sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-08 00:11:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(univention-management-stack): Bump Keycloak chart and image and provide settings for IT-Grundschutz

Browse Source
This commit is contained in:
Thorsten Roßner
2023-12-21 22:20:24 +01:00
committed by Thorsten Rossner
parent 61eb206c74
commit c2e9204c56
4 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
View File

@@ -69,6 +69,7 @@ config:
consentRequired: false consentRequired: false
frontchannelLogout: false frontchannelLogout: false
publicClient: false publicClient: false
authorizationServicesEnabled: false
attributes: attributes:
backchannel.logout.session.required: false backchannel.logout.session.required: false
defaultClientScopes: defaultClientScopes:
@@ -83,6 +84,7 @@ config:
consentRequired: false consentRequired: false
frontchannelLogout: false frontchannelLogout: false
publicClient: false publicClient: false
authorizationServicesEnabled: false
attributes: attributes:
backchannel.logout.session.required: true backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout" backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
@@ -136,6 +138,7 @@ config:
frontchannelLogout: false frontchannelLogout: false
publicClient: true publicClient: true
fullScopeAllowed: true fullScopeAllowed: true
authorizationServicesEnabled: false
defaultClientScopes: defaultClientScopes:
- "opendesk" - "opendesk"
- "profile" - "profile"
@@ -154,6 +157,7 @@ config:
consentRequired: false consentRequired: false
frontchannelLogout: false frontchannelLogout: false
publicClient: false publicClient: false
authorizationServicesEnabled: false
attributes: attributes:
backchannel.logout.session.required: true backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout" backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
@@ -174,6 +178,7 @@ config:
consentRequired: false consentRequired: false
frontchannelLogout: false frontchannelLogout: false
publicClient: false publicClient: false
authorizationServicesEnabled: false
attributes: attributes:
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
- name: "opendesk-nextcloud" - name: "opendesk-nextcloud"
@@ -187,6 +192,7 @@ config:
consentRequired: false consentRequired: false
frontchannelLogout: false frontchannelLogout: false
publicClient: false publicClient: false
authorizationServicesEnabled: false
attributes: attributes:
backchannel.logout.session.required: true backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/ncoidc" backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/ncoidc"
@@ -220,6 +226,7 @@ config:
frontchannelLogout: false frontchannelLogout: false
publicClient: false publicClient: false
serviceAccountsEnabled: true serviceAccountsEnabled: true
authorizationServicesEnabled: false
attributes: attributes:
backchannel.logout.session.required: true backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout" backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
@@ -251,6 +258,7 @@ config:
consentRequired: false consentRequired: false
frontchannelLogout: false frontchannelLogout: false
publicClient: false publicClient: false
authorizationServicesEnabled: false
attributes: attributes:
backchannel.logout.session.required: true backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/ajax/oidc/backchannel_logout" backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/ajax/oidc/backchannel_logout"
@@ -282,6 +290,7 @@ config:
consentRequired: false consentRequired: false
frontchannelLogout: false frontchannelLogout: false
publicClient: false publicClient: false
authorizationServicesEnabled: false
attributes: attributes:
backchannel.logout.session.required: false backchannel.logout.session.required: false
backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/NOT_YET_IMPLEMENTED_DONT_FORGET_TO_DISABLE_FCL_WHEN_BCL_IS_ACTIVATED/backchannel-logout" backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/NOT_YET_IMPLEMENTED_DONT_FORGET_TO_DISABLE_FCL_WHEN_BCL_IS_ACTIVATED/backchannel-logout"

6
helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
View File

@@ -26,6 +26,12 @@ config:
user: {{ .Values.databases.keycloak.username | quote }} user: {{ .Values.databases.keycloak.username | quote }}
database: {{ .Values.databases.keycloak.name | quote }} database: {{ .Values.databases.keycloak.name | quote }}
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }} password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
logLevel: "DEBUG"
enableMetrics: true
# The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
# Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly
# through an own ingress.
exposeAdminConsole: false
containerSecurityContext: containerSecurityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false

2
helmfile/environments/default/charts.yaml
View File

@@ -175,7 +175,7 @@ charts:
repository: "sovereign-workplace/souvap/tooling/charts/univention-keycloak" repository: "sovereign-workplace/souvap/tooling/charts/univention-keycloak"
name: "ums-keycloak" name: "ums-keycloak"
oci: true oci: true
version: "1.0.1" version: "1.0.3"
verify: true verify: true
username: ~ username: ~
password: ~ password: ~

2
helmfile/environments/default/images.yaml
View File

@@ -105,7 +105,7 @@ images:
# registryUrl=https://docker.software-univention.de # registryUrl=https://docker.software-univention.de
# dependencyType=supplier # dependencyType=supplier
repository: "keycloak-keycloak" repository: "keycloak-keycloak"
tag: "22.0.3-ucs1@sha256:6b17a63d4c6bc60f9c645902f8dbb7ad094a867065e40c43cc81c867c1b8ba00" tag: "22.0.3-ucs2@sha256:1e8e45a2e01050c1473595c3b143446363016ea292b0c599ccd9f1bd37112206"
# @supplier: "Univention" # @supplier: "Univention"
umsKeycloakBootstrap: umsKeycloakBootstrap:
# renovate: # renovate: