sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(nubus): Pre-create groups in Keycloak to avoid race condition on group sync when initial users login parallel

Browse Source
This commit is contained in:
Thorsten Roßner
2025-01-14 18:07:24 +01:00
parent b4b714ff41
commit 5496317fee
2 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
View File

@@ -29,8 +29,11 @@ config:
clients:
{{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
managed:
clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list',
'offline_access', 'roles', 'address', 'phone' ]
clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}',
'${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}',
'${client_security-admin-console}' ]
keycloak:
adminUser: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -40,6 +43,15 @@ config:
internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
twoFactorSettings:
additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access',
'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',
'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',
'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',
'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',
'managed-by-attribute-Videoconference',
'managed-by-attribute-Groupware',
'managed-by-attribute-Notes' ]
opendesk:
# We use client specific scopes as we bind them to Keycloak role membership which itself is linked
# to LDAP group membership to ensure a user cannot access an application without the required

2
helmfile/environments/default/charts.yaml.gotmpl
View File

@@ -338,7 +338,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
name: "opendesk-keycloak-bootstrap"
version: "2.2.0"
version: "2.2.1"
verify: true
opendeskStaticFiles:
# providerCategory: "Platform"