From 3fcfa00503854f752a3885321b16b3f3597cb09a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?=
Date: Fri, 4 Apr 2025 10:59:18 +0200
Subject: [PATCH] fix(helmfile): Support for Keycloak session settings via `functional.authentication.realmSettings.*`
---
 ...es-opendesk-keycloak-bootstrap.yaml.gotmpl | 12 +++++++++++
 .../environments/default/charts.yaml.gotmpl | 2 +-
 .../default/functional.yaml.gotmpl | 20 +++++++++++++++++--
 3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
index 21811e6c..ea3eccf4 100644
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -98,6 +98,18 @@ config:
 intraCluster:
 enabled: true
 internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+ realmSettings:
+ accessTokenLifespan: {{ .Values.functional.authentication.realmSettings.accessTokenLifespan }}
+ revokeRefreshToken: {{ .Values.functional.authentication.realmSettings.revokeRefreshToken }}
+ ssoSessionIdleTimeout: {{ .Values.functional.authentication.realmSettings.ssoSessionIdleTimeout }}
+ ssoSessionMaxLifespan: {{ .Values.functional.authentication.realmSettings.ssoSessionMaxLifespan }}
+ offlineSessionIdleTimeout: {{ .Values.functional.authentication.realmSettings.offlineSessionIdleTimeout }}
+ offlineSessionMaxLifespanEnabled: {{ .Values.functional.authentication.realmSettings.offlineSessionMaxLifespanEnabled }}
+ offlineSessionMaxLifespan: {{ .Values.functional.authentication.realmSettings.offlineSessionMaxLifespan }}
+ clientSessionIdleTimeout: {{ .Values.functional.authentication.realmSettings.clientSessionIdleTimeout }}
+ clientSessionMaxLifespan: {{ .Values.functional.authentication.realmSettings.clientSessionMaxLifespan }}
+ clientOfflineSessionIdleTimeout: {{ .Values.functional.authentication.realmSettings.clientOfflineSessionIdleTimeout }}
+ clientOfflineSessionMaxLifespan: {{ .Values.functional.authentication.realmSettings.clientOfflineSessionMaxLifespan }}
 twoFactorSettings:
 additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
 precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access',
diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl
index 82a4ecbe..d3623221 100644
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
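Review bot: The eleven `realmSettings` values added to values-opendesk-keycloak-bootstrap.yaml.gotmpl are interpolated bare, so an environment override that sets one of them to null or an empty string would presumably render as an empty scalar and reach the chart as YAML null. How opendesk-keycloak-bootstrap 2.5.0 treats a null lifetime is not visible in this patch, and these keys decide how long access tokens and SSO/offline sessions stay valid, so a silent fallback is worth ruling out. Failing the render is safer, e.g. `accessTokenLifespan: {{ .Values.functional.authentication.realmSettings.accessTokenLifespan | required "functional.authentication.realmSettings.accessTokenLifespan must be set" }}`, applied to each key. A comment above the block such as `# Token and session lifetimes; defaults live in helmfile/environments/default/functional.yaml.gotmpl` would also point reviewers of overrides to the baseline. The enclosing `config:` mapping starts and continues outside the hunk.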
@@ -333,7 +333,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
 name: "opendesk-keycloak-bootstrap"
- version: "2.4.0"
+ version: "2.5.0"
 verify: true
 opendeskStaticFiles:
 # providerCategory: "Platform"
diff --git a/helmfile/environments/default/functional.yaml.gotmpl b/helmfile/environments/default/functional.yaml.gotmpl
index a15ef53b..a851ce59 100644
--- a/helmfile/environments/default/functional.yaml.gotmpl
+++ b/helmfile/environments/default/functional.yaml.gotmpl
@@ -20,10 +20,26 @@ functional: groups: - "Domain Admins" oidc: - # Define additional/custom OIDC clients to be created in the 'opendesk' realm of Keycloak. + # Define additional/custom OIDC clients to be created in the 'opendesk' realm within Keycloak. clients: ~ - # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm of Keycloak. + # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm within Keycloak. clientScopes: ~ + # Configure global settings of the 'opendesk' realm within Keycloak. The values are directly + # passed into the `realmSettings` section of the `opendesk-keycloak-bootstrap` chart. + # Ref.: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap + # Note: Global settings can potentially be overridden on a client level. + realmSettings: + accessTokenLifespan: 300 + revokeRefreshToken: false + ssoSessionIdleTimeout: 14400 + ssoSessionMaxLifespan: 57600 + offlineSessionIdleTimeout: 2592000 + offlineSessionMaxLifespanEnabled: false + offlineSessionMaxLifespan: 5184000 + clientSessionIdleTimeout: 0 + clientSessionMaxLifespan: 0 + clientOfflineSessionIdleTimeout: 0 + clientOfflineSessionMaxLifespan: 0 externalServices: nubus: