sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(nubus): Guardian version bump and refactoring.

Browse Source
This commit is contained in:
Jaime Conde
2024-05-17 16:03:50 +02:00
committed by Thorsten Roßner
parent f3d8cf08ef
commit 2f88752ae6
5 changed files with 330 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

292
helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
View File

@@ -302,6 +302,298 @@ config:
- "address"
- "email"
- "profile"
- name: "guardian-management-api"
clientId: "guardian-management-api"
rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
protocol: "openid-connect"
publicClient: false
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
fullScopeAllowed: true
standardFlowEnabled: true
implicitFlowEnabled: false
directAccessGrantsEnabled: false
serviceAccountsEnabled: true
protocolMappers:
- name: "Client Host"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "clientHost"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "clientHost"
jsonType.label: "String"
- name: "Client ID"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "client_id"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "client_id"
jsonType.label: "String"
- name: "guardian-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
userinfo.token.claim: false
id.token.claim: false
access.token.claim: true
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian-cli"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: false
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "uid"
jsonType.label: "String"
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "Client IP Address"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "clientAddress"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "clientAddress"
jsonType.label: "String"
- name: "guardian-scripts"
clientId: "guardian-scripts"
description: ""
rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
adminUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
surrogateAuthRequired: false
enabled: true
alwaysDisplayInConsole: false
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
webOrigins:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
bearerOnly: false
consentRequired: false
standardFlowEnabled: true
implicitFlowEnabled: false
directAccessGrantsEnabled: true
serviceAccountsEnabled: false
publicClient: true
frontchannelLogout: false
protocol: "openid-connect"
fullScopeAllowed: true
protocolMappers:
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "guardian-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
id.token.claim: false
access.token.claim: true
userinfo.token.claim: false
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "uid"
jsonType.label: "String"
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian-scripts"
id.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
aggregate.attrs: false
multivalued: false
userinfo.token.claim: false
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "web-origins"
- "acr"
- "roles"
- "profile"
- "email"
optionalClientScopes:
- "address"
- "phone"
- "offline_access"
- "microprofile-jwt"
- name: "guardian-ui"
clientId: "guardian-ui"
rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
standardFlowEnabled: true
publicClient: true
implicitFlowEnabled: false
directAccessGrantsEnabled: false
serviceAccountsEnabled: false
protocol: "openid-connect"
fullScopeAllowed: true
protocolMappers:
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "uid"
jsonType.label: "String"
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: "false"
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
id.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "guardian-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
id.token.claim: false
access.token.claim: true
userinfo.token.claim: false
containerSecurityContext:
allowPrivilegeEscalation: false

60
helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
View File

@@ -13,7 +13,7 @@ tags:
pre-release: true
guardian:
enabled: false
enabled: true
authorizationApi:
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-authorization-api"
@@ -32,8 +32,7 @@ guardian:
oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
opaAdapterUrl: "http://ums-guardian-open-policy-agent/"
udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
udmDataAdapterUsername: "cn=admin"
udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
secretRef: "ums-guardian-udm-secret"
ingress:
enabled: false
resources:
@@ -56,7 +55,8 @@ guardian:
guardianManagementLoggingStructured: false
guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
secretRef: "guardian-keycloak-client-secret"
guardianManagementBaseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
secretRef: "ums-guardian-keycloak-client-secret"
ingress:
enabled: false
resources:
@@ -76,9 +76,6 @@ guardian:
{{- end }}
config:
viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
viteManagementUiAdapterAuthenticationPort: "keycloak"
viteManagementUiAdapterDataPort: "api"
viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
@@ -109,7 +106,8 @@ guardian:
provisioning:
enabled: true
# Using openDesk keycloak provisioning
enabled: false
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianProvisioning.registry | quote }}
repository: {{ .Values.images.umsGuardianProvisioning.repository | quote }}
@@ -123,10 +121,16 @@ guardian:
nubusBaseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
keycloak:
url: "http://ums-keycloak:8080"
fqdn: "id.uv-example.gaia.open-desk.cloud"
realm: "opendesk"
fqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
realm: {{ .Values.platform.realm | quote }}
admin: "kcadmin"
credentialSecretName: "guardian-keycloak-secret"
credentialSecret:
name: "ums-guardian-keycloak-secret"
key: "adminPassword"
managementApi:
credentialSecret:
name: "ums-guardian-keycloak-secret"
key: "managementApiClientSecret"
postgresql:
bundled: false
@@ -1510,15 +1514,15 @@ stack-gateway:
# }
## guardian
# location /univention/guardian/management-ui {
# proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
# }
# location /guardian/management {
# proxy_pass http://ums-guardian-management-api:80/guardian/management;
# }
# location /guardian/authorization {
# proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
# }
location /univention/guardian/management-ui {
proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
}
location /guardian/management {
proxy_pass http://ums-guardian-management-api:80/guardian/management;
}
location /guardian/authorization {
proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
}
## object storage (minio)
location /univention/portal/icons/entries/ {
@@ -1585,14 +1589,18 @@ extraSecrets:
stringData:
ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machine.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
- name: "ums-guardian-udm-secret"
stringData:
udmDataAdapterUsername: "cn=admin"
udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
- name: "ums-guardian-keycloak-client-secret"
stringData:
oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
- name: "ums-keycloak-postgresql-credentials"
stringData:
keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
- name: "guardian-keycloak-client-secret"
- name: "ums-guardian-keycloak-secret"
stringData:
oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
- name: "guardian-keycloak-secret"
stringData:
KEYCLOAK_ADMIN_PASSWORD: {{ .Values.secrets.keycloak.adminPassword | quote }}
GUARDIAN_MANAGEMENT_API_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
...

2
helmfile/environments/default/charts.yaml
View File

@@ -378,7 +378,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "ums"
version: "0.15.0"
version: "0.16.0"
verify: true
umsKeycloakBootstrap:
# providerCategory: "Supplier"

2
helmfile/environments/default/images.yaml
View File

@@ -528,7 +528,7 @@ images:
# upstreamMirrorStartFrom: ['0', '3', '0']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
tag: "0.3.0@sha256:6ce026307cace794b33dddc616e37025974707b5c94fc52cff100b769cba722b"
tag: "0.4.0@sha256:390e20ad73a91ae2ecc33d91d1f21872a46e6af4d4d09095d1ce18a6d4a3635e"
umsKeycloak:
# providerCategory: "Supplier"
# providerResponsible: "Univention"

2
helmfile/environments/default/secrets.gotmpl
View File

@@ -42,6 +42,8 @@ secrets:
dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
guardian:
udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
nats:
natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}