From 9c0be8823f065c600e7b5e26272192dc72f281d5 Mon Sep 17 00:00:00 2001 From: Kenneth Hill Date: Thu, 29 Aug 2024 10:30:44 -0500 Subject: [PATCH] JAR-9134 - Add create_client option to jarvice_bird helm template (#192) * add create_client option to jarvice_bird helm template Signed-off-by: Kenneth Hill * add helm hook image to values file Signed-off-by: Kenneth Hill * quote request URL Signed-off-by: Kenneth Hill --------- Signed-off-by: Kenneth Hill --- files/jarvice-create-keycloak-client.sh | 207 +++++++++++++++++ .../client/jarvice_client.json | 102 +++++++++ .../client/roles/jarvice_kcadmin_role.json | 14 ++ .../client/roles/jarvice_sysadmin_role.json | 35 +++ .../client/roles/jarvice_user_role.json | 14 ++ .../realm/jarvice_realm.json} | 15 +- templates/jarvice-helm-hook.yaml | 208 +++++------------- templates/jarvice-keycloak-realm.yaml | 4 +- values.yaml | 9 +- 9 files changed, 449 insertions(+), 159 deletions(-) create mode 100755 files/jarvice-create-keycloak-client.sh create mode 100644 files/keycloak-config/client/jarvice_client.json create mode 100644 files/keycloak-config/client/roles/jarvice_kcadmin_role.json create mode 100644 files/keycloak-config/client/roles/jarvice_sysadmin_role.json create mode 100644 files/keycloak-config/client/roles/jarvice_user_role.json rename files/{jarvice.json => keycloak-config/realm/jarvice_realm.json} (99%) diff --git a/files/jarvice-create-keycloak-client.sh b/files/jarvice-create-keycloak-client.sh new file mode 100755 index 00000000..2ba4695f --- /dev/null +++ b/files/jarvice-create-keycloak-client.sh 
@@ -0,0 +1,207 @@ +set -e + +get_token() { + curl --fail --silent "${KEYCLOAK_URL}/realms/$KEYCLOAK_REALM/protocol/openid-connect/token" \ + -H 'Content-Type: application/x-www-form-urlencoded' \ + --data-urlencode "username=$JARVICE_KEYCLOAK_USER" \ + --data-urlencode "password=$JARVICE_KEYCLOAK_PASSWD" \ + --data-urlencode "grant_type=password" \ + --data-urlencode "client_id=admin-cli" | jq -r .access_token; +} + +keycloak_get () { + request="$1" + token=$(get_token) + curl --fail --silent -H "Authorization: Bearer $token" "${KEYCLOAK_URL}/admin/realms/$KEYCLOAK_REALM/$request" +} + +keycloak_post () { + request="$1" + data="$2" + token=$(get_token) + curl --fail --silent -d "$data" \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $token" \ + "${KEYCLOAK_URL}/admin/realms/$KEYCLOAK_REALM/$request" +} + +keycloak_put () { + request="$1" + data="$2" + token=$(get_token) + curl --fail --silent -X PUT -d "$data" \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $token" \ + "${KEYCLOAK_URL}/admin/realms/$KEYCLOAK_REALM/$request" > /dev/null 2>&1 +} + +create_client() { + keycloak_post "clients" "$(envsubst < /etc/jarvice/jarvice_client.json)" && \ + echo "Creating jarvice client on realm $KEYCLOAK_REALM" || true +} + +create_client_roles () { + jarvice_id=$1 + keycloak_post "clients/$jarvice_id/roles" "$(cat /etc/jarvice/jarvice_user_role.json | jq -c)" || return 0 + keycloak_post "clients/$jarvice_id/roles" "$(cat /etc/jarvice/jarvice_sysadmin_role.json | jq -c)" + keycloak_post "clients/$jarvice_id/roles" "$(cat /etc/jarvice/jarvice_kcadmin_role.json | jq -c)" + echo "Creating jarvice client roles on realm $KEYCLOAK_REALM"; +} + +create_auth_broker () { + keycloak_post "authentication/flows" "{\"alias\":\"JARVICE first broker login\",\"description\":\"Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak 
account\",\"providerId\":\"basic-flow\",\"builtIn\":false,\"topLevel\":true}" || return 0 + echo "Creating JARVICE first broker login Authentication flow" + keycloak_post "authentication/flows/JARVICE%20first%20broker%20login/executions/execution" "{\"provider\":\"idp-create-user-if-unique\"}" + keycloak_post "authentication/flows/JARVICE%20first%20broker%20login/executions/execution" "{\"provider\":\"idp-email-verification\"}" + ids=$(keycloak_get "authentication/flows/JARVICE%20first%20broker%20login/executions") + keycloak_put "authentication/flows/JARVICE%20first%20broker%20login/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[0].id')\",\"requirement\":\"ALTERNATIVE\",\"displayName\":\"Create User If Unique\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\"],\"configurable\":true,\"providerId\":\"idp-create-user-if-unique\",\"level\":0,\"index\":0}" + keycloak_put "authentication/flows/JARVICE%20first%20broker%20login/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[1].id')\",\"requirement\":\"ALTERNATIVE\",\"displayName\":\"Verify existing account by Email\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\"],\"configurable\":false,\"providerId\":\"idp-email-verification\",\"level\":0,\"index\":1}" +} + +create_auth_jarvice_user_rbac () { + keycloak_post "authentication/flows" "{\"alias\":\"JARVICE jarvice-user RBAC\",\"description\":\"\",\"providerId\":\"basic-flow\",\"builtIn\":false,\"topLevel\":true}" || return 0 + echo "Creating JARVICE jarvice-user RBAC Authentication flow" + keycloak_post "authentication/flows/JARVICE%20jarvice-user%20RBAC/executions/flow" "{\"alias\":\"jarvice-user RBAC\",\"description\":\"\",\"provider\":\"registration-page-form\",\"type\":\"basic-flow\"}" + keycloak_post "authentication/flows/jarvice-user%20RBAC/executions/flow" "{\"alias\":\"jarvice-user RBAC allow\",\"description\":\"\",\"provider\":\"registration-page-form\",\"type\":\"basic-flow\"}" + keycloak_post 
"authentication/flows/jarvice-user%20RBAC/executions/flow" "{\"alias\":\"jarvice-user RBAC deny\",\"description\":\"\",\"provider\":\"registration-page-form\",\"type\":\"basic-flow\"}" + keycloak_post "authentication/flows/jarvice-user%20RBAC%20allow/executions/execution" "{\"provider\":\"conditional-user-role\"}" + keycloak_post "authentication/flows/jarvice-user%20RBAC%20allow/executions/execution" "{\"provider\":\"allow-access-authenticator\"}" + keycloak_post "authentication/flows/jarvice-user%20RBAC%20deny/executions/execution" "{\"provider\":\"conditional-user-role\"}" + keycloak_post "authentication/flows/jarvice-user%20RBAC%20deny/executions/execution" "{\"provider\":\"deny-access-authenticator\"}" + ids=$(keycloak_get "authentication/flows/JARVICE%20jarvice-user%20RBAC/executions") + keycloak_post "authentication/executions/$(echo $ids | jq -r '.[2].id')/config" "{\"alias\":\"jarvice-user RBAC allow\",\"config\":{\"condUserRole\":\"jarvice.jarvice-user\"}}" + keycloak_post "authentication/executions/$(echo $ids | jq -r '.[5].id')/config" "{\"alias\":\"jarvice-user RBAC deny\",\"config\":{\"condUserRole\":\"jarvice.jarvice-user\",\"negate\":\"true\"}}" + keycloak_put "authentication/flows/JARVICE%20jarvice-user%20RBAC/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[0].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"jarvice-user RBAC\",\"description\":\"\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\",\"CONDITIONAL\"],\"configurable\":false,\"authenticationFlow\":true,\"level\":0,\"index\":0}" + keycloak_put "authentication/flows/JARVICE%20jarvice-user%20RBAC/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[1].id')\",\"requirement\":\"CONDITIONAL\",\"displayName\":\"jarvice-user RBAC allow\",\"description\":\"\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\",\"CONDITIONAL\"],\"configurable\":false,\"authenticationFlow\":true,\"level\":1,\"index\":0}" + keycloak_put 
"authentication/flows/JARVICE%20jarvice-user%20RBAC/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[2].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Condition - user role\",\"alias\":\"jarvice-user RBAC allow\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":true,\"providerId\":\"conditional-user-role\",\"level\":2,\"index\":0}" + keycloak_put "authentication/flows/JARVICE%20jarvice-user%20RBAC/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[3].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Allow access\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":false,\"providerId\":\"allow-access-authenticator\",\"level\":2,\"index\":1}" + keycloak_put "authentication/flows/JARVICE%20jarvice-user%20RBAC/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[4].id')\",\"requirement\":\"CONDITIONAL\",\"displayName\":\"jarvice-user RBAC deny\",\"description\":\"\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\",\"CONDITIONAL\"],\"configurable\":false,\"authenticationFlow\":true,\"level\":1,\"index\":1}" + keycloak_put "authentication/flows/JARVICE%20jarvice-user%20RBAC/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[5].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Condition - user role\",\"alias\":\"jarvice-user RBAC deny\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":true,\"providerId\":\"conditional-user-role\",\"level\":2,\"index\":0}" + keycloak_put "authentication/flows/JARVICE%20jarvice-user%20RBAC/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[6].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Deny access\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":true,\"providerId\":\"deny-access-authenticator\",\"level\":2,\"index\":1}" +} + +create_browser () { + keycloak_post "authentication/flows" "{\"alias\":\"JARVICE browser\",\"description\":\"\",\"providerId\":\"basic-flow\",\"builtIn\":false,\"topLevel\":true}" || return 0 + echo 
"Creating JARVICE browser Authentication flow" + keycloak_post "authentication/flows/JARVICE%20browser/executions/execution" "{\"provider\":\"auth-cookie\"}" + keycloak_post "authentication/flows/JARVICE%20browser/executions/execution" "{\"provider\":\"identity-provider-redirector\"}" + keycloak_post "authentication/flows/JARVICE%20browser/executions/flow" "{\"alias\":\"JARVICE browser forms\",\"description\":\"\",\"provider\":\"registration-page-form\",\"type\":\"basic-flow\"}" + keycloak_post "authentication/flows/JARVICE%20browser%20forms/executions/execution" "{\"provider\":\"auth-username-password-form\"}" + keycloak_post "authentication/flows/JARVICE%20browser%20forms/executions/flow" "{\"alias\":\"JARVICE browser Browser\",\"description\":\"\",\"provider\":\"registration-page-form\",\"type\":\"basic-flow\"}" + keycloak_post "authentication/flows/JARVICE%20browser%20forms/executions/flow" "{\"alias\":\"JARVICE browser RBAC\",\"description\":\"\",\"provider\":\"registration-page-form\",\"type\":\"basic-flow\"}" + keycloak_post "authentication/flows/JARVICE%20browser%20Browser/executions/execution" "{\"provider\":\"conditional-user-configured\"}" + keycloak_post "authentication/flows/JARVICE%20browser%20Browser/executions/execution" "{\"provider\":\"auth-otp-form\"}" + keycloak_post "authentication/flows/JARVICE%20browser%20RBAC/executions/flow" "{\"alias\":\"JARVICE RBAC allow\",\"description\":\"\",\"provider\":\"registration-page-form\",\"type\":\"basic-flow\"}" + keycloak_post "authentication/flows/JARVICE%20browser%20RBAC/executions/flow" "{\"alias\":\"JARVICE RBAC deny\",\"description\":\"\",\"provider\":\"registration-page-form\",\"type\":\"basic-flow\"}" + keycloak_post "authentication/flows/JARVICE%20RBAC%20allow/executions/execution" "{\"provider\":\"conditional-user-role\"}" + keycloak_post "authentication/flows/JARVICE%20RBAC%20allow/executions/execution" "{\"provider\":\"allow-access-authenticator\"}" + keycloak_post 
"authentication/flows/JARVICE%20RBAC%20deny/executions/execution" "{\"provider\":\"conditional-user-role\"}" + keycloak_post "authentication/flows/JARVICE%20RBAC%20deny/executions/execution" "{\"provider\":\"deny-access-authenticator\"}" + ids=$(keycloak_get "authentication/flows/JARVICE%20browser/executions") + keycloak_post "authentication/executions/$(echo $ids | jq -r '.[9].id')/config" "{\"alias\":\"jarvice-user allow\",\"config\":{\"condUserRole\":\"jarvice.jarvice-user\"}}" + keycloak_post "authentication/executions/$(echo $ids | jq -r '.[12].id')/config" "{\"alias\":\"jarvice-user deny\",\"config\":{\"condUserRole\":\"jarvice.jarvice-user\",\"negate\":\"true\"}}" + keycloak_put "authentication/flows/JARVICE%20browser/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[0].id')\",\"requirement\":\"ALTERNATIVE\",\"displayName\":\"Cookie\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\"],\"configurable\":false,\"providerId\":\"auth-cookie\",\"level\":0,\"index\":0}" + keycloak_put "authentication/flows/JARVICE%20browser/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[1].id')\",\"requirement\":\"ALTERNATIVE\",\"displayName\":\"Identity Provider Redirector\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\"],\"configurable\":true,\"providerId\":\"identity-provider-redirector\",\"level\":0,\"index\":1}" + keycloak_put "authentication/flows/JARVICE%20browser/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[2].id')\",\"requirement\":\"ALTERNATIVE\",\"displayName\":\"JARVICE browser forms\",\"description\":\"\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\",\"CONDITIONAL\"],\"configurable\":false,\"authenticationFlow\":true,\"level\":0,\"index\":2}" + keycloak_put "authentication/flows/JARVICE%20browser/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[4].id')\",\"requirement\":\"CONDITIONAL\",\"displayName\":\"JARVICE browser 
Browser\",\"description\":\"\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\",\"CONDITIONAL\"],\"configurable\":false,\"authenticationFlow\":true,\"level\":1,\"index\":1}" + keycloak_put "authentication/flows/JARVICE%20browser/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[5].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Condition - user configured\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":false,\"providerId\":\"conditional-user-configured\",\"level\":2,\"index\":0}" + keycloak_put "authentication/flows/JARVICE%20browser/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[6].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"OTP Form\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\"],\"configurable\":false,\"providerId\":\"auth-otp-form\",\"level\":2,\"index\":1}" + keycloak_put "authentication/flows/JARVICE%20browser/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[7].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"JARVICE browser RBAC\",\"description\":\"\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\",\"CONDITIONAL\"],\"configurable\":false,\"authenticationFlow\":true,\"level\":1,\"index\":2}" + keycloak_put "authentication/flows/JARVICE%20browser/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[8].id')\",\"requirement\":\"CONDITIONAL\",\"displayName\":\"JARVICE RBAC allow\",\"description\":\"\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\",\"CONDITIONAL\"],\"configurable\":false,\"authenticationFlow\":true,\"level\":2,\"index\":0}" + keycloak_put "authentication/flows/JARVICE%20browser/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[9].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Condition - user role\",\"alias\":\"jarvice-user allow\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":true,\"providerId\":\"conditional-user-role\",\"level\":3,\"index\":0}" + keycloak_put 
"authentication/flows/JARVICE%20browser/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[10].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Allow access\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":false,\"providerId\":\"allow-access-authenticator\",\"level\":3,\"index\":1}" + keycloak_put "authentication/flows/JARVICE%20browser/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[11].id')\",\"requirement\":\"CONDITIONAL\",\"displayName\":\"JARVICE RBAC deny\",\"description\":\"\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\",\"CONDITIONAL\"],\"configurable\":false,\"authenticationFlow\":true,\"level\":2,\"index\":1}" + keycloak_put "authentication/flows/JARVICE%20browser/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[12].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Condition - user role\",\"alias\":\"jarvice-user deny\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":true,\"providerId\":\"conditional-user-role\",\"level\":3,\"index\":0}" + keycloak_put "authentication/flows/JARVICE%20browser/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[13].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Deny access\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":true,\"providerId\":\"deny-access-authenticator\",\"level\":3,\"index\":1}" +} + +create_auth_deny () { + keycloak_post "authentication/flows" "{\"alias\":\"JARVICE deny\",\"description\":\"\",\"providerId\":\"basic-flow\",\"builtIn\":false,\"topLevel\":true}" || return 0 + echo "Creating JARVICE deny Authentication flow" + keycloak_post "authentication/flows/JARVICE%20deny/executions/execution" "{\"provider\":\"deny-access-authenticator\"}" + ids=$(keycloak_get "authentication/flows/JARVICE%20deny/executions") + keycloak_put "authentication/flows/JARVICE%20deny/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[0].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Deny 
access\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":true,\"providerId\":\"deny-access-authenticator\",\"level\":0,\"index\":0}" +} + +create_auth_cookie () { + keycloak_post "authentication/flows" "{\"alias\":\"JARVICE jarvice-sysadmin Cookie\",\"description\":\"\",\"providerId\":\"basic-flow\",\"builtIn\":false,\"topLevel\":true}" || return 0 + echo "Creating JARVICE jarvice-sysadmin Cookie Authentication flow" + keycloak_post "authentication/flows/JARVICE%20jarvice-sysadmin%20Cookie/executions/flow" "{\"alias\":\"jarvice-sysadmin Cookie RBAC\",\"description\":\"\",\"provider\":\"registration-page-form\",\"type\":\"basic-flow\"}" + keycloak_post "authentication/flows/JARVICE%20jarvice-sysadmin%20Cookie/executions/flow" "{\"alias\":\"jarvice-sysadmin Cookie deny\",\"description\":\"\",\"provider\":\"registration-page-form\",\"type\":\"basic-flow\"}" + keycloak_post "authentication/flows/jarvice-sysadmin%20Cookie%20RBAC/executions/execution" "{\"provider\":\"auth-cookie\"}" + keycloak_post "authentication/flows/jarvice-sysadmin%20Cookie%20RBAC/executions/flow" "{\"alias\":\"jarvice-sysadmin Cookie RBAC allow\",\"description\":\"\",\"provider\":\"registration-page-form\",\"type\":\"basic-flow\"}" + keycloak_post "authentication/flows/jarvice-sysadmin%20Cookie%20RBAC/executions/flow" "{\"alias\":\"jarvice-sysadmin Cookie RBAC deny\",\"description\":\"\",\"provider\":\"registration-page-form\",\"type\":\"basic-flow\"}" + keycloak_post "authentication/flows/jarvice-sysadmin%20Cookie%20RBAC%20allow/executions/execution" "{\"provider\":\"conditional-user-role\"}" + keycloak_post "authentication/flows/jarvice-sysadmin%20Cookie%20RBAC%20allow/executions/execution" "{\"provider\":\"allow-access-authenticator\"}" + keycloak_post "authentication/flows/jarvice-sysadmin%20Cookie%20RBAC%20deny/executions/execution" "{\"provider\":\"conditional-user-role\"}" + keycloak_post "authentication/flows/jarvice-sysadmin%20Cookie%20RBAC%20deny/executions/execution" 
"{\"provider\":\"deny-access-authenticator\"}" + keycloak_post "authentication/flows/jarvice-sysadmin%20Cookie%20deny/executions/execution" "{\"provider\":\"deny-access-authenticator\"}" + ids=$(keycloak_get "authentication/flows/JARVICE%20jarvice-sysadmin%20Cookie/executions") + keycloak_post "authentication/executions/$(echo $ids | jq -r '.[3].id')/config" "{\"alias\":\"jarvice-sysadmin allow\",\"config\":{\"condUserRole\":\"jarvice.jarvice-sysadmin\"}}" + keycloak_post "authentication/executions/$(echo $ids | jq -r '.[6].id')/config" "{\"alias\":\"jarvice-sysadmin deny\",\"config\":{\"condUserRole\":\"jarvice.jarvice-sysadmin\",\"negate\":\"true\"}}" + keycloak_put "authentication/flows/JARVICE%20jarvice-sysadmin%20Cookie/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[0].id')\",\"requirement\":\"ALTERNATIVE\",\"displayName\":\"jarvice-sysadmin Cookie RBAC\",\"description\":\"\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\",\"CONDITIONAL\"],\"configurable\":false,\"authenticationFlow\":true,\"level\":0,\"index\":0}" + keycloak_put "authentication/flows/JARVICE%20jarvice-sysadmin%20Cookie/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[1].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Cookie\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\"],\"configurable\":false,\"providerId\":\"auth-cookie\",\"level\":1,\"index\":0}" + keycloak_put "authentication/flows/JARVICE%20jarvice-sysadmin%20Cookie/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[2].id')\",\"requirement\":\"CONDITIONAL\",\"displayName\":\"jarvice-sysadmin Cookie RBAC allow\",\"description\":\"\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\",\"CONDITIONAL\"],\"configurable\":false,\"authenticationFlow\":true,\"level\":1,\"index\":1}" + keycloak_put "authentication/flows/JARVICE%20jarvice-sysadmin%20Cookie/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[3].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Condition - user 
role\",\"alias\":\"jarvice-sysadmin allow\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":true,\"providerId\":\"conditional-user-role\",\"level\":2,\"index\":0}" + keycloak_put "authentication/flows/JARVICE%20jarvice-sysadmin%20Cookie/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[4].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Allow access\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":false,\"providerId\":\"allow-access-authenticator\",\"level\":2,\"index\":1}" + keycloak_put "authentication/flows/JARVICE%20jarvice-sysadmin%20Cookie/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[5].id')\",\"requirement\":\"CONDITIONAL\",\"displayName\":\"jarvice-sysadmin Cookie RBAC deny\",\"description\":\"\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\",\"CONDITIONAL\"],\"configurable\":false,\"authenticationFlow\":true,\"level\":1,\"index\":2}" + keycloak_put "authentication/flows/JARVICE%20jarvice-sysadmin%20Cookie/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[6].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Condition - user role\",\"alias\":\"jarvice-sysadmin deny\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":true,\"providerId\":\"conditional-user-role\",\"level\":2,\"index\":0}" + keycloak_put "authentication/flows/JARVICE%20jarvice-sysadmin%20Cookie/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[7].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Deny access\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":true,\"providerId\":\"deny-access-authenticator\",\"level\":2,\"index\":1}" + keycloak_put "authentication/flows/JARVICE%20jarvice-sysadmin%20Cookie/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[8].id')\",\"requirement\":\"ALTERNATIVE\",\"displayName\":\"jarvice-sysadmin Cookie 
deny\",\"description\":\"\",\"requirementChoices\":[\"REQUIRED\",\"ALTERNATIVE\",\"DISABLED\",\"CONDITIONAL\"],\"configurable\":false,\"authenticationFlow\":true,\"level\":0,\"index\":1}" + keycloak_put "authentication/flows/JARVICE%20jarvice-sysadmin%20Cookie/executions" \ + "{\"id\":\"$(echo $ids | jq -r '.[9].id')\",\"requirement\":\"REQUIRED\",\"displayName\":\"Deny access\",\"requirementChoices\":[\"REQUIRED\",\"DISABLED\"],\"configurable\":true,\"providerId\":\"deny-access-authenticator\",\"level\":1,\"index\":0}" +} + +set_jarvice_auth_flow () { + echo "Setting jarvice client Authentication flow to JARVICE browser" + browser_id=$(keycloak_get "authentication/flows" | jq -r '.[] | select(.alias=="JARVICE browser") | .id') + jarvice_client=$(keycloak_get "clients?clientId=jarvice") + client_id=$(echo $jarvice_client | jq -r .[].id) + keycloak_put "clients/$client_id" "$(echo $jarvice_client | jq --arg id "$browser_id" '.[] | .authenticationFlowBindingOverrides.browser = $id')" +} + +while [[ "$(curl -s -o /dev/null -m 3 -L -w ''%{http_code}'' ${KEYCLOAK_URL}/realms/master)" != "200" ]]; do + echo "Waiting for keycloak" && sleep 30 +done + +create_client +client_id=$(keycloak_get "clients?clientId=jarvice" | jq -r .[].id) +create_client_roles "$client_id" +create_auth_broker +create_auth_jarvice_user_rbac +create_browser +create_auth_deny +create_auth_cookie +set_jarvice_auth_flow diff --git a/files/keycloak-config/client/jarvice_client.json b/files/keycloak-config/client/jarvice_client.json new file mode 100644 index 00000000..a5652fe9 --- /dev/null +++ b/files/keycloak-config/client/jarvice_client.json 
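Review bot: `set -e` on the first line does not cover pipelines, so when the token request in get_token fails, curl's `--fail` status is replaced by jq's, `token` becomes the literal string `null`, and every later keycloak_get/keycloak_post/keycloak_put call runs with `Authorization: Bearer null` instead of aborting; the same masking hits `client_id=$(keycloak_get "clients?clientId=jarvice" | jq -r .[].id)` near the end, where an empty id turns the role POSTs into `clients//roles` and their `|| return 0` hides that as well. Change the first line to `set -eo pipefail`, and consider `set -u` so an unset KEYCLOAK_URL or JARVICE_KEYCLOAK_PASSWD fails fast. In get_token the admin password is passed as a curl argument, which makes it readable from the process list of anything sharing the pod's PID namespace; feeding the form fields to `curl -K -` through a here-document keeps it out of argv. The script has no shebang although it is committed as mode 100755 and uses `[[ ]]`, so it presumably relies on the hook invoking it with bash explicitly; the readiness loop at the bottom also has no upper bound, so an unreachable Keycloak keeps the hook Job running until whatever deadline the Job spec sets, which this hunk does not show.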
@@ -0,0 +1,102 @@ +{ + "clientId": "jarvice", + "name": "", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "https://${JARVICE_BIRD_INGRESSHOST}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": true, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "https://${JARVICE_BIRD_INGRESSHOST}/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "client.secret.creation.time": "1715982162", + "post.logout.redirect.uris": "+", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "use.refresh.tokens": "true", + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "backchannel.logout.url": "https://${JARVICE_BIRD_INGRESSHOST}/portal/kc-logout", + "client_credentials.use_refresh_token": "false", + "acr.loa.map": "{}", + "require.pushed.authorization.requests": "false", + "tls.client.certificate.bound.access.tokens": "false", + "display.on.consent.screen": "false", + "token.response.type.bearer.lower-case": "false" + }, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "name": "jarvice-billing-code", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "jarvice-billing-code", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "jarvice_billing_code", + "jsonType.label": "String" + } + }, + { + "name": "jarvice-payer", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + 
"config": { + "userinfo.token.claim": "true", + "user.attribute": "jarvice-payer", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "jarvice_payer", + "jsonType.label": "String" + } + }, + { + "name": "jarvice", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-mapper", + "consentRequired": false, + "config": { + "included.client.audience": "jarvice", + "id.token.claim": "false", + "access.token.claim": "true", + "userinfo.token.claim": "false" + } + } + ], + "defaultClientScopes": [ + "acr", + "address", + "phone", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [], + "access": { + "view": true, + "configure": true, + "manage": true + } +} \ No newline at end of file diff --git a/files/keycloak-config/client/roles/jarvice_kcadmin_role.json b/files/keycloak-config/client/roles/jarvice_kcadmin_role.json new file mode 100644 index 00000000..3585b034 --- /dev/null +++ b/files/keycloak-config/client/roles/jarvice_kcadmin_role.json @@ -0,0 +1,14 @@ +{ + "name": "jarvice-kcadmin", + "description": "", + "composite": true, + "composites": { + "client": { + "jarvice": [ + "jarvice-sysadmin" + ] + } + }, + "clientRole": true, + "attributes": {} +} \ No newline at end of file diff --git a/files/keycloak-config/client/roles/jarvice_sysadmin_role.json b/files/keycloak-config/client/roles/jarvice_sysadmin_role.json new file mode 100644 index 00000000..7f97c23b --- /dev/null +++ b/files/keycloak-config/client/roles/jarvice_sysadmin_role.json 
@@ -0,0 +1,35 @@ +{ + "name": "jarvice-sysadmin", + "description": "", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "realm-admin", + "manage-realm", + "query-realms", + "manage-clients", + "view-users", + "query-clients", + "manage-authorization", + "manage-identity-providers", + "view-authorization", + "manage-events", + "view-clients", + "view-realm", + "query-groups", + "impersonation", + "manage-users", + "query-users", + "view-identity-providers", + "view-events", + "create-client" + ], + "jarvice": [ + "jarvice-user" + ] + } + }, + "clientRole": true, + "attributes": {} +} \ No newline at end of file diff --git a/files/keycloak-config/client/roles/jarvice_user_role.json b/files/keycloak-config/client/roles/jarvice_user_role.json new file mode 100644 index 00000000..0077baa4 --- /dev/null +++ b/files/keycloak-config/client/roles/jarvice_user_role.json @@ -0,0 +1,14 @@ +{ + "name": "jarvice-user", + "description": "", + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account" + ] + } + }, + "clientRole": true, + "attributes": {} +} \ No newline at end of file diff --git a/files/jarvice.json b/files/keycloak-config/realm/jarvice_realm.json similarity index 99% rename from files/jarvice.json rename to files/keycloak-config/realm/jarvice_realm.json index b5833341..75f478cc 100644 --- a/files/jarvice.json +++ b/files/keycloak-config/realm/jarvice_realm.json @@ -381,7 +381,14 @@ "id": "c6044343-be85-4e63-a716-9170ad8db68b", "name": "jarvice-user", "description": "", - "composite": false, + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account" + ] + } + }, "clientRole": true, "containerId": "68b5f1f1-50e3-4076-a09d-25beb6e50897", "attributes": {} 
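Review bot: The `realm-management` composite list under `jarvice-sysadmin` contains `realm-admin`, which in Keycloak is itself the composite of every other realm-management role listed here (`manage-users`, `impersonation`, `manage-clients`, ...), so the remaining eighteen entries are redundant and only obscure how much this role grants. Either keep `realm-admin` alone and document that jarvice-sysadmin is full realm administration, or drop `realm-admin` and keep a deliberately minimal list. Since `jarvice_kcadmin_role.json` in the previous hunk is a composite of `jarvice-sysadmin`, kcadmin inherits the same full-admin scope, including `impersonation`; that deserves a one-line note in values.yaml or the README. Both role files, like jarvice_user_role.json below, end without a trailing newline.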
@@ -659,7 +666,7 @@ "token.response.type.bearer.lower-case": "false" }, "authenticationFlowBindingOverrides": { - "browser": "4159d091-569a-4340-b446-de67f522d9d7" + "browser": "d3e43bfd-8cca-4475-b452-22d2eed6e18e" }, "fullScopeAllowed": false, "nodeReRegistrationTimeout": 0, @@ -770,10 +777,10 @@ "description": "", "rootUrl": "", "adminUrl": "", - "baseUrl": "", + "baseUrl": "https://${JARVICE_BIRD_INGRESSHOST}", "surrogateAuthRequired": false, "enabled": true, - "alwaysDisplayInConsole": false, + "alwaysDisplayInConsole": true, "clientAuthenticatorType": "client-secret", "redirectUris": [ "https://${JARVICE_BIRD_INGRESSHOST}/*" diff --git a/templates/jarvice-helm-hook.yaml b/templates/jarvice-helm-hook.yaml index 9401f0a6..b7d7c01c 100644 --- a/templates/jarvice-helm-hook.yaml +++ b/templates/jarvice-helm-hook.yaml @@ -1,9 +1,24 @@ {{- if (not (eq "downstream" .Values.jarvice.JARVICE_CLUSTER_TYPE)) }} -{{- if .Values.keycloakx.create_realm }} +{{- if .Values.jarvice_bird.create_client }} +apiVersion: v1 +data: +{{- $files := .Files }} + jarvice_client.json: |- +{{ $files.Get "files/keycloak-config/client/jarvice_client.json" | indent 4 }} + jarvice_user_role.json: |- +{{ $files.Get "files/keycloak-config/client/roles/jarvice_user_role.json" | indent 4 }} + jarvice_sysadmin_role.json: |- +{{ $files.Get "files/keycloak-config/client/roles/jarvice_sysadmin_role.json" | indent 4 }} + jarvice_kcadmin_role.json: |- +{{ $files.Get "files/keycloak-config/client/roles/jarvice_kcadmin_role.json" | indent 4 }} +kind: ConfigMap +metadata: + name: jarvice-keycloak-client +--- apiVersion: batch/v1 kind: Job metadata: - name: jarvice-create-keycloak-realm + name: jarvice-create-keycloak-client namespace: {{ .Values.jarvice.JARVICE_SYSTEM_NAMESPACE }} annotations: "helm.sh/hook": post-upgrade,post-install 
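Review bot: The new `jarvice-keycloak-client` ConfigMap has no `namespace:` in its metadata, while the Job that mounts it a few lines down is pinned to `namespace: {{ .Values.jarvice.JARVICE_SYSTEM_NAMESPACE }}`; if that value differs from the release namespace the ConfigMap is created elsewhere and the hook pod never starts, because the volume in the following hunk declares `optional: false`. Add `namespace: {{ .Values.jarvice.JARVICE_SYSTEM_NAMESPACE }}` under the ConfigMap's `metadata:`. The ConfigMap also carries none of the `helm.sh/hook` annotations the Job has, so it is a regular release resource that outlives the hook and is rendered whenever `create_client` is true even though only the post-install/post-upgrade Job consumes it; if that is intended, a short template comment saying so would help the next reader. The `keycloakx.create_realm` gate this file used to carry is replaced by `jarvice_bird.create_client`; the diffstat's change to `templates/jarvice-keycloak-realm.yaml` presumably takes over the realm path, but it is not in view here.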
@@ -14,173 +29,66 @@ metadata:
 spec:
 template:
 metadata:
- name: jarvice-create-keycloak-realm
+ name: jarvice-create-keycloak-client
 labels:
 app: jarvice
 spec:
 volumes:
 {{- include "jarvice.rootCertVolume" . | indent 6 }}
+ - name: jarvice-keycloak-client
+ configMap:
+ name: jarvice-keycloak-client
+ optional: false
+ defaultMode: 444
 hostAliases:
 {{- include "jarvice.hostAliases" . | nindent 8 }}
 containers:
- - name: jarvice-create-keycloak-realm
+ - name: jarvice-create-keycloak-client
 volumeMounts:
 {{- include "jarvice.rootCertVolumeMount" . | indent 10 }}
+ - name: jarvice-keycloak-client
+ mountPath: /etc/jarvice/jarvice_client.json
+ subPath: jarvice_client.json
+ readOnly: true
+ - name: jarvice-keycloak-client
+ mountPath: /etc/jarvice/jarvice_user_role.json
+ subPath: jarvice_user_role.json
+ readOnly: true
+ - name: jarvice-keycloak-client
+ mountPath: /etc/jarvice/jarvice_sysadmin_role.json
+ subPath: jarvice_sysadmin_role.json
+ readOnly: true
+ - name: jarvice-keycloak-client
+ mountPath: /etc/jarvice/jarvice_kcadmin_role.json
+ subPath: jarvice_kcadmin_role.json
+ readOnly: true
 env:
- - name: JARVICE_BIRD_URL
-{{- if (not (eq "/" .Values.jarvice_bird.ingressPath)) }}
- value: "{{ trimSuffix "/" .Values.jarvice_bird.ingressHost }}{{ .Values.jarvice_bird.ingressPath }}"
-{{- else }}
- value: "{{ trimSuffix "/" .Values.jarvice_bird.ingressHost }}"
-{{- end }}
- - name: JARVICE_PORTAL_URL
- value: "{{ .Values.jarvice_mc_portal.ingressHost }}{{ .Values.jarvice_bird.ingressPath }}"
- - name: JARVICE_KEYCLOAK_REALM
+ - name: JARVICE_SYSTEM_NAMESPACE
+ value: "{{ .Release.Namespace }}"
+ - name: KEYCLOAK_URL
+ value: "{{ .Values.jarvice_bird.env.KEYCLOAK_URL }}"
+ - name: KEYCLOAK_REALM
 value: "{{ .Values.jarvice_bird.env.KEYCLOAK_REALM }}"
- - name: JARVICE_REALM_ADMIN
- value: {{ .Values.keycloakx.env.JARVICE_REALM_ADMIN }}
- - name: JARVICE_REALM_ADMIN_PASSWD
- value: {{ .Values.keycloakx.env.JARVICE_REALM_ADMIN_PASSWD }}
 - name: JARVICE_KEYCLOAK_USER
- value: {{ .Values.keycloakx.env.JARVICE_KEYCLOAK_ADMIN }} + value: "{{ .Values.jarvice_bird.env.JARVICE_KEYCLOAK_ADMIN_USER }}" - name: JARVICE_KEYCLOAK_PASSWD - value: {{ .Values.keycloakx.env.JARVICE_KEYCLOAK_ADMIN_PASSWD }} - {{- if .Values.jarvice_dal.env.JARVICE_ROOT_USER_CREATE }} - {{- if (not (empty .Values.jarvice_dal.env.JARVICE_ROOT_USER_PASSWD)) }} - - name: JARVICE_ROOT_USER_PASSWD - value: {{ .Values.jarvice_dal.env.JARVICE_ROOT_USER_PASSWD }} - {{- else }} - {{- required "***** !!!!! JARVICE root password required. Please provide a value for jarvice_dal.env.JARVICE_ROOT_USER_PASSWD. !!!!! *****" .Values.jarvice_dal.env.JARVICE_ROOT_USER_PASSWD }} - {{- end }} - {{- end }} - - name: KEYCLOAK_URL - value: "{{ .Values.jarvice_bird.env.KEYCLOAK_URL }}" - - name: KEYCLOAK_RESET_PASSWORD_ALLOWED - value: "{{ .Values.keycloakx.login.KEYCLOAK_RESET_PASSWORD_ALLOWED }}" - - name: KEYCLOAK_REMEMBER_ME - value: "{{ .Values.keycloakx.login.KEYCLOAK_REMEMBER_ME }}" - {{- if (not (empty .Values.keycloakx.smtpServer.KEYCLOAK_SMTP_FROM)) }} - - name: KEYCLOAK_SMTP_FROM - value: "{{ .Values.keycloakx.smtpServer.KEYCLOAK_SMTP_FROM }}" - {{- end }} - {{- if (not (empty .Values.keycloakx.smtpServer.KEYCLOAK_SMTP_HOST)) }} - - name: KEYCLOAK_SMTP_HOST - value: "{{ .Values.keycloakx.smtpServer.KEYCLOAK_SMTP_HOST }}" - {{- end }} - {{- if (not (empty .Values.keycloakx.smtpServer.KEYCLOAK_SMTP_PORT)) }} - - name: KEYCLOAK_SMTP_PORT - value: "{{ .Values.keycloakx.smtpServer.KEYCLOAK_SMTP_PORT }}" - {{- end }} - {{- if (not (empty .Values.keycloakx.smtpServer.KEYCLOAK_SMTP_START_TLS)) }} - - name: KEYCLOAK_SMTP_START_TLS - value: "{{ .Values.keycloakx.smtpServer.KEYCLOAK_SMTP_START_TLS }}" - {{- end }} - {{- if (not (empty .Values.keycloakx.smtpServer.KEYCLOAK_SMTP_AUTH)) }} - - name: KEYCLOAK_SMTP_AUTH - value: "{{ .Values.keycloakx.smtpServer.KEYCLOAK_SMTP_AUTH }}" - {{- end }} - {{- if (not (empty .Values.keycloakx.smtpServer.KEYCLOAK_SMTP_USER)) }} - - name: 
KEYCLOAK_SMTP_USER - value: "{{ .Values.keycloakx.smtpServer.KEYCLOAK_SMTP_USER }}" - {{- end }} - {{- if (not (empty .Values.keycloakx.smtpServer.KEYCLOAK_SMTP_PASSWORD)) }} - - name: KEYCLOAK_SMTP_PASSWORD - value: "{{ .Values.keycloakx.smtpServer.KEYCLOAK_SMTP_PASSWORD }}" - {{- end }} - image: "{{ .Values.keycloakx.helm_hook.image }}" - imagePullPolicy: "IfNotPresent" + value: "{{ .Values.jarvice_bird.env.JARVICE_KEYCLOAK_ADMIN_PASS }}" + - name: JARVICE_BIRD_INGRESSHOST + value: "{{ .Values.jarvice_bird.ingressHost }}" + image: "{{ .Values.jarvice_helm_hook.image }}" + imagePullPolicy: IfNotPresent command: - /bin/sh - -c - - > - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && while [[ "$(curl -s -o /dev/null -m 3 -L -w ''%{http_code}'' ${KEYCLOAK_URL}/realms/master)" != "200" ]]; do echo "Waiting for keycloak" && sleep 30; done; - sleep 30; - [ "$(curl -s -o /dev/null -m 3 -L -w ''%{http_code}'' ${KEYCLOAK_URL}/realms/$JARVICE_KEYCLOAK_REALM)" == "200" ] && SKIP_CREATE="true"; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && token=$(curl -s "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=$JARVICE_KEYCLOAK_USER" --data-urlencode "password=$JARVICE_KEYCLOAK_PASSWD" --data-urlencode "grant_type=password" --data-urlencode "client_id=admin-cli" | jq -r .access_token); - sleep 5; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && [ ! -z "$SKIP_CREATE" ] || echo "Creating $JARVICE_KEYCLOAK_REALM realm"; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && [ ! -z "$SKIP_CREATE" ] || curl -s -o /dev/null -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms" --data-raw "{\"enabled\": true,\"id\":\"$JARVICE_KEYCLOAK_REALM\", \"realm\":\"$JARVICE_KEYCLOAK_REALM\"}"; - [ ! 
-z "$JARVICE_KEYCLOAK_USER" ] && token=$(curl -s "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=$JARVICE_KEYCLOAK_USER" --data-urlencode "password=$JARVICE_KEYCLOAK_PASSWD" --data-urlencode "grant_type=password" --data-urlencode "client_id=admin-cli" | jq -r .access_token); - sleep 5; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && [ $(curl -s -H "Authorization: Bearer $token" ${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients?clientId=jarvice | jq -r '.[0].clientId') == "jarvice" ] && exit 0; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && echo "Creating jarvice client"; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients" --data-raw "{\"enabled\": true,\"attributes\": {},\"redirectUris\": [],\"clientId\": \"jarvice\",\"protocol\": \"openid-connect\"}"; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/roles" --data-raw "{\"name\": \"jarvice_admin\"}"; - sleep 30; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && token=$(curl -s "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=$JARVICE_KEYCLOAK_USER" --data-urlencode "password=$JARVICE_KEYCLOAK_PASSWD" --data-urlencode "grant_type=password" --data-urlencode "client_id=admin-cli" | jq -r .access_token); - sleep 5; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && [ $(curl -s -H "Authorization: Bearer $token" ${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients?clientId=jarvice | jq -r '.[0].clientId') == "jarvice" ] || exit 1; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && echo "Creating jarvice_admin role"; - [ ! 
-z "$JARVICE_KEYCLOAK_USER" ] && token=$(curl -s "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=$JARVICE_KEYCLOAK_USER" --data-urlencode "password=$JARVICE_KEYCLOAK_PASSWD" --data-urlencode "grant_type=password" --data-urlencode "client_id=admin-cli" | jq -r .access_token); - sleep 5; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && management_roles_id=$(curl -s -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients" | jq -r '.[] | select(.clientId=="realm-management") | .id'); - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && my_roles=$(curl -s -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${management_roles_id}/roles" | jq -c); - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && jxe_role_id=$(curl -s -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/roles/jarvice_admin" | jq -r '.id'); - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/roles-by-id/${jxe_role_id}/composites" --data-raw "${my_roles}" & - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && token=$(curl -s "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=$JARVICE_KEYCLOAK_USER" --data-urlencode "password=$JARVICE_KEYCLOAK_PASSWD" --data-urlencode "grant_type=password" --data-urlencode "client_id=admin-cli" | jq -r .access_token); - sleep 5; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && jxe_client_id=$(curl -s -H "Authorization: Bearer $token" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients" | jq -r '.[] | select(.clientId=="jarvice") | .id'); - [ ! 
-z "$JARVICE_KEYCLOAK_USER" ] && jxe_role_update=$(curl -s -H "Authorization: Bearer $token" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients" | jq -c --arg JARVICE_BIRD_URL "https://$JARVICE_BIRD_URL/*" --arg JARVICE_PORTAL_URL "https://$JARVICE_BIRD_URL/portal/kc-logout" '.[] | select(.clientId=="jarvice") | .attributes."backchannel.logout.url"=$JARVICE_PORTAL_URL | .redirectUris = [$JARVICE_BIRD_URL] | .webOrigins = ["+"]'); - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X PUT -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}" --data-raw "$jxe_role_update" & - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && echo "Setting up jarvice client-scopes"; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && token=$(curl -s "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=$JARVICE_KEYCLOAK_USER" --data-urlencode "password=$JARVICE_KEYCLOAK_PASSWD" --data-urlencode "grant_type=password" --data-urlencode "client_id=admin-cli" | jq -r .access_token); - sleep 5; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && address_id=$(curl -s -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/optional-client-scopes" | jq -r '.[] | select(.name=="address") | .id'); - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && phone_id=$(curl -s -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/optional-client-scopes" | jq -r '.[] | select(.name=="phone") | .id'); - [ ! 
-z "$JARVICE_KEYCLOAK_USER" ] && offline_id=$(curl -s -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/optional-client-scopes" | jq -r '.[] | select(.name=="offline_access") | .id'); - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && microprofile_id=$(curl -s -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/optional-client-scopes" | jq -r '.[] | select(.name=="microprofile-jwt") | .id'); - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && token=$(curl -s "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=$JARVICE_KEYCLOAK_USER" --data-urlencode "password=$JARVICE_KEYCLOAK_PASSWD" --data-urlencode "grant_type=password" --data-urlencode "client_id=admin-cli" | jq -r .access_token); - sleep 5; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X DELETE -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/optional-client-scopes/${address_id}" & - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X DELETE -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/optional-client-scopes/${phone_id}" & - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X DELETE -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/optional-client-scopes/${offline_id}" & - [ ! 
-z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X DELETE -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/optional-client-scopes/${microprofile_id}" & - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && token=$(curl -s "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=$JARVICE_KEYCLOAK_USER" --data-urlencode "password=$JARVICE_KEYCLOAK_PASSWD" --data-urlencode "grant_type=password" --data-urlencode "client_id=admin-cli" | jq -r .access_token); - sleep 5; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && web_id=$(curl -s -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/default-client-scopes" | jq -r '.[] | select(.name=="web-origins") | .id'); - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && roles_id=$(curl -s -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/default-client-scopes" | jq -r '.[] | select(.name=="roles") | .id'); - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && profile_id=$(curl -s -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/default-client-scopes" | jq -r '.[] | select(.name=="profile") | .id'); - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && email_id=$(curl -s -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/default-client-scopes" | jq -r '.[] | select(.name=="email") | .id'); - [ ! 
-z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X DELETE -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/default-client-scopes/${web_id}" & - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && token=$(curl -s "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=$JARVICE_KEYCLOAK_USER" --data-urlencode "password=$JARVICE_KEYCLOAK_PASSWD" --data-urlencode "grant_type=password" --data-urlencode "client_id=admin-cli" | jq -r .access_token); - sleep 5; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X DELETE -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/default-client-scopes/${roles_id}" & - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X DELETE -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/default-client-scopes/${profile_id}" & - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X DELETE -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/default-client-scopes/${email_id}" & - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && token=$(curl -s "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=$JARVICE_KEYCLOAK_USER" --data-urlencode "password=$JARVICE_KEYCLOAK_PASSWD" --data-urlencode "grant_type=password" --data-urlencode "client_id=admin-cli" | jq -r .access_token); - sleep 5; - [ ! 
-z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X PUT -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/default-client-scopes/${address_id}" & - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X PUT -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/default-client-scopes/${email_id}" & - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X PUT -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/default-client-scopes/${phone_id}" & - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X PUT -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/default-client-scopes/${profile_id}" & - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X PUT -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/clients/${jxe_client_id}/default-client-scopes/${roles_id}" & - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && echo "Changing realm login theme to eviden"; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && token=$(curl -s "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=$JARVICE_KEYCLOAK_USER" --data-urlencode "password=$JARVICE_KEYCLOAK_PASSWD" --data-urlencode "grant_type=password" --data-urlencode "client_id=admin-cli" | jq -r .access_token); - sleep 5; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && default_role_id=$(curl -s -H "Authorization: Bearer $token" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM" | jq -r '.defaultRole.id'); - [ ! 
-z "$JARVICE_KEYCLOAK_USER" ] && roles=$(curl -s -H "Authorization: Bearer $token" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/roles-by-id/$default_role_id/composites" | jq); - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -H "Authorization: Bearer $token" -H "Content-Type: application/json" -d "$roles" -X DELETE "$KEYCLOAK_URL/admin/realms/$JARVICE_KEYCLOAK_REALM/roles-by-id/$default_role_id/composites"; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && token=$(curl -s "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=$JARVICE_KEYCLOAK_USER" --data-urlencode "password=$JARVICE_KEYCLOAK_PASSWD" --data-urlencode "grant_type=password" --data-urlencode "client_id=admin-cli" | jq -r .access_token); - sleep 5; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && realm_settings=$(curl -s -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM" | jq --arg rememberMe "$KEYCLOAK_REMEMBER_ME" --arg resetPasswordAllowed "$KEYCLOAK_RESET_PASSWORD_ALLOWED" --arg from "$KEYCLOAK_SMTP_FROM" --arg host "$KEYCLOAK_SMTP_HOST" --arg port "$KEYCLOAK_SMTP_PORT" --arg starttls "$KEYCLOAK_SMTP_START_TLS" --arg auth "$KEYCLOAK_SMTP_AUTH" --arg user "$KEYCLOAK_SMTP_USER" --arg password "$KEYCLOAK_SMTP_PASSWORD" '.smtpServer = { "from": $from, "host": $host, "port": $port, "starttls": $starttls, "auth": $auth, "user": $user, "password": $password} | .rememberMe = $rememberMe | .resetPasswordAllowed = $resetPasswordAllowed | .loginTheme = "eviden"' ); - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -X PUT -d "$realm_settings" -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM"; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && echo "Creating $JARVICE_KEYCLOAK_REALM realm admin user"; - [ ! 
-z "$JARVICE_KEYCLOAK_USER" ] && token=$(curl -s "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=$JARVICE_KEYCLOAK_USER" --data-urlencode "password=$JARVICE_KEYCLOAK_PASSWD" --data-urlencode "grant_type=password" --data-urlencode "client_id=admin-cli" | jq -r .access_token); - sleep 5; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && role_id=$(curl -s -H "Authorization: Bearer $token" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/roles" | jq -r '.[] | select(.name=="jarvice_admin") | .id'); - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/users" -H 'Content-Type: application/json' -H "Authorization: Bearer $token" --data-raw "{ \"username\": \"$JARVICE_REALM_ADMIN\", \"email\": \"admin@localhost\", \"enabled\": true, \"realmRoles\": [ \"jarvice_admin\" ],\"credentials\": [ { \"type\": \"password\", \"value\": \"$JARVICE_REALM_ADMIN_PASSWD\", \"temporary\": false} ], \"firstName\": \"JXE\", \"lastName\": \"realm admin\"}"; - sleep 5; - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && user_id=$(curl -s -H "Authorization: Bearer $token" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/users" | jq -r --arg USER "$JARVICE_REALM_ADMIN" '.[] | select(.username==$USER) | .id'); - [ ! -z "$JARVICE_KEYCLOAK_USER" ] && curl -s -o /dev/null -H "Authorization: Bearer $token" -H "Content-Type: application/json" "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/users/$user_id/role-mappings/realm" --data-raw "[{\"id\": \"$role_id\", \"name\":\"jarvice_admin\"}]"; - sleep 5; - [ ! -z "$JARVICE_ROOT_USER_PASSWD" ] && echo "Creating JARVICE root user"; - [ ! 
-z "$JARVICE_ROOT_USER_PASSWD" ] && token=$(curl -s "${KEYCLOAK_URL}/realms/$JARVICE_KEYCLOAK_REALM/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=$JARVICE_REALM_ADMIN" --data-urlencode "password=$JARVICE_REALM_ADMIN_PASSWD" --data-urlencode "grant_type=password" --data-urlencode "client_id=admin-cli" | jq -r .access_token);
- sleep 5;
- [ ! -z "$JARVICE_ROOT_USER_PASSWD" ] && curl -s "${KEYCLOAK_URL}/admin/realms/$JARVICE_KEYCLOAK_REALM/users" -H 'Content-Type: application/json' -H "Authorization: Bearer $token" --data-raw "{ \"username\": \"root\", \"email\": \"root@localhost\", \"enabled\": true, \"credentials\": [ { \"type\": \"password\", \"value\": \"$JARVICE_ROOT_USER_PASSWD\", \"temporary\": false} ], \"firstName\": \"JXE\", \"lastName\": \"root user\"}";
+ - |
+ {{- range $line := splitList "\n" (.Files.Get "files/jarvice-create-keycloak-client.sh") }}
+ {{ . | indent 4 }}
+ {{- end }}
 restartPolicy: OnFailure
 {{- if (not (empty .Values.jarvice.tolerations)) }}
 tolerations: {{ .Values.jarvice.tolerations }}
 {{- end }}
+ serviceAccountName: jarvice-system
 {{- end }}
 {{- if .Values.jarvice_bird.enabled }}
 ---
@@ -205,7 +113,7 @@ spec:
 volumes:
 {{- include "jarvice.rootCertVolume" . | indent 6 }}
 hostAliases:
- {{- include "jarvice.hostAliases" . | indent 8 }}
+ {{- include "jarvice.hostAliases" . | nindent 8 }}
 containers:
 - name: jarvice-get-keycloak-realm-public-key
 volumeMounts:
@@ -217,7 +125,7 @@ spec:
 value: "{{ .Values.jarvice_bird.env.KEYCLOAK_URL }}"
 - name: KEYCLOAK_REALM
 value: "{{ .Values.jarvice_bird.env.KEYCLOAK_REALM }}"
- image: "us-docker.pkg.dev/jarvice/images/jarvice-kubectl:v1.28.2-kc"
+ image: "{{ .Values.jarvice_helm_hook.image }}"
 imagePullPolicy: "IfNotPresent"
 command:
 - /bin/sh
diff --git a/templates/jarvice-keycloak-realm.yaml b/templates/jarvice-keycloak-realm.yaml
index a822dbd7..dd967361 100644
--- a/templates/jarvice-keycloak-realm.yaml
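Review bot: `defaultMode: 444` on the new `jarvice-keycloak-client` volume is decimal 444, which Kubernetes applies as mode 0674 (group-writable), not the read-only 0444 the value is evidently meant to be; write `defaultMode: 0444` (or the decimal 292). The Keycloak admin password is still injected as a literal `value:` taken from values.yaml, so it is visible in the rendered template, the Helm release secret and `kubectl get job -o yaml`; since this env block is rewritten anyway, it is the moment to source `JARVICE_KEYCLOAK_USER`/`JARVICE_KEYCLOAK_PASSWD` from a Secret via `valueFrom.secretKeyRef`. The template also reads `.Values.jarvice_bird.env.JARVICE_KEYCLOAK_ADMIN_USER` and `JARVICE_KEYCLOAK_ADMIN_PASS`, which the values.yaml hunks of this commit do not add; if they are not defined elsewhere they render as empty strings and the script's token request only fails at hook runtime, whereas `{{ required "..." .Values.jarvice_bird.env.JARVICE_KEYCLOAK_ADMIN_PASS }}` fails at install time with a readable message. Finally, `serviceAccountName: jarvice-system` hands the hook pod that account's API token, yet as far as the mounted script shows it only talks to the Keycloak REST API with curl; either set `automountServiceAccountToken: false` or add a comment stating what the account is needed for. This hunk is the body of the Job template; its enclosing `{{- if }}` guards begin in the previous hunk.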
+++ b/templates/jarvice-keycloak-realm.yaml
@@ -12,7 +12,7 @@ metadata:
 labels:
 app: jarvice
 data:
- jarvice.json: |
-{{ .Files.Get "files/jarvice.json" | indent 4 }}
+ jarvice_realm.json: |
+{{ .Files.Get "files/keycloak-config/realm/jarvice_realm.json" | indent 4 }}
 {{- end }}
 {{- end }}
diff --git a/values.yaml b/values.yaml
index 310f5fc3..ce2fc428 100755
--- a/values.yaml
+++ b/values.yaml
@@ -1172,6 +1172,7 @@ jarvice_mc_portal: # N/A if jarvice.JARVICE_CLUSTER_TYPE: "downstream"
 jarvice_bird: # N/A if jarvice.JARVICE_CLUSTER_TYPE: "downstream"
 enabled: false
+ create_client: false
 replicaCount: 1
 replicaCountMax: 1 # HorizontalPodAutoscaler is enabled when replicaCountMax > replicaCount
@@ -1352,9 +1353,11 @@ jarvice_hyperhub: # N/A if jarvice.JARVICE_CLUSTER_TYPE: "downstream"
 successThreshold: 1
 failureThreshold: 3
+jarvice_helm_hook:
+ image: us-docker.pkg.dev/jarvice/images/jarvice-kubectl:v1.28.2-envsubst
+
 keycloakx:
 enabled: false
- create_realm: false
 helm_hook:
 image: us-docker.pkg.dev/jarvice/images/alpine-k8s:1.21.13
 login:
@@ -1476,8 +1479,8 @@ keycloakx:
 name: jarvice-keycloak-realm-config
 extraVolumeMounts: |
 - name: jarvice-keycloak-realm-config
- mountPath: /opt/keycloak/data/import/jarvice.json
- subPath: jarvice.json
+ mountPath: /opt/keycloak/data/import/jarvice_realm.json
+ subPath: jarvice_realm.json
 dbchecker:
 enabled: true
 database:
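Review bot: `create_client: false` is added with no comment, so an operator reading values.yaml cannot tell that enabling it runs a post-install/post-upgrade Job that logs in to Keycloak as an admin and creates the `jarvice` client and its roles, nor which keys it depends on; suggest `# create the "jarvice" OIDC client and its roles in the Keycloak realm via a helm hook Job (requires env.KEYCLOAK_URL, env.KEYCLOAK_REALM and the Keycloak admin credentials)` above it. The same hunk set silently drops `keycloakx.create_realm`; existing user values files that still set it will be accepted and ignored, so the removal deserves a line in the chart's changelog or NOTES. In the `-1352` hunk the new `jarvice_helm_hook.image` is referenced by a mutable tag; because that image runs with Keycloak admin credentials, pinning it by digest (`@sha256:<digest>`) would make what the hook executes immutable across installs.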