diff --git a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
index 5d604ebc..6fee28f6 100644
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -302,6 +302,298 @@ config:
 - "address"
 - "email"
 - "profile"
+ - name: "guardian-management-api"
+ clientId: "guardian-management-api"
+ rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ protocol: "openid-connect"
+ publicClient: false
+ clientAuthenticatorType: "client-secret"
+ secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+ redirectUris:
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
+ fullScopeAllowed: true
+ standardFlowEnabled: true
+ implicitFlowEnabled: false
+ directAccessGrantsEnabled: false
+ serviceAccountsEnabled: true
+ protocolMappers:
+ - name: "Client Host"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usersessionmodel-note-mapper"
+ consentRequired: false
+ config:
+ user.session.note: "clientHost"
+ userinfo.token.claim: true
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "clientHost"
+ jsonType.label: "String"
+ - name: "Client ID"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usersessionmodel-note-mapper"
+ consentRequired: false
+ config:
+ user.session.note: "client_id"
+ userinfo.token.claim: true
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "client_id"
+ jsonType.label: "String"
+ - name: "guardian-audience"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian"
+ userinfo.token.claim: false
+ id.token.claim: false
+ access.token.claim: true
+ - name: "audiencemap"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian-cli"
+ userinfo.token.claim: true
+ id.token.claim: true
+ access.token.claim: true
+ - name: "dn"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: false
+ user.attribute: "LDAP_ENTRY_DN"
+ id.token.claim: false
+ access.token.claim: true
+ claim.name: "dn"
+ jsonType.label: "String"
+ - name: "username"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "username"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "preferred_username"
+ jsonType.label: "String"
+ - name: "uid"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "uid"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "uid"
+ jsonType.label: "String"
+ - name: "email"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "email"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "email"
+ jsonType.label: "String"
+ - name: "Client IP Address"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usersessionmodel-note-mapper"
+ consentRequired: false
+ config:
+ user.session.note: "clientAddress"
+ userinfo.token.claim: true
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "clientAddress"
+ jsonType.label: "String"
+ - name: "guardian-scripts"
+ clientId: "guardian-scripts"
+ description: ""
+ rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ adminUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ surrogateAuthRequired: false
+ enabled: true
+ alwaysDisplayInConsole: false
+ clientAuthenticatorType: "client-secret"
+ redirectUris:
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
+ webOrigins:
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ bearerOnly: false
+ consentRequired: false
+ standardFlowEnabled: true
+ implicitFlowEnabled: false
+ directAccessGrantsEnabled: true
+ serviceAccountsEnabled: false
+ publicClient: true
+ frontchannelLogout: false
+ protocol: "openid-connect"
+ fullScopeAllowed: true
+ protocolMappers:
+ - name: "email"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "email"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "email"
+ jsonType.label: "String"
+ - name: "guardian-audience"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian"
+ id.token.claim: false
+ access.token.claim: true
+ userinfo.token.claim: false
+ - name: "username"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "username"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "preferred_username"
+ jsonType.label: "String"
+ - name: "uid"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "uid"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "uid"
+ jsonType.label: "String"
+ - name: "audiencemap"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian-scripts"
+ id.token.claim: true
+ access.token.claim: true
+ userinfo.token.claim: true
+ - name: "dn"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ aggregate.attrs: false
+ multivalued: false
+ userinfo.token.claim: false
+ user.attribute: "LDAP_ENTRY_DN"
+ id.token.claim: false
+ access.token.claim: true
+ claim.name: "dn"
+ jsonType.label: "String"
+ defaultClientScopes:
+ - "opendesk"
+ - "web-origins"
+ - "acr"
+ - "roles"
+ - "profile"
+ - "email"
+ optionalClientScopes:
+ - "address"
+ - "phone"
+ - "offline_access"
+ - "microprofile-jwt"
+ - name: "guardian-ui"
+ clientId: "guardian-ui"
+ rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ clientAuthenticatorType: "client-secret"
+ redirectUris:
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
+ standardFlowEnabled: true
+ publicClient: true
+ implicitFlowEnabled: false
+ directAccessGrantsEnabled: false
+ serviceAccountsEnabled: false
+ protocol: "openid-connect"
+ fullScopeAllowed: true
+ protocolMappers:
+ - name: "uid"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "uid"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "uid"
+ jsonType.label: "String"
+ - name: "username"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "username"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "preferred_username"
+ jsonType.label: "String"
+ - name: "dn"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: "false"
+ user.attribute: "LDAP_ENTRY_DN"
+ id.token.claim: false
+ access.token.claim: true
+ claim.name: "dn"
+ jsonType.label: "String"
+ - name: "audiencemap"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian"
+ id.token.claim: true
+ access.token.claim: true
+ userinfo.token.claim: true
+ - name: "email"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "email"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "email"
+ jsonType.label: "String"
+ - name: "guardian-audience"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian"
+ id.token.claim: false
+ access.token.claim: true
+ userinfo.token.claim: false
+
 containerSecurityContext:
 allowPrivilegeEscalation: false
diff --git a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
index 29166799..29e41cf3 100644
--- a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
@@ -13,7 +13,7 @@ tags:
 pre-release: true
 guardian:
- enabled: false
+ enabled: true
 authorizationApi:
 podAnnotations:
 intents.otterize.com/service-name: "ums-guardian-authorization-api"
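Review bot: `guardian-scripts` is registered as `publicClient: true` together with `directAccessGrantsEnabled: true`, so the password grant is reachable with nothing but the client id, and `fullScopeAllowed: true` on all three new clients copies every realm role into their tokens; if the scripts client genuinely needs direct access grants it should be a confidential client, and all three would be tighter with `fullScopeAllowed: false` next to the audience mappers that are already defined. `clientAuthenticatorType: "client-secret"` on the two public clients (`guardian-scripts`, `guardian-ui`) has no effect and can be dropped so the intent is clear. The `dn` mapper of `guardian-ui` writes `userinfo.token.claim: "false"` as a quoted string while every other mapper in the hunk uses a bare boolean; use `userinfo.token.claim: false` to match. The `dn` mappers put the user's `LDAP_ENTRY_DN` into every access token; a short comment naming the consumer that needs it, e.g. `# dn claim read by the guardian APIs — TODO confirm`, would justify exposing directory structure to each bearer of the token.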
@@ -32,8 +32,7 @@ guardian:
 oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
 opaAdapterUrl: "http://ums-guardian-open-policy-agent/"
 udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
- udmDataAdapterUsername: "cn=admin"
- udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ secretRef: "ums-guardian-udm-secret"
 ingress:
 enabled: false
 resources:
@@ -56,7 +55,8 @@ guardian:
 guardianManagementLoggingStructured: false
 guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
 oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
- secretRef: "guardian-keycloak-client-secret"
+ guardianManagementBaseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ secretRef: "ums-guardian-keycloak-client-secret"
 ingress:
 enabled: false
 resources:
@@ -76,9 +76,6 @@ guardian:
 {{- end }}
 config:
- viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
- viteManagementUiAdapterAuthenticationPort: "keycloak"
- viteManagementUiAdapterDataPort: "api"
 viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
 viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
 viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
@@ -109,7 +106,8 @@ guardian:
 provisioning:
- enabled: true
+ # Using openDesk keycloak provisioning
+ enabled: false
 image:
 registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianProvisioning.registry | quote }}
 repository: {{ .Values.images.umsGuardianProvisioning.repository | quote }}
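Review bot: Removing `viteKeycloakAuthenticationAdapterClientId: "guardian-ui"` from the management-ui config leaves the OIDC client id to the chart default, while the bootstrap values in this same change create the Keycloak client under the name `guardian-ui`; the two are now coupled only by convention, and a different default in the 0.16.0 chart would break the UI login with an unknown-client error. Either keep the explicit line or record the dependency with a comment such as `# clientId comes from the chart default; it must match the "guardian-ui" client in values-opendesk-keycloak-bootstrap.yaml.gotmpl`. The removed `viteManagementUiAdapterAuthenticationPort` and `viteManagementUiAdapterDataPort` keys carry the same implicit-default concern.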
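Review bot: `provisioning.enabled` is switched to `false`, yet the `@@ -123` hunk still points `provisioning.keycloak.credentialSecret` and `managementApi.credentialSecret` at `ums-guardian-keycloak-secret`, and the `@@ -1585` hunk of the same file creates that secret with the Keycloak admin password (`adminPassword`) and the management-api client secret. With the provisioning job off, nothing else in this diff consumes that secret, so the realm admin credential is materialized in the namespace for a component that no longer runs and is readable by anyone who can list secrets there. Prefer creating `ums-guardian-keycloak-secret` only when provisioning is enabled, or drop it together with the `credentialSecret` values until it is; if it is intentionally kept for re-enabling, extend the new comment to `# Using openDesk keycloak provisioning; provisioning.keycloak.* and ums-guardian-keycloak-secret are unused while this is false`.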
@@ -123,10 +121,16 @@ guardian:
 nubusBaseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
 keycloak:
 url: "http://ums-keycloak:8080"
- fqdn: "id.uv-example.gaia.open-desk.cloud"
- realm: "opendesk"
+ fqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+ realm: {{ .Values.platform.realm | quote }}
 admin: "kcadmin"
- credentialSecretName: "guardian-keycloak-secret"
+ credentialSecret:
+ name: "ums-guardian-keycloak-secret"
+ key: "adminPassword"
+ managementApi:
+ credentialSecret:
+ name: "ums-guardian-keycloak-secret"
+ key: "managementApiClientSecret"
 postgresql:
 bundled: false
@@ -1510,15 +1514,15 @@ stack-gateway:
 # }
 ## guardian
- # location /univention/guardian/management-ui {
- # proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
- # }
- # location /guardian/management {
- # proxy_pass http://ums-guardian-management-api:80/guardian/management;
- # }
- # location /guardian/authorization {
- # proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
- # }
+ location /univention/guardian/management-ui {
+ proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
+ }
+ location /guardian/management {
+ proxy_pass http://ums-guardian-management-api:80/guardian/management;
+ }
+ location /guardian/authorization {
+ proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
+ }
 ## object storage (minio)
 location /univention/portal/icons/entries/ {
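Review bot: Enabling `location /guardian/authorization` publishes the authorization API on the public gateway, although the only consumer visible in this diff reaches it in-cluster (`guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"` in the `@@ -56` hunk). If no browser-side or external caller needs that endpoint, leaving that one block commented keeps the policy-decision service off the ingress; if one does, a comment naming it, e.g. `# /guardian/authorization is called directly by <caller> — TODO confirm`, documents why it is exposed. The surrounding nginx configuration is a block scalar whose start and end lie outside the hunk.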
@@ -1585,14 +1589,18 @@ extraSecrets:
 stringData:
 ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
 machine.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ - name: "ums-guardian-udm-secret"
+ stringData:
+ udmDataAdapterUsername: "cn=admin"
+ udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ - name: "ums-guardian-keycloak-client-secret"
+ stringData:
+ oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
 - name: "ums-keycloak-postgresql-credentials"
 stringData:
 keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
- - name: "guardian-keycloak-client-secret"
+ - name: "ums-guardian-keycloak-secret"
 stringData:
- oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
- - name: "guardian-keycloak-secret"
- stringData:
- KEYCLOAK_ADMIN_PASSWORD: {{ .Values.secrets.keycloak.adminPassword | quote }}
- GUARDIAN_MANAGEMENT_API_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+ adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
+ managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
 ...
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index 752cc1e5..9ddfc83e 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -378,7 +378,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
 name: "ums"
- version: "0.15.0"
+ version: "0.16.0"
 verify: true
 umsKeycloakBootstrap:
 # providerCategory: "Supplier"
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index 0c0f931d..45b1b598 100644
--- a/helmfile/environments/default/images.yaml
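Review bot: `ums-guardian-udm-secret` binds the Guardian UDM adapter to `udmDataAdapterUsername: "cn=admin"` with `ldapSecret`, the same directory-admin credential that is also mounted as `ldap.secret`/`machine.secret` in the context lines above; a compromised Guardian pod would therefore hold full LDAP admin rights rather than the narrower access a data adapter presumably needs. These are the values the `@@ -32` hunk moved out of the inline config, so the exposure is not new, but now that the credential has its own Secret this is the natural point to switch to a dedicated, least-privileged UDM account. Until then a comment such as `# TODO: replace cn=admin with a dedicated Guardian UDM service account` would record the intent.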
+++ b/helmfile/environments/default/images.yaml
@@ -528,7 +528,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '3', '0']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
- tag: "0.3.0@sha256:6ce026307cace794b33dddc616e37025974707b5c94fc52cff100b769cba722b"
+ tag: "0.4.0@sha256:390e20ad73a91ae2ecc33d91d1f21872a46e6af4d4d09095d1ce18a6d4a3635e"
 umsKeycloak:
 # providerCategory: "Supplier"
 # providerResponsible: "Univention"
diff --git a/helmfile/environments/default/secrets.gotmpl b/helmfile/environments/default/secrets.gotmpl
index 203197cd..2ee57a3b 100644
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -42,6 +42,8 @@ secrets:
 dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
 udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
 udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+ guardian:
+ udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
 nats:
 natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
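Review bot: The new `guardian.udmPassword` entry derives exactly the same value as the existing `udmPassword` line above it (identical seed `"cn=admin" "udm"`), and nothing in this diff reads it — the `ums-guardian-udm-secret` added in values-umbrella takes `.Values.secrets.univentionManagementStack.ldapSecret` instead. Either point `udmDataAdapterPassword` at the new key so the Guardian credential can later be rotated on its own, or drop the entry to avoid a dangling secret definition; a distinct value only makes sense together with a dedicated Guardian account, since `cn=admin` must keep using the directory admin password. The nesting of `guardian:` (directly under `secrets:` or inside the `univentionManagementStack` map) is lost in this rendering, so the exact `.Values` path should be confirmed before wiring it up.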