JAR-9134 - Add create_client option to jarvice_bird helm template (#192)

* add create_client option to jarvice_bird helm template Signed-off-by: Kenneth Hill <ken.hill@nimbix.net> * add helm hook image to values file Signed-off-by: Kenneth Hill <ken.hill@nimbix.net> * quote request URL Signed-off-by: Kenneth Hill <ken.hill@nimbix.net> --------- Signed-off-by: Kenneth Hill <ken.hill@nimbix.net>
nimbix · Aug 29, 2024 · 9c0be88 · 9c0be88
1 parent 289e4ec
commit 9c0be88
Show file tree

Hide file tree

Showing 9 changed files with 449 additions and 159 deletions.
diff --git a/files/jarvice-create-keycloak-client.sh b/files/jarvice-create-keycloak-client.sh
diff --git a/files/keycloak-config/client/jarvice_client.json b/files/keycloak-config/client/jarvice_client.json
@@ -0,0 +1,102 @@
+{
+  "clientId": "jarvice",
+  "name": "",
+  "description": "",
+  "rootUrl": "",
+  "adminUrl": "",
+  "baseUrl": "https://${JARVICE_BIRD_INGRESSHOST}",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": true,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "https://${JARVICE_BIRD_INGRESSHOST}/*"
+  ],
+  "webOrigins": [
+    "+"
+  ],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "client.secret.creation.time": "1715982162",
+    "post.logout.redirect.uris": "+",
+    "oauth2.device.authorization.grant.enabled": "false",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "use.refresh.tokens": "true",
+    "oidc.ciba.grant.enabled": "false",
+    "backchannel.logout.session.required": "true",
+    "backchannel.logout.url": "https://${JARVICE_BIRD_INGRESSHOST}/portal/kc-logout",
+    "client_credentials.use_refresh_token": "false",
+    "acr.loa.map": "{}",
+    "require.pushed.authorization.requests": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "display.on.consent.screen": "false",
+    "token.response.type.bearer.lower-case": "false"
+  },
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "protocolMappers": [
+    {
+      "name": "jarvice-billing-code",
+      "protocol": "openid-connect",
+      "protocolMapper": "oidc-usermodel-attribute-mapper",
+      "consentRequired": false,
+      "config": {
+        "userinfo.token.claim": "true",
+        "user.attribute": "jarvice-billing-code",
+        "id.token.claim": "true",
+        "access.token.claim": "true",
+        "claim.name": "jarvice_billing_code",
+        "jsonType.label": "String"
+      }
+    },
+    {
+      "name": "jarvice-payer",
+      "protocol": "openid-connect",
+      "protocolMapper": "oidc-usermodel-attribute-mapper",
+      "consentRequired": false,
+      "config": {
+        "userinfo.token.claim": "true",
+        "user.attribute": "jarvice-payer",
+        "id.token.claim": "true",
+        "access.token.claim": "true",
+        "claim.name": "jarvice_payer",
+        "jsonType.label": "String"
+      }
+    },
+    {
+      "name": "jarvice",
+      "protocol": "openid-connect",
+      "protocolMapper": "oidc-audience-mapper",
+      "consentRequired": false,
+      "config": {
+        "included.client.audience": "jarvice",
+        "id.token.claim": "false",
+        "access.token.claim": "true",
+        "userinfo.token.claim": "false"
+      }
+    }
+  ],
+  "defaultClientScopes": [
+    "acr",
+    "address",
+    "phone",
+    "profile",
+    "roles",
+    "email"
+  ],
+  "optionalClientScopes": [],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}
diff --git a/files/keycloak-config/client/roles/jarvice_kcadmin_role.json b/files/keycloak-config/client/roles/jarvice_kcadmin_role.json
@@ -0,0 +1,14 @@
+{
+  "name": "jarvice-kcadmin",
+  "description": "",
+  "composite": true,
+  "composites": {
+    "client": {
+      "jarvice": [
+        "jarvice-sysadmin"
+      ]
+    }
+  },
+  "clientRole": true,
+  "attributes": {}
+}
diff --git a/files/keycloak-config/client/roles/jarvice_sysadmin_role.json b/files/keycloak-config/client/roles/jarvice_sysadmin_role.json
@@ -0,0 +1,35 @@
+{
+  "name": "jarvice-sysadmin",
+  "description": "",
+  "composite": true,
+  "composites": {
+    "client": {
+      "realm-management": [
+        "realm-admin",
+        "manage-realm",
+        "query-realms",
+        "manage-clients",
+        "view-users",
+        "query-clients",
+        "manage-authorization",
+        "manage-identity-providers",
+        "view-authorization",
+        "manage-events",
+        "view-clients",
+        "view-realm",
+        "query-groups",
+        "impersonation",
+        "manage-users",
+        "query-users",
+        "view-identity-providers",
+        "view-events",
+        "create-client"
+      ],
+      "jarvice": [
+        "jarvice-user"
+      ]
+    }
+  },
+  "clientRole": true,
+  "attributes": {}
+}
diff --git a/files/keycloak-config/client/roles/jarvice_user_role.json b/files/keycloak-config/client/roles/jarvice_user_role.json
@@ -0,0 +1,14 @@
+{
+  "name": "jarvice-user",
+  "description": "",
+  "composite": true,
+  "composites": {
+    "client": {
+      "account": [
+        "manage-account"
+      ]
+    }
+  },
+  "clientRole": true,
+  "attributes": {}
+}
diff --git a/files/jarvice.json → .../keycloak-config/realm/jarvice_realm.json b/files/jarvice.json → .../keycloak-config/realm/jarvice_realm.json
@@ -381,7 +381,14 @@
           "id": "c6044343-be85-4e63-a716-9170ad8db68b",
           "name": "jarvice-user",
           "description": "",
-          "composite": false,
+          "composite": true,
+          "composites": {
+            "client": {
+              "account": [
+                "manage-account"
+              ]
+            }
+          },
           "clientRole": true,
           "containerId": "68b5f1f1-50e3-4076-a09d-25beb6e50897",
           "attributes": {}
@@ -659,7 +666,7 @@
         "token.response.type.bearer.lower-case": "false"
       },
       "authenticationFlowBindingOverrides": {
-        "browser": "4159d091-569a-4340-b446-de67f522d9d7"
+        "browser": "d3e43bfd-8cca-4475-b452-22d2eed6e18e"
       },
       "fullScopeAllowed": false,
       "nodeReRegistrationTimeout": 0,
@@ -770,10 +777,10 @@
       "description": "",
       "rootUrl": "",
       "adminUrl": "",
-      "baseUrl": "",
+      "baseUrl": "https://${JARVICE_BIRD_INGRESSHOST}",
       "surrogateAuthRequired": false,
       "enabled": true,
-      "alwaysDisplayInConsole": false,
+      "alwaysDisplayInConsole": true,
       "clientAuthenticatorType": "client-secret",
       "redirectUris": [
         "https://${JARVICE_BIRD_INGRESSHOST}/*"