From dce54c8e4d6936f5a2189a55f7e6409747a0ecbe Mon Sep 17 00:00:00 2001 From: Andreas Geissler Date: Mon, 20 Mar 2023 13:07:32 +0100 Subject: [PLATFORM] Add Oauth2-Proxy client to ONAP Realm Add the oauth2-proxy client to the ONAP keycloak REALM Issue-ID: OOM-2489 Signed-off-by: Andreas Geissler Change-Id: I3c38df8ad79a7cdaa87f4b55b1bb38afb18d2c0e --- .../platform/components/keycloak-init/Chart.yaml | 2 +- .../components/keycloak-config-cli/Chart.yaml | 4 +- .../resources/realm/onap-realm.json | 312 --------------- .../components/keycloak-config-cli/values.yaml | 4 +- .../keycloak-init/resources/realms/onap-realm.json | 426 +++++++++++++++++++++ .../components/keycloak-init/templates/secret.yaml | 17 + .../platform/components/keycloak-init/values.yaml | 9 +- 7 files changed, 454 insertions(+), 320 deletions(-) delete mode 100644 kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/resources/realm/onap-realm.json create mode 100644 kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json create mode 100644 kubernetes/platform/components/keycloak-init/templates/secret.yaml (limited to 'kubernetes') diff --git a/kubernetes/platform/components/keycloak-init/Chart.yaml b/kubernetes/platform/components/keycloak-init/Chart.yaml index 44ca0fa95d..d9add7143b 100644 --- a/kubernetes/platform/components/keycloak-init/Chart.yaml +++ b/kubernetes/platform/components/keycloak-init/Chart.yaml @@ -31,5 +31,5 @@ dependencies: version: ~12.x-0 repository: '@local' - name: keycloak-config-cli - version: 5.3.1 + version: 5.6.1 repository: 'file://components/keycloak-config-cli' diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml index c248ba050f..3f48ef7e21 100644 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml @@ -20,8 +20,8 @@ apiVersion: v2 name: keycloak-config-cli description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak. home: https://github.com/adorsys/keycloak-config-cli -version: 5.3.1 -appVersion: 5.3.1-19.0.1 +version: 5.6.1 +appVersion: 5.6.1 maintainers: - name: jkroepke email: joe@adorsys.de diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/resources/realm/onap-realm.json b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/resources/realm/onap-realm.json deleted file mode 100644 index 8b79e99795..0000000000 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/resources/realm/onap-realm.json +++ /dev/null @@ -1,312 +0,0 @@ -{ - "id": "ONAP", - "realm": "ONAP", - "enabled": true, - "roles": { - "realm": [ - { - "name": "onap_admin", - "description": "User role for administration tasks in the portal.", - "composite": false, - "clientRole": false, - "containerId": "onap", - "attributes": {} - }, - { - "name": "user", - "composite": false, - "clientRole": false, - "containerId": "onap", - "attributes": {} - }, - { - "name": "admin", - "composite": false, - "clientRole": false, - "containerId": "onap", - "attributes": {} - }, - { - "name": "onap_designer", - "description": "User role for designer tasks in the portal.", - "composite": false, - "clientRole": false, - "containerId": "onap", - "attributes": {} - }, - { - "name": "offline_access", - "description": "${role_offline-access}", - "composite": false, - "clientRole": false, - "containerId": "onap", - "attributes": {} - }, - { - "name": "onap_operator", - "description": "User role for operator tasks in the portal.", - "composite": false, - "clientRole": false, - "containerId": "onap", - "attributes": {} - }, - { - "name": "uma_authorization", - "description": "${role_uma_authorization}", - "composite": false, - "clientRole": false, - "containerId": "onap", - "attributes": {} - }, - { - "name": "default-roles-onap", - "description": "${role_default-roles}", - "composite": true, - "composites": { - "realm": [ - "offline_access", - "uma_authorization" - ], - "client": { - "account": [ - "view-profile", - "manage-account" - ] - } - }, - "clientRole": false, - "containerId": "onap", - "attributes": {} - } - ] - }, - "clients": [ - { - "clientId": "portal-app", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "{{ .Values.portalUrl }}/*", - "http://localhost/*" - ], - "webOrigins": [ - "*" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "{{ .Values.portalUrl }}/*", - "oauth2.device.authorization.grant.enabled": "false", - "display.on.consent.screen": "false", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "name": "User-Roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "roles", - "multivalued": "true", - "userinfo.token.claim": "true" - } - }, - { - "name": "SDC-User", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "sdc_user", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "sdc_user", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, { - "clientId" : "portal-bff", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "secret" : "pKOuVH1bwRZoNzp5P5t4GV8CqcCJYVtr", - "redirectUris" : [ ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : false, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : false, - "serviceAccountsEnabled" : true, - "publicClient" : false, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "saml.force.post.binding" : "false", - "saml.multivalued.roles" : "false", - "frontchannel.logout.session.required" : "false", - "oauth2.device.authorization.grant.enabled" : "false", - "backchannel.logout.revoke.offline.tokens" : "false", - "saml.server.signature.keyinfo.ext" : "false", - "use.refresh.tokens" : "true", - "oidc.ciba.grant.enabled" : "false", - "backchannel.logout.session.required" : "true", - "client_credentials.use_refresh_token" : "false", - "require.pushed.authorization.requests" : "false", - "saml.client.signature" : "false", - "saml.allow.ecp.flow" : "false", - "id.token.as.detached.signature" : "false", - "saml.assertion.signature" : "false", - "client.secret.creation.time" : "1665048112", - "saml.encrypt" : "false", - "saml.server.signature" : "false", - "exclude.session.state.from.auth.response" : "false", - "saml.artifact.binding" : "false", - "saml_force_name_id_format" : "false", - "acr.loa.map" : "{}", - "tls.client.certificate.bound.access.tokens" : "false", - "saml.authnstatement" : "false", - "display.on.consent.screen" : "false", - "token.response.type.bearer.lower-case" : "false", - "saml.onetimeuse.condition" : "false" - }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : true, - "nodeReRegistrationTimeout" : -1, - "protocolMappers" : [ { - "name" : "Client Host", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usersessionmodel-note-mapper", - "consentRequired" : false, - "config" : { - "user.session.note" : "clientHost", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "clientHost", - "jsonType.label" : "String" - } - }, { - "name" : "Client IP Address", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usersessionmodel-note-mapper", - "consentRequired" : false, - "config" : { - "user.session.note" : "clientAddress", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "clientAddress", - "jsonType.label" : "String" - } - } ], - "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - }], - "users": [ - { - "createdTimestamp" : 1664965113698, - "username" : "onap-admin", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "attributes" : { - "sdc_user" : [ "cs0008" ] - }, - "credentials" : [ { - "type" : "password", - "createdDate" : 1664965134586, - "secretData" : "{\"value\":\"nD4K4x8HEgk6xlWIAgzZOE+EOjdbovJfEa7N3WXwIMCWCfdXpn7Riys7hZhI1NbKcc9QPI9j8LQB/JSuZVcXKA==\",\"salt\":\"T8X9A9tT2cyLvEjHFo+zuQ==\",\"additionalParameters\":{}}", - "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "default-roles-onap", "onap_admin" ], - "notBefore" : 0, - "groups" : [ ] - }, { - "createdTimestamp" : 1665048354760, - "username" : "onap-designer", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "attributes" : { - "sec_user" : [ "cs0008" ] - }, - "credentials" : [ ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "default-roles-onap", "onap_designer" ], - "notBefore" : 0, - "groups" : [ ] - }, { - "createdTimestamp" : 1665048547054, - "username" : "onap-operator", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "attributes" : { - "sdc_user" : [ "cs0008" ] - }, - "credentials" : [ ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "default-roles-onap", "onap_operator" ], - "notBefore" : 0, - "groups" : [ ] - }, { - "createdTimestamp" : 1665048112458, - "username" : "service-account-portal-bff", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "serviceAccountClientId" : "portal-bff", - "credentials" : [ ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "default-roles-onap" ], - "clientRoles" : { - "realm-management" : [ "manage-realm", "manage-users" ] - }, - "notBefore" : 0, - "groups" : [ ] - } - ], - "attributes": { - "frontendUrl": "{{ .Values.portalUrl }}/auth/", - "acr.loa.map": "{\"ABC\":\"5\"}" - } -} diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml index e54a4c7bcf..fb2a8955ff 100644 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml @@ -21,12 +21,12 @@ global: fullnameOverride: "" nameOverride: "" -#keycloakUrl: "https://keycloak-ui.simpledemo.onap.org/auth/" +keycloakUrl: "https://keycloak-ui.simpledemo.onap.org/auth/" portalUrl: "https://portal-ng-ui.simpledemo.onap.org" image: repository: adorsys/keycloak-config-cli - tag: "{{ .Chart.AppVersion }}" + tag: "{{ .Chart.AppVersion }}-19.0.3" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. diff --git a/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json b/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json new file mode 100644 index 0000000000..d845c60cfb --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json @@ -0,0 +1,426 @@ +{ + "id": "ONAP", + "realm": "ONAP", + "enabled": true, + "roles": { + "realm": [ + { + "name": "onap_admin", + "description": "User role for administration tasks in the portal.", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "user", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "admin", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "onap_designer", + "description": "User role for designer tasks in the portal.", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "onap_operator", + "description": "User role for operator tasks in the portal.", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "default-roles-onap", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "view-profile", + "manage-account" + ] + } + }, + "clientRole": false, + "containerId": "onap", + "attributes": {} + } + ] + }, + "groups": [ + { + "name": "admins", + "path": "/admins", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + } + ], + "clients": [ + { + "clientId": "oauth2-proxy", + "name": "Oauth2 Proxy", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "5YSOkJz99WHv8enDZPknzJuGqVSerELp", + "redirectUris": [ + "*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "tls-client-certificate-bound-access-tokens": "false", + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "acr.loa.map": "{}", + "require.pushed.authorization.requests": "false", + "oauth2.device.authorization.grant.enabled": "false", + "display.on.consent.screen": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "token.response.type.bearer.lower-case": "false", + "use.refresh.tokens": "true" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "name": "SDC-User", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "multivalued": "false", + "userinfo.token.claim": "true", + "user.attribute": "sdc_user", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "sdc_user", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "groups", + "microprofile-jwt" + ] + }, + { + "clientId": "portal-app", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "{{ .Values.portalUrl }}/*", + "http://localhost/*" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "post.logout.redirect.uris": "{{ .Values.portalUrl }}/*", + "oauth2.device.authorization.grant.enabled": "false", + "display.on.consent.screen": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "name": "User-Roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "roles", + "multivalued": "true", + "userinfo.token.claim": "true" + } + }, + { + "name": "SDC-User", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "sdc_user", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "sdc_user", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "clientId" : "portal-bff", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "pKOuVH1bwRZoNzp5P5t4GV8CqcCJYVtr", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : false, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : true, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "saml.force.post.binding" : "false", + "saml.multivalued.roles" : "false", + "frontchannel.logout.session.required" : "false", + "oauth2.device.authorization.grant.enabled" : "false", + "backchannel.logout.revoke.offline.tokens" : "false", + "saml.server.signature.keyinfo.ext" : "false", + "use.refresh.tokens" : "true", + "oidc.ciba.grant.enabled" : "false", + "backchannel.logout.session.required" : "true", + "client_credentials.use_refresh_token" : "false", + "require.pushed.authorization.requests" : "false", + "saml.client.signature" : "false", + "saml.allow.ecp.flow" : "false", + "id.token.as.detached.signature" : "false", + "saml.assertion.signature" : "false", + "client.secret.creation.time" : "1665048112", + "saml.encrypt" : "false", + "saml.server.signature" : "false", + "exclude.session.state.from.auth.response" : "false", + "saml.artifact.binding" : "false", + "saml_force_name_id_format" : "false", + "acr.loa.map" : "{}", + "tls.client.certificate.bound.access.tokens" : "false", + "saml.authnstatement" : "false", + "display.on.consent.screen" : "false", + "token.response.type.bearer.lower-case" : "false", + "saml.onetimeuse.condition" : "false" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : true, + "nodeReRegistrationTimeout" : -1, + "protocolMappers" : [ { + "name" : "Client Host", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usersessionmodel-note-mapper", + "consentRequired" : false, + "config" : { + "user.session.note" : "clientHost", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "clientHost", + "jsonType.label" : "String" + } + }, { + "name" : "Client IP Address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usersessionmodel-note-mapper", + "consentRequired" : false, + "config" : { + "user.session.note" : "clientAddress", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "clientAddress", + "jsonType.label" : "String" + } + } ], + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + } + ], + "users": [ + { + "createdTimestamp" : 1664965113698, + "username" : "onap-admin", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "attributes" : { + "sdc_user" : [ "cs0008" ] + }, + "credentials" : [ { + "type" : "password", + "createdDate" : 1664965134586, + "secretData" : "{\"value\":\"nD4K4x8HEgk6xlWIAgzZOE+EOjdbovJfEa7N3WXwIMCWCfdXpn7Riys7hZhI1NbKcc9QPI9j8LQB/JSuZVcXKA==\",\"salt\":\"T8X9A9tT2cyLvEjHFo+zuQ==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-onap", "onap_admin" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "createdTimestamp" : 1665048354760, + "username" : "onap-designer", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "attributes" : { + "sec_user" : [ "cs0008" ] + }, + "credentials" : [ ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-onap", "onap_designer" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "createdTimestamp" : 1665048547054, + "username" : "onap-operator", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "attributes" : { + "sdc_user" : [ "cs0008" ] + }, + "credentials" : [ ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-onap", "onap_operator" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "createdTimestamp" : 1665048112458, + "username" : "service-account-portal-bff", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "serviceAccountClientId" : "portal-bff", + "credentials" : [ ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-onap" ], + "clientRoles" : { + "realm-management" : [ "manage-realm", "manage-users" ] + }, + "notBefore" : 0, + "groups" : [ ] + } + ], + "clientScopes": [ + { + "name": "groups", + "description": "Membership to a group", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "gui.order": "", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-group-membership-mapper", + "consentRequired": false, + "config": { + "full.path": "false", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "userinfo.token.claim": "true" + } + } + ] + } + ], + "attributes": { + "frontendUrl": "{{ .Values.KEYCLOAK_URL }}", + "acr.loa.map": "{\"ABC\":\"5\"}" + } +} diff --git a/kubernetes/platform/components/keycloak-init/templates/secret.yaml b/kubernetes/platform/components/keycloak-init/templates/secret.yaml new file mode 100644 index 0000000000..0d9b387dfa --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/templates/secret.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: keycloak-config-cli-config-realms + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +{{- with .Files.Glob "resources/realms/*json" }} +data: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ tpl ($.Files.Get $path) $ | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/kubernetes/platform/components/keycloak-init/values.yaml b/kubernetes/platform/components/keycloak-init/values.yaml index 5e975147ab..7eecf195f7 100644 --- a/kubernetes/platform/components/keycloak-init/values.yaml +++ b/kubernetes/platform/components/keycloak-init/values.yaml @@ -19,15 +19,18 @@ global: virtualhost: baseurl: "simpledemo.onap.org" +KEYCLOAK_URL: &kc-url "https://keycloak-ui.simpledemo.onap.org/auth/" +PORTAL_URL: "https://portal-ui.simpledemo.onap.org" + keycloak-config-cli: #existingSecret: "keycloak-keycloakx-admin-creds" env: KEYCLOAK_URL: http://keycloak-http.keycloak.svc.cluster.local/auth/ + KEYCLOAK_SSLVERIFY: "false" + KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true" secrets: KEYCLOAK_PASSWORD: secret - config: - onap: - file: resources/realm/onap-realm.json + existingConfigSecret: "keycloak-config-cli-config-realms" ingress: service: -- cgit 1.2.3-korg