author | 2024-04-24 15:38:24 +0200 | |
---|---|---|
committer | 2024-06-05 13:49:50 +0200 | |
commit | e9f67624d1f5e25d24c951e385661341baa21830 (patch) | |
tree | 5c76da9347276454bee590369905b5b35b0489dc /kubernetes/authentication/resources | |
parent | 53fe20dc15c0e23c27bee5c1450340e454b8945b (diff) |
[AUTHENTICATION] Restructured keycloak and Oauth2-proxy
Changed keycloak-init to "authentication"
and moved as root chart
Moved oauth2-proxy to onap-authentication and updated
to version 7.5.4
Use TCL proposal for REALM creation.
Update keycloak-config-cli version to 5.12.0.
Ingress AuthorizationPolicy creation for all defined accessRoles
in the configured realms
Issue-ID: OOM-3292
Issue-ID: OOM-3268
Change-Id: I0901cd416ca5da871931d7cf084cd35c55f804f1
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
Diffstat (limited to 'kubernetes/authentication/resources')
-rw-r--r-- | kubernetes/authentication/resources/oauth2_proxy.cfg | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/kubernetes/authentication/resources/oauth2_proxy.cfg b/kubernetes/authentication/resources/oauth2_proxy.cfg
new file mode 100644
index 0000000000..60aaad4b52
--- /dev/null
+++ b/kubernetes/authentication/resources/oauth2_proxy.cfg
@@ -0,0 +1,38 @@
+provider = "oidc"
+provider_display_name = "ONAPKeycloakID"
+client_id = "{{ index .Values "onap-oauth2-proxy" "config" "clientId" }}"
+client_secret = "{{ index .Values "onap-oauth2-proxy" "config" "clientSecret" }}"
+oidc_issuer_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap'
+oidc_jwks_url = 'http://{{ include "common.namespace" . }}-authentication-keycloakx-http.{{ include "common.namespace" . }}/realms/onap/protocol/openid-connect/certs'
+profile_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap/protocol/openid-connect/userinfo'
+validate_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap/protocol/openid-connect/userinfo'
+redeem_url = 'http://{{ include "common.namespace" . }}-authentication-keycloakx-http.{{ include "common.namespace" . }}/realms/onap/protocol/openid-connect/token'
+scope = "openid email profile groups onap_roles"
+skip_oidc_discovery = true
+cookie_secure = false
+cookie_secret = "{{ index .Values "onap-oauth2-proxy" "config" "cookieSecret" }}"
+email_domains = [ "*" ]
+auth_logging = true
+request_logging = true
+standard_logging = true
+show_debug_on_error = true
+cookie_domains = ".{{ .Values.global.ingress.virtualhost.baseurl }}"
+cookie_samesite = "lax"
+whitelist_domains = ".{{ .Values.global.ingress.virtualhost.baseurl }}"
+login_url = 'https://{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" "keycloak-ui") }}/realms/onap/protocol/openid-connect/auth'
+pass_access_token = true
+pass_authorization_header = true
+pass_host_header = true
+pass_user_headers = true
+http_address = "0.0.0.0:4180"
+oidc_email_claim = "email"
+oidc_groups_claim = "groups"
+insecure_oidc_skip_issuer_verification = true
+insecure_oidc_allow_unverified_email = true
+silence_ping_logging = true
+upstreams = "static://200"
+set_xauthrequest = true
+set_authorization_header = true
+skip_provider_button = true
+skip_jwt_bearer_tokens = true
+cookie_expire = "30m" |
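Review bot: `insecure_oidc_skip_issuer_verification = true` and `insecure_oidc_allow_unverified_email = true` relax two checks on the ID token without any comment saying why, and `cookie_secure = false` together with `show_debug_on_error = true` read as development defaults that would ship in the rendered config. The issuer skip is presumably needed because `oidc_issuer_url` is the external ingress host while `oidc_jwks_url` and `redeem_url` use the in-cluster keycloakx service, so the token's `iss` claim would not match; if that is the reason, a comment such as `# issuer check disabled: iss is the external ingress host while jwks/redeem go via the in-cluster service` keeps the next maintainer from re-enabling it blindly. Since every user-facing URL here is https and `email_domains = [ "*" ]` already admits any address, `cookie_secure = true` and dropping `insecure_oidc_allow_unverified_email` (or templating these from values with secure defaults) would be the safer shape. The `#` comment syntax assumes oauth2-proxy's TOML config format, which this file appears to use.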