docs: add and update information for v4.0.0 #236

Merged 3 commits on Nov 27, 2024.
13 changes: 12 additions & 1 deletion charts/centralidp/README.md
@@ -91,7 +91,7 @@ dependencies:
| keycloak.externalDatabase.existingSecretUserKey | string | `""` | |
| keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | |
| keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | |
| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org/*"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org/*"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-rc.2","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-rc.2","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"850M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"850M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"https:/
/sharedidp.example.org","sslRequired":"external"}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. |
| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org/*"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org/*"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-rc.2","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-rc.2","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"850M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"850M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"https:/
/sharedidp.example.org","sslRequired":"external"}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please refer to /docs/admin/technical-documentation/14. Realm Seeding.md for more details. Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. |
| realmSeeding.clients | object | `{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org/*"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org/*"]},"semantics":{"redirects":["https://portal.example.org/*"]}}` | Set redirect addresses and - in the case of confidential clients - clients secrets for clients which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is autogenerated. |
| realmSeeding.clients.existingSecret | string | `""` | Option to provide an existingSecret for the clients with clientId as key and clientSecret as value. |
| realmSeeding.serviceAccounts | object | `{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""}` | Client secrets for service accounts which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is autogenerated. |
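Review bot: the sentence added to the `realmSeeding` row names `/docs/admin/technical-documentation/14. Realm Seeding.md` as plain text; the file name contains spaces, so if it is ever turned into a markdown link it needs the `%20`-encoded form, and because this row is generated by helm-docs from the values.yaml comment the wording has to be changed there, not here. Two things the generated default makes visible that the description leaves unsaid: the job still pins release-candidate images (`portal-iam-seeding:v4.0.0-iam-rc.2`, `portal-iam:v4.0.0-rc.2`) in a v4.0.0 documentation update, and with `keycloakServicePort: 80` and `keycloakServiceTls: false` the job submits the client secrets it seeds to the Keycloak service over plain HTTP, so the description should state when `keycloakServiceTls` has to be switched on.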
@@ -111,6 +111,17 @@ Please see notes at [Values.seeding](values.yaml#L153) for upgrading the configu
### To 4.0.0

This major changes from the Keycloak version from 23.0.7 to 25.0.6.

Please be aware that proxy parameter was deprecated and therefore removed. When enabling the production mode, it is to be expected to encounter the following error at install if none of the conditions listed [here](https://github.com/bitnami/charts/blob/eb2b3bdd8612a754c1b7e28237e9a32f6661eaab/bitnami/keycloak/templates/_helpers.tpl#L343) are met:

`
Error: INSTALLATION FAILED: execution error at (centralidp/charts/keycloak/templates/NOTES.txt:100:4):
VALUES VALIDATION:
keycloak: production
In order to enable Production mode, you also need to enable HTTPS/TLS
using the value 'tls.enabled' and providing an existing secret containing the Keystore and Trustore.
`

No major issues are expected during the upgrade. Nonetheless, a blue-green deployment approach - [as outlined for previous major version upgrades](#upgrade-approach) - is recommended.

### To 3.0.1
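Review bot: the quoted error is wrapped in single backticks on their own lines, which markdown treats as inline code spans, so the five-line message will not render as a block; use a triple-backtick fence. The same text lives in charts/centralidp/README.md.gotmpl, so fix it there and regenerate this README rather than editing both by hand.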
11 changes: 11 additions & 0 deletions charts/centralidp/README.md.gotmpl
@@ -45,6 +45,17 @@ Please see notes at [Values.seeding](values.yaml#L153) for upgrading the configu
### To 4.0.0

This major changes from the Keycloak version from 23.0.7 to 25.0.6.

Please be aware that proxy parameter was deprecated and therefore removed. When enabling the production mode, it is to be expected to encounter the following error at install if none of the conditions listed [here](https://github.com/bitnami/charts/blob/eb2b3bdd8612a754c1b7e28237e9a32f6661eaab/bitnami/keycloak/templates/_helpers.tpl#L343) are met:

`
Error: INSTALLATION FAILED: execution error at (centralidp/charts/keycloak/templates/NOTES.txt:100:4):
VALUES VALIDATION:
keycloak: production
In order to enable Production mode, you also need to enable HTTPS/TLS
using the value 'tls.enabled' and providing an existing secret containing the Keystore and Trustore.
`

No major issues are expected during the upgrade. Nonetheless, a blue-green deployment approach - [as outlined for previous major version upgrades](#upgrade-approach) - is recommended.

### To 3.0.1
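Review bot: the opening sentence, "This major changes from the Keycloak version from 23.0.7 to 25.0.6.", has lost its subject; suggest "This major version upgrades Keycloak from 23.0.7 to 25.0.6." The paragraph on the removed `proxy` parameter describes the failure but not the fix: it should say what replaced `proxy` (Keycloak's `proxy-headers` option, `xforwarded` or `forwarded`, under whatever value the bundled chart exposes for it) and which of the conditions in the linked `_helpers.tpl` an operator behind a TLS-terminating ingress is expected to satisfy. Without that, the path of least resistance is to set `production` to false, which drops the HTTPS and hostname enforcement that production mode exists for. Also wrap the quoted error in a triple-backtick fence; single backticks on their own lines do not open a code block.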
1 change: 1 addition & 0 deletions charts/centralidp/values.yaml
@@ -132,6 +132,7 @@ keycloak:
# -- Seeding job to create and update the CX-Central realm:
# besides creating the CX-Central realm, the job can be used to update
# the configuration of the realm when upgrading to a new version;
# Please refer to /docs/admin/technical-documentation/14. Realm Seeding.md for more details.
# Please also refer to the 'Post-Upgrade Configuration' section in the README.md
# for configuration possibly not covered by the seeding job.
realmSeeding:
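Review bot: this comment is the source of the generated README row, and helm-docs passes it through verbatim, so the bare path `/docs/admin/technical-documentation/14. Realm Seeding.md` reaches readers as plain text; if a link is intended, write it here as a markdown link with the spaces encoded as `%20`.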
13 changes: 12 additions & 1 deletion charts/sharedidp/README.md
@@ -97,7 +97,7 @@ dependencies:
| keycloak.externalDatabase.existingSecretUserKey | string | `""` | |
| keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | |
| keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | |
| realmSeeding | object | `{"enabled":true,"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-rc.2","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-rc.2","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"realms":{"cxOperator":{"centralidp":"https://centralidp.example.org","existingSecret":"","initialUser":{"eMail":"[email protected]","firstName":"Operator","lastName":"CX Admin","password":"","username":"[email protected]"},"mailing":{"from":"[email protected]","host":"smtp.example.org","password":"","port":"123","replyTo":"[email protected]","username":"smtp-user"},"sslRequired":"external"},"master":{"existingSecret":"","serviceAccounts":{"provisioning":{"clientSecret":""},"saCxOperator":{"clientSecret":""}}}},"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"700M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"700M"}}}` | Seeding job to create and update the CX-Operator and master realms: besides creating those realm, the job can be used to update the configuration of the realms when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. |
| realmSeeding | object | `{"enabled":true,"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-rc.2","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-rc.2","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"realms":{"cxOperator":{"centralidp":"https://centralidp.example.org","existingSecret":"","initialUser":{"eMail":"[email protected]","firstName":"Operator","lastName":"CX Admin","password":"","username":"[email protected]"},"mailing":{"from":"[email protected]","host":"smtp.example.org","password":"","port":"123","replyTo":"[email protected]","username":"smtp-user"},"sslRequired":"external"},"master":{"existingSecret":"","serviceAccounts":{"provisioning":{"clientSecret":""},"saCxOperator":{"clientSecret":""}}}},"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"700M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"700M"}}}` | Seeding job to create and update the CX-Operator and master realms: besides creating those realm, the job can be used to update the configuration of the realms when upgrading to a new version; Please refer to /docs/admin/technical-documentation/14. Realm Seeding.md for more details. Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. |
| realmSeeding.realms.cxOperator.centralidp | string | `"https://centralidp.example.org"` | Set centralidp address for the connection to the CX-Central realm. |
| realmSeeding.realms.cxOperator.initialUser | object | `{"eMail":"[email protected]","firstName":"Operator","lastName":"CX Admin","password":"","username":"[email protected]"}` | Configure initial user in CX-Operator realm. |
| realmSeeding.realms.cxOperator.initialUser.username | string | `"[email protected]"` | SET username for all non-testing and non-local purposes. |
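Review bot: "besides creating those realm" should read "those realms"; the text comes from the values.yaml comment, so correct it there and regenerate. The defaults still reference rc images (`v4.0.0-iam-rc.2`, `v4.0.0-rc.2`) in a v4.0.0 docs update, and the rows shown do not say what an empty `initialUser.password` or `mailing.password` yields (autogenerated, as the client-secret rows document for centralidp, or a failed job), which is the first question an operator reading the v4 docs will have.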
@@ -118,6 +118,17 @@ Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs)
### To 4.0.0

This major changes from the Keycloak version from 23.0.7 to 25.0.6.

Please be aware that proxy parameter was deprecated and therefore removed. When enabling the production mode, it is to be expected to encounter the following error at install if none of the conditions listed [here](https://github.com/bitnami/charts/blob/eb2b3bdd8612a754c1b7e28237e9a32f6661eaab/bitnami/keycloak/templates/_helpers.tpl#L343) are met:

`
Error: INSTALLATION FAILED: execution error at (sharedidp/charts/keycloak/templates/NOTES.txt:100:4):
VALUES VALIDATION:
keycloak: production
In order to enable Production mode, you also need to enable HTTPS/TLS
using the value 'tls.enabled' and providing an existing secret containing the Keystore and Trustore.
`

No major issues are expected during the upgrade. Nonetheless, a blue-green deployment approach - [as outlined for previous major version upgrades](#upgrade-approach) - is recommended.

### To 3.0.1
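Review bot: this README is autogenerated (see the helm-docs line in the hunk header), so the grammar in the first sentence and the single-backtick lines around the error message, which render as inline code spans rather than a block, need to be fixed in charts/sharedidp/README.md.gotmpl and regenerated here.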
11 changes: 11 additions & 0 deletions charts/sharedidp/README.md.gotmpl
@@ -43,6 +43,17 @@ Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs)
### To 4.0.0

This major changes from the Keycloak version from 23.0.7 to 25.0.6.

Please be aware that proxy parameter was deprecated and therefore removed. When enabling the production mode, it is to be expected to encounter the following error at install if none of the conditions listed [here](https://github.com/bitnami/charts/blob/eb2b3bdd8612a754c1b7e28237e9a32f6661eaab/bitnami/keycloak/templates/_helpers.tpl#L343) are met:

`
Error: INSTALLATION FAILED: execution error at (sharedidp/charts/keycloak/templates/NOTES.txt:100:4):
VALUES VALIDATION:
keycloak: production
In order to enable Production mode, you also need to enable HTTPS/TLS
using the value 'tls.enabled' and providing an existing secret containing the Keystore and Trustore.
`

No major issues are expected during the upgrade. Nonetheless, a blue-green deployment approach - [as outlined for previous major version upgrades](#upgrade-approach) - is recommended.

### To 3.0.1
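Review bot: "This major changes from the Keycloak version from 23.0.7 to 25.0.6." needs a subject ("This major version upgrades Keycloak from 23.0.7 to 25.0.6."), and the error message should sit in a triple-backtick fence rather than between two single backticks. More importantly, the proxy paragraph should tell the sharedidp operator what to set instead of `proxy` (Keycloak's `proxy-headers`, via the chart value that carries it) or which alternative in the linked helper to satisfy, so that the fix for the validation error is not to turn `production` off on the identity provider that holds the operator realm.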
1 change: 1 addition & 0 deletions charts/sharedidp/values.yaml
@@ -140,6 +140,7 @@ keycloak:
# -- Seeding job to create and update the CX-Operator and master realms:
# besides creating those realm, the job can be used to update
# the configuration of the realms when upgrading to a new version;
# Please refer to /docs/admin/technical-documentation/14. Realm Seeding.md for more details.
# Please also refer to the 'Post-Upgrade Configuration' section in the README.md
# for configuration possibly not covered by the seeding job.
realmSeeding:
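Review bot: "besides creating those realm" in the context line should be "those realms"; since this comment generates the README row, this is the place to fix it. The added path with spaces is passed through verbatim by helm-docs, so it will appear as plain text unless written as a markdown link with `%20`.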
2 changes: 1 addition & 1 deletion docs/admin/technical-documentation/03. Clients.md
@@ -21,7 +21,7 @@ Manual creation of clients is not part of the concept, all realm administration

## Initial Clients and Service Accounts

During the [import of the realms](/import/realm-config/) at startup, the relevant clients and service accounts are seeded:
During the [seeding of the realms](/import/realm-config/) after install and upgrade, the relevant clients and service accounts are added:

| **Instance** | **Client Type** | **Description** | **Client ID** |
|--------------|-----------------|-----------------|---------------|
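Review bot: the link text now says "seeding of the realms" but still points at `/import/realm-config/`, which is the directory of realm JSON files, not a description of the seeding job; with `14. Realm Seeding.md` added in this PR, link to that document (or to both, with the JSON directory named as the input the job reads).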
4 changes: 2 additions & 2 deletions docs/admin/technical-documentation/11. FAQ.md
@@ -79,7 +79,7 @@ To transform the created "role" to an actual role, since currently its a single

3. Update keycloak base image

The [CX-Central realm file](/import/realm-config/generic/catenax-central/CX-Central-realm.json) needs to be updated with role changes (export from Keycloak) to provide the configuration in the init container for the realm import and seeding.
The [CX-Central realm file](/import/realm-config/generic/catenax-central/CX-Central-realm.json) needs to be updated with role changes (export from Keycloak) to provide the configuration in the init container for the realm seeding.

4. Update documentation

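Review bot: the step still reads "export from Keycloak" for updating the committed CX-Central realm file; now that client secrets are supplied by the seeding job from values or an existing Secret, the step should tell the reader to check that the export carries masked placeholders rather than live secrets before committing it, since the file is public in this repository.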
@@ -130,7 +130,7 @@ For the scenario of sql, the relevant sql can get found below:

3. Update Keycloak base image

The [CX-Central realm file](/import/realm-config/generic/catenax-central/CX-Central-realm.json) needs to be updated with role changes (export from Keycloak) to provide the configuration in the init container for the realm import and seeding.
The [CX-Central realm file](/import/realm-config/generic/catenax-central/CX-Central-realm.json) needs to be updated with role changes (export from Keycloak) to provide the configuration in the init container for the realm seeding.

4. Update documentation

27 changes: 27 additions & 0 deletions docs/admin/technical-documentation/14. Realm Seeding.md
@@ -0,0 +1,27 @@
# Seeding of custom realms

To add the custom realms to the centralidp and sharedidp instances maintained in the [import/realm-config directory](/import/realm-config/), a seeding job written in dotnet and executed as part of Kubernetes jobs.

The seeding job itself is currently is maintained in the portal-backend repository, but it's planned to move it this repository (see [sig-release#855](https://github.com/eclipse-tractusx/sig-release/issues/855)).

The job is highly configurable, for instance environment specific URLs and client secrets can be seeded, please see [Keycloak.Seeding/README.md](https://github.com/eclipse-tractusx/portal-backend/blob/v4.0.0-iam/src/keycloak/Keycloak.Seeding/README.md) for more details.

It is used to seed - initially and at upgrade:

- the CX-Central realm into centralidp and
- the CX-Operator realm into sharedidp,

for the master realm in sharedidp it also seeds two service accounts as well as the entities connected to those (users and and `cx-admin`role). For the detailed configuration please see:

- [seeding job for centralidp](/charts/centralidp/templates/job-seeding.yaml) and
- [seeding job for sharedidp](/charts/sharedidp/templates/job-seeding.yaml)

As well as the configuration in the values.yaml files under `Values.realmSeeding`.

## NOTICE

This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0).

- SPDX-License-Identifier: Apache-2.0
- SPDX-FileCopyrightText: 2024 Contributors to the Eclipse Foundation
- Source URL: https://github.com/eclipse-tractusx/portal-
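Review bot: several sentences in the new document need a pass: the first has no main verb ("a seeding job written in dotnet and executed as part of Kubernetes jobs" should be "a seeding job written in dotnet is executed as a Kubernetes job"), the second has "is currently is maintained" and "move it this repository" (missing "to"), and the master-realm sentence has "users and and `cx-admin`role" (double "and", missing space) while running on from the preceding bullet list. Since this is the page operators will read to learn how secrets reach the job, it should also state that secrets can be provided through the `existingSecret` options (`realmSeeding.clients.existingSecret` and `realmSeeding.serviceAccounts.existingSecret` for centralidp, `realms.cxOperator.existingSecret` and `realms.master.existingSecret` for sharedidp) instead of plaintext values, and that values files carrying seeded secrets should not be committed.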
@@ -6,8 +6,8 @@ Authentication Flow - User login to Catena-X

![AuthenticationFlow](/docs/static/authentication-flow.png)

\*(Schatten-) User: The „Schatten-User“ (shadow user) is defined as an empty User frame holding limited information. The actual user is managed in the respective Identity Provider.
The Schatten-User are always federated identities
\*(Schatten-) User: The „Schatten-User“ (shadow user) is defined as an empty User frame holding limited information. The actual user is managed in the respective Identity Provider.
The shadow users are always federated identities.

## Authentication Protocol - OpenID Connect (OIDC)
