sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-09 00:38:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat(nubus): Template external secrets for keycloak-bootstrap

Browse Source 
Signed-off-by: Axel Lender <lender@b1-systems.de>
This commit is contained in:
Axel Lender
2025-08-28 18:19:27 +02:00
parent 369242181f
commit c6a0caeac5
4 changed files with 314 additions and 236 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
docs/external-secrets.md
View File

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
<h1>External Secrets</h1>
This document covers how to utilise external secrets and special requirements.
This document covers how to utilise external secrets and special requirements. The examples documented here are mostly showing the format with the openDesk default values.
<!-- TOC -->
* [General](#general)
@@ -49,7 +49,9 @@ This has to be adapted into a secret that also holds a `cql` script and is named
## Keycloak
The Keycloak bootstrap chart expects a special format for the admin credentials. The following example shows the format with the openDesk default values:
Several external secrets utilised by the Keycloak bootstrap chart are expected in a special format and/or key.
### Admin credentials
```yaml
stringData:
@@ -58,6 +60,8 @@ stringData:
password: "{{ .Values.secrets.keycloak.adminPassword }}"
```
### ox-connector
The secret `openxchangeConnector.provisioningApiPassword` has to provide a JSON file. The value `.Values.secrets.oxConnector.provisioningApiPassword` is taken from the default openDesk install without external secrets and has to be replaced by some secret value. The following format is expected:
```yaml
@@ -65,7 +69,56 @@ The secret `openxchangeConnector.provisioningApiPassword` has to provide a JSON
ox-connector.json: "{ \"name\": \"ox-connector\", \"realms_topics\": [{\"realm\": \"udm\", \"topic\": \"oxmail/oxcontext\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/accessprofile\"}, {\"realm\": \"udm\", \"topic\": \"users/user\"}, {\"realm\": \"udm\", \"topic\": \"oxresources/oxresources\"}, {\"realm\": \"udm\", \"topic\": \"groups/group\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/functional_account\"}], \"request_prefill\": true, \"password\": \"{{ .Values.secrets.oxConnector.provisioningApiPassword }}\" }"
```
The secret `nubus.ldapSearch.keycloak` has to contain `password` as key.
### LDAP Search
The secret `nubus.ldapSearch.keycloak` has the requirement to use `password` as key.
### SSOFederation and Clients
Values taken from those external secrets will supersede secret values that are already present for the `client` in the configuration or add them accordingly. Further the secrets for the clients have to provide a `yaml` file in a special format. The expected format for each configuration can be ssen in the as referenced in the table below:
|Section |Format |Key |
|-----------------------------------------------------|-------------|-------------|
|`functional.authentication.clients` |1. |name.yaml |
|`functional.authentication.ssoFederation.idpDetails` |2. |name.yaml |
|`keycloak.clients` |1. |name.yaml |
1. It is expected that the `name`, like it is set in the `clients` list:
```yaml
opendesk-intercom:
clientId: "opendesk-intercom"
secret: "{{ .Values.secrets.keycloak.clientSecret.intercom }}"
opendesk-notes:
clientId: "opendesk-notes"
secret: "{{ .Values.secrets.keycloak.clientSecret.notes }}"
opendesk-dovecot:
clientId: "opendesk-dovecot"
secret: "{{ .Values.secrets.keycloak.clientSecret.dovecot }}"
opendesk-oxappsuite:
clientId: "opendesk-oxappsuite"
secret: "{{ .Values.secrets.keycloak.clientSecret.as8oidc }}"
opendesk-matrix:
clientId: "opendesk-matrix"
secret: "{{ .Values.secrets.keycloak.clientSecret.matrix }}"
opendesk-nextcloud:
clientId: "opendesk-nextcloud"
secret: "{{ .Values.secrets.keycloak.clientSecret.ncoidc }}"
opendesk-openproject:
clientId: "opendesk-openproject"
secret: "{{ .Values.secrets.keycloak.clientSecret.openproject }}"
opendesk-xwiki:
clientId: "opendesk-xwiki"
secret: "{{ .Values.secrets.keycloak.clientSecret.xwiki }}"
```
2. Since the configuration for `ssoFederation` is no list the key is ommited here:
```yaml
clientId: "yourSecretValueHere"
secret: "yourSecretValueHere"
```
## MinIO

470
helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
View File

@@ -80,7 +80,11 @@ config:
clientScopes:
{{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
clients:
{{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
value:
{{ .Values.functional.authentication.oidc.clients | toYaml | nindent 8 }}
existingSecret:
name: {{ .Values.externalSecrets.functional.authentication.clients.name | quote }}
key: {{ .Values.externalSecrets.functional.authentication.clients.key | quote }}
managed:
clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list',
'offline_access', 'roles', 'address', 'phone' ]
@@ -116,7 +120,11 @@ config:
enabled: {{ .Values.functional.authentication.ssoFederation.enabled }}
enforceFederatedLogin: {{ .Values.functional.authentication.ssoFederation.enforceFederatedLogin }}
name: {{ .Values.functional.authentication.ssoFederation.name | quote }}
idpDetails: {{ .Values.functional.authentication.ssoFederation.idpDetails | toYaml | nindent 6 }}
idpDetails:
value: {{ .Values.functional.authentication.ssoFederation.idpDetails | toYaml | nindent 8 }}
existingSecret:
name : {{ .Values.externalSecrets.functional.authentication.ssoFederation.idpDetails.name | quote }}
key : {{ .Values.externalSecrets.functional.authentication.ssoFederation.idpDetails.key | quote }}
twoFactorSettings:
additionalGroups: {{ .Values.functional.authentication.twoFactor.groups | toYaml | nindent 6 }}
precreateGroups: [ 'Domain Admins', 'Domain Users', 'IAM API - Full Access',
@@ -519,233 +527,237 @@ config:
jsonType.label: "String"
{{ end }}
clients:
- name: "opendesk-intercom"
clientId: "opendesk-intercom"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
use.refresh.tokens: true
backchannel.logout.session.required: true
standard.token.exchange.enabled: true
standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
backchannel.logout.revoke.offline.tokens: true
backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
protocolMappers:
- name: "intercom-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "opendesk-intercom"
id.token.claim: false
access.token.claim: true
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
defaultClientScopes:
- "offline_access"
{{ if .Values.apps.notes.enabled }}
- name: "opendesk-notes"
clientId: "opendesk-notes"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/callback/"
standardFlowEnabled: true
implicitFlowEnabled: false
alwaysDisplayInConsole: false
bearerOnly: false
directAccessGrantsEnabled: true
serviceAccountsEnabled: false
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
surrogateAuthRequired: false
attributes:
backchannel.logout.revoke.offline.tokens: false
backchannel.logout.session.required: false
client.introspection.response.allow.jwt.claim.enabled: false
client.use.lightweight.access.token.enabled: false
client_credentials.use_refresh_token: false
display.on.consent.screen: false
oauth2.device.authorization.grant.enabled: false
oidc.ciba.grant.enabled: false
post.logout.redirect.uris: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/*"
require.pushed.authorization.requests: false
tls.client.certificate.bound.access.tokens: false
token.response.type.bearer.lower-case: false
use.jwks.url: false
use.refresh.tokens: false
# it is probably not even required to set this value explicitly.
user.info.response.signature.alg: "RS256"
defaultClientScopes:
- "opendesk-notes-scope"
{{ end }}
{{ if .Values.apps.oxAppSuite.enabled }}
- name: "opendesk-dovecot"
clientId: "opendesk-dovecot"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: false
defaultClientScopes:
- "opendesk-dovecot-scope"
- name: "opendesk-oxappsuite"
clientId: "opendesk-oxappsuite"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-oxappsuite-scope"
- "read_contacts"
- "write_contacts"
{{ end }}
{{ if .Values.apps.jitsi.enabled }}
- name: "opendesk-jitsi"
clientId: "opendesk-jitsi"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: true
fullScopeAllowed: true
authorizationServicesEnabled: false
defaultClientScopes:
- "opendesk-jitsi-scope"
{{ end }}
{{ if .Values.apps.element.enabled }}
- name: "opendesk-matrix"
clientId: "opendesk-matrix"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
standardFlowEnabled: true
directAccessGrantsEnabled: true
serviceAccountsEnabled: true
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-matrix-scope"
{{ end }}
{{ if .Values.apps.nextcloud.enabled }}
- name: "opendesk-nextcloud"
clientId: "opendesk-nextcloud"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/opendesk"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-nextcloud-scope"
- "read_contacts"
- "write_contacts"
{{ end }}
{{ if .Values.apps.openproject.enabled }}
- name: "opendesk-openproject"
clientId: "opendesk-openproject"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
serviceAccountsEnabled: true
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-openproject-scope"
{{ end }}
{{ if .Values.apps.xwiki.enabled }}
- name: "opendesk-xwiki"
clientId: "opendesk-xwiki"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: false
backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-xwiki-scope"
{{ end }}
value:
"opendesk-intercom":
clientId: "opendesk-intercom"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
use.refresh.tokens: true
backchannel.logout.session.required: true
standard.token.exchange.enabled: true
standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
backchannel.logout.revoke.offline.tokens: true
backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
protocolMappers:
- name: "intercom-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "opendesk-intercom"
id.token.claim: false
access.token.claim: true
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
defaultClientScopes:
- "offline_access"
{{ if .Values.apps.notes.enabled }}
"opendesk-notes":
clientId: "opendesk-notes"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/callback/"
standardFlowEnabled: true
implicitFlowEnabled: false
alwaysDisplayInConsole: false
bearerOnly: false
directAccessGrantsEnabled: true
serviceAccountsEnabled: false
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
surrogateAuthRequired: false
attributes:
backchannel.logout.revoke.offline.tokens: false
backchannel.logout.session.required: false
client.introspection.response.allow.jwt.claim.enabled: false
client.use.lightweight.access.token.enabled: false
client_credentials.use_refresh_token: false
display.on.consent.screen: false
oauth2.device.authorization.grant.enabled: false
oidc.ciba.grant.enabled: false
post.logout.redirect.uris: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/*"
require.pushed.authorization.requests: false
tls.client.certificate.bound.access.tokens: false
token.response.type.bearer.lower-case: false
use.jwks.url: false
use.refresh.tokens: false
# it is probably not even required to set this value explicitly.
user.info.response.signature.alg: "RS256"
defaultClientScopes:
- "opendesk-notes-scope"
{{ end }}
{{ if .Values.apps.oxAppSuite.enabled }}
"opendesk-dovecot":
clientId: "opendesk-dovecot"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: false
defaultClientScopes:
- "opendesk-dovecot-scope"
"opendesk-oxappsuite":
clientId: "opendesk-oxappsuite"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-oxappsuite-scope"
- "read_contacts"
- "write_contacts"
{{ end }}
{{ if .Values.apps.jitsi.enabled }}
"opendesk-jitsi":
clientId: "opendesk-jitsi"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: true
fullScopeAllowed: true
authorizationServicesEnabled: false
defaultClientScopes:
- "opendesk-jitsi-scope"
{{ end }}
{{ if .Values.apps.element.enabled }}
"opendesk-matrix":
clientId: "opendesk-matrix"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
standardFlowEnabled: true
directAccessGrantsEnabled: true
serviceAccountsEnabled: true
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-matrix-scope"
{{ end }}
{{ if .Values.apps.nextcloud.enabled }}
"opendesk-nextcloud":
clientId: "opendesk-nextcloud"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/opendesk"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-nextcloud-scope"
- "read_contacts"
- "write_contacts"
{{ end }}
{{ if .Values.apps.openproject.enabled }}
"opendesk-openproject":
clientId: "opendesk-openproject"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
serviceAccountsEnabled: true
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-openproject-scope"
{{ end }}
{{ if .Values.apps.xwiki.enabled }}
"opendesk-xwiki":
clientId: "opendesk-xwiki"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: false
backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-xwiki-scope"
{{ end }}
existingSecret:
name: {{ .Values.externalSecrets.keycloak.clients.name | quote }}
key: {{ .Values.externalSecrets.keycloak.clients.key | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false

13
helmfile/environments/default/external_secrets.yaml.gotmpl
View File

@@ -62,6 +62,15 @@ externalSecrets:
password:
name: ~
key: ~
functional:
authentication:
clients:
name: ~
key: ~
ssoFederation:
idpDetails:
name: ~
key: ~
keycloak:
adminSecret:
name: ~
@@ -87,6 +96,10 @@ externalSecrets:
nextcloudOidc:
name: ~
key: ~
clients:
opendesk:
name: ~
key: ~
minio:
existingSecret: ~
rootUserSecretKey: ~

8
helmfile/environments/default/functional.yaml.gotmpl
View File

@@ -22,11 +22,11 @@ functional:
- "Domain Admins"
oidc:
# Define additional/custom OIDC clients to be created in the 'opendesk' realm within Keycloak.
clients: ~
clients: {}
# Define additional/custom OIDC client scopes to be created in the 'opendesk' realm within Keycloak.
clientScopes: ~
# Global settings of the 'opendesk' realm within Keycloak. The values are used to set Keycloak's realm attributes
# of the same name and are applied by `opendesk-keycloak-bootstrap`.
clientScopes: {}
# Configure global settings of the 'opendesk' realm within Keycloak. The values are directly
# passed into the `realmSettings` section of the `opendesk-keycloak-bootstrap` chart.
# Ref.: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap
# Note: Global settings can potentially be overridden on a client level.
# Note: All numeric "Lifespan" values are defined in seconds.