diff --git a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
index 72a86d6b..47adcb43 100644
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -300,8 +300,8 @@ config:
 - "address"
 - "email"
 - "profile"
- - name: "guardian-cli"
- clientId: "guardian-cli"
+ - name: "guardian-management-api"
+ clientId: "guardian-management-api"
 rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
 baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
 protocol: "openid-connect"
@@ -406,21 +406,32 @@ config:
 access.token.claim: true
 claim.name: "clientAddress"
 jsonType.label: "String"
- - name: "guardian"
- clientId: "guardian"
+ - name: "guardian-scripts"
+ clientId: "guardian-scripts"
+ description: ""
 rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+ adminUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
 baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+ surrogateAuthRequired: false
+ enabled: true
+ alwaysDisplayInConsole: false
 clientAuthenticatorType: "client-secret"
 redirectUris:
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
 - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
- fullScopeAllowed: true
- protocol: "openid-connect"
+ webOrigins:
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ bearerOnly: false
+ consentRequired: false
+ standardFlowEnabled: true
+ implicitFlowEnabled: false
+ directAccessGrantsEnabled: true
+ serviceAccountsEnabled: false
 publicClient: true
 frontchannelLogout: false
- standardFlowEnabled: true
- attributes:
- use.refresh.tokens: "true"
- backchannel.logout.session.required: "true"
+ protocol: "openid-connect"
+ fullScopeAllowed: true
 protocolMappers:
 - name: "email"
 protocol: "openid-connect"
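Review bot: `directAccessGrantsEnabled: true` combined with `publicClient: true` on the new guardian-scripts client enables the resource-owner password grant with no client authentication, so the scripts would collect user passwords directly and any MFA or SSO policy on the browser flow is bypassed; if the CLI use case genuinely needs it, record that in a comment above the line, otherwise set `directAccessGrantsEnabled: false` and keep only `standardFlowEnabled: true`. For the same public client the browser flow should be pinned to PKCE, e.g. `attributes:` with `pkce.code.challenge.method: "S256"`, which would also give a home to the `use.refresh.tokens` and `backchannel.logout.session.required` settings this hunk removes without an obvious replacement — please confirm that removal was intended. `clientAuthenticatorType: "client-secret"` has no effect on a public client and could be dropped to avoid suggesting a secret is in play. The client definition continues past the end of the hunk.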
@@ -433,28 +444,15 @@ config:
 access.token.claim: true
 claim.name: "email"
 jsonType.label: "String"
- - name: "dn"
+ - name: "guardian-audience"
 protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-attribute-mapper"
+ protocolMapper: "oidc-audience-mapper"
 consentRequired: false
 config:
- userinfo.token.claim: false
- user.attribute: "LDAP_ENTRY_DN"
+ included.client.audience: "guardian"
 id.token.claim: false
 access.token.claim: true
- claim.name: "dn"
- jsonType.label: "String"
- - name: "uid"
- protocol: "openid-connect"
- protocolMapper: "oidc-usermodel-attribute-mapper"
- consentRequired: false
- config:
- userinfo.token.claim: true
- user.attribute: "uid"
- id.token.claim: true
- access.token.claim: true
- claim.name: "udi"
- jsonType.label: "String"
+ userinfo.token.claim: false
 - name: "username"
 protocol: "openid-connect"
 protocolMapper: "oidc-usermodel-property-mapper"
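Review bot: The new `guardian-audience` mapper sets `included.client.audience: "guardian"`, yet the only client with that id visible in this diff is renamed to `guardian-scripts` in the previous hunk, and the sibling `audiencemap` mapper in the next hunk is updated to `"guardian-scripts"` to match; either this value was missed in the rename, or `guardian` is the audience string the Guardian authorization API verifies independently of any Keycloak client id. If it is the latter, a comment such as `# "guardian" is the audience checked by guardian-authorization-api, not a Keycloak client id` would stop the next maintainer from "fixing" it, and if there is another `guardian` client outside this diff that should be stated too. Dropping the `dn` and `uid` mappers here is consistent with their re-addition further down. The protocolMappers list continues outside the hunk.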
@@ -466,15 +464,51 @@ config:
 access.token.claim: true
 claim.name: "preferred_username"
 jsonType.label: "String"
+ - name: "uid"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "uid"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "uid"
+ jsonType.label: "String"
 - name: "audiencemap"
 protocol: "openid-connect"
 protocolMapper: "oidc-audience-mapper"
 consentRequired: false
 config:
- included.client.audience: "guardian"
+ included.client.audience: "guardian-scripts"
 id.token.claim: true
 access.token.claim: true
 userinfo.token.claim: true
+ - name: "dn"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ aggregate.attrs: false
+ multivalued: false
+ userinfo.token.claim: false
+ user.attribute: "LDAP_ENTRY_DN"
+ id.token.claim: false
+ access.token.claim: true
+ claim.name: "dn"
+ jsonType.label: "String"
+ defaultClientScopes:
+ - "opendesk"
+ - "web-origins"
+ - "acr"
+ - "roles"
+ - "profile"
+ - "email"
+ optionalClientScopes:
+ - "address"
+ - "phone"
+ - "offline_access"
+ - "microprofile-jwt"
 - name: "guardian-ui"
 clientId: "guardian-ui"
 rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index 0100586a..2e34357e 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -342,7 +342,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
 name: "opendesk-otterize"
- version: "1.6.0"
+ version: "1.7.0"
 verify: true
 # @supplier: "openDesk"
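Review bot: `- "offline_access"` under `optionalClientScopes` lets this client request long-lived offline refresh tokens, and since the same client (by the hunk ordering, the guardian-scripts client started two hunks earlier) is configured as `publicClient: true` with direct access grants, such tokens can be used with no client credential at all; if the scripts do not need offline sessions, remove that scope, and if they do, say why in a comment. The added `dn` mapper copies `LDAP_ENTRY_DN` into every access token (`access.token.claim: true`), which exposes directory-internal structure to any resource server that receives the token — fine if the Guardian APIs consume it, but worth a one-line comment naming the consumer. The re-added `uid` mapper also corrects the old claim name from `"udi"` to `"uid"`; any consumer that adapted to the typo will stop seeing the claim, so this deserves a changelog line. The guardian-ui client at the end of the hunk continues outside it.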
@@ -440,7 +440,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
 name: "guardian-authorization-api"
- version: "0.0.1"
+ version: "0.1.0"
 verify: true
 # @supplier: "Univention"
 # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -454,7 +454,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
 name: "guardian-management-api"
- version: "0.0.1"
+ version: "0.1.0"
 verify: true
 # @supplier: "Univention"
 # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -468,7 +468,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
 name: "guardian-management-ui"
- version: "0.0.1"
+ version: "0.1.0"
 verify: true
 # @supplier: "Univention"
 # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -566,7 +566,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
 name: "open-policy-agent"
- version: "0.0.1"
+ version: "0.1.0"
 verify: true
 # @supplier: "Univention"
 # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index 9496b6e9..df74aea4 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -541,7 +541,7 @@ images:
 # dependencyType=supplier
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-authorization-api-authorization-api"
- tag: "1.0.0@sha256:dee5d42131037bde99ab9d827e751bb6a16496f9c2c0380c48f1e2919d905814"
+ tag: "2.0.0@sha256:5f194f9385aea5a279e25a57352f7b88a6cc4fa90b3bf04c2c97b9ff2bad70a5"
 # @supplier: "Univention"
 # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
 # @mirrorFrom: ['1', '0', '0']
@@ -552,7 +552,7 @@ images:
 # dependencyType=supplier
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-api-management-api"
- tag: "1.0.0@sha256:16e8004a12a6a9fba47e89e1289c8a433e5f56bbd0ee26620b0ddade0bd33313"
+ tag: "2.0.0@sha256:61a1ab84efebe2a87d358e8624f8b39073a6071683e7cd77b740a97d464753a2"
 # @supplier: "Univention"
 # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
 # @mirrorFrom: ['1', '0', '0']
@@ -563,7 +563,7 @@ images:
 # dependencyType=supplier
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-ui-management-ui"
- tag: "1.0.0@sha256:e1e4e1e7fa0c7ffff09e63474b5b054cb492fbb743cad0b2ee5910bb1de6967b"
+ tag: "2.0.0@sha256:57e2503a4772f0ff656e792a98fadef4d41c248218e6c368f76ce82a892478cf"
 # @supplier: "Univention"
 # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
 # @mirrorFrom: ['1', '0', '0']
@@ -651,7 +651,7 @@ images:
 # dependencyType=supplier
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-authorization-api-opa"
- tag: "1.0.0@sha256:a5caa128eef2de1a12514727ceff0f54f647b7b1814a304728da2e1bc9e7b621"
+ tag: "2.0.0@sha256:56a92a08da5addb951a2b2df09974889295ddde8526e93ad40dd973de1052ad4"
 # @supplier: "Univention"
 # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
 # @mirrorFrom: ['1', '0', '0']