sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-07 16:01:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(nubus): Boostrap new file

Browse Source
This commit is contained in:
Jaime Conde
2024-07-18 15:57:10 +02:00
committed by Carlos García-Mauriño
parent ecfd051521
commit c15fb90ef3
1 changed files with 327 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

388
helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
View File

@@ -17,10 +17,15 @@ image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
cleanup: cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }} deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }} keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
config: config:
custom:
clientScopes:
{{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
clients:
{{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
keycloak: keycloak:
adminUser: "kcadmin" adminUser: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }} adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -29,14 +34,20 @@ config:
enabled: true enabled: true
internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080" internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
twoFactorSettings: twoFactorSettings:
additionalGroups: {{ .Values.authentication.twoFactor.groups }} additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
custom: opendesk:
# We use client specific scopes as we bind them to Keycloak role membership which itself is linked
# to LDAP group membership to ensure a user cannot access an application without the required
# group membership.
# ToDo:
# - Jitsi does currently not care if it gets scopes/claims as long as the user is authenticated.
clientScopes: clientScopes:
- name: "read_contacts" - name: "read_contacts"
protocol: "openid-connect" protocol: "openid-connect"
- name: "write_contacts" - name: "write_contacts"
protocol: "openid-connect" protocol: "openid-connect"
- name: "opendesk" - name: "opendesk-openproject-scope"
description: "Scope for the claims required by openDesk's OpenProject instance."
protocol: "openid-connect" protocol: "openid-connect"
protocolMappers: protocolMappers:
- name: "opendesk_useruuid" - name: "opendesk_useruuid"
@@ -61,6 +72,306 @@ config:
access.token.claim: true access.token.claim: true
claim.name: "opendesk_username" claim.name: "opendesk_username"
jsonType.label: "String" jsonType.label: "String"
- name: "opendeskProjectmanagementAdmin"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "opendeskProjectmanagementAdmin"
id.token.claim: true
access.token.claim: true
claim.name: "openproject_admin"
jsonType.label: "String"
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "given name"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "firstName"
id.token.claim: true
access.token.claim: true
claim.name: "given_name"
jsonType.label: "String"
- name: "family name"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "lastName"
id.token.claim: true
access.token.claim: true
claim.name: "family_name"
jsonType.label: "String"
- name: "opendesk-jitsi-scope"
description: "Scope for the claims required by openDesk's Jitsi instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "full name"
protocol: "openid-connect"
protocolMapper: "oidc-full-name-mapper"
consentRequired: false
config:
id.token.claim: true
introspection.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "opendesk-nextcloud-scope"
description: "Scope for the claims required by openDesk's Nextcloud instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
- name: "opendesk-matrix-scope"
description: "Scope for the claims required by openDesk's Matrix instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "full name"
protocol: "openid-connect"
protocolMapper: "oidc-full-name-mapper"
consentRequired: false
config:
id.token.claim: true
introspection.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "opendesk-xwiki-scope"
description: "Scope for the claims required by openDesk's XWiki instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "full name"
protocol: "openid-connect"
protocolMapper: "oidc-full-name-mapper"
consentRequired: false
config:
id.token.claim: true
introspection.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "opendesk-dovecot-scope"
description: "Scope for the claims required by openDesk's Dovecot instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "opendesk-oxappsuite-scope"
description: "Scope for the claims required by openDesk's OX Appuite instance."
protocol: "openid-connect"
protocolMappers:
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
clients: clients:
- name: "opendesk-dovecot" - name: "opendesk-dovecot"
clientId: "opendesk-dovecot" clientId: "opendesk-dovecot"
@@ -74,7 +385,7 @@ config:
attributes: attributes:
backchannel.logout.session.required: false backchannel.logout.session.required: false
defaultClientScopes: defaultClientScopes:
- "opendesk" - "opendesk-dovecot-scope"
- name: "opendesk-intercom" - name: "opendesk-intercom"
clientId: "opendesk-intercom" clientId: "opendesk-intercom"
protocol: "openid-connect" protocol: "openid-connect"
@@ -128,7 +439,6 @@ config:
claim.name: "phoenixusername" claim.name: "phoenixusername"
jsonType.label: "String" jsonType.label: "String"
defaultClientScopes: defaultClientScopes:
- "opendesk"
- "offline_access" - "offline_access"
- name: "opendesk-jitsi" - name: "opendesk-jitsi"
clientId: "opendesk-jitsi" clientId: "opendesk-jitsi"
@@ -142,8 +452,7 @@ config:
fullScopeAllowed: true fullScopeAllowed: true
authorizationServicesEnabled: false authorizationServicesEnabled: false
defaultClientScopes: defaultClientScopes:
- "opendesk" - "opendesk-jitsi-scope"
- "profile"
- name: "opendesk-matrix" - name: "opendesk-matrix"
clientId: "opendesk-matrix" clientId: "opendesk-matrix"
protocol: "openid-connect" protocol: "openid-connect"
@@ -165,12 +474,9 @@ config:
backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout" backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
defaultClientScopes: defaultClientScopes:
- "opendesk" - "opendesk-matrix-scope"
optionalClientScopes: # The following is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID.
- "email" # Unless that is solved and also is able to use "opendesk-matrix" we keep that dummy client that
- "profile"
# This is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID. Unless that
# is solved and also is able to use "opendesk-matrix" we keep that dummy client that
- name: "matrix" - name: "matrix"
clientId: "matrix" clientId: "matrix"
protocol: "openid-connect" protocol: "openid-connect"
@@ -183,6 +489,8 @@ config:
authorizationServicesEnabled: false authorizationServicesEnabled: false
attributes: attributes:
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
defaultClientScopes: []
optionalClientScopes: []
- name: "opendesk-nextcloud" - name: "opendesk-nextcloud"
clientId: "opendesk-nextcloud" clientId: "opendesk-nextcloud"
protocol: "openid-connect" protocol: "openid-connect"
@@ -199,21 +507,8 @@ config:
backchannel.logout.session.required: true backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk" backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
defaultClientScopes: defaultClientScopes:
- "opendesk" - "opendesk-nextcloud-scope"
- "email"
- "read_contacts" - "read_contacts"
- "write_contacts" - "write_contacts"
- name: "opendesk-openproject" - name: "opendesk-openproject"
@@ -233,22 +528,8 @@ config:
backchannel.logout.session.required: true backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout" backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "opendeskProjectmanagementAdmin"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "opendeskProjectmanagementAdmin"
id.token.claim: true
access.token.claim: true
claim.name: "openproject_admin"
jsonType.label: "String"
defaultClientScopes: defaultClientScopes:
- "opendesk" - "opendesk-openproject-scope"
- "email"
- "profile"
- name: "opendesk-oxappsuite" - name: "opendesk-oxappsuite"
clientId: "opendesk-oxappsuite" clientId: "opendesk-oxappsuite"
protocol: "openid-connect" protocol: "openid-connect"
@@ -265,20 +546,8 @@ config:
backchannel.logout.session.required: true backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout" backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
defaultClientScopes: defaultClientScopes:
- "opendesk" - "opendesk-oxappsuite-scope"
- "read_contacts" - "read_contacts"
- "write_contacts" - "write_contacts"
- name: "opendesk-xwiki" - name: "opendesk-xwiki"
@@ -298,10 +567,7 @@ config:
backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout" backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
defaultClientScopes: defaultClientScopes:
- "opendesk" - "opendesk-xwiki-scope"
- "address"
- "email"
- "profile"
containerSecurityContext: containerSecurityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false