sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
3ad285a8695a32607c4bf0faea0747c7e685dcd6
opendesk/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
Thorsten Roßner 3ad285a869 feat: Newsfeed in Portal based on XWiki blog feature
2024-12-18 15:58:51 +01:00

615 lines
26 KiB
Go Template
Raw Blame History

{{/*
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.opendeskKeycloakBootstrap.registry | quote }}
repository: {{ .Values.images.opendeskKeycloakBootstrap.repository | quote }}
tag: {{ .Values.images.opendeskKeycloakBootstrap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
cleanup:
deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
config:
custom:
clientScopes:
{{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
clients:
{{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
managed:
clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
clients: [ 'opendesk-intercom', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
keycloak:
adminUser: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
realm: {{ .Values.platform.realm | quote }}
intraCluster:
enabled: true
internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
twoFactorSettings:
additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
opendesk:
# We use client specific scopes as we bind them to Keycloak role membership which itself is linked
# to LDAP group membership to ensure a user cannot access an application without the required
# group membership.
# ToDo: Ensure all applications verify the token's signature to ensure it is not tampered.
clientScopes:
- name: "read_contacts"
protocol: "openid-connect"
- name: "write_contacts"
protocol: "openid-connect"
- name: "opendesk-openproject-scope"
description: "Scope for the claims required by openDesk's OpenProject instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "opendeskProjectmanagementAdmin"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "opendeskProjectmanagementAdmin"
id.token.claim: true
access.token.claim: true
claim.name: "openproject_admin"
jsonType.label: "String"
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "given name"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "firstName"
id.token.claim: true
access.token.claim: true
claim.name: "given_name"
jsonType.label: "String"
- name: "family name"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "lastName"
id.token.claim: true
access.token.claim: true
claim.name: "family_name"
jsonType.label: "String"
- name: "opendesk-jitsi-scope"
description: "Scope for the claims required by openDesk's Jitsi instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "full name"
protocol: "openid-connect"
protocolMapper: "oidc-full-name-mapper"
consentRequired: false
config:
id.token.claim: true
introspection.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "opendesk-nextcloud-scope"
description: "Scope for the claims required by openDesk's Nextcloud instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
- name: "opendesk-matrix-scope"
description: "Scope for the claims required by openDesk's Matrix instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "full name"
protocol: "openid-connect"
protocolMapper: "oidc-full-name-mapper"
consentRequired: false
config:
id.token.claim: true
introspection.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "opendesk-xwiki-scope"
description: "Scope for the claims required by openDesk's XWiki instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "full name"
protocol: "openid-connect"
protocolMapper: "oidc-full-name-mapper"
consentRequired: false
config:
id.token.claim: true
introspection.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "opendesk-dovecot-scope"
description: "Scope for the claims required by openDesk's Dovecot instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "opendesk-oxappsuite-scope"
description: "Scope for the claims required by openDesk's OX Appuite instance."
protocol: "openid-connect"
protocolMappers:
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
clients:
- name: "opendesk-intercom"
clientId: "opendesk-intercom"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.revoke.offline.tokens: true
backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
protocolMappers:
- name: "intercom-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "opendesk-intercom"
id.token.claim: false
access.token.claim: true
# temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
# it to `opendesk_useruuid` standard claim. For reference:
# https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
- name: "entryuuid_temp"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "entryuuid"
jsonType.label: "String"
# temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
# set it to `opendesk_username` standard claim. For reference:
# https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
- name: "phoenixusername_temp"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "phoenixusername"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
defaultClientScopes:
- "offline_access"
- name: "opendesk-dovecot"
clientId: "opendesk-dovecot"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: false
defaultClientScopes:
- "opendesk-dovecot-scope"
- name: "opendesk-jitsi"
clientId: "opendesk-jitsi"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: true
fullScopeAllowed: true
authorizationServicesEnabled: false
defaultClientScopes:
- "opendesk-jitsi-scope"
- name: "opendesk-matrix"
clientId: "opendesk-matrix"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
standardFlowEnabled: true
directAccessGrantsEnabled: true
serviceAccountsEnabled: true
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-matrix-scope"
- name: "opendesk-nextcloud"
clientId: "opendesk-nextcloud"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/opendesk"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-nextcloud-scope"
- "read_contacts"
- "write_contacts"
- name: "opendesk-openproject"
clientId: "opendesk-openproject"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
serviceAccountsEnabled: true
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-openproject-scope"
- name: "opendesk-oxappsuite"
clientId: "opendesk-oxappsuite"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-oxappsuite-scope"
- "read_contacts"
- "write_contacts"
- name: "opendesk-xwiki"
clientId: "opendesk-xwiki"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: false
backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-xwiki-scope"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.opendeskKeycloakBootstrap | toYaml | nindent 4 }}
additionalAnnotations:
argocd.argoproj.io/hook: "Sync"
argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
resources:
{{ .Values.resources.opendeskKeycloakBootstrap | toYaml | nindent 2 }}
{{- if .Values.certificate.selfSigned }}
extraVolumes:
- name: "trusted-cert-secret-volume"
secret:
secretName: "opendesk-certificates-ca-tls"
items:
- key: "ca.crt"
path: "ca-certificates.crt"
extraVolumeMounts:
- name: "trusted-cert-secret-volume"
mountPath: "/etc/ssl/certs/ca-certificates.crt"
subPath: "ca-certificates.crt"
{{- end }}
...
Reference in New Issue View Git Blame Copy Permalink