From: Andreas Geissler Date: Mon, 27 Mar 2023 13:48:11 +0000 (+0000) Subject: Merge "[PLATFORM] Add Oauth2-Proxy client to ONAP Realm" X-Git-Tag: 12.0.0~80 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=6539e7a7ee21d68ce6b0cc7be7b14e71ebaaf4d9;hp=5dad6df09aad4aa5b8e0db5366d0a286f015c6b2;p=oom.git Merge "[PLATFORM] Add Oauth2-Proxy client to ONAP Realm" --- diff --git a/kubernetes/platform/components/keycloak-init/Chart.yaml b/kubernetes/platform/components/keycloak-init/Chart.yaml index 44ca0fa95d..d9add7143b 100644 --- a/kubernetes/platform/components/keycloak-init/Chart.yaml +++ b/kubernetes/platform/components/keycloak-init/Chart.yaml @@ -31,5 +31,5 @@ dependencies: version: ~12.x-0 repository: '@local' - name: keycloak-config-cli - version: 5.3.1 + version: 5.6.1 repository: 'file://components/keycloak-config-cli' diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml index c248ba050f..3f48ef7e21 100644 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml @@ -20,8 +20,8 @@ apiVersion: v2 name: keycloak-config-cli description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak. home: https://github.com/adorsys/keycloak-config-cli -version: 5.3.1 -appVersion: 5.3.1-19.0.1 +version: 5.6.1 +appVersion: 5.6.1 maintainers: - name: jkroepke email: joe@adorsys.de diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml index e54a4c7bcf..fb2a8955ff 100644 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml 
+++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml @@ -21,12 +21,12 @@ global: fullnameOverride: "" nameOverride: "" -#keycloakUrl: "https://keycloak-ui.simpledemo.onap.org/auth/" +keycloakUrl: "https://keycloak-ui.simpledemo.onap.org/auth/" portalUrl: "https://portal-ng-ui.simpledemo.onap.org" image: repository: adorsys/keycloak-config-cli - tag: "{{ .Chart.AppVersion }}" + tag: "{{ .Chart.AppVersion }}-19.0.3" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/resources/realm/onap-realm.json b/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json similarity index 74% rename from kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/resources/realm/onap-realm.json rename to kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json index 8b79e99795..d845c60cfb 100644 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/resources/realm/onap-realm.json +++ b/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json 
@@ -80,7 +80,91 @@ } ] }, + "groups": [ + { + "name": "admins", + "path": "/admins", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + } + ], "clients": [ + { + "clientId": "oauth2-proxy", + "name": "Oauth2 Proxy", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "5YSOkJz99WHv8enDZPknzJuGqVSerELp", + "redirectUris": [ + "*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "tls-client-certificate-bound-access-tokens": "false", + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "acr.loa.map": "{}", + "require.pushed.authorization.requests": "false", + "oauth2.device.authorization.grant.enabled": "false", + "display.on.consent.screen": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "token.response.type.bearer.lower-case": "false", + "use.refresh.tokens": "true" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "name": "SDC-User", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "multivalued": "false", + "userinfo.token.claim": "true", + "user.attribute": "sdc_user", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "sdc_user", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + 
"address", + "phone", + "offline_access", + "groups", + "microprofile-jwt" + ] + }, { "clientId": "portal-app", "surrogateAuthRequired": false, @@ -157,7 +241,8 @@ "offline_access", "microprofile-jwt" ] - }, { + }, + { "clientId" : "portal-bff", "surrogateAuthRequired" : false, "enabled" : true, @@ -235,7 +320,8 @@ } ], "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - }], + } + ], "users": [ { "createdTimestamp" : 1664965113698, @@ -305,8 +391,36 @@ "groups" : [ ] } ], + "clientScopes": [ + { + "name": "groups", + "description": "Membership to a group", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "gui.order": "", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-group-membership-mapper", + "consentRequired": false, + "config": { + "full.path": "false", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "userinfo.token.claim": "true" + } + } + ] + } + ], "attributes": { - "frontendUrl": "{{ .Values.portalUrl }}/auth/", + "frontendUrl": "{{ .Values.KEYCLOAK_URL }}", "acr.loa.map": "{\"ABC\":\"5\"}" } } diff --git a/kubernetes/platform/components/keycloak-init/templates/secret.yaml b/kubernetes/platform/components/keycloak-init/templates/secret.yaml new file mode 100644 index 0000000000..0d9b387dfa --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/templates/secret.yaml 
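Review bot: The new `oauth2-proxy` client is registered with `"redirectUris": ["*"]` and a literal `"secret"` value committed in the realm file. A wildcard redirect URI lets any site that can steer a user to the authorization endpoint receive the authorization code, and `"directAccessGrantsEnabled": true` additionally enables the password grant, which oauth2-proxy's authorization-code flow does not need; together they widen a confidential client well beyond what the proxy requires. Since this file is rendered through `tpl` (the `{{ .Values.KEYCLOAK_URL }}` substitution in the same hunk shows that), the secret can come from a chart value instead of the repository, e.g. `"secret": "{{ .Values.oauth2ProxyClientSecret }}"`, the redirect list can be pinned to the proxy callback, e.g. `"redirectUris": ["https://<oauth2-proxy host>/oauth2/callback"]`, and the flag set to `"directAccessGrantsEnabled": false`. The enclosing `clients` array continues outside the hunk.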
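Review bot: The `groups` mapper in the new `groups` client scope is configured with `"full.path": "false"`, so the `groups` claim carries only the leaf group name; if oauth2-proxy or a downstream service authorizes on this claim, a sub-group that happens to be named `admins` anywhere in the tree is indistinguishable from the top-level `/admins` group added in this diff. Setting `"full.path": "true"` makes the claim unambiguous (`/admins`) at the cost of callers matching the full path. Note also that the scope is listed only under `optionalClientScopes` on the `oauth2-proxy` client earlier in this diff, so the proxy has to request `groups` explicitly in its scope parameter for the claim to appear at all; a comment in the realm file or the chart values recording that expectation would help the next maintainer.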
@@ -0,0 +1,17 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: keycloak-config-cli-config-realms + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +{{- with .Files.Glob "resources/realms/*json" }} +data: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ tpl ($.Files.Get $path) $ | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/kubernetes/platform/components/keycloak-init/values.yaml b/kubernetes/platform/components/keycloak-init/values.yaml index 5e975147ab..7eecf195f7 100644 --- a/kubernetes/platform/components/keycloak-init/values.yaml +++ b/kubernetes/platform/components/keycloak-init/values.yaml @@ -19,15 +19,18 @@ global: virtualhost: baseurl: "simpledemo.onap.org" +KEYCLOAK_URL: &kc-url "https://keycloak-ui.simpledemo.onap.org/auth/" +PORTAL_URL: "https://portal-ui.simpledemo.onap.org" + keycloak-config-cli: #existingSecret: "keycloak-keycloakx-admin-creds" env: KEYCLOAK_URL: http://keycloak-http.keycloak.svc.cluster.local/auth/ + KEYCLOAK_SSLVERIFY: "false" + KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true" secrets: KEYCLOAK_PASSWORD: secret - config: - onap: - file: resources/realm/onap-realm.json + existingConfigSecret: "keycloak-config-cli-config-realms" ingress: service:
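Review bot: `KEYCLOAK_SSLVERIFY: "false"` disables certificate verification for keycloak-config-cli's admin connection to Keycloak. With the current `KEYCLOAK_URL` of `http://keycloak-http.keycloak.svc.cluster.local/auth/` the setting has no effect, but it silently turns any future switch of that URL to `https://` into an unverified connection that carries the admin credentials from `KEYCLOAK_PASSWORD`. Either drop the line, or keep it with a comment stating why it is needed and when it should go, e.g. `# TODO: remove once the in-cluster Keycloak endpoint presents a certificate trusted by this pod`. The `&kc-url` anchor is defined on `KEYCLOAK_URL` but no `*kc-url` alias is visible in the hunk; confirm it is still referenced further down the file.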