From 177077c2fe3c9aabcd1e147b129cc48cb597b07e Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Wed, 22 Feb 2023 17:35:33 +0100 Subject: [PATCH] release: add helm-environments updates for v1.0.0 (#14) --- CHANGELOG.md | 31 ++++ README.md | 11 ++ charts/centralidp/.helmignore | 4 + charts/centralidp/Chart.yaml | 6 +- charts/centralidp/README.md | 131 ++++++++++++++++ charts/centralidp/README.md.gotmpl | 52 +++++++ .../templates/secret-external-db.yaml | 10 ++ charts/centralidp/values.yaml | 45 +++++- charts/sharedidp/.helmignore | 4 + charts/sharedidp/Chart.yaml | 4 +- charts/sharedidp/README.md | 146 ++++++++++++++++++ charts/sharedidp/README.md.gotmpl | 60 +++++++ .../templates/secret-external-db.yaml | 10 ++ charts/sharedidp/values.yaml | 46 +++++- 14 files changed, 545 insertions(+), 15 deletions(-) create mode 100644 CHANGELOG.md create mode 100644 charts/centralidp/README.md create mode 100644 charts/centralidp/README.md.gotmpl create mode 100644 charts/centralidp/templates/secret-external-db.yaml create mode 100644 charts/sharedidp/README.md create mode 100644 charts/sharedidp/README.md.gotmpl create mode 100644 charts/sharedidp/templates/secret-external-db.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..476f5a22 --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,31 @@ +# Changelog + +New features, fixed bugs, known defects and other noteworthy changes to each release of the Catena-X IAM - Keycloak instances. + +## 1.0.0 + +### Change + +* moved centralidp login theme into iam repository, removed link to portal-assets. +* updated init realms. +* moved to bitnami-full-index as dependency repository. + +### Feature + +* added option for external database. + +### Technical Support + +* added chart test workflow for lint and install. +* added documentation for installation and changelog. + +### Bugfix + +* fixed sharedidp login theme. +* added temporary fix for cve-2023-0286. + +## 0.6.0 + +### Change + +* moved repository to eclipse-tractusx. diff --git a/README.md b/README.md index 694ffbdb..90d3fe2d 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ # Catena-X IAM: Keycloak instances +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) ![Tag](https://img.shields.io/static/v1?label=&message=LeadingRepository&color=green&style=flat) + This repository contains the reference configuration to deploy the Catena-X (CX) specific Keycloak instances. The instances depend on the [helm chart from Bitnami](https://artifacthub.io/packages/helm/bitnami/keycloak) (chart version 7.1.18, app version 16.1.1). 
@@ -9,3 +11,12 @@ The repository is split up in: * The helm charts to deploy the CX Keycloak instances * The CX specific configuration (e.g. keycloak-themes and initial realm-config) * The dockerfile (Dockerfile.import) to build an image containing the CX specific configuration which is used as init container at Keycloak startup + +For information regarding the **installation** of the helm chart please refer to the chart specific README files, available under the following directories: + +* charts/centralidp +* charts/sharedidp + +For further information please refer to the [technical documentation](https://github.com/eclipse-tractusx/portal-assets/tree/1.0.0/developer/Technical%20Documentation). + +The referenced container images are for demonstration purposes only. diff --git a/charts/centralidp/.helmignore b/charts/centralidp/.helmignore index 0e8a0eb3..0bffc69f 100644 --- a/charts/centralidp/.helmignore +++ b/charts/centralidp/.helmignore @@ -21,3 +21,7 @@ .idea/ *.tmproj .vscode/ + +# Custom dirs and files +argocd/ +*.gotmpl diff --git a/charts/centralidp/Chart.yaml b/charts/centralidp/Chart.yaml index f99369a9..085b5f9b 100644 --- a/charts/centralidp/Chart.yaml +++ b/charts/centralidp/Chart.yaml @@ -1,5 +1,5 @@ ############################################################### -# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation +# Copyright (c) 2021-2023 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. @@ -21,8 +21,8 @@ apiVersion: v2 name: centralidp description: Helm chart for Catena-X Central Keycloak Instance type: application -version: 1.0.0-RC2 -appVersion: 1.0.0-RC2 +version: 1.0.0 +appVersion: 1.0.0 dependencies: - name: keycloak repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami diff --git a/charts/centralidp/README.md b/charts/centralidp/README.md new file mode 100644 index 00000000..d9bd957a 
--- /dev/null +++ b/charts/centralidp/README.md 
@@ -0,0 +1,131 @@ +# Helm chart for Catena-X Central Keycloak Instance + +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +This helm chart installs the Helm chart for Catena-X Central Keycloak Instance. + +For further information please refer to the [technical documentation](https://github.com/eclipse-tractusx/portal-assets/tree/1.0.0/developer/Technical%20Documentation). + +The referenced container images are for demonstration purposes only. + +## Installation + +To install the chart with the release name `centralidp`: + +```shell +$ helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev +$ helm install centralidp tractusx-dev/centralidp +``` + +To install the helm chart into your cluster with your values: + +```shell +$ helm install -f your-values.yaml centralidp tractusx-dev/centralidp +``` + +To use the helm chart as a dependency: + +```yaml +dependencies: + - name: centralidp + repository: https://eclipse-tractusx.github.io/charts/dev + version: 1.0.0 +``` + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami | keycloak | 7.1.18 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| keycloak.image.tag | string | `"16.1.1-debian-10-r103"` | | +| keycloak.auth.adminUser | string | `"admin"` | | +| keycloak.auth.existingSecret | string | `"centralidp-keycloak"` | Secret containing the passwords for admin username 'admin' and management username 'manager'. 
| +| keycloak.proxyAddressForwarding | bool | `true` | | +| keycloak.serviceDiscovery.enabled | bool | `true` | | +| keycloak.extraEnvVars[0].name | string | `"KEYCLOAK_USER"` | | +| keycloak.extraEnvVars[0].value | string | `"admin"` | | +| keycloak.extraEnvVars[1].name | string | `"KEYCLOAK_PASSWORD"` | | +| keycloak.extraEnvVars[1].valueFrom.secretKeyRef.name | string | `"centralidp-keycloak"` | | +| keycloak.extraEnvVars[1].valueFrom.secretKeyRef.key | string | `"admin-password"` | | +| keycloak.extraEnvVars[2].name | string | `"CACHE_OWNERS_COUNT"` | | +| keycloak.extraEnvVars[2].value | string | `"3"` | | +| keycloak.extraEnvVars[3].name | string | `"CACHE_OWNERS_AUTH_SESSIONS_COUNT"` | | +| keycloak.extraEnvVars[3].value | string | `"3"` | | +| keycloak.extraEnvVars[4].name | string | `"KEYCLOAK_EXTRA_ARGS"` | | +| keycloak.extraEnvVars[4].value | string | `"-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/realms -Dkeycloak.migration.strategy=IGNORE_EXISTING"` | | +| keycloak.replicaCount | int | `3` | | +| keycloak.extraVolumes[0].name | string | `"themes"` | | +| keycloak.extraVolumes[0].emptyDir | object | `{}` | | +| keycloak.extraVolumes[1].name | string | `"realms"` | | +| keycloak.extraVolumes[1].emptyDir | object | `{}` | | +| keycloak.extraVolumeMounts[0].name | string | `"themes"` | | +| keycloak.extraVolumeMounts[0].mountPath | string | `"/opt/bitnami/keycloak/themes/catenax-central"` | | +| keycloak.extraVolumeMounts[1].name | string | `"realms"` | | +| keycloak.extraVolumeMounts[1].mountPath | string | `"/realms"` | | +| keycloak.initContainers[0].name | string | `"import"` | | +| keycloak.initContainers[0].image | string | `"ghcr.io/catenax-ng/tx-portal-iam_iam-import:v1.0.0"` | | +| keycloak.initContainers[0].imagePullPolicy | string | `"Always"` | | +| keycloak.initContainers[0].command[0] | string | `"sh"` | | +| keycloak.initContainers[0].args[0] | string | `"-c"` | | +| 
keycloak.initContainers[0].args[1] | string | `"echo \"Copying themes...\"\ncp -R /import/themes/catenax-central/* /themes\necho \"Copying realms...\"\ncp -R /import/catenax-central/realms/* /realms\n"` | | +| keycloak.initContainers[0].volumeMounts[0].name | string | `"themes"` | | +| keycloak.initContainers[0].volumeMounts[0].mountPath | string | `"/themes"` | | +| keycloak.initContainers[0].volumeMounts[1].name | string | `"realms"` | | +| keycloak.initContainers[0].volumeMounts[1].mountPath | string | `"/realms"` | | +| keycloak.service.type | string | `"ClusterIP"` | | +| keycloak.service.sessionAffinity | string | `"ClientIP"` | | +| keycloak.ingress.enabled | bool | `false` | | +| keycloak.ingress.ingressClassName | string | `"nginx"` | | +| keycloak.ingress.hostname | string | `"centralidp.example.org"` | Provide default path for the ingress record. | +| keycloak.ingress.annotations."cert-manager.io/cluster-issuer" | string | `""` | Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-credentials" | string | `"true"` | | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-methods" | string | `"PUT, GET, POST, OPTIONS"` | | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-origin" | string | `"https://centralidp.example.org"` | | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/enable-cors" | string | `"true"` | | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffer-size" | string | `"128k"` | | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffering" | string | `"on"` | | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffers-number" | string | 
`"20"` | | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/use-regex" | string | `"true"` | | +| keycloak.ingress.tls | bool | `true` | | +| keycloak.rbac.create | bool | `true` | | +| keycloak.rbac.rules[0].apiGroups[0] | string | `""` | | +| keycloak.rbac.rules[0].resources[0] | string | `"pods"` | | +| keycloak.rbac.rules[0].verbs[0] | string | `"get"` | | +| keycloak.rbac.rules[0].verbs[1] | string | `"list"` | | +| keycloak.postgresql.enabled | bool | `true` | PostgreSQL chart configuration; default configurations: host: "centralidp-postgresql-primary", port: 5432; Switch to enable or disable the PostgreSQL helm chart. | +| keycloak.postgresql.auth.username | string | `"kccentral"` | Non-root username. | +| keycloak.postgresql.auth.database | string | `"iamcentralidp"` | Database name. | +| keycloak.postgresql.auth.existingSecret | string | `"centralidp-postgres"` | Secret containing the passwords for root usernames postgres and non-root username kccentral. | +| keycloak.postgresql.architecture | string | `"replication"` | | +| keycloak.externalDatabase.host | string | `"centralidp-postgresql-external-db"` | External PostgreSQL configuration IMPORTANT: non-root db user needs needs to be created beforehand on external database. Database host ('-primary' is added as postfix). | +| keycloak.externalDatabase.port | int | `5432` | Database port number. | +| keycloak.externalDatabase.user | string | `"kccentral"` | Non-root username for centralidp. | +| keycloak.externalDatabase.database | string | `"iamcentralidp"` | Database name. | +| keycloak.externalDatabase.password | string | `""` | Password for the non-root username (default 'kccentral'). Secret-key 'password'. | +| keycloak.externalDatabase.existingSecret | string | `"centralidp-keycloak-external-db"` | Secret containing the password non-root username, (default 'kccentral'). 
| +| keycloak.externalDatabase.existingSecretPasswordKey | string | `"password"` | Name of an existing secret key containing the database credentials. | +| secrets.auth.existingSecret.adminpassword | string | `""` | Password for the admin username 'admin'. Secret-key 'admin-password'. | +| secrets.auth.existingSecret.managementpassword | string | `""` | Password Wildfly management username 'manager'. Secret-key 'management-password'. | +| secrets.postgresql.auth.existingSecret.postgrespassword | string | `""` | Password for the root username 'postgres'. Secret-key 'postgres-password'. | +| secrets.postgresql.auth.existingSecret.password | string | `""` | Password for the non-root username 'kccentral'. Secret-key 'password'. | +| secrets.postgresql.auth.existingSecret.replicationPassword | string | `""` | Password for the non-root username 'repl_user'. Secret-key 'replication-password'. | + +Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) + +## Post-Install Configuration + +Once the installation is completed, the following steps need to be executed in the Keycloak admin console within CX-Central realm: + +1. Generate Client-Secrets for confidential clients and service accounts with access type 'confidential'. + +2. Establish connection to the sharedidp instance + +In order to enable the login of the initial user (see CX-Operator realm in sharedidp instance for username), the connection between the 'CX-Operator' identity provider of the centralidp instance and the according realm in the sharedidp instance needs to be established. +This is done by setting the 'example.org' placeholder in the CX-Operator' Identity Provider to the address of the sharedidp instance. + +3. Setup SMTP configuration (Realm Settings --> Email) diff --git a/charts/centralidp/README.md.gotmpl b/charts/centralidp/README.md.gotmpl new file mode 100644 index 00000000..604bea55 --- /dev/null +++ b/charts/centralidp/README.md.gotmpl 
@@ -0,0 +1,52 @@ +# {{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +This helm chart installs the {{ template "chart.description" . }}. + +For further information please refer to the [technical documentation](https://github.com/eclipse-tractusx/portal-assets/tree/{{ template "chart.version" . }}/developer/Technical%20Documentation). + +The referenced container images are for demonstration purposes only. + +## Installation + +To install the chart with the release name `{{ template "chart.name" . }}`: + +```shell +$ helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev +$ helm install {{ template "chart.name" . }} tractusx-dev/{{ template "chart.name" . }} +``` + +To install the helm chart into your cluster with your values: + +```shell +$ helm install -f your-values.yaml {{ template "chart.name" . }} tractusx-dev/{{ template "chart.name" . }} +``` + +To use the helm chart as a dependency: + +```yaml +dependencies: + - name: {{ template "chart.name" . }} + repository: https://eclipse-tractusx.github.io/charts/dev + version: {{ template "chart.version" . }} +``` + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) + +## Post-Install Configuration + +Once the installation is completed, the following steps need to be executed in the Keycloak admin console within CX-Central realm: + +1. Generate Client-Secrets for confidential clients and service accounts with access type 'confidential'. + +2. Establish connection to the sharedidp instance + +In order to enable the login of the initial user (see CX-Operator realm in sharedidp instance for username), the connection between the 'CX-Operator' identity provider of the centralidp instance and the according realm in the sharedidp instance needs to be established. 
+This is done by setting the 'example.org' placeholder in the CX-Operator' Identity Provider to the address of the sharedidp instance. + +3. Setup SMTP configuration (Realm Settings --> Email) diff --git a/charts/centralidp/templates/secret-external-db.yaml b/charts/centralidp/templates/secret-external-db.yaml new file mode 100644 index 00000000..eecbab8f --- /dev/null +++ b/charts/centralidp/templates/secret-external-db.yaml @@ -0,0 +1,10 @@ +{{- if not .Values.keycloak.postgresql.enabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.keycloak.externalDatabase.existingSecret}} + namespace: {{ .Release.Namespace }} +type: Opaque +stringData: + password: {{ .Values.keycloak.externalDatabase.password | default ( randAlphaNum 32 | quote ) }} +{{- end -}} diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index fdfe9632..e3c93d82 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -22,7 +22,8 @@ keycloak: tag: 16.1.1-debian-10-r103 auth: adminUser: admin - existingSecret: centralidp-keycloak + # -- Secret containing the passwords for admin username 'admin' and management username 'manager'. + existingSecret: "centralidp-keycloak" proxyAddressForwarding: true serviceDiscovery: enabled: true @@ -53,7 +54,7 @@ keycloak: mountPath: "/realms" initContainers: - name: import - image: ghcr.io/catenax-ng/tx-portal-iam_iam-import:v1.0.0-RC2 + image: ghcr.io/catenax-ng/tx-portal-iam_iam-import:v1.0.0 imagePullPolicy: Always command: - sh 
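Review bot: In the new `stringData.password` line of secret-external-db.yaml, `quote` is applied only to the random fallback, so a user-supplied `externalDatabase.password` is rendered as a plain scalar; a value such as `123456`, `true` or anything containing ` #` or `: ` is retyped or truncated by YAML and the Secret fails to apply or carries the wrong password. Move the quote outside the default: `password: {{ .Values.keycloak.externalDatabase.password | default (randAlphaNum 32) | quote }}`. The random fallback itself is questionable for an external database, since the values comment added in this same patch says the non-root user must be created beforehand, so a generated password can never authenticate and is re-rolled on every `helm upgrade`; consider `required "keycloak.externalDatabase.password (or a pre-created secret) is needed when postgresql.enabled=false"` instead, or guard the generation with `lookup` so an existing secret is preserved.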
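Review bot: The import init container is now pulled by the mutable tag `v1.0.0` with `imagePullPolicy: Always`, so the realm and theme content copied into `/realms` (which `KEYCLOAK_EXTRA_ARGS` then imports at startup) can change under a fixed chart version without any diff here. Because that content seeds the identity provider's realms, pin it by digest for the release, e.g. `image: ghcr.io/catenax-ng/tx-portal-iam_iam-import:v1.0.0@sha256:<digest-from-registry>`, or at least document in a `# --` comment that the tag is expected to be immutable. The `initContainers` entry continues past the end of this hunk.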
@@ -75,12 +76,16 @@ keycloak: ingress: enabled: false ingressClassName: "nginx" - hostname: "centralidp.dummy" + # -- Provide default path for the ingress record. + hostname: "centralidp.example.org" annotations: + # -- Enable TLS configuration for the host defined at `ingress.hostname` parameter; + # TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; + # Provide the name of ClusterIssuer to acquire the certificate required for this Ingress cert-manager.io/cluster-issuer: "" nginx.ingress.kubernetes.io/cors-allow-credentials: "true" nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS" - nginx.ingress.kubernetes.io/cors-allow-origin: "" + nginx.ingress.kubernetes.io/cors-allow-origin: "https://centralidp.example.org" nginx.ingress.kubernetes.io/enable-cors: "true" nginx.ingress.kubernetes.io/proxy-buffer-size: "128k" nginx.ingress.kubernetes.io/proxy-buffering: "on" 
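Review bot: `nginx.ingress.kubernetes.io/cors-allow-origin` is now a hard-coded `https://centralidp.example.org` sitting next to `hostname: "centralidp.example.org"` while `cors-allow-credentials` is `"true"`, and nothing ties the two values together, so a deployer who overrides only `hostname` silently keeps the example origin. The annotation presumably names the browser origin that calls this instance (verify whether that is the IdP host or the portal frontend) and should carry its own helm-docs comment: `# -- Browser origin allowed to call Keycloak with credentials; adjust together with 'hostname'. Must never be "*" while cors-allow-credentials is "true".` The remaining ingress annotations of this block continue outside the hunk.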
@@ -98,21 +103,51 @@ keycloak: - get - list postgresql: + # -- PostgreSQL chart configuration; + # default configurations: + # host: "centralidp-postgresql-primary", + # port: 5432; + # Switch to enable or disable the PostgreSQL helm chart. enabled: true auth: + # -- Non-root username. username: kccentral + # -- Database name. database: iamcentralidp - existingSecret: centralidp-postgres + # -- Secret containing the passwords for root usernames postgres and non-root username kccentral. + existingSecret: "centralidp-postgres" architecture: replication + externalDatabase: + # -- External PostgreSQL configuration + # IMPORTANT: non-root db user needs needs to be created beforehand on external database. + # Database host ('-primary' is added as postfix). + host: "centralidp-postgresql-external-db" + # -- Database port number. + port: 5432 + # -- Non-root username for centralidp. + user: "kccentral" + # -- Database name. + database: "iamcentralidp" + # -- Password for the non-root username (default 'kccentral'). Secret-key 'password'. + password: "" + # -- Secret containing the password non-root username, (default 'kccentral'). + existingSecret: "centralidp-keycloak-external-db" + # -- Name of an existing secret key containing the database credentials. + existingSecretPasswordKey: "password" secrets: auth: existingSecret: + # -- Password for the admin username 'admin'. Secret-key 'admin-password'. adminpassword: "" + # -- Password Wildfly management username 'manager'. Secret-key 'management-password'. managementpassword: "" postgresql: auth: existingSecret: + # -- Password for the root username 'postgres'. Secret-key 'postgres-password'. postgrespassword: "" + # -- Password for the non-root username 'kccentral'. Secret-key 'password'. password: "" + # -- Password for the non-root username 'repl_user'. Secret-key 'replication-password'. replicationPassword: "" diff --git a/charts/sharedidp/.helmignore b/charts/sharedidp/.helmignore index 0e8a0eb3..0bffc69f 100644 
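Review bot: `externalDatabase.password` and the `secrets.*.existingSecret.*` fields are plaintext credential slots in values.yaml, and the README added in this patch shows them being supplied via `-f your-values.yaml` (with an `argocd/` directory ignored alongside), so any value entered here is likely to end up in a committed environment file and in the autogenerated defaults table. The `# --` comments should say so and point to the out-of-band path, e.g. on `password:`: `# -- Plaintext password for the non-root user; prefer leaving empty and pre-creating the secret named in 'existingSecret' so the credential is not stored in values files.` The comment `non-root db user needs needs to be created beforehand` also has a doubled word.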
--- a/charts/sharedidp/.helmignore +++ b/charts/sharedidp/.helmignore @@ -21,3 +21,7 @@ .idea/ *.tmproj .vscode/ + +# Custom dirs and files +argocd/ +*.gotmpl diff --git a/charts/sharedidp/Chart.yaml b/charts/sharedidp/Chart.yaml index cc31a89c..21c2810b 100644 --- a/charts/sharedidp/Chart.yaml +++ b/charts/sharedidp/Chart.yaml @@ -21,8 +21,8 @@ apiVersion: v2 name: sharedidp description: Helm chart for Catena-X Shared Keycloak Instance type: application -version: 1.0.0-RC2 -appVersion: 1.0.0-RC2 +version: 1.0.0 +appVersion: 1.0.0 dependencies: - name: keycloak repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami diff --git a/charts/sharedidp/README.md b/charts/sharedidp/README.md new file mode 100644 index 00000000..22fc62e7 --- /dev/null +++ b/charts/sharedidp/README.md 
@@ -0,0 +1,146 @@ +# Helm chart for Catena-X Shared Keycloak Instance + +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +This helm chart installs the Helm chart for Catena-X Shared Keycloak Instance. + +For further information please refer to the [technical documentation](https://github.com/eclipse-tractusx/portal-assets/tree/1.0.0/developer/Technical%20Documentation). + +The referenced container images are for demonstration purposes only. + +## Installation + +To install the chart with the release name `sharedidp`: + +```shell +$ helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev +$ helm install sharedidp tractusx-dev/sharedidp +``` + +To install the helm chart into your cluster with your values: + +```shell +$ helm install -f your-values.yaml sharedidp tractusx-dev/sharedidp +``` + +To use the helm chart as a dependency: + +```yaml +dependencies: + - name: sharedidp + repository: https://eclipse-tractusx.github.io/charts/dev + version: 1.0.0 +``` + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami | keycloak | 7.1.18 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| keycloak.image.tag | string | `"16.1.1-debian-10-r103"` | | +| keycloak.auth.adminUser | string | `"admin"` | | +| keycloak.auth.existingSecret | string | `"sharedidp-keycloak"` | Secret containing the passwords for admin username 'admin' and management username 'manager'. 
| +| keycloak.proxyAddressForwarding | bool | `true` | | +| keycloak.serviceDiscovery.enabled | bool | `true` | | +| keycloak.extraEnvVars[0].name | string | `"KEYCLOAK_USER"` | | +| keycloak.extraEnvVars[0].value | string | `"admin"` | | +| keycloak.extraEnvVars[1].name | string | `"KEYCLOAK_PASSWORD"` | | +| keycloak.extraEnvVars[1].valueFrom.secretKeyRef.name | string | `"sharedidp-keycloak"` | | +| keycloak.extraEnvVars[1].valueFrom.secretKeyRef.key | string | `"admin-password"` | | +| keycloak.extraEnvVars[2].name | string | `"CACHE_OWNERS_COUNT"` | | +| keycloak.extraEnvVars[2].value | string | `"3"` | | +| keycloak.extraEnvVars[3].name | string | `"CACHE_OWNERS_AUTH_SESSIONS_COUNT"` | | +| keycloak.extraEnvVars[3].value | string | `"3"` | | +| keycloak.extraEnvVars[4].name | string | `"KEYCLOAK_EXTRA_ARGS"` | | +| keycloak.extraEnvVars[4].value | string | `"-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/realms -Dkeycloak.migration.strategy=IGNORE_EXISTING"` | | +| keycloak.replicaCount | int | `3` | | +| keycloak.extraVolumes[0].name | string | `"themes-catenax-shared"` | | +| keycloak.extraVolumes[0].emptyDir | object | `{}` | | +| keycloak.extraVolumes[1].name | string | `"themes-catenax-shared-portal"` | | +| keycloak.extraVolumes[1].emptyDir | object | `{}` | | +| keycloak.extraVolumes[2].name | string | `"realms"` | | +| keycloak.extraVolumes[2].emptyDir | object | `{}` | | +| keycloak.extraVolumeMounts[0].name | string | `"themes-catenax-shared"` | | +| keycloak.extraVolumeMounts[0].mountPath | string | `"/opt/bitnami/keycloak/themes/catenax-shared"` | | +| keycloak.extraVolumeMounts[1].name | string | `"themes-catenax-shared-portal"` | | +| keycloak.extraVolumeMounts[1].mountPath | string | `"/opt/bitnami/keycloak/themes/catenax-shared-portal"` | | +| keycloak.extraVolumeMounts[2].name | string | `"realms"` | | +| keycloak.extraVolumeMounts[2].mountPath | string | `"/realms"` | | +| 
keycloak.initContainers[0].name | string | `"import"` | | +| keycloak.initContainers[0].image | string | `"ghcr.io/catenax-ng/tx-portal-iam_iam-import:v1.0.0"` | | +| keycloak.initContainers[0].imagePullPolicy | string | `"Always"` | | +| keycloak.initContainers[0].command[0] | string | `"sh"` | | +| keycloak.initContainers[0].args[0] | string | `"-c"` | | +| keycloak.initContainers[0].args[1] | string | `"echo \"Copying themes-catenax-shared...\"\ncp -R /import/themes/catenax-shared/* /themes-catenax-shared\necho \"Copying themes-catenax-shared-portal...\"\ncp -R /import/themes/catenax-shared-portal/* /themes-catenax-shared-portal\necho \"Copying realms...\"\ncp -R /import/catenax-shared/realms/* /realms\n"` | | +| keycloak.initContainers[0].volumeMounts[0].name | string | `"themes-catenax-shared"` | | +| keycloak.initContainers[0].volumeMounts[0].mountPath | string | `"/themes-catenax-shared"` | | +| keycloak.initContainers[0].volumeMounts[1].name | string | `"themes-catenax-shared-portal"` | | +| keycloak.initContainers[0].volumeMounts[1].mountPath | string | `"/themes-catenax-shared-portal"` | | +| keycloak.initContainers[0].volumeMounts[2].name | string | `"realms"` | | +| keycloak.initContainers[0].volumeMounts[2].mountPath | string | `"/realms"` | | +| keycloak.service.type | string | `"ClusterIP"` | | +| keycloak.service.sessionAffinity | string | `"ClientIP"` | | +| keycloak.ingress.enabled | bool | `false` | | +| keycloak.ingress.ingressClassName | string | `"nginx"` | | +| keycloak.ingress.hostname | string | `"sharedidp.example.org"` | Provide default path for the ingress record. 
| +| keycloak.ingress.annotations."cert-manager.io/cluster-issuer" | string | `""` | Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-credentials" | string | `"true"` | | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-methods" | string | `"PUT, GET, POST, OPTIONS"` | | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-origin" | string | `"https://sharedidp.example.org"` | | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/enable-cors" | string | `"true"` | | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffer-size" | string | `"128k"` | | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffering" | string | `"on"` | | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffers-number" | string | `"20"` | | +| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/use-regex" | string | `"true"` | | +| keycloak.ingress.tls | bool | `true` | | +| keycloak.rbac.create | bool | `true` | | +| keycloak.rbac.rules[0].apiGroups[0] | string | `""` | | +| keycloak.rbac.rules[0].resources[0] | string | `"pods"` | | +| keycloak.rbac.rules[0].verbs[0] | string | `"get"` | | +| keycloak.rbac.rules[0].verbs[1] | string | `"list"` | | +| keycloak.postgresql.enabled | bool | `true` | PostgreSQL chart configuration; default configurations: host: "sharedidp-postgresql-primary", port: 5432; Switch to enable or disable the PostgreSQL helm chart. | +| keycloak.postgresql.auth.username | string | `"kcshared"` | Non-root username. | +| keycloak.postgresql.auth.database | string | `"iamsharedidp"` | Database name. 
| +| keycloak.postgresql.auth.existingSecret | string | `"sharedidp-postgres"` | Secret containing the passwords for root usernames postgres and non-root username kcshared. | +| keycloak.postgresql.architecture | string | `"replication"` | | +| keycloak.externalDatabase.host | string | `"sharedidp-postgresql-external-db"` | External PostgreSQL configuration IMPORTANT: non-root db user needs needs to be created beforehand on external database. Database host ('-primary' is added as postfix). | +| keycloak.externalDatabase.port | int | `5432` | Database port number. | +| keycloak.externalDatabase.user | string | `"kcshared"` | Non-root username for sharedidp. | +| keycloak.externalDatabase.database | string | `"iamsharedidp"` | Database name. | +| keycloak.externalDatabase.password | string | `""` | Password for the non-root username (default 'kcshared'). Secret-key 'password'. | +| keycloak.externalDatabase.existingSecret | string | `"sharedidp-keycloak-external-db"` | Secret containing the password non-root username, (default 'kcshared'). | +| keycloak.externalDatabase.existingSecretPasswordKey | string | `"password"` | Name of an existing secret key containing the database credentials. | +| secrets.auth.existingSecret.adminpassword | string | `""` | Password for the admin username 'admin'. Secret-key 'admin-password'. | +| secrets.auth.existingSecret.managementpassword | string | `""` | Password Wildfly management username 'manager'. Secret-key 'management-password'. | +| secrets.postgresql.auth.existingSecret.postgrespassword | string | `""` | Password for the root username 'postgres'. Secret-key 'postgres-password'. | +| secrets.postgresql.auth.existingSecret.password | string | `""` | Password for the non-root username 'kcshared'. Secret-key 'password'. | +| secrets.postgresql.auth.existingSecret.replicationPassword | string | `""` | Password for the non-root username 'repl_user'. Secret-key 'replication-password'. 
| +| secrets.realmuser.enabled | bool | `false` | | + +Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) + +## Post-Install Configuration + +Once the installation is completed, the following steps need to be executed in the Keycloak admin console: + +### Within the master realm: + +Generate client-secrets for the service account with access type 'confidential'. + +### Within the CX-Operator realm: + +#### Establish connection to the centralidp instance: + +1. Change the example.org placeholder in the central-idp client the to the address of the centralidp instance: + +* Settings --> Valid Redirect URI +* Keys --> JWKS URL + +2. Set password and user details for the initial user. + +3. Setup SMTP configuration (Realm Settings --> Email) diff --git a/charts/sharedidp/README.md.gotmpl b/charts/sharedidp/README.md.gotmpl new file mode 100644 index 00000000..add6fc32 --- /dev/null +++ b/charts/sharedidp/README.md.gotmpl 
@@ -0,0 +1,60 @@
+# {{ template "chart.description" . }}
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+This helm chart installs the {{ template "chart.description" . }}.
+
+For further information please refer to the [technical documentation](https://github.com/eclipse-tractusx/portal-assets/tree/{{ template "chart.version" . }}/developer/Technical%20Documentation).
+
+The referenced container images are for demonstration purposes only.
+
+## Installation
+
+To install the chart with the release name `{{ template "chart.name" . }}`:
+
+```shell
+$ helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
+$ helm install {{ template "chart.name" . }} tractusx-dev/{{ template "chart.name" . }}
+```
+
+To install the helm chart into your cluster with your values:
+
+```shell
+$ helm install -f your-values.yaml {{ template "chart.name" . }} tractusx-dev/{{ template "chart.name" . }}
+```
+
+To use the helm chart as a dependency:
+
+```yaml
+dependencies:
+ - name: {{ template "chart.name" . }}
+ repository: https://eclipse-tractusx.github.io/charts/dev
+ version: {{ template "chart.version" . }}
+```
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs)
+
+## Post-Install Configuration
+
+Once the installation is completed, the following steps need to be executed in the Keycloak admin console:
+
+### Within the master realm:
+
+Generate client-secrets for the service account with access type 'confidential'.
+
+### Within the CX-Operator realm:
+
+#### Establish connection to the centralidp instance:
+
+1. Change the example.org placeholder in the central-idp client the to the address of the centralidp instance:
+
+* Settings --> Valid Redirect URI
+* Keys --> JWKS URL
+
+2. Set password and user details for the initial user.
+
+3. 
Setup SMTP configuration (Realm Settings --> Email)
diff --git a/charts/sharedidp/templates/secret-external-db.yaml b/charts/sharedidp/templates/secret-external-db.yaml
new file mode 100644
index 00000000..eecbab8f
--- /dev/null
+++ b/charts/sharedidp/templates/secret-external-db.yaml
@@ -0,0 +1,10 @@
+{{- if not .Values.keycloak.postgresql.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.keycloak.externalDatabase.existingSecret}}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+ password: {{ .Values.keycloak.externalDatabase.password | default ( randAlphaNum 32 | quote ) }}
+{{- end -}}
diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml
index 7b1765a6..a786f452 100644
--- a/charts/sharedidp/values.yaml
+++ b/charts/sharedidp/values.yaml
@@ -22,7 +22,8 @@ keycloak:
 tag: 16.1.1-debian-10-r103
 auth:
 adminUser: admin
- existingSecret: sharedidp-keycloak
+ # -- Secret containing the passwords for admin username 'admin' and management username 'manager'.
+ existingSecret: "sharedidp-keycloak"
 proxyAddressForwarding: true
 serviceDiscovery:
 enabled: true
@@ -57,7 +58,7 @@ keycloak:
 mountPath: "/realms"
 initContainers:
 - name: import
- image: ghcr.io/catenax-ng/tx-portal-iam_iam-import:v1.0.0-RC2
+ image: ghcr.io/catenax-ng/tx-portal-iam_iam-import:v1.0.0
 imagePullPolicy: Always
 command:
 - sh
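Review bot: In `password: {{ .Values.keycloak.externalDatabase.password | default ( randAlphaNum 32 | quote ) }}` the `quote` applies only to the generated fallback, so a password supplied through `keycloak.externalDatabase.password` is emitted as a plain scalar and a value containing `#`, `: `, or a leading `*`, `&` or `{` breaks or truncates the rendered Secret; `password: {{ .Values.keycloak.externalDatabase.password | default (randAlphaNum 32) | quote }}` quotes both cases. The fallback itself does not fit this template: the values hunk states that the non-root user must be created on the external database beforehand, so a random 32-character string can never match that user's credential, and because `randAlphaNum` is evaluated on every render, each `helm upgrade` without an explicit password rewrites the Secret with a fresh value. A `required "keycloak.externalDatabase.password must be set when postgresql.enabled is false"` guard, or at least a values comment stating that the password is mandatory in external-database mode, would surface the misconfiguration at install time rather than as a database authentication failure later. `name: {{ .Values.keycloak.externalDatabase.existingSecret}}` is also missing the space before `}}`, which is harmless but inconsistent with the other expressions in this file.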
@@ -83,12 +84,16 @@ keycloak:
 ingress:
 enabled: false
 ingressClassName: "nginx"
- hostname: "sharedidp.dummy"
+ # -- Provide default path for the ingress record.
+ hostname: "sharedidp.example.org"
 annotations:
+ # -- Enable TLS configuration for the host defined at `ingress.hostname` parameter;
+ # TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`;
+ # Provide the name of ClusterIssuer to acquire the certificate required for this Ingress
 cert-manager.io/cluster-issuer: ""
 nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
 nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
- nginx.ingress.kubernetes.io/cors-allow-origin: ""
+ nginx.ingress.kubernetes.io/cors-allow-origin: "https://sharedidp.example.org"
 nginx.ingress.kubernetes.io/enable-cors: "true"
 nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
 nginx.ingress.kubernetes.io/proxy-buffering: "on"
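Review bot: The comment added above `hostname: "sharedidp.example.org"`, `# -- Provide default path for the ingress record.`, describes a path while the key is the ingress host; helm-docs copies this text into the README table, so `# -- Default hostname for the ingress record.` would be the accurate description. The three comment lines inserted under `annotations:` talk about enabling TLS and a `{{- printf "%s-tls" .Values.ingress.hostname }}` secret, which reads like the upstream chart's `ingress.tls` description rather than that of the `cert-manager.io/cluster-issuer: ""` annotation they sit above, and in this file the host presumably lives under `keycloak.ingress.hostname`, not `.Values.ingress.hostname`; a single line such as `# -- Name of the cert-manager ClusterIssuer that should issue the certificate for this host.` says what the annotation actually controls. Since helm-docs attaches a `# --` comment block to the key that follows it, the three-line text will presumably appear verbatim as the `cert-manager.io/cluster-issuer` row in the generated README.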
@@ -106,23 +111,54 @@ keycloak:
 - get
 - list
 postgresql:
+ # -- PostgreSQL chart configuration;
+ # default configurations:
+ # host: "sharedidp-postgresql-primary",
+ # port: 5432;
+ # Switch to enable or disable the PostgreSQL helm chart.
 enabled: true
 auth:
+ # -- Non-root username.
 username: kcshared
+ # -- Database name.
 database: iamsharedidp
- existingSecret: sharedidp-postgres
+ # -- Secret containing the passwords for root usernames postgres and non-root username kcshared.
+ existingSecret: "sharedidp-postgres"
 architecture: replication
+ externalDatabase:
+ # -- External PostgreSQL configuration
+ # IMPORTANT: non-root db user needs needs to be created beforehand on external database.
+ # Database host ('-primary' is added as postfix).
+ host: "sharedidp-postgresql-external-db"
+ # -- Database port number.
+ port: 5432
+ # -- Non-root username for sharedidp.
+ user: "kcshared"
+ # -- Database name.
+ database: "iamsharedidp"
+ # -- Password for the non-root username (default 'kcshared'). Secret-key 'password'.
+ password: ""
+ # -- Secret containing the password non-root username, (default 'kcshared').
+ existingSecret: "sharedidp-keycloak-external-db"
+ # -- Name of an existing secret key containing the database credentials.
+ existingSecretPasswordKey: "password"
 secrets:
 auth:
 existingSecret:
+ # -- Password for the admin username 'admin'. Secret-key 'admin-password'.
 adminpassword: ""
+ # -- Password Wildfly management username 'manager'. Secret-key 'management-password'.
 managementpassword: ""
 postgresql:
 auth:
 existingSecret:
+ # -- Password for the root username 'postgres'. Secret-key 'postgres-password'.
 postgrespassword: ""
+ # -- Password for the non-root username 'kcshared'. Secret-key 'password'.
 password: ""
+ # -- Password for the non-root username 'repl_user'. Secret-key 'replication-password'.
 replicationPassword: ""
 realmuser:
+ # Enables the import of test users via secret.
 enabled: false