fix(nubus): Guardian version bump and refactoring.

helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -302,6 +302,298 @@ config:
           - "address"
           - "email"
           - "profile"
+      - name: "guardian-management-api"
+        clientId: "guardian-management-api"
+        rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+        protocol: "openid-connect"
+        publicClient: false
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
+        fullScopeAllowed: true
+        standardFlowEnabled: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: false
+        serviceAccountsEnabled: true
+        protocolMappers:
+          - name: "Client Host"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "clientHost"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "clientHost"
+              jsonType.label: "String"
+          - name: "Client ID"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "client_id"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "client_id"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              userinfo.token.claim: false
+              id.token.claim: false
+              access.token.claim: true
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian-cli"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: false
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "Client IP Address"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "clientAddress"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "clientAddress"
+              jsonType.label: "String"
+      - name: "guardian-scripts"
+        clientId: "guardian-scripts"
+        description: ""
+        rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+        adminUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+        surrogateAuthRequired: false
+        enabled: true
+        alwaysDisplayInConsole: false
+        clientAuthenticatorType: "client-secret"
+        redirectUris:
+          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
+          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
+        webOrigins:
+          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+        bearerOnly: false
+        consentRequired: false
+        standardFlowEnabled: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: true
+        serviceAccountsEnabled: false
+        publicClient: true
+        frontchannelLogout: false
+        protocol: "openid-connect"
+        fullScopeAllowed: true
+        protocolMappers:
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: false
+              access.token.claim: true
+              userinfo.token.claim: false
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian-scripts"
+              id.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              aggregate.attrs: false
+              multivalued: false
+              userinfo.token.claim: false
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+        defaultClientScopes:
+          - "opendesk"
+          - "web-origins"
+          - "acr"
+          - "roles"
+          - "profile"
+          - "email"
+        optionalClientScopes:
+          - "address"
+          - "phone"
+          - "offline_access"
+          - "microprofile-jwt"
+      - name: "guardian-ui"
+        clientId: "guardian-ui"
+        rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+        clientAuthenticatorType: "client-secret"
+        redirectUris:
+          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
+        standardFlowEnabled: true
+        publicClient: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: false
+        serviceAccountsEnabled: false
+        protocol: "openid-connect"
+        fullScopeAllowed: true
+        protocolMappers:
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: "false"
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: false
+              access.token.claim: true
+              userinfo.token.claim: false
+
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl

@@ -13,7 +13,7 @@ tags:
   pre-release: true
 
 guardian:
-  enabled: false
+  enabled: true
   authorizationApi:
     podAnnotations:
       intents.otterize.com/service-name: "ums-guardian-authorization-api"
@@ -32,8 +32,7 @@ guardian:
       oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
       opaAdapterUrl: "http://ums-guardian-open-policy-agent/"
       udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
-      udmDataAdapterUsername: "cn=admin"
+      secretRef: "ums-guardian-udm-secret"
-      udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
     ingress:
       enabled: false
     resources:
@@ -56,7 +55,8 @@ guardian:
       guardianManagementLoggingStructured: false
       guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
       oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
-      secretRef: "guardian-keycloak-client-secret"
+      guardianManagementBaseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+      secretRef: "ums-guardian-keycloak-client-secret"
     ingress:
       enabled: false
     resources:
@@ -76,9 +76,6 @@ guardian:
         {{- end }}
 
     config:
-      viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
-      viteManagementUiAdapterAuthenticationPort: "keycloak"
-      viteManagementUiAdapterDataPort: "api"
       viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
       viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
       viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
@@ -109,7 +106,8 @@ guardian:
 
 
   provisioning:
-    enabled: true
+    # Using openDesk keycloak provisioning
+    enabled: false
     image:
       registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianProvisioning.registry | quote }}
       repository: {{ .Values.images.umsGuardianProvisioning.repository | quote }}
@@ -123,10 +121,16 @@ guardian:
       nubusBaseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
       keycloak:
         url: "http://ums-keycloak:8080"
-        fqdn: "id.uv-example.gaia.open-desk.cloud"
+        fqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        realm: "opendesk"
+        realm: {{ .Values.platform.realm | quote }}
         admin: "kcadmin"
-    credentialSecretName: "guardian-keycloak-secret"
+        credentialSecret:
+          name: "ums-guardian-keycloak-secret"
+          key: "adminPassword"
+      managementApi:
+        credentialSecret:
+          name: "ums-guardian-keycloak-secret"
+          key: "managementApiClientSecret"
 
   postgresql:
     bundled: false
@@ -1510,15 +1514,15 @@ stack-gateway:
       # }
 
       ## guardian
-      # location /univention/guardian/management-ui {
+      location /univention/guardian/management-ui {
-      #   proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
+        proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
-      # }
+      }
-      # location /guardian/management {
+      location /guardian/management {
-      #   proxy_pass http://ums-guardian-management-api:80/guardian/management;
+        proxy_pass http://ums-guardian-management-api:80/guardian/management;
-      # }
+      }
-      # location /guardian/authorization {
+      location /guardian/authorization {
-      #   proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
+        proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
-      # }
+      }
 
       ## object storage (minio)
       location /univention/portal/icons/entries/ {
@@ -1585,14 +1589,18 @@ extraSecrets:
     stringData:
       ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
       machine.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  - name: "ums-guardian-udm-secret"
+    stringData:
+      udmDataAdapterUsername: "cn=admin"
+      udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  - name: "ums-guardian-keycloak-client-secret"
+    stringData:
+      oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
   - name: "ums-keycloak-postgresql-credentials"
     stringData:
       keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
-  - name: "guardian-keycloak-client-secret"
+  - name: "ums-guardian-keycloak-secret"
     stringData:
-      oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+      adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
-  - name: "guardian-keycloak-secret"
+      managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
-    stringData:
-      KEYCLOAK_ADMIN_PASSWORD: {{ .Values.secrets.keycloak.adminPassword | quote }}
-      GUARDIAN_MANAGEMENT_API_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
 ...

helmfile/environments/default/charts.yaml

@@ -378,7 +378,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "ums"
-    version: "0.15.0"
+    version: "0.16.0"
     verify: true
   umsKeycloakBootstrap:
     # providerCategory: "Supplier"

helmfile/environments/default/images.yaml

@@ -528,7 +528,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '3', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
-    tag: "0.3.0@sha256:6ce026307cace794b33dddc616e37025974707b5c94fc52cff100b769cba722b"
+    tag: "0.4.0@sha256:390e20ad73a91ae2ecc33d91d1f21872a46e6af4d4d09095d1ce18a6d4a3635e"
   umsKeycloak:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"

helmfile/environments/default/secrets.gotmpl

@@ -42,6 +42,8 @@ secrets:
       dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
       udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
       udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+    guardian:
+      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
   nats:
     natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}