From 46111ba718da668286d031795e26bb890d3d95cd Mon Sep 17 00:00:00 2001
From: Nubus CI Bot
Date: Mon, 12 Aug 2024 11:11:59 +0000
Subject: [PATCH] feat(nubus): Integrate keycloak provisioning

---
 .../apps/intercom-service/values.yaml.gotmpl | 20 +++++++
 helmfile/apps/nubus/values-nubus.yaml.gotmpl | 6 +++
 ...es-opendesk-keycloak-bootstrap.yaml.gotmpl | 54 -------------------
 helmfile/environments/default/charts.yaml | 9 ++--
 helmfile/environments/default/images.yaml | 10 ++--
 5 files changed, 36 insertions(+), 63 deletions(-)

diff --git a/helmfile/apps/intercom-service/values.yaml.gotmpl b/helmfile/apps/intercom-service/values.yaml.gotmpl
index b3feb860..6706c2dc 100644
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -72,6 +72,26 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
+provisioning:
+  enabled: true
+  config:
+    nubusBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
+    keycloak:
+      url: "http://ums-keycloak:8080/realms/{{ .Values.platform.realm }}/"
+      username: "kcadmin"
+      realm: {{ .Values.platform.realm | quote }}
+      connection:
+        host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+        baseUrl: "http://ums-keycloak:8080"
+      credentialSecret:
+        name: "ums-opendesk-keycloak-credentials"
+        key: "admin_password"
+    ics_client:
+      clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+      credentialSecret:
+        key: "ics_secret"
+
+
 podSecurityContext:
   enabled: true
   fsGroup: 1000
diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
index f7c87fd6..ed8a48c6 100644
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
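Review bot: The `ics_client` block gives only `credentialSecret.key: "ics_secret"` with no `name`, whereas the `keycloak` block a few lines above sets both `name` and `key`; unless the chart defaults the Secret name, that reference cannot resolve, and the same value is also templated inline as `clientSecret`, so the secret still appears in the rendered values next to the reference — once the name is confirmed, keeping only the reference would be cleaner. The client definition this block replaces (removed from values-opendesk-keycloak-bootstrap.yaml.gotmpl in this same commit) carried a redirect URI, backchannel-logout settings, the `offline_access` default scope and three protocol mappers; nothing here sets any of those, so confirm that the chart's provisioning recreates them before the bootstrap copy is dropped, or the intercom client loses those settings silently. `keycloak.url` and `keycloak.connection.baseUrl` both point at `http://ums-keycloak:8080`, and the nubus values file in this commit sets only the latter; if this chart version does not read `url`, drop it to keep one source of truth. The two trailing `+` blank lines leave a double blank before `podSecurityContext`; one is enough.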
@@ -165,7 +165,13 @@ nubusGuardian:
   provisioning:
     enabled: false
     config:
+      nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
       keycloak:
+        realm: {{ .Values.platform.realm | quote }}
+        username: "kcadmin"
+        connection:
+          host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+          baseUrl: "http://ums-keycloak:8080"
         credentialSecret:
           name: "ums-opendesk-keycloak-credentials"
           key: "admin_password"
diff --git a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
index 890d0958..d6239c16 100644
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
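Review bot: `nubusBaseUrl` is emitted unquoted from `printf`, while the `realm` line added just below and the same key in the intercom-service values file are quoted; a value beginning with `https://` parses as a plain scalar today, but quoting keeps the two files consistent and guards against an empty host or domain expansion producing something the YAML parser reads differently: `nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}`. Note that `provisioning.enabled` stays `false` in this file, so the added keys have no effect until it is switched on; the `provisioning` block may continue past the hunk.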
@@ -389,60 +389,6 @@ config:
         backchannel.logout.session.required: false
       defaultClientScopes:
         - "opendesk-dovecot-scope"
-    - name: "opendesk-intercom"
-      clientId: "opendesk-intercom"
-      protocol: "openid-connect"
-      clientAuthenticatorType: "client-secret"
-      secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
-      redirectUris:
-        - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
-      consentRequired: false
-      frontchannelLogout: false
-      publicClient: false
-      authorizationServicesEnabled: false
-      attributes:
-        backchannel.logout.session.required: true
-        backchannel.logout.revoke.offline.tokens: true
-        backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
-      protocolMappers:
-        - name: "intercom-audience"
-          protocol: "openid-connect"
-          protocolMapper: "oidc-audience-mapper"
-          consentRequired: false
-          config:
-            included.client.audience: "opendesk-intercom"
-            id.token.claim: false
-            access.token.claim: true
-        # temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
-        # it to `opendesk_useruuid` standard claim. For reference:
-        # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
-        - name: "entryuuid_temp"
-          protocol: "openid-connect"
-          protocolMapper: "oidc-usermodel-attribute-mapper"
-          consentRequired: false
-          config:
-            userinfo.token.claim: true
-            user.attribute: "entryUUID"
-            id.token.claim: true
-            access.token.claim: true
-            claim.name: "entryuuid"
-            jsonType.label: "String"
-        # temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
-        # set it to `opendesk_username` standard claim. For reference:
-        # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
-        - name: "phoenixusername_temp"
-          protocol: "openid-connect"
-          protocolMapper: "oidc-usermodel-attribute-mapper"
-          consentRequired: false
-          config:
-            userinfo.token.claim: true
-            user.attribute: "uid"
-            id.token.claim: true
-            access.token.claim: true
-            claim.name: "phoenixusername"
-            jsonType.label: "String"
-      defaultClientScopes:
-        - "offline_access"
     - name: "opendesk-jitsi"
       clientId: "opendesk-jitsi"
       protocol: "openid-connect"
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index f1ee84f8..3547e031 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -122,8 +122,8 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "intercom-service"
-    version: "2.0.1"
-    verify: true
+    version: "2.1.1"
+    verify: false
   jitsi:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -274,8 +274,9 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "2.1.1"
-    verify: true
+    version: "2.2.0-jtorres-univention-keycloak-clients"
+    verify: false
+    # TODO: change to the final version during MR to develop
   openproject:
     # providerCategory: "Supplier"
     # providerResponsible: "openProject"
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index 02be2bac..ea59b1d4 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
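Review bot: `verify: false` on the intercom-service chart entry (the @@ -122 hunk of charts.yaml) switches off chart provenance verification, and the @@ -274 hunk does the same for opendesk-keycloak-bootstrap while pointing it at a personal branch build, `2.2.0-jtorres-univention-keycloak-clients`, with a TODO to replace it. Both entries previously pulled a released version with `verify: true`; with the flag off, a substituted or tampered chart served by the registry would be installed without detection, so verification should be restored together with the final versions rather than left to be rediscovered after merge. The existing TODO covers only the version; extend it so the flag does not survive, e.g. `verify: false  # TODO: re-enable once the final 2.2.0 / 2.1.1 releases are published with provenance`, and give it a tracking reference if the project uses one.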
@@ -75,13 +75,13 @@ images:
   intercom:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
-    # upstreamRegistry: "https://quay.io"
-    # upstreamRepository: "univention/intercom-service"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "6"]
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/intercom-service"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["2", "1", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "1.6@sha256:f32c1e52fa132e9dc6973e9f8ed36a98c5c3e0bcd51c60f9a683e7e528dd2306"
+    tag: "2.1.1@sha256:889b82681883b2cec1267a744f135f5b25a716de6ca584f7565ccd118b6f6c4f"
   jibri:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"