diff options
Diffstat (limited to 'kubernetes/authentication/templates/_utils.tpl')
| -rw-r--r-- | kubernetes/authentication/templates/_utils.tpl | 811 |
1 files changed, 811 insertions, 0 deletions
diff --git a/kubernetes/authentication/templates/_utils.tpl b/kubernetes/authentication/templates/_utils.tpl new file mode 100644 index 0000000000..806f96164a --- /dev/null +++ b/kubernetes/authentication/templates/_utils.tpl @@ -0,0 +1,811 @@ +{{/* +# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* +Renders a value that contains template. +Usage: +{{ include "auth.realm" ( dict "dot" . "realm" .Values.path.to.realm) }} +*/}} +{{- define "auth.realm" -}} +{{- $dot := default . .dot -}} +{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}} +realm: {{ $realm.name }} +{{ if $realm.displayName }}displayName: {{ $realm.displayName }}{{ end }} +id: {{ $realm.name }} +accessTokenLifespan: 1900 +registrationAllowed: false +resetPasswordAllowed: true +enabled: true +{{ if $realm.themes }} +{{ if $realm.themes.login }}loginTheme: {{ $realm.themes.login }}{{ end }} +{{ if $realm.themes.admin }}adminTheme: {{ $realm.themes.admin }}{{ end }} +{{ if $realm.themes.account }}accountTheme: {{ $realm.themes.account }}{{ end }} +{{ if $realm.themes.email }}emailTheme: {{ $realm.themes.email }}{{ end }} +{{- end }} +{{- if $realm.accessControl }} +{{ include "auth._roles" $realm }} +{{- end }} +{{ include "auth._clients" (dict "dot" $dot "realm" $realm) }} +{{ include "auth._clientScopes" $realm }} +{{ include "auth._defaultClientScopes" $realm }} +{{ include "auth._groups" $realm }} +{{ include "auth._users" $realm }} +{{ include "auth._identity" $realm }} +{{ include "auth._identityMapper" $realm }} +{{ include "auth._smtpServer" $realm }} +{{ include "auth._attributes" (dict "dot" $dot "realm" $realm) }} +{{- end -}} + +{{/* +Renders the roles section in a realm. +Usage: +{{ include "auth._roles" ( dict "dot" .Values) }} +*/}} +{{- define "auth._roles" -}} +{{- $realm := default . .dot -}} +roles: + realm: + {{- range $index, $role := $realm.accessControl.assignableRoles }} + - name: "{{ $role.name }}" + description: "{{ $role.description }}" + {{- if $role.associatedAccessRoles }} + composite: true + composites: + client: + {{- range $key, $accessRole := $realm.accessControl.accessRoles }} + {{ $client := index $realm.clients $key -}} + {{ $client.clientId }}: + {{- range $index2, $associatedRole := $role.associatedAccessRoles }} + - {{ $associatedRole }} + {{- end }} + {{- end }} + {{- else }} + composite: false + {{- end }} + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + {{- end }} + - name: "user" + composite: false + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + - name: "admin" + composite: false + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + - name: "offline_access" + description: "${role_offline-access}" + composite: false + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + - name: "uma_authorization" + description: "${role_uma_authorization}" + composite: false + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + - name: "default-roles-{{ $realm.name }}" + description: "${role_default-roles}" + composite: true + composites: + realm: + - "offline_access" + - "uma_authorization" + client: + account: + - "view-profile" + - "manage-account" + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + {{- if $realm.accessControl.accessRoles }} + client: + {{- range $key, $accessRole := $realm.accessControl.accessRoles }} + {{ $client := index $realm.clients $key -}} + {{ $client.clientId }}: + {{- range $index, $role := get $realm.accessControl.accessRoles $key }} + - name: "{{ $role.name }}" + description: "Allows to perform {{ $role.methodsAllowed }} operations for {{ $role.name }} component" + composite: false + clientRole: false + containerId: "{{ $client.clientId }}" + attributes: {} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{/* +Renders the clients section in a realm. +Usage: +{{ include "auth._clients" ( dict "dot" . "realm" $realm ) }} +*/}} +{{- define "auth._clients" -}} +{{- $dot := default . .dot -}} +{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}} +clients: + {{- range $index, $client := $realm.clients }} + - clientId: "{{ $client.clientId }}" + {{- if $client.name }} + name: "{{ $client.name }}" + {{- end }} + {{- if $client.description }} + description: "{{ $client.description }}" + {{- end }} + {{- if $client.rootUrl }} + rootUrl: {{ tpl $client.rootUrl $dot }} + {{- end }} + {{- if $client.adminUrl }} + adminUrl: {{ tpl $client.adminUrl $dot }} + {{- end }} + {{- if $client.baseUrl }} + baseUrl: {{ tpl $client.baseUrl $dot }} + {{- end }} + surrogateAuthRequired: {{ default false $client.surrogateAuthRequired }} + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: {{ default "client-secret" $client.clientAuthenticatorType }} + {{- if $client.secret }} + secret: "{{ $client.secret }}" + {{- end }} + {{- if $client.redirectUris }} + redirectUris: + {{- range $index2, $url := $client.redirectUris }} + - {{ tpl $url $dot }} + {{- end }} + {{- else }} + redirectUris: [] + {{- end }} + {{- if $client.webOrigins }} + webOrigins: + {{- range $index3, $web := $client.webOrigins }} + - {{ $web | quote }} + {{- end }} + {{- else }} + webOrigins: [] + {{- end }} + notBefore: 0 + bearerOnly: {{ default false $client.bearerOnly }} + consentRequired: {{ default false $client.consentRequired }} + standardFlowEnabled: {{ default true $client.standardFlowEnabled }} + implicitFlowEnabled: {{ default false $client.implicitFlowEnabled }} + directAccessGrantsEnabled: {{ default true $client.directAccessGrantsEnabled }} + serviceAccountsEnabled: {{ default false $client.serviceAccountsEnabled }} + publicClient: {{ default false $client.publicClient }} + frontchannelLogout: {{ default false $client.frontchannelLogout }} + protocol: "{{ default "openid-connect" $client.protocol }}" + {{- if $client.attributes }} + attributes: + {{- range $key,$value := $client.attributes }} + {{ $key }}: {{ tpl $value $dot }} + {{- end }} + {{- end }} + authenticationFlowBindingOverrides: {} + fullScopeAllowed: true + nodeReRegistrationTimeout: -1 + protocolMappers: + {{- if $client.protocolMappers }} + {{- range $index2, $mapper := $client.protocolMappers }} + - name: {{ $mapper.name }} + protocol: "openid-connect" + protocolMapper: {{ $mapper.protocolMapper }} + consentRequired: false + config: + {{ toYaml $mapper.config | nindent 10 }} + {{- end }} + {{- end }} + defaultClientScopes: + {{- if $client.defaultClientScopes }} + {{- range $index2, $scope := $client.defaultClientScopes }} + - {{ $scope }} + {{- end }} + {{- else }} + - web-origins + - profile + - acr + - email + {{- end }} + optionalClientScopes: + {{- if $client.optionalClientScopes }} + {{- range $index2, $scope := $client.optionalClientScopes }} + - {{ $scope }} + {{- end }} + {{- else }} + - address + - phone + - offline_access + - microprofile-jwt + {{- end }} + {{- end }} +{{- end }} + +{{/* +Renders the defaulDefaultClientScopes section in a realm. +Usage: +{{ include "auth._defaultClientScopes" ( dict "dot" .Values) }} +*/}} +{{- define "auth._defaultClientScopes" -}} +{{- $dot := default . .dot -}} +{{- if $dot.defaultClientScopes }} +defaultDefaultClientScopes: + {{- range $index, $scope := $dot.defaultClientScopes }} + - {{ $scope }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Renders the clientScopes section in a realm. +Usage: +{{ include "auth._clientScopes" ( dict "dot" .Values) }} +*/}} +{{- define "auth._clientScopes" -}} +{{- $dot := default . .dot -}} +clientScopes: +{{- if $dot.additionalClientScopes }} +{{- range $index, $scope := $dot.additionalClientScopes }} +- name: {{ $scope.name }} + description: "{{ default "" $scope.description }}" + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + display.on.consent.screen: 'true' + gui.order: '' + consent.screen.text: "${rolesScopeConsentText}" + protocolMappers: + {{- if $scope.protocolMappers }} + {{- range $index2, $mapper := $scope.protocolMappers }} + - name: {{ $mapper.name }} + protocol: "openid-connect" + protocolMapper: {{ $mapper.protocolMapper }} + consentRequired: false + config: + {{ toYaml $mapper.config | nindent 8 }} + {{- end }} + {{- end }} + +{{- end }} +{{- end }} +- name: roles + description: OpenID Connect scope for add user roles to the access token + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + display.on.consent.screen: 'true' + consent.screen.text: "${rolesScopeConsentText}" + protocolMappers: + - name: audience resolve + protocol: openid-connect + protocolMapper: oidc-audience-resolve-mapper + consentRequired: false + config: {} + - name: realm roles + protocol: openid-connect + protocolMapper: oidc-usermodel-realm-role-mapper + consentRequired: false + config: + user.attribute: foo + access.token.claim: 'true' + claim.name: realm_access.roles + jsonType.label: String + multivalued: 'true' + - name: client roles + protocol: openid-connect + protocolMapper: oidc-usermodel-client-role-mapper + consentRequired: false + config: + user.attribute: foo + access.token.claim: 'true' + claim.name: resource_access.${client_id}.roles + jsonType.label: String + multivalued: 'true' +- name: groups + description: Membership to a group + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + gui.order: '' + consent.screen.text: '' + protocolMappers: + - name: groups + protocol: openid-connect + protocolMapper: oidc-group-membership-mapper + consentRequired: false + config: + full.path: 'false' + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: groups + userinfo.token.claim: 'true' +- name: acr + description: OpenID Connect scope for add acr (authentication context class reference) + to the token + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + display.on.consent.screen: 'false' + protocolMappers: + - name: acr loa level + protocol: openid-connect + protocolMapper: oidc-acr-mapper + consentRequired: false + config: + id.token.claim: 'true' + access.token.claim: 'true' +- name: profile + description: 'OpenID Connect built-in scope: profile' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + consent.screen.text: "${profileScopeConsentText}" + protocolMappers: + - name: profile + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: profile + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: profile + jsonType.label: String + - name: given name + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: firstName + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: given_name + jsonType.label: String + - name: website + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: website + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: website + jsonType.label: String + - name: zoneinfo + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: zoneinfo + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: zoneinfo + jsonType.label: String + - name: locale + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: locale + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: locale + jsonType.label: String + - name: gender + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: gender + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: gender + jsonType.label: String + - name: family name + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: lastName + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: family_name + jsonType.label: String + - name: username + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: username + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: preferred_username + jsonType.label: String + - name: middle name + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: middleName + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: middle_name + jsonType.label: String + - name: birthdate + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: birthdate + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: birthdate + jsonType.label: String + - name: updated at + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: updatedAt + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: updated_at + jsonType.label: long + - name: full name + protocol: openid-connect + protocolMapper: oidc-full-name-mapper + consentRequired: false + config: + id.token.claim: 'true' + access.token.claim: 'true' + userinfo.token.claim: 'true' + - name: nickname + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: nickname + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: nickname + jsonType.label: String + - name: picture + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: picture + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: picture + jsonType.label: String +- name: address + description: 'OpenID Connect built-in scope: address' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + consent.screen.text: "${addressScopeConsentText}" + protocolMappers: + - name: address + protocol: openid-connect + protocolMapper: oidc-address-mapper + consentRequired: false + config: + user.attribute.formatted: formatted + user.attribute.country: country + user.attribute.postal_code: postal_code + userinfo.token.claim: 'true' + user.attribute.street: street + id.token.claim: 'true' + user.attribute.region: region + access.token.claim: 'true' + user.attribute.locality: locality +- name: web-origins + description: OpenID Connect scope for add allowed web origins to the access token + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + display.on.consent.screen: 'false' + consent.screen.text: '' + protocolMappers: + - name: allowed web origins + protocol: openid-connect + protocolMapper: oidc-allowed-origins-mapper + consentRequired: false + config: {} +- name: phone + description: 'OpenID Connect built-in scope: phone' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + consent.screen.text: "${phoneScopeConsentText}" + protocolMappers: + - name: phone number verified + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: phoneNumberVerified + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: phone_number_verified + jsonType.label: boolean + - name: phone number + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: phoneNumber + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: phone_number + jsonType.label: String +- name: offline_access + description: 'OpenID Connect built-in scope: offline_access' + protocol: openid-connect + attributes: + consent.screen.text: "${offlineAccessScopeConsentText}" + display.on.consent.screen: 'true' +- name: role_list + description: SAML role list + protocol: saml + attributes: + consent.screen.text: "${samlRoleListScopeConsentText}" + display.on.consent.screen: 'true' + protocolMappers: + - name: role list + protocol: saml + protocolMapper: saml-role-list-mapper + consentRequired: false + config: + single: 'false' + attribute.nameformat: Basic + attribute.name: Role +- name: microprofile-jwt + description: Microprofile - JWT built-in scope + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'false' + protocolMappers: + - name: upn + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: username + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: upn + jsonType.label: String + - name: groups + protocol: openid-connect + protocolMapper: oidc-usermodel-realm-role-mapper + consentRequired: false + config: + multivalued: 'true' + user.attribute: foo + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: groups + jsonType.label: String +- name: email + description: 'OpenID Connect built-in scope: email' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + consent.screen.text: "${emailScopeConsentText}" + protocolMappers: + - name: email + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: email + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: email + jsonType.label: String + - name: email verified + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: emailVerified + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: email_verified + jsonType.label: boolean +{{- end }} + +{{/* +Renders the groups section in a realm. +Usage: +{{ include "auth._groups" ( dict "dot" .Values) }} +*/}} +{{- define "auth._groups" -}} +{{- $dot := default . .dot -}} +{{- if $dot.groups }} +groups: +{{- range $index, $group := $dot.groups }} + - name: "{{ $group.name }}" + path: "{{ $group.path }}" + attributes: {} + {{- if $group.roles }} + realmRoles: + {{- range $index2, $groupRole := $group.roles }} + - "{{ $groupRole }}" + {{- end }} + {{- else }} + realmRoles: [] + {{- end }} + clientRoles: {} + subGroups: [] +{{- end }} +{{- else }} +groups: [] +{{- end }} +{{- end }} + +{{/* +Renders the users section in a realm. +Usage: +{{ include "auth._users" ( dict "dot" .Values) }} +*/}} +{{- define "auth._users" -}} +{{- $dot := default . .dot -}} +{{- if $dot.initialUsers }} +users: + {{- range $index, $user := $dot.initialUsers }} + - username: "{{ $user.username }}" + enabled: true + totp: false + email: "{{ default "" $user.email }}" + emailVerified: "{{ default true $user.emailVerified }}" + firstName: "{{ default "" $user.firstName }}" + lastName: "{{ default "" $user.lastName }}" + {{- if $user.attributes }} + attributes: + {{ toYaml $user.attributes | nindent 6 }} + {{- else }} + attributes: {} + {{- end }} + {{- if $user.password }} + credentials: + - type: "password" + temporary: false + value: "{{ $user.password }}" + {{- end }} + {{- if $user.credentials }} + credentials: + {{ toYaml $user.credentials | nindent 6 }} + {{- end }} + disableableCredentialTypes: [] + requiredActions: [] + {{- if $user.realmRoles }} + realmRoles: + {{- range $index2, $realmRole := $user.realmRoles }} + - "{{ $realmRole }}" + {{- end }} + {{- else }} + realmRoles: [ "default-roles-{{ $dot.name }}" ] + {{- end }} + {{- if $user.clientRoles }} + clientRoles: + {{ toYaml $user.clientRoles | nindent 6 }} + {{- end }} + notBefore: 0 + groups: {{ $user.groups | toJson }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Renders the identityProviders section in a realm. +Usage: +{{ include "auth._identity" ( dict "dot" .Values) }} +*/}} +{{- define "auth._identity" -}} +{{- $dot := default . .dot -}} +{{- if $dot.identityProviders }} +identityProviders: +{{- range $index, $provider := $dot.identityProviders }} + - alias: {{ $provider.name }} + displayName: {{ $provider.displayName }} + providerId: oidc + enabled: true + updateProfileFirstLoginMode: "on" + trustEmail: true + storeToken: true + addReadTokenRoleOnCreate: true + authenticateByDefault: false + linkOnly: false + firstBrokerLoginFlowAlias: "first broker login" + config: + {{ toYaml $provider.config | nindent 6 }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Renders the identityProviderMappers section in a realm. +Usage: +{{ include "auth._identityMapper" ( dict "dot" .Values) }} +*/}} +{{- define "auth._identityMapper" -}} +{{- $dot := default . .dot -}} +{{- if $dot.identityProviderMappers }} +identityProviderMappers: +{{- range $index, $mapper := $dot.identityProviderMappers }} + - name: {{ $mapper.name }} + identityProviderAlias: {{ $mapper.identityProviderAlias }} + identityProviderMapper: {{ $mapper.identityProviderMapper }} + config: + {{ toYaml $mapper.config | nindent 6 }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Renders the smtpServer section in a realm. +Usage: +{{ include "auth._smtpServer" ( dict "dot" .Values) }} +*/}} +{{- define "auth._smtpServer" -}} +{{- $dot := default . .dot -}} +{{- if $dot.smtpServer }} +smtpServer: + {{ toYaml $dot.smtpServer | nindent 2 }} +{{- end }} +{{- end }} + +{{/* +Renders the attributes section in a realm. +Usage: +{{ include "auth._attributes" ( dict "dot" . "realm" $realm ) }} +*/}} +{{- define "auth._attributes" -}} +{{- $dot := default . .dot -}} +{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}} +attributes: + frontendUrl: {{ tpl $realm.attributes.frontendUrl $dot }} + acr.loa.map: "{\"ABC\":\"5\"}" +{{- end }} |