diff --git a/charts/drogue-cloud-core/templates/_sso.tpl b/charts/drogue-cloud-core/templates/_sso.tpl
index 20382e9..bea928d 100644
--- a/charts/drogue-cloud-core/templates/_sso.tpl
+++ b/charts/drogue-cloud-core/templates/_sso.tpl
@@ -17,3 +17,26 @@ For the Keycloak API, storing access tokens
 - name: "KEYCLOAK__TLS_INSECURE"
 value: {{ .Values.oauth2.tls.insecure | quote }}
 {{- end }}
+
+{{/*
+Apply OAuth2 authenticator settings for an external service.
+
+Arguments: .
+*/}}
+{{- define "drogue-cloud-core.oauth2-external-authenticator.env-vars" }}
+{{- $clients := list "drogue" "services" -}}
+{{- if .Values.keycloak.postInstall.resourceOwnerPasswordFlow }}
+{{- $clients = concat $clients "direct" }}
+{{- end }}
+{{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" $clients ) }}
+{{- end }}
+
+{{/*
+Apply OAuth2 authenticator settings for an internal service.
+
+Arguments: .
+*/}}
+{{- define "drogue-cloud-core.oauth2-internal-authenticator.env-vars" }}
+{{- $clients := list "services" -}}
+{{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" $clients ) }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/drogue-cloud-core/templates/infrastructure/sso/clients.yaml b/charts/drogue-cloud-core/templates/infrastructure/sso/clients.yaml
index 6ff3b3c..6234426 100644
--- a/charts/drogue-cloud-core/templates/infrastructure/sso/clients.yaml
+++ b/charts/drogue-cloud-core/templates/infrastructure/sso/clients.yaml
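Review bot: `{{- $clients = concat $clients "direct" }}` in the external-authenticator define hands a bare string to `concat`; as far as I know Sprig's `concat` only accepts list arguments and panics on anything else, so a render with `keycloak.postInstall.resourceOwnerPasswordFlow` enabled would fail at exactly the moment the new helper is supposed to do something. `{{- $clients = append $clients "direct" }}` (or `concat $clients (list "direct")`) is the form that yields the three-element list. Since callers no longer see the client list, the `{{/* ... */}}` header should also state it, e.g. `Accepts tokens issued to the "drogue" and "services" clients, plus "direct" when keycloak.postInstall.resourceOwnerPasswordFlow is enabled.` for the external helper and `Accepts tokens issued to the "services" client only.` for the internal one.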
@@ -18,3 +18,15 @@ metadata:
 data:
 CLIENT_ID: {{ "services" | b64enc | quote }}
 CLIENT_SECRET: {{ .Values.keycloak.clients.services.clientSecret | b64enc | quote }}
+{{ if .Values.keycloak.postInstall.resourceOwnerPasswordFlow }}
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: keycloak-client-secret-direct
+ labels:
+ {{- include "drogue-cloud-core.labels" (dict "root" . "name" "keycloak-client-secret-direct" "component" "sso") | nindent 4 }}
+data:
+ CLIENT_ID: {{ "direct" | b64enc | quote }}
+ CLIENT_SECRET: {{ .Values.keycloak.clients.direct.clientSecret | b64enc | quote }}
+{{ end }}
\ No newline at end of file
diff --git a/charts/drogue-cloud-core/templates/infrastructure/sso/post-install-job.yaml b/charts/drogue-cloud-core/templates/infrastructure/sso/post-install-job.yaml
index 7b8143f..ae2469d 100644
--- a/charts/drogue-cloud-core/templates/infrastructure/sso/post-install-job.yaml
+++ b/charts/drogue-cloud-core/templates/infrastructure/sso/post-install-job.yaml
@@ -92,6 +92,47 @@ data:
 }
 ]
 }
+{{ if .Values.keycloak.postInstall.resourceOwnerPasswordFlow }}
+ client-direct.json: |
+ {
+ "clientId": "direct",
+ "clientAuthenticatorType": "client-secret",
+ "enabled": true,
+ "publicClient": false,
+ "implicitFlowEnabled": false,
+ "standardFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "fullScopeAllowed": true,
+ "defaultClientScopes": [
+ "email",
+ "profile",
+ "roles",
+ "web-origins"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "microprofile-jwt",
+ "offline_access",
+ "phone"
+ ],
+ "defaultRoles": [
+ "drogue-user"
+ ],
+ "protocolMappers": [
+ {
+ "name": "add-audience",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-audience-mapper",
+ "config": {
+ "included.client.audience": "services",
+ "id.token.claim": "false",
+ "access.token.claim": "true"
+ }
+ }
+ ]
+ }
+{{ end }}
 ---
 {{ if .Values.keycloak.postInstall.user.enabled }}
 kind: Secret
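Review bot: `CLIENT_SECRET: {{ .Values.keycloak.clients.direct.clientSecret | b64enc | quote }}` has no guard for an unset value: when the flow is switched on but no secret has been configured, the render either produces an empty secret or stops with an opaque type error from `b64enc`, and the post-install job in this same commit would register the client with that value. I cannot see values.yaml, so a default may exist, but the opt-in nature of the flag makes a missing value likely. `{{ required "keycloak.clients.direct.clientSecret must be set when keycloak.postInstall.resourceOwnerPasswordFlow is enabled" .Values.keycloak.clients.direct.clientSecret | b64enc | quote }}` fails the render early with a message that names the fix.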
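Review bot: `client-direct.json` defines a confidential client with every browser flow disabled and only `directAccessGrantsEnabled` set, i.e. the password grant, but neither the block nor the `{{ if }}` guard records who is meant to use it or why it is opt-in. A comment above the block, such as `{{/* "direct" client: password grant only; callers authenticate with the secret from keycloak-client-secret-direct and receive access tokens carrying audience "services" */}}`, would explain the audience mapper's `"included.client.audience": "services"` to an operator deciding whether to enable the flag. The values documentation should additionally note that, with the flag on, every service wired through the new external-authenticator helper accepts tokens from this client, so it should stay off unless a password-grant consumer exists.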
@@ -247,6 +288,21 @@ spec:
 # default role for service account of services
 kcadm add-roles -r "${REALM}" --uusername service-account-services --rolename drogue-admin
+ {{ if .Values.keycloak.postInstall.resourceOwnerPasswordFlow }}
+ # client clients - direct
+ ID=$(kcadm get clients -r "${REALM}" --query "clientId=direct" --fields id --format csv --noquotes)
+ CLIENT_OPTS=()
+ CLIENT_OPTS+=(-s 'secret={{ .Values.keycloak.clients.direct.clientSecret | toJson }}')
+ if [[ -n "$ID" ]]; then
+ # TODO: replace with update once https://github.com/keycloak/keycloak/issues/12484 is fixed
+ # kcadm update "clients/${ID}" -r "${REALM}" -f /etc/init-data/client-direct.json "${CLIENT_OPTS[@]}"
+ kcadm delete "clients/${ID}" -r "${REALM}"
+ kcadm create clients -r "${REALM}" -f /etc/init-data/client-direct.json "${CLIENT_OPTS[@]}"
+ else
+ kcadm create clients -r "${REALM}" -f /etc/init-data/client-direct.json "${CLIENT_OPTS[@]}"
+ fi
+ {{ end }}
+
 {{ if .Values.keycloak.postInstall.user.enabled }}
 # create user
 ID=$(kcadm get users -r "${REALM}" --query "username={{ .Values.keycloak.postInstall.user.name }}" --fields id --format csv --noquotes)
diff --git a/charts/drogue-cloud-core/templates/integration/websocket/deployment.yaml b/charts/drogue-cloud-core/templates/integration/websocket/deployment.yaml
index 229cedc..a338761 100644
--- a/charts/drogue-cloud-core/templates/integration/websocket/deployment.yaml
+++ b/charts/drogue-cloud-core/templates/integration/websocket/deployment.yaml
@@ -43,7 +43,7 @@ spec:
 configMapKeyRef:
 name: configuration
 key: instance
- {{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" (list "drogue" )) | nindent 12 }}
+ {{- include "drogue-cloud-core.oauth2-external-authenticator.env-vars" . | nindent 12 }}
 - name: NAMESPACE
 valueFrom:
 fieldRef:
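Review bot: `CLIENT_OPTS+=(-s 'secret={{ .Values.keycloak.clients.direct.clientSecret | toJson }}')` bakes the client secret into the rendered script inside a single-quoted bash literal; `toJson` escapes `"` and `\` but not `'`, so a secret containing a single quote terminates the literal and the rest of the value is parsed by the shell, and the secret is also stored in clear text in the rendered Job manifest. Since this commit creates the `keycloak-client-secret-direct` Secret, sourcing the value from an environment variable populated by a `secretKeyRef` (the Job's container spec is outside this hunk) and passing `-s "secret=${DIRECT_CLIENT_SECRET}"` avoids both problems. Separately, `kcadm delete "clients/${ID}"` followed by `kcadm create clients` is not atomic: if the create fails the existing `direct` client is gone, so the script needs to abort loudly at that point (`set -e` at the top of the script, if it is not already there — the script header is outside the hunk) rather than carry on.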
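Review bot: The websocket integration previously authorised only the `drogue` client (`(list "drogue")` on the removed line), whereas the new `drogue-cloud-core.oauth2-external-authenticator.env-vars` helper passes `drogue` and `services`, plus `direct` when the password flow is enabled, so this endpoint now also accepts tokens issued to the `services` client. If that widening is intended, the commit description should say so; otherwise keep the explicit `(list "drogue")` include here. The other deployments in this commit map onto the same client lists they had before — console backend, registry and command use the external helper, registry auth, user-auth and state use the internal one — so only this hunk changes the set of accepted clients.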
diff --git a/charts/drogue-cloud-core/templates/service/console/deployment-backend.yaml b/charts/drogue-cloud-core/templates/service/console/deployment-backend.yaml
index 13f1bcd..84450b1 100644
--- a/charts/drogue-cloud-core/templates/service/console/deployment-backend.yaml
+++ b/charts/drogue-cloud-core/templates/service/console/deployment-backend.yaml
@@ -58,7 +58,7 @@ spec:
 name: keycloak-client-secret-drogue
 key: CLIENT_SECRET
 {{- include "drogue-cloud-common.oauth2-external.env-vars" (dict "root" . "prefix" "UI__" ) | nindent 12 }}
- {{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" (list "drogue" "services" )) | nindent 12 }}
+ {{- include "drogue-cloud-core.oauth2-external-authenticator.env-vars" . | nindent 12 }}
 - name: NAMESPACE
 valueFrom:
 fieldRef:
diff --git a/charts/drogue-cloud-core/templates/service/registry/auth/deployment.yaml b/charts/drogue-cloud-core/templates/service/registry/auth/deployment.yaml
index 9458284..a01b567 100644
--- a/charts/drogue-cloud-core/templates/service/registry/auth/deployment.yaml
+++ b/charts/drogue-cloud-core/templates/service/registry/auth/deployment.yaml
@@ -41,7 +41,7 @@ spec:
 {{- include "drogue-cloud-common.health-env" $app | nindent 12 }}
 {{- include "drogue-cloud-common.http-service-env" $app | nindent 12 }}
 {{- include "drogue-cloud-common.postgres.env-vars-default" . | nindent 12 }}
- {{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" (list "services" )) | nindent 12 }}
+ {{- include "drogue-cloud-core.oauth2-internal-authenticator.env-vars" . | nindent 12 }}
 {{- include "drogue-cloud-common.env-vars-extras" $app | nindent 12 }}
 {{- include "drogue-cloud-common.health-probes" $app | nindent 10 }}
diff --git a/charts/drogue-cloud-core/templates/service/registry/registry/deployment.yaml b/charts/drogue-cloud-core/templates/service/registry/registry/deployment.yaml
index 4820c93..6aa06ca 100644
--- a/charts/drogue-cloud-core/templates/service/registry/registry/deployment.yaml
+++ b/charts/drogue-cloud-core/templates/service/registry/registry/deployment.yaml
@@ -39,7 +39,7 @@ spec:
 {{- include "drogue-cloud-common.http-service-env" $app | nindent 12 }}
 {{- include "drogue-cloud-common.health-env" $app | nindent 12 }}
 {{- include "drogue-cloud-common.postgres.env-vars-default" . | nindent 12 }}
- {{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" (list "drogue" "services" )) | nindent 12 }}
+ {{- include "drogue-cloud-core.oauth2-external-authenticator.env-vars" . | nindent 12 }}
 - name: USER_AUTH__URL
 value: {{ include "drogue-cloud-core.service-url.user-auth-service" . }}
 - name: USER_AUTH__CLIENT_ID
diff --git a/charts/drogue-cloud-core/templates/service/registry/user-auth/deployment.yaml b/charts/drogue-cloud-core/templates/service/registry/user-auth/deployment.yaml
index ded7b55..8652e88 100644
--- a/charts/drogue-cloud-core/templates/service/registry/user-auth/deployment.yaml
+++ b/charts/drogue-cloud-core/templates/service/registry/user-auth/deployment.yaml
@@ -50,7 +50,7 @@ spec:
 fieldRef:
 fieldPath: metadata.namespace
 {{- include "drogue-cloud-common.postgres.env-vars" ( dict "root" . "prefix" "SERVICE__PG__" ) | nindent 12 }}
- {{- include "drogue-cloud-common.oauth2-authenticator.env-vars" ( dict "root" . "clients" ( list "services" ) ) | nindent 12 }}
+ {{- include "drogue-cloud-core.oauth2-internal-authenticator.env-vars" . | nindent 12 }}
 {{- include "drogue-cloud-core.keycloak.internal-access" . | nindent 12 }}
 {{- include "drogue-cloud-common.env-vars-extras" $app | nindent 12 }}
diff --git a/charts/drogue-cloud-core/templates/service/state/deployment.yaml b/charts/drogue-cloud-core/templates/service/state/deployment.yaml
index 19a4561..312bcbe 100644
--- a/charts/drogue-cloud-core/templates/service/state/deployment.yaml
+++ b/charts/drogue-cloud-core/templates/service/state/deployment.yaml
@@ -53,7 +53,7 @@ spec:
 name: keycloak-client-secret-services
 key: CLIENT_SECRET
 {{- include "drogue-cloud-common.oauth2-internal.env-vars" (dict "root" . "prefix" "REGISTRY__" ) | nindent 12 }}
- {{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" (list "services" )) | nindent 12 }}
+ {{- include "drogue-cloud-core.oauth2-internal-authenticator.env-vars" . | nindent 12 }}
 - name: INSTANCE
 valueFrom:
 configMapKeyRef:
diff --git a/charts/drogue-cloud-core/templates/source/command/deployment.yaml b/charts/drogue-cloud-core/templates/source/command/deployment.yaml
index c5714cd..e8ea658 100644
--- a/charts/drogue-cloud-core/templates/source/command/deployment.yaml
+++ b/charts/drogue-cloud-core/templates/source/command/deployment.yaml
@@ -42,7 +42,7 @@ spec:
 configMapKeyRef:
 name: configuration
 key: instance
- {{- include "drogue-cloud-common.oauth2-authenticator.env-vars" (dict "root" . "clients" (list "drogue" "services" )) | nindent 12 }}
+ {{- include "drogue-cloud-core.oauth2-external-authenticator.env-vars" . | nindent 12 }}
 - name: REGISTRY__URL
 value: {{ include "drogue-cloud-core.service-url.device-management-service" . }}
 - name: REGISTRY__CLIENT_ID