fix(univention-management-stack): Bump Keycloak chart and image and provide settings for IT-Grundschutz

2025-12-06 07:21:36 +01:00 · 2023-12-21 22:20:24 +01:00
parent 61eb206c74
commit c2e9204c56
4 changed files with 17 additions and 2 deletions
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -69,6 +69,7 @@ config:
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
+        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: false
        defaultClientScopes:
@@ -83,6 +84,7 @@ config:
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
+        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
@@ -136,6 +138,7 @@ config:
        frontchannelLogout: false
        publicClient: true
        fullScopeAllowed: true
+        authorizationServicesEnabled: false
        defaultClientScopes:
          - "opendesk"
          - "profile"
@@ -154,6 +157,7 @@ config:
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
+        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
@@ -174,6 +178,7 @@ config:
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
+        authorizationServicesEnabled: false
        attributes:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
      - name: "opendesk-nextcloud"
@@ -187,6 +192,7 @@ config:
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
+        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/ncoidc"
@@ -220,6 +226,7 @@ config:
        frontchannelLogout: false
        publicClient: false
        serviceAccountsEnabled: true
+        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
@@ -251,6 +258,7 @@ config:
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
+        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/ajax/oidc/backchannel_logout"
@@ -282,6 +290,7 @@ config:
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
+        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: false
          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/NOT_YET_IMPLEMENTED_DONT_FORGET_TO_DISABLE_FCL_WHEN_BCL_IS_ACTIVATED/backchannel-logout"
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
@@ -26,6 +26,12 @@ config:
    user: {{ .Values.databases.keycloak.username | quote }}
    database: {{ .Values.databases.keycloak.name | quote }}
    password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
+  logLevel: "DEBUG"
+  enableMetrics: true
+  # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
+  # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly
+  # through an own ingress.
+  exposeAdminConsole: false

 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -175,7 +175,7 @@ charts:
    repository: "sovereign-workplace/souvap/tooling/charts/univention-keycloak"
    name: "ums-keycloak"
    oci: true
-    version: "1.0.1"
+    version: "1.0.3"
    verify: true
    username: ~
    password: ~
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -105,7 +105,7 @@ images:
    # registryUrl=https://docker.software-univention.de
    # dependencyType=supplier
    repository: "keycloak-keycloak"
-    tag: "22.0.3-ucs1@sha256:6b17a63d4c6bc60f9c645902f8dbb7ad094a867065e40c43cc81c867c1b8ba00"
+    tag: "22.0.3-ucs2@sha256:1e8e45a2e01050c1473595c3b143446363016ea292b0c599ccd9f1bd37112206"
    # @supplier: "Univention"
  umsKeycloakBootstrap:
    # renovate: