From 5496317fee1ca47a80d0798b9048a1474ca8e2a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?=
Date: Tue, 14 Jan 2025 18:07:24 +0100
Subject: [PATCH] fix(nubus): Pre-create groups in Keycloak to avoid race condition on group sync when initial users login parallel
---
 ...alues-opendesk-keycloak-bootstrap.yaml.gotmpl | 16 ++++++++++++++--
 helmfile/environments/default/charts.yaml.gotmpl | 2 +-
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
index 614ca151..2a918279 100644
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -29,8 +29,11 @@ config:
 clients: {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
 managed:
- clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
- clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
+ clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list',
+ 'offline_access', 'roles', 'address', 'phone' ]
+ clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}',
+ '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}',
+ '${client_security-admin-console}' ]
 keycloak:
 adminUser: "kcadmin"
 adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -40,6 +43,15 @@ config:
 internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
 twoFactorSettings:
 additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
+ precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access',
+ 'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',
+ 'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',
+ 'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',
+ 'managed-by-attribute-Videoconference',
+ 'managed-by-attribute-Groupware',
+ 'managed-by-attribute-Notes' ]
+
 opendesk:
 # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
 # to LDAP group membership to ensure a user cannot access an application without the required
diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl
index 5ef7b05f..2a0e727f 100644
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -338,7 +338,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
 name: "opendesk-keycloak-bootstrap"
- version: "2.2.0"
+ version: "2.2.1"
 verify: true
 opendeskStaticFiles:
 # providerCategory: "Platform"
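Review bot: The new `precreateGroups` list is hard-coded while the 2FA groups one line above are templated from `.Values.functional.authentication.twoFactor.groups`, so `'2fa-users'` is presumably only that value's default and an operator who configures other 2FA groups gets no pre-created Keycloak group for them — the race on parallel first logins that this commit addresses then persists for exactly those groups. Consider deriving the list from the values instead, e.g. `precreateGroups: {{ concat (list "Domain Admins" "Domain Users" "IAM API - Full Access" "managed-by-attribute-Fileshare" ...) .Values.functional.authentication.twoFactor.groups | uniq | toYaml | nindent 8 }}` (Go-template strings need double quotes, and the nindent width must match where the key actually sits, which the collapsed hunk does not show). Because `'Domain Admins'` and `'IAM API - Full Access'` are privileged groups, a comment above the list would also help, e.g. `# Created empty ahead of the LDAP group sync so parallel first logins do not race group creation; membership is expected to come from LDAP only — keep in sync with twoFactor.groups.`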