sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(nubus): Pre-create groups in Keycloak to avoid race condition on group sync when initial users login parallel

Browse Source
This commit is contained in:
Thorsten Roßner
2025-01-14 18:07:24 +01:00
parent b4b714ff41
commit 5496317fee
2 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
View File

@@ -29,8 +29,11 @@ config:
clients: clients:
{{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }} {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
managed: managed:
clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ] clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list',
clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ] 'offline_access', 'roles', 'address', 'phone' ]
clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}',
'${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}',
'${client_security-admin-console}' ]
keycloak: keycloak:
adminUser: "kcadmin" adminUser: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }} adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -40,6 +43,15 @@ config:
internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080" internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
twoFactorSettings: twoFactorSettings:
additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }} additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access',
'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',
'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',
'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',
'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',
'managed-by-attribute-Videoconference',
'managed-by-attribute-Groupware',
'managed-by-attribute-Notes' ]
opendesk: opendesk:
# We use client specific scopes as we bind them to Keycloak role membership which itself is linked # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
# to LDAP group membership to ensure a user cannot access an application without the required # to LDAP group membership to ensure a user cannot access an application without the required

2
helmfile/environments/default/charts.yaml.gotmpl
View File

@@ -338,7 +338,7 @@ charts:
registry: "registry.opencode.de" registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap" repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
name: "opendesk-keycloak-bootstrap" name: "opendesk-keycloak-bootstrap"
version: "2.2.0" version: "2.2.1"
verify: true verify: true
opendeskStaticFiles: opendeskStaticFiles:
# providerCategory: "Platform" # providerCategory: "Platform"