Update of Microgateway and IAM (#45)

* Readme improved
* Airlock Microgateway updated to version 3.0.0
* Airlock IAM updated to version latest-7.5
  * New readinessProbe and livenessProbe configured
* IAM configuration improved and updated to version 7.5
* Replaced the configured artefacts with the new ones for IAM 7.5
  * Mapping templates
  * OpenAPI specification file
  * Database schema
* Improved the Microgateway configuration
* Set targetRevision to v4.0.0

README.md

@@ -3,11 +3,6 @@
 This repository contains deployment examples for [Airlock] on [Minikube]. It shows how to protect a backend application with Airlock Microgateway and how to authenticate users using Airlock IAM. The
 source code is available under the [MIT license].
 
-## About Ergon
-
-*Airlock* is a registered trademark of [Ergon]. Ergon is a Swiss leader in leveraging digitalisation to create unique and effective client benefits, from conception to market, the result of which is
-the international distribution of globally revered products.
-
 ## Overview
 
 ![Overview](/.github/images/overview.svg)
@@ -281,11 +276,14 @@ Afterwards sign in: `https://localhost:8080/`
   * Username: `admin`
   * Password: `<From the command described above>`
 
-## Additional information
-- [Airlock Microgateway](https://www.airlock.com/microgateway)
-- [Airlock Microgateway Manual](https://docs.airlock.com/microgateway/latest/)
-- [Airlock Community Forum](https://forum.airlock.com)
-- [Airlock Helm Charts](https://github.com/ergon/airlock-helm-charts)
+## Additional Information
+- Introduction: [Airlock Microgateway](https://www.airlock.com/microgateway)
+- Documentation: [Airlock Microgateway Manual](https://docs.airlock.com/microgateway/latest/)
+- Community Support: [Airlock Community Forum](https://forum.airlock.com)
+- Helm Charts: [Airlock Helm Charts](https://github.com/ergon/airlock-helm-charts)
+
+## About Ergon
+*Airlock* is a registered trademark of [Ergon](https://www.ergon.ch). Ergon is a Swiss leader in leveraging digitalisation to create unique and effective client benefits, from conception to market, the result of which is the international distribution of globally revered products.
 
 [MIT license]: https://github.com/ergon/airlock-minikube-examples/blob/main/LICENSE
 

apps/authentication/values-iam-microgateway.yaml

@@ -3,7 +3,7 @@ iam:
     spec:
       source:
         repoURL: https://ergon.github.io/airlock-helm-charts
-        targetRevision: 2.2.1
+        targetRevision: 3.0.0
         chart: microgateway
 
     resources:

apps/backend/values-echoserver-microgateway.yaml

@@ -3,7 +3,7 @@ echoserver:
     spec:
       source:
         repoURL: https://ergon.github.io/airlock-helm-charts
-        targetRevision: 2.2.1
+        targetRevision: 3.0.0
         chart: microgateway
 
     helm:

apps/iam/statefulset.yaml

@@ -20,7 +20,7 @@ spec:
 
       initContainers:
         - name: iam-init
-          image: docker.io/ergon/airlock-iam:latest-7.4
+          image: docker.io/ergon/airlock-iam:latest-7.5
           imagePullPolicy: IfNotPresent
           args: ["init"]
           volumeMounts:
@@ -29,14 +29,21 @@ spec:
               subPath: iam
       containers:
         - name: iam
-          image: docker.io/ergon/airlock-iam:latest-7.4
+          image: docker.io/ergon/airlock-iam:latest-7.5
           imagePullPolicy: IfNotPresent
+          env:
+            - name: IAM_HEALTH_ADDRESS
+              value: .*
+            - name: IAM_HEALTH_PORT
+              value: "9090"
           envFrom:
             - configMapRef:
                 name: iam-env-config
           ports:
             - name: https
               containerPort: 8443
+            - name: probes
+              containerPort: 9090
           volumeMounts:
             - name: data
               mountPath: /home/airlock/iam/
@@ -59,15 +66,15 @@ spec:
               mountPath: /home/airlock/iam/instances/auth/values/mariadb/
           livenessProbe:
             httpGet:
-              path: /health
-              port: https
-              scheme: HTTPS
+              path: /health/live
+              port: probes
+              scheme: HTTP
             initialDelaySeconds: 120
           readinessProbe:
             httpGet:
-              path: /auth-login/rest/health
-              port: https
-              scheme: HTTPS
+              path: /health/ready
+              port: probes
+              scheme: HTTP
             initialDelaySeconds: 120
       volumes:
         - name: data

apps/logging/values-kibana-microgateway.yaml

@@ -3,7 +3,7 @@ kibana:
     spec:
       source:
         repoURL: https://ergon.github.io/airlock-helm-charts
-        targetRevision: 2.2.1
+        targetRevision: 3.0.0
         chart: microgateway
 
     helm:

apps/monitoring/values-grafana-microgateway.yaml

@@ -3,7 +3,7 @@ grafana:
     spec:
       source:
         repoURL: https://ergon.github.io/airlock-helm-charts
-        targetRevision: 2.2.1
+        targetRevision: 3.0.0
         chart: microgateway
 
     helm:

data/authentication/iam/config/medusa-configuration.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<medusaConfiguration xmlns="http://www.ergon.ch" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ergon.ch medusa-config.xsd" medusa-version="7.4">
+<medusaConfiguration xmlns="http://www.ergon.ch" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ergon.ch medusa-config.xsd" medusa-version="7.5">
   <plugin class="com.airlock.iam.admin.app.application.configuration.Adminapp" id="adminapp" uuid="a25f0193-6c34-44eb-9708-cf7ac234cca3">
     <pluginProperty name="accessControl">
       <plugin uuidref="2e2e41d5-5bca-450b-bc88-b1c0b273a9ba"/>
@@ -315,8 +315,10 @@
     <property name="unorderPassword">useradmin,superadmin</property>
     <property name="viewAdministrator">superadmin</property>
     <property name="viewContextData">useradmin,tokenadmin,helpdesk,superadmin</property>
+    <property name="viewKobilActivationCode">tokenadmin,superadmin</property>
     <property name="viewLicense">superadmin</property>
     <property name="viewLog">sysadmin,superadmin</property>
+    <property name="viewOathOtpTokenSecret">tokenadmin,superadmin</property>
     <property name="viewStatistics">tokenadmin,superadmin</property>
     <property name="viewTechnicalClients">techclientadmin,superadmin</property>
     <property name="viewToken">tokenadmin,helpdesk,superadmin</property>
@@ -341,9 +343,9 @@
     <pluginProperty name="passwordRepository">
       <plugin uuidref="5c54b2e6-287c-4118-a5b6-d64e8d4caf36"/>
     </pluginProperty>
-    <pluginList name="skipConditionTags">
-      <plugin uuidref="8a3cae4d-85fa-471a-b933-00d948455da8"/>
-    </pluginList>
+    <pluginProperty name="skipCondition">
+      <plugin uuidref="b4a68208-0b33-4fc9-8626-c9845088b77f"/>
+    </pluginProperty>
     <pluginProperty name="stepId">
       <plugin uuidref="a29f520f-a7f0-48bc-8efd-a4bdbc5cada3"/>
     </pluginProperty>
@@ -378,7 +380,7 @@
     <pluginProperty name="encrypter">
       <plugin uuidref="05009e0f-7a37-4c0d-a2f4-898f40051156"/>
     </pluginProperty>
-    <property name="issuer">Airlock IAM</property>
+    <property name="issuer">airlock-iam</property>
     <pluginProperty name="signer">
       <plugin uuidref="3bcae214-793d-403b-a0a4-3799843e7b35"/>
     </pluginProperty>
@@ -391,7 +393,7 @@
     <pluginProperty name="encrypter">
       <plugin uuidref="28e4196f-de4b-4733-8999-d4ec05e72767"/>
     </pluginProperty>
-    <property name="issuer">iam</property>
+    <property name="issuer">airlock-iam</property>
     <pluginProperty name="signer">
       <plugin uuidref="f65106a9-4fb3-4d91-a1ab-b3ff72c8b2c4"/>
     </pluginProperty>
@@ -1068,6 +1070,7 @@
     <pluginProperty name="first">
       <plugin uuidref="a1486d28-0d83-4495-b287-c22511ee9fc0"/>
     </pluginProperty>
+    <property name="useUsernameFromUserPersister">false</property>
     <pluginProperty name="userPersister">
       <plugin uuidref="6ebce410-5585-44c1-9868-2cc114b304fb"/>
     </pluginProperty>
@@ -1245,15 +1248,14 @@
     <pluginProperty name="dataSources">
       <plugin uuidref="d0064eff-e40b-496d-8dca-6eec870a96ad"/>
     </pluginProperty>
+    <pluginProperty name="mainAuthenticator">
+      <plugin uuidref="3905a5aa-114e-4123-99b5-5b5c33f9b466"/>
+    </pluginProperty>
     <pluginProperty name="passwordSettings">
       <plugin uuidref="2c362f77-b400-4367-bf89-2d5d571b00d1"/>
     </pluginProperty>
   </plugin>
-  <plugin class="com.airlock.iam.core.misc.plugin.config.GlobalConfiguration$AuthenticationSettings" id="Main Authentication Settings" uuid="e41183de-281e-4aa0-9234-a71ce8e56cfb">
-    <pluginProperty name="authenticator">
-      <plugin uuidref="3905a5aa-114e-4123-99b5-5b5c33f9b466"/>
-    </pluginProperty>
-  </plugin>
+  <plugin class="com.airlock.iam.core.misc.plugin.config.GlobalConfiguration$AuthenticationSettings" id="Main Authentication Settings" uuid="e41183de-281e-4aa0-9234-a71ce8e56cfb"/>
   <plugin class="com.airlock.iam.core.misc.plugin.config.GlobalConfiguration$PersisterSettings" id="Data sources" uuid="d0064eff-e40b-496d-8dca-6eec870a96ad">
     <pluginProperty name="userDataSource">
       <plugin uuidref="2c2fe396-d7c4-45ab-b7d2-1fab5ecee047"/>
@@ -1290,9 +1292,18 @@
   <plugin class="com.airlock.iam.flow.api.application.configuration.step.StepIdConfig" id="Password Authentication Step ID &quot;pwcheck&quot;" uuid="a29f520f-a7f0-48bc-8efd-a4bdbc5cada3">
     <property name="id">pwcheck</property>
   </plugin>
+  <plugin class="com.airlock.iam.flow.application.configuration.selection.condition.TagConditionConfig" uuid="b4a68208-0b33-4fc9-8626-c9845088b77f">
+    <pluginProperty name="tag">
+      <plugin uuidref="8a3cae4d-85fa-471a-b933-00d948455da8"/>
+    </pluginProperty>
+  </plugin>
   <plugin class="com.airlock.iam.flow.application.configuration.tag.TagConfigImpl" id="Password Verified Tag" uuid="8a3cae4d-85fa-471a-b933-00d948455da8">
     <property name="name">PASSWORD_VERIFIED</property>
   </plugin>
+  <plugin class="com.airlock.iam.flow.ui.application.configuration.SameFlowRedirectTargetConfig" uuid="033926a2-16b6-4eb0-9851-94913ef81742"/>
+  <plugin class="com.airlock.iam.flow.ui.application.configuration.SameFlowRedirectTargetConfig" uuid="9b92b004-f45e-4fcd-9a3e-2a9c04b03c3c"/>
+  <plugin class="com.airlock.iam.flow.ui.application.configuration.SameFlowRedirectTargetConfig" uuid="a15a3c91-6454-442c-bde3-ccaca7f33123"/>
+  <plugin class="com.airlock.iam.flow.ui.application.configuration.SameFlowRedirectTargetConfig" uuid="b060d35d-f1ac-48cd-a0be-44a2074d75a4"/>
   <plugin class="com.airlock.iam.login.app.misc.configuration.AuthenticationConfig" uuid="1a1d8ec5-6d95-4155-b8e9-252044e2def2">
     <pluginProperty name="authenticator"/>
     <property name="defaultAfterLogoutUrl">ui/app/auth/logout/disclaimer</property>
@@ -1309,6 +1320,9 @@
     <pluginProperty name="authentication">
       <plugin uuidref="1a1d8ec5-6d95-4155-b8e9-252044e2def2"/>
     </pluginProperty>
+    <pluginProperty name="authenticationFlows">
+      <plugin uuidref="5e478f8a-d129-4b58-9487-cd940bd98dc6"/>
+    </pluginProperty>
     <pluginProperty name="miscellaneousSettings">
       <plugin uuidref="c074dafd-a5e3-4b94-9cfd-76e568c430df"/>
     </pluginProperty>
@@ -1318,6 +1332,12 @@
     <pluginProperty name="securitySettings">
       <plugin uuidref="6c87b73b-e06d-4835-9fd1-4f5b39e48e49"/>
     </pluginProperty>
+    <pluginProperty name="ui">
+      <plugin uuidref="20905f4b-85aa-445b-a7ca-5f7eea1875ac"/>
+    </pluginProperty>
+    <pluginProperty name="userStore">
+      <plugin uuidref="6a76be1e-94af-4a57-9837-ef7e4e15b7af"/>
+    </pluginProperty>
   </plugin>
   <plugin class="com.airlock.iam.login.app.misc.configuration.security.ContentSecurityPolicyConfig" uuid="85337d01-b570-44a7-94a4-27297b09d4f7"/>
   <plugin class="com.airlock.iam.login.app.misc.configuration.security.SecurityConfig" uuid="6c87b73b-e06d-4835-9fd1-4f5b39e48e49" comment="">
@@ -1544,6 +1564,8 @@
     </propertyList>
   </plugin>
   <plugin class="com.airlock.iam.login.application.configuration.targetapp.StaticWafCredentialProviderConfig" id="Static WAF Role &quot;authenticated&quot;" uuid="70559820-d8e5-49ca-aedb-64d51415ecf1">
+    <property name="idleTimeout">3600</property>
+    <property name="lifetime">28800</property>
     <property name="wafCredentialName">authenticated</property>
   </plugin>
   <plugin class="com.airlock.iam.login.application.configuration.targetapp.UserRolesProviderConfig" uuid="6af9773c-1081-4754-a038-390dbb5c2189"/>
@@ -1559,19 +1581,10 @@
       <plugin uuidref="1d826138-48f9-430e-92bf-403f7db6395e"/>
     </pluginProperty>
     <property name="encryptionKey">7aTaMWPIFivk+x+jV+bBodugwFaer+SawuPcKP+nxes=</property>
-    <pluginProperty name="flowAuthenticationConfig">
-      <plugin uuidref="5e478f8a-d129-4b58-9487-cd940bd98dc6"/>
-    </pluginProperty>
     <property name="hmacKey">J1P1j8VWpVA5/x+W00OU/Bw3ARUg1nSp639EREr2nbsYD5Rxzwu8lXuxjfhiRUuMbAuo5ox950ZIBlMe6ycqmw==</property>
     <pluginProperty name="requestCredentialPolicy">
       <plugin uuidref="025ab856-5262-4163-9e4b-cf325a1bdad0"/>
     </pluginProperty>
-    <pluginProperty name="ui">
-      <plugin uuidref="20905f4b-85aa-445b-a7ca-5f7eea1875ac"/>
-    </pluginProperty>
-    <pluginProperty name="userStoreProvider">
-      <plugin uuidref="6a76be1e-94af-4a57-9837-ef7e4e15b7af"/>
-    </pluginProperty>
     <pluginProperty name="wafConfig">
       <plugin uuidref="96252446-240e-4321-afc7-53796b0ed76d"/>
     </pluginProperty>
@@ -1598,6 +1611,9 @@
     </pluginProperty>
   </plugin>
   <plugin class="com.airlock.iam.login.rest.application.configuration.ui.authentication.AuthenticationUiConfig" id="Echo Authentication Flow UI" uuid="06b3d8a5-0bba-4d76-8575-62eecf127ce0">
+    <pluginProperty name="cancellationTarget">
+      <plugin uuidref="b060d35d-f1ac-48cd-a0be-44a2074d75a4"/>
+    </pluginProperty>
     <pluginList name="stepUiConfigurations">
       <plugin uuidref="7358849e-c98d-4609-a8a6-9cfca00a9baf"/>
     </pluginList>
@@ -1609,6 +1625,9 @@
     </pluginProperty>
   </plugin>
   <plugin class="com.airlock.iam.login.rest.application.configuration.ui.authentication.AuthenticationUiConfig" id="Grafana Authentication Flow UI" uuid="92dc3ac1-1295-47ca-8f3c-85b98429eedd">
+    <pluginProperty name="cancellationTarget">
+      <plugin uuidref="a15a3c91-6454-442c-bde3-ccaca7f33123"/>
+    </pluginProperty>
     <pluginList name="stepUiConfigurations">
       <plugin uuidref="7358849e-c98d-4609-a8a6-9cfca00a9baf"/>
     </pluginList>
@@ -1620,6 +1639,9 @@
     </pluginProperty>
   </plugin>
   <plugin class="com.airlock.iam.login.rest.application.configuration.ui.authentication.AuthenticationUiConfig" id="Default Authentication Flow UI" uuid="e4d340ab-bc10-4a2b-8376-bbbfaea64561">
+    <pluginProperty name="cancellationTarget">
+      <plugin uuidref="033926a2-16b6-4eb0-9851-94913ef81742"/>
+    </pluginProperty>
     <pluginList name="stepUiConfigurations">
       <plugin uuidref="7358849e-c98d-4609-a8a6-9cfca00a9baf"/>
     </pluginList>
@@ -1631,6 +1653,9 @@
     </pluginProperty>
   </plugin>
   <plugin class="com.airlock.iam.login.rest.application.configuration.ui.authentication.AuthenticationUiConfig" id="Kibana Authentication Flow UI" uuid="f7c67bf3-fff9-4d98-8478-9cb4c0b680f7">
+    <pluginProperty name="cancellationTarget">
+      <plugin uuidref="9b92b004-f45e-4fcd-9a3e-2a9c04b03c3c"/>
+    </pluginProperty>
     <pluginList name="stepUiConfigurations">
       <plugin uuidref="7358849e-c98d-4609-a8a6-9cfca00a9baf"/>
     </pluginList>
@@ -1654,7 +1679,5 @@
       <plugin uuidref="a29f520f-a7f0-48bc-8efd-a4bdbc5cada3"/>
     </pluginProperty>
   </plugin>
-  <plugin class="com.airlock.iam.selfservice.rest.application.configuration.ui.SelfServiceUiConfigs" id="Protected Self-Service Flow UIs" uuid="50452fff-b076-4ef4-9cf0-787e24401b25"/>
-  <configHistoryMetaData>
-  </configHistoryMetaData>
+  <plugin class="com.airlock.iam.selfservice.application.configuration.ui.SelfServiceUiConfigs" id="Protected Self-Service Flow UIs" uuid="50452fff-b076-4ef4-9cf0-787e24401b25"/>
 </medusaConfiguration>

data/authentication/iam/kustomization.yaml

@@ -18,5 +18,4 @@ configMapGenerator:
     literals:
       - IAM_LOG_LEVEL=INFO
       - IAM_LOG_STRUCTURED_STDOUT_ENABLED="true"
-      - IAM_HEALTH_ADDRESS=".*"
       - IAM_MODULES=adminapp,loginapp