sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
b4e4947ea76483ddf4e8492d3278a83e0b67b46a
opendesk/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

548 lines
23 KiB
Go Template
Raw Blame History

{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.opendeskKeycloakBootstrap.registry | quote }}
repository: {{ .Values.images.opendeskKeycloakBootstrap.repository | quote }}
tag: {{ .Values.images.opendeskKeycloakBootstrap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
cleanup:
deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
config:
custom:
clientScopes:
{{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
clients:
{{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
managed:
clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
clients: [ 'UMC', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
keycloak:
adminUser: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
realm: {{ .Values.platform.realm | quote }}
intraCluster:
enabled: true
internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
twoFactorSettings:
additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
opendesk:
# We use client specific scopes as we bind them to Keycloak role membership which itself is linked
# to LDAP group membership to ensure a user cannot access an application without the required
# group membership.
# ToDo: Ensure all applications verify the token's signature to ensure it is not tampered.
clientScopes:
- name: "read_contacts"
protocol: "openid-connect"
- name: "write_contacts"
protocol: "openid-connect"
- name: "opendesk-openproject-scope"
description: "Scope for the claims required by openDesk's OpenProject instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "opendeskProjectmanagementAdmin"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "opendeskProjectmanagementAdmin"
id.token.claim: true
access.token.claim: true
claim.name: "openproject_admin"
jsonType.label: "String"
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "given name"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "firstName"
id.token.claim: true
access.token.claim: true
claim.name: "given_name"
jsonType.label: "String"
- name: "family name"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "lastName"
id.token.claim: true
access.token.claim: true
claim.name: "family_name"
jsonType.label: "String"
- name: "opendesk-jitsi-scope"
description: "Scope for the claims required by openDesk's Jitsi instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "full name"
protocol: "openid-connect"
protocolMapper: "oidc-full-name-mapper"
consentRequired: false
config:
id.token.claim: true
introspection.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "opendesk-nextcloud-scope"
description: "Scope for the claims required by openDesk's Nextcloud instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
- name: "opendesk-matrix-scope"
description: "Scope for the claims required by openDesk's Matrix instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "full name"
protocol: "openid-connect"
protocolMapper: "oidc-full-name-mapper"
consentRequired: false
config:
id.token.claim: true
introspection.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "opendesk-xwiki-scope"
description: "Scope for the claims required by openDesk's XWiki instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "full name"
protocol: "openid-connect"
protocolMapper: "oidc-full-name-mapper"
consentRequired: false
config:
id.token.claim: true
introspection.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "opendesk-dovecot-scope"
description: "Scope for the claims required by openDesk's Dovecot instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "opendesk-oxappsuite-scope"
description: "Scope for the claims required by openDesk's OX Appuite instance."
protocol: "openid-connect"
protocolMappers:
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
clients:
- name: "opendesk-dovecot"
clientId: "opendesk-dovecot"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: false
defaultClientScopes:
- "opendesk-dovecot-scope"
- name: "opendesk-jitsi"
clientId: "opendesk-jitsi"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: true
fullScopeAllowed: true
authorizationServicesEnabled: false
defaultClientScopes:
- "opendesk-jitsi-scope"
- name: "opendesk-matrix"
clientId: "opendesk-matrix"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
standardFlowEnabled: true
directAccessGrantsEnabled: true
serviceAccountsEnabled: true
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-matrix-scope"
# The following is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID.
# Unless that is solved and also is able to use "opendesk-matrix" we keep that dummy client that
- name: "matrix"
clientId: "matrix"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
standardFlowEnabled: true
directAccessGrantsEnabled: true
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes: []
optionalClientScopes: []
- name: "opendesk-nextcloud"
clientId: "opendesk-nextcloud"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-nextcloud-scope"
- "read_contacts"
- "write_contacts"
- name: "opendesk-openproject"
clientId: "opendesk-openproject"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
serviceAccountsEnabled: true
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-openproject-scope"
- name: "opendesk-oxappsuite"
clientId: "opendesk-oxappsuite"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-oxappsuite-scope"
- "read_contacts"
- "write_contacts"
- name: "opendesk-xwiki"
clientId: "opendesk-xwiki"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: false
backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk-xwiki-scope"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.opendeskKeycloakBootstrap | toYaml | nindent 4 }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
resources:
{{ .Values.resources.opendeskKeycloakBootstrap | toYaml | nindent 2 }}
...
Reference in New Issue View Git Blame Copy Permalink