From 7e0a46214c59a5b97f9e3b238fceef4ea8d330bb Mon Sep 17 00:00:00 2001 
From: oleksandr_taruraiev Date: Thu, 25 Jan 2024 19:05:39 +0200 Subject: [PATCH] chore: Bump keycloak-operator version(#38) * moved mainRealm creation from keycloak values to CR * KeycloakRealmIdentityProvider clientSecret the secret is removed from the value parameters, and taken directly from the secret Jira: EPMDEDP-13111 Related: https://github.com/epam/edp-cluster-add-ons/issues/38 Change-Id: Idb52bbc00dfb51d0d816335aa3e866354777826b --- README.md | 2 +- add-ons/extensions-oidc/Chart.yaml | 6 ++-- add-ons/extensions-oidc/README.md | 29 ++++++++++++--- add-ons/extensions-oidc/README.md.gotmpl | 35 +++++++++++++++++++ .../extensions-oidc/templates/_helpers.tpl | 7 ++++ .../broker/keycloak-client-shared.yaml | 17 +++++++++ .../templates/broker/keycloak-realm.yaml | 11 ++++++ .../keycloak-client-broker-secret.yaml | 16 +++++++++ .../keycloak-client-shared-secret.yaml} | 8 ++--- .../keycloak-client-scope-edp.yaml | 0 .../keycloak-client-scope-groups.yaml | 0 .../{ => shared}/keycloak-client-shared.yaml | 6 ++-- .../{ => shared}/keycloak-realm.yaml | 2 +- .../{ => shared}/realmrolebatch.yaml | 2 +- .../templates/{ => shared}/shared-idp.yaml | 18 +++++----- add-ons/extensions-oidc/values.yaml | 20 +++++++++-- add-ons/tekton-cache/README.md | 4 +-- 17 files changed, 152 insertions(+), 31 deletions(-) create mode 100644 add-ons/extensions-oidc/README.md.gotmpl create mode 100644 add-ons/extensions-oidc/templates/_helpers.tpl create mode 100644 add-ons/extensions-oidc/templates/broker/keycloak-client-shared.yaml create mode 100644 add-ons/extensions-oidc/templates/broker/keycloak-realm.yaml create mode 100644 add-ons/extensions-oidc/templates/external-secrets/keycloak-client-broker-secret.yaml rename add-ons/extensions-oidc/templates/{keycloak-client-shared-openshift-secret.yaml => external-secrets/keycloak-client-shared-secret.yaml} (52%) rename add-ons/extensions-oidc/templates/{ => shared}/keycloak-client-scope-edp.yaml (100%) rename 
add-ons/extensions-oidc/templates/{ => shared}/keycloak-client-scope-groups.yaml (100%) rename add-ons/extensions-oidc/templates/{ => shared}/keycloak-client-shared.yaml (56%) rename add-ons/extensions-oidc/templates/{ => shared}/keycloak-realm.yaml (68%) rename add-ons/extensions-oidc/templates/{ => shared}/realmrolebatch.yaml (90%) rename add-ons/extensions-oidc/templates/{ => shared}/shared-idp.yaml (67%) diff --git a/README.md b/README.md index efafe0c..9ac40dc 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ make update-readme | defectdojo | 1.6.96 | 2.28.2 | False | False | | dependency-track | 1.5.5 | v1.12.1 | False | False | | edp | 3.7.5 | 3.7.5 | False | False | -| extensions-oidc | 1.18.1 | 1.18.1 | False | False | +| extensions-oidc | 1.20.0 | 1.20.0 | False | False | | external-secrets | 0.9.9 | 1.0 | False | False | | fluent-bit | 0.1.0 | 2.1.4 | False | False | | harbor | 0.1.0 | 1.12.2 | False | False | diff --git a/add-ons/extensions-oidc/Chart.yaml b/add-ons/extensions-oidc/Chart.yaml index c21cd35..b0c21b3 100644 --- a/add-ons/extensions-oidc/Chart.yaml +++ b/add-ons/extensions-oidc/Chart.yaml @@ -2,10 +2,10 @@ apiVersion: v2 description: A Helm chart for extensions-oidc name: extensions-oidc type: application -version: 1.18.1 -appVersion: 1.18.1 +version: 1.20.0 +appVersion: 1.20.0 dependencies: - name: keycloak-operator - version: 1.18.1 + version: 1.20.0 repository: https://epam.github.io/edp-helm-charts/stable diff --git a/add-ons/extensions-oidc/README.md b/add-ons/extensions-oidc/README.md index ea9a1af..2e944d3 100644 --- a/add-ons/extensions-oidc/README.md +++ b/add-ons/extensions-oidc/README.md 
@@ -1,21 +1,40 @@ # extensions-oidc -![Version: 1.18.1](https://img.shields.io/badge/Version-1.18.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.18.1](https://img.shields.io/badge/AppVersion-1.18.1-informational?style=flat-square) +![Version: 1.20.0](https://img.shields.io/badge/Version-1.20.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.20.0](https://img.shields.io/badge/AppVersion-1.20.0-informational?style=flat-square) A Helm chart for extensions-oidc +``` ++-------------------------+ +-----------------+ +| sharedService | | broker | +| Realm | | Realm | +| +------------------+ | | +-------------+ | +| | idpBroker | | | |sharedService| | +| | identityProvider +---+---+-> Client | | +| +------------------+ | | +-------------+ | +| +----------+ +--------+ | +-----------------+ +| | sonarqube| | nexus | | +| | Client | | Client | | +| +----------+ +--------+ | ++-------------------------+ +``` + +broker - contains a list of users and basic settings, you can install or use a pre-created Realm, for that set the 'create' parameter to 'false' and ununcomment 'existingBroker' provide the name of the existing realm. + +sharedService - contains clients, application integrations, and identity providers for connect to `broker` realm. 
+ ## Requirements | Repository | Name | Version | |------------|------|---------| -| https://epam.github.io/edp-helm-charts/stable | keycloak-operator | 1.18.1 | +| https://epam.github.io/edp-helm-charts/stable | keycloak-operator | 1.20.0 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| +| extensionsOIDC.broker.create | bool | `true` | | +| extensionsOIDC.broker.name | string | `"broker"` | | | extensionsOIDC.keycloakUrl | string | `"https://keycloak.example.com"` | | -| extensionsOIDC.mainRealm | string | `"openshift"` | | -| extensionsOIDC.mainRealmSecret | string | `""` | | +| extensionsOIDC.sharedService | string | `"shared"` | | | keycloak-operator.clusterReconciliationEnabled | bool | `true` | | - diff --git a/add-ons/extensions-oidc/README.md.gotmpl b/add-ons/extensions-oidc/README.md.gotmpl new file mode 100644 index 0000000..fff9370 --- /dev/null +++ b/add-ons/extensions-oidc/README.md.gotmpl 
@@ -0,0 +1,35 @@ +{{ template "chart.header" . }} +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.badgesSection" . }} + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} + +``` ++-------------------------+ +-----------------+ +| sharedService | | broker | +| Realm | | Realm | +| +------------------+ | | +-------------+ | +| | idpBroker | | | |sharedService| | +| | identityProvider +---+---+-> Client | | +| +------------------+ | | +-------------+ | +| +----------+ +--------+ | +-----------------+ +| | sonarqube| | nexus | | +| | Client | | Client | | +| +----------+ +--------+ | ++-------------------------+ +``` + +broker - contains a list of users and basic settings, you can install or use a pre-created Realm, for that set the 'create' parameter to 'false' and ununcomment 'existingBroker' provide the name of the existing realm. + +sharedService - contains clients, application integrations, and identity providers for connect to `broker` realm. + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} diff --git a/add-ons/extensions-oidc/templates/_helpers.tpl b/add-ons/extensions-oidc/templates/_helpers.tpl new file mode 100644 index 0000000..d29e40b --- /dev/null +++ b/add-ons/extensions-oidc/templates/_helpers.tpl @@ -0,0 +1,7 @@ +{{- define "broker.name" -}} +{{- if .Values.extensionsOIDC.broker.create -}} +{{- .Values.extensionsOIDC.broker.name -}} +{{- else -}} +{{- .Values.extensionsOIDC.existingBroker -}} +{{- end -}} +{{- end -}} diff --git a/add-ons/extensions-oidc/templates/broker/keycloak-client-shared.yaml b/add-ons/extensions-oidc/templates/broker/keycloak-client-shared.yaml new file mode 100644 index 0000000..eb38ece --- /dev/null +++ b/add-ons/extensions-oidc/templates/broker/keycloak-client-shared.yaml 
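Review bot: `broker.name` renders an empty string when `extensionsOIDC.broker.create` is false and `existingBroker` is left commented out, which is exactly how values.yaml ships it; every caller of the helper (the `shared-<broker>` KeycloakClient name and all of the `/auth/realms/<broker>/…` endpoints in shared-idp.yaml) then silently points at a realm with no name. That produces CRs the operator will accept but that can never authenticate, and nothing in the chart fails early. Make the else branch fail the render instead: `{{- required "extensionsOIDC.existingBroker must be set when extensionsOIDC.broker.create is false" .Values.extensionsOIDC.existingBroker -}}`.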
@@ -0,0 +1,17 @@ +{{- if .Values.extensionsOIDC.broker.create -}} +apiVersion: v1.edp.epam.com/v1 +kind: KeycloakClient +metadata: + name: {{ .Values.extensionsOIDC.sharedService }} +spec: + attributes: + post.logout.redirect.uris: + + clientId: {{ .Values.extensionsOIDC.sharedService }} + clientRoles: + - administrator + - developer + realmRef: + kind: KeycloakRealm + name: {{ .Values.extensionsOIDC.broker.name }} + secret: keycloak-client-broker-secret +{{- end -}} diff --git a/add-ons/extensions-oidc/templates/broker/keycloak-realm.yaml b/add-ons/extensions-oidc/templates/broker/keycloak-realm.yaml new file mode 100644 index 0000000..2ebf0aa --- /dev/null +++ b/add-ons/extensions-oidc/templates/broker/keycloak-realm.yaml @@ -0,0 +1,11 @@ +{{- if .Values.extensionsOIDC.broker.create -}} +apiVersion: v1.edp.epam.com/v1 +kind: KeycloakRealm +metadata: + name: {{ .Values.extensionsOIDC.broker.name }} +spec: + keycloakRef: + kind: ClusterKeycloak + name: keycloak + realmName: {{ .Values.extensionsOIDC.broker.name }} +{{- end -}} diff --git a/add-ons/extensions-oidc/templates/external-secrets/keycloak-client-broker-secret.yaml b/add-ons/extensions-oidc/templates/external-secrets/keycloak-client-broker-secret.yaml new file mode 100644 index 0000000..6eefcbc --- /dev/null +++ b/add-ons/extensions-oidc/templates/external-secrets/keycloak-client-broker-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.extensionsOIDC.broker.create -}} +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: keycloak-client-broker-secret +spec: + refreshInterval: 1h + secretStoreRef: + kind: SecretStore + name: aws-parameterstore-oidc + data: + - secretKey: clientSecret + remoteRef: + key: /edp/keycloak-operator + property: keycloak-client-broker-secret.clientSecret +{{- end -}} 
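Review bot: This broker-realm `shared` client is provisioned with `secret: keycloak-client-broker-secret`, but the identity provider that authenticates as this client from the sharedService realm (shared/shared-idp.yaml in the same patch) reads `clientSecret: "$keycloak-client-shared-secret:clientSecret"`, and the two ExternalSecrets pull different parameter-store properties (`keycloak-client-broker-secret.clientSecret` vs `keycloak-client-shared-secret.clientSecret`). Unless those two parameters are deliberately kept identical out of band, the `client_secret_post` exchange at the broker's token endpoint will fail with an invalid client secret; either point both CRs at the same Secret, or document that the two parameters must hold the same value. Separately, the client declares no redirect URI for the sharedService realm's broker callback; if the operator does not default one, register it explicitly, since Keycloak rejects authorization-code callbacks to unregistered URIs.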
diff --git a/add-ons/extensions-oidc/templates/keycloak-client-shared-openshift-secret.yaml b/add-ons/extensions-oidc/templates/external-secrets/keycloak-client-shared-secret.yaml similarity index 52% rename from add-ons/extensions-oidc/templates/keycloak-client-shared-openshift-secret.yaml rename to add-ons/extensions-oidc/templates/external-secrets/keycloak-client-shared-secret.yaml index bcdc8ee..9687e04 100644 --- a/add-ons/extensions-oidc/templates/keycloak-client-shared-openshift-secret.yaml +++ b/add-ons/extensions-oidc/templates/external-secrets/keycloak-client-shared-secret.yaml @@ -1,14 +1,14 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: keycloak-client-shared-openshift-secret + name: keycloak-client-shared-secret spec: refreshInterval: 1h secretStoreRef: kind: SecretStore - name: aws-parameterstore + name: aws-parameterstore-oidc data: - secretKey: clientSecret remoteRef: - key: /edp/system - property: keycloak-client-shared-openshift-secret.clientSecret + key: /edp/keycloak-operator + property: keycloak-client-shared-secret.clientSecret diff --git a/add-ons/extensions-oidc/templates/keycloak-client-scope-edp.yaml b/add-ons/extensions-oidc/templates/shared/keycloak-client-scope-edp.yaml similarity index 100% rename from add-ons/extensions-oidc/templates/keycloak-client-scope-edp.yaml rename to add-ons/extensions-oidc/templates/shared/keycloak-client-scope-edp.yaml diff --git a/add-ons/extensions-oidc/templates/keycloak-client-scope-groups.yaml b/add-ons/extensions-oidc/templates/shared/keycloak-client-scope-groups.yaml similarity index 100% rename from add-ons/extensions-oidc/templates/keycloak-client-scope-groups.yaml rename to add-ons/extensions-oidc/templates/shared/keycloak-client-scope-groups.yaml 
diff --git a/add-ons/extensions-oidc/templates/keycloak-client-shared.yaml b/add-ons/extensions-oidc/templates/shared/keycloak-client-shared.yaml similarity index 56% rename from add-ons/extensions-oidc/templates/keycloak-client-shared.yaml rename to add-ons/extensions-oidc/templates/shared/keycloak-client-shared.yaml index 814f452..67c4e42 100644 --- a/add-ons/extensions-oidc/templates/keycloak-client-shared.yaml +++ b/add-ons/extensions-oidc/templates/shared/keycloak-client-shared.yaml @@ -1,15 +1,15 @@ apiVersion: v1.edp.epam.com/v1 kind: KeycloakClient metadata: - name: shared-openshift + name: {{ .Values.extensionsOIDC.sharedService }}-{{ include "broker.name" . }} spec: attributes: post.logout.redirect.uris: + - clientId: shared + clientId: {{ .Values.extensionsOIDC.sharedService }} clientRoles: - administrator - developer realmRef: kind: ClusterKeycloakRealm name: main - secret: keycloak-client-shared-openshift-secret + secret: keycloak-client-shared-secret diff --git a/add-ons/extensions-oidc/templates/keycloak-realm.yaml b/add-ons/extensions-oidc/templates/shared/keycloak-realm.yaml similarity index 68% rename from add-ons/extensions-oidc/templates/keycloak-realm.yaml rename to add-ons/extensions-oidc/templates/shared/keycloak-realm.yaml index 5950cc8..af85631 100644 --- a/add-ons/extensions-oidc/templates/keycloak-realm.yaml +++ b/add-ons/extensions-oidc/templates/shared/keycloak-realm.yaml @@ -4,4 +4,4 @@ metadata: name: main spec: clusterKeycloakRef: keycloak - realmName: shared + realmName: {{ .Values.extensionsOIDC.sharedService }} diff --git a/add-ons/extensions-oidc/templates/realmrolebatch.yaml b/add-ons/extensions-oidc/templates/shared/realmrolebatch.yaml similarity index 90% rename from add-ons/extensions-oidc/templates/realmrolebatch.yaml rename to add-ons/extensions-oidc/templates/shared/realmrolebatch.yaml index abe0037..a9db604 100644 --- a/add-ons/extensions-oidc/templates/realmrolebatch.yaml 
+++ b/add-ons/extensions-oidc/templates/shared/realmrolebatch.yaml @@ -15,6 +15,6 @@ spec: - name: sonar-developers - name: administrator composite: true + description: "default administrator role" composites: - name: sonar-administrators - description: "default administrator role" \ No newline at end of file diff --git a/add-ons/extensions-oidc/templates/shared-idp.yaml b/add-ons/extensions-oidc/templates/shared/shared-idp.yaml similarity index 67% rename from add-ons/extensions-oidc/templates/shared-idp.yaml rename to add-ons/extensions-oidc/templates/shared/shared-idp.yaml index f3b17a2..d3fb52a 100644 --- a/add-ons/extensions-oidc/templates/shared-idp.yaml +++ b/add-ons/extensions-oidc/templates/shared/shared-idp.yaml @@ -1,7 +1,7 @@ apiVersion: v1.edp.epam.com/v1 kind: KeycloakRealmIdentityProvider metadata: - name: shared-idp + name: {{ .Values.extensionsOIDC.sharedService }}-idp spec: realmRef: kind: ClusterKeycloakRealm 
@@ -15,25 +15,25 @@ spec: config: acceptsPromptNoneForwardFromClient: "false" allowedClockSkew: "0" - authorizationUrl: "{{ .Values.extensionsOIDC.keycloakUrl }}/auth/realms/{{ .Values.extensionsOIDC.mainRealm }}/protocol/openid-connect/auth" + authorizationUrl: "{{ .Values.extensionsOIDC.keycloakUrl }}/auth/realms/{{ include "broker.name" . }}/protocol/openid-connect/auth" backchannelSupported: "false" clientAuthMethod: "client_secret_post" - clientId: "shared" - clientSecret: {{ .Values.extensionsOIDC.mainRealmSecret }} + clientId: {{ .Values.extensionsOIDC.sharedService }} + clientSecret: "$keycloak-client-shared-secret:clientSecret" defaultScope: "" disableUserInfo: "false" forwardParameters: "" guiOrder: "" hideOnLoginPage: "false" - issuer: "{{ .Values.extensionsOIDC.keycloakUrl }}/auth/realms/{{ .Values.extensionsOIDC.mainRealm }}" - jwksUrl: "{{ .Values.extensionsOIDC.keycloakUrl }}/auth/realms/{{ .Values.extensionsOIDC.mainRealm }}/protocol/openid-connect/certs" + issuer: "{{ .Values.extensionsOIDC.keycloakUrl }}/auth/realms/{{ include "broker.name" . }}" + jwksUrl: "{{ .Values.extensionsOIDC.keycloakUrl }}/auth/realms/{{ include "broker.name" . }}/protocol/openid-connect/certs" loginHint: "false" - logoutUrl: "{{ .Values.extensionsOIDC.keycloakUrl }}/auth/realms/{{ .Values.extensionsOIDC.mainRealm }}/protocol/openid-connect/logout" + logoutUrl: "{{ .Values.extensionsOIDC.keycloakUrl }}/auth/realms/{{ include "broker.name" . }}/protocol/openid-connect/logout" passMaxAge: "false" pkceEnabled: "false" prompt: "" syncMode: "IMPORT" - tokenUrl: "{{ .Values.extensionsOIDC.keycloakUrl }}/auth/realms/{{ .Values.extensionsOIDC.mainRealm }}/protocol/openid-connect/token" + tokenUrl: "{{ .Values.extensionsOIDC.keycloakUrl }}/auth/realms/{{ include "broker.name" . 
}}/protocol/openid-connect/token" uiLocales: "false" - userInfoUrl: "{{ .Values.extensionsOIDC.keycloakUrl }}/auth/realms/{{ .Values.extensionsOIDC.mainRealm }}/protocol/openid-connect/userinfo" + userInfoUrl: "{{ .Values.extensionsOIDC.keycloakUrl }}/auth/realms/{{ include "broker.name" . }}/protocol/openid-connect/userinfo" validateSignature: "false" diff --git a/add-ons/extensions-oidc/values.yaml b/add-ons/extensions-oidc/values.yaml index 2420533..4ff4cc4 100644 --- a/add-ons/extensions-oidc/values.yaml +++ b/add-ons/extensions-oidc/values.yaml @@ -1,7 +1,23 @@ extensionsOIDC: keycloakUrl: "https://keycloak.example.com" - mainRealm: "openshift" - mainRealmSecret: "" + # Recommended to utilize this realm primarily for enabling unique integrations and + # inheriting these capabilities into other realms. + broker: + # Create the broker realm with corresponding resources. + create: true + # If broker create parameter set to false operator create only a client for connection as Identity Provider, + # in this case be sure you define correct Realm name. + name: "broker" + # If you already have pre-configured realm and don't need to create a new one, set the broker create + # parameter to false and uncomment existingBroker parameter and provide the name of the existing realm: + + # existingBroker: "" + + # Realm creating for connecting and managing shared services clients, such as Nexus, Sonar, DefectDojo, etc. + sharedService: "shared" + +# ClusterReconciliationEnabled is enabled (set to true), the operator will reconcile all. +# keycloak-operator objects throughout the cluster. keycloak-operator: clusterReconciliationEnabled: true diff --git a/add-ons/tekton-cache/README.md b/add-ons/tekton-cache/README.md index 5b01cbf..ea75985 100644 --- a/add-ons/tekton-cache/README.md +++ b/add-ons/tekton-cache/README.md 
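Review bot: The repointed `jwksUrl` is dead configuration as long as this IdP keeps `validateSignature: "false"` (unchanged context at the end of the hunk): Keycloak will fetch tokens from the broker realm's token endpoint but never verify their signature against the published keys. Exposure is limited because the tokens arrive over the back-channel `clientAuthMethod: "client_secret_post"` exchange rather than from the browser, but the issuer/JWKS wiring this commit adds only buys anything once signature validation is on. Suggest `validateSignature: "true"` together with the configured `jwksUrl`, and consider `pkceEnabled: "true"` for the front-channel leg; the `config:` mapping starts before this hunk.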
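Review bot: The comment above `broker.name` ("If broker create parameter set to false operator create only a client for connection as Identity Provider, in this case be sure you define correct Realm name") is misleading: when `create` is false the `broker.name` helper in _helpers.tpl ignores `name` entirely and reads `existingBroker`, so editing `name` has no effect in that mode. Reword it to `# Name of the broker realm created by this chart; ignored when create is false (see existingBroker).` and move the "only a client is created as Identity Provider" sentence next to `existingBroker`, which is the value that actually drives that mode. The trailing `clusterReconciliationEnabled` comment also reads as two sentences split by a stray period; `# When clusterReconciliationEnabled is true, the operator reconciles all keycloak-operator objects across the cluster.` says the same thing.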
@@ -1,6 +1,6 @@ # tekton-cache -![Version: 0.3.1](https://img.shields.io/badge/Version-0.3.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.3.1](https://img.shields.io/badge/AppVersion-0.3.1-informational?style=flat-square) +![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.3.2](https://img.shields.io/badge/AppVersion-0.3.2-informational?style=flat-square) A Helm chart for EDP Tekton Cache @@ -8,5 +8,5 @@ A Helm chart for EDP Tekton Cache | Repository | Name | Version | |------------|------|---------| -| https://epam.github.io/edp-helm-charts/stable | tekton-cache | 0.3.1 | +| https://epam.github.io/edp-helm-charts/stable | tekton-cache | 0.3.2 |