0377aabdff5fcdc69fcd5c1c Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Sun, 30 Jun 2024 11:14:14 +0200 Subject: [PATCH 25/55] chore: fix duplicated clientId for semantics --- charts/centralidp/templates/job-seeding.yaml | 26 +++++++++----------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index 63f6d5d2..a4c72b71 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml @@ -73,6 +73,8 @@ spec: {{- end }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__CLIENTID" value: "{{ .Values.realmSeeding.clients.portal.clientId }}" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__ROOTURL" + value: "{{ .Values.realmSeeding.clients.portal.rootUrl }}" {{- range $index, $redirects := .Values.realmSeeding.clients.portal.redirects }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} 
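Review bot: The new `KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__ROOTURL` reads `realmSeeding.clients.portal.rootUrl`, but the diffstat lists only `job-seeding.yaml`, so unless that key already exists in `values.yaml` it renders as `""` and the portal client's root URL is seeded empty. Add `rootUrl: "https://portal.example.org"` next to the portal `redirects` in values.yaml (or hold the env var back until it is wired) and note there that, as far as I recall, Keycloak resolves relative redirect URIs against this root, so an empty value is not harmless. The rest of the portal client's env entries lie outside this hunk.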
@@ -84,40 +86,34 @@ spec: value: {{ $redirects | quote }} {{- end }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__CLIENTID" - value: "{{ .Values.realmSeeding.clients.semantics.clientId }}" - {{- range $index, $redirects := .Values.realmSeeding.clients.semantics.redirects }} - - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__REDIRECTURIS__{{ $index }}" - value: {{ $redirects | quote }} - {{- end }} - - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__CLIENTID" value: "{{ .Values.realmSeeding.clients.miw.clientId }}" {{- range $index, $redirects := .Values.realmSeeding.clients.miw.redirects }} - - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__REDIRECTURIS__{{ $index }}" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} {{- end }} - - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__SECRET" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__SECRET" valueFrom: secretKeyRef: name: "{{ template "centralidp.secret.clients" . }}" key: "{{ .Values.realmSeeding.clients.miw.clientId }}" - - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__CLIENTID" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__CLIENTID" value: "{{ .Values.realmSeeding.clients.bpdm.clientId }}" {{- range $index, $redirects := .Values.realmSeeding.clients.bpdm.redirects }} - - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__REDIRECTURIS__{{ $index }}" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} {{- end }} - - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__SECRET" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__SECRET" valueFrom: secretKeyRef: name: "{{ template "centralidp.secret.clients" . 
}}" key: "{{ .Values.realmSeeding.clients.bpdm.clientId }}" - - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__CLIENTID" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__CLIENTID" value: "{{ .Values.realmSeeding.clients.bpdmGate.clientId }}" {{- range $index, $redirects := .Values.realmSeeding.clients.bpdmGate.redirects }} - - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__REDIRECTURIS__{{ $index }}" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} {{- end }} - - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__SECRET" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__SECRET" valueFrom: secretKeyRef: name: "{{ template "centralidp.secret.clients" . }}" @@ -158,7 +154,7 @@ spec: - name: "KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__ATTRIBUTES__0__NAME" value: "bpn" - name: "KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__ATTRIBUTES__0__VALUES__0" - value: {{ $bpn }} + value: {{ $bpn | quote }} {{- $index = add1 $index }} {{- end }} From e26dfcb46736f4bf3e05211ec8f67245827fe371 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Tue, 1 Oct 2024 17:17:40 +0200 Subject: [PATCH 26/55] fix: avoid unhandled exception https://github.com/eclipse-tractusx/portal-backend/issues/1039 --- .../generic/catenax-shared/master-realm.json | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/import/realm-config/generic/catenax-shared/master-realm.json b/import/realm-config/generic/catenax-shared/master-realm.json index 90292184..b8730206 100644 --- a/import/realm-config/generic/catenax-shared/master-realm.json +++ b/import/realm-config/generic/catenax-shared/master-realm.json @@ -796,7 +796,8 @@ "web-origins", "profile", "roles", - "email" + "email", + "acr" ], "optionalClientScopes": [ "address", @@ -889,7 +890,8 @@ "web-origins", "profile", "roles", - "email" + "email", + "acr" ], "optionalClientScopes": [ "address", 
@@ -1263,7 +1265,8 @@ "web-origins", "profile", "roles", - "email" + "email", + "acr" ], "optionalClientScopes": [ "address", From f919e94fa36168aa9982988a96ba0cb8ba760735 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 16:29:06 +0200 Subject: [PATCH 27/55] fix: enable multiple data paths per realm for separate users import --- charts/centralidp/templates/job-seeding.yaml | 4 ++-- charts/sharedidp/templates/job-seeding.yaml | 12 +++++++----- charts/sharedidp/values.yaml | 7 ++++--- .../catenax-shared/CX-Operator-realm.json | 15 --------------- .../catenax-shared/CX-Operator-users-0.json | 18 ++++++++++++++++++ 5 files changed, 31 insertions(+), 25 deletions(-) create mode 100644 import/realm-config/generic/catenax-shared/CX-Operator-users-0.json diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index a4c72b71..5daa2588 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml @@ -54,9 +54,9 @@ spec: value: "{{ .Values.realmSeeding.authRealm }}" - name: "KEYCLOAK__CENTRAL__USEAUTHTRAIL" value: "{{ .Values.realmSeeding.useAuthTrail }}" - - name: "KEYCLOAKSEEDING__DATAPATHES__0" + - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHES__0" value: "{{ .Values.realmSeeding.dataPath }}" - - name: "KEYCLOAKSEEDING__INSTANCENAME" + - name: "KEYCLOAKSEEDING__REALMS__0__INSTANCENAME" value: "central" - name: "KEYCLOAKSEEDING__REALMS__0__REALM" value: "{{ .Values.realmSeeding.realm }}" diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml index a36bcd4f..4c1e993e 100644 --- a/charts/sharedidp/templates/job-seeding.yaml +++ b/charts/sharedidp/templates/job-seeding.yaml 
@@ -54,11 +54,13 @@ spec: value: "{{ .Values.realmSeeding.authRealm }}" - name: "KEYCLOAK__SHARED__USEAUTHTRAIL" value: "{{ .Values.realmSeeding.useAuthTrail }}" - - name: "KEYCLOAKSEEDING__DATAPATHES__0" - value: "{{ .Values.realmSeeding.dataPaths.path0 }}" - - name: "KEYCLOAKSEEDING__DATAPATHES__1" - value: "{{ .Values.realmSeeding.dataPaths.path1 }}" - - name: "KEYCLOAKSEEDING__INSTANCENAME" + - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHES__0" + value: "{{ .Values.realmSeeding.cxOperator.dataPaths.path0 }}" + - name: "KEYCLOAKSEEDING__REALMS__1__DATAPATHES__0" + value: "{{ .Values.realmSeeding.master.dataPath }}" + - name: "KEYCLOAKSEEDING__REALMS__0__INSTANCENAME" + value: "shared" + - name: "KEYCLOAKSEEDING__REALMS__1__INSTANCENAME" value: "shared" - name: "KEYCLOAKSEEDING__REALMS__0__REALM" value: "{{ .Values.realmSeeding.realms.cxOperator.name }}" diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index d1feb989..6e66536c 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -149,6 +149,9 @@ realmSeeding: realms: cxOperator: name: "CX-Operator" + dataPaths: + path0: "realms/CX-Operator-realm.json" + path1: "realms/CX-Operator-users-0.json" # -- Set centralidp address for the connection to the CX-Central (centralidp) centralidp: address: "https://centralidp.example.org" @@ -167,6 +170,7 @@ realmSeeding: existingSecret: "" master: name: "master" + dataPath: "realms/master-realm.json" serviceAccounts: # -- Set clients secret for the service account which enables the portal to provision new realms provisioning: @@ -185,9 +189,6 @@ realmSeeding: portContainer: 8080 authRealm: "master" useAuthTrail: "true" - dataPaths: - path0: "realms/CX-Operator-realm.json" - path1: "realms/master-realm.json" # -- We recommend to review the default resource limits as this should a conscious choice. resources: requests: 
diff --git a/import/realm-config/generic/catenax-shared/CX-Operator-realm.json b/import/realm-config/generic/catenax-shared/CX-Operator-realm.json index 1de79481..28b38da0 100644 --- a/import/realm-config/generic/catenax-shared/CX-Operator-realm.json +++ b/import/realm-config/generic/catenax-shared/CX-Operator-realm.json @@ -453,21 +453,6 @@ "webAuthnPolicyPasswordlessCreateTimeout": 0, "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, "webAuthnPolicyPasswordlessAcceptableAaguids": [], - "users" : [ { - "id" : "656e8a94-188b-4a3e-9eec-b45d8efd8347", - "username" : "cx-operator@cx.com", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "firstName" : "Operator", - "lastName" : "CX Admin", - "email" : "tobeadded@cx.com", - "credentials" : [ ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "notBefore" : 0, - "groups" : [ ] - } ], "scopeMappings": [ { "clientScope": "offline_access", diff --git a/import/realm-config/generic/catenax-shared/CX-Operator-users-0.json b/import/realm-config/generic/catenax-shared/CX-Operator-users-0.json new file mode 100644 index 00000000..f16b46c4 --- /dev/null +++ b/import/realm-config/generic/catenax-shared/CX-Operator-users-0.json @@ -0,0 +1,18 @@ +{ + "realm" : "CX-Operator", + "users" : [ { + "id" : "656e8a94-188b-4a3e-9eec-b45d8efd8347", + "username" : "cx-operator@tx.test", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "firstName" : "Operator", + "lastName" : "CX Admin", + "email" : "tobeadded@cx.com", + "credentials" : [ ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "notBefore" : 0, + "groups" : [ ] + } ] +} \ No newline at end of file From 73dcb1b8c88f49c47c771b716d4854a7105d76ad Mon Sep 17 00:00:00 2001 
From: Evelyn Gurschler Date: Wed, 2 Oct 2024 16:52:14 +0200 Subject: [PATCH 28/55] feat(sharedidp): WIP enable initial user --- charts/sharedidp/templates/job-seeding.yaml | 18 ++++++++++++++++++ .../secret-seeding-cx-operator-realm.yaml | 2 ++ charts/sharedidp/values.yaml | 5 +++++ 3 files changed, 25 insertions(+) diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml index 4c1e993e..b550a23a 100644 --- a/charts/sharedidp/templates/job-seeding.yaml +++ b/charts/sharedidp/templates/job-seeding.yaml @@ -80,6 +80,24 @@ spec: - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__ATTRIBUTES__0__VALUE" value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp.address }}{{ .Values.realmSeeding.realms.cxOperator.centralidp.jwksPath }}" + ############################# + ## CX-OPERATOR INITIAL USER + ############################# + + - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHES__1" + value: "{{ .Values.realmSeeding.realms.cxOperator.dataPaths.path1 }}" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__USERNAME" + value: "{{ .Values.realmSeeding.realms.cxOperator.initialUserCredentials.username }}" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__CREDENTIALS__0__TEMPORARY" + value: "false" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__CREDENTIALS__0__TYPE" + value: "password" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__CREDENTIALS__0__VALUE" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "initialuserpassword" + ############################# ## CX-OPERATOR MAIL CONFIG ############################# diff --git a/charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml b/charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml index e7b836be..82e670a9 100644 --- a/charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml +++ b/charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml 
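Review bot: `KEYCLOAKSEEDING__REALMS__0__USERS__0__CREDENTIALS__0__TEMPORARY` is hard-coded to `"false"`, so the seeded CX-Operator admin keeps whatever password the Secret holds — by default the chart-published fallback — with no forced change at first login. Seed it as `value: "true"` (Keycloak then requires a password update on first login) or expose it as `realmSeeding.realms.cxOperator.initialUserCredentials.temporary` defaulting to `true`. The username is also read straight from `.Values...initialUserCredentials.username` here while the same value is written to the Secret as `initialusername`; pick one source of truth. The container's env list continues outside this hunk.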
@@ -31,4 +31,6 @@ stringData: password: {{ .Values.realmSeeding.realms.cxOperator.mailing.password | default "changeme" | quote }} from: {{ .Values.realmSeeding.realms.cxOperator.mailing.from | quote }} replyTo: {{ .Values.realmSeeding.realms.cxOperator.mailing.replyTo | quote }} + initialusername: {{ .Values.realmSeeding.realms.cxOperator.initialUserCredentials.username | quote }} + initialuserpassword: {{ .Values.realmSeeding.realms.cxOperator.initialUserCredentials.password | default "!3changemeTractus-X" | quote }} {{- end -}} diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index 6e66536c..8e9aca7b 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -158,6 +158,11 @@ realmSeeding: clientId: "central-idp" redirectPath: "/auth/realms/CX-Central/broker/CX-Operator/endpoint/*" jwksPath: "/auth/realms/CX-Central/protocol/openid-connect/certs" + initialUserCredentials: + # PLEASE SET INITIAL USERNAME for all non-testing and non-local purposes + username: "cx-operator@tx.org" + # PLEASE SET INITIAL PASSWORD for all non-testing and non-local purposes, default value is "!3changemeTractus-X" + password: "" # -- Set mailing configuration for CX-Operator realm mailing: host: "smtp.example.org" From 4711cc2ecce4c6d5ed36dc53bfc1338d2d9cfa58 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 17:41:13 +0200 Subject: [PATCH 29/55] chore: fix config - typo in DATAPATHS --- charts/centralidp/templates/job-seeding.yaml | 2 +- charts/sharedidp/templates/job-seeding.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index 5daa2588..e3a23177 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml 
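Review bot: `initialuserpassword` falls back to the literal `!3changemeTractus-X` when `initialUserCredentials.password` is unset, so a deployment that forgets the value ends up with an enabled CX-Operator admin whose password is published in the chart. Prefer failing the render, `initialuserpassword: {{ required "realmSeeding.realms.cxOperator.initialUserCredentials.password must be set" .Values.realmSeeding.realms.cxOperator.initialUserCredentials.password | quote }}`, or keep the fallback only behind an explicit test-only flag. `initialusername` is not secret and is also read directly from values by the job template, so it need not live in this Secret. The `if` guard enclosing this `stringData` block opens outside the hunk.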
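Review bot: The default `username: "cx-operator@tx.org"` does not match the user shipped in `realms/CX-Operator-users-0.json` (`cx-operator@tx.test`, added by the previous patch in this series); if the seeder matches users by username, the password from the Secret is applied to a second, newly created user while the JSON one stays enabled without credentials. Align the two defaults and state the dependency in the comment, e.g. `# must match the username in realms/CX-Operator-users-0.json`. The `cxOperator` realm block continues outside this hunk.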
@@ -54,7 +54,7 @@ spec: value: "{{ .Values.realmSeeding.authRealm }}" - name: "KEYCLOAK__CENTRAL__USEAUTHTRAIL" value: "{{ .Values.realmSeeding.useAuthTrail }}" - - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHES__0" + - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__0" value: "{{ .Values.realmSeeding.dataPath }}" - name: "KEYCLOAKSEEDING__REALMS__0__INSTANCENAME" value: "central" diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml index b550a23a..e23c8e48 100644 --- a/charts/sharedidp/templates/job-seeding.yaml +++ b/charts/sharedidp/templates/job-seeding.yaml @@ -54,10 +54,10 @@ spec: value: "{{ .Values.realmSeeding.authRealm }}" - name: "KEYCLOAK__SHARED__USEAUTHTRAIL" value: "{{ .Values.realmSeeding.useAuthTrail }}" - - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHES__0" - value: "{{ .Values.realmSeeding.cxOperator.dataPaths.path0 }}" - - name: "KEYCLOAKSEEDING__REALMS__1__DATAPATHES__0" - value: "{{ .Values.realmSeeding.master.dataPath }}" + - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__0" + value: "{{ .Values.realmSeeding.realms.cxOperator.dataPaths.path0 }}" + - name: "KEYCLOAKSEEDING__REALMS__1__DATAPATHS__0" + value: "{{ .Values.realmSeeding.realms.master.dataPath }}" - name: "KEYCLOAKSEEDING__REALMS__0__INSTANCENAME" value: "shared" - name: "KEYCLOAKSEEDING__REALMS__1__INSTANCENAME" @@ -84,7 +84,7 @@ spec: ## CX-OPERATOR INITIAL USER ############################# - - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHES__1" + - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__1" value: "{{ .Values.realmSeeding.realms.cxOperator.dataPaths.path1 }}" - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__USERNAME" value: "{{ .Values.realmSeeding.realms.cxOperator.initialUserCredentials.username }}" From 1b15e74ae7639c24a0e521b9d87d45322e0c5815 Mon Sep 17 00:00:00 2001 
From: Evelyn Gurschler Date: Wed, 2 Oct 2024 17:42:53 +0200 Subject: [PATCH 30/55] chore: remove testing values for images in pull policy --- charts/centralidp/values.yaml | 8 ++++---- charts/sharedidp/values.yaml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 53bd4a47..37cb1614 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -230,8 +230,8 @@ realmSeeding: # bpn: "TBD2" # -- Option to provide an existingSecret for additional service accounts with clientId as key and clientSecret as value existingSecret: "" - image: "192.168.49.2:5000/iam-seeding:latest" - imagePullPolicy: "Always" + image: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1" + imagePullPolicy: "IfNotPresent" portContainer: 8080 authRealm: "master" useAuthTrail: "true" @@ -254,8 +254,8 @@ realmSeeding: mountPath: "app/realms" initContainers: - name: init-cx-central - image: 192.168.49.2:5000/iam:test - imagePullPolicy: Always + image: docker.io/tractusx/portal-iam:v4.0.0-alpha.1 + imagePullPolicy: IfNotPresent command: - sh args: diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index 8e9aca7b..8f8d6b37 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -189,8 +189,8 @@ realmSeeding: clientSecret: "" # -- Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value existingSecret: "" - image: "192.168.49.2:5000/iam-seeding:latest" - imagePullPolicy: "Always" + image: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1" + imagePullPolicy: "IfNotPresent" portContainer: 8080 authRealm: "master" useAuthTrail: "true" 
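Review bot: The seeding image and the `init-cx-central` image in the four `values.yaml` hunks of this commit are now pulled by a pre-release tag with `IfNotPresent`, so a node that cached an earlier push of `v4.0.0-iam-alpha.1` keeps running it after the tag is re-pushed and a chart upgrade cannot detect the drift. If the tag is not guaranteed immutable, pin it by digest as well, e.g. `image: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1@sha256:<digest>"`, or add a values comment stating that the tag is expected to be immutable. The same applies to the `init-cx-central` hunks of both charts.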
@@ -212,8 +212,8 @@ realmSeeding: mountPath: "app/realms" initContainers: - name: init-cx-central - image: 192.168.49.2:5000/iam:test - imagePullPolicy: Always + image: docker.io/tractusx/portal-iam:v4.0.0-alpha.1 + imagePullPolicy: IfNotPresent command: - sh args: From 33cf75356ca1d2976be951748436145a32110614 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 19:15:09 +0200 Subject: [PATCH 31/55] feat(sharedidp): enable initial user for operator, improve mailing --- charts/sharedidp/templates/job-seeding.yaml | 53 ++++++++++++++++--- .../secret-seeding-cx-operator-realm.yaml | 19 ++++--- charts/sharedidp/values.yaml | 18 ++++--- .../catenax-shared/CX-Operator-users-0.json | 16 +----- 4 files changed, 69 insertions(+), 37 deletions(-) diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml index e23c8e48..a1c90aab 100644 --- a/charts/sharedidp/templates/job-seeding.yaml +++ b/charts/sharedidp/templates/job-seeding.yaml 
@@ -86,8 +86,30 @@ spec: - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__1" value: "{{ .Values.realmSeeding.realms.cxOperator.dataPaths.path1 }}" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__ID" + value: "656e8a94-188b-4a3e-9eec-b45d8efd8347" - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__USERNAME" - value: "{{ .Values.realmSeeding.realms.cxOperator.initialUserCredentials.username }}" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "initial-user-username" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__ENABLED" + value: "true" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__FIRSTNAME" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "initial-user-first-name" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__LASTNAME" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "initial-user-last-name" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__EMAIL" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "initial-user-email" - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__CREDENTIALS__0__TEMPORARY" value: "false" - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__CREDENTIALS__0__TYPE" 
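Review bot: The hard-coded user ID `656e8a94-188b-4a3e-9eec-b45d8efd8347` added for `USERS__0__ID` has no explanation, yet it appears to be the value the centralidp user file references as `federatedIdentities.userId`, so changing one side breaks the brokered login; a comment such as `# must match federatedIdentities.userId of the CX-Central operator user in CX-Central-users-0.json` would make that coupling explicit — please confirm the linkage. Username, first name, last name and e-mail are non-secret and are now read via `secretKeyRef` from the same Secret that holds the password, which means any RBAC grant needed to read the display data also exposes the credential; a ConfigMap (or plain `value:` from values) for those keys keeps the Secret limited to the password. The same applies to the mailing host, port, user, from and reply-to keys in the `@@ -96,27 +118,42 @@` hunk and to the Secret template hunk in `secret-seeding-cx-operator-realm.yaml`.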
@@ -96,27 +118,42 @@ spec: valueFrom: secretKeyRef: name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" - key: "initialuserpassword" + key: "initial-user-password" ############################# ## CX-OPERATOR MAIL CONFIG ############################# - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__HOST" - value: "{{ .Values.realmSeeding.realms.cxOperator.mailing.host }}" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "mailing-host" - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__PORT" - value: "{{ .Values.realmSeeding.realms.cxOperator.mailing.port }}" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "mailing-port" - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__USER" - value: "{{ .Values.realmSeeding.realms.cxOperator.mailing.user }}" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "mailing-username" - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__FROM" - value: "{{ .Values.realmSeeding.realms.cxOperator.mailing.from }}" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "mailing-from" - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__REPLYTO" - value: "{{ .Values.realmSeeding.realms.cxOperator.mailing.replyTo }}" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "mailing-reply-to" - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__PASSWORD" valueFrom: secretKeyRef: name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" - key: "password" + key: "mailing-password" ############################# ## MASTER SERVICE ACCOUNTS diff --git a/charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml b/charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml index 82e670a9..f75b8014 100644 
--- a/charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml +++ b/charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml 
@@ -25,12 +25,15 @@ metadata: namespace: {{ .Release.Namespace }} type: Opaque stringData: - host: {{ .Values.realmSeeding.realms.cxOperator.mailing.host | quote }} - port: {{ .Values.realmSeeding.realms.cxOperator.mailing.port | quote }} - user: {{ .Values.realmSeeding.realms.cxOperator.mailing.user | quote }} - password: {{ .Values.realmSeeding.realms.cxOperator.mailing.password | default "changeme" | quote }} - from: {{ .Values.realmSeeding.realms.cxOperator.mailing.from | quote }} - replyTo: {{ .Values.realmSeeding.realms.cxOperator.mailing.replyTo | quote }} - initialusername: {{ .Values.realmSeeding.realms.cxOperator.initialUserCredentials.username | quote }} - initialuserpassword: {{ .Values.realmSeeding.realms.cxOperator.initialUserCredentials.password | default "!3changemeTractus-X" | quote }} + initial-user-username: {{ .Values.realmSeeding.realms.cxOperator.initialUser.username | quote }} + initial-user-password: {{ .Values.realmSeeding.realms.cxOperator.initialUser.password | default "!3changemeTractus-X" | quote }} + initial-user-first-name: {{ .Values.realmSeeding.realms.cxOperator.initialUser.firstName | quote }} + initial-user-last-name: {{ .Values.realmSeeding.realms.cxOperator.initialUser.lastName | quote }} + initial-user-email: {{ .Values.realmSeeding.realms.cxOperator.initialUser.eMail | quote }} + mailing-host: {{ .Values.realmSeeding.realms.cxOperator.mailing.host | quote }} + mailing-port: {{ .Values.realmSeeding.realms.cxOperator.mailing.port | quote }} + mailing-username: {{ .Values.realmSeeding.realms.cxOperator.mailing.username | quote }} + mailing-password: {{ .Values.realmSeeding.realms.cxOperator.mailing.password | default "changeme" | quote }} + mailing-from: {{ .Values.realmSeeding.realms.cxOperator.mailing.from | quote }} + mailing-reply-to: {{ .Values.realmSeeding.realms.cxOperator.mailing.replyTo | quote }} {{- end -}} diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index 8f8d6b37..8999ffbb 100644 
--- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -158,16 +158,22 @@ realmSeeding: clientId: "central-idp" redirectPath: "/auth/realms/CX-Central/broker/CX-Operator/endpoint/*" jwksPath: "/auth/realms/CX-Central/protocol/openid-connect/certs" - initialUserCredentials: - # PLEASE SET INITIAL USERNAME for all non-testing and non-local purposes + initialUser: + # -- SET username for initial user for all non-testing and non-local purposes username: "cx-operator@tx.org" - # PLEASE SET INITIAL PASSWORD for all non-testing and non-local purposes, default value is "!3changemeTractus-X" + # -- SET password for initial user for all non-testing and non-local purposes, default value is "!3changemeTractus-X" password: "" + # -- Set first name for initial user + firstName: "Operator" + # -- Set last name for initial user + lastName: "CX Admin" + # -- Set e-mail for initial user + eMail: "email@example.org" # -- Set mailing configuration for CX-Operator realm mailing: host: "smtp.example.org" port: "123" - user: "smtp-user" + username: "smtp-user" password: "" from: "email@example.org" replyTo: "email@example.org" 
@@ -180,12 +186,12 @@ realmSeeding: # -- Set clients secret for the service account which enables the portal to provision new realms provisioning: clientId: "sa-cl1-reg-1" - # PLEASE SET CLIENT SECRET for all non-testing and non-local purposes, default value is "changeme" + # -- SET client secret for all non-testing and non-local purposes, default value is "changeme" clientSecret: "" # -- Set clients secret for the service account which enables the portal to manage the CX-Operator realm saCxOperator: clientId: "saCX-Operator" - # PLEASE SET CLIENT SECRET for all non-testing and non-local purposes, default value is "changeme" + # -- SET client secret for all non-testing and non-local purposes, default value is "changeme" clientSecret: "" # -- Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value existingSecret: "" diff --git a/import/realm-config/generic/catenax-shared/CX-Operator-users-0.json b/import/realm-config/generic/catenax-shared/CX-Operator-users-0.json index f16b46c4..dbac9eca 100644 --- a/import/realm-config/generic/catenax-shared/CX-Operator-users-0.json +++ b/import/realm-config/generic/catenax-shared/CX-Operator-users-0.json @@ -1,18 +1,4 @@ { "realm" : "CX-Operator", - "users" : [ { - "id" : "656e8a94-188b-4a3e-9eec-b45d8efd8347", - "username" : "cx-operator@tx.test", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "firstName" : "Operator", - "lastName" : "CX Admin", - "email" : "tobeadded@cx.com", - "credentials" : [ ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "notBefore" : 0, - "groups" : [ ] - } ] + "users" : [ ] } \ No newline at end of file From 839ce5b08686a383d80fdddf92a5c89ec5572af4 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 19:15:25 +0200 Subject: [PATCH 32/55] docs: improve comments --- charts/centralidp/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 37cb1614..4ad7228d 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -141,7 +141,7 @@ realmSeeding: realm: "CX-Central" # -- Set redirect addresses and - in the case of confidential clients - clients secrets # for clients which are part of the basic CX-Central realm setup - # PLEASE SET CLIENT SECRETS for all non-testing and non-local purposes, default value is "changeme" + # -- SET client secrets for all non-testing and non-local purposes, default value is "changeme" clients: registration: clientId: "Cl1-CX-Registration" @@ -173,8 +173,8 @@ realmSeeding: - https://partners-gate.example.org/* # -- Option to provide an existingSecret for the clients with clientId as key and clientSecret as value existingSecret: "" - # -- Set client secrets for service accounts which are part of the basic CX-Central realm setup - # PLEASE SET CLIENT SECRETS for all non-testing and non-local purposes, default value is "changeme" + # Client secrets for service accounts which are part of the basic CX-Central realm setup; + # SET client secrets for all non-testing and non-local purposes, default value is "changeme" serviceAccounts: clientSecrets: - clientId: "sa-cl1-reg-2" From 63b06c47ecbdab5b3f1c37df76f071baf0ae9601 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 19:55:27 +0200 Subject: [PATCH 33/55] chore(sharedidp): change default email --- charts/sharedidp/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index 8999ffbb..d4a479a8 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml 
@@ -168,7 +168,7 @@ realmSeeding: # -- Set last name for initial user lastName: "CX Admin" # -- Set e-mail for initial user - eMail: "email@example.org" + eMail: "cx-operator@tx.org" # -- Set mailing configuration for CX-Operator realm mailing: host: "smtp.example.org" From dfe9a3d41c71619f8d5e516776f2c93295f2fac6 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 19:56:20 +0200 Subject: [PATCH 34/55] feat(centralidp): enable initial user in separate file --- charts/centralidp/templates/job-seeding.yaml | 9 ++++- charts/centralidp/values.yaml | 4 ++- .../catenax-central/CX-Central-realm.json | 29 ---------------- .../catenax-central/CX-Central-users-0.json | 34 +++++++++++++++++++ 4 files changed, 45 insertions(+), 31 deletions(-) create mode 100644 import/realm-config/generic/catenax-central/CX-Central-users-0.json diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index e3a23177..0a27f69f 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml @@ -55,12 +55,19 @@ spec: - name: "KEYCLOAK__CENTRAL__USEAUTHTRAIL" value: "{{ .Values.realmSeeding.useAuthTrail }}" - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__0" - value: "{{ .Values.realmSeeding.dataPath }}" + value: "{{ .Values.realmSeeding.dataPaths.path0 }}" - name: "KEYCLOAKSEEDING__REALMS__0__INSTANCENAME" value: "central" - name: "KEYCLOAKSEEDING__REALMS__0__REALM" value: "{{ .Values.realmSeeding.realm }}" + ################# + ## INITIAL USER + ################# + + - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__1" + value: "{{ .Values.realmSeeding.dataPaths.path1 }}" + ########### ## CLIENTS ########### diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 4ad7228d..15a189fa 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml 
@@ -235,7 +235,9 @@ realmSeeding: portContainer: 8080 authRealm: "master" useAuthTrail: "true" - dataPath: "realms/CX-Central-realm.json" + dataPaths: + path0: "realms/CX-Central-realm.json" + path1: "realms/CX-Central-users-0.json" # -- We recommend to review the default resource limits as this should a conscious choice. resources: requests: diff --git a/import/realm-config/generic/catenax-central/CX-Central-realm.json b/import/realm-config/generic/catenax-central/CX-Central-realm.json index ea0e8a7d..c02662be 100644 --- a/import/realm-config/generic/catenax-central/CX-Central-realm.json +++ b/import/realm-config/generic/catenax-central/CX-Central-realm.json @@ -2795,35 +2795,6 @@ "webAuthnPolicyPasswordlessAcceptableAaguids": [], "webAuthnPolicyPasswordlessExtraOrigins": [], "users": [ - { - "id" : "502dabcf-01c7-47d9-a88e-0be4279097b5", - "createdTimestamp" : 1652788086549, - "username" : "ac1cf001-7fbc-1f2f-817f-bce058020006", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "firstName" : "Operator", - "lastName" : "CX Admin", - "email" : "tobeadded@cx.com", - "attributes" : { - "bpn" : [ "BPNL00000003CRHK" ], - "organisation" : [ "CX-Operator" ] - }, - "credentials" : [ ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "federatedIdentities" : [ { - "identityProvider" : "CX-Operator", - "userId" : "656e8a94-188b-4a3e-9eec-b45d8efd8347", - "userName" : "cx-operator@cx.com" - } ], - "realmRoles" : [ "default-roles-cx-central" ], - "clientRoles" : { - "Cl2-CX-Portal" : [ "CX Admin" ] - }, - "notBefore" : 0, - "groups" : [ ] - }, { "id": "e69c1397-eee8-434a-b83b-dc7944bb9bdd", "createdTimestamp": 1651730911692, diff --git a/import/realm-config/generic/catenax-central/CX-Central-users-0.json b/import/realm-config/generic/catenax-central/CX-Central-users-0.json new file mode 100644 index 00000000..c9855e0a --- /dev/null +++ b/import/realm-config/generic/catenax-central/CX-Central-users-0.json 
@@ -0,0 +1,34 @@ +{ + "realm" : "CX-Central", + "users" : [ + { + "id" : "502dabcf-01c7-47d9-a88e-0be4279097b5", + "createdTimestamp" : 1652788086549, + "username" : "ac1cf001-7fbc-1f2f-817f-bce058020006", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "firstName" : "Operator", + "lastName" : "CX Admin", + "email" : "cx-operator@tx.org", + "attributes" : { + "bpn" : [ "BPNL00000003CRHK" ], + "organisation" : [ "CX-Operator" ] + }, + "credentials" : [ ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "federatedIdentities" : [ { + "identityProvider" : "CX-Operator", + "userId" : "656e8a94-188b-4a3e-9eec-b45d8efd8347", + "userName" : "cx-operator@tx.org" + } ], + "realmRoles" : [ "default-roles-cx-central" ], + "clientRoles" : { + "Cl2-CX-Portal" : [ "CX Admin" ] + }, + "notBefore" : 0, + "groups" : [ ] + } + ] +} \ No newline at end of file From 5f0b9603bc3ab6e23099451f6efe4c745d0ac3d0 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 20:27:20 +0200 Subject: [PATCH 35/55] chore: increase cpu limits --- charts/centralidp/values.yaml | 2 +- charts/sharedidp/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 15a189fa..b0ca9f16 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -245,7 +245,7 @@ realmSeeding: memory: 600M ephemeral-storage: 50Mi limits: - cpu: 500m + cpu: 750m memory: 600M ephemeral-storage: 1024Mi extraVolumes: diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index d4a479a8..bec4f227 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -207,7 +207,7 @@ realmSeeding: memory: 600M ephemeral-storage: 50Mi limits: - cpu: 500m + cpu: 750m memory: 600M ephemeral-storage: 1024Mi extraVolumes: From 29ad91cc628dd5d36a0ebff4579f60c4b0e645ca Mon Sep 17 00:00:00 2001 
From: Evelyn Gurschler Date: Wed, 2 Oct 2024 21:01:23 +0200 Subject: [PATCH 36/55] feat: enable option for tls connection at realm seeding --- charts/centralidp/templates/job-seeding.yaml | 7 ++++++- charts/centralidp/values.yaml | 1 + charts/sharedidp/templates/job-seeding.yaml | 7 ++++++- charts/sharedidp/values.yaml | 1 + 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index 0a27f69f..3e22f83b 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml @@ -42,7 +42,12 @@ spec: imagePullPolicy: "{{ .Values.realmSeeding.imagePullPolicy }}" env: - name: "KEYCLOAK__CENTRAL__CONNECTIONSTRING" - value: "http://{{ template "centralidp.fullname" . }}" + value: | + {{ if .Values.realmSeeding.tls }} + "https://{{ template "centralidp.fullname" . }}" + {{ else }} + "http://{{ template "centralidp.fullname" . }}" + {{ end }} - name: "KEYCLOAK__CENTRAL__USER" value: "{{ .Values.keycloak.auth.adminUser }}" - name: "KEYCLOAK__CENTRAL__PASSWORD" diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index b0ca9f16..5d3a1f2b 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -248,6 +248,7 @@ realmSeeding: cpu: 750m memory: 600M ephemeral-storage: 1024Mi + tls: false extraVolumes: - name: realms emptyDir: {} diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml index a1c90aab..2c0d5ed0 100644 --- a/charts/sharedidp/templates/job-seeding.yaml +++ b/charts/sharedidp/templates/job-seeding.yaml 
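Review bot: The `value: |` block scalar in the `@@ -42,7 +42,12 @@` hunk of `charts/centralidp/templates/job-seeding.yaml` renders `KEYCLOAK__CENTRAL__CONNECTIONSTRING` as a multi-line string: the literal block keeps the blank lines left by the untrimmed `{{ if }}`/`{{ else }}`/`{{ end }}` actions, the leading indentation and the surrounding double quotes, so the seeding job would receive something like `\n"http://<fullname>"\n` rather than a URL. A single-line value avoids all of that: `value: "{{ ternary "https" "http" .Values.realmSeeding.tls }}://{{ template "centralidp.fullname" . }}"`. The sharedidp hunk of the same commit has the identical problem, and the `wait-for-keycloak` readiness curl (visible as context in a later hunk) still probes `http://` regardless of `tls`, which presumably needs the same switch.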
@@ -42,7 +42,12 @@ spec: imagePullPolicy: "{{ .Values.realmSeeding.imagePullPolicy }}" env: - name: "KEYCLOAK__SHARED__CONNECTIONSTRING" - value: "http://{{ template "sharedidp.fullname" . }}" + value: | + {{ if .Values.realmSeeding.tls }} + "https://{{ template "sharedidp.fullname" . }}" + {{ else }} + "http://{{ template "sharedidp.fullname" . }}" + {{ end }} - name: "KEYCLOAK__SHARED__USER" value: "{{ .Values.keycloak.auth.adminUser }}" - name: "KEYCLOAK__SHARED__PASSWORD" diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index bec4f227..5eb0530b 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -210,6 +210,7 @@ realmSeeding: cpu: 750m memory: 600M ephemeral-storage: 1024Mi + tls: false extraVolumes: - name: realms emptyDir: {} From 4f1d1a152846bf8a978f543394da63af10a57e19 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 21:07:23 +0200 Subject: [PATCH 37/55] docs: improve comment --- charts/centralidp/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 5d3a1f2b..1dd92fcd 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -210,8 +210,8 @@ realmSeeding: bpnUserAttribute: bpn: "BPNL00000003CRHK" initialUser: "ac1cf001-7fbc-1f2f-817f-bce058020006" - # -- Set sharedidp address to enable the identity provider connection to CX-Operator realm (sharedidp) sharedidp: + # -- Set sharedidp address to enable the identity provider connection to CX-Operator realm (sharedidp) address: "https://sharedidp.example.org" idpAlias: "CX-Operator" tokenPath: "/auth/realms/CX-Operator/protocol/openid-connect/token" From b237a76dba8a49873e4a4525a4cf5d2f2422f91c Mon Sep 17 00:00:00 2001 
From: Evelyn Gurschler Date: Wed, 2 Oct 2024 21:46:53 +0200 Subject: [PATCH 38/55] chore: move config out of values into job for easier configurability --- charts/centralidp/templates/job-seeding.yaml | 46 +++++++++++------ charts/centralidp/values.yaml | 52 ++++---------------- 2 files changed, 40 insertions(+), 58 deletions(-) diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index 3e22f83b..173027d4 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml @@ -56,22 +56,22 @@ spec: name: "{{ template "centralidp.fullname" . }}" key: "admin-password" - name: "KEYCLOAK__CENTRAL__AUTHREALM" - value: "{{ .Values.realmSeeding.authRealm }}" + value: "master" - name: "KEYCLOAK__CENTRAL__USEAUTHTRAIL" - value: "{{ .Values.realmSeeding.useAuthTrail }}" + value: "true" - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__0" - value: "{{ .Values.realmSeeding.dataPaths.path0 }}" + value: "realms/CX-Central-realm.json" - name: "KEYCLOAKSEEDING__REALMS__0__INSTANCENAME" value: "central" - name: "KEYCLOAKSEEDING__REALMS__0__REALM" - value: "{{ .Values.realmSeeding.realm }}" + value: "CX-Central" ################# ## INITIAL USER ################# - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__1" - value: "{{ .Values.realmSeeding.dataPaths.path1 }}" + value: "realms/CX-Central-users-0.json" ########### ## CLIENTS 
@@ -153,13 +153,13 @@ spec: ############################# - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__USERNAME" - value: "{{ .Values.realmSeeding.bpnUserAttribute.initialUser }}" + value: "ac1cf001-7fbc-1f2f-817f-bce058020006" - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__Attributes__0__NAME" value: "bpn" - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__Attributes__0__VALUES__0" - value: "{{ .Values.realmSeeding.bpnUserAttribute.bpn }}" + value: "{{ .Values.realmSeeding.bpn }}" {{- $index := 1 }} - {{- $bpn := .Values.realmSeeding.bpnUserAttribute.bpn -}} + {{- $bpn := .Values.realmSeeding.bpn -}} {{- range .Values.realmSeeding.serviceAccounts.clientSecrets }} - name: "KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__USERNAME" value: {{ printf "service-account-%s" .clientId | quote }} 
@@ -175,15 +175,15 @@ spec: ############################# - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__ALIAS" - value: "{{ .Values.realmSeeding.sharedidp.idpAlias }}" + value: "CX-Operator" - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__TOKENURL" - value: "{{ .Values.realmSeeding.sharedidp.address }}{{ .Values.realmSeeding.sharedidp.tokenPath }}" + value: "{{ .Values.realmSeeding.sharedidp }}/auth/realms/CX-Operator/protocol/openid-connect/token" - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__JWKSURL" - value: "{{ .Values.realmSeeding.sharedidp.address }}{{ .Values.realmSeeding.sharedidp.jwksPath }}" + value: "{{ .Values.realmSeeding.sharedidp }}/auth/realms/CX-Operator/protocol/openid-connect/certs" - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__AUTHORIZATIONURL" - value: "{{ .Values.realmSeeding.sharedidp.address }}{{ .Values.realmSeeding.sharedidp.authorizationPath }}" + value: "{{ .Values.realmSeeding.sharedidp }}/auth/realms/CX-Operator/protocol/openid-connect/auth" - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__LOGOUTURL" - value: "{{ .Values.realmSeeding.sharedidp.address }}{{ .Values.realmSeeding.sharedidp.logoutPath }}" + value: "{{ .Values.realmSeeding.sharedidp }}/auth/realms/CX-Operator/protocol/openid-connect/logout" ############################### ## EXTRA SERVICE ACCOUNTS 
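Review bot: The four identity-provider URLs are now built by concatenating `.Values.realmSeeding.sharedidp` with a fixed path, so a value given with a trailing slash (`https://sharedidp.example.org/`) yields `//auth/realms/...` and, for a value accidentally set to `http://`, the token and JWKS exchange with the operator realm runs in clear text. Normalising the base once keeps the four lines consistent: `{{- $sharedidp := .Values.realmSeeding.sharedidp | trimSuffix "/" }}` before the block and `value: "{{ $sharedidp }}/auth/realms/CX-Operator/protocol/openid-connect/token"` for each URL; a values comment noting that the address must be `https` would cover the second case.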
@@ -213,14 +213,28 @@ spec: resources: {{- toYaml .Values.realmSeeding.resources | nindent 10 }} volumeMounts: - {{- toYaml .Values.realmSeeding.extraVolumeMounts | nindent 10 }} + - name: realms + mountPath: "app/realms" initContainers: + - name: init-cx-central + image: {{ .Values.realmSeeding.initContainer.image }} + imagePullPolicy: {{ .Values.realmSeeding.initContainer.imagePullPolicy }} + command: + - sh + args: + - -c + - | + echo "Copying CX Central realm..." + cp -R /import/catenax-central/realms/* /app/realms + volumeMounts: + - name: realms + mountPath: "app/realms" - name: wait-for-keycloak image: appropriate/curl:latest command: [ 'sh', '-c', 'until curl -s http://{{ template "centralidp.fullname" . }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ] imagePullPolicy: IfNotPresent - {{- toYaml .Values.realmSeeding.initContainers | nindent 8 }} volumes: - {{- toYaml .Values.realmSeeding.extraVolumes | nindent 8 }} + - name: realms + emptyDir: {} automountServiceAccountToken: false {{- end -}} diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 1dd92fcd..90ae24f8 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml 
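Review bot: The new `init-cx-central` init container carries no `resources` and no `securityContext`, while the seeding container next to it gets `resources` from `.Values.realmSeeding.resources`; in clusters enforcing a LimitRange or a restricted pod-security profile the job pod would be rejected or the copy step run unbounded. Its `mountPath: "app/realms"` is relative while the shell command writes to `/app/realms` — this was moved verbatim from values so it presumably resolves, but an absolute `mountPath: "/app/realms"` removes the ambiguity. The templated `image:`/`imagePullPolicy:` scalars are unquoted; `image: {{ .Values.realmSeeding.initContainer.image | quote }}` protects against an empty expansion becoming `null`. The `appropriate/curl:latest` line is unchanged context, but it is now the only floating tag left in this Job.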
@@ -131,17 +131,16 @@ keycloak: existingSecretDatabaseKey: "" existingSecretPasswordKey: "" -realmSeeding: # -- Seeding job to create and update the CX-Central realm: # besides creating the CX-Central realm, the job can be used to update # the configuration of the realm when upgrading to a new version; # Please also refer to the 'Post-Upgrade Configuration' section in the README.md # for configuration possibly not covered by the seeding job +realmSeeding: enabled: true - realm: "CX-Central" # -- Set redirect addresses and - in the case of confidential clients - clients secrets - # for clients which are part of the basic CX-Central realm setup - # -- SET client secrets for all non-testing and non-local purposes, default value is "changeme" + # for clients which are part of the basic CX-Central realm setup; + # SET client secrets for all non-testing and non-local purposes, default value is "changeme" clients: registration: clientId: "Cl1-CX-Registration" 
@@ -206,18 +205,9 @@ realmSeeding: # -- Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value existingSecret: "" # -- Set value for the 'bpn' user attribute for the initial user and the base service account users - # initialUser refers to the username - bpnUserAttribute: - bpn: "BPNL00000003CRHK" - initialUser: "ac1cf001-7fbc-1f2f-817f-bce058020006" - sharedidp: - # -- Set sharedidp address to enable the identity provider connection to CX-Operator realm (sharedidp) - address: "https://sharedidp.example.org" - idpAlias: "CX-Operator" - tokenPath: "/auth/realms/CX-Operator/protocol/openid-connect/token" - jwksPath: "/auth/realms/CX-Operator/protocol/openid-connect/certs" - authorizationPath: "/auth/realms/CX-Operator/protocol/openid-connect/auth" - logoutPath: "/auth/realms/CX-Operator/protocol/openid-connect/logout" + bpn: "BPNL00000003CRHK" + # -- Set sharedidp address to enable the identity provider connection to CX-Operator realm + sharedidp: "https://sharedidp.example.org" # -- Set client secrets and bpn user attribute for additional service accounts; # meant to enable possible test data, default value for client secrets is "changeme" extraServiceAccounts: @@ -232,12 +222,11 @@ realmSeeding: existingSecret: "" image: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1" imagePullPolicy: "IfNotPresent" + initContainer: + image: "docker.io/tractusx/portal-iam:v4.0.0-alpha.1" + imagePullPolicy: "IfNotPresent" + tls: false portContainer: 8080 - authRealm: "master" - useAuthTrail: "true" - dataPaths: - path0: "realms/CX-Central-realm.json" - path1: "realms/CX-Central-users-0.json" # -- We recommend to review the default resource limits as this should a conscious choice. resources: requests: 
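Review bot: `tls: false` in the `@@ -232,12 +222,11 @@` hunk is the only key in this block without a helm-docs `# --` line, and it is the one that decides whether the Keycloak admin user and password the seeding job reads from the `admin-password` secret key are sent over plain HTTP inside the cluster. Suggest `# -- Set to true to have the seeding job connect to Keycloak via https; with false the admin credentials travel over plain HTTP within the cluster` directly above it. The `initContainer.image`/`imagePullPolicy` keys could likewise use a `# --` line so they appear in the generated README.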
@@ -248,24 +237,3 @@ realmSeeding: cpu: 750m memory: 600M ephemeral-storage: 1024Mi - tls: false - extraVolumes: - - name: realms - emptyDir: {} - extraVolumeMounts: - - name: realms - mountPath: "app/realms" - initContainers: - - name: init-cx-central - image: docker.io/tractusx/portal-iam:v4.0.0-alpha.1 - imagePullPolicy: IfNotPresent - command: - - sh - args: - - -c - - | - echo "Copying CX Central realm..." - cp -R /import/catenax-central/realms/* /app/realms - volumeMounts: - - name: realms - mountPath: "app/realms" From 606557b9131b76dc73207cc3ee536dae4fddb3e7 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 21:56:58 +0200 Subject: [PATCH 39/55] chore: move into job --- charts/centralidp/templates/job-seeding.yaml | 18 +++++++++--------- .../centralidp/templates/secret-clients.yaml | 6 +++--- charts/centralidp/values.yaml | 6 ------ 3 files changed, 12 insertions(+), 18 deletions(-) diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index 173027d4..34ce14ca 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml @@ -78,13 +78,13 @@ spec: ########### - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__CLIENTID" - value: "{{ .Values.realmSeeding.clients.registration.clientId }}" + value: "Cl1-CX-Registration" {{- range $index, $redirects := .Values.realmSeeding.clients.registration.redirects }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} {{- end }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__CLIENTID" - value: "{{ .Values.realmSeeding.clients.portal.clientId }}" + value: "Cl2-CX-Portal" - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__ROOTURL" value: "{{ .Values.realmSeeding.clients.portal.rootUrl }}" {{- range $index, $redirects := .Values.realmSeeding.clients.portal.redirects }} 
@@ -92,13 +92,13 @@ spec: value: {{ $redirects | quote }} {{- end }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__2__CLIENTID" - value: "{{ .Values.realmSeeding.clients.semantics.clientId }}" + value: "Cl3-CX-Semantic" {{- range $index, $redirects := .Values.realmSeeding.clients.semantics.redirects }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__2__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} {{- end }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__CLIENTID" - value: "{{ .Values.realmSeeding.clients.miw.clientId }}" + value: "Cl5-CX-Custodian" {{- range $index, $redirects := .Values.realmSeeding.clients.miw.redirects }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} @@ -107,9 +107,9 @@ spec: valueFrom: secretKeyRef: name: "{{ template "centralidp.secret.clients" . }}" - key: "{{ .Values.realmSeeding.clients.miw.clientId }}" + key: "miw" - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__CLIENTID" - value: "{{ .Values.realmSeeding.clients.bpdm.clientId }}" + value: "Cl7-CX-BPDM" {{- range $index, $redirects := .Values.realmSeeding.clients.bpdm.redirects }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} @@ -118,9 +118,9 @@ spec: valueFrom: secretKeyRef: name: "{{ template "centralidp.secret.clients" . }}" - key: "{{ .Values.realmSeeding.clients.bpdm.clientId }}" + key: "bpdm" - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__CLIENTID" - value: "{{ .Values.realmSeeding.clients.bpdmGate.clientId }}" + value: "Cl16-CX-BPDMGate" {{- range $index, $redirects := .Values.realmSeeding.clients.bpdmGate.redirects }} - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__REDIRECTURIS__{{ $index }}" value: {{ $redirects | quote }} 
@@ -129,7 +129,7 @@ spec: valueFrom: secretKeyRef: name: "{{ template "centralidp.secret.clients" . }}" - key: "{{ .Values.realmSeeding.clients.bpdmGate.clientId }}" + key: "bpdm-gate" ############################# ## BASE SERVICE ACCOUNTS diff --git a/charts/centralidp/templates/secret-clients.yaml b/charts/centralidp/templates/secret-clients.yaml index e7eb2283..5c67b941 100644 --- a/charts/centralidp/templates/secret-clients.yaml +++ b/charts/centralidp/templates/secret-clients.yaml @@ -25,7 +25,7 @@ metadata: namespace: {{ .Release.Namespace }} type: Opaque stringData: - {{ .Values.realmSeeding.clients.miw.clientId }}: {{ .Values.realmSeeding.clients.miw.clientSecret | default "changeme" | quote }} - {{ .Values.realmSeeding.clients.bpdm.clientId }}: {{ .Values.realmSeeding.clients.bpdm.clientSecret | default "changeme" | quote }} - {{ .Values.realmSeeding.clients.bpdmGate.clientId }}: {{ .Values.realmSeeding.clients.bpdmGate.clientSecret | default "changeme" | quote }} + miw: {{ .Values.realmSeeding.clients.miw.clientSecret | default "changeme" | quote }} + bpdm: {{ .Values.realmSeeding.clients.bpdm.clientSecret | default "changeme" | quote }} + bpdm-gate: {{ .Values.realmSeeding.clients.bpdmGate.clientSecret | default "changeme" | quote }} {{- end -}} diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 90ae24f8..b475c7f4 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml 
@@ -143,30 +143,24 @@ realmSeeding: # SET client secrets for all non-testing and non-local purposes, default value is "changeme" clients: registration: - clientId: "Cl1-CX-Registration" redirects: - https://portal.example.org portal: - clientId: "Cl2-CX-Portal" rootUrl: https://portal.example.org/home redirects: - https://portal.example.org semantics: - clientId: "Cl3-CX-Semantic" redirects: - https://portal.example.org/* miw: - clientId: "Cl5-CX-Custodian" clientSecret: "" redirects: - https://managed-identity-wallets.example.org/* bpdm: - clientId: "Cl7-CX-BPDM" clientSecret: "" redirects: - https://partners-pool.example.org/* bpdmGate: - clientId: "Cl16-CX-BPDMGate" clientSecret: "" redirects: - https://partners-gate.example.org/* From 0e258fb3516145f69e954a7a967962ca13a90c90 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 22:15:17 +0200 Subject: [PATCH 40/55] chore: move into job --- charts/sharedidp/templates/job-seeding.yaml | 40 +++++++++++++------- charts/sharedidp/values.yaml | 41 +++------------------ 2 files changed, 33 insertions(+), 48 deletions(-) diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml index 2c0d5ed0..8f6a2a29 100644 --- a/charts/sharedidp/templates/job-seeding.yaml +++ b/charts/sharedidp/templates/job-seeding.yaml 
@@ -56,41 +56,41 @@ spec: name: "{{ template "sharedidp.fullname" . }}" key: "admin-password" - name: "KEYCLOAK__SHARED__AUTHREALM" - value: "{{ .Values.realmSeeding.authRealm }}" + value: "master" - name: "KEYCLOAK__SHARED__USEAUTHTRAIL" - value: "{{ .Values.realmSeeding.useAuthTrail }}" + value: "true" - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__0" - value: "{{ .Values.realmSeeding.realms.cxOperator.dataPaths.path0 }}" + value: "realms/CX-Operator-realm.json" - name: "KEYCLOAKSEEDING__REALMS__1__DATAPATHS__0" - value: "{{ .Values.realmSeeding.realms.master.dataPath }}" + value: "realms/master-realm.json" - name: "KEYCLOAKSEEDING__REALMS__0__INSTANCENAME" value: "shared" - name: "KEYCLOAKSEEDING__REALMS__1__INSTANCENAME" value: "shared" - name: "KEYCLOAKSEEDING__REALMS__0__REALM" - value: "{{ .Values.realmSeeding.realms.cxOperator.name }}" + value: "CX-Operator" - name: "KEYCLOAKSEEDING__REALMS__1__REALM" - value: "{{ .Values.realmSeeding.realms.master.name }}" + value: "master" ############################# ## CX-OPERATOR CLIENT ############################# - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__CLIENTID" - value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp.clientId }}" + value: "central-idp" - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__REDIRECTURIS__0" - value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp.address }}{{ .Values.realmSeeding.realms.cxOperator.centralidp.redirectPath }}" + value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp }}/auth/realms/CX-Central/broker/CX-Operator/endpoint/* }}" - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__ATTRIBUTES__0__NAME" value: "jwks.url" - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__ATTRIBUTES__0__VALUE" - value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp.address }}{{ .Values.realmSeeding.realms.cxOperator.centralidp.jwksPath }}" + value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp }}/auth/realms/CX-Central/protocol/openid-connect/certs }}" 
############################# ## CX-OPERATOR INITIAL USER ############################# - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__1" - value: "{{ .Values.realmSeeding.realms.cxOperator.dataPaths.path1 }}" + value: "realms/CX-Operator-users-0.json" - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__ID" value: "656e8a94-188b-4a3e-9eec-b45d8efd8347" - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__USERNAME" @@ -186,14 +186,28 @@ spec: resources: {{- toYaml .Values.realmSeeding.resources | nindent 10 }} volumeMounts: - {{- toYaml .Values.realmSeeding.extraVolumeMounts | nindent 10 }} + - name: realms + mountPath: "app/realms" initContainers: + - name: init-cx-central + image: {{ .Values.realmSeeding.initContainer.image }} + imagePullPolicy: {{ .Values.realmSeeding.initContainer.imagePullPolicy }} + command: + - sh + args: + - -c + - | + echo "Copying realms..." + cp -R /import/catenax-shared/realms/* /app/realms + volumeMounts: + - name: realms + mountPath: "app/realms" - name: wait-for-keycloak image: appropriate/curl:latest command: [ 'sh', '-c', 'until curl -s http://{{ template "sharedidp.fullname" . }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ] imagePullPolicy: IfNotPresent - {{- toYaml .Values.realmSeeding.initContainers | nindent 8 }} volumes: - {{- toYaml .Values.realmSeeding.extraVolumes | nindent 8 }} + - name: realms + emptyDir: {} automountServiceAccountToken: false {{- end -}} diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index 5eb0530b..f8b0fda8 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml 
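Review bot: The `init-cx-central` init container added in the @@ -186 hunk runs `sh -c` with `cp -R` and sets no `securityContext`, while the seeding container in the same pod drops all capabilities and runs with `readOnlyRootFilesystem: true` and `runAsNonRoot: true` (visible as context in the PATCH 47 hunk @@ -38); pod security admission in `restricted` mode evaluates init containers too, so the job would be rejected there. Its only write target is the `realms` emptyDir mounted at `app/realms`, so a read-only root filesystem should be fine if the image has no other writable needs — please confirm the image runs as non-root before enabling `runAsNonRoot`. The name `init-cx-central` is also misleading in the sharedidp chart, where it copies `/import/catenax-shared/realms/*`. The centralidp counterpart (same container name, seen as context in the PATCH 47 hunk @@ -217) has the same gap.
```yaml
      initContainers:
        - name: init-cx-central
          image: {{ .Values.realmSeeding.initContainer.image }}
          imagePullPolicy: {{ .Values.realmSeeding.initContainer.imagePullPolicy }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
          # … unchanged: command/args copying the realms, volumeMounts …
```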
@@ -139,25 +139,17 @@ keycloak: existingSecretDatabaseKey: "" existingSecretPasswordKey: "" -realmSeeding: # -- Seeding job to create and update the CX-Central realm: # besides creating the CX-Central realm, the job can be used to update # the configuration of the realm when upgrading to a new version; # Please also refer to the 'Post-Upgrade Configuration' section in the README.md # for configuration possibly not covered by the seeding job +realmSeeding: enabled: true realms: cxOperator: - name: "CX-Operator" - dataPaths: - path0: "realms/CX-Operator-realm.json" - path1: "realms/CX-Operator-users-0.json" # -- Set centralidp address for the connection to the CX-Central (centralidp) - centralidp: - address: "https://centralidp.example.org" - clientId: "central-idp" - redirectPath: "/auth/realms/CX-Central/broker/CX-Operator/endpoint/*" - jwksPath: "/auth/realms/CX-Central/protocol/openid-connect/certs" + centralidp: "https://centralidp.example.org" initialUser: # -- SET username for initial user for all non-testing and non-local purposes username: "cx-operator@tx.org" @@ -180,8 +172,6 @@ realmSeeding: # -- Option to provide an existingSecret for mailing configuration existingSecret: "" master: - name: "master" - dataPath: "realms/master-realm.json" serviceAccounts: # -- Set clients secret for the service account which enables the portal to provision new realms provisioning: @@ -197,9 +187,11 @@ realmSeeding: existingSecret: "" image: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1" imagePullPolicy: "IfNotPresent" + initContainer: + image: docker.io/tractusx/portal-iam:v4.0.0-alpha.1 + imagePullPolicy: IfNotPresent + tls: false portContainer: 8080 - authRealm: "master" - useAuthTrail: "true" # -- We recommend to review the default resource limits as this should a conscious choice. resources: requests: 
@@ -210,24 +202,3 @@ realmSeeding: cpu: 750m memory: 600M ephemeral-storage: 1024Mi - tls: false - extraVolumes: - - name: realms - emptyDir: {} - extraVolumeMounts: - - name: realms - mountPath: "app/realms" - initContainers: - - name: init-cx-central - image: docker.io/tractusx/portal-iam:v4.0.0-alpha.1 - imagePullPolicy: IfNotPresent - command: - - sh - args: - - -c - - | - echo "Copying realms..." - cp -R /import/catenax-shared/realms/* /app/realms - volumeMounts: - - name: realms - mountPath: "app/realms" From 1c28d4e0838bb939e500b0ed3358af28718729dd Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 22:17:18 +0200 Subject: [PATCH 41/55] chore: fix format --- charts/centralidp/templates/job-seeding.yaml | 4 ++-- charts/sharedidp/templates/job-seeding.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index 34ce14ca..0a95b356 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml @@ -44,9 +44,9 @@ spec: - name: "KEYCLOAK__CENTRAL__CONNECTIONSTRING" value: | {{ if .Values.realmSeeding.tls }} - "https://{{ template "centralidp.fullname" . }}" + https://{{ template "centralidp.fullname" . }} {{ else }} - "http://{{ template "centralidp.fullname" . }}" + http://{{ template "centralidp.fullname" . }} {{ end }} - name: "KEYCLOAK__CENTRAL__USER" value: "{{ .Values.keycloak.auth.adminUser }}" diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml index 8f6a2a29..10974f38 100644 --- a/charts/sharedidp/templates/job-seeding.yaml +++ b/charts/sharedidp/templates/job-seeding.yaml 
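Review bot: Dropping the quotes removes the literal `"` characters from the value, but `value: |` still keeps the line breaks produced by the `{{ if }}`/`{{ else }}`/`{{ end }}` lines, so the rendered `KEYCLOAK__CENTRAL__CONNECTIONSTRING` presumably carries a leading blank line and a trailing newline around the URL; whether the seeding application trims that before connecting is not visible here. A single-line value avoids the question entirely: `value: "{{ ternary "https" "http" .Values.realmSeeding.tls }}://{{ template "centralidp.fullname" . }}"`. The sharedidp hunk @@ -44 in the same commit has the identical shape with `sharedidp.fullname`.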
@@ -44,9 +44,9 @@ spec: - name: "KEYCLOAK__SHARED__CONNECTIONSTRING" value: | {{ if .Values.realmSeeding.tls }} - "https://{{ template "sharedidp.fullname" . }}" + https://{{ template "sharedidp.fullname" . }} {{ else }} - "http://{{ template "sharedidp.fullname" . }}" + http://{{ template "sharedidp.fullname" . }} {{ end }} - name: "KEYCLOAK__SHARED__USER" value: "{{ .Values.keycloak.auth.adminUser }}" From 1d12065b6fc97b68058dc696ee4a1ac48e482093 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 22:31:37 +0200 Subject: [PATCH 42/55] chore: fix format --- charts/sharedidp/templates/job-seeding.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml index 10974f38..6430735d 100644 --- a/charts/sharedidp/templates/job-seeding.yaml +++ b/charts/sharedidp/templates/job-seeding.yaml @@ -79,11 +79,11 @@ spec: - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__CLIENTID" value: "central-idp" - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__REDIRECTURIS__0" - value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp }}/auth/realms/CX-Central/broker/CX-Operator/endpoint/* }}" + value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp }}/auth/realms/CX-Central/broker/CX-Operator/endpoint/*" - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__ATTRIBUTES__0__NAME" value: "jwks.url" - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__ATTRIBUTES__0__VALUE" - value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp }}/auth/realms/CX-Central/protocol/openid-connect/certs }}" + value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp }}/auth/realms/CX-Central/protocol/openid-connect/certs" ############################# ## CX-OPERATOR INITIAL USER From d8a77e7d0eec0baaec29906a7f7a7a79eaac3915 Mon Sep 17 00:00:00 2001 
From: Evelyn Gurschler Date: Wed, 2 Oct 2024 22:38:04 +0200 Subject: [PATCH 43/55] chore: move into job --- charts/sharedidp/templates/job-seeding.yaml | 8 ++++---- .../sharedidp/templates/secret-seeding-master-realm.yaml | 4 ++-- charts/sharedidp/values.yaml | 2 -- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml index 6430735d..6425c3d5 100644 --- a/charts/sharedidp/templates/job-seeding.yaml +++ b/charts/sharedidp/templates/job-seeding.yaml @@ -165,19 +165,19 @@ spec: ############################# - name: "KEYCLOAKSEEDING__REALMS__1__CLIENTS__0__CLIENTID" - value: "{{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientId }}" + value: "sa-cl1-reg-1" - name: "KEYCLOAKSEEDING__REALMS__1__CLIENTS__0__SECRET" valueFrom: secretKeyRef: name: "{{ template "sharedidp.secret.realmSeeding.master" . }}" - key: "{{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientId }}" + key: "sa-provisioning" - name: "KEYCLOAKSEEDING__REALMS__1__CLIENTS__1__CLIENTID" - value: "{{ .Values.realmSeeding.realms.master.serviceAccounts.saCxOperator.clientId }}" + value: "saCX-Operator" - name: "KEYCLOAKSEEDING__REALMS__1__CLIENTS__1__SECRET" valueFrom: secretKeyRef: name: "{{ template "sharedidp.secret.realmSeeding.master" . }}" - key: "{{ .Values.realmSeeding.realms.master.serviceAccounts.saCxOperator.clientId }}" + key: "sa-cx-operator" ports: - name: http diff --git a/charts/sharedidp/templates/secret-seeding-master-realm.yaml b/charts/sharedidp/templates/secret-seeding-master-realm.yaml index 3f9350ce..5f3e0dbe 100644 --- a/charts/sharedidp/templates/secret-seeding-master-realm.yaml +++ b/charts/sharedidp/templates/secret-seeding-master-realm.yaml 
@@ -25,6 +25,6 @@ metadata: namespace: {{ .Release.Namespace }} type: Opaque stringData: - {{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientId }}: {{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret | default "changeme" | quote }} - {{ .Values.realmSeeding.realms.master.serviceAccounts.saCxOperator.clientId }}: {{ .Values.realmSeeding.realms.master.serviceAccounts.saCxOperator.clientSecret | default "changeme" | quote }} + sa-provisioning: {{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret | default "changeme" | quote }} + sa-cx-operator: {{ .Values.realmSeeding.realms.master.serviceAccounts.saCxOperator.clientSecret | default "changeme" | quote }} {{- end -}} diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index f8b0fda8..357dad71 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -175,12 +175,10 @@ realmSeeding: serviceAccounts: # -- Set clients secret for the service account which enables the portal to provision new realms provisioning: - clientId: "sa-cl1-reg-1" # -- SET client secret for all non-testing and non-local purposes, default value is "changeme" clientSecret: "" # -- Set clients secret for the service account which enables the portal to manage the CX-Operator realm saCxOperator: - clientId: "saCX-Operator" # -- SET client secret for all non-testing and non-local purposes, default value is "changeme" clientSecret: "" # -- Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value From 35c4b2f17e5d1831cd434c2c182921e82059a909 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 22:41:41 +0200 Subject: [PATCH 44/55] docs: improve comments --- charts/sharedidp/values.yaml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index 357dad71..2d9c346c 100644 
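Review bot: The context line `# -- Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value` in the values.yaml hunk @@ -175 is no longer true after this commit: the secret template and the job's `secretKeyRef` now use the fixed keys `sa-provisioning` and `sa-cx-operator`, not the client IDs `sa-cl1-reg-1` and `saCX-Operator`. An operator who builds an existingSecret keyed by clientId, as the comment instructs, gets a job whose pod fails to start on the missing key. Suggest `# -- Option to provide an existingSecret for the service account secrets; expected keys are 'sa-provisioning' and 'sa-cx-operator'`. The centralidp chart has the same drift: secret-clients.yaml switched to `miw`, `bpdm`, `bpdm-gate` in PATCH 39 (and `bpdm-orchestrator` in PATCH 49) while its values comment in the PATCH 49 hunk @@ -164 still says "with clientId as key".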
--- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -148,18 +148,16 @@ realmSeeding: enabled: true realms: cxOperator: - # -- Set centralidp address for the connection to the CX-Central (centralidp) + # -- Set centralidp address for the connection to the CX-Central realm centralidp: "https://centralidp.example.org" + # -- Configure initial user in CX-Operator realm initialUser: - # -- SET username for initial user for all non-testing and non-local purposes + # -- SET username for all non-testing and non-local purposes username: "cx-operator@tx.org" - # -- SET password for initial user for all non-testing and non-local purposes, default value is "!3changemeTractus-X" + # -- SET password for all non-testing and non-local purposes, default value is "!3changemeTractus-X" password: "" - # -- Set first name for initial user firstName: "Operator" - # -- Set last name for initial user lastName: "CX Admin" - # -- Set e-mail for initial user eMail: "cx-operator@tx.org" # -- Set mailing configuration for CX-Operator realm mailing: From cc78dcf1a462a3b9702c249b98e0107e0c3fbb13 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 22:45:40 +0200 Subject: [PATCH 45/55] chore: fix comment --- charts/centralidp/values.yaml | 2 +- charts/sharedidp/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index b475c7f4..47770f2f 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -88,7 +88,7 @@ keycloak: postgresql: # -- PostgreSQL chart configuration (recommended for demonstration purposes only); # default configurations: - # host: "centralidp-postgresql-primary", + # host: "centralidp-postgresql", # port: 5432; # Switch to enable or disable the PostgreSQL helm chart. enabled: true diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index 2d9c346c..c0dd231c 100644 --- a/charts/sharedidp/values.yaml 
+++ b/charts/sharedidp/values.yaml @@ -96,7 +96,7 @@ keycloak: postgresql: # -- PostgreSQL chart configuration (recommended for demonstration purposes only); # default configurations: - # host: "sharedidp-postgresql-primary", + # host: "sharedidp-postgresql", # port: 5432; # Switch to enable or disable the PostgreSQL helm chart. enabled: true From 4b7fd248c424188be22f16c47e6943dc2af9250a Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 22:48:48 +0200 Subject: [PATCH 46/55] chore: update testing --- charts/values-test-centralidp.yaml | 17 +++-------------- charts/values-test-sharedidp.yaml | 17 +++-------------- 2 files changed, 6 insertions(+), 28 deletions(-) diff --git a/charts/values-test-centralidp.yaml b/charts/values-test-centralidp.yaml index 3ce8f50b..d7102c54 100644 --- a/charts/values-test-centralidp.yaml +++ b/charts/values-test-centralidp.yaml @@ -33,17 +33,6 @@ keycloak: - name: themes mountPath: "/themes" realmSeeding: - initContainers: - - name: init-cx-central - image: kind-registry:5000/iam:testing - imagePullPolicy: Always - command: - - sh - args: - - -c - - | - echo "Copying CX Central realm..." - cp -R /import/catenax-central/realms/* /app/realms - volumeMounts: - - name: realms - mountPath: "app/realms" + initContainer: + image: kind-registry:5000/iam:testing + imagePullPolicy: Always diff --git a/charts/values-test-sharedidp.yaml b/charts/values-test-sharedidp.yaml index f5f50c13..8498b2d0 100644 --- a/charts/values-test-sharedidp.yaml +++ b/charts/values-test-sharedidp.yaml 
@@ -37,17 +37,6 @@ keycloak: - name: themes-catenax-shared-portal mountPath: "/themes-catenax-shared-portal" realmSeeding: - initContainers: - - name: init-cx-central - image: kind-registry:5000/iam:testing - imagePullPolicy: Always - command: - - sh - args: - - -c - - | - echo "Copying realms..." - cp -R /import/catenax-shared/realms/* /app/realms - volumeMounts: - - name: realms - mountPath: "app/realms" + initContainer: + image: kind-registry:5000/iam:testing + imagePullPolicy: Always From b333dbad14282d3c5a98119e2d2096f3f6dfc8aa Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 23:10:58 +0200 Subject: [PATCH 47/55] chore: improve image config --- charts/centralidp/templates/job-seeding.yaml | 8 ++++---- charts/centralidp/values.yaml | 10 ++++++---- charts/sharedidp/templates/job-seeding.yaml | 8 ++++---- charts/sharedidp/values.yaml | 10 ++++++---- charts/values-test-centralidp.yaml | 5 +++-- charts/values-test-sharedidp.yaml | 5 +++-- 6 files changed, 26 insertions(+), 20 deletions(-) diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index 0a95b356..94018451 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml @@ -38,8 +38,8 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "{{ .Values.realmSeeding.image }}" - imagePullPolicy: "{{ .Values.realmSeeding.imagePullPolicy }}" + image: "{{ .Values.realmSeeding.image.name }}" + imagePullPolicy: "{{ .Values.realmSeeding.image.pullPolicy }}" env: - name: "KEYCLOAK__CENTRAL__CONNECTIONSTRING" value: | 
@@ -217,8 +217,8 @@ spec: mountPath: "app/realms" initContainers: - name: init-cx-central - image: {{ .Values.realmSeeding.initContainer.image }} - imagePullPolicy: {{ .Values.realmSeeding.initContainer.imagePullPolicy }} + image: {{ .Values.realmSeeding.initContainer.image.name }} + imagePullPolicy: {{ .Values.realmSeeding.initContainer.image.pullPolicy }} command: - sh args: diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 47770f2f..2841e604 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -214,11 +214,13 @@ realmSeeding: # bpn: "TBD2" # -- Option to provide an existingSecret for additional service accounts with clientId as key and clientSecret as value existingSecret: "" - image: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1" - imagePullPolicy: "IfNotPresent" + image: + name: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1" + pullPolicy: "IfNotPresent" initContainer: - image: "docker.io/tractusx/portal-iam:v4.0.0-alpha.1" - imagePullPolicy: "IfNotPresent" + image: + name: "docker.io/tractusx/portal-iam:v4.0.0-alpha.1" + pullPolicy: "IfNotPresent" tls: false portContainer: 8080 # -- We recommend to review the default resource limits as this should a conscious choice. diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml index 6425c3d5..90336857 100644 --- a/charts/sharedidp/templates/job-seeding.yaml +++ b/charts/sharedidp/templates/job-seeding.yaml @@ -38,8 +38,8 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "{{ .Values.realmSeeding.image }}" - imagePullPolicy: "{{ .Values.realmSeeding.imagePullPolicy }}" + image: "{{ .Values.realmSeeding.image.name }}" + imagePullPolicy: "{{ .Values.realmSeeding.image.pullPolicy }}" env: - name: "KEYCLOAK__SHARED__CONNECTIONSTRING" value: | 
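Review bot: The init container's `image:` and `imagePullPolicy:` in the @@ -217 hunk are left as unquoted template expressions, whereas the main container in the @@ -38 hunk of the same commit quotes them (`image: "{{ .Values.realmSeeding.image.name }}"`); with an unset or empty value the unquoted form renders as a bare key, i.e. YAML null, instead of an empty string that the API server rejects with a clear message. For consistency use `image: "{{ .Values.realmSeeding.initContainer.image.name }}"` and `imagePullPolicy: "{{ .Values.realmSeeding.initContainer.image.pullPolicy }}"`. The sharedidp hunk @@ -190 in this commit has the same two lines.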
@@ -190,8 +190,8 @@ spec: mountPath: "app/realms" initContainers: - name: init-cx-central - image: {{ .Values.realmSeeding.initContainer.image }} - imagePullPolicy: {{ .Values.realmSeeding.initContainer.imagePullPolicy }} + image: {{ .Values.realmSeeding.initContainer.image.name }} + imagePullPolicy: {{ .Values.realmSeeding.initContainer.image.pullPolicy }} command: - sh args: diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index c0dd231c..8a5fd59e 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -181,11 +181,13 @@ realmSeeding: clientSecret: "" # -- Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value existingSecret: "" - image: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1" - imagePullPolicy: "IfNotPresent" + image: + name: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1" + pullPolicy: "IfNotPresent" initContainer: - image: docker.io/tractusx/portal-iam:v4.0.0-alpha.1 - imagePullPolicy: IfNotPresent + image: + name: "docker.io/tractusx/portal-iam:v4.0.0-alpha.1" + pullPolicy: "IfNotPresent" tls: false portContainer: 8080 # -- We recommend to review the default resource limits as this should a conscious choice. diff --git a/charts/values-test-centralidp.yaml b/charts/values-test-centralidp.yaml index d7102c54..6916c740 100644 --- a/charts/values-test-centralidp.yaml +++ b/charts/values-test-centralidp.yaml @@ -34,5 +34,6 @@ keycloak: mountPath: "/themes" realmSeeding: initContainer: - image: kind-registry:5000/iam:testing - imagePullPolicy: Always + image: + name: "kind-registry:5000/iam:testing" + pullPolicy: "Always" diff --git a/charts/values-test-sharedidp.yaml b/charts/values-test-sharedidp.yaml index 8498b2d0..b9650b69 100644 --- a/charts/values-test-sharedidp.yaml +++ b/charts/values-test-sharedidp.yaml 
@@ -38,5 +38,6 @@ keycloak: mountPath: "/themes-catenax-shared-portal" realmSeeding: initContainer: - image: kind-registry:5000/iam:testing - imagePullPolicy: Always + image: + name: "kind-registry:5000/iam:testing" + pullPolicy: "Always" From f14eb307c4970b8fa893452ff3068aa4835436bb Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 23:33:57 +0200 Subject: [PATCH 48/55] chore: consolidate description of new bpdm svcs --- .../generic/catenax-central/CX-Central-realm.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/import/realm-config/generic/catenax-central/CX-Central-realm.json b/import/realm-config/generic/catenax-central/CX-Central-realm.json index c02662be..a991719c 100644 --- a/import/realm-config/generic/catenax-central/CX-Central-realm.json +++ b/import/realm-config/generic/catenax-central/CX-Central-realm.json @@ -4606,7 +4606,7 @@ "id": "4ebeb21b-055e-403f-8bfa-738bb935395d", "clientId": "sa-cl25-cx-1", "name": "BPDM Dummy Cleaning Task Processor", - "description": "Client for the BPDM cleaning service dummy component to process golden record tasks from the Orchestrator", + "description": "Technical User for the BPDM cleaning service dummy component to process golden record tasks from the Orchestrator", "rootUrl": "", "adminUrl": "", "baseUrl": "", @@ -4722,7 +4722,7 @@ "id": "0dffae1b-5a95-4253-857e-b84c6904d012", "clientId": "sa-cl25-cx-2", "name": "BPDM Pool Task Processor", - "description": "Client for the BPDM Pool component to process golden record tasks from the Orchestrator", + "description": "Technical User for the BPDM Pool component to process golden record tasks from the Orchestrator", "rootUrl": "", "adminUrl": "", "baseUrl": "", 
@@ -4838,7 +4838,7 @@ "id": "dfb5e903-2509-4d52-bef5-2c6a85e34d5c", "clientId": "sa-cl25-cx-3", "name": "BPDM Portal Gate Task Creator", - "description": "Client for the BPDM Portal Gate to create and monitor golden record tasks inside the Orchestrator", + "description": "Technical User for the BPDM Portal Gate to create and monitor golden record tasks inside the Orchestrator", "rootUrl": "", "adminUrl": "", "baseUrl": "", @@ -4954,7 +4954,7 @@ "id": "fd3c0f0d-40f6-4522-9a87-17ea147e7cfe", "clientId": "sa-cl7-cx-1", "name": "BPDM Portal Gate Pool Consumer", - "description": "Client for the BPDM Portal Gate to consume golden record data from the Pool", + "description": "Technical User for the BPDM Portal Gate to consume golden record data from the Pool", "rootUrl": "", "adminUrl": "", "baseUrl": "", From bd51499b4aaf6e5e271bb9189f4d67a28574790c Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 23:36:36 +0200 Subject: [PATCH 49/55] feat: enable new bpdm client and svcs --- charts/centralidp/templates/job-seeding.yaml | 7 +++++++ charts/centralidp/templates/secret-clients.yaml | 1 + charts/centralidp/values.yaml | 12 ++++++++++++ 3 files changed, 20 insertions(+) diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml index 94018451..27f1065e 100644 --- a/charts/centralidp/templates/job-seeding.yaml +++ b/charts/centralidp/templates/job-seeding.yaml @@ -130,6 +130,13 @@ spec: secretKeyRef: name: "{{ template "centralidp.secret.clients" . }}" key: "bpdm-gate" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__CLIENTID" + value: "Cl25-CX-BPDM-Orchestrator" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__SECRET" + valueFrom: + secretKeyRef: + name: "{{ template "centralidp.secret.clients" . }}" + key: "bpdm-orchestrator" ############################# ## BASE SERVICE ACCOUNTS 
diff --git a/charts/centralidp/templates/secret-clients.yaml b/charts/centralidp/templates/secret-clients.yaml index 5c67b941..f92bf601 100644 --- a/charts/centralidp/templates/secret-clients.yaml +++ b/charts/centralidp/templates/secret-clients.yaml @@ -28,4 +28,5 @@ stringData: miw: {{ .Values.realmSeeding.clients.miw.clientSecret | default "changeme" | quote }} bpdm: {{ .Values.realmSeeding.clients.bpdm.clientSecret | default "changeme" | quote }} bpdm-gate: {{ .Values.realmSeeding.clients.bpdmGate.clientSecret | default "changeme" | quote }} + bpdm-orchestrator: {{ .Values.realmSeeding.clients.bpdmOrchestrator.clientSecret | default "changeme" | quote }} {{- end -}} diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 2841e604..84afb1d0 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -164,6 +164,8 @@ realmSeeding: clientSecret: "" redirects: - https://partners-gate.example.org/* + bpdmOrchestrator: + clientSecret: "" # -- Option to provide an existingSecret for the clients with clientId as key and clientSecret as value existingSecret: "" # Client secrets for service accounts which are part of the basic CX-Central realm setup; @@ -186,8 +188,12 @@ realmSeeding: clientSecret: "" - clientId: "sa-cl5-custodian-2" clientSecret: "" + - clientId: "sa-cl7-cx-1" + clientSecret: "" - clientId: "sa-cl7-cx-5" clientSecret: "" + - clientId: "sa-cl7-cx-7" + clientSecret: "" - clientId: "sa-cl8-cx-1" clientSecret: "" - clientId: "sa-cl21-01" @@ -196,6 +202,12 @@ realmSeeding: clientSecret: "" - clientId: "sa-cl24-01" clientSecret: "" + - clientId: "sa-cl25-cx-1" + clientSecret: "" + - clientId: "sa-cl25-cx-2" + clientSecret: "" + - clientId: "sa-cl25-cx-3" + clientSecret: "" # -- Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value existingSecret: "" # -- Set value for the 'bpn' user attribute for the initial user and the base service account users 
From e8bab23f4b9b7d12505144ff255963272461d472 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 2 Oct 2024 23:45:36 +0200 Subject: [PATCH 50/55] docs: remove post-install config and update readme --- README.md | 2 - charts/centralidp/README.md | 88 ++++++++++-------------------- charts/centralidp/README.md.gotmpl | 13 ----- charts/sharedidp/README.md | 78 +++++++++++--------------- charts/sharedidp/README.md.gotmpl | 21 ------- 5 files changed, 60 insertions(+), 142 deletions(-) diff --git a/README.md b/README.md index 2bb1f5b2..88a876c9 100644 --- a/README.md +++ b/README.md @@ -17,12 +17,10 @@ For further information please refer to the chart specific README files, availab * charts/centralidp * [Installation](./charts/centralidp/README.md#installation) - * [Post-Install Configuration](./charts/centralidp/README.md#post-install-configuration) * [Upgrade](./charts/centralidp/README.md#upgrade) * [Post-Upgrade Configuration](./charts/centralidp/README.md#post-upgrade-configuration) * charts/sharedidp * [Installation](./charts/sharedidp/README.md#installation) - * [Post-Install Configuration](./charts/sharedidp/README.md#post-install-configuration) * [Upgrade](./charts/sharedidp/README.md#upgrade) ## Known Issues and Limitations diff --git a/charts/centralidp/README.md b/charts/centralidp/README.md index b4eefe70..e1163411 100644 --- a/charts/centralidp/README.md +++ b/charts/centralidp/README.md 
@@ -43,31 +43,24 @@ dependencies: | Key | Type | Default | Description | |-----|------|---------|-------------| | keycloak.auth.adminUser | string | `"admin"` | | -| keycloak.auth.existingSecret | string | `"centralidp-keycloak"` | Secret containing the passwords for admin username 'admin' and management username 'manager'. | +| keycloak.auth.adminPassword | string | `""` | | +| keycloak.auth.existingSecret | string | `""` | Secret containing the passwords for admin username 'admin' and management username 'manager'. | | keycloak.production | bool | `false` | Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. | | keycloak.proxy | string | `"passthrough"` | reverse Proxy mode edge, reencrypt, passthrough or none; ref: https://www.keycloak.org/server/reverseproxy; If your ingress controller has the SSL Termination, you should set proxy to edge. | | keycloak.httpRelativePath | string | `"/auth/"` | Setting the path relative to '/' for serving resources: as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'. 
ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed | -| keycloak.extraEnvVars[0].name | string | `"KEYCLOAK_EXTRA_ARGS"` | | -| keycloak.extraEnvVars[0].value | string | `"-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/realms/CX-Central-realm.json -Dkeycloak.migration.strategy=IGNORE_EXISTING"` | | -| keycloak.replicaCount | int | `3` | | +| keycloak.replicaCount | int | `1` | | | keycloak.extraVolumes[0].name | string | `"themes"` | | | keycloak.extraVolumes[0].emptyDir | object | `{}` | | -| keycloak.extraVolumes[1].name | string | `"realms"` | | -| keycloak.extraVolumes[1].emptyDir | object | `{}` | | | keycloak.extraVolumeMounts[0].name | string | `"themes"` | | | keycloak.extraVolumeMounts[0].mountPath | string | `"/opt/bitnami/keycloak/themes/catenax-central"` | | -| keycloak.extraVolumeMounts[1].name | string | `"realms"` | | -| keycloak.extraVolumeMounts[1].mountPath | string | `"/realms"` | | | keycloak.initContainers[0].name | string | `"import"` | | | keycloak.initContainers[0].image | string | `"docker.io/tractusx/portal-iam:v3.0.1"` | | | keycloak.initContainers[0].imagePullPolicy | string | `"IfNotPresent"` | | | keycloak.initContainers[0].command[0] | string | `"sh"` | | | keycloak.initContainers[0].args[0] | string | `"-c"` | | -| keycloak.initContainers[0].args[1] | string | `"echo \"Copying themes...\"\ncp -R /import/themes/catenax-central/* /themes\necho \"Copying realms...\"\ncp -R /import/catenax-central/realms/* /realms\n"` | | +| keycloak.initContainers[0].args[1] | string | `"echo \"Copying themes...\"\ncp -R /import/themes/catenax-central/* /themes\n"` | | | keycloak.initContainers[0].volumeMounts[0].name | string | `"themes"` | | | keycloak.initContainers[0].volumeMounts[0].mountPath | string | `"/themes"` | | -| keycloak.initContainers[0].volumeMounts[1].name | string | `"realms"` | | -| keycloak.initContainers[0].volumeMounts[1].mountPath | 
string | `"/realms"` | | | keycloak.service.sessionAffinity | string | `"ClientIP"` | | | keycloak.ingress.enabled | bool | `false` | | | keycloak.ingress.ingressClassName | string | `"nginx"` | | 
@@ -87,63 +80,38 @@ dependencies: | keycloak.rbac.rules[0].resources[0] | string | `"pods"` | | | keycloak.rbac.rules[0].verbs[0] | string | `"get"` | | | keycloak.rbac.rules[0].verbs[1] | string | `"list"` | | -| keycloak.postgresql.enabled | bool | `true` | PostgreSQL chart configuration (recommended for demonstration purposes only); default configurations: host: "centralidp-postgresql-primary", port: 5432; Switch to enable or disable the PostgreSQL helm chart. | +| keycloak.postgresql.enabled | bool | `true` | PostgreSQL chart configuration (recommended for demonstration purposes only); default configurations: host: "centralidp-postgresql", port: 5432; Switch to enable or disable the PostgreSQL helm chart. | | keycloak.postgresql.image | object | `{"tag":"15-debian-11"}` | Setting to Postgres version 15 as that is the aligned version, https://eclipse-tractusx.github.io/docs/release/trg-5/trg-5-07/#aligning-dependency-versions). Keycloak helm-chart from Bitnami has moved on to version 16. | | keycloak.postgresql.commonLabels."app.kubernetes.io/version" | string | `"15"` | | | keycloak.postgresql.auth.username | string | `"kccentral"` | Non-root username. | +| keycloak.postgresql.auth.password | string | `""` | Non-root user password. | +| keycloak.postgresql.auth.postgresPassword | string | `""` | Root user password. | | keycloak.postgresql.auth.database | string | `"iamcentralidp"` | Database name. | -| keycloak.postgresql.auth.existingSecret | string | `"centralidp-postgres"` | Secret containing the passwords for root usernames postgres and non-root username kccentral. | -| keycloak.postgresql.architecture | string | `"replication"` | | -| keycloak.externalDatabase.host | string | `"centralidp-postgresql-external-db"` | External PostgreSQL configuration IMPORTANT: non-root db user needs needs to be created beforehand on external database. Database host ('-primary' is added as postfix). 
| +| keycloak.postgresql.auth.existingSecret | string | `""` | Secret containing the passwords for root usernames postgres and non-root username kccentral. | +| keycloak.postgresql.architecture | string | `"standalone"` | | +| keycloak.externalDatabase.host | string | `""` | External PostgreSQL configuration IMPORTANT: non-root db user needs needs to be created beforehand on external database. | | keycloak.externalDatabase.port | int | `5432` | Database port number. | -| keycloak.externalDatabase.user | string | `"kccentral"` | Non-root username for centralidp. | -| keycloak.externalDatabase.database | string | `"iamcentralidp"` | Database name. | -| keycloak.externalDatabase.password | string | `""` | Password for the non-root username (default 'kccentral'). Secret-key 'password'. | -| keycloak.externalDatabase.existingSecret | string | `"centralidp-keycloak-external-db"` | Secret containing the password non-root username, (default 'kccentral'). | -| keycloak.externalDatabase.existingSecretPasswordKey | string | `"password"` | Name of an existing secret key containing the database credentials. | -| secrets.auth.existingSecret.adminpassword | string | `""` | Password for the admin username 'admin'. Secret-key 'admin-password'. | -| secrets.postgresql.auth.existingSecret.postgrespassword | string | `""` | Password for the root username 'postgres'. Secret-key 'postgres-password'. | -| secrets.postgresql.auth.existingSecret.password | string | `""` | Password for the non-root username 'kccentral'. Secret-key 'password'. | -| secrets.postgresql.auth.existingSecret.replicationPassword | string | `""` | Password for the non-root username 'repl_user'. Secret-key 'replication-password'. 
| -| seeding.enabled | bool | `false` | Seeding job to upgrade CX_Central realm: enable to upgrade the configuration of the CX-Central realm from previous version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job | -| seeding.image | string | `"docker.io/tractusx/portal-iam-seeding:v3.0.1-iam"` | | -| seeding.imagePullPolicy | string | `"IfNotPresent"` | | -| seeding.portContainer | int | `8080` | | -| seeding.authRealm | string | `"master"` | | -| seeding.useAuthTrail | string | `"true"` | | -| seeding.dataPaths.dataPath0 | string | `"realms/CX-Central-realm.json"` | | -| seeding.instanceName | string | `"central"` | | -| seeding.excludedUserAttributes.attribute0 | string | `"bpn"` | | -| seeding.excludedUserAttributes.attribute1 | string | `"organisation"` | | -| seeding.resources | object | `{"limits":{"cpu":"225m","memory":"200M"},"requests":{"cpu":"75m","memory":"200M"}}` | We recommend to review the default resource limits as this should a conscious choice. 
| -| seeding.extraVolumes[0].name | string | `"realms"` | | -| seeding.extraVolumes[0].emptyDir | object | `{}` | | -| seeding.extraVolumeMounts[0].name | string | `"realms"` | | -| seeding.extraVolumeMounts[0].mountPath | string | `"app/realms"` | | -| seeding.initContainers[0].name | string | `"init-cx-central"` | | -| seeding.initContainers[0].image | string | `"docker.io/tractusx/portal-iam:v3.0.1"` | | -| seeding.initContainers[0].imagePullPolicy | string | `"IfNotPresent"` | | -| seeding.initContainers[0].command[0] | string | `"sh"` | | -| seeding.initContainers[0].args[0] | string | `"-c"` | | -| seeding.initContainers[0].args[1] | string | `"echo \"Copying CX Central realm...\"\ncp -R /import/catenax-central/realms/* /app/realms\n"` | | -| seeding.initContainers[0].volumeMounts[0].name | string | `"realms"` | | -| seeding.initContainers[0].volumeMounts[0].mountPath | string | `"app/realms"` | | +| keycloak.externalDatabase.user | string | `""` | Non-root username. | +| keycloak.externalDatabase.database | string | `""` | Database name. | +| keycloak.externalDatabase.password | string | `""` | Password for the non-root username. 
| +| keycloak.externalDatabase.existingSecret | string | `""` | Secret containing the database credentials | +| keycloak.externalDatabase.existingSecretHostKey | string | `""` | | +| keycloak.externalDatabase.existingSecretPortKey | string | `""` | | +| keycloak.externalDatabase.existingSecretUserKey | string | `""` | | +| keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | | +| keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | | +| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5
","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"https://sharedidp.example.org","tls":false}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job | +| realmSeeding.clients | object | `{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}}` | Set redirect addresses and - in the case of confidential clients - clients secrets for clients which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is "changeme" | +| realmSeeding.clients.existingSecret | string | `""` | Option to provide an existingSecret for the clients with clientId as key and clientSecret as value | +| realmSeeding.serviceAccounts.existingSecret | string | `""` | Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value | +| realmSeeding.bpn | string | `"BPNL00000003CRHK"` | Set value 
for the 'bpn' user attribute for the initial user and the base service account users | +| realmSeeding.sharedidp | string | `"https://sharedidp.example.org"` | Set sharedidp address to enable the identity provider connection to CX-Operator realm | +| realmSeeding.extraServiceAccounts | object | `{"clientSecretsAndBpn":[],"existingSecret":""}` | Set client secrets and bpn user attribute for additional service accounts; meant to enable possible test data, default value for client secrets is "changeme" | +| realmSeeding.extraServiceAccounts.existingSecret | string | `""` | Option to provide an existingSecret for additional service accounts with clientId as key and clientSecret as value | +| realmSeeding.resources | object | `{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}}` | We recommend to review the default resource limits as this should a conscious choice. | Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) -## Post-Install Configuration - -Once the installation is completed, the following steps need to be executed in the Keycloak admin console within the CX-Central realm: - -1. Generate client-secrets for confidential clients and service accounts with access type 'confidential'. - -2. Establish connection to the sharedidp instance - -In order to enable the login of the initial user (see CX-Operator realm in sharedidp instance for username), the connection between the 'CX-Operator' identity provider of the centralidp instance and the according realm in the sharedidp instance needs to be established. -This is done by setting the 'example.org' placeholder in the CX-Operator' Identity Provider to the address of the sharedidp instance. - -3. Setup SMTP configuration (Realm Settings --> Email) - ## Upgrade Please see notes at [Values.seeding](values.yaml#L153) for upgrading the configuration of the CX-Central realm. 
diff --git a/charts/centralidp/README.md.gotmpl b/charts/centralidp/README.md.gotmpl index ffb385fe..8bd77957 100644 --- a/charts/centralidp/README.md.gotmpl +++ b/charts/centralidp/README.md.gotmpl @@ -38,19 +38,6 @@ dependencies: Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) -## Post-Install Configuration - -Once the installation is completed, the following steps need to be executed in the Keycloak admin console within the CX-Central realm: - -1. Generate client-secrets for confidential clients and service accounts with access type 'confidential'. - -2. Establish connection to the sharedidp instance - -In order to enable the login of the initial user (see CX-Operator realm in sharedidp instance for username), the connection between the 'CX-Operator' identity provider of the centralidp instance and the according realm in the sharedidp instance needs to be established. -This is done by setting the 'example.org' placeholder in the CX-Operator' Identity Provider to the address of the sharedidp instance. - -3. Setup SMTP configuration (Realm Settings --> Email) - ## Upgrade Please see notes at [Values.seeding](values.yaml#L153) for upgrading the configuration of the CX-Central realm. diff --git a/charts/sharedidp/README.md b/charts/sharedidp/README.md index a4a04647..044358df 100644 --- a/charts/sharedidp/README.md +++ b/charts/sharedidp/README.md 
@@ -43,37 +43,30 @@ dependencies: | Key | Type | Default | Description | |-----|------|---------|-------------| | keycloak.auth.adminUser | string | `"admin"` | | -| keycloak.auth.existingSecret | string | `"sharedidp-keycloak"` | Secret containing the passwords for admin username 'admin' and management username 'manager'. | +| keycloak.auth.adminPassword | string | `""` | | +| keycloak.auth.existingSecret | string | `""` | Secret containing the passwords for admin username 'admin' and management username 'manager'. | | keycloak.production | bool | `false` | Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. | | keycloak.proxy | string | `"passthrough"` | reverse Proxy mode edge, reencrypt, passthrough or none; ref: https://www.keycloak.org/server/reverseproxy; If your ingress controller has the SSL Termination, you should set proxy to edge. | | keycloak.httpRelativePath | string | `"/auth/"` | Setting the path relative to '/' for serving resources: as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'. 
ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed | -| keycloak.extraEnvVars[0].name | string | `"KEYCLOAK_EXTRA_ARGS"` | | -| keycloak.extraEnvVars[0].value | string | `"-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/realms -Dkeycloak.migration.strategy=IGNORE_EXISTING"` | | -| keycloak.replicaCount | int | `3` | | +| keycloak.replicaCount | int | `1` | | | keycloak.extraVolumes[0].name | string | `"themes-catenax-shared"` | | | keycloak.extraVolumes[0].emptyDir | object | `{}` | | | keycloak.extraVolumes[1].name | string | `"themes-catenax-shared-portal"` | | | keycloak.extraVolumes[1].emptyDir | object | `{}` | | -| keycloak.extraVolumes[2].name | string | `"realms"` | | -| keycloak.extraVolumes[2].emptyDir | object | `{}` | | | keycloak.extraVolumeMounts[0].name | string | `"themes-catenax-shared"` | | | keycloak.extraVolumeMounts[0].mountPath | string | `"/opt/bitnami/keycloak/themes/catenax-shared"` | | | keycloak.extraVolumeMounts[1].name | string | `"themes-catenax-shared-portal"` | | | keycloak.extraVolumeMounts[1].mountPath | string | `"/opt/bitnami/keycloak/themes/catenax-shared-portal"` | | -| keycloak.extraVolumeMounts[2].name | string | `"realms"` | | -| keycloak.extraVolumeMounts[2].mountPath | string | `"/realms"` | | | keycloak.initContainers[0].name | string | `"import"` | | | keycloak.initContainers[0].image | string | `"docker.io/tractusx/portal-iam:v3.0.1"` | | | keycloak.initContainers[0].imagePullPolicy | string | `"IfNotPresent"` | | | keycloak.initContainers[0].command[0] | string | `"sh"` | | | keycloak.initContainers[0].args[0] | string | `"-c"` | | -| keycloak.initContainers[0].args[1] | string | `"echo \"Copying themes-catenax-shared...\"\ncp -R /import/themes/catenax-shared/* /themes-catenax-shared\necho \"Copying themes-catenax-shared-portal...\"\ncp -R /import/themes/catenax-shared-portal/* /themes-catenax-shared-portal\necho \"Copying 
realms...\"\ncp -R /import/catenax-shared/realms/* /realms\n"` | | +| keycloak.initContainers[0].args[1] | string | `"echo \"Copying themes-catenax-shared...\"\ncp -R /import/themes/catenax-shared/* /themes-catenax-shared\necho \"Copying themes-catenax-shared-portal...\"\ncp -R /import/themes/catenax-shared-portal/* /themes-catenax-shared-portal\n"` | | | keycloak.initContainers[0].volumeMounts[0].name | string | `"themes-catenax-shared"` | | | keycloak.initContainers[0].volumeMounts[0].mountPath | string | `"/themes-catenax-shared"` | | | keycloak.initContainers[0].volumeMounts[1].name | string | `"themes-catenax-shared-portal"` | | | keycloak.initContainers[0].volumeMounts[1].mountPath | string | `"/themes-catenax-shared-portal"` | | -| keycloak.initContainers[0].volumeMounts[2].name | string | `"realms"` | | -| keycloak.initContainers[0].volumeMounts[2].mountPath | string | `"/realms"` | | | keycloak.service.sessionAffinity | string | `"ClientIP"` | | | keycloak.ingress.enabled | bool | `false` | | | keycloak.ingress.ingressClassName | string | `"nginx"` | | 
@@ -93,49 +86,42 @@ dependencies: | keycloak.rbac.rules[0].resources[0] | string | `"pods"` | | | keycloak.rbac.rules[0].verbs[0] | string | `"get"` | | | keycloak.rbac.rules[0].verbs[1] | string | `"list"` | | -| keycloak.postgresql.enabled | bool | `true` | PostgreSQL chart configuration (recommended for demonstration purposes only); default configurations: host: "sharedidp-postgresql-primary", port: 5432; Switch to enable or disable the PostgreSQL helm chart. | +| keycloak.postgresql.enabled | bool | `true` | PostgreSQL chart configuration (recommended for demonstration purposes only); default configurations: host: "sharedidp-postgresql", port: 5432; Switch to enable or disable the PostgreSQL helm chart. | | keycloak.postgresql.image | object | `{"tag":"15-debian-11"}` | Setting to Postgres version 15 as that is the aligned version, https://eclipse-tractusx.github.io/docs/release/trg-5/trg-5-07/#aligning-dependency-versions). Keycloak helm-chart from Bitnami has moved on to version 16. | | keycloak.postgresql.commonLabels."app.kubernetes.io/version" | string | `"15"` | | | keycloak.postgresql.auth.username | string | `"kcshared"` | Non-root username. | +| keycloak.postgresql.auth.password | string | `""` | Non-root user password. | +| keycloak.postgresql.auth.postgresPassword | string | `""` | Root user password. | | keycloak.postgresql.auth.database | string | `"iamsharedidp"` | Database name. | -| keycloak.postgresql.auth.existingSecret | string | `"sharedidp-postgres"` | Secret containing the passwords for root usernames postgres and non-root username kcshared. | -| keycloak.postgresql.architecture | string | `"replication"` | | -| keycloak.externalDatabase.host | string | `"sharedidp-postgresql-external-db"` | External PostgreSQL configuration IMPORTANT: non-root db user needs needs to be created beforehand on external database. Database host ('-primary' is added as postfix). 
| +| keycloak.postgresql.auth.existingSecret | string | `""` | Secret containing the passwords for root usernames postgres and non-root username kcshared. | +| keycloak.postgresql.architecture | string | `"standalone"` | | +| keycloak.externalDatabase.host | string | `""` | External PostgreSQL configuration IMPORTANT: non-root db user needs needs to be created beforehand on external database. | | keycloak.externalDatabase.port | int | `5432` | Database port number. | -| keycloak.externalDatabase.user | string | `"kcshared"` | Non-root username for sharedidp. | -| keycloak.externalDatabase.database | string | `"iamsharedidp"` | Database name. | -| keycloak.externalDatabase.password | string | `""` | Password for the non-root username (default 'kcshared'). Secret-key 'password'. | -| keycloak.externalDatabase.existingSecret | string | `"sharedidp-keycloak-external-db"` | Secret containing the password non-root username, (default 'kcshared'). | -| keycloak.externalDatabase.existingSecretPasswordKey | string | `"password"` | Name of an existing secret key containing the database credentials. | -| secrets.auth.existingSecret.adminpassword | string | `""` | Password for the admin username 'admin'. Secret-key 'admin-password'. | -| secrets.postgresql.auth.existingSecret.postgrespassword | string | `""` | Password for the root username 'postgres'. Secret-key 'postgres-password'. | -| secrets.postgresql.auth.existingSecret.password | string | `""` | Password for the non-root username 'kcshared'. Secret-key 'password'. | -| secrets.postgresql.auth.existingSecret.replicationPassword | string | `""` | Password for the non-root username 'repl_user'. Secret-key 'replication-password'. | -| secrets.realmuser.enabled | bool | `false` | | +| keycloak.externalDatabase.user | string | `""` | Non-root username. | +| keycloak.externalDatabase.database | string | `""` | Database name. | +| keycloak.externalDatabase.password | string | `""` | Password for the non-root username. 
| +| keycloak.externalDatabase.existingSecret | string | `""` | Secret containing the database credentials | +| keycloak.externalDatabase.existingSecretHostKey | string | `""` | | +| keycloak.externalDatabase.existingSecretPortKey | string | `""` | | +| keycloak.externalDatabase.existingSecretUserKey | string | `""` | | +| keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | | +| keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | | +| realmSeeding | object | `{"enabled":true,"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"portContainer":8080,"realms":{"cxOperator":{"centralidp":"https://centralidp.example.org","existingSecret":"","initialUser":{"eMail":"cx-operator@tx.org","firstName":"Operator","lastName":"CX Admin","password":"","username":"cx-operator@tx.org"},"mailing":{"from":"email@example.org","host":"smtp.example.org","password":"","port":"123","replyTo":"email@example.org","username":"smtp-user"}},"master":{"existingSecret":"","serviceAccounts":{"provisioning":{"clientSecret":""},"saCxOperator":{"clientSecret":""}}}},"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}},"tls":false}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job | +| realmSeeding.realms.cxOperator.centralidp | string | `"https://centralidp.example.org"` | Set centralidp address for the connection to the CX-Central realm | +| realmSeeding.realms.cxOperator.initialUser | object | 
`{"eMail":"cx-operator@tx.org","firstName":"Operator","lastName":"CX Admin","password":"","username":"cx-operator@tx.org"}` | Configure initial user in CX-Operator realm | +| realmSeeding.realms.cxOperator.initialUser.username | string | `"cx-operator@tx.org"` | SET username for all non-testing and non-local purposes | +| realmSeeding.realms.cxOperator.initialUser.password | string | `""` | SET password for all non-testing and non-local purposes, default value is "!3changemeTractus-X" | +| realmSeeding.realms.cxOperator.mailing | object | `{"from":"email@example.org","host":"smtp.example.org","password":"","port":"123","replyTo":"email@example.org","username":"smtp-user"}` | Set mailing configuration for CX-Operator realm | +| realmSeeding.realms.cxOperator.existingSecret | string | `""` | Option to provide an existingSecret for mailing configuration | +| realmSeeding.realms.master.serviceAccounts.provisioning | object | `{"clientSecret":""}` | Set clients secret for the service account which enables the portal to provision new realms | +| realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret | string | `""` | SET client secret for all non-testing and non-local purposes, default value is "changeme" | +| realmSeeding.realms.master.serviceAccounts.saCxOperator | object | `{"clientSecret":""}` | Set clients secret for the service account which enables the portal to manage the CX-Operator realm | +| realmSeeding.realms.master.serviceAccounts.saCxOperator.clientSecret | string | `""` | SET client secret for all non-testing and non-local purposes, default value is "changeme" | +| realmSeeding.realms.master.existingSecret | string | `""` | Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value | +| realmSeeding.resources | object | `{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}}` | We recommend to review the default 
resource limits as this should a conscious choice. | Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) -## Post-Install Configuration - -Once the installation is completed, the following steps need to be executed in the Keycloak admin console: - -### Within the master realm - -Generate client-secrets for the service account with access type 'confidential'. - -### Within the CX-Operator realm - -#### Establish connection to the centralidp instance - -1. Change the example.org placeholder in the central-idp client the to the address of the centralidp instance: - -* Settings --> Valid Redirect URI -* Keys --> JWKS URL - -2. Set password and user details for the initial user. - -3. Setup SMTP configuration (Realm Settings --> Email) - ## Upgrade ### To 3.0.1 diff --git a/charts/sharedidp/README.md.gotmpl b/charts/sharedidp/README.md.gotmpl index bcb78584..823baa69 100644 --- a/charts/sharedidp/README.md.gotmpl +++ b/charts/sharedidp/README.md.gotmpl @@ -38,27 +38,6 @@ dependencies: Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) -## Post-Install Configuration - -Once the installation is completed, the following steps need to be executed in the Keycloak admin console: - -### Within the master realm - -Generate client-secrets for the service account with access type 'confidential'. - -### Within the CX-Operator realm - -#### Establish connection to the centralidp instance - -1. Change the example.org placeholder in the central-idp client the to the address of the centralidp instance: - -* Settings --> Valid Redirect URI -* Keys --> JWKS URL - -2. Set password and user details for the initial user. - -3. Setup SMTP configuration (Realm Settings --> Email) - ## Upgrade ### To 3.0.1 From 00265a718e8e714fe393122c006022bec3d38758 Mon Sep 17 00:00:00 2001 
From: Evelyn Gurschler Date: Thu, 3 Oct 2024 00:46:07 +0200 Subject: [PATCH 51/55] chore: enable env specific config --- .../helm-values/centralidp/values-int.yaml | 82 +++++++++++++++++-- .../helm-values/sharedidp/values-int.yaml | 34 ++++++-- 2 files changed, 98 insertions(+), 18 deletions(-)
diff --git a/environments/helm-values/centralidp/values-int.yaml b/environments/helm-values/centralidp/values-int.yaml
index 01c44ba3..c33200ac 100644
--- a/environments/helm-values/centralidp/values-int.yaml
+++ b/environments/helm-values/centralidp/values-int.yaml
@@ -20,6 +20,8 @@ keycloak:
 production: true
 proxy: edge
+ auth:
+ adminPassword: ""
 ingress:
 enabled: true
 ingressClassName: nginx
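Review bot: `auth.adminPassword: ""` is now an inline credential field in a values file committed to the repository, and the same pattern appears for `postgresql.auth.password`/`postgresPassword` and every `clientSecret` in the next hunk and in both hunks of the sharedidp values-int.yaml; what an empty string resolves to at deploy time (a pipeline-injected value, a password generated by the Bitnami subchart, or literally empty) is not visible here and should be confirmed before this reaches the int environment. The chart already exposes `keycloak.auth.existingSecret`, `keycloak.postgresql.auth.existingSecret`, `realmSeeding.clients.existingSecret` and `realmSeeding.serviceAccounts.existingSecret`; pointing the environment values at those keeps credentials out of git entirely and removes the chance that a placeholder is rendered as the real value. If the placeholders are intentionally filled by the deployment pipeline, a comment such as `# injected at deploy time; never commit a real value here` above `auth:` would make that contract explicit.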
@@ -35,14 +37,76 @@ keycloak: nginx.ingress.kubernetes.io/proxy-buffers-number: "20" nginx.ingress.kubernetes.io/use-regex: "true" tls: true - -secrets: - auth: - existingSecret: - adminpassword: "" postgresql: auth: - existingSecret: - postgrespassword: "" - password: "" - replicationPassword: "" + password: "" + postgresPassword: "" + +realmSeeding: + clients: + registration: + redirects: + - https://portal.int.catena-x.net + - http://localhost:3000/* + portal: + rootUrl: https://portal.int.catena-x.net/home + redirects: + - https://portal.int.catena-x.net + - http://localhost:3000/* + semantics: + redirects: + - https://portal.int.catena-x.net/* + miw: + clientSecret: "" + redirects: + - https://managed-identity-wallets.int.catena-x.net/* + bpdm: + clientSecret: "" + redirects: + - https://partners-pool.int.catena-x.net/* + bpdmGate: + clientSecret: "" + redirects: + - https://partners-gate.int.catena-x.net/* + bpdmOrchestrator: + clientSecret: "" + serviceAccounts: + clientSecrets: + - clientId: "sa-cl1-reg-2" + clientSecret: "" + - clientId: "sa-cl2-01" + clientSecret: "" + - clientId: "sa-cl2-02" + clientSecret: "" + - clientId: "sa-cl2-03" + clientSecret: "" + - clientId: "sa-cl2-04" + clientSecret: "" + - clientId: "sa-cl2-05" + clientSecret: "" + - clientId: "sa-cl3-cx-1" + clientSecret: "" + - clientId: "sa-cl5-custodian-2" + clientSecret: "" + - clientId: "sa-cl7-cx-1" + clientSecret: "" + - clientId: "sa-cl7-cx-5" + clientSecret: "" + - clientId: "sa-cl7-cx-7" + clientSecret: "" + - clientId: "sa-cl8-cx-1" + clientSecret: "" + - clientId: "sa-cl21-01" + clientSecret: "" + - clientId: "sa-cl22-01" + clientSecret: "" + - clientId: "sa-cl24-01" + clientSecret: "" + - clientId: "sa-cl25-cx-1" + clientSecret: "" + - clientId: "sa-cl25-cx-2" + clientSecret: "" + - clientId: "sa-cl25-cx-3" + clientSecret: "" + bpn: "BPNL00000003CRHK" + sharedidp: "https://sharedidp.int.catena-x.net" 
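Review bot: Every confidential client and service account in the new `realmSeeding` block carries `clientSecret: ""`, which per the chart's own values.yaml comment ("default value is "changeme"", @@ -135 hunk of patch 52) appears to resolve to a published default unless the deployment overlays the value; the same applies to `initialUser.password` and the master service-account secrets in the sharedidp values-int hunk below (@@ -35,14 +37,28). The chart offers `existingSecret` at `realmSeeding.clients`, `realmSeeding.serviceAccounts` and the sharedidp `realms.*` levels, so an environment file should set those to a pre-created Secret name rather than carry empty secret keys, e.g. `existingSecret: "<precreated-secret>"` (placeholder). Separately, `- http://localhost:3000/*` is registered as a redirect for the `registration` and `portal` clients of a shared int environment; a plain-http localhost wildcard redirect is a local-development setting and widens where this realm will deliver authorization responses, so I would keep it out of the int overlay or confirm it is intended there.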
diff --git a/environments/helm-values/sharedidp/values-int.yaml b/environments/helm-values/sharedidp/values-int.yaml index 276778b3..0cc03eb9 100644 --- a/environments/helm-values/sharedidp/values-int.yaml +++ b/environments/helm-values/sharedidp/values-int.yaml @@ -20,6 +20,8 @@ keycloak: production: true proxy: edge + auth: + adminPassword: "" ingress: enabled: true ingressClassName: nginx @@ -35,14 +37,28 @@ keycloak: nginx.ingress.kubernetes.io/proxy-buffers-number: "20" nginx.ingress.kubernetes.io/use-regex: "true" tls: true - -secrets: - auth: - existingSecret: - adminpassword: "" postgresql: auth: - existingSecret: - postgrespassword: "" - password: "" - replicationPassword: "" + password: "" + postgresPassword: "" + +realmSeeding: + enabled: true + realms: + cxOperator: + centralidp: "https://centralidp.int.catena-x.net" + initialUser: + password: "" + mailing: + host: "" + port: "" + username: "" + password: "" + replyTo: "" + master: + serviceAccounts: + provisioning: + clientSecret: "" + saCxOperator: + clientSecret: "" From 874543007f76adffb6c9a1874b9ba624a1585346 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 3 Oct 2024 11:30:26 +0200 Subject: [PATCH 52/55] chore: improve docs --- charts/centralidp/values.yaml | 27 +++++++++++++------------ charts/sharedidp/values.yaml | 37 ++++++++++++++++++----------------- 2 files changed, 33 insertions(+), 31 deletions(-) diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 84afb1d0..c06a1db8 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml 
@@ -20,8 +20,9 @@ keycloak: auth: adminUser: admin + # -- centralidp Keycloak administrator password. adminPassword: "" - # -- Secret containing the passwords for admin username 'admin' and management username 'manager'. + # -- Secret containing the password for admin username 'admin'. existingSecret: "" # -- Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. production: false @@ -64,7 +65,7 @@ keycloak: annotations: # -- Enable TLS configuration for the host defined at `ingress.hostname` parameter; # TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; - # Provide the name of ClusterIssuer to acquire the certificate required for this Ingress + # Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. cert-manager.io/cluster-issuer: "" nginx.ingress.kubernetes.io/cors-allow-credentials: "true" nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS" @@ -123,7 +124,7 @@ keycloak: database: "" # -- Password for the non-root username. password: "" - # -- Secret containing the database credentials + # -- Secret containing the database credentials. existingSecret: "" existingSecretHostKey: "" existingSecretPortKey: "" 
@@ -135,12 +136,12 @@ keycloak: # besides creating the CX-Central realm, the job can be used to update # the configuration of the realm when upgrading to a new version; # Please also refer to the 'Post-Upgrade Configuration' section in the README.md -# for configuration possibly not covered by the seeding job +# for configuration possibly not covered by the seeding job. realmSeeding: enabled: true # -- Set redirect addresses and - in the case of confidential clients - clients secrets # for clients which are part of the basic CX-Central realm setup; - # SET client secrets for all non-testing and non-local purposes, default value is "changeme" + # SET client secrets for all non-testing and non-local purposes, default value is "changeme". clients: registration: redirects: @@ -166,10 +167,10 @@ realmSeeding: - https://partners-gate.example.org/* bpdmOrchestrator: clientSecret: "" - # -- Option to provide an existingSecret for the clients with clientId as key and clientSecret as value + # -- Option to provide an existingSecret for the clients with clientId as key and clientSecret as value. existingSecret: "" - # Client secrets for service accounts which are part of the basic CX-Central realm setup; - # SET client secrets for all non-testing and non-local purposes, default value is "changeme" + # -- Client secrets for service accounts which are part of the basic CX-Central realm setup; + # SET client secrets for all non-testing and non-local purposes, default value is "changeme". serviceAccounts: clientSecrets: - clientId: "sa-cl1-reg-2" 
@@ -208,14 +209,14 @@ realmSeeding: clientSecret: "" - clientId: "sa-cl25-cx-3" clientSecret: "" - # -- Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value + # -- Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value. existingSecret: "" - # -- Set value for the 'bpn' user attribute for the initial user and the base service account users + # -- Set value for the 'bpn' user attribute for the initial user and the base service account users. bpn: "BPNL00000003CRHK" - # -- Set sharedidp address to enable the identity provider connection to CX-Operator realm + # -- Set sharedidp address to enable the identity provider connection to CX-Operator realm. sharedidp: "https://sharedidp.example.org" # -- Set client secrets and bpn user attribute for additional service accounts; - # meant to enable possible test data, default value for client secrets is "changeme" + # meant to enable possible test data, default value for client secrets is "changeme". extraServiceAccounts: clientSecretsAndBpn: [] # - clientId: "sa-test-01" @@ -224,7 +225,7 @@ realmSeeding: # - clientId: "sa-test-02" # clientSecret: "" # bpn: "TBD2" - # -- Option to provide an existingSecret for additional service accounts with clientId as key and clientSecret as value + # -- Option to provide an existingSecret for additional service accounts with clientId as key and clientSecret as value. existingSecret: "" image: name: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1" diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index 8a5fd59e..82be1161 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml 
@@ -20,8 +20,9 @@ keycloak: auth: adminUser: admin + # -- sharedidp Keycloak administrator password. adminPassword: "" - # -- Secret containing the passwords for admin username 'admin' and management username 'manager'. + # -- Secret containing the password for admin username 'admin'. existingSecret: "" # -- Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. production: false @@ -72,7 +73,7 @@ keycloak: annotations: # -- Enable TLS configuration for the host defined at `ingress.hostname` parameter; # TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; - # Provide the name of ClusterIssuer to acquire the certificate required for this Ingress + # Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. cert-manager.io/cluster-issuer: "" nginx.ingress.kubernetes.io/cors-allow-credentials: "true" nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS" @@ -131,7 +132,7 @@ keycloak: database: "" # -- Password for the non-root username. password: "" - # -- Secret containing the database credentials + # -- Secret containing the database credentials. existingSecret: "" existingSecretHostKey: "" existingSecretPortKey: "" 
@@ -139,27 +140,27 @@ keycloak: existingSecretDatabaseKey: "" existingSecretPasswordKey: "" -# -- Seeding job to create and update the CX-Central realm: -# besides creating the CX-Central realm, the job can be used to update -# the configuration of the realm when upgrading to a new version; +# -- Seeding job to create and update the CX-Operator and master realms: +# besides creating those realm, the job can be used to update +# the configuration of the realms when upgrading to a new version; # Please also refer to the 'Post-Upgrade Configuration' section in the README.md -# for configuration possibly not covered by the seeding job +# for configuration possibly not covered by the seeding job. realmSeeding: enabled: true realms: cxOperator: - # -- Set centralidp address for the connection to the CX-Central realm + # -- Set centralidp address for the connection to the CX-Central realm. centralidp: "https://centralidp.example.org" - # -- Configure initial user in CX-Operator realm + # -- Configure initial user in CX-Operator realm. initialUser: - # -- SET username for all non-testing and non-local purposes + # -- SET username for all non-testing and non-local purposes. username: "cx-operator@tx.org" - # -- SET password for all non-testing and non-local purposes, default value is "!3changemeTractus-X" + # -- SET password for all non-testing and non-local purposes, default value is "!3changemeTractus-X". password: "" firstName: "Operator" lastName: "CX Admin" eMail: "cx-operator@tx.org" - # -- Set mailing configuration for CX-Operator realm + # -- Set mailing configuration for CX-Operator realm. mailing: host: "smtp.example.org" port: "123" 
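Review bot: The new comment line `# besides creating those realm, the job can be used to update` has a number disagreement and should read `# besides creating those realms, the job can be used to update`. The @@ -167 hunk below adds `# -- Set clients secret for the service account ...` twice, which should be `# -- Set client secret for the service account ...`; these `# --` comments feed helm-docs and end up verbatim in README.md. Since several keys now repeat the "SET ... default value is ..." phrasing, it may read better to state once in the top-level `realmSeeding` comment that an empty value falls back to the documented default, if that is indeed how the templates behave.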
@@ -167,19 +168,19 @@ realmSeeding: password: "" from: "email@example.org" replyTo: "email@example.org" - # -- Option to provide an existingSecret for mailing configuration + # -- Option to provide an existingSecret for initial user and mailing configuration. existingSecret: "" master: serviceAccounts: - # -- Set clients secret for the service account which enables the portal to provision new realms + # -- Set clients secret for the service account which enables the portal to provision new realms. provisioning: - # -- SET client secret for all non-testing and non-local purposes, default value is "changeme" + # -- SET client secret for all non-testing and non-local purposes, default value is "changeme". clientSecret: "" - # -- Set clients secret for the service account which enables the portal to manage the CX-Operator realm + # -- Set clients secret for the service account which enables the portal to manage the CX-Operator realm. saCxOperator: - # -- SET client secret for all non-testing and non-local purposes, default value is "changeme" + # -- SET client secret for all non-testing and non-local purposes, default value is "changeme". clientSecret: "" - # -- Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value + # -- Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value. existingSecret: "" image: name: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1" From fb39525c285fe8e6d72d6beb62312c2bba128303 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Thu, 3 Oct 2024 12:08:10 +0200 Subject: [PATCH 53/55] chore: improve tls setup for tls at keycloak service --- charts/centralidp/templates/job-seeding.yaml | 16 ++++++++++------ charts/centralidp/values.yaml | 3 ++- charts/sharedidp/templates/job-seeding.yaml | 16 ++++++++++------ charts/sharedidp/values.yaml | 3 ++- 4 files changed, 24 insertions(+), 14 deletions(-) 
diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml
index 27f1065e..6875e927 100644
--- a/charts/centralidp/templates/job-seeding.yaml
+++ b/charts/centralidp/templates/job-seeding.yaml
@@ -43,11 +43,11 @@ spec:
 env:
 - name: "KEYCLOAK__CENTRAL__CONNECTIONSTRING"
 value: |
- {{ if .Values.realmSeeding.tls }}
- https://{{ template "centralidp.fullname" . }}
- {{ else }}
- http://{{ template "centralidp.fullname" . }}
- {{ end }}
+ {{ if .Values.realmSeeding.keycloakServiceTls -}}
+ https://{{ template "centralidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}
+ {{- else -}}
+ http://{{ template "centralidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}
+ {{- end }}
 - name: "KEYCLOAK__CENTRAL__USER"
 value: "{{ .Values.keycloak.auth.adminUser }}"
 - name: "KEYCLOAK__CENTRAL__PASSWORD"
@@ -238,7 +238,11 @@ spec:
 mountPath: "app/realms"
 - name: wait-for-keycloak
 image: appropriate/curl:latest
- command: [ 'sh', '-c', 'until curl -s http://{{ template "centralidp.fullname" . }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
+ {{ if .Values.realmSeeding.keycloakServiceTls -}}
+ command: [ 'sh', '-c', 'until curl -s https://{{ template "centralidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
+ {{- else -}}
+ command: [ 'sh', '-c', 'until curl -s http://{{ template "centralidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
+ {{- end }}
 imagePullPolicy: IfNotPresent
 volumes:
 - name: realms
diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml
index c06a1db8..97ad25cc 100644
--- a/charts/centralidp/values.yaml
+++ b/charts/centralidp/values.yaml
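Review bot: The rewritten `KEYCLOAK__CENTRAL__CONNECTIONSTRING` still uses a clip block scalar (`value: |`), so the rendered env var carries a trailing newline after the port; `value: |-` would hand the consumer exactly `https://<service>:<port>`, and the same applies to the sharedidp job-seeding hunks of this patch (@@ -43 and @@ -204). In the new `wait-for-keycloak` command lines, `curl -s` suppresses error output, so when `keycloakServiceTls` is true and the curl image does not trust the service certificate the init container loops forever printing only "waiting for other pod", while an HTTP error response (curl exit 0 without `-f`) ends the loop too early; `until curl -sSf ...` keeps the loop quiet on success but surfaces the TLS or HTTP error in the pod log and only proceeds on a 2xx. The new commands also run in `appropriate/curl:latest` (context line), an unpinned tag that this readiness gate now depends on; pinning it would make the gate reproducible.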
@@ -234,8 +234,9 @@ realmSeeding:
 image:
 name: "docker.io/tractusx/portal-iam:v4.0.0-alpha.1"
 pullPolicy: "IfNotPresent"
- tls: false
 portContainer: 8080
+ keycloakServicePort: 80
+ keycloakServiceTls: false
 # -- We recommend to review the default resource limits as this should a conscious choice.
 resources:
 requests:
diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml
index 90336857..0d8ac6a6 100644
--- a/charts/sharedidp/templates/job-seeding.yaml
+++ b/charts/sharedidp/templates/job-seeding.yaml
@@ -43,11 +43,11 @@ spec:
 env:
 - name: "KEYCLOAK__SHARED__CONNECTIONSTRING"
 value: |
- {{ if .Values.realmSeeding.tls }}
- https://{{ template "sharedidp.fullname" . }}
- {{ else }}
- http://{{ template "sharedidp.fullname" . }}
- {{ end }}
+ {{ if .Values.realmSeeding.keycloakServiceTls -}}
+ https://{{ template "sharedidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}
+ {{- else -}}
+ http://{{ template "sharedidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}
+ {{- end }}
 - name: "KEYCLOAK__SHARED__USER"
 value: "{{ .Values.keycloak.auth.adminUser }}"
 - name: "KEYCLOAK__SHARED__PASSWORD"
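Review bot: The two new keys `keycloakServicePort: 80` and `keycloakServiceTls: false` are added without `# --` helm-docs comments, so in the regenerated README (patch 54) they appear only inside the serialised `realmSeeding` default object with no description of what they control. I would add `# -- Port of the Keycloak service the seeding job connects to.` above the first and `# -- Use TLS for the in-cluster connection from the seeding job to the Keycloak service; the admin credentials from KEYCLOAK__CENTRAL__USER/PASSWORD presumably travel over this connection, so plain HTTP is a conscious choice.` above the second. The same applies to the sharedidp values.yaml hunk @@ -189 on the next line.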
@@ -204,7 +204,11 @@ spec:
 mountPath: "app/realms"
 - name: wait-for-keycloak
 image: appropriate/curl:latest
- command: [ 'sh', '-c', 'until curl -s http://{{ template "sharedidp.fullname" . }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
+ {{ if .Values.realmSeeding.keycloakServiceTls -}}
+ command: [ 'sh', '-c', 'until curl -s https://{{ template "sharedidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
+ {{- else -}}
+ command: [ 'sh', '-c', 'until curl -s http://{{ template "sharedidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
+ {{- end }}
 imagePullPolicy: IfNotPresent
 volumes:
 - name: realms
diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml
index 82be1161..f9a7f01d 100644
--- a/charts/sharedidp/values.yaml
+++ b/charts/sharedidp/values.yaml
@@ -189,8 +189,9 @@ realmSeeding:
 image:
 name: "docker.io/tractusx/portal-iam:v4.0.0-alpha.1"
 pullPolicy: "IfNotPresent"
- tls: false
 portContainer: 8080
+ keycloakServicePort: 80
+ keycloakServiceTls: false
 # -- We recommend to review the default resource limits as this should a conscious choice.
 resources:
 requests:
From c642e15a31bda5db7ac51f34ccc2c07188ab57df Mon Sep 17 00:00:00 2001
From: Evelyn Gurschler
Date: Mon, 7 Oct 2024 09:36:58 +0200
Subject: [PATCH 54/55] docs: update readme file
---
 charts/centralidp/README.md | 25 +++++++++++++------------
 charts/sharedidp/README.md | 32 ++++++++++++++++----------------
 2 files changed, 29 insertions(+), 28 deletions(-)
diff --git a/charts/centralidp/README.md b/charts/centralidp/README.md
index e1163411..76d42051 100644
--- a/charts/centralidp/README.md
+++ b/charts/centralidp/README.md
@@ -43,8 +43,8 @@ dependencies: | Key | Type | Default | Description | |-----|------|---------|-------------| | keycloak.auth.adminUser | string | `"admin"` | | -| keycloak.auth.adminPassword | string | `""` | | -| keycloak.auth.existingSecret | string | `""` | Secret containing the passwords for admin username 'admin' and management username 'manager'. | +| keycloak.auth.adminPassword | string | `""` | centralidp Keycloak administrator password. | +| keycloak.auth.existingSecret | string | `""` | Secret containing the password for admin username 'admin'. | | keycloak.production | bool | `false` | Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. | | keycloak.proxy | string | `"passthrough"` | reverse Proxy mode edge, reencrypt, passthrough or none; ref: https://www.keycloak.org/server/reverseproxy; If your ingress controller has the SSL Termination, you should set proxy to edge. | | keycloak.httpRelativePath | string | `"/auth/"` | Setting the path relative to '/' for serving resources: as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'. ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed | 
@@ -65,7 +65,7 @@ dependencies: | keycloak.ingress.enabled | bool | `false` | | | keycloak.ingress.ingressClassName | string | `"nginx"` | | | keycloak.ingress.hostname | string | `"centralidp.example.org"` | Provide default path for the ingress record. | -| keycloak.ingress.annotations."cert-manager.io/cluster-issuer" | string | `""` | Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress | +| keycloak.ingress.annotations."cert-manager.io/cluster-issuer" | string | `""` | Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. | | keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-credentials" | string | `"true"` | | | keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-methods" | string | `"PUT, GET, POST, OPTIONS"` | | | keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-origin" | string | `"https://centralidp.example.org"` | | 
@@ -94,20 +94,21 @@ dependencies: | keycloak.externalDatabase.user | string | `""` | Non-root username. | | keycloak.externalDatabase.database | string | `""` | Database name. | | keycloak.externalDatabase.password | string | `""` | Password for the non-root username. | -| keycloak.externalDatabase.existingSecret | string | `""` | Secret containing the database credentials | +| keycloak.externalDatabase.existingSecret | string | `""` | Secret containing the database credentials. | | keycloak.externalDatabase.existingSecretHostKey | string | `""` | | | keycloak.externalDatabase.existingSecretPortKey | string | `""` | | | keycloak.externalDatabase.existingSecretUserKey | string | `""` | | | keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | | | keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | | -| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientI
d":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"https://sharedidp.example.org","tls":false}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job | -| realmSeeding.clients | object | `{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}}` | Set redirect addresses and - in the case of confidential clients - clients secrets for clients which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is "changeme" | -| 
realmSeeding.clients.existingSecret | string | `""` | Option to provide an existingSecret for the clients with clientId as key and clientSecret as value | -| realmSeeding.serviceAccounts.existingSecret | string | `""` | Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value | -| realmSeeding.bpn | string | `"BPNL00000003CRHK"` | Set value for the 'bpn' user attribute for the initial user and the base service account users | -| realmSeeding.sharedidp | string | `"https://sharedidp.example.org"` | Set sharedidp address to enable the identity provider connection to CX-Operator realm | -| realmSeeding.extraServiceAccounts | object | `{"clientSecretsAndBpn":[],"existingSecret":""}` | Set client secrets and bpn user attribute for additional service accounts; meant to enable possible test data, default value for client secrets is "changeme" | -| realmSeeding.extraServiceAccounts.existingSecret | string | `""` | Option to provide an existingSecret for additional service accounts with clientId as key and clientSecret as value | +| realmSeeding | object | 
`{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"https://sharedidp.example.org"}
` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. | +| realmSeeding.clients | object | `{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}}` | Set redirect addresses and - in the case of confidential clients - clients secrets for clients which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is "changeme". | +| realmSeeding.clients.existingSecret | string | `""` | Option to provide an existingSecret for the clients with clientId as key and clientSecret as value. 
|
+| realmSeeding.serviceAccounts | object | `{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""}` | Client secrets for service accounts which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is "changeme". |
+| realmSeeding.serviceAccounts.existingSecret | string | `""` | Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value. |
+| realmSeeding.bpn | string | `"BPNL00000003CRHK"` | Set value for the 'bpn' user attribute for the initial user and the base service account users. |
+| realmSeeding.sharedidp | string | `"https://sharedidp.example.org"` | Set sharedidp address to enable the identity provider connection to CX-Operator realm. |
+| realmSeeding.extraServiceAccounts | object | `{"clientSecretsAndBpn":[],"existingSecret":""}` | Set client secrets and bpn user attribute for additional service accounts; meant to enable possible test data, default value for client secrets is "changeme". |
+| realmSeeding.extraServiceAccounts.existingSecret | string | `""` | Option to provide an existingSecret for additional service accounts with clientId as key and clientSecret as value. |
 | realmSeeding.resources | object | `{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}}` | We recommend to review the default resource limits as this should a conscious choice. |
 Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs)
diff --git a/charts/sharedidp/README.md b/charts/sharedidp/README.md
index 044358df..1fb45ec9 100644
--- a/charts/sharedidp/README.md
+++ b/charts/sharedidp/README.md
@@ -43,8 +43,8 @@ dependencies:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | keycloak.auth.adminUser | string | `"admin"` | |
-| keycloak.auth.adminPassword | string | `""` | |
-| keycloak.auth.existingSecret | string | `""` | Secret containing the passwords for admin username 'admin' and management username 'manager'. |
+| keycloak.auth.adminPassword | string | `""` | sharedidp Keycloak administrator password. |
+| keycloak.auth.existingSecret | string | `""` | Secret containing the password for admin username 'admin'. |
 | keycloak.production | bool | `false` | Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. |
 | keycloak.proxy | string | `"passthrough"` | reverse Proxy mode edge, reencrypt, passthrough or none; ref: https://www.keycloak.org/server/reverseproxy; If your ingress controller has the SSL Termination, you should set proxy to edge. |
 | keycloak.httpRelativePath | string | `"/auth/"` | Setting the path relative to '/' for serving resources: as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'. ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed |
@@ -71,7 +71,7 @@ dependencies:
 | keycloak.ingress.enabled | bool | `false` | |
 | keycloak.ingress.ingressClassName | string | `"nginx"` | |
 | keycloak.ingress.hostname | string | `"sharedidp.example.org"` | Provide default path for the ingress record. |
-| keycloak.ingress.annotations."cert-manager.io/cluster-issuer" | string | `""` | Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress |
+| keycloak.ingress.annotations."cert-manager.io/cluster-issuer" | string | `""` | Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. |
 | keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-credentials" | string | `"true"` | |
 | keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-methods" | string | `"PUT, GET, POST, OPTIONS"` | |
 | keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-origin" | string | `"https://sharedidp.example.org"` | |
@@ -100,24 +100,24 @@ dependencies:
 | keycloak.externalDatabase.user | string | `""` | Non-root username. |
 | keycloak.externalDatabase.database | string | `""` | Database name. |
 | keycloak.externalDatabase.password | string | `""` | Password for the non-root username. |
-| keycloak.externalDatabase.existingSecret | string | `""` | Secret containing the database credentials |
+| keycloak.externalDatabase.existingSecret | string | `""` | Secret containing the database credentials. |
 | keycloak.externalDatabase.existingSecretHostKey | string | `""` | |
 | keycloak.externalDatabase.existingSecretPortKey | string | `""` | |
 | keycloak.externalDatabase.existingSecretUserKey | string | `""` | |
 | keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | |
 | keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | |
-| realmSeeding | object | `{"enabled":true,"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"portContainer":8080,"realms":{"cxOperator":{"centralidp":"https://centralidp.example.org","existingSecret":"","initialUser":{"eMail":"cx-operator@tx.org","firstName":"Operator","lastName":"CX Admin","password":"","username":"cx-operator@tx.org"},"mailing":{"from":"email@example.org","host":"smtp.example.org","password":"","port":"123","replyTo":"email@example.org","username":"smtp-user"}},"master":{"existingSecret":"","serviceAccounts":{"provisioning":{"clientSecret":""},"saCxOperator":{"clientSecret":""}}}},"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}},"tls":false}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job |
-| realmSeeding.realms.cxOperator.centralidp | string | `"https://centralidp.example.org"` | Set centralidp address for the connection to the CX-Central realm |
-| realmSeeding.realms.cxOperator.initialUser | object | `{"eMail":"cx-operator@tx.org","firstName":"Operator","lastName":"CX Admin","password":"","username":"cx-operator@tx.org"}` | Configure initial user in CX-Operator realm |
-| realmSeeding.realms.cxOperator.initialUser.username | string | `"cx-operator@tx.org"` | SET username for all non-testing and non-local purposes |
-| realmSeeding.realms.cxOperator.initialUser.password | string | `""` | SET password for all non-testing and non-local purposes, default value is "!3changemeTractus-X" |
-| realmSeeding.realms.cxOperator.mailing | object | `{"from":"email@example.org","host":"smtp.example.org","password":"","port":"123","replyTo":"email@example.org","username":"smtp-user"}` | Set mailing configuration for CX-Operator realm |
-| realmSeeding.realms.cxOperator.existingSecret | string | `""` | Option to provide an existingSecret for mailing configuration |
-| realmSeeding.realms.master.serviceAccounts.provisioning | object | `{"clientSecret":""}` | Set clients secret for the service account which enables the portal to provision new realms |
-| realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret | string | `""` | SET client secret for all non-testing and non-local purposes, default value is "changeme" |
-| realmSeeding.realms.master.serviceAccounts.saCxOperator | object | `{"clientSecret":""}` | Set clients secret for the service account which enables the portal to manage the CX-Operator realm |
-| realmSeeding.realms.master.serviceAccounts.saCxOperator.clientSecret | string | `""` | SET client secret for all non-testing and non-local purposes, default value is "changeme" |
-| realmSeeding.realms.master.existingSecret | string | `""` | Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value |
+| realmSeeding | object | `{"enabled":true,"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"realms":{"cxOperator":{"centralidp":"https://centralidp.example.org","existingSecret":"","initialUser":{"eMail":"cx-operator@tx.org","firstName":"Operator","lastName":"CX Admin","password":"","username":"cx-operator@tx.org"},"mailing":{"from":"email@example.org","host":"smtp.example.org","password":"","port":"123","replyTo":"email@example.org","username":"smtp-user"}},"master":{"existingSecret":"","serviceAccounts":{"provisioning":{"clientSecret":""},"saCxOperator":{"clientSecret":""}}}},"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}}}` | Seeding job to create and update the CX-Operator and master realms: besides creating those realm, the job can be used to update the configuration of the realms when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. |
+| realmSeeding.realms.cxOperator.centralidp | string | `"https://centralidp.example.org"` | Set centralidp address for the connection to the CX-Central realm. |
+| realmSeeding.realms.cxOperator.initialUser | object | `{"eMail":"cx-operator@tx.org","firstName":"Operator","lastName":"CX Admin","password":"","username":"cx-operator@tx.org"}` | Configure initial user in CX-Operator realm. |
+| realmSeeding.realms.cxOperator.initialUser.username | string | `"cx-operator@tx.org"` | SET username for all non-testing and non-local purposes. |
+| realmSeeding.realms.cxOperator.initialUser.password | string | `""` | SET password for all non-testing and non-local purposes, default value is "!3changemeTractus-X". |
+| realmSeeding.realms.cxOperator.mailing | object | `{"from":"email@example.org","host":"smtp.example.org","password":"","port":"123","replyTo":"email@example.org","username":"smtp-user"}` | Set mailing configuration for CX-Operator realm. |
+| realmSeeding.realms.cxOperator.existingSecret | string | `""` | Option to provide an existingSecret for initial user and mailing configuration. |
+| realmSeeding.realms.master.serviceAccounts.provisioning | object | `{"clientSecret":""}` | Set clients secret for the service account which enables the portal to provision new realms. |
+| realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret | string | `""` | SET client secret for all non-testing and non-local purposes, default value is "changeme". |
+| realmSeeding.realms.master.serviceAccounts.saCxOperator | object | `{"clientSecret":""}` | Set clients secret for the service account which enables the portal to manage the CX-Operator realm. |
+| realmSeeding.realms.master.serviceAccounts.saCxOperator.clientSecret | string | `""` | SET client secret for all non-testing and non-local purposes, default value is "changeme". |
+| realmSeeding.realms.master.existingSecret | string | `""` | Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value. |
 | realmSeeding.resources | object | `{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}}` | We recommend to review the default resource limits as this should a conscious choice. |
 Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs)
From 93df019d2504d190c4ee6ccb0e7d0e5fc38de63b Mon Sep 17 00:00:00 2001
From: Evelyn Gurschler
Date: Mon, 7 Oct 2024 09:47:14 +0200
Subject: [PATCH 55/55] chore: change format
---
 charts/centralidp/templates/job-seeding.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml
index 6875e927..e2001be1 100644
--- a/charts/centralidp/templates/job-seeding.yaml
+++ b/charts/centralidp/templates/job-seeding.yaml
@@ -66,16 +66,16 @@ spec:
 - name: "KEYCLOAKSEEDING__REALMS__0__REALM"
 value: "CX-Central"
- #################
+ #############################
 ## INITIAL USER
- #################
+ #############################
 - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__1"
 value: "realms/CX-Central-users-0.json"
- ###########
+ #############################
 ## CLIENTS
- ###########
+ #############################
 - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__CLIENTID"
 value: "Cl1-CX-Registration"
@@ -192,9 +192,9 @@ spec:
 - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__LOGOUTURL"
 value: "{{ .Values.realmSeeding.sharedidp }}/auth/realms/CX-Operator/protocol/openid-connect/logout"
- ###############################
+ #############################
 ## EXTRA SERVICE ACCOUNTS
- ###############################
+ #############################
 {{- $index := 100 }}
 {{- $secret := include "centralidp.secret.extraServiceAccounts" . -}}