authorAndreas Geissler <andreas-geissler@telekom.de>2023-03-20 13:07:32 +0100
committerAndreas Geissler <andreas-geissler@telekom.de>2023-03-24 17:46:52 +0100
commitdce54c8e4d6936f5a2189a55f7e6409747a0ecbe (patch)
treed48adbf93b99060b0bb4c5ae685df38b0d14f3c7
parent0879dfcaad420fcc7a6adc77b2b9c72b9522e3cb (diff)
[PLATFORM] Add Oauth2-Proxy client to ONAP Realm
Add the oauth2-proxy client to the ONAP keycloak REALM Issue-ID: OOM-2489 Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de> Change-Id: I3c38df8ad79a7cdaa87f4b55b1bb38afb18d2c0e
-rw-r--r--kubernetes/platform/components/keycloak-init/Chart.yaml2
-rw-r--r--kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml4
-rw-r--r--kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml4
-rw-r--r--kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json (renamed from kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/resources/realm/onap-realm.json)120
-rw-r--r--kubernetes/platform/components/keycloak-init/templates/secret.yaml17
-rw-r--r--kubernetes/platform/components/keycloak-init/values.yaml9
6 files changed, 145 insertions, 11 deletions
diff --git a/kubernetes/platform/components/keycloak-init/Chart.yaml b/kubernetes/platform/components/keycloak-init/Chart.yaml
index 44ca0fa95d..d9add7143b 100644
--- a/kubernetes/platform/components/keycloak-init/Chart.yaml
+++ b/kubernetes/platform/components/keycloak-init/Chart.yaml
@@ -31,5 +31,5 @@ dependencies:
version: ~12.x-0
repository: '@local'
- name: keycloak-config-cli
- version: 5.3.1
+ version: 5.6.1
repository: 'file://components/keycloak-config-cli'
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml
index c248ba050f..3f48ef7e21 100644
--- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml
+++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml
@@ -20,8 +20,8 @@ apiVersion: v2
name: keycloak-config-cli
description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
home: https://github.com/adorsys/keycloak-config-cli
-version: 5.3.1
-appVersion: 5.3.1-19.0.1
+version: 5.6.1
+appVersion: 5.6.1
maintainers:
- name: jkroepke
email: joe@adorsys.de
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml
index e54a4c7bcf..fb2a8955ff 100644
--- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml
+++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml
@@ -21,12 +21,12 @@ global:
fullnameOverride: ""
nameOverride: ""
-#keycloakUrl: "https://keycloak-ui.simpledemo.onap.org/auth/"
+keycloakUrl: "https://keycloak-ui.simpledemo.onap.org/auth/"
portalUrl: "https://portal-ng-ui.simpledemo.onap.org"
image:
repository: adorsys/keycloak-config-cli
- tag: "{{ .Chart.AppVersion }}"
+ tag: "{{ .Chart.AppVersion }}-19.0.3"
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
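Review bot: `keycloakUrl` is uncommented at the top of the hunk, but nothing in this commit visibly reads it; the realm's `frontendUrl` now comes from `.Values.KEYCLOAK_URL`, which the parent chart's secret.yaml resolves through `tpl` against the parent values, where the same URL is defined again. If the subchart value still has a consumer, a comment naming it would help; otherwise it duplicates the parent `KEYCLOAK_URL` and the two can drift. The new image tag suffix `-19.0.3` appears to pin the Keycloak server version the cli image is built against (the old appVersion `5.3.1-19.0.1` followed the same pattern); a comment such as `# suffix = Keycloak server version of the config-cli image` on the `tag:` line would make that pairing explicit for the next bump.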
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/resources/realm/onap-realm.json b/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json
index 8b79e99795..d845c60cfb 100644
--- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/resources/realm/onap-realm.json
+++ b/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json
@@ -80,8 +80,92 @@
}
]
},
+ "groups": [
+ {
+ "name": "admins",
+ "path": "/admins",
+ "attributes": {},
+ "realmRoles": [],
+ "clientRoles": {},
+ "subGroups": []
+ }
+ ],
"clients": [
{
+ "clientId": "oauth2-proxy",
+ "name": "Oauth2 Proxy",
+ "description": "",
+ "rootUrl": "",
+ "adminUrl": "",
+ "baseUrl": "",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "5YSOkJz99WHv8enDZPknzJuGqVSerELp",
+ "redirectUris": [
+ "*"
+ ],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": true,
+ "protocol": "openid-connect",
+ "attributes": {
+ "tls-client-certificate-bound-access-tokens": "false",
+ "oidc.ciba.grant.enabled": "false",
+ "backchannel.logout.session.required": "true",
+ "client_credentials.use_refresh_token": "false",
+ "acr.loa.map": "{}",
+ "require.pushed.authorization.requests": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "display.on.consent.screen": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "token.response.type.bearer.lower-case": "false",
+ "use.refresh.tokens": "true"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "name": "SDC-User",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "multivalued": "false",
+ "userinfo.token.claim": "true",
+ "user.attribute": "sdc_user",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "sdc_user",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "acr",
+ "profile",
+ "roles",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "groups",
+ "microprofile-jwt"
+ ]
+ },
+ {
"clientId": "portal-app",
"surrogateAuthRequired": false,
"enabled": true,
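Review bot: The new `oauth2-proxy` client is confidential (`"publicClient": false`) but its `"secret"` is committed in clear text in the realm file, and `"redirectUris"` is the wildcard `"*"`, so any redirect target is accepted for this client. Since the parent chart now renders this file through `tpl` into a Secret, the value can be templated instead, e.g. `"secret": "{{ .Values.oauth2ProxyClientSecret }}"` (placeholder value name) sourced from an existing Kubernetes Secret, the committed value rotated, and the redirect list limited to the proxy's callback URL. `"directAccessGrantsEnabled": true` additionally enables the resource-owner-password grant for this client, which a browser-redirect proxy normally does not need; confirm it is required before leaving it on. The later hunks of this file (client separators, `clientScopes`, `frontendUrl`) are not affected by this point.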
@@ -157,7 +241,8 @@
"offline_access",
"microprofile-jwt"
]
- }, {
+ },
+ {
"clientId" : "portal-bff",
"surrogateAuthRequired" : false,
"enabled" : true,
@@ -235,7 +320,8 @@
} ],
"defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ],
"optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
- }],
+ }
+ ],
"users": [
{
"createdTimestamp" : 1664965113698,
@@ -305,8 +391,36 @@
"groups" : [ ]
}
],
+ "clientScopes": [
+ {
+ "name": "groups",
+ "description": "Membership to a group",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "gui.order": "",
+ "consent.screen.text": ""
+ },
+ "protocolMappers": [
+ {
+ "name": "groups",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-group-membership-mapper",
+ "consentRequired": false,
+ "config": {
+ "full.path": "false",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "groups",
+ "userinfo.token.claim": "true"
+ }
+ }
+ ]
+ }
+ ],
"attributes": {
- "frontendUrl": "{{ .Values.portalUrl }}/auth/",
+ "frontendUrl": "{{ .Values.KEYCLOAK_URL }}",
"acr.loa.map": "{\"ABC\":\"5\"}"
}
}
diff --git a/kubernetes/platform/components/keycloak-init/templates/secret.yaml b/kubernetes/platform/components/keycloak-init/templates/secret.yaml
new file mode 100644
index 0000000000..0d9b387dfa
--- /dev/null
+++ b/kubernetes/platform/components/keycloak-init/templates/secret.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: keycloak-config-cli-config-realms
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+{{- with .Files.Glob "resources/realms/*json" }}
+data:
+{{- range $path, $bytes := . }}
+ {{ base $path }}: {{ tpl ($.Files.Get $path) $ | b64enc | quote }}
+{{- end }}
+{{- end }}
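Review bot: The Secret name `keycloak-config-cli-config-realms` on the `name:` line is hard-coded and must match the `existingConfigSecret` value the parent values.yaml passes to the subchart, but neither side documents the coupling; a comment such as `# must match keycloak-config-cli.existingConfigSecret in values.yaml` on the `name:` line would prevent a silent mismatch on rename. The glob `resources/realms/*json` also matches any file whose name merely ends in `json`; `"resources/realms/*.json"` states the intent precisely. Because every matched file is passed through `tpl`, a literal `{{` inside a realm file is evaluated as a template rather than copied; if realm files with such content are expected, that is worth a note in the same comment.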
diff --git a/kubernetes/platform/components/keycloak-init/values.yaml b/kubernetes/platform/components/keycloak-init/values.yaml
index 5e975147ab..7eecf195f7 100644
--- a/kubernetes/platform/components/keycloak-init/values.yaml
+++ b/kubernetes/platform/components/keycloak-init/values.yaml
@@ -19,15 +19,18 @@ global:
virtualhost:
baseurl: "simpledemo.onap.org"
+KEYCLOAK_URL: &kc-url "https://keycloak-ui.simpledemo.onap.org/auth/"
+PORTAL_URL: "https://portal-ui.simpledemo.onap.org"
+
keycloak-config-cli:
#existingSecret: "keycloak-keycloakx-admin-creds"
env:
KEYCLOAK_URL: http://keycloak-http.keycloak.svc.cluster.local/auth/
+ KEYCLOAK_SSLVERIFY: "false"
+ KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true"
secrets:
KEYCLOAK_PASSWORD: secret
- config:
- onap:
- file: resources/realm/onap-realm.json
+ existingConfigSecret: "keycloak-config-cli-config-realms"
ingress:
service: