Merge pull request #3 from catenax-ng/main

feat: Merge upstream v1.1.0

.github/workflows/centralidp-chart-test.yaml

@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 

.github/workflows/chart-release.yaml

@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 

.github/workflows/cx-iam-beta.yml

@@ -46,21 +46,21 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract Metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       # Build and push KeyCloak custom images for central and shared idp instances
       - name: 'Build and push KeyCloak images'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v4
         with:
           context: .
           file: docker/Dockerfile.beta.import

.github/workflows/cx-iam-dev.yml

@@ -46,21 +46,21 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract Metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       # Build and push KeyCloak custom images for central and shared idp instances
       - name: 'Build and push KeyCloak images'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v4
         with:
           context: .
           file: docker/Dockerfile.dev.import

.github/workflows/cx-iam-int.yml

@@ -46,21 +46,21 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract Metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       # Build and push KeyCloak custom images for central and shared idp instances
       - name: 'Build and push KeyCloak images'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v4
         with:
           context: .
           file: docker/Dockerfile.int.import

.github/workflows/cx-iam-pen.yml

@@ -46,21 +46,21 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract Metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       # Build and push KeyCloak custom images for central and shared idp instances
       - name: 'Build and push KeyCloak images'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v4
         with:
           context: .
           file: docker/Dockerfile.pen.import

.github/workflows/cx-iam-pre-prod.yml

@@ -46,21 +46,21 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract Metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       # Build and push KeyCloak custom images for central and shared idp instances
       - name: 'Build and push KeyCloak images'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v4
         with:
           context: .
           file: docker/Dockerfile.pre-prod.import

.github/workflows/cx-iam.yml

@@ -45,20 +45,20 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract Metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       - name: Build and push Keycloak custom image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v4
         with:
           context: .
           file: docker/Dockerfile.import

.github/workflows/sharedidp-chart-test.yaml

@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 

.tractusx

@@ -0,0 +1,6 @@
+product: "cx-iam"
+leadingRepository: "https://github.com/eclipse-tractusx/portal-iam"
+repositories:
+  - name: "cx-iam"
+    usage: "cx-iam: Keycloak instances"
+    url: "https://github.com/eclipse-tractusx/portal-iam"

CHANGELOG.md

@@ -2,6 +2,33 @@
 
 New features, fixed bugs, known defects and other noteworthy changes to each release of the Catena-X IAM - Keycloak instances.
 
+## 1.1.0
+
+### Change
+
+* realm init (centralidp - cx-central): see [Post-Upgrade Configuration](./charts/centralidp/README.md#post-upgrade-configuration)
+* changed to secret name to be retrieved from values file
+
+### Bugfix
+
+* login theme (centralidp - cx-central): allowed to search for numbers only at idp-selection
+* enabled usage of existing secret values if secret exists: stops regeneration of random secret values at 'helm upgrade'
+* stopped creation of the corresponding secret if database dependency is disabled
+* realm init (centralidp): switched to singleFile import
+
+### Technical Support
+
+* added documentation for post-upgrade configuration
+* trg: added repo metafile
+* upgraded workflow actions
+
+## 1.0.1
+
+### Technical Support
+
+* added license files on chart level
+* added information about home and sources to charts
+
 ## 1.0.0
 
 ### Change

README.md

@@ -12,9 +12,14 @@ The repository is split up in:
 * The CX specific configuration (e.g. keycloak-themes and initial realm-config)
 * The dockerfile (Dockerfile.import) to build an image containing the CX specific configuration which is used as init container at Keycloak startup
 
-For further information especially regarding the **installation** of the helm charts please refer to the chart specific README files, available under the following directories:
+For further information please refer to the chart specific README files, available under the following directories:
 
 * charts/centralidp
+  * [Installation](./charts/centralidp/README.md#installation)
+  * [Post-Install Configuration](./charts/centralidp/README.md#post-install-configuration)
+  * [Post-Upgrade Configuration](./charts/centralidp/README.md#post-upgrade-configuration)
 * charts/sharedidp
+  * [Installation](./charts/sharedidp/README.md#installation)
+  * [Post-Install Configuration](./charts/sharedidp/README.md#post-install-configuration)
 
 The referenced container images are for demonstration purposes only.

charts/centralidp/Chart.yaml

@@ -20,8 +20,8 @@
 apiVersion: v2
 name: centralidp
 type: application
-version: 1.0.1
-appVersion: 1.0.0
+version: 1.1.0
+appVersion: 1.1.0
 description: Helm chart for Catena-X Central Keycloak Instance
 home: https://github.com/eclipse-tractusx/portal-iam
 sources:

charts/centralidp/README.md

@@ -1,10 +1,10 @@
 # Helm chart for Catena-X Central Keycloak Instance
 
-![Version: 1.0.1](https://img.shields.io/badge/Version-1.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.0](https://img.shields.io/badge/AppVersion-1.1.0-informational?style=flat-square)
 
 This helm chart installs the Helm chart for Catena-X Central Keycloak Instance.
 
-For further information please refer to the [technical documentation](https://github.com/eclipse-tractusx/portal-assets/tree/1.0.0/developer/Technical%20Documentation).
+For further information please refer to the [technical documentation](https://github.com/eclipse-tractusx/portal-assets/tree/1.1.0/developer/Technical%20Documentation).
 
 The referenced container images are for demonstration purposes only.
 
@@ -29,7 +29,7 @@ To use the helm chart as a dependency:
 dependencies:
   - name: centralidp
     repository: https://eclipse-tractusx.github.io/charts/dev
-    version: 1.0.1
+    version: 1.1.0
 ```
 
 ## Requirements
@@ -68,7 +68,7 @@ dependencies:
 | keycloak.extraVolumeMounts[1].name | string | `"realms"` |  |
 | keycloak.extraVolumeMounts[1].mountPath | string | `"/realms"` |  |
 | keycloak.initContainers[0].name | string | `"import"` |  |
-| keycloak.initContainers[0].image | string | `"ghcr.io/catenax-ng/tx-portal-iam_iam-import:v1.0.0"` |  |
+| keycloak.initContainers[0].image | string | `"ghcr.io/catenax-ng/tx-portal-iam_iam-import:v1.1.0"` |  |
 | keycloak.initContainers[0].imagePullPolicy | string | `"Always"` |  |
 | keycloak.initContainers[0].command[0] | string | `"sh"` |  |
 | keycloak.initContainers[0].args[0] | string | `"-c"` |  |
@@ -129,3 +129,48 @@ In order to enable the login of the initial user (see CX-Operator realm in share
 This is done by setting the 'example.org' placeholder in the CX-Operator' Identity Provider to the address of the sharedidp instance.
 
 3. Setup SMTP configuration (Realm Settings --> Email)
+
+## Post-Upgrade Configuration
+
+This section describes the necessary changes to the CX-Central realm when upgrading from version 1.0.0 or 1.0.1 to 1.1.0:
+
+Create the following new client:
+
+* Client ID: Cl20-CX-IRS
+* Description: Decentral IRS Component for Traceability and CE Apps
+* Access Type: bearer-only
+
+  Add the following role to the new client:
+
+  * Role Name: view_irs
+  * Description: view_irs
+
+Changes to composite roles of the Cl2-CX-Portal client:
+
+* CX Admin:
+  * assign the update_service_offering role of the Cl2-CX-Portal client
+  * assign the view_company_data and delete_company_data roles of the Cl7-CX-BPDM client
+
+* assign the view_company_data role of the Cl7-CX-BPDM client to the following composite roles:
+  * Service Manager
+  * App Developer
+  * Business Admin
+  * IT Admin
+  * Sales Manager
+  * Company Admin
+  * CX User
+  * App Manager
+  * Purchaser
+
+* IT Admin: assign the add_connectors role of the Cl2-CX-Portal client
+
+* Company Admin: remove the add_service_offering, activate_subscription and app management roles of the Cl2-CX-Portal client
+
+Changes to composite roles of the technical_roles_management client:
+
+* App Tech User:
+  * assign the view_membership role of the Cl2-CX-Portal client
+  * assign the view_irs of the 'Cl20-CX-IRS' client
+
+* Service Management:
+  * assign the add_connectors role of the Cl2-CX-Portal client

charts/centralidp/README.md.gotmpl

@@ -50,3 +50,48 @@ In order to enable the login of the initial user (see CX-Operator realm in share
 This is done by setting the 'example.org' placeholder in the CX-Operator' Identity Provider to the address of the sharedidp instance.
 
 3. Setup SMTP configuration (Realm Settings --> Email)
+
+## Post-Upgrade Configuration
+
+This section describes the necessary changes to the CX-Central realm when upgrading from version 1.0.0 or 1.0.1 to 1.1.0:
+
+Create the following new client:
+
+* Client ID: Cl20-CX-IRS
+* Description: Decentral IRS Component for Traceability and CE Apps
+* Access Type: bearer-only
+
+  Add the following role to the new client:
+
+  * Role Name: view_irs
+  * Description: view_irs
+
+Changes to composite roles of the Cl2-CX-Portal client:
+
+* CX Admin:
+  * assign the update_service_offering role of the Cl2-CX-Portal client
+  * assign the view_company_data and delete_company_data roles of the Cl7-CX-BPDM client
+
+* assign the view_company_data role of the Cl7-CX-BPDM client to the following composite roles:
+  * Service Manager
+  * App Developer
+  * Business Admin
+  * IT Admin
+  * Sales Manager
+  * Company Admin
+  * CX User
+  * App Manager
+  * Purchaser
+
+* IT Admin: assign the add_connectors role of the Cl2-CX-Portal client
+
+* Company Admin: remove the add_service_offering, activate_subscription and app management roles of the Cl2-CX-Portal client
+
+Changes to composite roles of the technical_roles_management client:
+
+* App Tech User:
+  * assign the view_membership role of the Cl2-CX-Portal client
+  * assign the view_irs of the 'Cl20-CX-IRS' client
+
+* Service Management:
+  * assign the add_connectors role of the Cl2-CX-Portal client

charts/centralidp/templates/secret-centralidp.yaml

@@ -1,10 +1,21 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  annotations:
-  name: centralidp-keycloak
+  name: {{ .Values.keycloak.auth.existingSecret }}
   namespace: {{ .Release.Namespace }}
 type: Opaque
+# use lookup function to check if secret exists
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.keycloak.auth.existingSecret) }}
+{{ if $secret -}}
+data:
+  # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret
+  # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret
+  # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too
+  admin-password: {{ ( .Values.secrets.auth.existingSecret.adminpassword | b64enc ) | default ( index $secret.data "admin-password" ) }}
+  management-password: {{ ( .Values.secrets.auth.existingSecret.managementpassword | b64enc ) | default ( index $secret.data "management-password" ) }}
+{{ else -}}
 stringData:
+  # if secret doesn't exist, use provided value from values file or generate a random one
   admin-password: {{ .Values.secrets.auth.existingSecret.adminpassword | default ( randAlphaNum 32 | quote ) }}
   management-password: {{ .Values.secrets.auth.existingSecret.managementpassword | default ( randAlphaNum 32 | quote ) }}
+{{ end }}