From 893dcc8e11e23c3441806824b606a98954afda27 Mon Sep 17 00:00:00 2001 From: Carles Arnal Date: Thu, 30 Jan 2025 19:53:01 +0100 Subject: [PATCH] Add tls verification configuration --- .../operator/EnvironmentVariables.java | 8 +- .../apicurio/registry/operator/feat/Auth.java | 30 +- .../registry/operator/feat/AuthTLS.java | 29 +- .../registry/operator/utils/Utils.java | 29 + .../apicurio/registry/operator/it/ITBase.java | 43 +- .../registry/operator/it/KeycloakITTest.java | 10 +- .../operator/it/KeycloakTLSITTest.java | 98 + .../registry/operator/unit/CorsTest.java | 2 +- .../resources/k8s/examples/auth/keycloak.yaml | 56 +- ...imple-with_keycloak.apicurioregistry3.yaml | 8 +- .../k8s/examples/auth/tls/keycloak.yaml | 3244 ----------------- ...imple-with_keycloak.apicurioregistry3.yaml | 31 + .../api/v1/spec/auth/AppAuthSpec.java | 18 +- .../api/v1/spec/auth/AuthTLSSpec.java | 13 +- 14 files changed, 278 insertions(+), 3341 deletions(-) create mode 100644 operator/controller/src/test/java/io/apicurio/registry/operator/it/KeycloakTLSITTest.java delete mode 100644 operator/controller/src/test/resources/k8s/examples/auth/tls/keycloak.yaml create mode 100644 operator/controller/src/test/resources/k8s/examples/auth/tls/simple-with_keycloak.apicurioregistry3.yaml diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/EnvironmentVariables.java b/operator/controller/src/main/java/io/apicurio/registry/operator/EnvironmentVariables.java index 9141e7cf7f..d48779eabb 100644 --- a/operator/controller/src/main/java/io/apicurio/registry/operator/EnvironmentVariables.java +++ b/operator/controller/src/main/java/io/apicurio/registry/operator/EnvironmentVariables.java 
@@ -31,11 +31,9 @@ public class EnvironmentVariables { public static final String APICURIO_UI_AUTH_OIDC_LOGOUT_URL = "APICURIO_UI_AUTH_OIDC_LOGOUT_URL"; public static final String APICURIO_REGISTRY_AUTH_SERVER_URL = "QUARKUS_OIDC_AUTH_SERVER_URL"; public static final String OIDC_TLS_VERIFICATION = "QUARKUS_OIDC_TLS_VERIFICATION"; - public static final String OIDC_TLS_KEYSTORE_TYPE = "QUARKUS_OIDC_TLS_KEY_STORE_FILE_TYPE"; - public static final String OIDC_TLS_KEYSTORE_LOCATION = "QUARKUS_OIDC_TLS_KEY_STORE_LOCATION"; + public static final String OIDC_TLS_KEYSTORE_LOCATION = "QUARKUS_OIDC_TLS_KEY_STORE_FILE"; public static final String OIDC_TLS_KEYSTORE_PASSWORD = "QUARKUS_OIDC_TLS_KEY_STORE_PASSWORD"; - public static final String OIDC_TLS_TRUSTSTORE_TYPE = "QUARKUS_OIDC_TLS_TRUST_STORE_FILE_TYPE"; - public static final String OIDC_TLS_TRUSTSTORE_LOCATION = "QUARKUS_OIDC_TLS_TRUST_STORE_NAME"; - public static final String OIDC_TLS_TRUSTSTORE_PASSWORD = "QUARKUS_OIDC_TLS_TRUST_STORE_PASWORD"; + public static final String OIDC_TLS_TRUSTSTORE_LOCATION = "QUARKUS_OIDC_TLS_TRUST_STORE_FILE"; + public static final String OIDC_TLS_TRUSTSTORE_PASSWORD = "QUARKUS_OIDC_TLS_TRUST_STORE_PASSWORD"; } diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/feat/Auth.java b/operator/controller/src/main/java/io/apicurio/registry/operator/feat/Auth.java index b923108b68..f7f2add59b 100644 --- a/operator/controller/src/main/java/io/apicurio/registry/operator/feat/Auth.java +++ b/operator/controller/src/main/java/io/apicurio/registry/operator/feat/Auth.java 
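Review bot: Removing `OIDC_TLS_KEYSTORE_TYPE` and `OIDC_TLS_TRUSTSTORE_TYPE` deletes the only place the store format was pinned (the AuthTLS hunk used to set both to `PKCS12`), so the Quarkus OIDC client is now left to infer the type from the mounted file name, and the fixture secret's key is `truststore` with no extension. As far as I recall Quarkus picks PKCS12 only for a `.p12`/`.pkcs12`/`.pfx` suffix and otherwise falls back to JKS — please confirm against the Quarkus version in use, because a mismatch only shows up as an opaque handshake failure at registry startup, not at reconcile time. Either reinstate the constants as `public static final String OIDC_TLS_KEYSTORE_TYPE = "QUARKUS_OIDC_TLS_KEY_STORE_FILE_TYPE";` / `public static final String OIDC_TLS_TRUSTSTORE_TYPE = "QUARKUS_OIDC_TLS_TRUST_STORE_FILE_TYPE";` and set them again in AuthTLS, or document on the CRD that the referenced secret key must carry a recognised extension. The `PASWORD` → `PASSWORD` correction is a genuine fix: with the old name the truststore password never reached Quarkus at all.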
@@ -2,14 +2,15 @@ import io.apicurio.registry.operator.EnvironmentVariables; import io.apicurio.registry.operator.api.v1.spec.auth.AppAuthSpec; -import io.apicurio.registry.operator.utils.Utils; import io.fabric8.kubernetes.api.model.EnvVar; -import io.fabric8.kubernetes.api.model.EnvVarBuilder; import io.fabric8.kubernetes.api.model.apps.Deployment; import java.util.Map; import java.util.Optional; +import static io.apicurio.registry.operator.utils.Utils.createEnvVar; +import static io.apicurio.registry.operator.utils.Utils.putIfNotBlank; + /** * Helper class used to handle AUTH related configuration. */ @@ -40,32 +41,7 @@ public static void configureAuth(AppAuthSpec appAuthSpec, Deployment deployment, putIfNotBlank(env, EnvironmentVariables.APICURIO_UI_AUTH_OIDC_LOGOUT_URL, appAuthSpec.getLogoutURL()); putIfNotBlank(env, EnvironmentVariables.APICURIO_REGISTRY_AUTH_SERVER_URL, appAuthSpec.getAuthServerUrl()); - putIfNotBlank(env, EnvironmentVariables.OIDC_TLS_VERIFICATION, appAuthSpec.getTlsVerification()); AuthTLS.configureAuthTLS(appAuthSpec, deployment, env); } - - /** - * Adds an environment variable to the map only if the value is not null or blank. - * - * @param envVars The environment variables map. - * @param name The name of the environment variable. - * @param value The value to be set (ignored if null or blank). - */ - private static void putIfNotBlank(Map envVars, String name, String value) { - if (!Utils.isBlank(value)) { - envVars.put(name, createEnvVar(name, value)); - } - } - - /** - * Creates an environment variable using the given name and value. - * - * @param name The name of the environment variable. - * @param value The value of the environment variable. - * @return An {@link EnvVar} instance with the specified name and value. - */ - private static EnvVar createEnvVar(String name, String value) { - return new EnvVarBuilder().withName(name).withValue(value).build(); - } } 
diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/feat/AuthTLS.java b/operator/controller/src/main/java/io/apicurio/registry/operator/feat/AuthTLS.java index 1df4f8660f..6daf72097a 100644 --- a/operator/controller/src/main/java/io/apicurio/registry/operator/feat/AuthTLS.java +++ b/operator/controller/src/main/java/io/apicurio/registry/operator/feat/AuthTLS.java @@ -1,5 +1,6 @@ package io.apicurio.registry.operator.feat; +import io.apicurio.registry.operator.EnvironmentVariables; import io.apicurio.registry.operator.api.v1.spec.auth.AppAuthSpec; import io.apicurio.registry.operator.api.v1.spec.auth.AuthTLSSpec; import io.apicurio.registry.operator.utils.SecretKeyRefTool; @@ -12,6 +13,7 @@ import static io.apicurio.registry.operator.EnvironmentVariables.*; import static io.apicurio.registry.operator.api.v1.ContainerNames.REGISTRY_APP_CONTAINER_NAME; import static io.apicurio.registry.operator.resource.app.AppDeploymentResource.addEnvVar; +import static io.apicurio.registry.operator.utils.Utils.putIfNotBlank; import static java.util.Optional.ofNullable; public class AuthTLS { @@ -19,9 +21,12 @@ public class AuthTLS { /** * Configure TLS for OIDC authentication */ - public static boolean configureAuthTLS(AppAuthSpec appAuthSpec, Deployment deployment, + public static void configureAuthTLS(AppAuthSpec appAuthSpec, Deployment deployment, Map env) { + putIfNotBlank(env, EnvironmentVariables.OIDC_TLS_VERIFICATION, + appAuthSpec.getTls().getTlsVerificationType()); + // spotless:off var keystore = new SecretKeyRefTool(getAuthTLSSpec(appAuthSpec) .map(AuthTLSSpec::getKeystoreSecretRef) 
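Review bot: `appAuthSpec.getTls().getTlsVerificationType()` dereferences `getTls()` with no null check, while the very next statement hands the same spec to `getAuthTLSSpec(...)` (built on `ofNullable`, judging by the import), i.e. the `tls` block is treated as optional everywhere except here; a CR with `auth.enabled: true` and no `tls` section — the pre-patch shape of `simple-with_keycloak` — will NPE inside reconcile. Route it through the same Optional: `putIfNotBlank(env, OIDC_TLS_VERIFICATION, getAuthTLSSpec(appAuthSpec).map(AuthTLSSpec::getTlsVerificationType).orElse(null));`. The value is also forwarded unvalidated; Quarkus accepts only a small set (`required`, `certificate-validation`, `none` as far as I know) and rejects anything else at application startup, so validating it here, or modelling it as an enum in `AuthTLSSpec` (changed in this patch but not visible), would surface typos as an operator status condition instead of a crash-looping pod. The body of `configureAuthTLS` continues past this hunk.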
@@ -39,27 +44,17 @@ public static boolean configureAuthTLS(AppAuthSpec appAuthSpec, Deployment deplo .map(AuthTLSSpec::getTruststorePasswordSecretRef) .orElse(null), "ca.password"); // spotless:on - - if (truststore.isValid() && truststorePassword.isValid() && keystore.isValid() - && keystorePassword.isValid()) { - - // ===== Keystore - - addEnvVar(env, OIDC_TLS_KEYSTORE_TYPE, "PKCS12"); - keystore.applySecretVolume(deployment, REGISTRY_APP_CONTAINER_NAME); - addEnvVar(env, OIDC_TLS_KEYSTORE_LOCATION, keystore.getSecretVolumeKeyPath()); - keystorePassword.applySecretEnvVar(env, OIDC_TLS_KEYSTORE_PASSWORD); - - // ===== Truststore - - addEnvVar(env, OIDC_TLS_TRUSTSTORE_TYPE, "PKCS12"); + if (truststore.isValid() && truststorePassword.isValid()) { truststore.applySecretVolume(deployment, REGISTRY_APP_CONTAINER_NAME); addEnvVar(env, OIDC_TLS_TRUSTSTORE_LOCATION, truststore.getSecretVolumeKeyPath()); truststorePassword.applySecretEnvVar(env, OIDC_TLS_TRUSTSTORE_PASSWORD); + } - return true; + if (keystore.isValid() && keystorePassword.isValid()) { + keystore.applySecretVolume(deployment, REGISTRY_APP_CONTAINER_NAME); + addEnvVar(env, OIDC_TLS_KEYSTORE_LOCATION, keystore.getSecretVolumeKeyPath()); + keystorePassword.applySecretEnvVar(env, OIDC_TLS_KEYSTORE_PASSWORD); } - return false; } private static Optional getAuthTLSSpec(AppAuthSpec primary) { diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/utils/Utils.java b/operator/controller/src/main/java/io/apicurio/registry/operator/utils/Utils.java index 87a00ca1c2..b0345127fb 100644 --- a/operator/controller/src/main/java/io/apicurio/registry/operator/utils/Utils.java +++ b/operator/controller/src/main/java/io/apicurio/registry/operator/utils/Utils.java @@ -1,5 +1,10 @@ package io.apicurio.registry.operator.utils; +import io.fabric8.kubernetes.api.model.EnvVar; +import io.fabric8.kubernetes.api.model.EnvVarBuilder; + +import java.util.Map; + public class Utils { private Utils() { 
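Review bot: When only one of `truststoreSecretRef` / `truststorePasswordSecretRef` (or the keystore pair) is set, the new split `if` blocks silently skip the store, so the registry comes up with `QUARKUS_OIDC_TLS_VERIFICATION=required` but no truststore and the only symptom is a certificate failure against Keycloak — a misconfiguration that used to be at least visible through the removed boolean return is now invisible. Add an `else` branch that records it, e.g. `} else if (truststore.isValid() || truststorePassword.isValid()) {` / `    log.warn("OIDC truststore is only partially configured (secret ref and password are both required); ignoring it");` / `}` (AuthTLS has no logger visible in this hunk, so one would need to be added), or better, reject it in the CRD validation. Splitting truststore and keystore handling is otherwise the right call: a server-cert truststore should not require a client keystore. The keystore/truststore construction this code relies on starts above the hunk.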
@@ -8,4 +13,28 @@ private Utils() { public static boolean isBlank(String value) { return value == null || value.isBlank(); } + + /** + * Adds an environment variable to the map only if the value is not null or blank. + * + * @param envVars The environment variables map. + * @param name The name of the environment variable. + * @param value The value to be set (ignored if null or blank). + */ + public static void putIfNotBlank(Map envVars, String name, String value) { + if (!Utils.isBlank(value)) { + envVars.put(name, createEnvVar(name, value)); + } + } + + /** + * Creates an environment variable using the given name and value. + * + * @param name The name of the environment variable. + * @param value The value of the environment variable. + * @return An {@link EnvVar} instance with the specified name and value. + */ + public static EnvVar createEnvVar(String name, String value) { + return new EnvVarBuilder().withName(name).withValue(value).build(); + } } diff --git a/operator/controller/src/test/java/io/apicurio/registry/operator/it/ITBase.java b/operator/controller/src/test/java/io/apicurio/registry/operator/it/ITBase.java index ade6ea64b2..6b3e9a9a76 100644 --- a/operator/controller/src/test/java/io/apicurio/registry/operator/it/ITBase.java +++ b/operator/controller/src/test/java/io/apicurio/registry/operator/it/ITBase.java @@ -2,6 +2,8 @@ import io.apicurio.registry.operator.Constants; import io.apicurio.registry.operator.api.v1.ApicurioRegistry3; +import io.fabric8.kubernetes.api.model.ConfigMap; +import io.fabric8.kubernetes.api.model.ConfigMapBuilder; import io.fabric8.kubernetes.api.model.HasMetadata; import io.fabric8.kubernetes.api.model.NamespaceBuilder; import io.fabric8.kubernetes.api.model.apps.Deployment; 
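Review bot: Now that `createEnvVar` and `putIfNotBlank` are public, their Javadoc should say that they store the value in clear text in the Deployment spec (`withValue(value)`), so they must never be used for secret material — AuthTLS correctly uses `applySecretEnvVar` for the store passwords, and that distinction is easy to lose for the next caller. Suggested addition to both Javadocs: ` * Not for secrets: the value is written verbatim into the pod spec; use a secretKeyRef-based env var instead.` The `Map envVars` parameter appears without type arguments here; if that is just the rendering stripping generics, fine, otherwise it should be `Map<String, EnvVar>` to match the `createEnvVar` return type.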
@@ -18,11 +20,7 @@ import jakarta.enterprise.util.TypeLiteral; import org.awaitility.Awaitility; import org.eclipse.microprofile.config.ConfigProvider; -import org.junit.jupiter.api.AfterAll; -import org.junit.jupiter.api.AfterEach; -import org.junit.jupiter.api.BeforeAll; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.TestInfo; +import org.junit.jupiter.api.*; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -221,6 +219,41 @@ private static void createOperator() { }); } + static void createKeycloakDNSResolution(String ingressHostname, String keycloakService) { + String configMapName = "coredns"; + String systemNamespace = "kube-system"; + + // Step 1: Fetch the existing CoreDNS ConfigMap + ConfigMap existingConfigMap = client.configMaps().inNamespace(systemNamespace).withName(configMapName) + .get(); + + if (existingConfigMap == null) { + throw new IllegalStateException("Error: CoreDNS ConfigMap not found!"); + } + + // Step 2: Modify the CoreDNS configuration + String corefile = existingConfigMap.getData().get("Corefile"); + + // Step 3: Append the rewrite rule to Corefile + String newCorefile = corefile.replaceFirst("\\.:53 \\{", + ".:53 {\n rewrite name " + ingressHostname + " " + keycloakService); + + // Step 4: Create the updated ConfigMap, ensuring resourceVersion is included + ConfigMap updatedConfigMap = new ConfigMapBuilder().withMetadata(existingConfigMap.getMetadata()) // Preserve + // metadata + // (including + // UID) + .addToData("Corefile", newCorefile).build(); + + // Step 5: Apply the updated ConfigMap + client.configMaps().inNamespace(systemNamespace).resource(updatedConfigMap).update(); + + log.info("CoreDNS ConfigMap updated successfully!"); + + // Step 6: Restart CoreDNS to apply changes + client.apps().deployments().inNamespace(systemNamespace).withName("coredns").rolling().restart(); + } + static void createNamespace(KubernetesClient client, String namespace) { log.info("Creating Namespace {}", namespace); client.resource( diff --git a/operator/controller/src/test/java/io/apicurio/registry/operator/it/KeycloakITTest.java b/operator/controller/src/test/java/io/apicurio/registry/operator/it/KeycloakITTest.java index 6a2652a14e..e5b9769eb9 100644 --- a/operator/controller/src/test/java/io/apicurio/registry/operator/it/KeycloakITTest.java +++ b/operator/controller/src/test/java/io/apicurio/registry/operator/it/KeycloakITTest.java 
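Review bot: `createKeycloakDNSResolution` rewrites the cluster-wide `kube-system/coredns` Corefile and returns right after triggering `rolling().restart()`, without waiting for the rollout, so the registry deployed next may still resolve the ingress hostname through the old CoreDNS pods; it is also not idempotent (every call prepends another `rewrite` line), never restores the original Corefile, and will NPE on `corefile.replaceFirst` if the ConfigMap has no `Corefile` key. Because `replaceFirst` treats its second argument as a regex replacement string, a `$` in either hostname would also be misinterpreted. The rewrite below guards the missing key, skips an already-present rule, quotes the replacement and waits for CoreDNS to be ready; the original Corefile should additionally be kept (e.g. in a static field) and written back from an `@AfterAll`, since this mutates DNS for every namespace in the cluster and needs write access to `kube-system`. `Matcher` and `TimeUnit` would need imports.
```java
static void createKeycloakDNSResolution(String ingressHostname, String keycloakService) {
    // … unchanged: fetch the kube-system/coredns ConfigMap, fail if absent …
    String corefile = existingConfigMap.getData().get("Corefile");
    if (corefile == null) {
        throw new IllegalStateException("CoreDNS ConfigMap has no Corefile entry");
    }
    String rule = "rewrite name " + ingressHostname + " " + keycloakService;
    if (corefile.contains(rule)) {
        log.info("CoreDNS rewrite rule already present, skipping");
        return;
    }
    String newCorefile = corefile.replaceFirst("\\.:53 \\{",
            Matcher.quoteReplacement(".:53 {\n    " + rule));
    // … unchanged: build updatedConfigMap from existing metadata and update it …
    client.apps().deployments().inNamespace(systemNamespace).withName("coredns").rolling().restart();
    client.apps().deployments().inNamespace(systemNamespace).withName("coredns")
            .waitUntilReady(2, TimeUnit.MINUTES);
}
```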
@@ -46,6 +46,9 @@ void testKeycloakPlain() { .isEqualTo(1); }); + createKeycloakDNSResolution("simple-keycloak.apps.cluster.example", + "keycloak." + namespace + ".svc.cluster.local"); + // Deploy Registry var registry = deserialize("k8s/examples/auth/simple-with_keycloak.apicurioregistry3.yaml", ApicurioRegistry3.class); @@ -62,9 +65,6 @@ void testKeycloakPlain() { Assertions.assertEquals("https://simple-ui.apps.cluster.example", appAuthSpec.getRedirectURI()); Assertions.assertEquals("https://simple-ui.apps.cluster.example", appAuthSpec.getLogoutURL()); - // We must change the auth url of the backend to use the service. - appAuthSpec.setAuthServerUrl("http://keycloak." + namespace + ".svc.cluster.local/realms/registry"); - client.resource(registry).create(); // Assertions, checks registry deployments exist @@ -86,8 +86,8 @@ void testKeycloakPlain() { assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue()) .contains(EnvironmentVariables.APICURIO_REGISTRY_UI_CLIENT_ID + "=" + "apicurio-registry"); assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue()) - .contains(EnvironmentVariables.APICURIO_REGISTRY_AUTH_SERVER_URL + "=" + "http://keycloak." - + namespace + ".svc.cluster.local/realms/registry"); + .contains(EnvironmentVariables.APICURIO_REGISTRY_AUTH_SERVER_URL + "=" + + "https://simple-keycloak.apps.cluster.example/realms/registry"); assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue()) .contains(EnvironmentVariables.APICURIO_UI_AUTH_OIDC_REDIRECT_URI + "=" + "https://simple-ui.apps.cluster.example"); diff --git a/operator/controller/src/test/java/io/apicurio/registry/operator/it/KeycloakTLSITTest.java b/operator/controller/src/test/java/io/apicurio/registry/operator/it/KeycloakTLSITTest.java new file mode 100644 index 0000000000..63882e0d28 --- /dev/null +++ b/operator/controller/src/test/java/io/apicurio/registry/operator/it/KeycloakTLSITTest.java 
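Review bot: `testKeycloakPlain` no longer tests a plaintext setup: the fixture's Keycloak Service now only exposes 443 and the CR it loads sets `tlsVerificationType: none`, so what this test actually covers is "HTTPS to Keycloak with server-certificate verification disabled", which the name and the absence of any comment hide. A one-line comment before the deploy, `// Keycloak is reached over TLS via the CoreDNS rewrite; verification is disabled (tlsVerificationType: none) in this variant`, would keep it distinguishable from `KeycloakTLSITTest`. The hostname-to-service DNS rewrite is also done here but never undone, which matters because it affects every other test that runs in the same cluster.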
@@ -0,0 +1,98 @@ +package io.apicurio.registry.operator.it; + +import io.apicurio.registry.operator.EnvironmentVariables; +import io.apicurio.registry.operator.api.v1.ApicurioRegistry3; +import io.fabric8.kubernetes.api.model.HasMetadata; +import io.fabric8.kubernetes.client.utils.Serialization; +import io.quarkus.test.junit.QuarkusTest; +import org.awaitility.Awaitility; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.time.Duration; +import java.util.List; + +import static io.apicurio.registry.operator.api.v1.ContainerNames.REGISTRY_APP_CONTAINER_NAME; +import static io.apicurio.registry.operator.resource.ResourceFactory.COMPONENT_APP; +import static io.apicurio.registry.operator.resource.ResourceFactory.COMPONENT_UI; +import static io.apicurio.registry.operator.resource.ResourceFactory.deserialize; +import static io.apicurio.registry.operator.resource.app.AppDeploymentResource.getContainerFromDeployment; +import static org.assertj.core.api.Assertions.assertThat; +import static org.awaitility.Awaitility.await; + +@QuarkusTest +public class KeycloakTLSITTest extends ITBase { + + private static final Logger log = LoggerFactory.getLogger(KeycloakTLSITTest.class); + + @BeforeAll + public static void init() { + Awaitility.setDefaultTimeout(Duration.ofSeconds(60)); + } + + @Test + void testKeycloakPlain() { + // Preparation, deploy Keycloak + List resources = Serialization + .unmarshal(KeycloakTLSITTest.class.getResourceAsStream("/k8s/examples/auth/keycloak.yaml")); + + createResources(resources, "Keycloak"); + + await().ignoreExceptions().untilAsserted(() -> { + assertThat(client.apps().deployments().withName("keycloak").get().getStatus().getReadyReplicas()) + .isEqualTo(1); + }); + + // Deploy Registry + var registry = deserialize("k8s/examples/auth/tls/simple-with_keycloak.apicurioregistry3.yaml", + ApicurioRegistry3.class); 
+ + registry.getMetadata().setNamespace(namespace); + + var appAuthSpec = registry.getSpec().getApp().getAuth(); + + Assertions.assertEquals("registry-api", appAuthSpec.getAppClientId()); + Assertions.assertEquals("apicurio-registry", appAuthSpec.getUiClientId()); + Assertions.assertEquals(true, appAuthSpec.getEnabled()); + Assertions.assertEquals("https://simple-keycloak.apps.cluster.example/realms/registry", + appAuthSpec.getAuthServerUrl()); + Assertions.assertEquals("https://simple-ui.apps.cluster.example", appAuthSpec.getRedirectURI()); + Assertions.assertEquals("https://simple-ui.apps.cluster.example", appAuthSpec.getLogoutURL()); + + // We must change the auth url of the backend to use the service. + appAuthSpec.setAuthServerUrl("https://keycloak." + namespace + ".svc.cluster.local/realms/registry"); + + client.resource(registry).create(); + + // Assertions, checks registry deployments exist + checkDeploymentExists(registry, COMPONENT_APP, 1); + checkDeploymentExists(registry, COMPONENT_UI, 1); + + // App deployment auth related assertions + var appEnv = getContainerFromDeployment( + client.apps().deployments().inNamespace(namespace) + .withName(registry.getMetadata().getName() + "-app-deployment").get(), + REGISTRY_APP_CONTAINER_NAME).getEnv(); + + assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue()) + .contains(EnvironmentVariables.APICURIO_REGISTRY_AUTH_ENABLED + "=" + "true"); + assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue()) + .contains(EnvironmentVariables.OIDC_TLS_VERIFICATION + "=" + "required"); + assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue()) + .contains(EnvironmentVariables.APICURIO_REGISTRY_APP_CLIENT_ID + "=" + "registry-api"); + assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue()) + .contains(EnvironmentVariables.APICURIO_REGISTRY_UI_CLIENT_ID + "=" + "apicurio-registry"); + assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue()) + 
.contains(EnvironmentVariables.APICURIO_REGISTRY_AUTH_SERVER_URL + "=" + "https://keycloak." + + namespace + ".svc.cluster.local/realms/registry"); + assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue()) + .contains(EnvironmentVariables.APICURIO_UI_AUTH_OIDC_REDIRECT_URI + "=" + + "https://simple-ui.apps.cluster.example"); + assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue()) + .contains(EnvironmentVariables.APICURIO_UI_AUTH_OIDC_LOGOUT_URL + "=" + + "https://simple-ui.apps.cluster.example"); + } +} diff --git a/operator/controller/src/test/java/io/apicurio/registry/operator/unit/CorsTest.java b/operator/controller/src/test/java/io/apicurio/registry/operator/unit/CorsTest.java index 6b6ebde01d..cd6d203cdc 100644 --- a/operator/controller/src/test/java/io/apicurio/registry/operator/unit/CorsTest.java +++ b/operator/controller/src/test/java/io/apicurio/registry/operator/unit/CorsTest.java @@ -19,7 +19,7 @@ public class CorsTest { public void testConfigureAllowedOrigins() throws Exception { doTestAllowedOrigins("k8s/examples/cors/example-default.yaml", "*"); doTestAllowedOrigins("k8s/examples/cors/example-ingress.yaml", - "https://simple-ui.apps.cluster.example", "https://simple-ui.apps.cluster.example"); + "http://simple-ui.apps.cluster.example", "https://simple-ui.apps.cluster.example"); doTestAllowedOrigins("k8s/examples/cors/example-env-vars.yaml", "https://ui.example.org"); doTestAllowedOrigins("k8s/examples/cors/example-env-vars-and-ingress.yaml", "https://ui.example.org"); } diff --git a/operator/controller/src/test/resources/k8s/examples/auth/keycloak.yaml b/operator/controller/src/test/resources/k8s/examples/auth/keycloak.yaml index ccd0a5fd9a..8f47c914b5 100644 --- a/operator/controller/src/test/resources/k8s/examples/auth/keycloak.yaml +++ b/operator/controller/src/test/resources/k8s/examples/auth/keycloak.yaml 
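Review bot: The new TLS test asserts `OIDC_TLS_VERIFICATION=required` but never checks the part this patch is about — that the truststore secret is mounted and `OIDC_TLS_TRUSTSTORE_LOCATION` / `OIDC_TLS_TRUSTSTORE_PASSWORD` are set — so a regression that silently drops the truststore (the partial-config branch in AuthTLS) would still pass; add at least `assertThat(appEnv).map(EnvVar::getName).contains(EnvironmentVariables.OIDC_TLS_TRUSTSTORE_LOCATION, EnvironmentVariables.OIDC_TLS_TRUSTSTORE_PASSWORD);` (import `EnvVar`) and a check on the app container's volume mounts. Nothing here exercises a real handshake either: the test only inspects env vars, so `required` against the fixture's self-signed certificate is never proven to work, and the override to `https://keycloak.<namespace>.svc.cluster.local` only works if that name matches a SAN in the committed certificate, which I cannot confirm from the redacted fixture. The test is also named `testKeycloakPlain`, identical to the plain variant, and it reintroduces the "change the auth url to the service" override that the sibling hunk just removed from `KeycloakITTest`; if the two tests are meant to differ in this respect, a comment explaining why the TLS variant cannot go through the CoreDNS rewrite would help.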
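Review bot: The expected allowed origins for `example-ingress.yaml` now include `http://simple-ui.apps.cluster.example` next to the https origin, but no production code in this patch touches how CORS origins are derived from the ingress host, so either this assertion was failing before or the behaviour changed in another commit — worth stating which in the commit message. Allowing the plaintext origin widens the CORS allow-list for a UI that is otherwise served over TLS; if that is deliberate (an ingress that may not terminate TLS), a comment on the call such as `// ingress-derived origins are emitted for both schemes because the ingress may or may not terminate TLS` would stop a later reviewer from "fixing" it back.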
@@ -3144,6 +3144,23 @@ kind: ConfigMap metadata: name: keycloak-configmap --- +apiVersion: v1 +kind: Secret +metadata: + name: keycloak-tls +type: kubernetes.io/tls +data: + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVHekNDQXdPZ0F3SUJBZ0lVRHE1a3N5dGovR20xdGRRUU91bGdkZ3dadXJNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1l6RUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlZCQWdNQWtOQk1SWXdGQVlEVlFRSERBMVRZVzRnUm5KaApibU5wYzJOdk1SRXdEd1lEVlFRS0RBaExaWGxqYkc5aGF6RWNNQm9HQTFVRUF3d1RLaTV6ZG1NdVkyeDFjM1JsCmNpNXNiMk5oYkRBZUZ3MHlOVEF4TXpBeE9EUTBNRGRhRncweU5qQXhNekF4T0RRME1EZGFNR014Q3pBSkJnTlYKQkFZVEFsVlRNUXN3Q1FZRFZRUUlEQUpEUVRFV01CUUdBMVVFQnd3TlUyRnVJRVp5WVc1amFYTmpiekVSTUE4RwpBMVVFQ2d3SVMyVjVZMnh2WVdzeEhEQWFCZ05WQkFNTUV5b3VjM1pqTG1Oc2RYTjBaWEl1Ykc5allXd3dnZ0VpCk1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRHRxanoyRzAvQTRnUUZGeXo5VzNmbmNkTGoKdFB1MWR6d2tFZ1BUdmM0SlFSQ2hBV0lCQkEyWTlNZUlCTzk0MFpGMWNJa1dMZjFvUURsRXVYNnVRVjZHdTJ4aQpVWDZ5QnNtK2krS0tZdWg2S2Jyd3V1ZmRBTzVFc0pYelpuRmR2L2lUNzBaWUJPTnNPVzBmVmhLY3dBaW9uSFN4CnI2aW1kb2V0S3EzTmJrZ1daQlBpL29SbGhFR2FwRitLTHpRZlU3U1d2bnNsdU5YQXVaMnZpQW5NVGdNNVhmcWoKR3VqSXZaVEliTUQxS05tR0c4U2ZjQXdmSHNXbXBOajUyOTNiQkNVN2lhUkFBakdBZkMyekdVNTJFL0xVQjJPTApxaDZVcUpzdW5pRjJXNWNJREs3OElEZ2tWQysxUy9haEVwUm1WVGZndk00R09zUmtJQXJsS2hpRCttVm5BZ01CCkFBR2pnY1l3Z2NNd2dhRUdBMVVkRVFTQm1UQ0Jsb0lJYTJWNVkyeHZZV3VDREd0bGVXTnNiMkZyTG5OMlk0SWEKYTJWNVkyeHZZV3N1YzNaakxtTnNkWE4wWlhJdWJHOWpZV3lDRXlvdWMzWmpMbU5zZFhOMFpYSXViRzlqWVd5QwpNeW91WVhCcFkzVnlhVzh0Y21WbmFYTjBjbmt0YjNCbGNtRjBiM0l0ZEdWemRDNXpkbU11WTJ4MWMzUmxjaTVzCmIyTmhiSUlXS2k1aGNIQnpMbU5zZFhOMFpYSXVaWGhoYlhCc1pUQWRCZ05WSFE0RUZnUVVBS0grcWZiYjNHMXIKTHRvaHl6ZUdVRDJ2N2Jrd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFOUnZ0V1RHWGthWS9LVCtWaEpwdzJpcQpHZUNJU2JBU28rNTZNMExabDU0M3JlaHhaRUQ0VzBXajdiTTJueFRtdG9sQ0MybGM3cTJST1lLQzU1Y3YvKzdGCitwMnEzWWZQeHpDV0hRN1F6UlRvK2FWN2FubFlOSUdXaXB3T0lPVHhvZmVzOTVmLzdwNTRzRXJzVTliUE9BTUsKLzZCaG5OUzZ4ZmxwczJMZTJrSXREV1dFUVVVZHZQZCtJN0R4SXFxdkpQQVpUL0NZcHFZU3RDQ3NhNWlYcFphOQpkdTl2dW9LVFVnRHhSYld0Rkw5dE5GNUFGM3hjYlVYenc0b
E9Hd0g2WmNxZEdXVVA2NU8xYlg5UnJxYkNabHEvCmpWc21vV3BIUG9nK241WGFVUXRmcExRN2xIODNXeUFTMEsyUjYzME4vWFVRZjk1WTV0SWhRd281cmRPcS9wQT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ== + tls.key: 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 +--- +apiVersion: v1 +kind: Secret +metadata: + name: keycloak-truststore +data: + truststore: 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 + password: YXBpY3VyaW8= +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -3165,6 +3182,8 @@ spec: image: quay.io/keycloak/keycloak:26.1.0 args: ["start-dev", "--import-realm"] env: + - name: KC_HOSTNAME + value: "simple-keycloak.apps.cluster.example" - name: KC_BOOTSTRAP_ADMIN_USERNAME value: "admin" - name: KC_BOOTSTRAP_ADMIN_PASSWORD @@ -3173,26 +3192,39 @@ spec: value: "edge" - name: KC_HEALTH_ENABLED value: "true" - - name: KC_HTTP_PORT - value: "8090" + - name: KC_HTTPS_PORT + value: "8443" - name: PROXY_ADDRESS_FORWARDING value: "true" - name: KEYCLOAK_FRONTEND_URL value: "https://simple-keycloak.apps.cluster.example" + - name: KC_HTTPS_CERTIFICATE_FILE + value: "/etc/x509/https/tls.crt" + - name: KC_HTTPS_CERTIFICATE_KEY_FILE + value: "/etc/x509/https/tls.key" ports: - name: http - containerPort: 8090 + containerPort: 8443 + - name: health + containerPort: 9000 readinessProbe: httpGet: path: /health/ready port: 9000 + scheme: HTTPS volumeMounts: + - name: keycloak-tls + mountPath: /etc/x509/https + readOnly: true - name: keycloak-volume mountPath: /opt/keycloak/data/import volumes: - name: keycloak-volume configMap: name: keycloak-configmap + - name: keycloak-tls + secret: + secretName: keycloak-tls --- apiVersion: v1 kind: Service 
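Review bot: The fixture now carries a TLS private key and a truststore whose password is `YXBpY3VyaW8=` (`apicurio`) in the repository, and nothing in the file says the material is self-signed and test-only, so secret scanners will flag it and someone may eventually reuse it. Add a comment above the `keycloak-tls` Secret such as `# TEST FIXTURE ONLY: self-signed certificate/key generated for the operator integration tests; never reuse outside tests`, and ideally note the SAN list the certificate was issued for so test authors know which hostnames `required` verification will accept. The old copy of the same Secret in `namespace: keycloak` is correctly removed further down.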
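Review bot: The container port is still named `http` although it is now `8443` with `KC_HTTPS_CERTIFICATE_FILE` configured, so the manifest misdescribes what the port speaks; rename it: `- name: https` / `  containerPort: 8443`. Setting `KC_HOSTNAME` to the ingress hostname fixes the issuer in minted tokens to `https://simple-keycloak.apps.cluster.example/...`, while `KeycloakTLSITTest` points the registry at the in-cluster service URL; whether Quarkus OIDC accepts tokens whose `iss` differs from the configured auth server URL depends on its issuer validation defaults, which this patch does not exercise — worth a comment on `KC_HOSTNAME` explaining that tests resolving the ingress name to the Service rely on it. The `readinessProbe` switch to `scheme: HTTPS` on the management port 9000 looks consistent with the certificate configuration.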
@@ -3202,23 +3234,13 @@ metadata: app: keycloak spec: ports: - - name: http - port: 80 - targetPort: 8090 + - name: https + port: 443 + targetPort: 8443 selector: app: keycloak type: LoadBalancer --- -apiVersion: v1 -kind: Secret -metadata: - name: keycloak-tls - namespace: keycloak -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: 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 ---- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -3238,4 +3260,4 @@ spec: service: name: keycloak port: - number: 80 \ No newline at end of file + number: 443 \ No newline at end of file diff --git a/operator/controller/src/test/resources/k8s/examples/auth/simple-with_keycloak.apicurioregistry3.yaml b/operator/controller/src/test/resources/k8s/examples/auth/simple-with_keycloak.apicurioregistry3.yaml index 8b6bfc55ce..2e49ddeae0 100644 --- a/operator/controller/src/test/resources/k8s/examples/auth/simple-with_keycloak.apicurioregistry3.yaml +++ b/operator/controller/src/test/resources/k8s/examples/auth/simple-with_keycloak.apicurioregistry3.yaml @@ -13,12 +13,8 @@ spec: authServerUrl: https://simple-keycloak.apps.cluster.example/realms/registry redirectURI: https://simple-ui.apps.cluster.example logoutURL: https://simple-ui.apps.cluster.example - tlsVerification: none + tls: + tlsVerificationType: none ui: ingress: host: simple-ui.apps.cluster.example - env: - - name: REGISTRY_API_URL - value: https://simple-app.apps.cluster.example/apis/registry/v3 - - name: REGISTRY_AUTH_URL - value: https://simple-keycloak.apps.cluster.example/realms/registry diff --git a/operator/controller/src/test/resources/k8s/examples/auth/tls/keycloak.yaml b/operator/controller/src/test/resources/k8s/examples/auth/tls/keycloak.yaml deleted file mode 100644 index 44e47bf010..0000000000 --- a/operator/controller/src/test/resources/k8s/examples/auth/tls/keycloak.yaml +++ /dev/null 
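Review bot: Pointing the Ingress backend at service port `443` only works if the ingress controller is told to speak TLS to the backend (for ingress-nginx that is the `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` annotation); the Ingress annotations are outside this hunk, so I cannot tell whether that is set, and since both ITs now bypass the Ingress through the CoreDNS rewrite the path may never be exercised. If the Ingress is kept only as an example, a comment stating the required backend-protocol setting for the intended controller would save the next person a debugging session.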
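Review bot: `tlsVerificationType: none` disables OIDC server-certificate verification, and this file lives under `examples/`, where it is likely to be copied as a template; the value should carry a comment making the trade-off explicit, e.g. `# TEST ONLY: disables server-certificate verification for the OIDC server; use "required" with a truststore secret in production (see tls/ example)`. Dropping the hard-coded `REGISTRY_API_URL` / `REGISTRY_AUTH_URL` env entries from the UI section is fine provided the operator derives them itself, which the hunk does not show.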
@@ -1,3244 +0,0 @@ -apiVersion: v1 -data: - realm.json: | - { - "id": "registry", - "realm": "registry", - "notBefore": 1600933598, - "defaultSignatureAlgorithm": "RS256", - "revokeRefreshToken": false, - "refreshTokenMaxReuse": 0, - "accessTokenLifespan": 300, - "accessTokenLifespanForImplicitFlow": 900, - "ssoSessionIdleTimeout": 1800, - "ssoSessionMaxLifespan": 36000, - "ssoSessionIdleTimeoutRememberMe": 0, - "ssoSessionMaxLifespanRememberMe": 0, - "offlineSessionIdleTimeout": 2592000, - "offlineSessionMaxLifespanEnabled": false, - "offlineSessionMaxLifespan": 5184000, - "clientSessionIdleTimeout": 0, - "clientSessionMaxLifespan": 0, - "clientOfflineSessionIdleTimeout": 0, - "clientOfflineSessionMaxLifespan": 0, - "accessCodeLifespan": 60, - "accessCodeLifespanUserAction": 300, - "accessCodeLifespanLogin": 1800, - "actionTokenGeneratedByAdminLifespan": 43200, - "actionTokenGeneratedByUserLifespan": 300, - "oauth2DeviceCodeLifespan": 600, - "oauth2DevicePollingInterval": 5, - "enabled": true, - "sslRequired": "external", - "registrationAllowed": true, - "registrationEmailAsUsername": false, - "rememberMe": true, - "verifyEmail": false, - "loginWithEmailAllowed": true, - "duplicateEmailsAllowed": false, - "resetPasswordAllowed": true, - "editUsernameAllowed": false, - "bruteForceProtected": false, - "permanentLockout": false, - "maxFailureWaitSeconds": 900, - "minimumQuickLoginWaitSeconds": 60, - "waitIncrementSeconds": 60, - "quickLoginCheckMilliSeconds": 1000, - "maxDeltaTimeSeconds": 43200, - "failureFactor": 30, - "roles": { - "realm": [ - { - "id": "91363f21-2a57-4d65-954b-b3cd45d9f69c", - "name": "sr-admin", - "composite": false, - "clientRole": false, - "containerId": "registry", - "attributes": {} - }, - { - "id": "b2a0eee7-c761-49a1-9426-441d467f3f98", - "name": "offline_access", - "description": "${role_offline-access}", - "composite": false, - "clientRole": false, - "containerId": "registry", - "attributes": {} - }, - { - "id": 
"2c0937ba-7b1f-424c-927c-33cd2ccfdc62", - "name": "sr-developer", - "composite": false, - "clientRole": false, - "containerId": "registry", - "attributes": {} - }, - { - "id": "1ffdda65-2476-4ad5-b1e8-9f8af44a897b", - "name": "uma_authorization", - "description": "${role_uma_authorization}", - "composite": false, - "clientRole": false, - "containerId": "registry", - "attributes": {} - }, - { - "id": "a06b0184-e5bc-44c2-ae5b-4315754405f1", - "name": "sr-readonly", - "composite": false, - "clientRole": false, - "containerId": "registry", - "attributes": {} - }, - { - "id": "33a21208-808d-444f-9aa7-fdf3dc9536ce", - "name": "default-roles-registry", - "description": "${role_default-roles}", - "composite": true, - "composites": { - "realm": [ - "User", - "offline_access", - "uma_authorization" - ], - "client": { - "account": [ - "view-applications", - "view-profile", - "manage-account" - ] - } - }, - "clientRole": false, - "containerId": "registry", - "attributes": {} - }, - { - "id": "43dd3a54-4447-4703-ad0e-cd558f78c803", - "name": "User", - "composite": false, - "clientRole": false, - "containerId": "registry", - "attributes": {} - } - ], - "client": { - "admin-client": [], - "realm-management": [ - { - "id": "dcd9e6f5-3158-4e90-ba06-e5e80e0fa05c", - "name": "query-users", - "description": "${role_query-users}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "0b4d5891-c2d9-409d-b4bd-b5daa11e059e", - "name": "view-identity-providers", - "description": "${role_view-identity-providers}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "2fee03d5-f4da-418f-843e-0a70cba351c7", - "name": "view-clients", - "description": "${role_view-clients}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "query-clients" - ] - } - }, - "clientRole": true, - "containerId": 
"ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "82e5542a-8ec4-4e76-aa2f-75c0eb707aad", - "name": "manage-realm", - "description": "${role_manage-realm}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "4d0d41a7-ac3f-47c6-a227-de0dc1c861de", - "name": "query-groups", - "description": "${role_query-groups}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "4d69772c-08d4-4735-954c-4115788cecbc", - "name": "view-events", - "description": "${role_view-events}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "8a79c5f9-2d14-44e4-b2bc-7e4cb955b721", - "name": "query-realms", - "description": "${role_query-realms}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "0b54c521-9672-49b5-89ab-603fe4da9693", - "name": "manage-events", - "description": "${role_manage-events}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "3fa4a674-d449-4576-b207-f89e556ba617", - "name": "manage-authorization", - "description": "${role_manage-authorization}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "7a9c60b9-f2e6-4fec-ac85-7b3633a0f116", - "name": "realm-admin", - "description": "${role_realm-admin}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "query-users", - "view-identity-providers", - "view-clients", - "manage-realm", - "query-groups", - "view-events", - "query-realms", - "manage-events", - "manage-authorization", - "view-users", - "view-authorization", - "manage-identity-providers", - 
"impersonation", - "query-clients", - "manage-clients", - "view-realm", - "create-client", - "manage-users" - ] - } - }, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "f7c5550f-8233-4347-967d-4905cbd36cec", - "name": "view-users", - "description": "${role_view-users}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "query-users", - "query-groups" - ] - } - }, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "05c8c44f-8554-4a91-b9cb-be6995144040", - "name": "view-authorization", - "description": "${role_view-authorization}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "e91f859e-d5c3-48d6-b0b0-5ff2710db3c9", - "name": "impersonation", - "description": "${role_impersonation}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "a0c6b281-3915-45c2-9af7-d7d4f669419a", - "name": "manage-identity-providers", - "description": "${role_manage-identity-providers}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "e6e6d63d-d161-444f-a58d-30875b076d16", - "name": "query-clients", - "description": "${role_query-clients}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "4c592e93-ba00-4661-af7d-bc50b800c060", - "name": "manage-clients", - "description": "${role_manage-clients}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "e50b557e-c79e-4e5a-92ee-a56b9c3925e1", - "name": "view-realm", - "description": "${role_view-realm}", - "composite": false, - "clientRole": true, - 
"containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "34b1cafe-ee16-42d0-9ec1-c6829e01f78c", - "name": "create-client", - "description": "${role_create-client}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - }, - { - "id": "7d1d9c1e-6c1c-41eb-b8d9-6460e4d243f0", - "name": "manage-users", - "description": "${role_manage-users}", - "composite": false, - "clientRole": true, - "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "attributes": {} - } - ], - "apicurio-registry": [], - "readonly-client": [], - "security-admin-console": [], - "admin-cli": [], - "account-console": [], - "developer-client": [], - "wrong-client": [], - "broker": [ - { - "id": "1ec1b34a-682d-44e7-b1fb-1d235b27b9d0", - "name": "read-token", - "description": "${role_read-token}", - "composite": false, - "clientRole": true, - "containerId": "717c272b-ed48-4d5a-a3cb-da5d3d3ba528", - "attributes": {} - } - ], - "account": [ - { - "id": "e81eb004-b1ac-49a7-84ab-d2b86228c89d", - "name": "delete-account", - "description": "${role_delete-account}", - "composite": false, - "clientRole": true, - "containerId": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b", - "attributes": {} - }, - { - "id": "a49e7c09-b2df-4468-96f0-65b8591774ad", - "name": "manage-account-links", - "description": "${role_manage-account-links}", - "composite": false, - "clientRole": true, - "containerId": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b", - "attributes": {} - }, - { - "id": "b6e07306-8781-4538-800b-32b2ffc5d57c", - "name": "view-applications", - "description": "${role_view-applications}", - "composite": false, - "clientRole": true, - "containerId": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b", - "attributes": {} - }, - { - "id": "aa763dea-9699-4899-95bc-f2cef6692b1d", - "name": "manage-consent", - "description": "${role_manage-consent}", - "composite": true, - "composites": { - "client": { - "account": [ - "view-consent" - ] - } 
- }, - "clientRole": true, - "containerId": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b", - "attributes": {} - }, - { - "id": "6b67af9e-5c96-4944-8189-7d6c7ecc1f80", - "name": "view-consent", - "description": "${role_view-consent}", - "composite": false, - "clientRole": true, - "containerId": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b", - "attributes": {} - }, - { - "id": "aad246c6-eb26-4cfd-b840-e113021f5b9b", - "name": "view-profile", - "description": "${role_view-profile}", - "composite": false, - "clientRole": true, - "containerId": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b", - "attributes": {} - }, - { - "id": "de065b56-c31c-41df-b110-186a798d7f17", - "name": "manage-account", - "description": "${role_manage-account}", - "composite": true, - "composites": { - "client": { - "account": [ - "manage-account-links" - ] - } - }, - "clientRole": true, - "containerId": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b", - "attributes": {} - } - ], - "registry-api": [] - } - }, - "groups": [], - "defaultRole": { - "id": "33a21208-808d-444f-9aa7-fdf3dc9536ce", - "name": "default-roles-registry", - "description": "${role_default-roles}", - "composite": true, - "clientRole": false, - "containerId": "registry" - }, - "requiredCredentials": [ - "password" - ], - "otpPolicyType": "totp", - "otpPolicyAlgorithm": "HmacSHA1", - "otpPolicyInitialCounter": 0, - "otpPolicyDigits": 6, - "otpPolicyLookAheadWindow": 1, - "otpPolicyPeriod": 30, - "otpSupportedApplications": [ - "FreeOTP", - "Google Authenticator" - ], - "webAuthnPolicyRpEntityName": "keycloak", - "webAuthnPolicySignatureAlgorithms": [ - "ES256" - ], - "webAuthnPolicyRpId": "", - "webAuthnPolicyAttestationConveyancePreference": "not specified", - "webAuthnPolicyAuthenticatorAttachment": "not specified", - "webAuthnPolicyRequireResidentKey": "not specified", - "webAuthnPolicyUserVerificationRequirement": "not specified", - "webAuthnPolicyCreateTimeout": 0, - "webAuthnPolicyAvoidSameAuthenticatorRegister": false, - 
"webAuthnPolicyAcceptableAaguids": [], - "webAuthnPolicyPasswordlessRpEntityName": "keycloak", - "webAuthnPolicyPasswordlessSignatureAlgorithms": [ - "ES256" - ], - "webAuthnPolicyPasswordlessRpId": "", - "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", - "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", - "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", - "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", - "webAuthnPolicyPasswordlessCreateTimeout": 0, - "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyPasswordlessAcceptableAaguids": [], - "users": [ - { - "id": "5d3833aa-2aba-4fc4-a546-00dfe1d56bb5", - "createdTimestamp": 1687335757025, - "username": "admin-client", - "enabled": true, - "totp": false, - "emailVerified": false, - "serviceAccountClientId": "admin-client", - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "sr-admin", - "default-roles-registry" - ], - "notBefore": 0, - "groups": [] - }, - { - "id": "0f1c31e8-a357-4f05-90cc-3374973b6088", - "createdTimestamp": 1608543288931, - "username": "developer-client", - "enabled": true, - "totp": false, - "emailVerified": false, - "serviceAccountClientId": "developer-client", - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "offline_access", - "uma_authorization", - "sr-developer", - "User" - ], - "clientRoles": { - "account": [ - "view-applications", - "view-profile", - "manage-account" - ] - }, - "notBefore": 0, - "groups": [] - }, - { - "id": "0f1d31e8-a358-4f05-90cc-3374453b7088", - "createdTimestamp": 1608543288931, - "username": "service-account-wrong-client", - "enabled": true, - "totp": false, - "emailVerified": false, - "serviceAccountClientId": "wrong-client", - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "offline_access", - "uma_authorization", - "sr-developer", - "User" - ], - 
"clientRoles": { - "account": [ - "view-applications", - "view-profile", - "manage-account" - ] - }, - "notBefore": 0, - "groups": [] - }, - { - "id": "06fec980-2e11-4c7f-a8fb-3d285f30b0b0", - "createdTimestamp": 1608543552621, - "username": "readonly-client", - "enabled": true, - "totp": false, - "emailVerified": false, - "serviceAccountClientId": "readonly-client", - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "offline_access", - "uma_authorization", - "sr-readonly", - "User" - ], - "clientRoles": { - "account": [ - "view-applications", - "view-profile", - "manage-account" - ] - }, - "notBefore": 0, - "groups": [] - }, - { - "id": "70dbaf4a-fcef-449c-9184-121b6cedb115", - "createdTimestamp": 1607594319706, - "username": "service-account-registry-api", - "enabled": true, - "totp": false, - "emailVerified": false, - "serviceAccountClientId": "registry-api", - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "sr-admin", - "offline_access", - "uma_authorization", - "User" - ], - "clientRoles": { - "account": [ - "view-applications", - "view-profile", - "manage-account" - ] - }, - "notBefore": 0, - "groups": [] - } - ], - "scopeMappings": [ - { - "clientScope": "offline_access", - "roles": [ - "offline_access" - ] - } - ], - "clientScopeMappings": { - "account": [ - { - "client": "account-console", - "roles": [ - "manage-account" - ] - } - ] - }, - "clients": [ - { - "id": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b", - "clientId": "account", - "name": "${client_account}", - "rootUrl": "${authBaseUrl}", - "baseUrl": "/realms/registry/account/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "test1", - "redirectUris": [ - "/realms/registry/account/*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - 
"directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "ae8d8aa5-5991-42a1-8ca8-eec12b6717f7", - "clientId": "account-console", - "name": "${client_account-console}", - "rootUrl": "${authBaseUrl}", - "baseUrl": "/realms/registry/account/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "test1", - "redirectUris": [ - "/realms/registry/account/*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "pkce.code.challenge.method": "S256" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "protocolMappers": [ - { - "id": "b852b0a0-768e-4f42-badd-14cf7d2d227a", - "name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "80b79538-8665-4188-921d-f4d0ad1f3113", - "clientId": "admin-cli", - "name": "${client_admin-cli}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - 
"clientAuthenticatorType": "client-secret", - "secret": "test1", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "21c5668a-4fba-46e9-8ac3-831e5d907eb6", - "clientId": "admin-client", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "test1", - "redirectUris": [ - "*" - ], - "webOrigins": [ - "*" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": true, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": true, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "frontchannel.logout.session.required": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature.keyinfo.ext": "false", - "use.refresh.tokens": "true", - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "require.pushed.authorization.requests": "false", - "saml.client.signature": "false", - "saml.allow.ecp.flow": "false", - "id.token.as.detached.signature": "false", - "saml.assertion.signature": "false", - 
"client.secret.creation.time": "1687335786", - "saml.encrypt": "false", - "login_theme": "keycloak", - "saml.server.signature": "false", - "exclude.session.state.from.auth.response": "false", - "saml.artifact.binding": "false", - "saml_force_name_id_format": "false", - "acr.loa.map": "{}", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "token.response.type.bearer.lower-case": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "ef8fe948-b172-4d59-bffe-4ba46d0c0b09", - "name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String" - } - }, - { - "id": "7e443600-bf35-49df-b0ea-5b5c51f9c590", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientId", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientId", - "jsonType.label": "String" - } - }, - { - "id": "605d578d-5532-4f83-bd97-fe6bf72c5fee", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": 
"1fa15256-6427-47fa-a144-b0b784e834c6", - "clientId": "apicurio-registry", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "test1", - "redirectUris": [ - "*" - ], - "webOrigins": [ - "*" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "717c272b-ed48-4d5a-a3cb-da5d3d3ba528", - "clientId": "broker", - "name": "${client_broker}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "test1", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": 
"openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "af889033-76c2-41ae-a368-67d5789f4b87", - "clientId": "developer-client", - "rootUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "test1", - "redirectUris": [ - "*" - ], - "webOrigins": [ - "*" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": true, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": true, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "frontchannel.logout.session.required": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature.keyinfo.ext": "false", - "use.refresh.tokens": "true", - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "false", - "client_credentials.use_refresh_token": "false", - "require.pushed.authorization.requests": "false", - "saml.client.signature": "false", - "saml.allow.ecp.flow": "false", - "id.token.as.detached.signature": "false", - "saml.assertion.signature": "false", - "saml.encrypt": "false", - "login_theme": "keycloak", - "saml.server.signature": "false", - "exclude.session.state.from.auth.response": "false", - "saml.artifact.binding": "false", - "saml_force_name_id_format": "false", - "acr.loa.map": "{}", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - 
"token.response.type.bearer.lower-case": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "aeb67b03-0bbd-432c-a329-0a04363e974a", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientId", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientId", - "jsonType.label": "String" - } - }, - { - "id": "7c29a433-d724-4b5b-86fe-d9cf9f6b7ba1", - "name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String" - } - }, - { - "id": "d2bda4a4-e2cc-498e-838e-60a7840ccad9", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "af779833-76c2-41ae-a368-67d5789f4b87", - "clientId": "developer-2-client", - "rootUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "test2", - "redirectUris": [ - "*" - ], - "webOrigins": [ - "*" - ], - "notBefore": 0, - "bearerOnly": 
false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": true, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": true, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "frontchannel.logout.session.required": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature.keyinfo.ext": "false", - "use.refresh.tokens": "true", - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "false", - "client_credentials.use_refresh_token": "false", - "require.pushed.authorization.requests": "false", - "saml.client.signature": "false", - "saml.allow.ecp.flow": "false", - "id.token.as.detached.signature": "false", - "saml.assertion.signature": "false", - "saml.encrypt": "false", - "login_theme": "keycloak", - "saml.server.signature": "false", - "exclude.session.state.from.auth.response": "false", - "saml.artifact.binding": "false", - "saml_force_name_id_format": "false", - "acr.loa.map": "{}", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "token.response.type.bearer.lower-case": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "aeb67a03-0bbd-432c-a329-0a04363e974a", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientId", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientId", - "jsonType.label": "String" - } - }, - { - "id": "7c28a433-d724-4b5b-86fe-d9cf9f6b7ba1", - 
"name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String" - } - }, - { - "id": "d2bda474-e2cc-498e-838e-60a7840ccad9", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "af669833-76c2-41ae-a368-67d5789f4b87", - "clientId": "no-role-client", - "rootUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "test1", - "redirectUris": [ - "*" - ], - "webOrigins": [ - "*" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": true, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": true, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "frontchannel.logout.session.required": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature.keyinfo.ext": "false", - "use.refresh.tokens": "true", - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "false", - 
"client_credentials.use_refresh_token": "false", - "require.pushed.authorization.requests": "false", - "saml.client.signature": "false", - "saml.allow.ecp.flow": "false", - "id.token.as.detached.signature": "false", - "saml.assertion.signature": "false", - "saml.encrypt": "false", - "login_theme": "keycloak", - "saml.server.signature": "false", - "exclude.session.state.from.auth.response": "false", - "saml.artifact.binding": "false", - "saml_force_name_id_format": "false", - "acr.loa.map": "{}", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "token.response.type.bearer.lower-case": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "aeb67c03-0bbd-432c-a329-0a04363e974a", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientId", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientId", - "jsonType.label": "String" - } - }, - { - "id": "7c27a433-d724-4b5b-86fe-d9cf9f6b7ba1", - "name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String" - } - }, - { - "id": "d2bda374-e2cc-498e-838e-60a7840ccad9", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "userinfo.token.claim": "true", - "id.token.claim": "true", - 
"access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "af774034-77c2-41le-a368-67d5789f4b87", - "clientId": "wrong-client", - "rootUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "test1", - "redirectUris": [ - "*" - ], - "webOrigins": [ - "*" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": true, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": true, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "frontchannel.logout.session.required": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature.keyinfo.ext": "false", - "use.refresh.tokens": "true", - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "false", - "client_credentials.use_refresh_token": "false", - "require.pushed.authorization.requests": "false", - "saml.client.signature": "false", - "saml.allow.ecp.flow": "false", - "id.token.as.detached.signature": "false", - "saml.assertion.signature": "false", - "saml.encrypt": "false", - "login_theme": "keycloak", - "saml.server.signature": "false", - "exclude.session.state.from.auth.response": "false", - "saml.artifact.binding": "false", - "saml_force_name_id_format": "false", - "acr.loa.map": "{}", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "token.response.type.bearer.lower-case": "false", 
- "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "ytb67b03-0yyi-432c-a329-0a04363e974a", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientId", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientId", - "jsonType.label": "String" - } - }, - { - "id": "4c29a234-d731-4b5b-84fe-d9cf9f6b7ba1", - "name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String" - } - }, - { - "id": "d2bda9a3-e2cc-498e-838e-60a7840hhod5", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "57e9899-9c1a-498d-96fd-c9bcbd3f3121", - "clientId": "readonly-client", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "test1", - "redirectUris": [ - "*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - 
"implicitFlowEnabled": true, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": true, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "login_theme": "keycloak", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "574cef06-3ccf-4ed0-9001-edd83606ff57", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String" - } - }, - { - "id": "eae693c7-5b00-4c10-bf8c-c8959925659a", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientId", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientId", - "jsonType.label": "String" - } - }, - { - "id": "c1861851-a5ae-4da0-9110-469abc9bd64d", - "name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "userinfo.token.claim": "true", - 
"id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e", - "clientId": "realm-management", - "name": "${client_realm-management}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "test1", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": true, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "69afe60b-7329-440a-9b4c-0ebec33d8902", - "clientId": "registry-api", - "rootUrl": "", - "adminUrl": "http://localhost:8080", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "test1", - "redirectUris": [ - "*" - ], - "webOrigins": [ - "*" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": true, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": true, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - 
"frontchannel.logout.session.required": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature.keyinfo.ext": "false", - "use.refresh.tokens": "true", - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "false", - "client_credentials.use_refresh_token": "false", - "require.pushed.authorization.requests": "false", - "saml.client.signature": "false", - "saml.allow.ecp.flow": "false", - "id.token.as.detached.signature": "false", - "saml.assertion.signature": "false", - "saml.encrypt": "false", - "login_theme": "keycloak", - "saml.server.signature": "false", - "exclude.session.state.from.auth.response": "false", - "saml.artifact.binding": "false", - "saml_force_name_id_format": "false", - "acr.loa.map": "{}", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "token.response.type.bearer.lower-case": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "83a4a269-207b-4818-bbbb-a04abebb2997", - "name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String" - } - }, - { - "id": "20241caf-ebb6-467f-acae-7543b143c289", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientId", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientId", - "jsonType.label": "String" 
- } - }, - { - "id": "eb3a14a2-5c4c-4dd7-99dc-e2734c8c5d98", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "f1beca1a-0756-4dc6-9719-9234cd9b779f", - "clientId": "security-admin-console", - "name": "${client_security-admin-console}", - "rootUrl": "${authAdminUrl}", - "baseUrl": "/admin/registry/console/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "test1", - "redirectUris": [ - "/admin/registry/console/*" - ], - "webOrigins": [ - "+" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "pkce.code.challenge.method": "S256" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "protocolMappers": [ - { - "id": "cb9b9e1a-63a0-460e-a42f-14d1ace49da3", - "name": "locale", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "locale", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "locale", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", 
- "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - } - ], - "clientScopes": [ - { - "id": "db64f4f6-e562-4e43-9f17-255b8a21c5ca", - "name": "roles", - "description": "OpenID Connect scope for add user roles to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "true", - "consent.screen.text": "${rolesScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "bfdfc98c-59eb-4a05-9a74-dd1bb4dea691", - "name": "client roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "consentRequired": false, - "config": { - "user.attribute": "foo", - "access.token.claim": "true", - "claim.name": "resource_access.${client_id}.roles", - "jsonType.label": "String", - "multivalued": "true" - } - }, - { - "id": "e285b5a4-2854-46d8-bd06-6ca2911dde8a", - "name": "realm roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "user.attribute": "foo", - "access.token.claim": "true", - "claim.name": "realm_access.roles", - "jsonType.label": "String", - "multivalued": "true" - } - }, - { - "id": "c6da4bb5-fc32-4e34-88ac-72ca671afd3f", - "name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} - } - ] - }, - { - "id": "5539a2b5-6e75-4533-aaaa-800101d0df4d", - "name": "address", - "description": "OpenID Connect built-in scope: address", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${addressScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "f7c31e38-1dda-4dcc-82b6-c7d958416962", - "name": "address", - "protocol": "openid-connect", - "protocolMapper": "oidc-address-mapper", - "consentRequired": false, - "config": 
{ - "user.attribute.formatted": "formatted", - "user.attribute.country": "country", - "user.attribute.postal_code": "postal_code", - "userinfo.token.claim": "true", - "user.attribute.street": "street", - "id.token.claim": "true", - "user.attribute.region": "region", - "access.token.claim": "true", - "user.attribute.locality": "locality" - } - } - ] - }, - { - "id": "ab66a766-4d9d-40ac-bcc9-264cd5471b92", - "name": "web-origins", - "description": "OpenID Connect scope for add allowed web origins to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "false", - "consent.screen.text": "" - }, - "protocolMappers": [ - { - "id": "1b1867ba-1a17-412d-ab97-0ae88963d5b5", - "name": "allowed web origins", - "protocol": "openid-connect", - "protocolMapper": "oidc-allowed-origins-mapper", - "consentRequired": false, - "config": {} - } - ] - }, - { - "id": "a2766301-ac7f-42f4-bfbe-87d2fdcef382", - "name": "email", - "description": "OpenID Connect built-in scope: email", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${emailScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "35bbe3f0-d5a3-4785-b3dc-d187330b699d", - "name": "email", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "email", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email", - "jsonType.label": "String" - } - }, - { - "id": "d439a3d1-c6da-4138-87df-c1b851e7b9c8", - "name": "email verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "emailVerified", - "id.token.claim": "true", - "access.token.claim": "true", - 
"claim.name": "email_verified", - "jsonType.label": "boolean" - } - } - ] - }, - { - "id": "90c61a9b-39ac-4dbd-af49-9123739f98f9", - "name": "phone", - "description": "OpenID Connect built-in scope: phone", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${phoneScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "9170cc7f-5624-4a15-b50d-cd1b9a0ffb6f", - "name": "phone number verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumberVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number_verified", - "jsonType.label": "boolean" - } - }, - { - "id": "f2d44f21-de2f-47d8-b0d5-4e46f9de581b", - "name": "phone number", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumber", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "9f0f742e-6202-4543-80e3-80fb2fbfc042", - "name": "profile", - "description": "OpenID Connect built-in scope: profile", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${profileScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "033dab17-488c-400d-b603-f75ebe1949b7", - "name": "family name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "lastName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "family_name", - "jsonType.label": "String" - } - }, - 
{ - "id": "c87aca2f-23dd-4fc7-b79f-a9b061c165e4", - "name": "nickname", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "nickname", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "nickname", - "jsonType.label": "String" - } - }, - { - "id": "4361eae6-7021-49e1-a387-3d8bc4f50247", - "name": "birthdate", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "birthdate", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "birthdate", - "jsonType.label": "String" - } - }, - { - "id": "35c03d95-ce9d-4fd2-823b-23e896dbb105", - "name": "gender", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "gender", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "gender", - "jsonType.label": "String" - } - }, - { - "id": "0ff4cd3c-6567-4935-bbe8-0191a9bcdd72", - "name": "locale", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "locale", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "locale", - "jsonType.label": "String" - } - }, - { - "id": "8e087dfd-2978-4ea5-9ed2-32efca9a98c5", - "name": "given name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "firstName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "given_name", - "jsonType.label": "String" - } - }, - { - "id": 
"31a3c477-3aab-46cd-81e3-2b76b2c8c21c", - "name": "profile", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "profile", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "profile", - "jsonType.label": "String" - } - }, - { - "id": "a3606512-379b-4bcb-999d-29cf17812012", - "name": "website", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "website", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "website", - "jsonType.label": "String" - } - }, - { - "id": "2f535da7-ea99-4f8d-acbe-988a3691034b", - "name": "username", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "preferred_username", - "jsonType.label": "String" - } - }, - { - "id": "2fbfe26c-b175-4b16-97ea-edea4072181a", - "name": "picture", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "picture", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "picture", - "jsonType.label": "String" - } - }, - { - "id": "17e5a7d4-2e77-4ff4-8c71-b93e41e4e1bb", - "name": "full name", - "protocol": "openid-connect", - "protocolMapper": "oidc-full-name-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "userinfo.token.claim": "true" - } - }, - { - "id": "ca64060a-1d26-43ca-aae7-23c62ed805d4", - "name": "zoneinfo", - "protocol": "openid-connect", - "protocolMapper": 
"oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "zoneinfo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "zoneinfo", - "jsonType.label": "String" - } - }, - { - "id": "beaddf45-8040-42cd-9236-55fe2134f5df", - "name": "middle name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "middleName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "middle_name", - "jsonType.label": "String" - } - }, - { - "id": "043c162e-e0ba-418b-b965-157f6a52db46", - "name": "updated at", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "updatedAt", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "updated_at", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "5074f873-23f3-4d03-9b75-6c6af91fb7ed", - "name": "role_list", - "description": "SAML role list", - "protocol": "saml", - "attributes": { - "consent.screen.text": "${samlRoleListScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "ab3d0106-d086-4813-930b-5a27ddfe038b", - "name": "role list", - "protocol": "saml", - "protocolMapper": "saml-role-list-mapper", - "consentRequired": false, - "config": { - "single": "false", - "attribute.nameformat": "Basic", - "attribute.name": "Role" - } - } - ] - }, - { - "id": "65eabc09-c5a1-4a0e-830c-44a430c129f0", - "name": "offline_access", - "description": "OpenID Connect built-in scope: offline_access", - "protocol": "openid-connect", - "attributes": { - "consent.screen.text": "${offlineAccessScopeConsentText}", - "display.on.consent.screen": "true" - } - }, - { - "id": "f25b9036-55b3-4cc3-bc37-bc0be5405432", - 
"name": "acr", - "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": "e5051472-d2aa-4658-9d95-01064efcca13", - "name": "acr loa level", - "protocol": "openid-connect", - "protocolMapper": "oidc-acr-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true" - } - } - ] - }, - { - "id": "d6f896d6-b31b-487e-b4a8-af921d3d04eb", - "name": "microprofile-jwt", - "description": "Microprofile - JWT built-in scope", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": "c7831e59-070e-4d77-8382-d5ef4f60ddd4", - "name": "upn", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "upn", - "jsonType.label": "String" - } - }, - { - "id": "3456b5e1-4852-48ac-8420-79568ffd9a89", - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "userinfo.token.claim": "true", - "user.attribute": "foo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "jsonType.label": "String" - } - } - ] - } - ], - "defaultDefaultClientScopes": [ - "role_list", - "profile", - "email", - "web-origins", - "roles", - "acr" - ], - "defaultOptionalClientScopes": [ - "address", - "offline_access", - "phone", - "microprofile-jwt" - ], - "browserSecurityHeaders": { - "contentSecurityPolicyReportOnly": "", - "xContentTypeOptions": "nosniff", - "xRobotsTag": "none", - 
"xFrameOptions": "SAMEORIGIN", - "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", - "xXSSProtection": "1; mode=block", - "strictTransportSecurity": "max-age=31536000; includeSubDomains" - }, - "smtpServer": {}, - "loginTheme": "keycloak", - "accountTheme": "keycloak", - "adminTheme": "keycloak", - "emailTheme": "keycloak", - "eventsEnabled": false, - "eventsListeners": [ - "jboss-logging" - ], - "enabledEventTypes": [], - "adminEventsEnabled": false, - "adminEventsDetailsEnabled": false, - "identityProviders": [], - "identityProviderMappers": [], - "components": { - "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ - { - "id": "6b7d0997-665b-4567-b955-f41029b1f7c6", - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subType": "anonymous", - "subComponents": {}, - "config": { - "allow-default-scopes": [ - "true" - ] - } - }, - { - "id": "b2062994-7819-4b5b-bcaf-bd565e0261f7", - "name": "Trusted Hosts", - "providerId": "trusted-hosts", - "subType": "anonymous", - "subComponents": {}, - "config": { - "host-sending-registration-request-must-match": [ - "true" - ], - "client-uris-must-match": [ - "true" - ] - } - }, - { - "id": "e28102af-287e-40d3-a64d-636f9d0af6c0", - "name": "Consent Required", - "providerId": "consent-required", - "subType": "anonymous", - "subComponents": {}, - "config": {} - }, - { - "id": "7ea991c6-db4b-4989-87c1-2cf0b2e2b371", - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subType": "authenticated", - "subComponents": {}, - "config": { - "allow-default-scopes": [ - "true" - ] - } - }, - { - "id": "c2aa0c17-6405-441a-96d8-7174001b1f6e", - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "authenticated", - "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - "oidc-usermodel-property-mapper", - "oidc-address-mapper", - "oidc-full-name-mapper", - 
"saml-user-property-mapper", - "oidc-usermodel-attribute-mapper", - "oidc-sha256-pairwise-sub-mapper", - "saml-user-attribute-mapper", - "saml-role-list-mapper" - ] - } - }, - { - "id": "f1d9cee9-fa10-451a-a96f-486c1abc9184", - "name": "Full Scope Disabled", - "providerId": "scope", - "subType": "anonymous", - "subComponents": {}, - "config": {} - }, - { - "id": "398d86a9-4247-4923-b3bf-a94ef18974f2", - "name": "Max Clients Limit", - "providerId": "max-clients", - "subType": "anonymous", - "subComponents": {}, - "config": { - "max-clients": [ - "200" - ] - } - }, - { - "id": "fd8139d0-82ee-453e-a9aa-0bbd10538eff", - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "anonymous", - "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - "oidc-sha256-pairwise-sub-mapper", - "saml-user-attribute-mapper", - "saml-user-property-mapper", - "oidc-usermodel-property-mapper", - "oidc-full-name-mapper", - "oidc-address-mapper", - "saml-role-list-mapper", - "oidc-usermodel-attribute-mapper" - ] - } - } - ], - "org.keycloak.keys.KeyProvider": [ - { - "id": "9ec415cf-5494-4823-a83d-cc38441b088c", - "name": "aes-generated", - "providerId": "aes-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ] - } - }, - { - "id": "cd2dc9b1-a252-4f70-93c0-5bdb51532236", - "name": "hmac-generated", - "providerId": "hmac-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ], - "algorithm": [ - "HS256" - ] - } - }, - { - "id": "2dc91aa5-3084-4ceb-973e-24d78e78777a", - "name": "rsa-generated", - "providerId": "rsa-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ] - } - } - ] - }, - "internationalizationEnabled": false, - "supportedLocales": [ - "" - ], - "authenticationFlows": [ - { - "id": "e5691b91-7a97-482c-9ba4-fef8933be469", - "alias": "Account verification options", - "description": "Method with which to verity the existing account", - "providerId": 
"basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-email-verification", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "Verify Existing Account by Re-authentication", - "userSetupAllowed": false - } - ] - }, - { - "id": "c6f47ebc-143a-471b-9f93-0b7faf267717", - "alias": "Authentication Options", - "description": "Authentication options.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "basic-auth", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "basic-auth-otp", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "auth-spnego", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 30, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "09cbd3e3-0784-4af0-a279-4fd95216a37f", - "alias": "Browser - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "auth-otp-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "016d5ed7-b797-4d0c-8a2a-da422a1c0b07", - "alias": "Direct 
Grant - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "direct-grant-validate-otp", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "2122d0ae-d429-43ca-82aa-b2a8ebf265f4", - "alias": "First broker login - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "auth-otp-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "7dcbbd10-cfcb-4146-a080-d829ed4bbda8", - "alias": "Handle Existing Account", - "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-confirm-link", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "Account verification options", - "userSetupAllowed": false - } - ] - }, - { - "id": 
"f575338f-7ff4-4f6c-9230-2d5a93c01d8e", - "alias": "Reset - Conditional OTP", - "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "reset-otp", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "8b96e8ee-9bd6-44a5-9ce6-e12bcb1fca11", - "alias": "User creation or linking", - "description": "Flow for the existing/non-existing user alternatives", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticatorConfig": "create unique user config", - "authenticator": "idp-create-user-if-unique", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "Handle Existing Account", - "userSetupAllowed": false - } - ] - }, - { - "id": "20339a98-7cbd-4a95-8d8f-f5b60f512524", - "alias": "Verify Existing Account by Re-authentication", - "description": "Reauthentication of existing account", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-username-password-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "First broker login - Conditional OTP", - 
"userSetupAllowed": false - } - ] - }, - { - "id": "43e87d99-f6c4-495b-a175-35fec32291c4", - "alias": "browser", - "description": "browser based authentication", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "auth-cookie", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "auth-spnego", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "identity-provider-redirector", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 25, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 30, - "autheticatorFlow": true, - "flowAlias": "forms", - "userSetupAllowed": false - } - ] - }, - { - "id": "09f61a35-e173-40a8-9bbf-4554586112f0", - "alias": "clients", - "description": "Base authentication for clients", - "providerId": "client-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "client-secret", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "client-jwt", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "client-secret-jwt", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 30, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "client-x509", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 40, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": 
"30361549-be4b-4a06-ae79-b60cb3d6ac68", - "alias": "direct grant", - "description": "OpenID Connect Resource Owner Grant", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "direct-grant-validate-username", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "direct-grant-validate-password", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 30, - "autheticatorFlow": true, - "flowAlias": "Direct Grant - Conditional OTP", - "userSetupAllowed": false - } - ] - }, - { - "id": "ba07e315-0671-4691-af1e-beed84da42ab", - "alias": "docker auth", - "description": "Used by Docker clients to authenticate against the IDP", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "docker-http-basic-authenticator", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "3ff3f29e-260a-43df-b71b-75a945b220b1", - "alias": "first broker login", - "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticatorConfig": "review profile config", - "authenticator": "idp-review-profile", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "User creation or linking", - 
"userSetupAllowed": false - } - ] - }, - { - "id": "11efa214-3d69-470c-92e1-2ea6cd2f1133", - "alias": "forms", - "description": "Username, password, otp and other auth forms.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "auth-username-password-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "Browser - Conditional OTP", - "userSetupAllowed": false - } - ] - }, - { - "id": "b1ee124e-1648-42c2-a268-2db3251b3e44", - "alias": "http challenge", - "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "no-cookie-redirect", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "Authentication Options", - "userSetupAllowed": false - } - ] - }, - { - "id": "e5c21eef-7736-42bf-83f7-219f11579be9", - "alias": "registration", - "description": "registration flow", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "registration-page-form", - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": true, - "flowAlias": "registration form", - "userSetupAllowed": false - } - ] - }, - { - "id": "51b02897-de8e-47d9-872b-ee06ff1ffd8f", - "alias": "registration form", - "description": "registration form", - "providerId": "form-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - 
"authenticator": "registration-user-creation", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "registration-profile-action", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 40, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "registration-password-action", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 50, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "registration-recaptcha-action", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 60, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "f3d3919d-e759-49c4-8eb9-e85c16f314a5", - "alias": "reset credentials", - "description": "Reset credentials for a user if they forgot their password or something", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "reset-credentials-choose-user", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "reset-credential-email", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "reset-password", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 30, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 40, - "autheticatorFlow": true, - "flowAlias": "Reset - Conditional OTP", - "userSetupAllowed": false - } - ] - }, - { - "id": "84316c99-bba7-42d5-aeeb-2f56b4ce657d", - "alias": "saml ecp", - "description": "SAML ECP Profile Authentication Flow", - "providerId": "basic-flow", - "topLevel": true, - 
"builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "http-basic-authenticator", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - } - ], - "authenticatorConfig": [ - { - "id": "43cf7bce-acd0-4c1f-a08e-cac4a1f32a6c", - "alias": "create unique user config", - "config": { - "require.password.update.after.registration": "false" - } - }, - { - "id": "6c176502-376d-46fc-835f-0e0352158326", - "alias": "review profile config", - "config": { - "update.profile.on.first.login": "missing" - } - } - ], - "requiredActions": [ - { - "alias": "CONFIGURE_TOTP", - "name": "Configure OTP", - "providerId": "CONFIGURE_TOTP", - "enabled": true, - "defaultAction": false, - "priority": 10, - "config": {} - }, - { - "alias": "terms_and_conditions", - "name": "Terms and Conditions", - "providerId": "terms_and_conditions", - "enabled": false, - "defaultAction": false, - "priority": 20, - "config": {} - }, - { - "alias": "UPDATE_PASSWORD", - "name": "Update Password", - "providerId": "UPDATE_PASSWORD", - "enabled": true, - "defaultAction": false, - "priority": 30, - "config": {} - }, - { - "alias": "UPDATE_PROFILE", - "name": "Update Profile", - "providerId": "UPDATE_PROFILE", - "enabled": true, - "defaultAction": false, - "priority": 40, - "config": {} - }, - { - "alias": "VERIFY_EMAIL", - "name": "Verify Email", - "providerId": "VERIFY_EMAIL", - "enabled": true, - "defaultAction": false, - "priority": 50, - "config": {} - }, - { - "alias": "delete_account", - "name": "Delete Account", - "providerId": "delete_account", - "enabled": false, - "defaultAction": false, - "priority": 60, - "config": {} - }, - { - "alias": "update_user_locale", - "name": "Update User Locale", - "providerId": "update_user_locale", - "enabled": true, - "defaultAction": false, - "priority": 1000, - "config": {} - } - ], - "browserFlow": "browser", - "registrationFlow": "registration", - "directGrantFlow": 
"direct grant", - "resetCredentialsFlow": "reset credentials", - "clientAuthenticationFlow": "clients", - "dockerAuthenticationFlow": "docker auth", - "attributes": { - "cibaBackchannelTokenDeliveryMode": "poll", - "cibaExpiresIn": "120", - "cibaAuthRequestedUserHint": "login_hint", - "oauth2DeviceCodeLifespan": "600", - "oauth2DevicePollingInterval": "5", - "clientSessionIdleTimeout": "0", - "parRequestUriLifespan": "60", - "clientSessionMaxLifespan": "0", - "cibaInterval": "5" - }, - "keycloakVersion": "25.1.0", - "userManagedAccessAllowed": true, - "clientProfiles": { - "profiles": [] - }, - "clientPolicies": { - "policies": [] - } - } -kind: ConfigMap -metadata: - name: keycloak-configmap ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: keycloak - labels: - app: keycloak -spec: - replicas: 1 - selector: - matchLabels: - app: keycloak - template: - metadata: - labels: - app: keycloak - spec: - containers: - - name: keycloak - image: quay.io/keycloak/keycloak:26.1.0 - args: ["start-dev", "--import-realm"] - env: - - name: KC_BOOTSTRAP_ADMIN_USERNAME - value: "admin" - - name: KC_BOOTSTRAP_ADMIN_PASSWORD - value: "admin" - - name: KC_PROXY - value: "edge" - - name: PROXY_ADDRESS_FORWARDING - value: "true" - - name: KEYCLOAK_FRONTEND_URL - value: "https://tls-keycloak.apps.cluster.example" - - name: KC_HEALTH_ENABLED - value: "true" - ports: - - name: app - containerPort: 8080 - - name: health - containerPort: 9000 - readinessProbe: - httpGet: - path: /health/ready - port: 9000 - volumeMounts: - - name: keycloak-volume - mountPath: /opt/keycloak/data/import - volumes: - - name: keycloak-volume - configMap: - name: keycloak-configmap ---- -apiVersion: v1 -kind: Service -metadata: - name: keycloak - labels: - app: keycloak -spec: - type: ClusterIP - ports: - - name: http - port: 8080 - targetPort: 8080 - selector: - app: keycloak ---- -apiVersion: v1 -kind: Secret -metadata: - name: keycloak-tls - namespace: keycloak -type: kubernetes.io/tls -data: - 
tls.crt: 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 - tls.key: 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 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: keycloak-ingress - annotations: - nginx.ingress.kubernetes.io/ssl-redirect: "true" -spec: - ingressClassName: nginx - tls: - - hosts: - - tls-keycloak.apps.cluster.example - secretName: keycloak-tls - rules: - - host: tls-keycloak.apps.cluster.example - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: keycloak - port: - number: 8080 \ No newline at end of file diff --git a/operator/controller/src/test/resources/k8s/examples/auth/tls/simple-with_keycloak.apicurioregistry3.yaml b/operator/controller/src/test/resources/k8s/examples/auth/tls/simple-with_keycloak.apicurioregistry3.yaml new file mode 100644 index 0000000000..ca96913d76 --- /dev/null +++ b/operator/controller/src/test/resources/k8s/examples/auth/tls/simple-with_keycloak.apicurioregistry3.yaml @@ -0,0 +1,31 @@ +apiVersion: registry.apicur.io/v1 +kind: ApicurioRegistry3 +metadata: + name: simple +spec: + app: + ingress: + host: simple-app.apps.cluster.example + auth: + enabled: true + appClientId: registry-api + uiClientId: apicurio-registry + authServerUrl: https://simple-keycloak.apps.cluster.example/realms/registry + redirectURI: https://simple-ui.apps.cluster.example + logoutURL: https://simple-ui.apps.cluster.example + tls: + tlsVerificationType: required + truststoreSecretRef: + name: keycloak-truststore + key: truststore + truststorePasswordSecretRef: + name: keycloak-truststore + key: password + ui: + ingress: + host: simple-ui.apps.cluster.example + env: + - name: REGISTRY_API_URL + value: https://simple-app.apps.cluster.example/apis/registry/v3 + - name: REGISTRY_AUTH_URL + value: https://simple-keycloak.apps.cluster.example/realms/registry 
diff --git a/operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/auth/AppAuthSpec.java b/operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/auth/AppAuthSpec.java index d12aff7d64..acea6667d2 100644 --- a/operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/auth/AppAuthSpec.java +++ b/operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/auth/AppAuthSpec.java @@ -21,8 +21,7 @@ @JsonDeserialize(using = JsonDeserializer.None.class) @JsonInclude(NON_NULL) -@JsonPropertyOrder({ "enabled", "appClientId", "uiClientId", "redirectURI", "authServerUrl", - "tlsVerification" }) +@JsonPropertyOrder({ "enabled", "appClientId", "uiClientId", "redirectURI", "authServerUrl", "tls" }) @NoArgsConstructor @AllArgsConstructor(access = PRIVATE) @SuperBuilder(toBuilder = true) @@ -39,13 +38,6 @@ public class AppAuthSpec { @JsonSetter(nulls = Nulls.SKIP) private Boolean enabled; - @JsonProperty("tls") - @JsonPropertyDescription(""" - OIDC TLS configuration. - When custom certificates are used, this is the field to be used to configure the keystore and the trustore""") - @JsonSetter(nulls = Nulls.SKIP) - private AuthTLSSpec tls; - @JsonProperty("appClientId") @JsonPropertyDescription(""" Apicurio Registry backend clientId used for OIDC authentication. @@ -78,9 +70,11 @@ public class AppAuthSpec { @JsonSetter(nulls = Nulls.SKIP) private String authServerUrl; - @JsonProperty("tlsVerification") + @JsonProperty("tls") @JsonPropertyDescription(""" - Verify the identity server certificate.""") + OIDC TLS configuration. + When custom certificates are used, this is the field to be used to configure the keystore and the trustore""") @JsonSetter(nulls = Nulls.SKIP) - private String tlsVerification; + private AuthTLSSpec tls; + } 
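Review bot: The third hunk removes the top-level `tlsVerification` field from the CR schema and re-introduces the setting under `tls`, but the new `@JsonPropertyDescription` does not tell users where it went; an existing ApicurioRegistry3 resource that still sets `spec.app.auth.tlsVerification` will either be rejected or have the value dropped, depending on how unknown properties are handled, which this hunk does not show. Since the text block is published as the CRD field description, append a sentence such as `The former top-level tlsVerification field is replaced by tls.tlsVerificationType.`, and fix the typo `trustore` to `truststore` in the same description. Both the old and the new description carry the same typo, so the rename was a good moment to correct it.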
diff --git a/operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/auth/AuthTLSSpec.java b/operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/auth/AuthTLSSpec.java index df980eb7b2..b60155ead7 100644 --- a/operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/auth/AuthTLSSpec.java +++ b/operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/auth/AuthTLSSpec.java @@ -12,8 +12,8 @@ @JsonDeserialize(using = None.class) @JsonInclude(Include.NON_NULL) -@JsonPropertyOrder({ "keystoreSecretRef", "keystorePasswordSecretRef", "truststoreSecretRef", - "truststorePasswordSecretRef" }) +@JsonPropertyOrder({ "tlsVerificationType", "keystoreSecretRef", "keystorePasswordSecretRef", + "truststoreSecretRef", "truststorePasswordSecretRef" }) @NoArgsConstructor @AllArgsConstructor(access = PRIVATE) @SuperBuilder(toBuilder = true) @@ -23,6 +23,15 @@ @ToString public class AuthTLSSpec { + /** + * Type of TLS verification. + */ + @JsonProperty("tlsVerificationType") + @JsonPropertyDescription(""" + Verify the identity server certificate.""") + @JsonSetter(nulls = Nulls.SKIP) + private String tlsVerificationType; + /** * Reference to the Secret that contains the TLS keystore (in PKCS12 format). Key user.p12 is * assumed by default.
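Review bot: `tlsVerificationType` in the second hunk is a free-form `String` for a setting that can turn server-certificate checking off, so a misspelled value passes CRD admission and the description `Verify the identity server certificate.` names neither the accepted values nor the default. The value is presumably forwarded unchanged to the OIDC client's TLS verification setting, so the description should enumerate the values that client accepts (the example resource in this patch uses `required`) and state explicitly that any value which disables verification is for development only; a note such as `Defaults to the OIDC client's default when unset.` would also remove the ambiguity about what an omitted field means. Consider modelling the field as an enum, or adding a pattern constraint, so that an invalid value is rejected at admission time instead of surfacing as a runtime failure in the registry pod.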