From 2023d5bce4642f794831670713b1a2520a0419d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?=
Date: Tue, 27 Feb 2024 11:52:01 +0100
Subject: [PATCH] fix(univention-management-stack): Bump Keycloak Extensions chart and configure the `/univention/meta.json` to be retrieved from `ums-stack-gateway` to avoid the inline 404 during Keycloak login.
---
 docs/components.md | 9 +++++++--
 .../values-ums-keycloak-extensions.yaml.gotmpl | 8 ++++++++
 helmfile/environments/default/charts.yaml | 4 ++--
 3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/docs/components.md b/docs/components.md
index 0eedd393..5ac5823d 100644
--- a/docs/components.md
+++ b/docs/components.md
@@ -113,8 +113,13 @@ The Filestore can be enabled on a per-project level in OpenProject's project adm
 # Identity data flows
 An overview of
-- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
-- components using Univention Keycloak as identity provider (IdP). If not otherwise denoted based on the OAuth2 / OIDC flows.
+- components that consume the LDAP service.
+ - The components accessing the LDAP using a component specific LDAP search account.
+- components using Univention Keycloak as identity provider (IdP).
+ - If not otherwise denoted the components make use of OAuth2 / OIDC flows.
+ - All components have a client configured in Keycloak, except for Jitsi which is using authentication with the
+ [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) that does not
+ require an OIDC client to be configured in Keycloak.
 Some components trust others to handle authentication for them.
diff --git a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
index 93881043..80d6e338 100644
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
@@ -77,6 +77,14 @@ proxy:
 path: "/resources"
 - pathType: "Prefix"
 path: "/fingerprintjs"
+ - pathType: "Exact"
+ path: "/univention/meta.json"
+ backend:
+ service:
+ name: "ums-stack-gateway"
+ port:
+ name: "http"
+
 enabled: {{ .Values.ingress.enabled }}
 ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
 host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index b43f6f4d..fb10011b 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -483,7 +483,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
 name: "ums-keycloak"
- version: "1.0.3"
+ version: "1.0.5"
 verify: true
 # @supplier: "Univention"
 # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -511,7 +511,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
 name: "keycloak-extensions"
- version: "0.1.0"
+ version: "0.2.1"
 verify: true
 # @supplier: "Univention"
 # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
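Review bot: The new `/univention/meta.json` entry under `proxy:` in values-ums-keycloak-extensions.yaml.gotmpl is the only path in this hunk that carries its own `backend`, so `ums-stack-gateway` now answers on the Keycloak host and shares the identity provider's origin, yet nothing in the file records that trust decision. I would put a comment above the entry, for example `# Served by ums-stack-gateway on the IdP origin; keep pathType "Exact" so no other gateway path becomes reachable on this host.` The service name is hard-coded rather than templated, so it presumably has to match the gateway's Service in the namespace of this Ingress; that is worth confirming, because a mismatch would break the lookup this commit repairs. The `proxy:` mapping starts before the hunk and continues after it.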