diff --git a/.github/workflows/centralidp-chart-test.yaml b/.github/workflows/centralidp-chart-test.yaml
index 5a076a2a..dbf78c55 100644
--- a/.github/workflows/centralidp-chart-test.yaml
+++ b/.github/workflows/centralidp-chart-test.yaml
@@ -103,7 +103,7 @@ jobs:
 run: |
 helm repo add bitnami-full-index https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
 helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
- helm install centralidp tractusx-dev/centralidp --version ${{ github.event.inputs.upgrade_from || '2.1.0' }} --namespace upgrade --create-namespace --debug
+ helm install centralidp tractusx-dev/centralidp -f charts/values-test-upgrade.yaml --version ${{ github.event.inputs.upgrade_from || '2.1.0' }} --namespace upgrade --create-namespace --debug
 helm dependency update charts/centralidp
- helm upgrade centralidp charts/centralidp -f charts/values-test-centralidp.yaml --namespace upgrade --debug
+ helm upgrade centralidp charts/centralidp -f charts/values-test-upgrade.yaml --namespace upgrade --debug
 if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'
diff --git a/.github/workflows/sharedidp-chart-test.yaml b/.github/workflows/sharedidp-chart-test.yaml
index 3eaf39ea..fa9df825 100644
--- a/.github/workflows/sharedidp-chart-test.yaml
+++ b/.github/workflows/sharedidp-chart-test.yaml
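Review bot: The upgrade path now installs the released 2.1.0 chart and upgrades to the working-tree chart with the same `charts/values-test-upgrade.yaml`, but the two chart versions read credentials from different keys — the pre-commit chart (presumably what 2.1.0 ships) via `keycloak.auth.existingSecret` and the `secrets.*` rows this diff removes from the chart README, the new chart via `keycloak.auth.adminPassword` and `keycloak.postgresql.auth.*` — so unless that file (not in the diff) pins the admin and PostgreSQL passwords under both sets of keys, the upgraded release presumably ends up with fresh credentials that do not match the data persisted by the 2.1.0 install. A comment above the `helm install` line should state that contract, e.g. `# values-test-upgrade.yaml must set the admin/DB passwords under both the 2.1.0 keys and the current keys so both releases share credentials`. Also, `--debug` on both commands prints computed values and rendered manifests into the workflow log, so anything placed in that file has to be a throwaway test value. The sharedidp hunk has the same shape and the same caveats.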
@@ -103,7 +103,7 @@ jobs:
 run: |
 helm repo add bitnami-full-index https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
 helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
- helm install sharedidp tractusx-dev/sharedidp --version ${{ github.event.inputs.upgrade_from || '2.1.0' }} --namespace upgrade --create-namespace --debug
+ helm install sharedidp tractusx-dev/sharedidp -f charts/values-test-upgrade.yaml --version ${{ github.event.inputs.upgrade_from || '2.1.0' }} --namespace upgrade --create-namespace --debug
 helm dependency update charts/sharedidp
- helm upgrade sharedidp charts/sharedidp -f charts/values-test-sharedidp.yaml --namespace upgrade --debug
+ helm upgrade sharedidp charts/sharedidp -f charts/values-test-upgrade.yaml --namespace upgrade --debug
 if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'
diff --git a/README.md b/README.md
index 2bb1f5b2..88a876c9 100644
--- a/README.md
+++ b/README.md
@@ -17,12 +17,10 @@ For further information please refer to the chart specific README files, availab * charts/centralidp * [Installation](./charts/centralidp/README.md#installation) - * [Post-Install Configuration](./charts/centralidp/README.md#post-install-configuration) * [Upgrade](./charts/centralidp/README.md#upgrade) * [Post-Upgrade Configuration](./charts/centralidp/README.md#post-upgrade-configuration) * charts/sharedidp * [Installation](./charts/sharedidp/README.md#installation) - * [Post-Install Configuration](./charts/sharedidp/README.md#post-install-configuration) * [Upgrade](./charts/sharedidp/README.md#upgrade) ## Known Issues and Limitations
diff --git a/charts/centralidp/README.md b/charts/centralidp/README.md
index b4eefe70..76d42051 100644
--- a/charts/centralidp/README.md
+++ b/charts/centralidp/README.md
@@ -43,36 +43,29 @@ dependencies: | Key | Type | Default | Description | |-----|------|---------|-------------| | keycloak.auth.adminUser | string | `"admin"` | | -| keycloak.auth.existingSecret | string | `"centralidp-keycloak"` | Secret containing the passwords for admin username 'admin' and management username 'manager'. | +| keycloak.auth.adminPassword | string | `""` | centralidp Keycloak administrator password. | +| keycloak.auth.existingSecret | string | `""` | Secret containing the password for admin username 'admin'. | | keycloak.production | bool | `false` | Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. | | keycloak.proxy | string | `"passthrough"` | reverse Proxy mode edge, reencrypt, passthrough or none; ref: https://www.keycloak.org/server/reverseproxy; If your ingress controller has the SSL Termination, you should set proxy to edge. | | keycloak.httpRelativePath | string | `"/auth/"` | Setting the path relative to '/' for serving resources: as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'. 
ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed | -| keycloak.extraEnvVars[0].name | string | `"KEYCLOAK_EXTRA_ARGS"` | | -| keycloak.extraEnvVars[0].value | string | `"-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/realms/CX-Central-realm.json -Dkeycloak.migration.strategy=IGNORE_EXISTING"` | | -| keycloak.replicaCount | int | `3` | | +| keycloak.replicaCount | int | `1` | | | keycloak.extraVolumes[0].name | string | `"themes"` | | | keycloak.extraVolumes[0].emptyDir | object | `{}` | | -| keycloak.extraVolumes[1].name | string | `"realms"` | | -| keycloak.extraVolumes[1].emptyDir | object | `{}` | | | keycloak.extraVolumeMounts[0].name | string | `"themes"` | | | keycloak.extraVolumeMounts[0].mountPath | string | `"/opt/bitnami/keycloak/themes/catenax-central"` | | -| keycloak.extraVolumeMounts[1].name | string | `"realms"` | | -| keycloak.extraVolumeMounts[1].mountPath | string | `"/realms"` | | | keycloak.initContainers[0].name | string | `"import"` | | | keycloak.initContainers[0].image | string | `"docker.io/tractusx/portal-iam:v3.0.1"` | | | keycloak.initContainers[0].imagePullPolicy | string | `"IfNotPresent"` | | | keycloak.initContainers[0].command[0] | string | `"sh"` | | | keycloak.initContainers[0].args[0] | string | `"-c"` | | -| keycloak.initContainers[0].args[1] | string | `"echo \"Copying themes...\"\ncp -R /import/themes/catenax-central/* /themes\necho \"Copying realms...\"\ncp -R /import/catenax-central/realms/* /realms\n"` | | +| keycloak.initContainers[0].args[1] | string | `"echo \"Copying themes...\"\ncp -R /import/themes/catenax-central/* /themes\n"` | | | keycloak.initContainers[0].volumeMounts[0].name | string | `"themes"` | | | keycloak.initContainers[0].volumeMounts[0].mountPath | string | `"/themes"` | | -| keycloak.initContainers[0].volumeMounts[1].name | string | `"realms"` | | -| keycloak.initContainers[0].volumeMounts[1].mountPath | 
string | `"/realms"` | | | keycloak.service.sessionAffinity | string | `"ClientIP"` | | | keycloak.ingress.enabled | bool | `false` | | | keycloak.ingress.ingressClassName | string | `"nginx"` | | | keycloak.ingress.hostname | string | `"centralidp.example.org"` | Provide default path for the ingress record. | -| keycloak.ingress.annotations."cert-manager.io/cluster-issuer" | string | `""` | Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress | +| keycloak.ingress.annotations."cert-manager.io/cluster-issuer" | string | `""` | Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. | | keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-credentials" | string | `"true"` | | | keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-methods" | string | `"PUT, GET, POST, OPTIONS"` | | | keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-origin" | string | `"https://centralidp.example.org"` | | 
@@ -87,63 +80,39 @@ dependencies: | keycloak.rbac.rules[0].resources[0] | string | `"pods"` | | | keycloak.rbac.rules[0].verbs[0] | string | `"get"` | | | keycloak.rbac.rules[0].verbs[1] | string | `"list"` | | -| keycloak.postgresql.enabled | bool | `true` | PostgreSQL chart configuration (recommended for demonstration purposes only); default configurations: host: "centralidp-postgresql-primary", port: 5432; Switch to enable or disable the PostgreSQL helm chart. | +| keycloak.postgresql.enabled | bool | `true` | PostgreSQL chart configuration (recommended for demonstration purposes only); default configurations: host: "centralidp-postgresql", port: 5432; Switch to enable or disable the PostgreSQL helm chart. | | keycloak.postgresql.image | object | `{"tag":"15-debian-11"}` | Setting to Postgres version 15 as that is the aligned version, https://eclipse-tractusx.github.io/docs/release/trg-5/trg-5-07/#aligning-dependency-versions). Keycloak helm-chart from Bitnami has moved on to version 16. | | keycloak.postgresql.commonLabels."app.kubernetes.io/version" | string | `"15"` | | | keycloak.postgresql.auth.username | string | `"kccentral"` | Non-root username. | +| keycloak.postgresql.auth.password | string | `""` | Non-root user password. | +| keycloak.postgresql.auth.postgresPassword | string | `""` | Root user password. | | keycloak.postgresql.auth.database | string | `"iamcentralidp"` | Database name. | -| keycloak.postgresql.auth.existingSecret | string | `"centralidp-postgres"` | Secret containing the passwords for root usernames postgres and non-root username kccentral. | -| keycloak.postgresql.architecture | string | `"replication"` | | -| keycloak.externalDatabase.host | string | `"centralidp-postgresql-external-db"` | External PostgreSQL configuration IMPORTANT: non-root db user needs needs to be created beforehand on external database. Database host ('-primary' is added as postfix). 
| +| keycloak.postgresql.auth.existingSecret | string | `""` | Secret containing the passwords for root usernames postgres and non-root username kccentral. | +| keycloak.postgresql.architecture | string | `"standalone"` | | +| keycloak.externalDatabase.host | string | `""` | External PostgreSQL configuration IMPORTANT: non-root db user needs needs to be created beforehand on external database. | | keycloak.externalDatabase.port | int | `5432` | Database port number. | -| keycloak.externalDatabase.user | string | `"kccentral"` | Non-root username for centralidp. | -| keycloak.externalDatabase.database | string | `"iamcentralidp"` | Database name. | -| keycloak.externalDatabase.password | string | `""` | Password for the non-root username (default 'kccentral'). Secret-key 'password'. | -| keycloak.externalDatabase.existingSecret | string | `"centralidp-keycloak-external-db"` | Secret containing the password non-root username, (default 'kccentral'). | -| keycloak.externalDatabase.existingSecretPasswordKey | string | `"password"` | Name of an existing secret key containing the database credentials. | -| secrets.auth.existingSecret.adminpassword | string | `""` | Password for the admin username 'admin'. Secret-key 'admin-password'. | -| secrets.postgresql.auth.existingSecret.postgrespassword | string | `""` | Password for the root username 'postgres'. Secret-key 'postgres-password'. | -| secrets.postgresql.auth.existingSecret.password | string | `""` | Password for the non-root username 'kccentral'. Secret-key 'password'. | -| secrets.postgresql.auth.existingSecret.replicationPassword | string | `""` | Password for the non-root username 'repl_user'. Secret-key 'replication-password'. 
| -| seeding.enabled | bool | `false` | Seeding job to upgrade CX_Central realm: enable to upgrade the configuration of the CX-Central realm from previous version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job | -| seeding.image | string | `"docker.io/tractusx/portal-iam-seeding:v3.0.1-iam"` | | -| seeding.imagePullPolicy | string | `"IfNotPresent"` | | -| seeding.portContainer | int | `8080` | | -| seeding.authRealm | string | `"master"` | | -| seeding.useAuthTrail | string | `"true"` | | -| seeding.dataPaths.dataPath0 | string | `"realms/CX-Central-realm.json"` | | -| seeding.instanceName | string | `"central"` | | -| seeding.excludedUserAttributes.attribute0 | string | `"bpn"` | | -| seeding.excludedUserAttributes.attribute1 | string | `"organisation"` | | -| seeding.resources | object | `{"limits":{"cpu":"225m","memory":"200M"},"requests":{"cpu":"75m","memory":"200M"}}` | We recommend to review the default resource limits as this should a conscious choice. 
| -| seeding.extraVolumes[0].name | string | `"realms"` | | -| seeding.extraVolumes[0].emptyDir | object | `{}` | | -| seeding.extraVolumeMounts[0].name | string | `"realms"` | | -| seeding.extraVolumeMounts[0].mountPath | string | `"app/realms"` | | -| seeding.initContainers[0].name | string | `"init-cx-central"` | | -| seeding.initContainers[0].image | string | `"docker.io/tractusx/portal-iam:v3.0.1"` | | -| seeding.initContainers[0].imagePullPolicy | string | `"IfNotPresent"` | | -| seeding.initContainers[0].command[0] | string | `"sh"` | | -| seeding.initContainers[0].args[0] | string | `"-c"` | | -| seeding.initContainers[0].args[1] | string | `"echo \"Copying CX Central realm...\"\ncp -R /import/catenax-central/realms/* /app/realms\n"` | | -| seeding.initContainers[0].volumeMounts[0].name | string | `"realms"` | | -| seeding.initContainers[0].volumeMounts[0].mountPath | string | `"app/realms"` | | +| keycloak.externalDatabase.user | string | `""` | Non-root username. | +| keycloak.externalDatabase.database | string | `""` | Database name. | +| keycloak.externalDatabase.password | string | `""` | Password for the non-root username. | +| keycloak.externalDatabase.existingSecret | string | `""` | Secret containing the database credentials. 
| +| keycloak.externalDatabase.existingSecretHostKey | string | `""` | | +| keycloak.externalDatabase.existingSecretPortKey | string | `""` | | +| keycloak.externalDatabase.existingSecretUserKey | string | `""` | | +| keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | | +| keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | | +| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientS
ecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"https://sharedidp.example.org"}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. | +| realmSeeding.clients | object | `{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}}` | Set redirect addresses and - in the case of confidential clients - clients secrets for clients which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is "changeme". | +| realmSeeding.clients.existingSecret | string | `""` | Option to provide an existingSecret for the clients with clientId as key and clientSecret as value. 
| +| realmSeeding.serviceAccounts | object | `{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""}` | Client secrets for service accounts which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is "changeme". | +| realmSeeding.serviceAccounts.existingSecret | string | `""` | Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value. | +| realmSeeding.bpn | string | `"BPNL00000003CRHK"` | Set value for the 'bpn' user attribute for the initial user and the base service account users. | +| realmSeeding.sharedidp | string | `"https://sharedidp.example.org"` | Set sharedidp address to enable the identity provider connection to CX-Operator realm. | +| realmSeeding.extraServiceAccounts | object | `{"clientSecretsAndBpn":[],"existingSecret":""}` | Set client secrets and bpn user attribute for additional service accounts; meant to enable possible test data, default value for client secrets is "changeme". 
| +| realmSeeding.extraServiceAccounts.existingSecret | string | `""` | Option to provide an existingSecret for additional service accounts with clientId as key and clientSecret as value. | +| realmSeeding.resources | object | `{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}}` | We recommend to review the default resource limits as this should a conscious choice. | Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) -## Post-Install Configuration - -Once the installation is completed, the following steps need to be executed in the Keycloak admin console within the CX-Central realm: - -1. Generate client-secrets for confidential clients and service accounts with access type 'confidential'. - -2. Establish connection to the sharedidp instance - -In order to enable the login of the initial user (see CX-Operator realm in sharedidp instance for username), the connection between the 'CX-Operator' identity provider of the centralidp instance and the according realm in the sharedidp instance needs to be established. -This is done by setting the 'example.org' placeholder in the CX-Operator' Identity Provider to the address of the sharedidp instance. - -3. Setup SMTP configuration (Realm Settings --> Email) - ## Upgrade Please see notes at [Values.seeding](values.yaml#L153) for upgrading the configuration of the CX-Central realm. diff --git a/charts/centralidp/README.md.gotmpl b/charts/centralidp/README.md.gotmpl index ffb385fe..8bd77957 100644 --- a/charts/centralidp/README.md.gotmpl +++ b/charts/centralidp/README.md.gotmpl 
@@ -38,19 +38,6 @@ dependencies: Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) -## Post-Install Configuration - -Once the installation is completed, the following steps need to be executed in the Keycloak admin console within the CX-Central realm: - -1. Generate client-secrets for confidential clients and service accounts with access type 'confidential'. - -2. Establish connection to the sharedidp instance - -In order to enable the login of the initial user (see CX-Operator realm in sharedidp instance for username), the connection between the 'CX-Operator' identity provider of the centralidp instance and the according realm in the sharedidp instance needs to be established. -This is done by setting the 'example.org' placeholder in the CX-Operator' Identity Provider to the address of the sharedidp instance. - -3. Setup SMTP configuration (Realm Settings --> Email) - ## Upgrade Please see notes at [Values.seeding](values.yaml#L153) for upgrading the configuration of the CX-Central realm. diff --git a/charts/centralidp/templates/_helpers.tpl b/charts/centralidp/templates/_helpers.tpl index eefa1099..dfe2674f 100644 --- a/charts/centralidp/templates/_helpers.tpl +++ b/charts/centralidp/templates/_helpers.tpl @@ -15,7 +15,9 @@ * under the License. * * SPDX-License-Identifier: Apache-2.0 +*/}} +{{/* Define "centralidp.fullname" like ""common.names.fullname" in the bitnami common chart but setting ".Chart.Name" to "keycloak". This is necessary to retrieve the keycloak service name for the execution of the seeding job. */}} 
@@ -31,3 +33,36 @@ This is necessary to retrieve the keycloak service name for the execution of the
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Define secret name for clients secrets of clients (realm seeding).
+*/}}
+{{- define "centralidp.secret.clients" -}}
+{{- if .Values.realmSeeding.clients.existingSecret -}}
+{{- .Values.realmSeeding.clients.existingSecret }}
+{{- else -}}
+{{- include "centralidp.fullname" . -}}-clients
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define secret name for clients secrets of base service accounts (realm seeding).
+*/}}
+{{- define "centralidp.secret.serviceAccounts" -}}
+{{- if .Values.realmSeeding.serviceAccounts.existingSecret -}}
+{{- .Values.realmSeeding.serviceAccounts.existingSecret }}
+{{- else -}}
+{{- include "centralidp.fullname" . -}}-base-service-accounts
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define secret name for clients secrets of additional service accounts (realm seeding).
+*/}}
+{{- define "centralidp.secret.extraServiceAccounts" -}}
+{{- if .Values.realmSeeding.extraServiceAccounts.existingSecret -}}
+{{- .Values.realmSeeding.extraServiceAccounts.existingSecret }}
+{{- else -}}
+{{- include "centralidp.fullname" . -}}-extra-service-accounts
+{{- end -}}
+{{- end -}}
diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml
index e29bb327..e2001be1 100644
--- a/charts/centralidp/templates/job-seeding.yaml
+++ b/charts/centralidp/templates/job-seeding.yaml
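Review bot: The comment on `centralidp.secret.clients` should say which keys a user-supplied `realmSeeding.clients.existingSecret` must contain, because the seeding job in this diff reads the fixed keys `miw`, `bpdm`, `bpdm-gate` and `bpdm-orchestrator` from that secret while the README row added here describes the secret as keyed by clientId; a user following the README would create keys such as `Cl5-CX-Custodian` and the job's secretKeyRef would fail at pod start. Suggested wording: `Define secret name for the client secrets of confidential clients (realm seeding); an existingSecret must carry the keys miw, bpdm, bpdm-gate and bpdm-orchestrator.` The other two helpers are keyed by clientId and their comments could state that explicitly. Minor style point: the `if` branches write `{{- .Values.realmSeeding.clients.existingSecret }}` without the right-hand trim that every other action in these helpers uses; `{{- .Values.realmSeeding.clients.existingSecret -}}` keeps the three helpers uniform.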
@@ -17,64 +17,235 @@ * SPDX-License-Identifier: Apache-2.0 */}} -{{- if .Values.seeding.enabled -}} +{{- if .Values.realmSeeding.enabled -}} apiVersion: batch/v1 kind: Job metadata: - name: {{ include "centralidp.fullname" . }}-upgrade-seeding + name: {{ include "centralidp.fullname" . }}-realm-seeding-{{ .Release.Revision }} namespace: {{ .Release.Namespace }} - annotations: - "batch.kubernetes.io/job-tracking": "true" - "helm.sh/hook": post-upgrade - "helm.sh/hook-weight": "-5" spec: template: metadata: - name: {{ include "centralidp.fullname" . }}-upgrade-seeding + name: {{ include "centralidp.fullname" . }}-realm-seeding spec: restartPolicy: Never containers: - - name: {{ include "centralidp.fullname" . }}-upgrade-seeding + - name: {{ include "centralidp.fullname" . }}-realm-seeding securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL + readOnlyRootFilesystem: true runAsNonRoot: true - image: "{{ .Values.seeding.image }}" - imagePullPolicy: "{{ .Values.seeding.imagePullPolicy }}" + image: "{{ .Values.realmSeeding.image.name }}" + imagePullPolicy: "{{ .Values.realmSeeding.image.pullPolicy }}" env: - name: "KEYCLOAK__CENTRAL__CONNECTIONSTRING" - value: "http://{{ template "centralidp.fullname" . }}" + value: | + {{ if .Values.realmSeeding.keycloakServiceTls -}} + https://{{ template "centralidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }} + {{- else -}} + http://{{ template "centralidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }} + {{- end }} - name: "KEYCLOAK__CENTRAL__USER" value: "{{ .Values.keycloak.auth.adminUser }}" - name: "KEYCLOAK__CENTRAL__PASSWORD" valueFrom: secretKeyRef: - name: "{{ .Values.keycloak.auth.existingSecret }}" + name: "{{ template "centralidp.fullname" . 
}}" key: "admin-password" - name: "KEYCLOAK__CENTRAL__AUTHREALM" - value: "{{ .Values.seeding.authRealm }}" + value: "master" - name: "KEYCLOAK__CENTRAL__USEAUTHTRAIL" - value: "{{ .Values.seeding.useAuthTrail }}" - - name: "KEYCLOAKSEEDING__DATAPATHES__0" - value: "{{ .Values.seeding.dataPaths.dataPath0 }}" - - name: "KEYCLOAKSEEDING__INSTANCENAME" - value: "{{ .Values.seeding.instanceName }}" - - name: "KEYCLOAKSEEDING__EXCLUDEDUSERATTRIBUTES__0" - value: "{{ .Values.seeding.excludedUserAttributes.attribute0 }}" - - name: "KEYCLOAKSEEDING__EXCLUDEDUSERATTRIBUTES__1" - value: "{{ .Values.seeding.excludedUserAttributes.attribute1 }}" + value: "true" + - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__0" + value: "realms/CX-Central-realm.json" + - name: "KEYCLOAKSEEDING__REALMS__0__INSTANCENAME" + value: "central" + - name: "KEYCLOAKSEEDING__REALMS__0__REALM" + value: "CX-Central" + + ############################# + ## INITIAL USER + ############################# + + - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__1" + value: "realms/CX-Central-users-0.json" + + ############################# + ## CLIENTS + ############################# + + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__CLIENTID" + value: "Cl1-CX-Registration" + {{- range $index, $redirects := .Values.realmSeeding.clients.registration.redirects }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__REDIRECTURIS__{{ $index }}" + value: {{ $redirects | quote }} + {{- end }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__CLIENTID" + value: "Cl2-CX-Portal" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__ROOTURL" + value: "{{ .Values.realmSeeding.clients.portal.rootUrl }}" + {{- range $index, $redirects := .Values.realmSeeding.clients.portal.redirects }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__1__REDIRECTURIS__{{ $index }}" + value: {{ $redirects | quote }} + {{- end }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__2__CLIENTID" + value: "Cl3-CX-Semantic" + {{- range $index, $redirects := 
.Values.realmSeeding.clients.semantics.redirects }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__2__REDIRECTURIS__{{ $index }}" + value: {{ $redirects | quote }} + {{- end }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__CLIENTID" + value: "Cl5-CX-Custodian" + {{- range $index, $redirects := .Values.realmSeeding.clients.miw.redirects }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__REDIRECTURIS__{{ $index }}" + value: {{ $redirects | quote }} + {{- end }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__3__SECRET" + valueFrom: + secretKeyRef: + name: "{{ template "centralidp.secret.clients" . }}" + key: "miw" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__CLIENTID" + value: "Cl7-CX-BPDM" + {{- range $index, $redirects := .Values.realmSeeding.clients.bpdm.redirects }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__REDIRECTURIS__{{ $index }}" + value: {{ $redirects | quote }} + {{- end }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__4__SECRET" + valueFrom: + secretKeyRef: + name: "{{ template "centralidp.secret.clients" . }}" + key: "bpdm" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__CLIENTID" + value: "Cl16-CX-BPDMGate" + {{- range $index, $redirects := .Values.realmSeeding.clients.bpdmGate.redirects }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__REDIRECTURIS__{{ $index }}" + value: {{ $redirects | quote }} + {{- end }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__5__SECRET" + valueFrom: + secretKeyRef: + name: "{{ template "centralidp.secret.clients" . }}" + key: "bpdm-gate" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__CLIENTID" + value: "Cl25-CX-BPDM-Orchestrator" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__6__SECRET" + valueFrom: + secretKeyRef: + name: "{{ template "centralidp.secret.clients" . }}" + key: "bpdm-orchestrator" + + ############################# + ## BASE SERVICE ACCOUNTS + ############################# + + {{- $index := 20 }} + {{- $secretBaseSa := include "centralidp.secret.serviceAccounts" . 
-}} + {{- range .Values.realmSeeding.serviceAccounts.clientSecrets }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__CLIENTID" + value: {{ .clientId | quote }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__SECRET" + valueFrom: + secretKeyRef: + name: "{{ $secretBaseSa }}" + key: "{{ .clientId }}" + {{- $index = add1 $index }} + {{- end }} + + ############################# + ## BPN USER ATTRIBUTE + ############################# + + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__USERNAME" + value: "ac1cf001-7fbc-1f2f-817f-bce058020006" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__Attributes__0__NAME" + value: "bpn" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__Attributes__0__VALUES__0" + value: "{{ .Values.realmSeeding.bpn }}" + {{- $index := 1 }} + {{- $bpn := .Values.realmSeeding.bpn -}} + {{- range .Values.realmSeeding.serviceAccounts.clientSecrets }} + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__USERNAME" + value: {{ printf "service-account-%s" .clientId | quote }} + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__ATTRIBUTES__0__NAME" + value: "bpn" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__ATTRIBUTES__0__VALUES__0" + value: {{ $bpn | quote }} + {{- $index = add1 $index }} + {{- end }} + + ############################# + ## IDENTITY PROVIDER + ############################# + + - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__ALIAS" + value: "CX-Operator" + - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__TOKENURL" + value: "{{ .Values.realmSeeding.sharedidp }}/auth/realms/CX-Operator/protocol/openid-connect/token" + - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__JWKSURL" + value: "{{ .Values.realmSeeding.sharedidp }}/auth/realms/CX-Operator/protocol/openid-connect/certs" + - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__AUTHORIZATIONURL" + value: "{{ .Values.realmSeeding.sharedidp 
}}/auth/realms/CX-Operator/protocol/openid-connect/auth" + - name: "KEYCLOAKSEEDING__REALMS__0__IDENTITYPROVIDERS__0__CONFIG__LOGOUTURL" + value: "{{ .Values.realmSeeding.sharedidp }}/auth/realms/CX-Operator/protocol/openid-connect/logout" + + ############################# + ## EXTRA SERVICE ACCOUNTS + ############################# + + {{- $index := 100 }} + {{- $secret := include "centralidp.secret.extraServiceAccounts" . -}} + {{- range .Values.realmSeeding.extraServiceAccounts.clientSecretsAndBpn }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__CLIENTID" + value: {{ .clientId | quote }} + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__{{ $index }}__SECRET" + valueFrom: + secretKeyRef: + name: {{ $secret }} + key: {{ .clientId }} + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__USERNAME" + value: {{ printf "service-account-%s" .clientId | quote }} + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__{{ $index }}__ATTRIBUTES__0__VALUES__0" + value: {{ .bpn | quote }} + {{- $index = add1 $index }} + {{- end }} + ports: - name: http - containerPort: {{ .Values.seeding.portContainer }} + containerPort: {{ .Values.realmSeeding.portContainer }} protocol: TCP resources: - {{- toYaml .Values.seeding.resources | nindent 10 }} + {{- toYaml .Values.realmSeeding.resources | nindent 10 }} volumeMounts: - {{- toYaml .Values.seeding.extraVolumeMounts | nindent 10 }} + - name: realms + mountPath: "app/realms" initContainers: - {{- toYaml .Values.seeding.initContainers | nindent 8 }} + - name: init-cx-central + image: {{ .Values.realmSeeding.initContainer.image.name }} + imagePullPolicy: {{ .Values.realmSeeding.initContainer.image.pullPolicy }} + command: + - sh + args: + - -c + - | + echo "Copying CX Central realm..." 
+ cp -R /import/catenax-central/realms/* /app/realms + volumeMounts: + - name: realms + mountPath: "app/realms" + - name: wait-for-keycloak + image: appropriate/curl:latest + {{ if .Values.realmSeeding.keycloakServiceTls -}} + command: [ 'sh', '-c', 'until curl -s https://{{ template "centralidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ] + {{- else -}} + command: [ 'sh', '-c', 'until curl -s http://{{ template "centralidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ] + {{- end }} + imagePullPolicy: IfNotPresent volumes: - {{- toYaml .Values.seeding.extraVolumes | nindent 8 }} + - name: realms + emptyDir: {} + automountServiceAccountToken: false {{- end -}} diff --git a/charts/centralidp/templates/secret-base-service-accounts.yaml b/charts/centralidp/templates/secret-base-service-accounts.yaml new file mode 100644 index 00000000..77a193a7 --- /dev/null +++ b/charts/centralidp/templates/secret-base-service-accounts.yaml 
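Review bot: The `wait-for-keycloak` init container pulls `appropriate/curl:latest`, a mutable tag with no digest, and neither it nor `init-cx-central` carries the securityContext (drop ALL, runAsNonRoot, readOnlyRootFilesystem) that this hunk adds to the seeding container, so the pod's hardening stops at the main container; pin the image to an immutable reference and apply the same securityContext to both init containers (with a `runAsUser` the image supports). The readiness loop `until curl -s …; do … done` also exits on any HTTP response, since `-s` without `--fail` returns 0 on 4xx/5xx, so the seeder can start against a Keycloak that still answers 503; `curl -sf` fixes that. The admin password is read from `name: "{{ template "centralidp.fullname" . }}"` although the chart still exposes `keycloak.auth.existingSecret` (see the README rows in this diff); when a user sets that value the secretKeyRef presumably points at a secret that does not exist, so derive the name from it, e.g. `name: "{{ .Values.keycloak.auth.existingSecret | default (include "centralidp.fullname" .) }}"`. Two smaller points: `KEYCLOAK__CENTRAL__CONNECTIONSTRING` uses `value: |`, whose clip chomping leaves a trailing newline in the URL (`value: |-` avoids it), and the extra-service-account users set `ATTRIBUTES__0__VALUES__0` without the `ATTRIBUTES__0__NAME` entry that the base service-account block sets to `"bpn"`, which looks like an omission unless the seeder defaults the attribute name.
```yaml
      initContainers:
        # … unchanged: init-cx-central (give it the same securityContext as below) …
        - name: wait-for-keycloak
          # placeholder: pin to an immutable reference (tag plus digest) instead of :latest
          image: appropriate/curl:<PINNED_TAG>@sha256:<DIGEST>
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            # add runAsUser with a non-root UID the pinned image supports
          {{ if .Values.realmSeeding.keycloakServiceTls -}}
          command: [ 'sh', '-c', 'until curl -sf https://{{ template "centralidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
          {{- else -}}
          command: [ 'sh', '-c', 'until curl -sf http://{{ template "centralidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
          {{- end }}
```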
@@ -0,0 +1,31 @@
+{{- /*
+* Copyright (c) 2024 Contributors to the Eclipse Foundation
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/}}
+
+{{- if and (.Values.realmSeeding.enabled) (not .Values.realmSeeding.serviceAccounts.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "centralidp.secret.serviceAccounts" . }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+ {{- range .Values.realmSeeding.serviceAccounts.clientSecrets }}
+ {{ .clientId }}: {{ .clientSecret | default "changeme" | quote }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/centralidp/templates/secret-centralidp.yaml b/charts/centralidp/templates/secret-centralidp.yaml
deleted file mode 100644
index 7af8a6d4..00000000
--- a/charts/centralidp/templates/secret-centralidp.yaml
+++ /dev/null
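Review bot: The `stringData` line `{{ .clientId }}: {{ .clientSecret | default "changeme" | quote }}` turns every unset `clientSecret` into a well-known credential that the seeding job then writes into the realm, and nothing in the template distinguishes a deliberate test deployment from a forgotten value; the same fallback is repeated in secret-clients.yaml and secret-extra-service-accounts.yaml. Since `realmSeeding.enabled` defaults to `true` in this change, a default install ends up with all base service accounts sharing that secret. Consider failing the render instead, e.g. `{{ .clientId }}: {{ required (printf "realmSeeding.serviceAccounts.clientSecrets: clientSecret for %s must be set" .clientId) .clientSecret | quote }}`, or keep the fallback but put it behind an explicit opt-in so the values.yaml advice ("SET client secrets for all non-testing and non-local purposes") is enforced rather than advisory.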
@@ -1,38 +0,0 @@ -############################################################### -# Copyright (c) 2022 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################### - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keycloak.auth.existingSecret }} - namespace: {{ .Release.Namespace }} -type: Opaque -# use lookup function to check if secret exists -{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.keycloak.auth.existingSecret) }} -{{ if $secret -}} -data: - # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret - # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret - # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too - admin-password: {{ ( .Values.secrets.auth.existingSecret.adminpassword | b64enc ) | default ( index $secret.data "admin-password" ) | quote }} -{{ else -}} -stringData: - # if secret doesn't exist, use provided value from values file or generate a random one - admin-password: {{ .Values.secrets.auth.existingSecret.adminpassword | default ( randAlphaNum 32 ) | quote }} -{{ end }} 
diff --git a/charts/centralidp/templates/secret-clients.yaml b/charts/centralidp/templates/secret-clients.yaml
new file mode 100644
index 00000000..f92bf601
--- /dev/null
+++ b/charts/centralidp/templates/secret-clients.yaml
@@ -0,0 +1,32 @@
+{{- /*
+* Copyright (c) 2024 Contributors to the Eclipse Foundation
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/}}
+
+{{- if and (.Values.realmSeeding.enabled) (not .Values.realmSeeding.clients.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "centralidp.secret.clients" . }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+ miw: {{ .Values.realmSeeding.clients.miw.clientSecret | default "changeme" | quote }}
+ bpdm: {{ .Values.realmSeeding.clients.bpdm.clientSecret | default "changeme" | quote }}
+ bpdm-gate: {{ .Values.realmSeeding.clients.bpdmGate.clientSecret | default "changeme" | quote }}
+ bpdm-orchestrator: {{ .Values.realmSeeding.clients.bpdmOrchestrator.clientSecret | default "changeme" | quote }}
+{{- end -}}
diff --git a/charts/centralidp/templates/secret-external-db.yaml b/charts/centralidp/templates/secret-external-db.yaml
deleted file mode 100644
index 6570900c..00000000
--- a/charts/centralidp/templates/secret-external-db.yaml
+++ /dev/null
@@ -1,39 +0,0 @@ -{{- /* -* Copyright (c) 2022 Contributors to the Eclipse Foundation -* -* See the NOTICE file(s) distributed with this work for additional -* information regarding copyright ownership. -* -* This program and the accompanying materials are made available under the -* terms of the Apache License, Version 2.0 which is available at -* https://www.apache.org/licenses/LICENSE-2.0. -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -* License for the specific language governing permissions and limitations -* under the License. -* -* SPDX-License-Identifier: Apache-2.0 -*/}} - -{{- if not .Values.keycloak.postgresql.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keycloak.externalDatabase.existingSecret }} - namespace: {{ .Release.Namespace }} -type: Opaque -# use lookup function to check if secret exists -{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.keycloak.externalDatabase.existingSecret) }} -{{ if $secret -}} -data: - # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret - # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret - password: {{ ( .Values.keycloak.externalDatabase.password | b64enc ) | default $secret.data.password | quote }} -{{ else -}} -stringData: - # if secret doesn't exist, use provided value from values file or generate a random one - password: {{ .Values.keycloak.externalDatabase.password | default ( randAlphaNum 32 ) | quote }} -{{ end }} -{{- end -}} diff --git a/charts/centralidp/templates/secret-extra-service-accounts.yaml b/charts/centralidp/templates/secret-extra-service-accounts.yaml new file mode 100644 index 00000000..f9ffa3fc --- /dev/null 
+++ b/charts/centralidp/templates/secret-extra-service-accounts.yaml
@@ -0,0 +1,31 @@
+{{- /*
+* Copyright (c) 2024 Contributors to the Eclipse Foundation
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/}}
+
+{{- if and (.Values.realmSeeding.enabled) (.Values.realmSeeding.extraServiceAccounts.clientSecrets) (not .Values.realmSeeding.extraServiceAccounts.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "centralidp.secret.extraServiceAccounts" . }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+ {{- range .Values.realmSeeding.extraServiceAccounts.clientSecrets }}
+ {{ .clientId }}: {{ .clientSecret | default "changeme" | quote }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/centralidp/templates/secret-postgres-init.yaml b/charts/centralidp/templates/secret-postgres-init.yaml
deleted file mode 100644
index a741dd6d..00000000
--- a/charts/centralidp/templates/secret-postgres-init.yaml
+++ /dev/null
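Review bot: The `if` guard and the `range` both read `.Values.realmSeeding.extraServiceAccounts.clientSecrets`, but the values.yaml hunk in this same change defines the list as `extraServiceAccounts.clientSecretsAndBpn`, and the seeding container template ranges over `clientSecretsAndBpn` while pointing its `secretKeyRef` at `centralidp.secret.extraServiceAccounts`. With the documented values layout the condition is never true and this Secret is never rendered, so a deployment that lists extra service accounts without `existingSecret` would presumably fail to start on the missing secret reference. Both occurrences should read `(.Values.realmSeeding.extraServiceAccounts.clientSecretsAndBpn)` and `{{- range .Values.realmSeeding.extraServiceAccounts.clientSecretsAndBpn }}`, and a `helm template` with a non-empty list would have caught this.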
@@ -1,44 +0,0 @@ -{{- /* -* Copyright (c) 2022 Contributors to the Eclipse Foundation -* -* See the NOTICE file(s) distributed with this work for additional -* information regarding copyright ownership. -* -* This program and the accompanying materials are made available under the -* terms of the Apache License, Version 2.0 which is available at -* https://www.apache.org/licenses/LICENSE-2.0. -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -* License for the specific language governing permissions and limitations -* under the License. -* -* SPDX-License-Identifier: Apache-2.0 -*/}} - -{{- if .Values.keycloak.postgresql.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keycloak.postgresql.auth.existingSecret }} - namespace: {{ .Release.Namespace }} -type: Opaque -# use lookup function to check if secret exists -{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.keycloak.postgresql.auth.existingSecret) }} -{{ if $secret -}} -data: - # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret - # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret - # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too - postgres-password: {{ ( .Values.secrets.postgresql.auth.existingSecret.postgrespassword | b64enc ) | default ( index $secret.data "postgres-password" ) | quote }} - password: {{ ( .Values.secrets.postgresql.auth.existingSecret.password | b64enc ) | default $secret.data.password | quote }} - replication-password: {{ ( .Values.secrets.postgresql.auth.existingSecret.replicationPassword | b64enc ) | default ( index $secret.data "replication-password" ) | quote}} -{{ else -}} -stringData: - # if secret doesn't 
exist, use provided value from values file or generate a random one - postgres-password: {{ .Values.secrets.postgresql.auth.existingSecret.postgrespassword | default ( randAlphaNum 32 ) | quote }} - password: {{ .Values.secrets.postgresql.auth.existingSecret.password | default ( randAlphaNum 32 ) | quote }} - replication-password: {{ .Values.secrets.postgresql.auth.existingSecret.replicationPassword | default ( randAlphaNum 32 ) | quote }} -{{ end }} -{{- end -}} diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index cbb71ffc..97ad25cc 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -20,8 +20,10 @@ keycloak: auth: adminUser: admin - # -- Secret containing the passwords for admin username 'admin' and management username 'manager'. - existingSecret: "centralidp-keycloak" + # -- centralidp Keycloak administrator password. + adminPassword: "" + # -- Secret containing the password for admin username 'admin'. + existingSecret: "" # -- Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. production: false # -- reverse Proxy mode edge, reencrypt, passthrough or none; @@ -32,20 +34,13 @@ keycloak: # as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'. # ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed httpRelativePath: "/auth/" - extraEnvVars: - - name: KEYCLOAK_EXTRA_ARGS - value: "-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/realms/CX-Central-realm.json -Dkeycloak.migration.strategy=IGNORE_EXISTING" - replicaCount: 3 + replicaCount: 1 extraVolumes: - name: themes emptyDir: {} - - name: realms - emptyDir: {} extraVolumeMounts: - name: themes mountPath: "/opt/bitnami/keycloak/themes/catenax-central" - - name: realms - mountPath: "/realms" initContainers: - name: import image: docker.io/tractusx/portal-iam:v3.0.1 
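Review bot: The new `adminPassword: ""` / `existingSecret: ""` pair drops the behaviour the deleted secret-centralidp.yaml implemented — look up the existing Secret on upgrade and keep its value, otherwise generate one — and the `# --` comment does not say what an empty `adminPassword` now means. The same question applies to `postgresql.auth.password`, `postgresql.auth.postgresPassword` and `externalDatabase.password` in the later values.yaml hunk. If the subchart is now responsible for generating and retaining these values across `helm upgrade`, state it in the comment, e.g. `# -- centralidp Keycloak administrator password; leave empty to let the Keycloak chart generate one (set it, or existingSecret, for any non-test deployment).`, and make sure the CI upgrade test covers the empty-value path, since a regenerated password would presumably break anything still authenticating with the previous one.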
@@ -57,13 +52,9 @@ keycloak: - | echo "Copying themes..." cp -R /import/themes/catenax-central/* /themes - echo "Copying realms..." - cp -R /import/catenax-central/realms/* /realms volumeMounts: - name: themes mountPath: "/themes" - - name: realms - mountPath: "/realms" service: sessionAffinity: ClientIP ingress: @@ -74,7 +65,7 @@ keycloak: annotations: # -- Enable TLS configuration for the host defined at `ingress.hostname` parameter; # TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; - # Provide the name of ClusterIssuer to acquire the certificate required for this Ingress + # Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. cert-manager.io/cluster-issuer: "" nginx.ingress.kubernetes.io/cors-allow-credentials: "true" nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS" @@ -98,7 +89,7 @@ keycloak: postgresql: # -- PostgreSQL chart configuration (recommended for demonstration purposes only); # default configurations: - # host: "centralidp-postgresql-primary", + # host: "centralidp-postgresql", # port: 5432; # Switch to enable or disable the PostgreSQL helm chart. enabled: true 
@@ -112,86 +103,147 @@ keycloak: auth: # -- Non-root username. username: kccentral + # -- Non-root user password. + password: "" + # -- Root user password. + postgresPassword: "" # -- Database name. database: iamcentralidp # -- Secret containing the passwords for root usernames postgres and non-root username kccentral. - existingSecret: "centralidp-postgres" - architecture: replication + existingSecret: "" + architecture: standalone externalDatabase: # -- External PostgreSQL configuration # IMPORTANT: non-root db user needs needs to be created beforehand on external database. - # Database host ('-primary' is added as postfix). - host: "centralidp-postgresql-external-db" + host: "" # -- Database port number. port: 5432 - # -- Non-root username for centralidp. - user: "kccentral" + # -- Non-root username. + user: "" # -- Database name. - database: "iamcentralidp" - # -- Password for the non-root username (default 'kccentral'). Secret-key 'password'. + database: "" + # -- Password for the non-root username. password: "" - # -- Secret containing the password non-root username, (default 'kccentral'). - existingSecret: "centralidp-keycloak-external-db" - # -- Name of an existing secret key containing the database credentials. - existingSecretPasswordKey: "password" - -secrets: - auth: - existingSecret: - # -- Password for the admin username 'admin'. Secret-key 'admin-password'. - adminpassword: "" - postgresql: - auth: - existingSecret: - # -- Password for the root username 'postgres'. Secret-key 'postgres-password'. - postgrespassword: "" - # -- Password for the non-root username 'kccentral'. Secret-key 'password'. - password: "" - # -- Password for the non-root username 'repl_user'. Secret-key 'replication-password'. - replicationPassword: "" + # -- Secret containing the database credentials. 
+ existingSecret: "" + existingSecretHostKey: "" + existingSecretPortKey: "" + existingSecretUserKey: "" + existingSecretDatabaseKey: "" + existingSecretPasswordKey: "" -seeding: -# -- Seeding job to upgrade CX_Central realm: -# enable to upgrade the configuration of the CX-Central realm from previous version; +# -- Seeding job to create and update the CX-Central realm: +# besides creating the CX-Central realm, the job can be used to update +# the configuration of the realm when upgrading to a new version; # Please also refer to the 'Post-Upgrade Configuration' section in the README.md -# for configuration possibly not covered by the seeding job - enabled: false - image: "docker.io/tractusx/portal-iam-seeding:v3.0.1-iam" - imagePullPolicy: "IfNotPresent" +# for configuration possibly not covered by the seeding job. +realmSeeding: + enabled: true + # -- Set redirect addresses and - in the case of confidential clients - clients secrets + # for clients which are part of the basic CX-Central realm setup; + # SET client secrets for all non-testing and non-local purposes, default value is "changeme". + clients: + registration: + redirects: + - https://portal.example.org + portal: + rootUrl: https://portal.example.org/home + redirects: + - https://portal.example.org + semantics: + redirects: + - https://portal.example.org/* + miw: + clientSecret: "" + redirects: + - https://managed-identity-wallets.example.org/* + bpdm: + clientSecret: "" + redirects: + - https://partners-pool.example.org/* + bpdmGate: + clientSecret: "" + redirects: + - https://partners-gate.example.org/* + bpdmOrchestrator: + clientSecret: "" + # -- Option to provide an existingSecret for the clients with clientId as key and clientSecret as value. + existingSecret: "" + # -- Client secrets for service accounts which are part of the basic CX-Central realm setup; + # SET client secrets for all non-testing and non-local purposes, default value is "changeme". 
+ serviceAccounts: + clientSecrets: + - clientId: "sa-cl1-reg-2" + clientSecret: "" + - clientId: "sa-cl2-01" + clientSecret: "" + - clientId: "sa-cl2-02" + clientSecret: "" + - clientId: "sa-cl2-03" + clientSecret: "" + - clientId: "sa-cl2-04" + clientSecret: "" + - clientId: "sa-cl2-05" + clientSecret: "" + - clientId: "sa-cl3-cx-1" + clientSecret: "" + - clientId: "sa-cl5-custodian-2" + clientSecret: "" + - clientId: "sa-cl7-cx-1" + clientSecret: "" + - clientId: "sa-cl7-cx-5" + clientSecret: "" + - clientId: "sa-cl7-cx-7" + clientSecret: "" + - clientId: "sa-cl8-cx-1" + clientSecret: "" + - clientId: "sa-cl21-01" + clientSecret: "" + - clientId: "sa-cl22-01" + clientSecret: "" + - clientId: "sa-cl24-01" + clientSecret: "" + - clientId: "sa-cl25-cx-1" + clientSecret: "" + - clientId: "sa-cl25-cx-2" + clientSecret: "" + - clientId: "sa-cl25-cx-3" + clientSecret: "" + # -- Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value. + existingSecret: "" + # -- Set value for the 'bpn' user attribute for the initial user and the base service account users. + bpn: "BPNL00000003CRHK" + # -- Set sharedidp address to enable the identity provider connection to CX-Operator realm. + sharedidp: "https://sharedidp.example.org" + # -- Set client secrets and bpn user attribute for additional service accounts; + # meant to enable possible test data, default value for client secrets is "changeme". + extraServiceAccounts: + clientSecretsAndBpn: [] + # - clientId: "sa-test-01" + # clientSecret: "" + # bpn: "TBD1" + # - clientId: "sa-test-02" + # clientSecret: "" + # bpn: "TBD2" + # -- Option to provide an existingSecret for additional service accounts with clientId as key and clientSecret as value. 
+ existingSecret: "" + image: + name: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1" + pullPolicy: "IfNotPresent" + initContainer: + image: + name: "docker.io/tractusx/portal-iam:v4.0.0-alpha.1" + pullPolicy: "IfNotPresent" portContainer: 8080 - authRealm: "master" - useAuthTrail: "true" - dataPaths: - dataPath0: "realms/CX-Central-realm.json" - instanceName: "central" - excludedUserAttributes: - attribute0: "bpn" - attribute1: "organisation" + keycloakServicePort: 80 + keycloakServiceTls: false # -- We recommend to review the default resource limits as this should a conscious choice. resources: requests: - cpu: 75m - memory: 200M + cpu: 250m + memory: 600M + ephemeral-storage: 50Mi limits: - cpu: 225m - memory: 200M - extraVolumes: - - name: realms - emptyDir: {} - extraVolumeMounts: - - name: realms - mountPath: "app/realms" - initContainers: - - name: init-cx-central - image: docker.io/tractusx/portal-iam:v3.0.1 - imagePullPolicy: IfNotPresent - command: - - sh - args: - - -c - - | - echo "Copying CX Central realm..." - cp -R /import/catenax-central/realms/* /app/realms - volumeMounts: - - name: realms - mountPath: "app/realms" + cpu: 750m + memory: 600M + ephemeral-storage: 1024Mi diff --git a/charts/sharedidp/README.md b/charts/sharedidp/README.md index a4a04647..1fb45ec9 100644 --- a/charts/sharedidp/README.md +++ b/charts/sharedidp/README.md 
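Review bot: `realmSeeding.initContainer.image.name` is pinned to `docker.io/tractusx/portal-iam:v4.0.0-alpha.1` while the unchanged `keycloak.initContainers[0].image` in the earlier hunk stays on `docker.io/tractusx/portal-iam:v3.0.1`, so themes and realm JSON are copied from two different releases of the same image. If that is intended, a short comment on `initContainer.image` saying why would stop the next maintainer from "fixing" it; if not, align both tags. Separately, the three `# -- Option to provide an existingSecret ...` comments could mention that setting the value suppresses the chart-managed Secret entirely (the new secret templates render nothing when it is set), so operators know the provided Secret must carry a key for every clientId the seeding job references.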
@@ -43,42 +43,35 @@ dependencies: | Key | Type | Default | Description | |-----|------|---------|-------------| | keycloak.auth.adminUser | string | `"admin"` | | -| keycloak.auth.existingSecret | string | `"sharedidp-keycloak"` | Secret containing the passwords for admin username 'admin' and management username 'manager'. | +| keycloak.auth.adminPassword | string | `""` | sharedidp Keycloak administrator password. | +| keycloak.auth.existingSecret | string | `""` | Secret containing the password for admin username 'admin'. | | keycloak.production | bool | `false` | Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. | | keycloak.proxy | string | `"passthrough"` | reverse Proxy mode edge, reencrypt, passthrough or none; ref: https://www.keycloak.org/server/reverseproxy; If your ingress controller has the SSL Termination, you should set proxy to edge. | | keycloak.httpRelativePath | string | `"/auth/"` | Setting the path relative to '/' for serving resources: as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'. 
ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed | -| keycloak.extraEnvVars[0].name | string | `"KEYCLOAK_EXTRA_ARGS"` | | -| keycloak.extraEnvVars[0].value | string | `"-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/realms -Dkeycloak.migration.strategy=IGNORE_EXISTING"` | | -| keycloak.replicaCount | int | `3` | | +| keycloak.replicaCount | int | `1` | | | keycloak.extraVolumes[0].name | string | `"themes-catenax-shared"` | | | keycloak.extraVolumes[0].emptyDir | object | `{}` | | | keycloak.extraVolumes[1].name | string | `"themes-catenax-shared-portal"` | | | keycloak.extraVolumes[1].emptyDir | object | `{}` | | -| keycloak.extraVolumes[2].name | string | `"realms"` | | -| keycloak.extraVolumes[2].emptyDir | object | `{}` | | | keycloak.extraVolumeMounts[0].name | string | `"themes-catenax-shared"` | | | keycloak.extraVolumeMounts[0].mountPath | string | `"/opt/bitnami/keycloak/themes/catenax-shared"` | | | keycloak.extraVolumeMounts[1].name | string | `"themes-catenax-shared-portal"` | | | keycloak.extraVolumeMounts[1].mountPath | string | `"/opt/bitnami/keycloak/themes/catenax-shared-portal"` | | -| keycloak.extraVolumeMounts[2].name | string | `"realms"` | | -| keycloak.extraVolumeMounts[2].mountPath | string | `"/realms"` | | | keycloak.initContainers[0].name | string | `"import"` | | | keycloak.initContainers[0].image | string | `"docker.io/tractusx/portal-iam:v3.0.1"` | | | keycloak.initContainers[0].imagePullPolicy | string | `"IfNotPresent"` | | | keycloak.initContainers[0].command[0] | string | `"sh"` | | | keycloak.initContainers[0].args[0] | string | `"-c"` | | -| keycloak.initContainers[0].args[1] | string | `"echo \"Copying themes-catenax-shared...\"\ncp -R /import/themes/catenax-shared/* /themes-catenax-shared\necho \"Copying themes-catenax-shared-portal...\"\ncp -R /import/themes/catenax-shared-portal/* /themes-catenax-shared-portal\necho \"Copying 
realms...\"\ncp -R /import/catenax-shared/realms/* /realms\n"` | | +| keycloak.initContainers[0].args[1] | string | `"echo \"Copying themes-catenax-shared...\"\ncp -R /import/themes/catenax-shared/* /themes-catenax-shared\necho \"Copying themes-catenax-shared-portal...\"\ncp -R /import/themes/catenax-shared-portal/* /themes-catenax-shared-portal\n"` | | | keycloak.initContainers[0].volumeMounts[0].name | string | `"themes-catenax-shared"` | | | keycloak.initContainers[0].volumeMounts[0].mountPath | string | `"/themes-catenax-shared"` | | | keycloak.initContainers[0].volumeMounts[1].name | string | `"themes-catenax-shared-portal"` | | | keycloak.initContainers[0].volumeMounts[1].mountPath | string | `"/themes-catenax-shared-portal"` | | -| keycloak.initContainers[0].volumeMounts[2].name | string | `"realms"` | | -| keycloak.initContainers[0].volumeMounts[2].mountPath | string | `"/realms"` | | | keycloak.service.sessionAffinity | string | `"ClientIP"` | | | keycloak.ingress.enabled | bool | `false` | | | keycloak.ingress.ingressClassName | string | `"nginx"` | | | keycloak.ingress.hostname | string | `"sharedidp.example.org"` | Provide default path for the ingress record. | -| keycloak.ingress.annotations."cert-manager.io/cluster-issuer" | string | `""` | Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress | +| keycloak.ingress.annotations."cert-manager.io/cluster-issuer" | string | `""` | Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. 
| | keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-credentials" | string | `"true"` | | | keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-methods" | string | `"PUT, GET, POST, OPTIONS"` | | | keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-origin" | string | `"https://sharedidp.example.org"` | | 
@@ -93,49 +86,42 @@ dependencies: | keycloak.rbac.rules[0].resources[0] | string | `"pods"` | | | keycloak.rbac.rules[0].verbs[0] | string | `"get"` | | | keycloak.rbac.rules[0].verbs[1] | string | `"list"` | | -| keycloak.postgresql.enabled | bool | `true` | PostgreSQL chart configuration (recommended for demonstration purposes only); default configurations: host: "sharedidp-postgresql-primary", port: 5432; Switch to enable or disable the PostgreSQL helm chart. | +| keycloak.postgresql.enabled | bool | `true` | PostgreSQL chart configuration (recommended for demonstration purposes only); default configurations: host: "sharedidp-postgresql", port: 5432; Switch to enable or disable the PostgreSQL helm chart. | | keycloak.postgresql.image | object | `{"tag":"15-debian-11"}` | Setting to Postgres version 15 as that is the aligned version, https://eclipse-tractusx.github.io/docs/release/trg-5/trg-5-07/#aligning-dependency-versions). Keycloak helm-chart from Bitnami has moved on to version 16. | | keycloak.postgresql.commonLabels."app.kubernetes.io/version" | string | `"15"` | | | keycloak.postgresql.auth.username | string | `"kcshared"` | Non-root username. | +| keycloak.postgresql.auth.password | string | `""` | Non-root user password. | +| keycloak.postgresql.auth.postgresPassword | string | `""` | Root user password. | | keycloak.postgresql.auth.database | string | `"iamsharedidp"` | Database name. | -| keycloak.postgresql.auth.existingSecret | string | `"sharedidp-postgres"` | Secret containing the passwords for root usernames postgres and non-root username kcshared. | -| keycloak.postgresql.architecture | string | `"replication"` | | -| keycloak.externalDatabase.host | string | `"sharedidp-postgresql-external-db"` | External PostgreSQL configuration IMPORTANT: non-root db user needs needs to be created beforehand on external database. Database host ('-primary' is added as postfix). 
| +| keycloak.postgresql.auth.existingSecret | string | `""` | Secret containing the passwords for root usernames postgres and non-root username kcshared. | +| keycloak.postgresql.architecture | string | `"standalone"` | | +| keycloak.externalDatabase.host | string | `""` | External PostgreSQL configuration IMPORTANT: non-root db user needs needs to be created beforehand on external database. | | keycloak.externalDatabase.port | int | `5432` | Database port number. | -| keycloak.externalDatabase.user | string | `"kcshared"` | Non-root username for sharedidp. | -| keycloak.externalDatabase.database | string | `"iamsharedidp"` | Database name. | -| keycloak.externalDatabase.password | string | `""` | Password for the non-root username (default 'kcshared'). Secret-key 'password'. | -| keycloak.externalDatabase.existingSecret | string | `"sharedidp-keycloak-external-db"` | Secret containing the password non-root username, (default 'kcshared'). | -| keycloak.externalDatabase.existingSecretPasswordKey | string | `"password"` | Name of an existing secret key containing the database credentials. | -| secrets.auth.existingSecret.adminpassword | string | `""` | Password for the admin username 'admin'. Secret-key 'admin-password'. | -| secrets.postgresql.auth.existingSecret.postgrespassword | string | `""` | Password for the root username 'postgres'. Secret-key 'postgres-password'. | -| secrets.postgresql.auth.existingSecret.password | string | `""` | Password for the non-root username 'kcshared'. Secret-key 'password'. | -| secrets.postgresql.auth.existingSecret.replicationPassword | string | `""` | Password for the non-root username 'repl_user'. Secret-key 'replication-password'. | -| secrets.realmuser.enabled | bool | `false` | | +| keycloak.externalDatabase.user | string | `""` | Non-root username. | +| keycloak.externalDatabase.database | string | `""` | Database name. | +| keycloak.externalDatabase.password | string | `""` | Password for the non-root username. 
| +| keycloak.externalDatabase.existingSecret | string | `""` | Secret containing the database credentials. | +| keycloak.externalDatabase.existingSecretHostKey | string | `""` | | +| keycloak.externalDatabase.existingSecretPortKey | string | `""` | | +| keycloak.externalDatabase.existingSecretUserKey | string | `""` | | +| keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | | +| keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | | +| realmSeeding | object | `{"enabled":true,"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"realms":{"cxOperator":{"centralidp":"https://centralidp.example.org","existingSecret":"","initialUser":{"eMail":"cx-operator@tx.org","firstName":"Operator","lastName":"CX Admin","password":"","username":"cx-operator@tx.org"},"mailing":{"from":"email@example.org","host":"smtp.example.org","password":"","port":"123","replyTo":"email@example.org","username":"smtp-user"}},"master":{"existingSecret":"","serviceAccounts":{"provisioning":{"clientSecret":""},"saCxOperator":{"clientSecret":""}}}},"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}}}` | Seeding job to create and update the CX-Operator and master realms: besides creating those realm, the job can be used to update the configuration of the realms when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. | +| realmSeeding.realms.cxOperator.centralidp | string | `"https://centralidp.example.org"` | Set centralidp address for the connection to the CX-Central realm. 
| +| realmSeeding.realms.cxOperator.initialUser | object | `{"eMail":"cx-operator@tx.org","firstName":"Operator","lastName":"CX Admin","password":"","username":"cx-operator@tx.org"}` | Configure initial user in CX-Operator realm. | +| realmSeeding.realms.cxOperator.initialUser.username | string | `"cx-operator@tx.org"` | SET username for all non-testing and non-local purposes. | +| realmSeeding.realms.cxOperator.initialUser.password | string | `""` | SET password for all non-testing and non-local purposes, default value is "!3changemeTractus-X". | +| realmSeeding.realms.cxOperator.mailing | object | `{"from":"email@example.org","host":"smtp.example.org","password":"","port":"123","replyTo":"email@example.org","username":"smtp-user"}` | Set mailing configuration for CX-Operator realm. | +| realmSeeding.realms.cxOperator.existingSecret | string | `""` | Option to provide an existingSecret for initial user and mailing configuration. | +| realmSeeding.realms.master.serviceAccounts.provisioning | object | `{"clientSecret":""}` | Set clients secret for the service account which enables the portal to provision new realms. | +| realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret | string | `""` | SET client secret for all non-testing and non-local purposes, default value is "changeme". | +| realmSeeding.realms.master.serviceAccounts.saCxOperator | object | `{"clientSecret":""}` | Set clients secret for the service account which enables the portal to manage the CX-Operator realm. | +| realmSeeding.realms.master.serviceAccounts.saCxOperator.clientSecret | string | `""` | SET client secret for all non-testing and non-local purposes, default value is "changeme". | +| realmSeeding.realms.master.existingSecret | string | `""` | Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value. 
| +| realmSeeding.resources | object | `{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}}` | We recommend to review the default resource limits as this should a conscious choice. | Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) -## Post-Install Configuration - -Once the installation is completed, the following steps need to be executed in the Keycloak admin console: - -### Within the master realm - -Generate client-secrets for the service account with access type 'confidential'. - -### Within the CX-Operator realm - -#### Establish connection to the centralidp instance - -1. Change the example.org placeholder in the central-idp client the to the address of the centralidp instance: - -* Settings --> Valid Redirect URI -* Keys --> JWKS URL - -2. Set password and user details for the initial user. - -3. Setup SMTP configuration (Realm Settings --> Email) - ## Upgrade ### To 3.0.1 diff --git a/charts/sharedidp/README.md.gotmpl b/charts/sharedidp/README.md.gotmpl index bcb78584..823baa69 100644 --- a/charts/sharedidp/README.md.gotmpl +++ b/charts/sharedidp/README.md.gotmpl @@ -38,27 +38,6 @@ dependencies: Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) -## Post-Install Configuration - -Once the installation is completed, the following steps need to be executed in the Keycloak admin console: - -### Within the master realm - -Generate client-secrets for the service account with access type 'confidential'. - -### Within the CX-Operator realm - -#### Establish connection to the centralidp instance - -1. Change the example.org placeholder in the central-idp client the to the address of the centralidp instance: - -* Settings --> Valid Redirect URI -* Keys --> JWKS URL - -2. Set password and user details for the initial user. - -3. Setup SMTP configuration (Realm Settings --> Email) - ## Upgrade ### To 3.0.1 
diff --git a/charts/sharedidp/templates/_helpers.tpl b/charts/sharedidp/templates/_helpers.tpl
new file mode 100644
index 00000000..80f8fdf6
--- /dev/null
+++ b/charts/sharedidp/templates/_helpers.tpl
@@ -0,0 +1,57 @@
+{{/*
+* Copyright (c) 2024 Contributors to the Eclipse Foundation
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/}}
+
+{{/*
+Define "sharedidp.fullname" like ""common.names.fullname" in the bitnami common chart but setting ".Chart.Name" to "keycloak".
+This is necessary to retrieve the keycloak service name for the execution of the seeding job.
+*/}}
+{{- define "sharedidp.fullname" -}}
+{{- if .Values.keycloak.fullnameOverride -}}
+{{- .Values.keycloak.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default "keycloak" .Values.keycloak.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define secret name for clients secrets of clients (realm seeding).
+*/}}
+{{- define "sharedidp.secret.realmSeeding.cxOperator" -}}
+{{- if .Values.realmSeeding.realms.cxOperator.existingSecret -}}
+{{- .Values.realmSeeding.realms.cxOperator.existingSecret }}
+{{- else -}}
+{{- include "sharedidp.fullname" . -}}-cx-operator-realm-seeding
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define secret name for clients secrets of clients (realm seeding).
+*/}}
+{{- define "sharedidp.secret.realmSeeding.master" -}}
+{{- if .Values.realmSeeding.realms.master.existingSecret -}}
+{{- .Values.realmSeeding.realms.master.existingSecret }}
+{{- else -}}
+{{- include "sharedidp.fullname" . -}}-master-realm-seeding
+{{- end -}}
+{{- end -}}
diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml
new file mode 100644
index 00000000..0d8ac6a6
--- /dev/null
+++ b/charts/sharedidp/templates/job-seeding.yaml
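Review bot: The comment above `sharedidp.secret.realmSeeding.cxOperator` says the secret holds "clients secrets of clients", but the secret this helper names carries the initial user and SMTP credentials of the CX-Operator realm (the `initial-user-*` and `mailing-*` keys written by secret-seeding-cx-operator-realm.yaml); only the master-realm helper matches that description. Suggest `Define secret name for the initial user and mailing credentials of the CX-Operator realm (realm seeding).` for the first helper. The `sharedidp.fullname` comment also carries a doubled quote in `""common.names.fullname"`.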
@@ -0,0 +1,217 @@ +{{- /* +* Copyright (c) 2024 Contributors to the Eclipse Foundation +* +* See the NOTICE file(s) distributed with this work for additional +* information regarding copyright ownership. +* +* This program and the accompanying materials are made available under the +* terms of the Apache License, Version 2.0 which is available at +* https://www.apache.org/licenses/LICENSE-2.0. +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +* License for the specific language governing permissions and limitations +* under the License. +* +* SPDX-License-Identifier: Apache-2.0 +*/}} + +{{- if .Values.realmSeeding.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "sharedidp.fullname" . }}-realm-seeding-{{ .Release.Revision }} + namespace: {{ .Release.Namespace }} +spec: + template: + metadata: + name: {{ include "sharedidp.fullname" . }}-realm-seeding + spec: + restartPolicy: Never + containers: + - name: {{ include "sharedidp.fullname" . }}-realm-seeding + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "{{ .Values.realmSeeding.image.name }}" + imagePullPolicy: "{{ .Values.realmSeeding.image.pullPolicy }}" + env: + - name: "KEYCLOAK__SHARED__CONNECTIONSTRING" + value: | + {{ if .Values.realmSeeding.keycloakServiceTls -}} + https://{{ template "sharedidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }} + {{- else -}} + http://{{ template "sharedidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }} + {{- end }} + - name: "KEYCLOAK__SHARED__USER" + value: "{{ .Values.keycloak.auth.adminUser }}" + - name: "KEYCLOAK__SHARED__PASSWORD" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.fullname" . 
}}" + key: "admin-password" + - name: "KEYCLOAK__SHARED__AUTHREALM" + value: "master" + - name: "KEYCLOAK__SHARED__USEAUTHTRAIL" + value: "true" + - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__0" + value: "realms/CX-Operator-realm.json" + - name: "KEYCLOAKSEEDING__REALMS__1__DATAPATHS__0" + value: "realms/master-realm.json" + - name: "KEYCLOAKSEEDING__REALMS__0__INSTANCENAME" + value: "shared" + - name: "KEYCLOAKSEEDING__REALMS__1__INSTANCENAME" + value: "shared" + - name: "KEYCLOAKSEEDING__REALMS__0__REALM" + value: "CX-Operator" + - name: "KEYCLOAKSEEDING__REALMS__1__REALM" + value: "master" + + ############################# + ## CX-OPERATOR CLIENT + ############################# + + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__CLIENTID" + value: "central-idp" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__REDIRECTURIS__0" + value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp }}/auth/realms/CX-Central/broker/CX-Operator/endpoint/*" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__ATTRIBUTES__0__NAME" + value: "jwks.url" + - name: "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__ATTRIBUTES__0__VALUE" + value: "{{ .Values.realmSeeding.realms.cxOperator.centralidp }}/auth/realms/CX-Central/protocol/openid-connect/certs" + + ############################# + ## CX-OPERATOR INITIAL USER + ############################# + + - name: "KEYCLOAKSEEDING__REALMS__0__DATAPATHS__1" + value: "realms/CX-Operator-users-0.json" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__ID" + value: "656e8a94-188b-4a3e-9eec-b45d8efd8347" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__USERNAME" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "initial-user-username" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__ENABLED" + value: "true" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__FIRSTNAME" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . 
}}" + key: "initial-user-first-name" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__LASTNAME" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "initial-user-last-name" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__EMAIL" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "initial-user-email" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__CREDENTIALS__0__TEMPORARY" + value: "false" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__CREDENTIALS__0__TYPE" + value: "password" + - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__CREDENTIALS__0__VALUE" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "initial-user-password" + + ############################# + ## CX-OPERATOR MAIL CONFIG + ############################# + + - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__HOST" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "mailing-host" + - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__PORT" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "mailing-port" + - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__USER" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "mailing-username" + - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__FROM" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "mailing-from" + - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__REPLYTO" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . }}" + key: "mailing-reply-to" + - name: "KEYCLOAKSEEDING__REALMS__0__SMTPSERVER__PASSWORD" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.cxOperator" . 
}}" + key: "mailing-password" + + ############################# + ## MASTER SERVICE ACCOUNTS + ############################# + + - name: "KEYCLOAKSEEDING__REALMS__1__CLIENTS__0__CLIENTID" + value: "sa-cl1-reg-1" + - name: "KEYCLOAKSEEDING__REALMS__1__CLIENTS__0__SECRET" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.master" . }}" + key: "sa-provisioning" + - name: "KEYCLOAKSEEDING__REALMS__1__CLIENTS__1__CLIENTID" + value: "saCX-Operator" + - name: "KEYCLOAKSEEDING__REALMS__1__CLIENTS__1__SECRET" + valueFrom: + secretKeyRef: + name: "{{ template "sharedidp.secret.realmSeeding.master" . }}" + key: "sa-cx-operator" + + ports: + - name: http + containerPort: {{ .Values.realmSeeding.portContainer }} + protocol: TCP + resources: + {{- toYaml .Values.realmSeeding.resources | nindent 10 }} + volumeMounts: + - name: realms + mountPath: "app/realms" + initContainers: + - name: init-cx-central + image: {{ .Values.realmSeeding.initContainer.image.name }} + imagePullPolicy: {{ .Values.realmSeeding.initContainer.image.pullPolicy }} + command: + - sh + args: + - -c + - | + echo "Copying realms..." + cp -R /import/catenax-shared/realms/* /app/realms + volumeMounts: + - name: realms + mountPath: "app/realms" + - name: wait-for-keycloak + image: appropriate/curl:latest + {{ if .Values.realmSeeding.keycloakServiceTls -}} + command: [ 'sh', '-c', 'until curl -s https://{{ template "sharedidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ] + {{- else -}} + command: [ 'sh', '-c', 'until curl -s http://{{ template "sharedidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ] + {{- end }} + imagePullPolicy: IfNotPresent + volumes: + - name: realms + emptyDir: {} + automountServiceAccountToken: false +{{- end -}} 
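Review bot: The two init containers, `init-cx-central` and `wait-for-keycloak`, run without the securityContext the main container gets (`allowPrivilegeEscalation: false`, `drop: [ALL]`, `readOnlyRootFilesystem`, `runAsNonRoot`), so the job pod will not pass the restricted Pod Security Standard, and `wait-for-keycloak` pulls the floating `appropriate/curl:latest` tag, so the readiness check runs unpinned third-party code. The `until curl -s …` loop also ends on any HTTP response, including an error response the service may return while Keycloak is still starting, because curl without `-f` exits 0 as soon as it receives a reply. A pinned image, `-f`, and the securityContext for `wait-for-keycloak` are sketched below; the same securityContext block belongs on `init-cx-central`, and `runAsNonRoot` needs the curl image to run as a non-root user (or an explicit `runAsUser`). Separately, the `KEYCLOAK__SHARED__PASSWORD` secretKeyRef always uses `{{ template "sharedidp.fullname" . }}` with key `admin-password`, ignoring `.Values.keycloak.auth.existingSecret`, so a deployment that supplies its own admin secret will presumably point the job at a secret that does not exist or holds a different password.
```helm
      - name: wait-for-keycloak
        # pin to an immutable reference; <IMAGE_DIGEST> is a placeholder to be filled in
        image: appropriate/curl@sha256:<IMAGE_DIGEST>
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
        {{ if .Values.realmSeeding.keycloakServiceTls -}}
        command: [ 'sh', '-c', 'until curl -sf https://{{ template "sharedidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
        {{- else -}}
        command: [ 'sh', '-c', 'until curl -sf http://{{ template "sharedidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
        {{- end }}
      # … unchanged: volumes, automountServiceAccountToken …
```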
diff --git a/charts/sharedidp/templates/secret-external-db.yaml b/charts/sharedidp/templates/secret-external-db.yaml deleted file mode 100644 index 1bd5cd08..00000000 --- a/charts/sharedidp/templates/secret-external-db.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{- /* -* Copyright (c) 2022 Contributors to the Eclipse Foundation -* -* See the NOTICE file(s) distributed with this work for additional -* information regarding copyright ownership. -* -* This program and the accompanying materials are made available under the -* terms of the Apache License, Version 2.0 which is available at -* https://www.apache.org/licenses/LICENSE-2.0. -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -* License for the specific language governing permissions and limitations -* under the License. -* -* SPDX-License-Identifier: Apache-2.0 -*/}} - -{{- if not .Values.keycloak.postgresql.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keycloak.externalDatabase.existingSecret }} - namespace: {{ .Release.Namespace }} -type: Opaque -# use lookup function to check if secret exists -{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.keycloak.externalDatabase.existingSecret) }} -{{ if $secret -}} -data: - # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret - # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret - password: {{ ( .Values.keycloak.externalDatabase.password | b64enc ) | default $secret.data.password | quote }} -{{ else -}} -stringData: - # if secret doesn't exist, use provided value from values file or generate a random one - password: {{ .Values.keycloak.externalDatabase.password | default ( randAlphaNum 32 ) | quote }} -{{ end }} -{{- end -}} 
diff --git a/charts/sharedidp/templates/secret-postgres-init.yaml b/charts/sharedidp/templates/secret-postgres-init.yaml deleted file mode 100644 index 0422263d..00000000 --- a/charts/sharedidp/templates/secret-postgres-init.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -{{- /* -* Copyright (c) 2022 Contributors to the Eclipse Foundation -* -* See the NOTICE file(s) distributed with this work for additional -* information regarding copyright ownership. -* -* This program and the accompanying materials are made available under the -* terms of the Apache License, Version 2.0 which is available at -* https://www.apache.org/licenses/LICENSE-2.0. -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -* License for the specific language governing permissions and limitations -* under the License. -* -* SPDX-License-Identifier: Apache-2.0 -*/}} - -{{- if .Values.keycloak.postgresql.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keycloak.postgresql.auth.existingSecret }} - namespace: {{ .Release.Namespace }} -type: Opaque -# use lookup function to check if secret exists -{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.keycloak.postgresql.auth.existingSecret) }} -{{ if $secret -}} -data: - # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret - # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret - # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too - postgres-password: {{ ( .Values.secrets.postgresql.auth.existingSecret.postgrespassword | b64enc ) | default ( index $secret.data "postgres-password" ) | quote }} - password: {{ ( .Values.secrets.postgresql.auth.existingSecret.password | b64enc ) | default $secret.data.password | quote }} - replication-password: {{ ( .Values.secrets.postgresql.auth.existingSecret.replicationPassword | b64enc ) | default ( index $secret.data "replication-password" ) | quote }} -{{ else -}} -stringData: - # if secret 
doesn't exist, use provided value from values file or generate a random one - postgres-password: {{ .Values.secrets.postgresql.auth.existingSecret.postgrespassword | default ( randAlphaNum 32 ) | quote }} - password: {{ .Values.secrets.postgresql.auth.existingSecret.password | default ( randAlphaNum 32 ) | quote }} - replication-password: {{ .Values.secrets.postgresql.auth.existingSecret.replicationPassword | default ( randAlphaNum 32 ) | quote }} -{{ end }} -{{- end -}} \ No newline at end of file diff --git a/charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml b/charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml new file mode 100644 index 00000000..f75b8014 --- /dev/null +++ b/charts/sharedidp/templates/secret-seeding-cx-operator-realm.yaml 
@@ -0,0 +1,39 @@
+{{- /*
+* Copyright (c) 2024 Contributors to the Eclipse Foundation
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/}}
+
+{{- if and (.Values.realmSeeding.enabled) (not .Values.realmSeeding.realms.cxOperator.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "sharedidp.secret.realmSeeding.cxOperator" . }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+ initial-user-username: {{ .Values.realmSeeding.realms.cxOperator.initialUser.username | quote }}
+ initial-user-password: {{ .Values.realmSeeding.realms.cxOperator.initialUser.password | default "!3changemeTractus-X" | quote }}
+ initial-user-first-name: {{ .Values.realmSeeding.realms.cxOperator.initialUser.firstName | quote }}
+ initial-user-last-name: {{ .Values.realmSeeding.realms.cxOperator.initialUser.lastName | quote }}
+ initial-user-email: {{ .Values.realmSeeding.realms.cxOperator.initialUser.eMail | quote }}
+ mailing-host: {{ .Values.realmSeeding.realms.cxOperator.mailing.host | quote }}
+ mailing-port: {{ .Values.realmSeeding.realms.cxOperator.mailing.port | quote }}
+ mailing-username: {{ .Values.realmSeeding.realms.cxOperator.mailing.username | quote }}
+ mailing-password: {{ .Values.realmSeeding.realms.cxOperator.mailing.password | default "changeme" | quote }}
+ mailing-from: {{ .Values.realmSeeding.realms.cxOperator.mailing.from | quote }}
+ mailing-reply-to: {{ .Values.realmSeeding.realms.cxOperator.mailing.replyTo | quote }}
+{{- end -}}
diff --git a/charts/sharedidp/templates/secret-seeding-master-realm.yaml b/charts/sharedidp/templates/secret-seeding-master-realm.yaml
new file mode 100644
index 00000000..5f3e0dbe
--- /dev/null
+++ b/charts/sharedidp/templates/secret-seeding-master-realm.yaml
@@ -0,0 +1,30 @@
+{{- /*
+* Copyright (c) 2024 Contributors to the Eclipse Foundation
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/}}
+
+{{- if and (.Values.realmSeeding.enabled) (not .Values.realmSeeding.realms.master.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "sharedidp.secret.realmSeeding.master" . }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+ sa-provisioning: {{ .Values.realmSeeding.realms.master.serviceAccounts.provisioning.clientSecret | default "changeme" | quote }}
+ sa-cx-operator: {{ .Values.realmSeeding.realms.master.serviceAccounts.saCxOperator.clientSecret | default "changeme" | quote }}
+{{- end -}}
diff --git a/charts/sharedidp/templates/secret-sharedidp-realms.yaml b/charts/sharedidp/templates/secret-sharedidp-realms.yaml
deleted file mode 100644
index d6492576..00000000
--- a/charts/sharedidp/templates/secret-sharedidp-realms.yaml
+++ /dev/null
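Review bot: `initial-user-password` falls back to the fixed, README-documented value `!3changemeTractus-X` whenever `realmSeeding.realms.cxOperator.initialUser.password` is left empty, and `mailing-password` falls back to `changeme`; the secret-seeding-master-realm.yaml hunk does the same for both service-account client secrets. The deleted secret templates generated a random value (`randAlphaNum 32`) when nothing was supplied, so an install that leaves these values at their defaults now ends up with well-known credentials for the CX-Operator initial user and the provisioning service accounts that the seeding job writes into Keycloak. If a default is wanted for local runs, gate it on `.Values.keycloak.production`, e.g. `initial-user-password: {{ if .Values.keycloak.production }}{{ required "realmSeeding.realms.cxOperator.initialUser.password must be set when keycloak.production is true" .Values.realmSeeding.realms.cxOperator.initialUser.password | quote }}{{ else }}{{ .Values.realmSeeding.realms.cxOperator.initialUser.password | default "!3changemeTractus-X" | quote }}{{ end }}`, and apply the same pattern to `mailing-password`, `sa-provisioning` and `sa-cx-operator`.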
@@ -1,36 +0,0 @@ -{{- /* -* Copyright (c) 2022 Contributors to the Eclipse Foundation -* -* See the NOTICE file(s) distributed with this work for additional -* information regarding copyright ownership. -* -* This program and the accompanying materials are made available under the -* terms of the Apache License, Version 2.0 which is available at -* https://www.apache.org/licenses/LICENSE-2.0. -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -* License for the specific language governing permissions and limitations -* under the License. -* -* SPDX-License-Identifier: Apache-2.0 -*/}} - -{{- if .Values.secrets.realmuser.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: secret-sharedidp-realms - namespace: {{ .Release.Namespace }} -type: Opaque -data: - CX-Test-Access-users-0.json: {{ .Values.secrets.realmuser.cxtestaccessuser }} - Company-1-users-0.json: {{ .Values.secrets.realmuser.company1user }} - Company-2-users-0.json: {{ .Values.secrets.realmuser.company2user }} - Security-Company-users-0.json: {{ .Values.secrets.realmuser.securitycompany }} - CX-Operator-users-0.json: {{ .Values.secrets.realmuser.cxoperator }} - Service-Provider-users-0.json: {{ .Values.secrets.realmuser.serviceprovider }} - App-Provider-users-0.json: {{ .Values.secrets.realmuser.appprovider }} - Onboarding-Provider-users-0.json: {{ .Values.secrets.realmuser.onboardingprovider }} -{{- end -}} \ No newline at end of file diff --git a/charts/sharedidp/templates/secret-sharedidp.yaml b/charts/sharedidp/templates/secret-sharedidp.yaml deleted file mode 100644 index 7af8a6d4..00000000 --- a/charts/sharedidp/templates/secret-sharedidp.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -############################################################### -# Copyright (c) 2022 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################### - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keycloak.auth.existingSecret }} - namespace: {{ .Release.Namespace }} -type: Opaque -# use lookup function to check if secret exists -{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.keycloak.auth.existingSecret) }} -{{ if $secret -}} -data: - # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret - # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret - # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too - admin-password: {{ ( .Values.secrets.auth.existingSecret.adminpassword | b64enc ) | default ( index $secret.data "admin-password" ) | quote }} -{{ else -}} -stringData: - # if secret doesn't exist, use provided value from values file or generate a random one - admin-password: {{ .Values.secrets.auth.existingSecret.adminpassword | default ( randAlphaNum 32 ) | quote }} -{{ end }} 
diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index 79270b3b..f9a7f01d 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -20,8 +20,10 @@ keycloak: auth: adminUser: admin - # -- Secret containing the passwords for admin username 'admin' and management username 'manager'. - existingSecret: "sharedidp-keycloak" + # -- sharedidp Keycloak administrator password. + adminPassword: "" + # -- Secret containing the password for admin username 'admin'. + existingSecret: "" # -- Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. production: false # -- reverse Proxy mode edge, reencrypt, passthrough or none; @@ -32,24 +34,17 @@ keycloak: # as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'. # ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed httpRelativePath: "/auth/" - extraEnvVars: - - name: KEYCLOAK_EXTRA_ARGS - value: "-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/realms -Dkeycloak.migration.strategy=IGNORE_EXISTING" - replicaCount: 3 + replicaCount: 1 extraVolumes: - name: themes-catenax-shared emptyDir: {} - name: themes-catenax-shared-portal emptyDir: {} - - name: realms - emptyDir: {} extraVolumeMounts: - name: themes-catenax-shared mountPath: "/opt/bitnami/keycloak/themes/catenax-shared" - name: themes-catenax-shared-portal mountPath: "/opt/bitnami/keycloak/themes/catenax-shared-portal" - - name: realms - mountPath: "/realms" initContainers: - name: import image: docker.io/tractusx/portal-iam:v3.0.1 
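Review bot: The new `keycloak.auth.adminPassword: ""` and `existingSecret: ""` pair in the first hunk does not say what an empty value yields, while the deleted `secret-sharedidp.yaml` template was what generated a random 32-character admin password and kept it stable across upgrades via `lookup`; with that template gone, generation and retention now rest on the Keycloak subchart, which is not visible here. Add a comment above `adminPassword` such as `# -- Keycloak admin password; leave empty to let the keycloak subchart generate one (verify it is retained on upgrade), or set existingSecret to a secret with key 'admin-password'.` and confirm in the upgrade test that the admin password is not rotated by the upgrade. The default `replicaCount` change from 3 to 1 in the second hunk is a separate availability change that deserves a one-line rationale in a comment or the changelog.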
@@ -63,15 +58,11 @@ keycloak: cp -R /import/themes/catenax-shared/* /themes-catenax-shared echo "Copying themes-catenax-shared-portal..." cp -R /import/themes/catenax-shared-portal/* /themes-catenax-shared-portal - echo "Copying realms..." - cp -R /import/catenax-shared/realms/* /realms volumeMounts: - name: themes-catenax-shared mountPath: "/themes-catenax-shared" - name: themes-catenax-shared-portal mountPath: "/themes-catenax-shared-portal" - - name: realms - mountPath: "/realms" service: sessionAffinity: ClientIP ingress: @@ -82,7 +73,7 @@ keycloak: annotations: # -- Enable TLS configuration for the host defined at `ingress.hostname` parameter; # TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; - # Provide the name of ClusterIssuer to acquire the certificate required for this Ingress + # Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. cert-manager.io/cluster-issuer: "" nginx.ingress.kubernetes.io/cors-allow-credentials: "true" nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS" @@ -106,7 +97,7 @@ keycloak: postgresql: # -- PostgreSQL chart configuration (recommended for demonstration purposes only); # default configurations: - # host: "sharedidp-postgresql-primary", + # host: "sharedidp-postgresql", # port: 5432; # Switch to enable or disable the PostgreSQL helm chart. enabled: true 
@@ -120,43 +111,94 @@ keycloak: auth: # -- Non-root username. username: kcshared + # -- Non-root user password. + password: "" + # -- Root user password. + postgresPassword: "" # -- Database name. database: iamsharedidp # -- Secret containing the passwords for root usernames postgres and non-root username kcshared. - existingSecret: "sharedidp-postgres" - architecture: replication + existingSecret: "" + architecture: standalone externalDatabase: # -- External PostgreSQL configuration # IMPORTANT: non-root db user needs needs to be created beforehand on external database. - # Database host ('-primary' is added as postfix). - host: "sharedidp-postgresql-external-db" + host: "" # -- Database port number. port: 5432 - # -- Non-root username for sharedidp. - user: "kcshared" + # -- Non-root username. + user: "" # -- Database name. - database: "iamsharedidp" - # -- Password for the non-root username (default 'kcshared'). Secret-key 'password'. + database: "" + # -- Password for the non-root username. password: "" - # -- Secret containing the password non-root username, (default 'kcshared'). - existingSecret: "sharedidp-keycloak-external-db" - # -- Name of an existing secret key containing the database credentials. - existingSecretPasswordKey: "password" + # -- Secret containing the database credentials. + existingSecret: "" + existingSecretHostKey: "" + existingSecretPortKey: "" + existingSecretUserKey: "" + existingSecretDatabaseKey: "" + existingSecretPasswordKey: "" -secrets: - auth: - existingSecret: - # -- Password for the admin username 'admin'. Secret-key 'admin-password'. - adminpassword: "" - postgresql: - auth: - existingSecret: - # -- Password for the root username 'postgres'. Secret-key 'postgres-password'. - postgrespassword: "" - # -- Password for the non-root username 'kcshared'. Secret-key 'password'. 
+# -- Seeding job to create and update the CX-Operator and master realms: +# besides creating those realm, the job can be used to update +# the configuration of the realms when upgrading to a new version; +# Please also refer to the 'Post-Upgrade Configuration' section in the README.md +# for configuration possibly not covered by the seeding job. +realmSeeding: + enabled: true + realms: + cxOperator: + # -- Set centralidp address for the connection to the CX-Central realm. + centralidp: "https://centralidp.example.org" + # -- Configure initial user in CX-Operator realm. + initialUser: + # -- SET username for all non-testing and non-local purposes. + username: "cx-operator@tx.org" + # -- SET password for all non-testing and non-local purposes, default value is "!3changemeTractus-X". password: "" - # -- Password for the non-root username 'repl_user'. Secret-key 'replication-password'. - replicationPassword: "" - realmuser: - # Enables the import of test users via secret. - enabled: false + firstName: "Operator" + lastName: "CX Admin" + eMail: "cx-operator@tx.org" + # -- Set mailing configuration for CX-Operator realm. + mailing: + host: "smtp.example.org" + port: "123" + username: "smtp-user" + password: "" + from: "email@example.org" + replyTo: "email@example.org" + # -- Option to provide an existingSecret for initial user and mailing configuration. + existingSecret: "" + master: + serviceAccounts: + # -- Set clients secret for the service account which enables the portal to provision new realms. + provisioning: + # -- SET client secret for all non-testing and non-local purposes, default value is "changeme". + clientSecret: "" + # -- Set clients secret for the service account which enables the portal to manage the CX-Operator realm. + saCxOperator: + # -- SET client secret for all non-testing and non-local purposes, default value is "changeme". 
+ clientSecret: "" + # -- Option to provide an existingSecret for clients secrets with clientId as key and clientSecret as value. + existingSecret: "" + image: + name: "docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1" + pullPolicy: "IfNotPresent" + initContainer: + image: + name: "docker.io/tractusx/portal-iam:v4.0.0-alpha.1" + pullPolicy: "IfNotPresent" + portContainer: 8080 + keycloakServicePort: 80 + keycloakServiceTls: false + # -- We recommend to review the default resource limits as this should a conscious choice. + resources: + requests: + cpu: 250m + memory: 600M + ephemeral-storage: 50Mi + limits: + cpu: 750m + memory: 600M + ephemeral-storage: 1024Mi diff --git a/charts/values-test-centralidp.yaml b/charts/values-test-centralidp.yaml index ef3f22bd..6916c740 100644 --- a/charts/values-test-centralidp.yaml +++ b/charts/values-test-centralidp.yaml @@ -21,7 +21,7 @@ keycloak: initContainers: - name: import image: kind-registry:5000/iam:testing - imagePullPolicy: IfNotPresent + imagePullPolicy: Always command: - sh args: @@ -29,10 +29,11 @@ keycloak: - | echo "Copying themes..." cp -R /import/themes/catenax-central/* /themes - echo "Copying realms..." - cp -R /import/catenax-central/realms/* /realms volumeMounts: - name: themes mountPath: "/themes" - - name: realms - mountPath: "/realms" +realmSeeding: + initContainer: + image: + name: "kind-registry:5000/iam:testing" + pullPolicy: "Always" diff --git a/charts/values-test-sharedidp.yaml b/charts/values-test-sharedidp.yaml index c1fca5cc..b9650b69 100644 --- a/charts/values-test-sharedidp.yaml +++ b/charts/values-test-sharedidp.yaml @@ -21,7 +21,7 @@ keycloak: initContainers: - name: import image: kind-registry:5000/iam:testing - imagePullPolicy: IfNotPresent + imagePullPolicy: Always command: - sh args: 
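Review bot: `realmSeeding.realms.cxOperator.initialUser.password` documents `!3changemeTractus-X` as the fallback for an empty value, which is a published default password for the account that this same change federates into CX-Central with the `CX Admin` client role, so an operator who merely forgets to set it gets an admin user with a known password. Prefer no fallback here: make the template fail with `required` when neither `password` nor `existingSecret` is set, or at minimum reword the comment to `# -- REQUIRED outside local testing; an empty value falls back to the published "!3changemeTractus-X" and must not reach a shared environment.` The `keycloakServicePort: 80` / `keycloakServiceTls: false` defaults mean the seeding job presumably sends this password and the master-realm client secrets to Keycloak in clear text inside the cluster, which is acceptable only where that network is trusted, so a comment naming that assumption would help. The `master.existingSecret` comment says the keys are client IDs, while the master-realm secret template rendered in this change reads keys `sa-provisioning` and `sa-cx-operator`; stating those exact key names here avoids a mismatch when users bring their own secret.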
@@ -31,12 +31,13 @@ keycloak: cp -R /import/themes/catenax-shared/* /themes-catenax-shared echo "Copying themes-catenax-shared-portal..." cp -R /import/themes/catenax-shared-portal/* /themes-catenax-shared-portal - echo "Copying realms..." - cp -R /import/catenax-shared/realms/* /realms volumeMounts: - name: themes-catenax-shared mountPath: "/themes-catenax-shared" - name: themes-catenax-shared-portal mountPath: "/themes-catenax-shared-portal" - - name: realms - mountPath: "/realms" +realmSeeding: + initContainer: + image: + name: "kind-registry:5000/iam:testing" + pullPolicy: "Always" diff --git a/charts/values-test-upgrade.yaml b/charts/values-test-upgrade.yaml new file mode 100644 index 00000000..5021b4c5 --- /dev/null +++ b/charts/values-test-upgrade.yaml 
@@ -0,0 +1,37 @@ +############################################################### +# Copyright (c) 2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### + +# set credentials and architecture to test upgrade from chart version 3.0.0 to 4.0.0 +keycloak: + replicaCount: 1 + postgresql: + auth: + # -- Non-root user password. + password: "password" + # -- Root user password. + postgresPassword: "password" + architecture: standalone +secrets: + postgresql: + auth: + existingSecret: + postgrespassword: "password" + password: "password" +realmSeeding: + enabled: false diff --git a/environments/helm-values/centralidp/values-int.yaml b/environments/helm-values/centralidp/values-int.yaml index 01c44ba3..c33200ac 100644 --- a/environments/helm-values/centralidp/values-int.yaml +++ b/environments/helm-values/centralidp/values-int.yaml @@ -20,6 +20,8 @@ keycloak: production: true proxy: edge + auth: + adminPassword: "" ingress: enabled: true ingressClassName: nginx 
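Review bot: `realmSeeding.enabled: false` at the end of `values-test-upgrade.yaml` switches off the seeding job for the 3.0.0→4.0.0 upgrade test, so the upgrade path never renders the new seeding templates or runs the job against a database carried over from the old release, which is the scenario most likely to break. If the job cannot run in kind, a comment such as `# seeding disabled for the upgrade test: <reason>` would stop someone re-enabling it blindly; otherwise a second `helm upgrade` with seeding enabled would cover the gap. The literal `"password"` values are fine for a throwaway kind cluster but this file should stay out of any non-test values path.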
@@ -35,14 +37,76 @@ keycloak: nginx.ingress.kubernetes.io/proxy-buffers-number: "20" nginx.ingress.kubernetes.io/use-regex: "true" tls: true - -secrets: - auth: - existingSecret: - adminpassword: "" postgresql: auth: - existingSecret: - postgrespassword: "" - password: "" - replicationPassword: "" + password: "" + postgresPassword: "" + +realmSeeding: + clients: + registration: + redirects: + - https://portal.int.catena-x.net + - http://localhost:3000/* + portal: + rootUrl: https://portal.int.catena-x.net/home + redirects: + - https://portal.int.catena-x.net + - http://localhost:3000/* + semantics: + redirects: + - https://portal.int.catena-x.net/* + miw: + clientSecret: "" + redirects: + - https://managed-identity-wallets.int.catena-x.net/* + bpdm: + clientSecret: "" + redirects: + - https://partners-pool.int.catena-x.net/* + bpdmGate: + clientSecret: "" + redirects: + - https://partners-gate.int.catena-x.net/* + bpdmOrchestrator: + clientSecret: "" + serviceAccounts: + clientSecrets: + - clientId: "sa-cl1-reg-2" + clientSecret: "" + - clientId: "sa-cl2-01" + clientSecret: "" + - clientId: "sa-cl2-02" + clientSecret: "" + - clientId: "sa-cl2-03" + clientSecret: "" + - clientId: "sa-cl2-04" + clientSecret: "" + - clientId: "sa-cl2-05" + clientSecret: "" + - clientId: "sa-cl3-cx-1" + clientSecret: "" + - clientId: "sa-cl5-custodian-2" + clientSecret: "" + - clientId: "sa-cl7-cx-1" + clientSecret: "" + - clientId: "sa-cl7-cx-5" + clientSecret: "" + - clientId: "sa-cl7-cx-7" + clientSecret: "" + - clientId: "sa-cl8-cx-1" + clientSecret: "" + - clientId: "sa-cl21-01" + clientSecret: "" + - clientId: "sa-cl22-01" + clientSecret: "" + - clientId: "sa-cl24-01" + clientSecret: "" + - clientId: "sa-cl25-cx-1" + clientSecret: "" + - clientId: "sa-cl25-cx-2" + clientSecret: "" + - clientId: "sa-cl25-cx-3" + clientSecret: "" + bpn: "BPNL00000003CRHK" + sharedidp: "https://sharedidp.int.catena-x.net" 
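Review bot: The `http://localhost:3000/*` entries under `realmSeeding.clients.registration.redirects` and `portal.redirects` register a plain-HTTP loopback redirect URI for the integration environment's (presumably public) browser clients, so an authorization code issued to an int user can be delivered to whatever happens to listen on port 3000 on that user's machine. If local development against int is genuinely needed, keep that entry out of the committed int values and add it per developer; otherwise drop it and leave only the `https://portal.int.catena-x.net` redirects. The many `clientSecret: ""` lines do not say whether an empty value makes the seeding job skip, generate, or blank the secret; a one-line comment above `serviceAccounts.clientSecrets` stating the intended behaviour, e.g. `# empty = injected by the deployment pipeline, never committed`, would remove the ambiguity.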
diff --git a/environments/helm-values/sharedidp/values-int.yaml b/environments/helm-values/sharedidp/values-int.yaml index 276778b3..0cc03eb9 100644 --- a/environments/helm-values/sharedidp/values-int.yaml +++ b/environments/helm-values/sharedidp/values-int.yaml @@ -20,6 +20,8 @@ keycloak: production: true proxy: edge + auth: + adminPassword: "" ingress: enabled: true ingressClassName: nginx @@ -35,14 +37,28 @@ keycloak: nginx.ingress.kubernetes.io/proxy-buffers-number: "20" nginx.ingress.kubernetes.io/use-regex: "true" tls: true - -secrets: - auth: - existingSecret: - adminpassword: "" postgresql: auth: - existingSecret: - postgrespassword: "" - password: "" - replicationPassword: "" + password: "" + postgresPassword: "" + +realmSeeding: + enabled: true + realms: + cxOperator: + centralidp: "https://centralidp.int.catena-x.net" + initialUser: + password: "" + mailing: + host: "" + port: "" + username: "" + password: "" + replyTo: "" + master: + serviceAccounts: + provisioning: + clientSecret: "" + saCxOperator: + clientSecret: "" diff --git a/import/realm-config/generic/catenax-central/CX-Central-realm.json b/import/realm-config/generic/catenax-central/CX-Central-realm.json index ea0e8a7d..a991719c 100644 --- a/import/realm-config/generic/catenax-central/CX-Central-realm.json +++ b/import/realm-config/generic/catenax-central/CX-Central-realm.json 
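Review bot: `realmSeeding.realms.cxOperator.initialUser.password: ""` in the sharedidp int values is, per the `values.yaml` comment in this change, the documented path to the fallback password `!3changemeTractus-X`, so unless a pipeline overlays this file the int CX-Operator admin user is seeded with a published password. If the values are injected elsewhere, add `# set by the deployment pipeline; must not be empty at install time` above `password`; if not, the value should be `required` in the template rather than defaulted. The empty `mailing.host`/`port`/`username` will presumably be written into the CX-Operator realm's SMTP settings as empty strings, which may be intended for int but is worth a comment so nobody reads it as a misconfiguration.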
@@ -2795,35 +2795,6 @@ "webAuthnPolicyPasswordlessAcceptableAaguids": [], "webAuthnPolicyPasswordlessExtraOrigins": [], "users": [ - { - "id" : "502dabcf-01c7-47d9-a88e-0be4279097b5", - "createdTimestamp" : 1652788086549, - "username" : "ac1cf001-7fbc-1f2f-817f-bce058020006", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "firstName" : "Operator", - "lastName" : "CX Admin", - "email" : "tobeadded@cx.com", - "attributes" : { - "bpn" : [ "BPNL00000003CRHK" ], - "organisation" : [ "CX-Operator" ] - }, - "credentials" : [ ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "federatedIdentities" : [ { - "identityProvider" : "CX-Operator", - "userId" : "656e8a94-188b-4a3e-9eec-b45d8efd8347", - "userName" : "cx-operator@cx.com" - } ], - "realmRoles" : [ "default-roles-cx-central" ], - "clientRoles" : { - "Cl2-CX-Portal" : [ "CX Admin" ] - }, - "notBefore" : 0, - "groups" : [ ] - }, { "id": "e69c1397-eee8-434a-b83b-dc7944bb9bdd", "createdTimestamp": 1651730911692, @@ -4635,7 +4606,7 @@ "id": "4ebeb21b-055e-403f-8bfa-738bb935395d", "clientId": "sa-cl25-cx-1", "name": "BPDM Dummy Cleaning Task Processor", - "description": "Client for the BPDM cleaning service dummy component to process golden record tasks from the Orchestrator", + "description": "Technical User for the BPDM cleaning service dummy component to process golden record tasks from the Orchestrator", "rootUrl": "", "adminUrl": "", "baseUrl": "", @@ -4751,7 +4722,7 @@ "id": "0dffae1b-5a95-4253-857e-b84c6904d012", "clientId": "sa-cl25-cx-2", "name": "BPDM Pool Task Processor", - "description": "Client for the BPDM Pool component to process golden record tasks from the Orchestrator", + "description": "Technical User for the BPDM Pool component to process golden record tasks from the Orchestrator", "rootUrl": "", "adminUrl": "", "baseUrl": "", 
@@ -4867,7 +4838,7 @@
 "id": "dfb5e903-2509-4d52-bef5-2c6a85e34d5c",
 "clientId": "sa-cl25-cx-3",
 "name": "BPDM Portal Gate Task Creator",
- "description": "Client for the BPDM Portal Gate to create and monitor golden record tasks inside the Orchestrator",
+ "description": "Technical User for the BPDM Portal Gate to create and monitor golden record tasks inside the Orchestrator",
 "rootUrl": "",
 "adminUrl": "",
 "baseUrl": "",
@@ -4983,7 +4954,7 @@
 "id": "fd3c0f0d-40f6-4522-9a87-17ea147e7cfe",
 "clientId": "sa-cl7-cx-1",
 "name": "BPDM Portal Gate Pool Consumer",
- "description": "Client for the BPDM Portal Gate to consume golden record data from the Pool",
+ "description": "Technical User for the BPDM Portal Gate to consume golden record data from the Pool",
 "rootUrl": "",
 "adminUrl": "",
 "baseUrl": "",
diff --git a/import/realm-config/generic/catenax-central/CX-Central-users-0.json b/import/realm-config/generic/catenax-central/CX-Central-users-0.json
new file mode 100644
index 00000000..c9855e0a
--- /dev/null
+++ b/import/realm-config/generic/catenax-central/CX-Central-users-0.json
@@ -0,0 +1,34 @@
+{
+ "realm" : "CX-Central",
+ "users" : [
+ {
+ "id" : "502dabcf-01c7-47d9-a88e-0be4279097b5",
+ "createdTimestamp" : 1652788086549,
+ "username" : "ac1cf001-7fbc-1f2f-817f-bce058020006",
+ "enabled" : true,
+ "totp" : false,
+ "emailVerified" : false,
+ "firstName" : "Operator",
+ "lastName" : "CX Admin",
+ "email" : "cx-operator@tx.org",
+ "attributes" : {
+ "bpn" : [ "BPNL00000003CRHK" ],
+ "organisation" : [ "CX-Operator" ]
+ },
+ "credentials" : [ ],
+ "disableableCredentialTypes" : [ ],
+ "requiredActions" : [ ],
+ "federatedIdentities" : [ {
+ "identityProvider" : "CX-Operator",
+ "userId" : "656e8a94-188b-4a3e-9eec-b45d8efd8347",
+ "userName" : "cx-operator@tx.org"
+ } ],
+ "realmRoles" : [ "default-roles-cx-central" ],
+ "clientRoles" : {
+ "Cl2-CX-Portal" : [ "CX Admin" ]
+ },
+ "notBefore" : 0,
+ "groups" : [ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/import/realm-config/generic/catenax-shared/CX-Operator-realm.json b/import/realm-config/generic/catenax-shared/CX-Operator-realm.json index c1ee1b7b..28b38da0 100644 --- a/import/realm-config/generic/catenax-shared/CX-Operator-realm.json +++ b/import/realm-config/generic/catenax-shared/CX-Operator-realm.json @@ -1332,7 +1332,17 @@ "xXSSProtection": "1; mode=block", "strictTransportSecurity": "max-age=31536000; includeSubDomains" }, - "smtpServer": {}, + "smtpServer": { + "password": "**********", + "starttls": "true", + "auth": "true", + "port": "123", + "host": "smtp.example.org", + "replyTo": "email@example.org", + "from": "email@example.org", + "ssl": "", + "user": "smtp-user" + }, "eventsEnabled": false, "eventsListeners": [ "jboss-logging" diff --git a/import/realm-config/generic/catenax-shared/CX-Operator-users-0.json b/import/realm-config/generic/catenax-shared/CX-Operator-users-0.json index cd08ed40..dbac9eca 100644 --- a/import/realm-config/generic/catenax-shared/CX-Operator-users-0.json +++ b/import/realm-config/generic/catenax-shared/CX-Operator-users-0.json @@ -1,18 +1,4 @@ { "realm" : "CX-Operator", - "users" : [ { - "id" : "656e8a94-188b-4a3e-9eec-b45d8efd8347", - "username" : "cx-operator@cx.com", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "firstName" : "Operator", - "lastName" : "CX Admin", - "email" : "tobeadded@cx.com", - "credentials" : [ ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "notBefore" : 0, - "groups" : [ ] - } ] + "users" : [ ] } \ No newline at end of file diff --git a/import/realm-config/generic/catenax-shared/master-realm.json b/import/realm-config/generic/catenax-shared/master-realm.json index 90292184..b8730206 100644 --- a/import/realm-config/generic/catenax-shared/master-realm.json +++ b/import/realm-config/generic/catenax-shared/master-realm.json @@ -796,7 +796,8 @@ "web-origins", "profile", "roles", - "email" + "email", + "acr" ], "optionalClientScopes": [ "address", 
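Review bot: The new `smtpServer` block in `CX-Operator-realm.json` carries `"password": "**********"`, which is the mask Keycloak writes when exporting a realm, together with `"auth": "true"` and an empty `"ssl": ""`; if the seeding job ever imports this file without substituting `realmSeeding.realms.cxOperator.mailing.password`, the realm ends up with the literal asterisks as its SMTP password and authentication enabled. Since the values in this change route the real password through the seeding secret, confirm the job treats this field as a placeholder to overwrite rather than a value to keep, and consider `"ssl": "false"` so the transport setting is explicit next to `"starttls": "true"`. The emptied `CX-Operator-users-0.json` moves the operator user to seeding-time creation, which is reasonable, but the masked value in the realm file should not be relied on as a safety net.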
@@ -889,7 +890,8 @@ "web-origins", "profile", "roles", - "email" + "email", + "acr" ], "optionalClientScopes": [ "address", @@ -1263,7 +1265,8 @@ "web-origins", "profile", "roles", - "email" + "email", + "acr" ], "optionalClientScopes": [ "address",