refactor: add a new SSO client when enabling password auth

This is a required as a client using resource owner password flow requires a secret.
drogue-iot · Dec 15, 2022 · 9cbd3e2 · 9cbd3e2
1 parent 22b4136
commit 9cbd3e2
Show file tree

Hide file tree

Showing 10 changed files with 98 additions and 7 deletions.
diff --git a/charts/drogue-cloud-core/templates/_sso.tpl b/charts/drogue-cloud-core/templates/_sso.tpl
@@ -17,3 +17,26 @@ For the Keycloak API, storing access tokens
 - name: "KEYCLOAK__TLS_INSECURE"
   value: {{ .Values.oauth2.tls.insecure | quote }}
 {{- end }}
+
+{{/*
+Apply OAuth2 authenticator settings for an external service.
+
+Arguments: .
+*/}}
+{{- define "drogue-cloud-core.oauth2-external-authenticator.env-vars" }}
+{{- $clients := list "drogue" "services" -}}
+{{- if .Values.keycloak.postInstall.resourceOwnerPasswordFlow }}
+{{- $clients = concat $clients "direct" }}
+{{- end }}
+{{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" $clients ) }}
+{{- end }}
+
+{{/*
+Apply OAuth2 authenticator settings for an internal service.
+
+Arguments: .
+*/}}
+{{- define "drogue-cloud-core.oauth2-internal-authenticator.env-vars" }}
+{{- $clients := list "services" -}}
+{{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" $clients ) }}
+{{- end }}
diff --git a/charts/drogue-cloud-core/templates/infrastructure/sso/clients.yaml b/charts/drogue-cloud-core/templates/infrastructure/sso/clients.yaml
@@ -18,3 +18,15 @@ metadata:
 data:
   CLIENT_ID: {{ "services" | b64enc | quote }}
   CLIENT_SECRET: {{ .Values.keycloak.clients.services.clientSecret | b64enc | quote }}
+{{ if .Values.keycloak.postInstall.resourceOwnerPasswordFlow }}
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: keycloak-client-secret-direct
+  labels:
+    {{- include "drogue-cloud-core.labels" (dict "root" . "name" "keycloak-client-secret-direct" "component" "sso") | nindent 4 }}
+data:
+  CLIENT_ID: {{ "direct" | b64enc | quote }}
+  CLIENT_SECRET: {{ .Values.keycloak.clients.direct.clientSecret | b64enc | quote }}
+{{ end }}
diff --git a/charts/drogue-cloud-core/templates/infrastructure/sso/post-install-job.yaml b/charts/drogue-cloud-core/templates/infrastructure/sso/post-install-job.yaml
@@ -92,6 +92,47 @@ data:
         }
       ]
     }
+{{ if .Values.keycloak.postInstall.resourceOwnerPasswordFlow }}
+  client-direct.json: |
+    {
+      "clientId": "direct",
+      "clientAuthenticatorType": "client-secret",
+      "enabled": true,
+      "publicClient": false,
+      "implicitFlowEnabled": false,
+      "standardFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": false,
+      "fullScopeAllowed": true,
+      "defaultClientScopes": [
+        "email",
+        "profile",
+        "roles",
+        "web-origins"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "microprofile-jwt",
+        "offline_access",
+        "phone"
+      ],
+      "defaultRoles": [
+        "drogue-user"
+      ],
+      "protocolMappers": [
+        {
+          "name": "add-audience",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-audience-mapper",
+          "config": {
+            "included.client.audience": "services",
+            "id.token.claim": "false",
+            "access.token.claim": "true"
+          }
+        }
+      ]
+    }
+{{ end }}
 ---
 {{ if .Values.keycloak.postInstall.user.enabled }}
 kind: Secret
@@ -247,6 +288,21 @@ spec:
               # default role for service account of services
               kcadm add-roles -r "${REALM}" --uusername service-account-services --rolename drogue-admin
 
+              {{ if .Values.keycloak.postInstall.resourceOwnerPasswordFlow }}
+              # client clients - direct
+              ID=$(kcadm get clients -r "${REALM}" --query "clientId=direct" --fields id --format csv --noquotes)
+              CLIENT_OPTS=()
+              CLIENT_OPTS+=(-s 'secret={{ .Values.keycloak.clients.direct.clientSecret | toJson }}')
+              if [[ -n "$ID" ]]; then
+                # TODO: replace with update once https://github.com/keycloak/keycloak/issues/12484 is fixed
+                # kcadm update "clients/${ID}" -r "${REALM}" -f /etc/init-data/client-direct.json "${CLIENT_OPTS[@]}"
+                kcadm delete "clients/${ID}" -r "${REALM}"
+                kcadm create clients -r "${REALM}" -f /etc/init-data/client-direct.json "${CLIENT_OPTS[@]}"
+              else
+                kcadm create clients -r "${REALM}" -f /etc/init-data/client-direct.json "${CLIENT_OPTS[@]}"
+              fi
+              {{ end }}
+
               {{ if .Values.keycloak.postInstall.user.enabled }}
               # create user
               ID=$(kcadm get users -r "${REALM}" --query "username={{ .Values.keycloak.postInstall.user.name }}" --fields id --format csv --noquotes)

diff --git a/charts/drogue-cloud-core/templates/integration/websocket/deployment.yaml b/charts/drogue-cloud-core/templates/integration/websocket/deployment.yaml
@@ -43,7 +43,7 @@ spec:
                 configMapKeyRef:
                   name: configuration
                   key: instance
-            {{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" (list "drogue" )) | nindent 12 }}
+            {{- include "drogue-cloud-core.oauth2-external-authenticator.env-vars" . | nindent 12 }}
             - name: NAMESPACE
               valueFrom:
                 fieldRef:

diff --git a/charts/drogue-cloud-core/templates/service/console/deployment-backend.yaml b/charts/drogue-cloud-core/templates/service/console/deployment-backend.yaml
@@ -58,7 +58,7 @@ spec:
                   name: keycloak-client-secret-drogue
                   key: CLIENT_SECRET
             {{- include "drogue-cloud-common.oauth2-external.env-vars" (dict "root" . "prefix" "UI__" ) | nindent 12 }}
-            {{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" (list "drogue" "services" )) | nindent 12 }}
+            {{- include "drogue-cloud-core.oauth2-external-authenticator.env-vars" . | nindent 12 }}
             - name: NAMESPACE
               valueFrom:
                 fieldRef:

diff --git a/charts/drogue-cloud-core/templates/service/registry/auth/deployment.yaml b/charts/drogue-cloud-core/templates/service/registry/auth/deployment.yaml
@@ -41,7 +41,7 @@ spec:
             {{- include "drogue-cloud-common.health-env" $app | nindent 12 }}
             {{- include "drogue-cloud-common.http-service-env" $app | nindent 12 }}
             {{- include "drogue-cloud-common.postgres.env-vars-default" . | nindent 12 }}
-            {{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" (list "services" )) | nindent 12 }}
+            {{- include "drogue-cloud-core.oauth2-internal-authenticator.env-vars" . | nindent 12 }}
             {{- include "drogue-cloud-common.env-vars-extras" $app | nindent 12 }}
 
           {{- include "drogue-cloud-common.health-probes" $app | nindent 10 }}

diff --git a/charts/drogue-cloud-core/templates/service/registry/registry/deployment.yaml b/charts/drogue-cloud-core/templates/service/registry/registry/deployment.yaml
@@ -39,7 +39,7 @@ spec:
             {{- include "drogue-cloud-common.http-service-env" $app | nindent 12 }}
             {{- include "drogue-cloud-common.health-env" $app | nindent 12 }}
             {{- include "drogue-cloud-common.postgres.env-vars-default" . | nindent 12 }}
-            {{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" (list "drogue" "services" )) | nindent 12 }}
+            {{- include "drogue-cloud-core.oauth2-external-authenticator.env-vars" . | nindent 12 }}
             - name: USER_AUTH__URL
               value: {{ include "drogue-cloud-core.service-url.user-auth-service" . }}
             - name: USER_AUTH__CLIENT_ID

diff --git a/charts/drogue-cloud-core/templates/service/registry/user-auth/deployment.yaml b/charts/drogue-cloud-core/templates/service/registry/user-auth/deployment.yaml
@@ -50,7 +50,7 @@ spec:
                 fieldRef:
                   fieldPath: metadata.namespace
             {{- include "drogue-cloud-common.postgres.env-vars" ( dict "root" . "prefix" "SERVICE__PG__" ) | nindent 12 }}
-            {{- include "drogue-cloud-common.oauth2-authenticator.env-vars" ( dict "root" . "clients" ( list "services" ) ) | nindent 12 }}
+            {{- include "drogue-cloud-core.oauth2-internal-authenticator.env-vars" . | nindent 12 }}
             {{- include "drogue-cloud-core.keycloak.internal-access" . | nindent 12 }}
             {{- include "drogue-cloud-common.env-vars-extras" $app | nindent 12 }}
 

diff --git a/charts/drogue-cloud-core/templates/service/state/deployment.yaml b/charts/drogue-cloud-core/templates/service/state/deployment.yaml
@@ -53,7 +53,7 @@ spec:
                   name: keycloak-client-secret-services
                   key: CLIENT_SECRET
             {{- include "drogue-cloud-common.oauth2-internal.env-vars" (dict "root" . "prefix" "REGISTRY__" ) | nindent 12 }}
-            {{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" (list "services" )) | nindent 12 }}
+            {{- include "drogue-cloud-core.oauth2-internal-authenticator.env-vars" . | nindent 12 }}
             - name: INSTANCE
               valueFrom:
                 configMapKeyRef:

diff --git a/charts/drogue-cloud-core/templates/source/command/deployment.yaml b/charts/drogue-cloud-core/templates/source/command/deployment.yaml
@@ -42,7 +42,7 @@ spec:
                 configMapKeyRef:
                   name: configuration
                   key: instance
-            {{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" (list "drogue" "services" )) | nindent 12 }}
+            {{- include "drogue-cloud-core.oauth2-external-authenticator.env-vars" . | nindent 12 }}
             - name: REGISTRY__URL
               value: {{ include "drogue-cloud-core.service-url.device-management-service" . }}
             - name: REGISTRY__CLIENT_ID