From d78fb9f79b87fa3dff78ae50924655ff49f922e5 Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Thu, 25 Sep 2025 08:13:02 +0000 Subject: [PATCH 01/25] miograting from bitnami to redhat img & codecentric chart --- .../configs/platform-keycloak-config-job.yaml | 70 + ...orm-keycloak-database-secret-template.yaml | 28 + .../platform-keycloak-realm-config.yaml | 360 +++++ ...-keycloak-with-initcontainer-approach.yaml | 1263 ++++++++++++++++ .../configs/platform-keycloak.yaml | 1328 ++--------------- .../custom/platform-keycloak-codecentric.tpl | 119 ++ .../applications/custom/platform-keycloak.tpl | 104 +- .../templates/platform-keycloak.yaml | 6 +- 8 files changed, 2060 insertions(+), 1218 deletions(-) create mode 100644 argocd/applications/configs/platform-keycloak-config-job.yaml create mode 100644 argocd/applications/configs/platform-keycloak-database-secret-template.yaml create mode 100644 argocd/applications/configs/platform-keycloak-realm-config.yaml create mode 100644 argocd/applications/configs/platform-keycloak-with-initcontainer-approach.yaml create mode 100644 argocd/applications/custom/platform-keycloak-codecentric.tpl diff --git a/argocd/applications/configs/platform-keycloak-config-job.yaml b/argocd/applications/configs/platform-keycloak-config-job.yaml new file mode 100644 index 000000000..0d7d142b4 --- /dev/null +++ b/argocd/applications/configs/platform-keycloak-config-job.yaml 
@@ -0,0 +1,70 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: platform-keycloak-config-import
+ namespace: orch-platform
+ annotations:
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-weight: "1"
+ helm.sh/hook-delete-policy: hook-succeeded
+spec:
+ template:
+ metadata:
+ labels:
+ app: keycloak-config-import
+ sidecar.istio.io/inject: "false"
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: keycloak-config-cli
+ image: quay.io/adorsys/keycloak-config-cli:5.12.0-26.0.7
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: KEYCLOAK_URL
+ value: "http://platform-keycloak:8080"
+ - name: KEYCLOAK_USER
+ value: "admin"
+ - name: KEYCLOAK_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: platform-keycloak
+ key: admin-password
+ - name: IMPORT_MANAGED_GROUP
+ value: "no-delete"
+ - name: IMPORT_MANAGED_REQUIRED_ACTION
+ value: "no-delete"
+ - name: IMPORT_MANAGED_ROLE
+ value: "no-delete"
+ - name: IMPORT_MANAGED_CLIENT
+ value: "no-delete"
+ - name: KEYCLOAK_AVAILABILITYCHECK_ENABLED
+ value: "true"
+ - name: KEYCLOAK_AVAILABILITYCHECK_TIMEOUT
+ value: "120s"
+ volumeMounts:
+ - name: keycloak-config
+ mountPath: /opt/keycloak-config-cli/configs
+ readOnly: true
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "100m"
+ limits:
+ memory: "512Mi"
+ cpu: "500m"
+ volumes:
+ - name: keycloak-config
+ configMap:
+ name: platform-keycloak-config
\ No newline at end of file
diff --git a/argocd/applications/configs/platform-keycloak-database-secret-template.yaml b/argocd/applications/configs/platform-keycloak-database-secret-template.yaml
new file mode 100644
index 000000000..3c63981e3
--- /dev/null
+++ b/argocd/applications/configs/platform-keycloak-database-secret-template.yaml
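Review bot: The hook Job sends the Keycloak admin password in cleartext to `http://platform-keycloak:8080`, and the `sidecar.istio.io/inject: "false"` pod label (presumably so the Job can exit without a lingering proxy) also removes the mesh mTLS that would otherwise cover that hop, so the admin credential crosses the cluster network unprotected on every install and upgrade. Either point `KEYCLOAK_URL` at an HTTPS listener, or keep the hop plaintext but constrain it with a NetworkPolicy and record the trade-off with a comment such as `# sidecar disabled so the hook Job terminates; admin traffic to Keycloak is plaintext in-cluster`. Nothing on this page creates the `platform-keycloak` Service or the `platform-keycloak`/`admin-password` Secret, so confirm those names match what the codecentric chart actually renders. Only `GROUP`, `REQUIRED_ACTION`, `ROLE` and `CLIENT` are set to `no-delete`; the other `IMPORT_MANAGED_*` entity types stay on keycloak-config-cli's default, which as far as I recall is `full` and prunes realm resources absent from the import file. With `restartPolicy: OnFailure` and no `backoffLimit`/`activeDeadlineSeconds` on the Job, a bad import retries until Helm's own timeout instead of failing fast.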
@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Template for creating the Keycloak database secret
+# This secret contains the PostgreSQL connection information for Keycloak
+#
+# IMPORTANT: Update the values below to match your environment before applying!
+#
+# For local deployment, the secret is typically created by mage commands
+# For production, ensure you have the correct database connection details
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: platform-keycloak-local-postgresql
+ namespace: orch-platform # Update to your actual namespace
+type: Opaque
+stringData:
+ # Database connection details - UPDATE THESE VALUES!
+ PGHOST: postgresql.orch-database.svc.cluster.local # PostgreSQL service name
+ PGPORT: "5432" # PostgreSQL port
+ PGUSER: orch-platform-keycloak_user # Database username
+ PGDATABASE: orch-platform-keycloak # Database name
+ PGPASSWORD: your-database-password-here # Database password - CHANGE THIS!
+
+ # Additional fields that might be used
+ password: your-database-password-here # Alternative password field
\ No newline at end of file
diff --git a/argocd/applications/configs/platform-keycloak-realm-config.yaml b/argocd/applications/configs/platform-keycloak-realm-config.yaml
new file mode 100644
index 000000000..a541246ca
--- /dev/null
+++ b/argocd/applications/configs/platform-keycloak-realm-config.yaml
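Review bot: This `kind: Secret` manifest puts a literal placeholder password (`your-database-password-here`) in `stringData`, sits in `argocd/applications/configs/` alongside manifests that are meant to be applied, and carries the same name (`platform-keycloak-local-postgresql`) that the chart values reference as `existingSecret`, so if ArgoCD ever syncs this path the placeholder replaces or races the secret the header says mage creates. Give it a non-applied suffix such as `.example`, or move it under docs, and keep real credentials out of git via a sealed/external secret rather than a committed `stringData` block. `PGPASSWORD` and `password` duplicate the same value and can drift; as far as I recall the keycloakx `database.existingSecret` setting reads a single key (default `password`) and takes host, port, database and username from values, so `PGHOST`/`PGPORT`/`PGUSER`/`PGDATABASE` here are not consumed by the chart's `database` block unless another consumer maps them — a comment naming which key each consumer reads would make that explicit.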
@@ -0,0 +1,360 @@ +# SPDX-FileCopyrightText: 2025 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: ConfigMap +metadata: + name: platform-keycloak-config + namespace: orch-platform +data: + realm-master.json: | + { + "realm": "master", + "accountTheme": "keycloak", + "displayName": "Keycloak", + "displayNameHtml": "", + "defaultSignatureAlgorithm": "PS512", + "accessTokenLifespan": 3600, + "ssoSessionIdleTimeout": 5400, + "ssoSessionMaxLifespan": 43200, + "passwordPolicy": "length(14) and digits(1) and specialChars(1) and upperCase(1) and lowerCase(1)", + "bruteForceProtected": true, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 300, + "quickLoginCheckMilliSeconds": 200, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 5, + "roles": { + "realm": [ + { + "name": "en-agent-rw" + }, + { + "name": "secrets-root-role" + }, + { + "name": "rs-access-r" + }, + { + "name": "rs-proxy-r" + }, + { + "name": "app-service-proxy-read-role" + }, + { + "name": "app-service-proxy-write-role" + }, + { + "name": "app-deployment-manager-read-role" + }, + { + "name": "app-deployment-manager-write-role" + }, + { + "name": "app-resource-manager-read-role" + }, + { + "name": "app-resource-manager-write-role" + }, + { + "name": "app-vm-console-write-role" + }, + { + "name": "catalog-publisher-read-role" + }, + { + "name": "catalog-publisher-write-role" + }, + { + "name": "catalog-other-read-role" + }, + { + "name": "catalog-other-write-role" + }, + { + "name": "catalog-restricted-read-role" + }, + { + "name": "catalog-restricted-write-role" + }, + { + "name": "clusters-read-role" + }, + { + "name": "clusters-write-role" + }, + { + "name": "cluster-templates-read-role" + }, + { + "name": "cluster-templates-write-role" + }, + { + "name": "cluster-artifacts-read-role" + }, + { + "name": "cluster-artifacts-write-role" + }, + { + "name": "infra-manager-core-read-role" + }, + { + 
"name": "infra-manager-core-write-role" + }, + { + "name": "alrt-r" + }, + { + "name": "alrt-rw" + }, + { + "name": "alrt-rx-rw" + }, + { + "name": "ao-m2m-rw" + }, + { + "name": "co-m2m-rw" + }, + { + "name": "org-read-role" + }, + { + "name": "org-write-role" + }, + { + "name": "org-update-role" + }, + { + "name": "org-delete-role" + } + ], + "client": { + "alerts-m2m-client": [], + "host-manager-m2m-client": [], + "ktc-m2m-client": [], + "3rd-party-host-manager-m2m-client": [], + "edge-manager-m2m-client": [], + "en-m2m-template-client": [], + "webui-client": [], + "docsui-client": [], + "account": [ + { + "name": "view-profile", + "clientRole": true + }, + { + "name": "manage-account", + "clientRole": true + } + ], + "telemetry-client": [ + { + "name": "admin", + "clientRole": true + }, + { + "name": "viewer", + "clientRole": true + } + ], + "cluster-management-client": [ + { + "name": "restricted-role", + "clientRole": true + }, + { + "name": "standard-role", + "clientRole": true + }, + { + "name": "base-role", + "clientRole": true + } + ], + "registry-client": [ + { + "name": "registry-admin-role", + "clientRole": true + }, + { + "name": "registry-editor-role", + "clientRole": true + }, + { + "name": "registry-viewer-role", + "clientRole": true + } + ] + } + }, + "clients": [ + { + "clientId": "alerts-m2m-client", + "name": "Alerts M2M Client", + "description": "Client for Alerts", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + 
"backchannel.logout.revoke.offline.tokens": "false" + }, + "fullScopeAllowed": true, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email", + "basic" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "clientId": "system-client", + "name": "System Client", + "surrogateAuthRequired": false, + "enabled": true, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "true", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "fullScopeAllowed": true, + "defaultClientScopes": [ + "roles", + "profile", + "email", + "basic" + ], + "optionalClientScopes": [ + "groups", + "offline_access" + ] + } + ], + "clientScopes": [ + { + "name": "groups", + "description": "Groups scope", + "type": "Optional", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-group-membership-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "full.path": "false", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "userinfo.token.claim": "true", + "jsonType.label": "String" + } + } + ] + } + ], + "groups": [ + { + "name": "apps-m2m-service-account", + "path": "/apps-m2m-service-account", + "realmRoles": [ + "ao-m2m-rw", + "co-m2m-rw" + ] + }, + { + "name": "edge-manager-group", + "path": "/edge-manager-group", + "realmRoles": [ + 
"app-service-proxy-read-role", + "app-service-proxy-write-role", + "app-deployment-manager-read-role", + "app-deployment-manager-write-role" + ] + } + ], + "users": [ + { + "username": "service-account-alerts-m2m-client", + "enabled": true, + "totp": false, + "serviceAccountClientId": "alerts-m2m-client", + "realmRoles": [ + "default-roles-master" + ], + "clientRoles": { + "alerts-m2m-client": [ + "uma_protection" + ] + }, + "notBefore": 0 + } + ], + "components": { + "org.keycloak.keys.KeyProvider": [ + { + "name": "fallback-PS512", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "keySize": [ + "4096" + ], + "active": [ + "true" + ], + "priority": [ + "-100" + ], + "enabled": [ + "true" + ], + "algorithm": [ + "PS512" + ] + } + } + ] + } + } \ No newline at end of file diff --git a/argocd/applications/configs/platform-keycloak-with-initcontainer-approach.yaml b/argocd/applications/configs/platform-keycloak-with-initcontainer-approach.yaml new file mode 100644 index 000000000..0947ea5a2 --- /dev/null +++ b/argocd/applications/configs/platform-keycloak-with-initcontainer-approach.yaml 
@@ -0,0 +1,1263 @@ +# SPDX-FileCopyrightText: 2025 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 + +# Configuration for CodeCentric keycloakx chart +# Using official Keycloak image instead of Bitnami + +## Image configuration - using official Keycloak image +image: + repository: quay.io/keycloak/keycloak + tag: 26.0.7 + pullPolicy: IfNotPresent + +## Security context configuration +securityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + +podSecurityContext: + fsGroup: 1000 + +## Service configuration +service: + type: ClusterIP + httpPort: 8080 + +## Admin user configuration via environment variables +extraEnv: | + - name: KEYCLOAK_ADMIN + value: "admin" + - name: KEYCLOAK_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: platform-keycloak + key: admin-password + - name: KC_HOSTNAME_STRICT + value: "false" + - name: KC_HOSTNAME_STRICT_HTTPS + value: "false" + - name: KC_HTTP_ENABLED + value: "true" + - name: KC_HEALTH_ENABLED + value: "true" + - name: KC_METRICS_ENABLED + value: "true" + - name: KC_PROXY + value: "passthrough" + +## Startup command and arguments +command: + - "/opt/keycloak/bin/kc.sh" + +args: + - "start" + - "--optimized" + - "--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true" + - "--spi-brute-force-protector-default-brute-force-detector-allow-concurrent-requests=true" + +## Database configuration using existing secret +database: + vendor: postgres + existingSecret: platform-keycloak-local-postgresql + hostname: + port: + database: + username: + +## External database secret contains all connection info +dbchecker: + enabled: true + +## Health and readiness probes +livenessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 3 + +readinessProbe: + httpGet: + path: /realms/master + port: http + initialDelaySeconds: 30 + periodSeconds: 
10 + timeoutSeconds: 5 + failureThreshold: 3 + +## Enable metrics +metrics: + enabled: true + +health: + enabled: true + +## Cache configuration using jdbc-ping (default in keycloakx) +cache: + stack: default + +## Disable network policy to avoid DNS issues +networkPolicy: + enabled: false + +## Realm configuration import via init container +extraInitContainers: | + - name: keycloak-config-cli + image: quay.io/adorsys/keycloak-config-cli:5.12.0-26.0.7 + imagePullPolicy: IfNotPresent + env: + - name: KEYCLOAK_URL + value: "http://localhost:8080" + - name: KEYCLOAK_USER + value: "admin" + - name: KEYCLOAK_PASSWORD + valueFrom: + secretKeyRef: + name: platform-keycloak + key: admin-password + - name: IMPORT_MANAGED_GROUP + value: "no-delete" + - name: IMPORT_MANAGED_REQUIRED_ACTION + value: "no-delete" + - name: IMPORT_MANAGED_ROLE + value: "no-delete" + - name: IMPORT_MANAGED_CLIENT + value: "no-delete" + volumeMounts: + - name: keycloak-config + mountPath: /opt/keycloak-config-cli/configs + readOnly: true + securityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + +## Additional volumes for realm configuration +extraVolumes: | + - name: keycloak-config + configMap: + name: platform-keycloak-config + +## Pod labels to avoid sidecar injection +podLabels: + sidecar.istio.io/inject: "false" + realm-master.json: | + { + "realm": "master", + "accountTheme": "keycloak", + "displayName": "Keycloak", + "displayNameHtml": "", + "defaultSignatureAlgorithm": "PS512", + "accessTokenLifespan": 3600, + "ssoSessionIdleTimeout": 5400, + "ssoSessionMaxLifespan": 43200, + "passwordPolicy": "length(14) and digits(1) and specialChars(1) and upperCase(1) and lowerCase(1)", + "bruteForceProtected": true, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 300, + "quickLoginCheckMilliSeconds": 200, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 5, + 
"roles": { + "realm": [ + { + "name": "en-agent-rw" + }, + { + "name": "secrets-root-role" + }, + { + "name": "rs-access-r" + }, + { + "name": "rs-proxy-r" + }, + { + "name": "app-service-proxy-read-role" + }, + { + "name": "app-service-proxy-write-role" + }, + { + "name": "app-deployment-manager-read-role" + }, + { + "name": "app-deployment-manager-write-role" + }, + { + "name": "app-resource-manager-read-role" + }, + { + "name": "app-resource-manager-write-role" + }, + { + "name": "app-vm-console-write-role" + }, + { + "name": "catalog-publisher-read-role" + }, + { + "name": "catalog-publisher-write-role" + }, + { + "name": "catalog-other-read-role" + }, + { + "name": "catalog-other-write-role" + }, + { + "name": "catalog-restricted-read-role" + }, + { + "name": "catalog-restricted-write-role" + }, + { + "name": "clusters-read-role" + }, + { + "name": "clusters-write-role" + }, + { + "name": "cluster-templates-read-role" + }, + { + "name": "cluster-templates-write-role" + }, + { + "name": "cluster-artifacts-read-role" + }, + { + "name": "cluster-artifacts-write-role" + }, + { + "name": "infra-manager-core-read-role" + }, + { + "name": "infra-manager-core-write-role" + }, + { + "name": "alrt-r" + }, + { + "name": "alrt-rw" + }, + { + "name": "alrt-rx-rw" + }, + { + "name": "ao-m2m-rw" + }, + { + "name": "co-m2m-rw" + }, + { + "name": "org-read-role" + }, + { + "name": "org-write-role" + }, + { + "name": "org-update-role" + }, + { + "name": "org-delete-role" + } + ], + "client": { + "alerts-m2m-client": [], + "host-manager-m2m-client": [], + "ktc-m2m-client": [], + "3rd-party-host-manager-m2m-client": [], + "edge-manager-m2m-client": [], + "en-m2m-template-client": [], + "webui-client": [], + "docsui-client": [], + "account": [ + { + "name": "view-profile", + "clientRole": true + }, + { + "name": "manage-account", + "clientRole": true + } + ], + "telemetry-client": [ + { + "name": "admin", + "clientRole": true + }, + { + "name": "viewer", + "clientRole": true + } + 
], + "cluster-management-client": [ + { + "name": "restricted-role", + "clientRole": true + }, + { + "name": "standard-role", + "clientRole": true + }, + { + "name": "base-role", + "clientRole": true + } + ], + "registry-client": [ + { + "name": "registry-admin-role", + "clientRole": true + }, + { + "name": "registry-editor-role", + "clientRole": true + }, + { + "name": "registry-viewer-role", + "clientRole": true + } + ] + } + }, + "clients": [ + { + "clientId": "alerts-m2m-client", + "name": "Alerts M2M Client", + "description": "Client for Alerts", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "fullScopeAllowed": true, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email", + "basic" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "clientId": "host-manager-m2m-client", + "name": "Host Manager Client", + "description": "Client for the EN Host Manager to use in creating edgenode m2m clients", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "frontchannelLogout": 
true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "fullScopeAllowed": true, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email", + "basic" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "clientId": "ktc-m2m-client", + "name": "Keycloak Tenant Controller client", + "description": "Client for the Keycloak Tenant Controller to use in creating Tenant specific roles and groups in Keycloak", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "fullScopeAllowed": true, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "groups", + "email", + "basic" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "clientId": "3rd-party-host-manager-m2m-client", + "name": "3rd Party Host Manager Client", + "description": "Client for the 3rd party Host Manager to use in creating edgenode m2m clients", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "notBefore": 0, + "bearerOnly": 
false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "fullScopeAllowed": true, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email", + "basic" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "clientId": "edge-manager-m2m-client", + "name": "Edge Manager M2M Client", + "description": "Client for the accessing Orchestrator with Edge-Manager persona", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "fullScopeAllowed": true, + "defaultClientScopes": [ + "roles", + "email", + "groups", + "basic" + ], + "optionalClientScopes": [ + "offline_access", + ] + }, + { + "clientId": "en-m2m-template-client", + "name": "Edge Node M2M Template Client", + "description": "Client to use as basis for Roles to assign to new Edge Node M2M clients", + "surrogateAuthRequired": false, + "enabled": false, + 
"alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "fullScopeAllowed": true, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email", + "basic" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "clientId": "telemetry-client", + "name": "Telemetry Client", + "rootUrl": {{ .Values.clusterSpecific.telemetryClientRootUrl | toJson }}, + "enabled": true, + "clientAuthenticatorType": "client-secret", + "redirectUris": {{ .Values.clusterSpecific.telemetryRedirectUrls | toJson }}, + "webOrigins": [ + "+" + ], + "protocol": "openid-connect", + "directAccessGrantsEnabled": true, + "attributes": { + "oidc.ciba.grant.enabled": "false", + "client.secret.creation.time": "1683218404", + "backchannel.logout.session.required": "true", + "post.logout.redirect.uris": "+", + "display.on.consent.screen": "false", + "use.jwks.url": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "fullScopeAllowed": true, + "defaultClientScopes": [ + "roles", + "profile", + "email", + "basic" + ], + "optionalClientScopes": [ + "groups", + "offline_access" + ] + }, + { + "clientId": "cluster-management-client", + "name": "Cluster Management Client", + "rootUrl": {{ .Values.clusterSpecific.clusterManagementClientRootUrl | toJson }}, + "adminUrl": {{ .Values.clusterSpecific.clusterManagementClientRootUrl | toJson }}, + "surrogateAuthRequired": 
false, + "enabled": true, + "clientAuthenticatorType": "client-secret", + "redirectUris": {{ .Values.clusterSpecific.clusterManagementRedirectUrls | toJson }}, + "webOrigins": [ + "+" + ], + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "use.refresh.tokens": "true", + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "require.pushed.authorization.requests": "false", + "tls.client.certificate.bound.access.tokens": "false", + "display.on.consent.screen": "false", + "token.response.type.bearer.lower-case": "false", + }, + "fullScopeAllowed": true, + "protocolMappers": [ + { + "name": "Group Path", + "protocol": "openid-connect", + "protocolMapper": "oidc-group-membership-mapper", + "consentRequired": false, + "config": { + "full.path": "true", + "id.token.claim": "false", + "access.token.claim": "false", + "claim.name": "full_group_path", + "userinfo.token.claim": "true" + } + }, + { + "name": "Groups Mapper", + "protocol": "openid-connect", + "protocolMapper": "oidc-group-membership-mapper", + "consentRequired": false, + "config": { + "full.path": "false", + "id.token.claim": "false", + "access.token.claim": "false", + "claim.name": "groups", + "userinfo.token.claim": "true" + } + }, + { + "name": "Client Audience", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-mapper", + "consentRequired": false, + "config": { + "included.client.audience": "cluster-management-client", + "id.token.claim": "false", + "access.token.claim": "true" + } + } + ], + "defaultClientScopes": [ + "profile", + "roles", + "email", + "basic" + ], + "optionalClientScopes": [ + "groups", + "offline_access", + ], + "authorizationServicesEnabled": false + }, 
+ { + "clientId": "webui-client", + "name": "WebUI Client", + "rootUrl": {{ .Values.clusterSpecific.webuiClientRootUrl | toJson }}, + "enabled": true, + "clientAuthenticatorType": "client-secret", + "redirectUris": {{ .Values.clusterSpecific.webuiRedirectUrls | toJson }}, + "webOrigins": [ + "+" + ], + "protocol": "openid-connect", + "directAccessGrantsEnabled": false, + "attributes": { + "oidc.ciba.grant.enabled": "false", + "client.secret.creation.time": "1683218404", + "backchannel.logout.session.required": "true", + "post.logout.redirect.uris": "+", + "display.on.consent.screen": "false", + "oauth2.device.authorization.grant.enabled": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "fullScopeAllowed": true, + "defaultClientScopes": [ + "roles", + "profile", + "email", + "basic" + ], + "optionalClientScopes": [ + "groups", + "offline_access" + ] + }, + { + "clientId": "docsui-client", + "name": "DocsUI Client", + "rootUrl": {{ .Values.clusterSpecific.docsuiClientRootUrl | toJson }}, + "enabled": true, + "clientAuthenticatorType": "client-secret", + "redirectUris": {{ .Values.clusterSpecific.docsuiRedirectUrls | toJson }}, + "webOrigins": [ + "+" + ], + "protocol": "openid-connect", + "directAccessGrantsEnabled": false, + "attributes": { + "oidc.ciba.grant.enabled": "false", + "client.secret.creation.time": "1683218404", + "backchannel.logout.session.required": "true", + "post.logout.redirect.uris": "+", + "display.on.consent.screen": "false", + "oauth2.device.authorization.grant.enabled": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "fullScopeAllowed": true, + "defaultClientScopes": [ + "roles", + "profile", + "email", + "basic" + ], + "optionalClientScopes": [ + "groups", + "offline_access" + ] + }, + { + "clientId": "system-client", + "name": "System Client", + "surrogateAuthRequired": false, + "enabled": true, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + 
"standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "true", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "fullScopeAllowed": true, + "defaultClientScopes": [ + "roles", + "profile", + "email", + "basic" + ], + "optionalClientScopes": [ + "groups", + "offline_access" + ] + }, + { + "frontchannelLogout": true, + "standardFlowEnabled": true, + "clientId": "registry-client", + "name": "Registry Client", + "rootUrl": {{ .Values.clusterSpecific.registryClientRootUrl | toJson }}, + "enabled": true, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/c/oidc/callback" + ], + "webOrigins": [ + "+" + ], + "protocol": "openid-connect", + "directAccessGrantsEnabled": true, + "attributes": { + "oidc.ciba.grant.enabled": "false", + "client.secret.creation.time": "1683218404", + "backchannel.logout.session.required": "true", + "post.logout.redirect.uris": "+", + "display.on.consent.screen": "false", + "use.jwks.url": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "fullScopeAllowed": true, + "defaultClientScopes": [ + "roles", + "profile", + "email", + "groups", + "basic" + ], + "optionalClientScopes": [ + "offline_access" + ] + } + ], + "clientScopes": [ + { + "name": "groups", + "description": "Groups scope", + "type": "Optional", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-group-membership-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + 
"full.path": "false",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "groups",
+ "userinfo.token.claim": "true",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ },
+ {
+ "name": "roles",
+ "description": "OpenID Connect scope for add user roles to the access token",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "gui.order": "",
+ "consent.screen.text": '{{"$"}}{{"{"}}roleScopeConsentText{{"}"}}'
+ },
+ "protocolMappers": [
+ {
+ "name": "realm roles",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-realm-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "multivalued": "true",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "realm_access.roles",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "name": "client roles",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-client-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "multivalued": "true",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "resource_access.{{"$"}}{{"{"}}client_id{{"}"}}.roles",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ }
+ ],
+ "groups": [
+ {
+ "name": "registry-app-admin-group",
+ "path": "/registry-app-admin-group",
+ },
+ {
+ "name": "registry-app-editor-group",
+ "path": "/registry-app-editor-group",
+ },
+ {
+ "name": "registry-app-viewer-group",
+ "path": "/registry-app-viewer-group",
+ },
+ {
+ "name": "apps-m2m-service-account",
+ "path": "/apps-m2m-service-account",
+ "realmRoles": [
+ "ao-m2m-rw",
+ "co-m2m-rw"
+ ]
+ },
+ {
+ "name": "org-admin-group",
+ "path": "/org-admin-group",
+ "realmRoles": [
+ "org-read-role",
+ "org-update-role",
+ "org-delete-role",
+ "org-write-role"
+ ]
+ },
+ {
+ "name": "sre-admin-group",
+ "path": "/sre-admin-group",
+ "realmRoles": [
+ "alrt-r"
+ ],
+ "clientRoles": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ],
+ "telemetry-client": [
+ "viewer"
+ ]
+ }
+ },
+ {
+ "name": "iam-admin-group",
+ "path": "/iam-admin-group",
+ "realmRoles": [
+ "admin",
+ "secrets-root-role"
+ ],
+ "clientRoles": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ],
+ "master-realm": [
+ "view-users",
+ "query-users",
+ "manage-clients"
+ ]
+ }
+ },
+ {
+ "name": "service-admin-group",
+ "path": "/service-admin-group",
+ "realmRoles": [
+ "alrt-rx-rw",
+ "rs-access-r",
+ "infra-manager-core-read-role",
+ "infra-manager-core-write-role",
+ "alrt-rw"
+ ],
+ "clientRoles": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ],
+ "master-realm": [
+ "view-users",
+ "query-users",
+ "manage-clients"
+ ],
+ "telemetry-client": [
+ "admin"
+ ],
+ "cluster-management-client": [
+ "restricted-role",
+ "standard-role",
+ "base-role"
+ ],
+ "registry-client": [
+ "registry-admin-role"
+ ]
+ }
+ },
+ {
+ "name": "edge-manager-group",
+ "path": "/edge-manager-group",
+ "realmRoles": [
+ "app-service-proxy-read-role",
+ "app-service-proxy-write-role",
+ "app-deployment-manager-read-role",
+ "app-deployment-manager-write-role",
+ "app-resource-manager-read-role",
+ "app-resource-manager-write-role",
+ "app-vm-console-write-role",
+ "catalog-publisher-read-role",
+ "catalog-publisher-write-role",
+ "catalog-other-read-role",
+ "catalog-other-write-role",
+ "catalog-restricted-read-role",
+ "catalog-restricted-write-role",
+ "clusters-read-role",
+ "clusters-write-role",
+ "cluster-templates-read-role",
+ "cluster-templates-write-role",
+ "cluster-artifacts-read-role",
+ "cluster-artifacts-write-role",
+ "infra-manager-core-read-role",
+ "alrt-rw"
+ ],
+ "clientRoles": {
+ "telemetry-client": [
+ "viewer"
+ ],
+ "cluster-management-client": [
+ "standard-role",
+ "base-role"
+ ],
+ "registry-client": [
+ "registry-editor-role"
+ ]
+ }
+ },
+ {
+ "name": "edge-operator-group",
+ "path": "/edge-operator-group",
+ "realmRoles": [
+ "app-service-proxy-read-role",
+ "app-service-proxy-write-role",
+ "app-deployment-manager-read-role",
+ "app-deployment-manager-write-role",
+ "app-resource-manager-read-role",
+ "app-resource-manager-write-role",
+ "app-vm-console-write-role",
+ "catalog-publisher-read-role",
+ "catalog-other-read-role",
+ "clusters-read-role",
+ "clusters-write-role",
+ "cluster-templates-read-role",
+ "cluster-artifacts-read-role",
+ "cluster-artifacts-write-role",
+ "infra-manager-core-read-role",
+ "alrt-r"
+ ],
+ "clientRoles": {
+ "telemetry-client": [
+ "viewer"
+ ],
+ "registry-client": [
+ "registry-viewer-role"
+ ]
+ }
+ },
+ {
+ "name": "host-manager-group",
+ "path": "/host-manager-group",
+ "realmRoles": [
+ "infra-manager-core-read-role",
+ "infra-manager-core-write-role"
+ ],
+ "clientRoles": {
+ "telemetry-client": [
+ "viewer"
+ ]
+ }
+ },
+ {
+ "name": "sre-group",
+ "path": "/sre-group",
+ "realmRoles": [
+ "alrt-r",
+ "clusters-read-role",
+ "clusters-write-role",
+ "cluster-templates-read-role",
+ "infra-manager-core-read-role"
+ ],
+ "clientRoles": {
+ "telemetry-client": [
+ "viewer"
+ ],
+ "cluster-management-client": [
+ "base-role",
+ "restricted-role"
+ ]
+ }
+ }
+ ],
+ "users": [
+ {
+ "username": "service-account-alerts-m2m-client",
+ "enabled": true,
+ "totp": false,
+ "serviceAccountClientId": "alerts-m2m-client",
+ "realmRoles": [
+ "default-roles-master"
+ ],
+ "clientRoles": {
+ "alerts-m2m-client": [
+ "uma_protection"
+ ],
+ "master-realm": [
+ "view-users"
+ ]
+ },
+ "notBefore": 0
+ },
+ {
+ "username": "service-account-host-manager-m2m-client",
+ "enabled": true,
+ "totp": false,
+ "serviceAccountClientId": "host-manager-m2m-client",
+ "realmRoles": [
+ "default-roles-master",
+ "rs-access-r"
+ ],
+ "clientRoles": {
+ "host-manager-m2m-client": [
+ "uma_protection"
+ ],
+ "master-realm": [
+ "query-clients",
+ "manage-authorization",
+ "view-clients",
+ "view-users",
+ "create-client",
+ "manage-users",
+ "manage-clients",
+ "view-realm"
+ ]
+ },
+ "notBefore": 0
+ },
+ {
+ "username": "service-account-ktc-m2m-client",
+ "enabled": true,
+ "totp": false,
+ "serviceAccountClientId": "ktc-m2m-client",
+ "realmRoles": [
+ "admin",
+ "create-realm",
+ "default-roles-master",
+ "rs-access-r"
+ ],
+ "clientRoles": {
+ "ktc-m2m-client": [
+ "uma_protection"
+ ],
+ "master-realm": [
+ "query-clients",
+ "manage-authorization",
+ "view-clients",
+ "view-users",
+ "create-client",
+ "manage-users",
+ "manage-clients"
+ ]
+ },
+ "notBefore": 0
+ },
+ {
+ "username": "service-account-3rd-party-host-manager-m2m-client",
+ "enabled": true,
+ "totp": false,
+ "serviceAccountClientId": "3rd-party-host-manager-m2m-client",
+ "realmRoles": [
+ "default-roles-master",
+ "rs-access-r"
+ ],
+ "clientRoles": {
+ "3rd-party-host-manager-m2m-client": [
+ "uma_protection"
+ ],
+ "master-realm": [
+ "query-clients",
+ "manage-authorization",
+ "view-clients",
+ "view-users",
+ "create-client",
+ "manage-users",
+ "manage-clients",
+ "view-realm",
+ ]
+ },
+ "notBefore": 0
+ },
+ {
+ "username": "service-account-en-m2m-template-client",
+ "enabled": true,
+ "totp": false,
+ "serviceAccountClientId": "en-m2m-template-client",
+ "realmRoles": [
+ "default-roles-master",
+ "rs-access-r",
+ "en-agent-rw"
+ ],
+ "clientRoles": {
+ "en-m2m-template-client": [
+ "uma_protection"
+ ]
+ },
+ "notBefore": 0
+ },
+ {
+ "username": "service-account-edge-manager-m2m-client",
+ "enabled": true,
+ "totp": false,
+ "serviceAccountClientId": "edge-manager-m2m-client",
+ "realmRoles": [
+ "default-roles-master"
+ ],
+ "clientRoles": {
+ "edge-manager-m2m-client": [
+ "uma_protection"
+ ]
+ },
+ "notBefore": 0,
+ "groups": [
+ "/edge-manager-group",
+ "/apps-m2m-service-account"
+ ]
+ },
+ ],
+ "components": {
+ "org.keycloak.keys.KeyProvider": [
+ {
+ "name": "fallback-PS512",
+ "providerId": "rsa-generated",
+ "subComponents": {},
+ "config": {
+ "keySize": [
+ "4096"
+ ],
+ "active": [
+ "true"
+ ],
+ "priority": [
+ "-100"
+ ],
+ "enabled": [
+ "true"
+ ],
+ "algorithm": [
+ "PS512"
+ ]
+ }
+ }
+ ]
+ }
+ }
+# yamllint enable rule:line-length
diff --git a/argocd/applications/configs/platform-keycloak.yaml b/argocd/applications/configs/platform-keycloak.yaml
index 4eda44459..98a151bb3 100644
--- a/argocd/applications/configs/platform-keycloak.yaml
+++ b/argocd/applications/configs/platform-keycloak.yaml
@@ -2,1210 +2,168 @@ # # SPDX-License-Identifier: Apache-2.0 -global: - security: - allowInsecureImages: true +# Keycloak Configuration - CodeCentric Chart +# Modular configuration for production deployment + +################################# +# IDENTITY & NAMING +################################# +## Ensure service name compatibility with existing consumers +fullnameOverride: "platform-keycloak" + +################################# +# CONTAINER & IMAGE +################################# image: - registry: docker.io - repository: bitnamilegacy/keycloak - tag: 26.1.3-debian-12-r0 + repository: quay.io/keycloak/keycloak + tag: "26.0.7" pullPolicy: IfNotPresent -containerSecurityContext: +################################# +# SECURITY CONFIGURATION +################################# +securityContext: + runAsNonRoot: true + runAsUser: 1000 allowPrivilegeEscalation: false capabilities: drop: ["ALL"] seccompProfile: type: "RuntimeDefault" -# disable network policy to avoid intermittent dns issues -networkPolicy: - enabled: false +podSecurityContext: + fsGroup: 1000 -## PostgreSQL chart configuration -## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml -## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart -postgresql: - enabled: false +podLabels: + sidecar.istio.io/inject: "false" -## Service configuration -## +################################# +# NETWORK & SERVICE +################################# service: - ## @param service.type Kubernetes service type, default: LoadBalancer - ## type: ClusterIP - ports: - http: 8080 + httpPort: 8080 -## Keycloak authentication parameters -## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials -## -auth: - ## @param auth.adminUser Keycloak administrator user - ## - adminUser: admin - ## @param auth.adminPassword Keycloak administrator password for the new user - ## - adminPassword: "" +networkPolicy: + enabled: false - passwordSecretKey: 
admin-password - existingSecret: platform-keycloak +################################# +# KEYCLOAK CONFIGURATION +################################# +## Startup configuration +command: + - "/opt/keycloak/bin/kc.sh" -## Adds argument for enabling legacy logout redirect -## This is needed for the Grafana client integration which does not currently support the new way keycloak does single sign-out. -## Keycloak mentions that this legacy feature will be removed in Keycloak 23.0. -extraStartupArgs: >- - --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true - --spi-brute-force-protector-default-brute-force-detector-allow-concurrent-requests=true +args: + - "start" + - "--optimized" + - "--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true" + - "--spi-brute-force-protector-default-brute-force-detector-allow-concurrent-requests=true" -## Configuration for keycloak-config-cli -## ref: https://github.com/adorsys/keycloak-config-cli -## -keycloakConfigCli: - ## @param keycloakConfigCli.enabled Whether to enable keycloak-config-cli job - ## +## Environment variables for Keycloak configuration +extraEnv: | + # Admin credentials + - name: KEYCLOAK_ADMIN + value: "admin" + - name: KEYCLOAK_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: platform-keycloak + key: admin-password + + # HTTP/HTTPS configuration + - name: KC_HOSTNAME_STRICT + value: "false" + - name: KC_HOSTNAME_STRICT_HTTPS + value: "false" + - name: KC_HTTP_ENABLED + value: "true" + - name: KC_PROXY + value: "passthrough" + + # Feature enablement + - name: KC_HEALTH_ENABLED + value: "true" + - name: KC_METRICS_ENABLED + value: "true" + + # Database configuration + - name: KC_DB + value: "postgres" + - name: KC_DB_URL_HOST + valueFrom: + secretKeyRef: + name: platform-keycloak-local-postgresql + key: PGHOST + - name: KC_DB_URL_PORT + valueFrom: + secretKeyRef: + name: platform-keycloak-local-postgresql + key: PGPORT + - name: KC_DB_URL_DATABASE + valueFrom: + secretKeyRef: + name: 
platform-keycloak-local-postgresql + key: PGDATABASE + - name: KC_DB_USERNAME + valueFrom: + secretKeyRef: + name: platform-keycloak-local-postgresql + key: PGUSER + - name: KC_DB_PASSWORD + valueFrom: + secretKeyRef: + name: platform-keycloak-local-postgresql + key: PGPASSWORD + +################################# +# DATABASE CONFIGURATION +################################# +database: + vendor: postgres + existingSecret: platform-keycloak-local-postgresql + +dbchecker: enabled: true - args: - - --import.managed.group="no-delete" - - --import.managed.required-action="no-delete" - - --import.managed.role="no-delete" - - --import.managed.client="no-delete" - ## @param keycloakConfigCli.annotations [object] Annotations for keycloak-config-cli job - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - annotations: - helm.sh/hook: "post-install" - helm.sh/hook-delete-policy: "hook-succeeded" +################################# +# HEALTH & MONITORING +################################# +livenessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 3 + +readinessProbe: + httpGet: + path: /realms/master + port: http + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 - ## do not inject sidecar to pods for job - podLabels: - sidecar.istio.io/inject: "false" +metrics: + enabled: true + +health: + enabled: true - ## @param keycloakConfigCli.configuration keycloak-config-cli realms configuration - ## NOTE: nil keys will be considered files to import locally - ## Example: - ## configuration: - ## realm1.json: | - ## { - ## "realm": "realm1", - ## "clients": [] - ## } - ## files/realm2.yaml: - ## realm3.yaml: | - ## realm: realm3 - ## clients: [] - ## +################################# +# CLUSTERING & CACHE +################################# +cache: + stack: default - # yamllint disable rule:line-length - configuration: - 
realm-master.json: |
- {
- "realm": "master",
- "accountTheme": "keycloak",
- "displayName": "Keycloak",
- "displayNameHtml": "",
- "defaultSignatureAlgorithm": "PS512",
- "accessTokenLifespan": 3600,
- "ssoSessionIdleTimeout": 5400,
- "ssoSessionMaxLifespan": 43200,
- "passwordPolicy": "length(14) and digits(1) and specialChars(1) and upperCase(1) and lowerCase(1)",
- "bruteForceProtected": true,
- "permanentLockout": false,
- "maxFailureWaitSeconds": 900,
- "minimumQuickLoginWaitSeconds": 60,
- "waitIncrementSeconds": 300,
- "quickLoginCheckMilliSeconds": 200,
- "maxDeltaTimeSeconds": 43200,
- "failureFactor": 5,
- "roles": {
- "realm": [
- {
- "name": "en-agent-rw"
- },
- {
- "name": "secrets-root-role"
- },
- {
- "name": "rs-access-r"
- },
- {
- "name": "rs-proxy-r"
- },
- {
- "name": "app-service-proxy-read-role"
- },
- {
- "name": "app-service-proxy-write-role"
- },
- {
- "name": "app-deployment-manager-read-role"
- },
- {
- "name": "app-deployment-manager-write-role"
- },
- {
- "name": "app-resource-manager-read-role"
- },
- {
- "name": "app-resource-manager-write-role"
- },
- {
- "name": "app-vm-console-write-role"
- },
- {
- "name": "catalog-publisher-read-role"
- },
- {
- "name": "catalog-publisher-write-role"
- },
- {
- "name": "catalog-other-read-role"
- },
- {
- "name": "catalog-other-write-role"
- },
- {
- "name": "catalog-restricted-read-role"
- },
- {
- "name": "catalog-restricted-write-role"
- },
- {
- "name": "clusters-read-role"
- },
- {
- "name": "clusters-write-role"
- },
- {
- "name": "cluster-templates-read-role"
- },
- {
- "name": "cluster-templates-write-role"
- },
- {
- "name": "cluster-artifacts-read-role"
- },
- {
- "name": "cluster-artifacts-write-role"
- },
- {
- "name": "infra-manager-core-read-role"
- },
- {
- "name": "infra-manager-core-write-role"
- },
- {
- "name": "alrt-r"
- },
- {
- "name": "alrt-rw"
- },
- {
- "name": "alrt-rx-rw"
- },
- {
- "name": "ao-m2m-rw"
- },
- {
- "name": "co-m2m-rw"
- },
- {
- "name": "org-read-role"
- },
- {
- "name": "org-write-role"
- },
- {
- "name": "org-update-role"
- },
- {
- "name": "org-delete-role"
- }
- ],
- "client": {
- "alerts-m2m-client": [],
- "host-manager-m2m-client": [],
- "ktc-m2m-client": [],
- "3rd-party-host-manager-m2m-client": [],
- "edge-manager-m2m-client": [],
- "en-m2m-template-client": [],
- "webui-client": [],
- "docsui-client": [],
- "account": [
- {
- "name": "view-profile",
- "clientRole": true
- },
- {
- "name": "manage-account",
- "clientRole": true
- }
- ],
- "telemetry-client": [
- {
- "name": "admin",
- "clientRole": true
- },
- {
- "name": "viewer",
- "clientRole": true
- }
- ],
- "cluster-management-client": [
- {
- "name": "restricted-role",
- "clientRole": true
- },
- {
- "name": "standard-role",
- "clientRole": true
- },
- {
- "name": "base-role",
- "clientRole": true
- }
- ],
- "registry-client": [
- {
- "name": "registry-admin-role",
- "clientRole": true
- },
- {
- "name": "registry-editor-role",
- "clientRole": true
- },
- {
- "name": "registry-viewer-role",
- "clientRole": true
- }
- ]
- }
- },
- "clients": [
- {
- "clientId": "alerts-m2m-client",
- "name": "Alerts M2M Client",
- "description": "Client for Alerts",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": false,
- "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": true,
- "authorizationServicesEnabled": true,
- "publicClient": false,
- "protocol": "openid-connect",
- "attributes": {
- "oidc.ciba.grant.enabled": "false",
- "oauth2.device.authorization.grant.enabled": "false",
- "backchannel.logout.revoke.offline.tokens": "false"
- },
- "fullScopeAllowed": true,
- "defaultClientScopes": [
- "web-origins",
- "acr",
- "profile",
- "roles",
- "email",
- "basic"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
- },
- {
- "clientId": "host-manager-m2m-client",
- "name": "Host Manager Client",
- "description": "Client for the EN Host Manager to use in creating edgenode m2m clients",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": false,
- "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": true,
- "authorizationServicesEnabled": true,
- "publicClient": false,
- "frontchannelLogout": true,
- "protocol": "openid-connect",
- "attributes": {
- "oidc.ciba.grant.enabled": "false",
- "oauth2.device.authorization.grant.enabled": "false",
- "backchannel.logout.session.required": "true",
- "backchannel.logout.revoke.offline.tokens": "false"
- },
- "fullScopeAllowed": true,
- "defaultClientScopes": [
- "web-origins",
- "acr",
- "profile",
- "roles",
- "email",
- "basic"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
- },
- {
- "clientId": "ktc-m2m-client",
- "name": "Keycloak Tenant Controller client",
- "description": "Client for the Keycloak Tenant Controller to use in creating Tenant specific roles and groups in Keycloak",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": false,
- "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": true,
- "authorizationServicesEnabled": true,
- "publicClient": false,
- "frontchannelLogout": true,
- "protocol": "openid-connect",
- "attributes": {
- "oidc.ciba.grant.enabled": "false",
- "oauth2.device.authorization.grant.enabled": "false",
- "backchannel.logout.session.required": "true",
- "backchannel.logout.revoke.offline.tokens": "false"
- },
- "fullScopeAllowed": true,
- "defaultClientScopes": [
- "web-origins",
- "acr",
- "profile",
- "roles",
- "groups",
- "email",
- "basic"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
- },
- {
- "clientId": "3rd-party-host-manager-m2m-client",
- "name": "3rd Party Host Manager Client",
- "description": "Client for the 3rd party Host Manager to use in creating edgenode m2m clients",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": false,
- "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": true,
- "authorizationServicesEnabled": true,
- "publicClient": false,
- "frontchannelLogout": true,
- "protocol": "openid-connect",
- "attributes": {
- "oidc.ciba.grant.enabled": "false",
- "oauth2.device.authorization.grant.enabled": "false",
- "backchannel.logout.session.required": "true",
- "backchannel.logout.revoke.offline.tokens": "false"
- },
- "fullScopeAllowed": true,
- "defaultClientScopes": [
- "web-origins",
- "acr",
- "profile",
- "roles",
- "email",
- "basic"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
- },
- {
- "clientId": "edge-manager-m2m-client",
- "name": "Edge Manager M2M Client",
- "description": "Client for the accessing Orchestrator with Edge-Manager persona",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": false,
- "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": true,
- "authorizationServicesEnabled": true,
- "publicClient": false,
- "frontchannelLogout": true,
- "protocol": "openid-connect",
- "attributes": {
- "oidc.ciba.grant.enabled": "false",
- "oauth2.device.authorization.grant.enabled": "false",
- "backchannel.logout.session.required": "true",
- "backchannel.logout.revoke.offline.tokens": "false"
- },
- "fullScopeAllowed": true,
- "defaultClientScopes": [
- "roles",
- "email",
- "groups",
- "basic"
- ],
- "optionalClientScopes": [
- "offline_access",
- ]
- },
- {
- "clientId": "en-m2m-template-client",
- "name": "Edge Node M2M Template Client",
- "description": "Client to use as basis for Roles to assign to new Edge Node M2M clients",
- "surrogateAuthRequired": false,
- "enabled": false,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": false,
- "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": true,
- "authorizationServicesEnabled": true,
- "publicClient": false,
- "protocol": "openid-connect",
- "attributes": {
- "oidc.ciba.grant.enabled": "false",
- "oauth2.device.authorization.grant.enabled": "false",
- "backchannel.logout.revoke.offline.tokens": "false"
- },
- "fullScopeAllowed": true,
- "defaultClientScopes": [
- "web-origins",
- "acr",
- "profile",
- "roles",
- "email",
- "basic"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
- },
- {
- "clientId": "telemetry-client",
- "name": "Telemetry Client",
- "rootUrl": {{ .Values.clusterSpecific.telemetryClientRootUrl | toJson }},
- "enabled": true,
- "clientAuthenticatorType": "client-secret",
- "redirectUris": {{ .Values.clusterSpecific.telemetryRedirectUrls | toJson }},
- "webOrigins": [
- "+"
- ],
- "protocol": "openid-connect",
- "directAccessGrantsEnabled": true,
- "attributes": {
- "oidc.ciba.grant.enabled": "false",
- "client.secret.creation.time": "1683218404",
- "backchannel.logout.session.required": "true",
- "post.logout.redirect.uris": "+",
- "display.on.consent.screen": "false",
- "use.jwks.url": "false",
- "oauth2.device.authorization.grant.enabled": "false",
- "backchannel.logout.revoke.offline.tokens": "false"
- },
- "fullScopeAllowed": true,
- "defaultClientScopes": [
- "roles",
- "profile",
- "email",
- "basic"
- ],
- "optionalClientScopes": [
- "groups",
- "offline_access"
- ]
- },
- {
- "clientId": "cluster-management-client",
- "name": "Cluster Management Client",
- "rootUrl": {{ .Values.clusterSpecific.clusterManagementClientRootUrl | toJson }},
- "adminUrl": {{ .Values.clusterSpecific.clusterManagementClientRootUrl | toJson }},
- "surrogateAuthRequired": false,
- "enabled": true,
- "clientAuthenticatorType": "client-secret",
- "redirectUris": {{ .Values.clusterSpecific.clusterManagementRedirectUrls | toJson }},
- "webOrigins": [
- "+"
- ],
- "directAccessGrantsEnabled": true,
- "serviceAccountsEnabled": false,
- "publicClient": true,
- "frontchannelLogout": true,
- "protocol": "openid-connect",
- "attributes": {
- "oauth2.device.authorization.grant.enabled": "false",
- "backchannel.logout.revoke.offline.tokens": "false",
- "use.refresh.tokens": "true",
- "oidc.ciba.grant.enabled": "false",
- "backchannel.logout.session.required": "true",
- "client_credentials.use_refresh_token": "false",
- "require.pushed.authorization.requests": "false",
- "tls.client.certificate.bound.access.tokens": "false",
- "display.on.consent.screen": "false",
- "token.response.type.bearer.lower-case": "false",
- },
- "fullScopeAllowed": true,
- "protocolMappers": [
- {
- "name": "Group Path",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-group-membership-mapper",
- "consentRequired": false,
- "config": {
- "full.path": "true",
- "id.token.claim": "false",
- "access.token.claim": "false",
- "claim.name": "full_group_path",
- "userinfo.token.claim": "true"
- }
- },
- {
- "name": "Groups Mapper",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-group-membership-mapper",
- "consentRequired": false,
- "config": {
- "full.path": "false",
- "id.token.claim": "false",
- "access.token.claim": "false",
- "claim.name": "groups",
- "userinfo.token.claim": "true"
- }
- },
- {
- "name": "Client Audience",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-audience-mapper",
- "consentRequired": false,
- "config": {
- "included.client.audience": "cluster-management-client",
- "id.token.claim": "false",
- "access.token.claim": "true"
- }
- }
- ],
- "defaultClientScopes": [
- "profile",
- "roles",
- "email",
- "basic"
- ],
- "optionalClientScopes": [
- "groups",
- "offline_access",
- ],
- "authorizationServicesEnabled": false
- },
- {
- "clientId": "webui-client",
- "name": "WebUI Client",
- "rootUrl": {{ .Values.clusterSpecific.webuiClientRootUrl | toJson }},
- "enabled": true,
- "clientAuthenticatorType": "client-secret",
- "redirectUris": {{ .Values.clusterSpecific.webuiRedirectUrls | toJson }},
- "webOrigins": [
- "+"
- ],
- "protocol": "openid-connect",
- "directAccessGrantsEnabled": false,
- "attributes": {
- "oidc.ciba.grant.enabled": "false",
- "client.secret.creation.time": "1683218404",
- "backchannel.logout.session.required": "true",
- "post.logout.redirect.uris": "+",
- "display.on.consent.screen": "false",
- "oauth2.device.authorization.grant.enabled": "true",
- "backchannel.logout.revoke.offline.tokens": "false"
- },
- "fullScopeAllowed": true,
- "defaultClientScopes": [
- "roles",
- "profile",
- "email",
- "basic"
- ],
- "optionalClientScopes": [
- "groups",
- "offline_access"
- ]
- },
- {
- "clientId": "docsui-client",
- "name": "DocsUI Client",
- "rootUrl": {{ .Values.clusterSpecific.docsuiClientRootUrl | toJson }},
- "enabled": true,
- "clientAuthenticatorType": "client-secret",
- "redirectUris": {{ .Values.clusterSpecific.docsuiRedirectUrls | toJson }},
- "webOrigins": [
- "+"
- ],
- "protocol": "openid-connect",
- "directAccessGrantsEnabled": false,
- "attributes": {
- "oidc.ciba.grant.enabled": "false",
- "client.secret.creation.time": "1683218404",
- "backchannel.logout.session.required": "true",
- "post.logout.redirect.uris": "+",
- "display.on.consent.screen": "false",
- "oauth2.device.authorization.grant.enabled": "true",
- "backchannel.logout.revoke.offline.tokens": "false"
- },
- "fullScopeAllowed": true,
- "defaultClientScopes": [
- "roles",
- "profile",
- "email",
- "basic"
- ],
- "optionalClientScopes": [
- "groups",
- "offline_access"
- ]
- },
- {
- "clientId": "system-client",
- "name": "System Client",
- "surrogateAuthRequired": false,
- "enabled": true,
- "clientAuthenticatorType": "client-secret",
- "redirectUris": [],
- "webOrigins": [],
- "standardFlowEnabled": false,
- "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": true,
- "serviceAccountsEnabled": false,
- "publicClient": true,
- "frontchannelLogout": true,
- "protocol": "openid-connect",
- "attributes": {
- "oidc.ciba.grant.enabled": "false",
- "oauth2.device.authorization.grant.enabled": "true",
- "backchannel.logout.session.required": "true",
- "backchannel.logout.revoke.offline.tokens": "false"
- },
- "fullScopeAllowed": true,
- "defaultClientScopes": [
- "roles",
- "profile",
- "email",
- "basic"
- ],
- "optionalClientScopes": [
- "groups",
- "offline_access"
- ]
- },
- {
- "frontchannelLogout": true,
- "standardFlowEnabled": true,
- "clientId": "registry-client",
- "name": "Registry Client",
- "rootUrl": {{ .Values.clusterSpecific.registryClientRootUrl | toJson }},
- "enabled": true,
- "clientAuthenticatorType": "client-secret",
- "redirectUris": [
- "/c/oidc/callback"
- ],
- "webOrigins": [
- "+"
- ],
- "protocol": "openid-connect",
- "directAccessGrantsEnabled": true,
- "attributes": {
- "oidc.ciba.grant.enabled": "false",
- "client.secret.creation.time": "1683218404",
- "backchannel.logout.session.required": "true",
- "post.logout.redirect.uris": "+",
- "display.on.consent.screen": "false",
- "use.jwks.url": "false",
- "oauth2.device.authorization.grant.enabled": "false",
- "backchannel.logout.revoke.offline.tokens": "false"
- },
- "fullScopeAllowed": true,
- "defaultClientScopes": [
- "roles",
- "profile",
- "email",
- "groups",
- "basic"
- ],
- "optionalClientScopes": [
- "offline_access"
- ]
- }
- ],
- "clientScopes": [
- {
- "name": "groups",
- "description": "Groups scope",
- "type": "Optional",
- "protocol": "openid-connect",
- "attributes": {
- "include.in.token.scope": "true",
- "display.on.consent.screen": "true"
- },
- "protocolMappers": [
- {
- "name": "groups",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-group-membership-mapper",
- "consentRequired": false,
- "config": {
- "multivalued": "true",
- "full.path": "false",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "groups",
- "userinfo.token.claim": "true",
- "jsonType.label": "String"
- }
- }
- ]
- },
- {
- "name": "roles",
- "description": "OpenID Connect scope for add user roles to the access token",
- "protocol": "openid-connect",
- "attributes": {
- "include.in.token.scope": "true",
- "display.on.consent.screen": "true",
- "gui.order": "",
- "consent.screen.text": '{{"$"}}{{"{"}}roleScopeConsentText{{"}"}}'
- },
- "protocolMappers": [
- {
- "name": "realm roles",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-realm-role-mapper",
- "consentRequired": false,
- "config": {
- "multivalued": "true",
- "userinfo.token.claim": "true",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "realm_access.roles",
- "jsonType.label": "String"
- }
- },
- {
- "name": "client roles",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-client-role-mapper",
- "consentRequired": false,
- "config": {
- "multivalued": "true",
- "userinfo.token.claim": "true",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "resource_access.{{"$"}}{{"{"}}client_id{{"}"}}.roles",
- "jsonType.label": "String"
- }
- }
- ]
- }
- ],
- "groups": [
- {
- "name": "registry-app-admin-group",
- "path": "/registry-app-admin-group",
- },
- {
- "name": "registry-app-editor-group",
- "path": "/registry-app-editor-group",
- },
- {
- "name": "registry-app-viewer-group",
- "path": "/registry-app-viewer-group",
- },
- {
- "name": "apps-m2m-service-account",
- "path": "/apps-m2m-service-account",
- "realmRoles": [
- "ao-m2m-rw",
- "co-m2m-rw"
- ]
- },
- {
- "name": "org-admin-group",
- "path": "/org-admin-group",
- "realmRoles": [
- "org-read-role",
- "org-update-role",
- "org-delete-role",
- "org-write-role"
- ]
- },
- {
- "name": "sre-admin-group",
- "path": "/sre-admin-group",
- "realmRoles": [
- "alrt-r"
- ],
- "clientRoles": {
- "account": [
- "view-profile",
- "manage-account"
- ],
- "telemetry-client": [
- "viewer"
- ]
- }
- },
- {
- "name": "iam-admin-group",
- "path": "/iam-admin-group",
- "realmRoles": [
- "admin",
- "secrets-root-role"
- ],
- "clientRoles": {
- "account": [
- "view-profile",
- "manage-account"
- ],
- "master-realm": [
- "view-users",
- "query-users",
- "manage-clients"
- ]
- }
- },
- {
- "name": "service-admin-group",
- "path": "/service-admin-group",
- "realmRoles": [
- "alrt-rx-rw",
- "rs-access-r",
- "infra-manager-core-read-role",
- "infra-manager-core-write-role",
- "alrt-rw"
- ],
- "clientRoles": {
- "account": [
- "view-profile",
- "manage-account"
- ],
- "master-realm": [
- "view-users",
- "query-users",
- "manage-clients"
- ],
- "telemetry-client": [
- "admin"
- ],
- "cluster-management-client": [
- "restricted-role",
- "standard-role",
- "base-role"
- ],
- "registry-client": [
- "registry-admin-role"
- ]
- }
- },
- {
- "name": "edge-manager-group",
- "path": "/edge-manager-group",
- "realmRoles": [
- "app-service-proxy-read-role",
- "app-service-proxy-write-role",
- "app-deployment-manager-read-role",
- "app-deployment-manager-write-role",
- "app-resource-manager-read-role",
- "app-resource-manager-write-role",
- "app-vm-console-write-role",
- "catalog-publisher-read-role",
- "catalog-publisher-write-role",
- "catalog-other-read-role",
- "catalog-other-write-role",
- "catalog-restricted-read-role",
- "catalog-restricted-write-role",
- "clusters-read-role",
- "clusters-write-role",
- "cluster-templates-read-role",
- "cluster-templates-write-role",
- "cluster-artifacts-read-role",
- "cluster-artifacts-write-role",
- "infra-manager-core-read-role",
- "alrt-rw"
- ],
- "clientRoles": {
- "telemetry-client": [
- "viewer"
- ],
- "cluster-management-client": [
- "standard-role",
- "base-role"
- ],
- "registry-client": [
- "registry-editor-role"
- ]
- }
- },
- {
- "name": "edge-operator-group",
- "path": "/edge-operator-group",
- "realmRoles": [
- "app-service-proxy-read-role",
- "app-service-proxy-write-role",
- "app-deployment-manager-read-role",
- "app-deployment-manager-write-role",
- "app-resource-manager-read-role",
- "app-resource-manager-write-role",
- "app-vm-console-write-role",
- "catalog-publisher-read-role",
- "catalog-other-read-role",
- "clusters-read-role",
- "clusters-write-role",
- "cluster-templates-read-role",
- "cluster-artifacts-read-role",
- "cluster-artifacts-write-role",
- "infra-manager-core-read-role",
- "alrt-r"
- ],
- "clientRoles": {
- "telemetry-client": [
- "viewer"
- ],
- "registry-client": [
- "registry-viewer-role"
- ]
- }
- },
- {
- "name": "host-manager-group",
- "path": "/host-manager-group",
- "realmRoles": [
- "infra-manager-core-read-role",
- "infra-manager-core-write-role"
- ],
- "clientRoles": {
- "telemetry-client": [
- "viewer"
- ]
- }
- },
- {
- "name": "sre-group",
- "path": "/sre-group",
- "realmRoles": [
- "alrt-r",
- "clusters-read-role",
- "clusters-write-role",
- "cluster-templates-read-role",
- "infra-manager-core-read-role"
- ],
- "clientRoles": {
- "telemetry-client": [
- "viewer"
- ],
- "cluster-management-client": [
- "base-role",
- "restricted-role"
- ]
- }
- }
- ],
- "users": [
- {
- "username": "service-account-alerts-m2m-client",
- "enabled": true,
- "totp": false,
- "serviceAccountClientId": "alerts-m2m-client",
- "realmRoles": [
- "default-roles-master"
- ],
- "clientRoles": {
- "alerts-m2m-client": [
- "uma_protection"
- ],
- "master-realm": [
- "view-users"
- ]
- },
- "notBefore": 0
- },
- {
- "username": "service-account-host-manager-m2m-client",
- "enabled": true,
- "totp": false,
- "serviceAccountClientId": "host-manager-m2m-client",
- "realmRoles": [
- "default-roles-master",
- "rs-access-r"
- ],
- "clientRoles": {
- "host-manager-m2m-client": [
- "uma_protection"
- ],
- "master-realm": [
- "query-clients",
- "manage-authorization",
- "view-clients",
- "view-users",
- "create-client",
- "manage-users",
- "manage-clients",
- "view-realm"
- ]
- },
- "notBefore": 0
- },
- {
- "username": "service-account-ktc-m2m-client",
- "enabled": true,
- "totp": false,
- "serviceAccountClientId": "ktc-m2m-client",
- "realmRoles": [
- "admin",
- "create-realm",
- "default-roles-master",
- "rs-access-r"
- ],
- "clientRoles": {
- "ktc-m2m-client": [
- "uma_protection"
- ],
- "master-realm": [
- "query-clients",
- "manage-authorization",
- "view-clients",
- "view-users",
- "create-client",
- "manage-users",
- "manage-clients"
- ]
- },
- "notBefore": 0
- },
- {
- "username": "service-account-3rd-party-host-manager-m2m-client",
- "enabled": true,
- "totp": false,
- "serviceAccountClientId": "3rd-party-host-manager-m2m-client",
- "realmRoles": [
- "default-roles-master",
- "rs-access-r"
- ],
- "clientRoles": {
- "3rd-party-host-manager-m2m-client": [
- "uma_protection"
- ],
- "master-realm": [
- "query-clients",
- "manage-authorization",
- "view-clients",
- "view-users",
- "create-client",
- "manage-users",
- "manage-clients",
- "view-realm",
- ]
- },
- "notBefore": 0
- },
- {
- "username": "service-account-en-m2m-template-client",
- "enabled": true,
- "totp": false,
- "serviceAccountClientId": "en-m2m-template-client",
- "realmRoles": [
- "default-roles-master",
- "rs-access-r",
- "en-agent-rw"
- ],
- "clientRoles": {
- 
"en-m2m-template-client": [ - "uma_protection" - ] - }, - "notBefore": 0 - }, - { - "username": "service-account-edge-manager-m2m-client", - "enabled": true, - "totp": false, - "serviceAccountClientId": "edge-manager-m2m-client", - "realmRoles": [ - "default-roles-master" - ], - "clientRoles": { - "edge-manager-m2m-client": [ - "uma_protection" - ] - }, - "notBefore": 0, - "groups": [ - "/edge-manager-group", - "/apps-m2m-service-account" - ] - }, - ], - "components": { - "org.keycloak.keys.KeyProvider": [ - { - "name": "fallback-PS512", - "providerId": "rsa-generated", - "subComponents": {}, - "config": { - "keySize": [ - "4096" - ], - "active": [ - "true" - ], - "priority": [ - "-100" - ], - "enabled": [ - "true" - ], - "algorithm": [ - "PS512" - ] - } - } - ] - } - } -# yamllint enable rule:line-length +################################# +# STORAGE & CONFIGURATION +################################# +## Volume for realm configuration import +extraVolumes: | + - name: keycloak-config + configMap: + name: platform-keycloak-config \ No newline at end of file diff --git a/argocd/applications/custom/platform-keycloak-codecentric.tpl b/argocd/applications/custom/platform-keycloak-codecentric.tpl new file mode 100644 index 000000000..2694486e7 --- /dev/null +++ b/argocd/applications/custom/platform-keycloak-codecentric.tpl 
@@ -0,0 +1,119 @@ +# SPDX-FileCopyrightText: 2025 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 + +# CodeCentric Keycloak Chart Template +# This template provides cluster-specific configuration for the CodeCentric keycloakx chart + +## Cluster-Specific values for realm configuration +## These values parameterize the realm configuration for different environments +## @param clusterSpecific.webuiClientRootUrl The Keycloak Master realm UI Client's rootUrl value +## @param clusterSpecific.webuiRedirectUrls The Keycloak Master realm UI Client's redirectUrl values +## @param clusterSpecific.registryClientRootUrl The Keycloak Master realm Harbor Client's rootUrl value +## @param clusterSpecific.telemetryClientRootUrl The Keycloak Master realm Grafana Client's rootUrl value +## @param clusterSpecific.telemetryRedirectUrls The Keycloak Master realm Grafana Client's redirectUrl values +clusterSpecific: + webuiClientRootUrl: "https://web-ui.{{ .Values.argo.clusterDomain }}" + webuiRedirectUrls: ["https://web-ui.{{ .Values.argo.clusterDomain }}", "https://app-service-proxy.{{ .Values.argo.clusterDomain }}/app-service-proxy-index.html*", "https://vnc.{{ .Values.argo.clusterDomain }}/*", "https://{{ .Values.argo.clusterDomain }}"{{- if index .Values.argo "platform-keycloak" "extraUiRedirects" -}}, {{- index .Values.argo "platform-keycloak" "extraUiRedirects" -}}{{- end -}}] + registryClientRootUrl: "https://registry-oci.{{ .Values.argo.clusterDomain }}" + telemetryClientRootUrl: "https://observability-ui.{{ .Values.argo.clusterDomain }}" + telemetryRedirectUrls: ["https://observability-admin.{{ .Values.argo.clusterDomain }}/login/generic_oauth", "https://observability-ui.{{ .Values.argo.clusterDomain }}/login/generic_oauth"] + +## Environment variables for CodeCentric chart +## These replace Bitnami's extraEnvVars with CodeCentric's extraEnv format +extraEnv: | + # Proxy configuration + - name: HTTPS_PROXY + value: "{{ .Values.argo.proxy.httpsProxy }}" + - name: 
HTTP_PROXY + value: "{{ .Values.argo.proxy.httpProxy }}" + - name: NO_PROXY + value: "{{ .Values.argo.proxy.noProxy }}" + + # Database pool configuration (CodeCentric chart format) + {{ if index .Values.argo "platform-keycloak" "db" }} + - name: KC_DB_POOL_INITIAL_SIZE + value: {{ index .Values.argo "platform-keycloak" "db" "poolInitSize" | default "5" | quote}} + - name: KC_DB_POOL_MIN_SIZE + value: {{ index .Values.argo "platform-keycloak" "db" "poolMinSize" | default "5" | quote}} + - name: KC_DB_POOL_MAX_SIZE + value: {{ index .Values.argo "platform-keycloak" "db" "poolMaxSize" | default "100" | quote}} + {{ end }} + + # Proxy headers for CodeCentric chart + - name: KC_PROXY_HEADERS + value: "xforwarded" + +## Database configuration for CodeCentric chart +## CodeCentric chart uses different database configuration structure +database: + vendor: postgres + existingSecret: platform-keycloak-{{.Values.argo.database.type}}-postgresql + # CodeCentric chart automatically maps secret keys + +## External database secret configuration +## This maintains compatibility with existing secret structure +dbSecretKeys: + host: PGHOST + port: PGPORT + user: PGUSER + database: PGDATABASE + password: PGPASSWORD + +## Storage configuration (if local registry is used) +{{- if index .Values.argo "platform-keycloak" "localRegistrySize"}} +persistence: + storageClass: "" + size: {{index .Values.argo "platform-keycloak" "localRegistrySize"}} +{{- end}} + +## Resource configuration +{{- with .Values.argo.resources.platformKeycloak }} +resources: + {{- toYaml . 
| nindent 2}} +{{- end }} + +## Service configuration for compatibility +service: + type: ClusterIP + httpPort: 8080 + +## Network policy (typically disabled for simplicity) +networkPolicy: + enabled: false + +## Pod labels to avoid sidecar injection +podLabels: + sidecar.istio.io/inject: "false" + +## Additional volumes for realm configuration +extraVolumes: | + - name: keycloak-config + configMap: + name: platform-keycloak-config + +## Health probes configuration +livenessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 3 + +readinessProbe: + httpGet: + path: /realms/master + port: http + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + +## Enable metrics and health endpoints +metrics: + enabled: true + +health: + enabled: true \ No newline at end of file diff --git a/argocd/applications/custom/platform-keycloak.tpl b/argocd/applications/custom/platform-keycloak.tpl index b053f6132..be07fe4a0 100644 --- a/argocd/applications/custom/platform-keycloak.tpl +++ b/argocd/applications/custom/platform-keycloak.tpl 
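Review bot: The `database:` block points at a secret keyed PGHOST/PGPORT/PGUSER/PGDATABASE/PGPASSWORD, but as far as I know the keycloakx chart reads only the password from `database.existingSecret` (the key named by `database.existingSecretKey`, default `password`) and takes host, port, database name and user from `database.hostname`/`port`/`database`/`username`; `dbSecretKeys` is not a value the chart defines, so the `# CodeCentric chart automatically maps secret keys` comment is misleading and Keycloak would start with no DB host and a missing password key. The fix is `existingSecretKey: PGPASSWORD` plus the remaining connection fields injected through `extraEnv` from the same secret, as sketched below, with `dbSecretKeys` dropped. The same block appears in the `@@ -17,37 +19,31 @@` hunk of `argocd/applications/custom/platform-keycloak.tpl`, where the removed `existingSecret*Key` lines were what carried this mapping under the Bitnami chart. `persistence:` likewise is not a keycloakx value I can find, so the `localRegistrySize` branch would be silently ignored.
```yaml
database:
  vendor: postgres
  existingSecret: platform-keycloak-{{.Values.argo.database.type}}-postgresql
  existingSecretKey: PGPASSWORD

extraEnv: |
  # … unchanged: proxy, pool and KC_PROXY_HEADERS entries …
  # Connection fields the chart does not read from existingSecret
  - name: KC_DB_URL_HOST
    valueFrom:
      secretKeyRef:
        name: platform-keycloak-{{.Values.argo.database.type}}-postgresql
        key: PGHOST
  - name: KC_DB_URL_PORT
    valueFrom:
      secretKeyRef:
        name: platform-keycloak-{{.Values.argo.database.type}}-postgresql
        key: PGPORT
  - name: KC_DB_URL_DATABASE
    valueFrom:
      secretKeyRef:
        name: platform-keycloak-{{.Values.argo.database.type}}-postgresql
        key: PGDATABASE
  - name: KC_DB_USERNAME
    valueFrom:
      secretKeyRef:
        name: platform-keycloak-{{.Values.argo.database.type}}-postgresql
        key: PGUSER
```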
@@ -2,14 +2,16 @@ # # SPDX-License-Identifier: Apache-2.0 -## Cluster-Specific values -## These values are not part of bitnami helm chart and are used to parameterize substrings in -## the larger keycloakConfigCli.configuration.realm-master.json value. -## @param clusterSpecific.webuiClientRootUrl The Keycloak Master realm UI Client's rootUrl value as a quoted JSON string -## @param clusterSpecific.webuiRedirectUrls The Keycloak Master realm UI Client's reirectUrl values as a JSON array of quoted JSON strings -## @param clusterSpecific.registryClientRootUrl The Keycloak Master realm Harbor Client's rootUrl value as a quoted JSON string -## @param clusterSpecific.telemetryClientRootUrl The Keycloak Master realm Grafana Client's rootUrl value as a quoted JSON string -## @param clusterSpecific.telemetryRedirectUrls The Keycloak Master realm Grafana Client's reirectUrl values as a JSON array of quoted JSON strings +# CodeCentric Keycloak Chart Template +# Updated for CodeCentric keycloakx chart instead of Bitnami chart + +## Cluster-Specific values for realm configuration +## These values parameterize the realm configuration for different environments +## @param clusterSpecific.webuiClientRootUrl The Keycloak Master realm UI Client's rootUrl value +## @param clusterSpecific.webuiRedirectUrls The Keycloak Master realm UI Client's redirectUrl values +## @param clusterSpecific.registryClientRootUrl The Keycloak Master realm Harbor Client's rootUrl value +## @param clusterSpecific.telemetryClientRootUrl The Keycloak Master realm Grafana Client's rootUrl value +## @param clusterSpecific.telemetryRedirectUrls The Keycloak Master realm Grafana Client's redirectUrl values clusterSpecific: webuiClientRootUrl: "https://web-ui.{{ .Values.argo.clusterDomain }}" webuiRedirectUrls: ["https://web-ui.{{ .Values.argo.clusterDomain }}", "https://app-service-proxy.{{ .Values.argo.clusterDomain }}/app-service-proxy-index.html*", "https://vnc.{{ .Values.argo.clusterDomain }}/*", 
"https://{{ .Values.argo.clusterDomain }}"{{- if index .Values.argo "platform-keycloak" "extraUiRedirects" -}}, {{- index .Values.argo "platform-keycloak" "extraUiRedirects" -}}{{- end -}}] 
@@ -17,37 +19,31 @@ clusterSpecific: telemetryClientRootUrl: "https://observability-ui.{{ .Values.argo.clusterDomain }}" telemetryRedirectUrls: ["https://observability-admin.{{ .Values.argo.clusterDomain }}/login/generic_oauth", "https://observability-ui.{{ .Values.argo.clusterDomain }}/login/generic_oauth"] -## External PostgreSQL configuration -## All of these values are only used when postgresql.enabled is set to false -## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials -## @param externalDatabase.existingSecretHostKey Name of an existing secret key containing the database host name -## @param externalDatabase.existingSecretPortKey Name of an existing secret key containing the database port -## @param externalDatabase.existingSecretUserKey Name of an existing secret key containing the database user -## @param externalDatabase.existingSecretDatabaseKey Name of an existing secret key containing the database name -## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials -externalDatabase: +## Database configuration for CodeCentric chart +## CodeCentric chart uses different database configuration structure than Bitnami +database: + vendor: postgres existingSecret: platform-keycloak-{{.Values.argo.database.type}}-postgresql - existingSecretHostKey: PGHOST - existingSecretPortKey: PGPORT - existingSecretUserKey: PGUSER - existingSecretDatabaseKey: PGDATABASE - existingSecretPasswordKey: PGPASSWORD + # CodeCentric chart automatically maps standard PostgreSQL secret keys -# Use index to handle values with hyphen +## Storage configuration (if local registry is used) {{- if index .Values.argo "platform-keycloak" "localRegistrySize"}} persistence: - persistentVolumeClaim: - registry: - size: {{index .Values.argo "platform-keycloak" "localRegistrySize"}} + storageClass: "" + size: {{index .Values.argo "platform-keycloak" "localRegistrySize"}} {{- 
end}} -extraEnvVars: +## Environment variables for CodeCentric chart (uses extraEnv instead of extraEnvVars) +extraEnv: | + # Proxy configuration - name: HTTPS_PROXY - value: {{.Values.argo.proxy.httpsProxy}} + value: "{{ .Values.argo.proxy.httpsProxy }}" - name: HTTP_PROXY - value: {{.Values.argo.proxy.httpProxy}} + value: "{{ .Values.argo.proxy.httpProxy }}" - name: NO_PROXY - value: {{.Values.argo.proxy.noProxy}} + value: "{{ .Values.argo.proxy.noProxy }}" + + # Database pool configuration {{ if index .Values.argo "platform-keycloak" "db" }} - name: KC_DB_POOL_INITIAL_SIZE value: {{ index .Values.argo "platform-keycloak" "db" "poolInitSize" | default "5" | quote}} @@ -56,10 +52,58 @@ extraEnvVars: - name: KC_DB_POOL_MAX_SIZE value: {{ index .Values.argo "platform-keycloak" "db" "poolMaxSize" | default "100" | quote}} {{ end }} + + # Proxy headers configuration - name: KC_PROXY_HEADERS value: "xforwarded" +## Resource configuration {{- with .Values.argo.resources.platformKeycloak }} resources: {{- toYaml . | nindent 2}} {{- end }} + +## Service configuration for compatibility +service: + type: ClusterIP + httpPort: 8080 + +## Network policy (typically disabled for simplicity) +networkPolicy: + enabled: false + +## Pod labels to avoid sidecar injection +podLabels: + sidecar.istio.io/inject: "false" + +## Additional volumes for realm configuration +extraVolumes: | + - name: keycloak-config + configMap: + name: platform-keycloak-config + +## Health probes configuration +livenessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 3 + +readinessProbe: + httpGet: + path: /realms/master + port: http + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + +## Enable metrics and health endpoints +metrics: + enabled: true + +health: + enabled: true 
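Review bot: The rewritten `extraEnv` carries proxy, pool and `KC_PROXY_HEADERS` entries but nothing that bootstraps an admin user, and unlike the Bitnami chart's `auth` values the keycloakx chart creates neither an admin account nor an admin-password secret; unless that is set somewhere outside this hunk, the first start under the new chart has no administrator and any automation that authenticates as `admin` cannot log in. Keycloak 26 expects this through `KC_BOOTSTRAP_ADMIN_USERNAME` and `KC_BOOTSTRAP_ADMIN_PASSWORD` (the older `KEYCLOAK_ADMIN`/`KEYCLOAK_ADMIN_PASSWORD` pair still works), with the password taken from a `secretKeyRef` rather than a literal, and the secret itself has to be produced by something this commit does not show. The `extraEnv` block continues into the next hunk.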
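Review bot: The added probes hit `/` and `/realms/master` on the `http` port, but the keycloakx chart defaults `http.relativePath` to `/auth` (exported as `KC_HTTP_RELATIVE_PATH`), so unless `http.relativePath: "/"` is set alongside both paths would 404 and the pod never passes readiness; with `health.enabled: true` already set, the chart's own `/auth/health/live` and `/auth/health/ready` defaults are the safer choice (check which port they target, as recent Keycloak versions serve health on the management interface). The `extraVolumes` entry also mounts nothing — there is no matching `extraVolumeMounts` — yet it makes pod creation wait on the `platform-keycloak-config` ConfigMap, which nothing in this file consumes; either drop it here or add `optional: true` under `configMap`. The values file continues past the end of the hunk.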
diff --git a/argocd/applications/templates/platform-keycloak.yaml b/argocd/applications/templates/platform-keycloak.yaml index fbf98e61c..e4f00c48a 100644 --- a/argocd/applications/templates/platform-keycloak.yaml +++ b/argocd/applications/templates/platform-keycloak.yaml @@ -19,9 +19,9 @@ metadata: spec: project: {{ required "A valid projectName entry required!" .Values.argo.project }} sources: - - repoURL: "registry-1.docker.io/bitnamicharts" - chart: keycloak - targetRevision: 24.4.12 + - repoURL: "https://codecentric.github.io/helm-charts" + chart: keycloakx + targetRevision: 7.1.3 helm: releaseName: {{$appName}} valuesObject: From 4e9d27e62955fb456b82b7f0bf8521bbcb3d1501 Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Thu, 25 Sep 2025 08:47:44 +0000 Subject: [PATCH 02/25] adding argo app for realm-config --- ...orm-keycloak-database-secret-template.yaml | 28 - ...-keycloak-with-initcontainer-approach.yaml | 1263 ----------------- .../custom/platform-keycloak-codecentric.tpl | 119 -- .../platform-keycloak-config-job.yaml | 45 + .../templates/platform-keycloak-config.yaml | 45 + 5 files changed, 90 insertions(+), 1410 deletions(-) delete mode 100644 argocd/applications/configs/platform-keycloak-database-secret-template.yaml delete mode 100644 argocd/applications/configs/platform-keycloak-with-initcontainer-approach.yaml delete mode 100644 argocd/applications/custom/platform-keycloak-codecentric.tpl create mode 100644 argocd/applications/templates/platform-keycloak-config-job.yaml create mode 100644 argocd/applications/templates/platform-keycloak-config.yaml diff --git a/argocd/applications/configs/platform-keycloak-database-secret-template.yaml b/argocd/applications/configs/platform-keycloak-database-secret-template.yaml deleted file mode 100644 index 3c63981e3..000000000 --- a/argocd/applications/configs/platform-keycloak-database-secret-template.yaml +++ /dev/null 
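Review bot: Swapping `bitnamicharts/keycloak` for `keycloakx` changes the rendered resource names: with release name `platform-keycloak` the keycloakx fullname becomes `platform-keycloak-keycloakx` (the release name does not contain the chart name) and its service is `<fullname>-http`, whereas the Bitnami chart exposed a service named plain `platform-keycloak`, and secrets the Bitnami chart used to produce (such as its `admin-password` one) are not created by keycloakx at all. In-cluster consumers keyed to the old names would therefore stop resolving; set `fullnameOverride` in the values or update the URLs, whichever the rest of the deployment expects — I cannot see the consumers from this hunk. The OCI registry source was also replaced by an https repo URL, so that repository must be allowed in the Argo CD project's `sourceRepos`.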
@@ -1,28 +0,0 @@ -# SPDX-FileCopyrightText: 2025 Intel Corporation -# -# SPDX-License-Identifier: Apache-2.0 - -# Template for creating the Keycloak database secret -# This secret contains the PostgreSQL connection information for Keycloak -# -# IMPORTANT: Update the values below to match your environment before applying! -# -# For local deployment, the secret is typically created by mage commands -# For production, ensure you have the correct database connection details - -apiVersion: v1 -kind: Secret -metadata: - name: platform-keycloak-local-postgresql - namespace: orch-platform # Update to your actual namespace -type: Opaque -stringData: - # Database connection details - UPDATE THESE VALUES! - PGHOST: postgresql.orch-database.svc.cluster.local # PostgreSQL service name - PGPORT: "5432" # PostgreSQL port - PGUSER: orch-platform-keycloak_user # Database username - PGDATABASE: orch-platform-keycloak # Database name - PGPASSWORD: your-database-password-here # Database password - CHANGE THIS! - - # Additional fields that might be used - password: your-database-password-here # Alternative password field \ No newline at end of file diff --git a/argocd/applications/configs/platform-keycloak-with-initcontainer-approach.yaml b/argocd/applications/configs/platform-keycloak-with-initcontainer-approach.yaml deleted file mode 100644 index 0947ea5a2..000000000 --- a/argocd/applications/configs/platform-keycloak-with-initcontainer-approach.yaml +++ /dev/null 
@@ -1,1263 +0,0 @@ -# SPDX-FileCopyrightText: 2025 Intel Corporation -# -# SPDX-License-Identifier: Apache-2.0 - -# Configuration for CodeCentric keycloakx chart -# Using official Keycloak image instead of Bitnami - -## Image configuration - using official Keycloak image -image: - repository: quay.io/keycloak/keycloak - tag: 26.0.7 - pullPolicy: IfNotPresent - -## Security context configuration -securityContext: - runAsNonRoot: true - runAsUser: 1000 - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" - -podSecurityContext: - fsGroup: 1000 - -## Service configuration -service: - type: ClusterIP - httpPort: 8080 - -## Admin user configuration via environment variables -extraEnv: | - - name: KEYCLOAK_ADMIN - value: "admin" - - name: KEYCLOAK_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: platform-keycloak - key: admin-password - - name: KC_HOSTNAME_STRICT - value: "false" - - name: KC_HOSTNAME_STRICT_HTTPS - value: "false" - - name: KC_HTTP_ENABLED - value: "true" - - name: KC_HEALTH_ENABLED - value: "true" - - name: KC_METRICS_ENABLED - value: "true" - - name: KC_PROXY - value: "passthrough" - -## Startup command and arguments -command: - - "/opt/keycloak/bin/kc.sh" - -args: - - "start" - - "--optimized" - - "--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true" - - "--spi-brute-force-protector-default-brute-force-detector-allow-concurrent-requests=true" - -## Database configuration using existing secret -database: - vendor: postgres - existingSecret: platform-keycloak-local-postgresql - hostname: - port: - database: - username: - -## External database secret contains all connection info -dbchecker: - enabled: true - -## Health and readiness probes -livenessProbe: - httpGet: - path: / - port: http - initialDelaySeconds: 60 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 3 - -readinessProbe: - httpGet: - path: /realms/master - port: http - initialDelaySeconds: 30 - periodSeconds: 
10 - timeoutSeconds: 5 - failureThreshold: 3 - -## Enable metrics -metrics: - enabled: true - -health: - enabled: true - -## Cache configuration using jdbc-ping (default in keycloakx) -cache: - stack: default - -## Disable network policy to avoid DNS issues -networkPolicy: - enabled: false - -## Realm configuration import via init container -extraInitContainers: | - - name: keycloak-config-cli - image: quay.io/adorsys/keycloak-config-cli:5.12.0-26.0.7 - imagePullPolicy: IfNotPresent - env: - - name: KEYCLOAK_URL - value: "http://localhost:8080" - - name: KEYCLOAK_USER - value: "admin" - - name: KEYCLOAK_PASSWORD - valueFrom: - secretKeyRef: - name: platform-keycloak - key: admin-password - - name: IMPORT_MANAGED_GROUP - value: "no-delete" - - name: IMPORT_MANAGED_REQUIRED_ACTION - value: "no-delete" - - name: IMPORT_MANAGED_ROLE - value: "no-delete" - - name: IMPORT_MANAGED_CLIENT - value: "no-delete" - volumeMounts: - - name: keycloak-config - mountPath: /opt/keycloak-config-cli/configs - readOnly: true - securityContext: - runAsNonRoot: true - runAsUser: 1000 - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - -## Additional volumes for realm configuration -extraVolumes: | - - name: keycloak-config - configMap: - name: platform-keycloak-config - -## Pod labels to avoid sidecar injection -podLabels: - sidecar.istio.io/inject: "false" - realm-master.json: | - { - "realm": "master", - "accountTheme": "keycloak", - "displayName": "Keycloak", - "displayNameHtml": "", - "defaultSignatureAlgorithm": "PS512", - "accessTokenLifespan": 3600, - "ssoSessionIdleTimeout": 5400, - "ssoSessionMaxLifespan": 43200, - "passwordPolicy": "length(14) and digits(1) and specialChars(1) and upperCase(1) and lowerCase(1)", - "bruteForceProtected": true, - "permanentLockout": false, - "maxFailureWaitSeconds": 900, - "minimumQuickLoginWaitSeconds": 60, - "waitIncrementSeconds": 300, - "quickLoginCheckMilliSeconds": 200, - "maxDeltaTimeSeconds": 43200, - "failureFactor": 5, - 
"roles": { - "realm": [ - { - "name": "en-agent-rw" - }, - { - "name": "secrets-root-role" - }, - { - "name": "rs-access-r" - }, - { - "name": "rs-proxy-r" - }, - { - "name": "app-service-proxy-read-role" - }, - { - "name": "app-service-proxy-write-role" - }, - { - "name": "app-deployment-manager-read-role" - }, - { - "name": "app-deployment-manager-write-role" - }, - { - "name": "app-resource-manager-read-role" - }, - { - "name": "app-resource-manager-write-role" - }, - { - "name": "app-vm-console-write-role" - }, - { - "name": "catalog-publisher-read-role" - }, - { - "name": "catalog-publisher-write-role" - }, - { - "name": "catalog-other-read-role" - }, - { - "name": "catalog-other-write-role" - }, - { - "name": "catalog-restricted-read-role" - }, - { - "name": "catalog-restricted-write-role" - }, - { - "name": "clusters-read-role" - }, - { - "name": "clusters-write-role" - }, - { - "name": "cluster-templates-read-role" - }, - { - "name": "cluster-templates-write-role" - }, - { - "name": "cluster-artifacts-read-role" - }, - { - "name": "cluster-artifacts-write-role" - }, - { - "name": "infra-manager-core-read-role" - }, - { - "name": "infra-manager-core-write-role" - }, - { - "name": "alrt-r" - }, - { - "name": "alrt-rw" - }, - { - "name": "alrt-rx-rw" - }, - { - "name": "ao-m2m-rw" - }, - { - "name": "co-m2m-rw" - }, - { - "name": "org-read-role" - }, - { - "name": "org-write-role" - }, - { - "name": "org-update-role" - }, - { - "name": "org-delete-role" - } - ], - "client": { - "alerts-m2m-client": [], - "host-manager-m2m-client": [], - "ktc-m2m-client": [], - "3rd-party-host-manager-m2m-client": [], - "edge-manager-m2m-client": [], - "en-m2m-template-client": [], - "webui-client": [], - "docsui-client": [], - "account": [ - { - "name": "view-profile", - "clientRole": true - }, - { - "name": "manage-account", - "clientRole": true - } - ], - "telemetry-client": [ - { - "name": "admin", - "clientRole": true - }, - { - "name": "viewer", - "clientRole": true - } - 
], - "cluster-management-client": [ - { - "name": "restricted-role", - "clientRole": true - }, - { - "name": "standard-role", - "clientRole": true - }, - { - "name": "base-role", - "clientRole": true - } - ], - "registry-client": [ - { - "name": "registry-admin-role", - "clientRole": true - }, - { - "name": "registry-editor-role", - "clientRole": true - }, - { - "name": "registry-viewer-role", - "clientRole": true - } - ] - } - }, - "clients": [ - { - "clientId": "alerts-m2m-client", - "name": "Alerts M2M Client", - "description": "Client for Alerts", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": true, - "authorizationServicesEnabled": true, - "publicClient": false, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "fullScopeAllowed": true, - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email", - "basic" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "clientId": "host-manager-m2m-client", - "name": "Host Manager Client", - "description": "Client for the EN Host Manager to use in creating edgenode m2m clients", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": true, - "authorizationServicesEnabled": true, - "publicClient": false, - "frontchannelLogout": 
true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "fullScopeAllowed": true, - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email", - "basic" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "clientId": "ktc-m2m-client", - "name": "Keycloak Tenant Controller client", - "description": "Client for the Keycloak Tenant Controller to use in creating Tenant specific roles and groups in Keycloak", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": true, - "authorizationServicesEnabled": true, - "publicClient": false, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "fullScopeAllowed": true, - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "groups", - "email", - "basic" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "clientId": "3rd-party-host-manager-m2m-client", - "name": "3rd Party Host Manager Client", - "description": "Client for the 3rd party Host Manager to use in creating edgenode m2m clients", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "notBefore": 0, - "bearerOnly": 
false, - "consentRequired": false, - "standardFlowEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": true, - "authorizationServicesEnabled": true, - "publicClient": false, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "fullScopeAllowed": true, - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email", - "basic" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "clientId": "edge-manager-m2m-client", - "name": "Edge Manager M2M Client", - "description": "Client for the accessing Orchestrator with Edge-Manager persona", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": true, - "authorizationServicesEnabled": true, - "publicClient": false, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "fullScopeAllowed": true, - "defaultClientScopes": [ - "roles", - "email", - "groups", - "basic" - ], - "optionalClientScopes": [ - "offline_access", - ] - }, - { - "clientId": "en-m2m-template-client", - "name": "Edge Node M2M Template Client", - "description": "Client to use as basis for Roles to assign to new Edge Node M2M clients", - "surrogateAuthRequired": false, - "enabled": false, - 
"alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": true, - "authorizationServicesEnabled": true, - "publicClient": false, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "fullScopeAllowed": true, - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email", - "basic" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "clientId": "telemetry-client", - "name": "Telemetry Client", - "rootUrl": {{ .Values.clusterSpecific.telemetryClientRootUrl | toJson }}, - "enabled": true, - "clientAuthenticatorType": "client-secret", - "redirectUris": {{ .Values.clusterSpecific.telemetryRedirectUrls | toJson }}, - "webOrigins": [ - "+" - ], - "protocol": "openid-connect", - "directAccessGrantsEnabled": true, - "attributes": { - "oidc.ciba.grant.enabled": "false", - "client.secret.creation.time": "1683218404", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "+", - "display.on.consent.screen": "false", - "use.jwks.url": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "fullScopeAllowed": true, - "defaultClientScopes": [ - "roles", - "profile", - "email", - "basic" - ], - "optionalClientScopes": [ - "groups", - "offline_access" - ] - }, - { - "clientId": "cluster-management-client", - "name": "Cluster Management Client", - "rootUrl": {{ .Values.clusterSpecific.clusterManagementClientRootUrl | toJson }}, - "adminUrl": {{ .Values.clusterSpecific.clusterManagementClientRootUrl | toJson }}, - "surrogateAuthRequired": 
false, - "enabled": true, - "clientAuthenticatorType": "client-secret", - "redirectUris": {{ .Values.clusterSpecific.clusterManagementRedirectUrls | toJson }}, - "webOrigins": [ - "+" - ], - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "use.refresh.tokens": "true", - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "require.pushed.authorization.requests": "false", - "tls.client.certificate.bound.access.tokens": "false", - "display.on.consent.screen": "false", - "token.response.type.bearer.lower-case": "false", - }, - "fullScopeAllowed": true, - "protocolMappers": [ - { - "name": "Group Path", - "protocol": "openid-connect", - "protocolMapper": "oidc-group-membership-mapper", - "consentRequired": false, - "config": { - "full.path": "true", - "id.token.claim": "false", - "access.token.claim": "false", - "claim.name": "full_group_path", - "userinfo.token.claim": "true" - } - }, - { - "name": "Groups Mapper", - "protocol": "openid-connect", - "protocolMapper": "oidc-group-membership-mapper", - "consentRequired": false, - "config": { - "full.path": "false", - "id.token.claim": "false", - "access.token.claim": "false", - "claim.name": "groups", - "userinfo.token.claim": "true" - } - }, - { - "name": "Client Audience", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-mapper", - "consentRequired": false, - "config": { - "included.client.audience": "cluster-management-client", - "id.token.claim": "false", - "access.token.claim": "true" - } - } - ], - "defaultClientScopes": [ - "profile", - "roles", - "email", - "basic" - ], - "optionalClientScopes": [ - "groups", - "offline_access", - ], - "authorizationServicesEnabled": false - }, 
- { - "clientId": "webui-client", - "name": "WebUI Client", - "rootUrl": {{ .Values.clusterSpecific.webuiClientRootUrl | toJson }}, - "enabled": true, - "clientAuthenticatorType": "client-secret", - "redirectUris": {{ .Values.clusterSpecific.webuiRedirectUrls | toJson }}, - "webOrigins": [ - "+" - ], - "protocol": "openid-connect", - "directAccessGrantsEnabled": false, - "attributes": { - "oidc.ciba.grant.enabled": "false", - "client.secret.creation.time": "1683218404", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "+", - "display.on.consent.screen": "false", - "oauth2.device.authorization.grant.enabled": "true", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "fullScopeAllowed": true, - "defaultClientScopes": [ - "roles", - "profile", - "email", - "basic" - ], - "optionalClientScopes": [ - "groups", - "offline_access" - ] - }, - { - "clientId": "docsui-client", - "name": "DocsUI Client", - "rootUrl": {{ .Values.clusterSpecific.docsuiClientRootUrl | toJson }}, - "enabled": true, - "clientAuthenticatorType": "client-secret", - "redirectUris": {{ .Values.clusterSpecific.docsuiRedirectUrls | toJson }}, - "webOrigins": [ - "+" - ], - "protocol": "openid-connect", - "directAccessGrantsEnabled": false, - "attributes": { - "oidc.ciba.grant.enabled": "false", - "client.secret.creation.time": "1683218404", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "+", - "display.on.consent.screen": "false", - "oauth2.device.authorization.grant.enabled": "true", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "fullScopeAllowed": true, - "defaultClientScopes": [ - "roles", - "profile", - "email", - "basic" - ], - "optionalClientScopes": [ - "groups", - "offline_access" - ] - }, - { - "clientId": "system-client", - "name": "System Client", - "surrogateAuthRequired": false, - "enabled": true, - "clientAuthenticatorType": "client-secret", - "redirectUris": [], - "webOrigins": [], - 
"standardFlowEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "oauth2.device.authorization.grant.enabled": "true", - "backchannel.logout.session.required": "true", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "fullScopeAllowed": true, - "defaultClientScopes": [ - "roles", - "profile", - "email", - "basic" - ], - "optionalClientScopes": [ - "groups", - "offline_access" - ] - }, - { - "frontchannelLogout": true, - "standardFlowEnabled": true, - "clientId": "registry-client", - "name": "Registry Client", - "rootUrl": {{ .Values.clusterSpecific.registryClientRootUrl | toJson }}, - "enabled": true, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/c/oidc/callback" - ], - "webOrigins": [ - "+" - ], - "protocol": "openid-connect", - "directAccessGrantsEnabled": true, - "attributes": { - "oidc.ciba.grant.enabled": "false", - "client.secret.creation.time": "1683218404", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "+", - "display.on.consent.screen": "false", - "use.jwks.url": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "fullScopeAllowed": true, - "defaultClientScopes": [ - "roles", - "profile", - "email", - "groups", - "basic" - ], - "optionalClientScopes": [ - "offline_access" - ] - } - ], - "clientScopes": [ - { - "name": "groups", - "description": "Groups scope", - "type": "Optional", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-group-membership-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - 
"full.path": "false", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "userinfo.token.claim": "true", - "jsonType.label": "String" - } - } - ] - }, - { - "name": "roles", - "description": "OpenID Connect scope for add user roles to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "gui.order": "", - "consent.screen.text": '{{"$"}}{{"{"}}roleScopeConsentText{{"}"}}' - }, - "protocolMappers": [ - { - "name": "realm roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "realm_access.roles", - "jsonType.label": "String" - } - }, - { - "name": "client roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "resource_access.{{"$"}}{{"{"}}client_id{{"}"}}.roles", - "jsonType.label": "String" - } - } - ] - } - ], - "groups": [ - { - "name": "registry-app-admin-group", - "path": "/registry-app-admin-group", - }, - { - "name": "registry-app-editor-group", - "path": "/registry-app-editor-group", - }, - { - "name": "registry-app-viewer-group", - "path": "/registry-app-viewer-group", - }, - { - "name": "apps-m2m-service-account", - "path": "/apps-m2m-service-account", - "realmRoles": [ - "ao-m2m-rw", - "co-m2m-rw" - ] - }, - { - "name": "org-admin-group", - "path": "/org-admin-group", - "realmRoles": [ - "org-read-role", - "org-update-role", - "org-delete-role", - "org-write-role" - ] - }, - { - "name": "sre-admin-group", - "path": "/sre-admin-group", - "realmRoles": [ - "alrt-r" - ], - "clientRoles": { - "account": 
[ - "view-profile", - "manage-account" - ], - "telemetry-client": [ - "viewer" - ] - } - }, - { - "name": "iam-admin-group", - "path": "/iam-admin-group", - "realmRoles": [ - "admin", - "secrets-root-role" - ], - "clientRoles": { - "account": [ - "view-profile", - "manage-account" - ], - "master-realm": [ - "view-users", - "query-users", - "manage-clients" - ] - } - }, - { - "name": "service-admin-group", - "path": "/service-admin-group", - "realmRoles": [ - "alrt-rx-rw", - "rs-access-r", - "infra-manager-core-read-role", - "infra-manager-core-write-role", - "alrt-rw" - ], - "clientRoles": { - "account": [ - "view-profile", - "manage-account" - ], - "master-realm": [ - "view-users", - "query-users", - "manage-clients" - ], - "telemetry-client": [ - "admin" - ], - "cluster-management-client": [ - "restricted-role", - "standard-role", - "base-role" - ], - "registry-client": [ - "registry-admin-role" - ] - } - }, - { - "name": "edge-manager-group", - "path": "/edge-manager-group", - "realmRoles": [ - "app-service-proxy-read-role", - "app-service-proxy-write-role", - "app-deployment-manager-read-role", - "app-deployment-manager-write-role", - "app-resource-manager-read-role", - "app-resource-manager-write-role", - "app-vm-console-write-role", - "catalog-publisher-read-role", - "catalog-publisher-write-role", - "catalog-other-read-role", - "catalog-other-write-role", - "catalog-restricted-read-role", - "catalog-restricted-write-role", - "clusters-read-role", - "clusters-write-role", - "cluster-templates-read-role", - "cluster-templates-write-role", - "cluster-artifacts-read-role", - "cluster-artifacts-write-role", - "infra-manager-core-read-role", - "alrt-rw" - ], - "clientRoles": { - "telemetry-client": [ - "viewer" - ], - "cluster-management-client": [ - "standard-role", - "base-role" - ], - "registry-client": [ - "registry-editor-role" - ] - } - }, - { - "name": "edge-operator-group", - "path": "/edge-operator-group", - "realmRoles": [ - 
"app-service-proxy-read-role", - "app-service-proxy-write-role", - "app-deployment-manager-read-role", - "app-deployment-manager-write-role", - "app-resource-manager-read-role", - "app-resource-manager-write-role", - "app-vm-console-write-role", - "catalog-publisher-read-role", - "catalog-other-read-role", - "clusters-read-role", - "clusters-write-role", - "cluster-templates-read-role", - "cluster-artifacts-read-role", - "cluster-artifacts-write-role", - "infra-manager-core-read-role", - "alrt-r" - ], - "clientRoles": { - "telemetry-client": [ - "viewer" - ], - "registry-client": [ - "registry-viewer-role" - ] - } - }, - { - "name": "host-manager-group", - "path": "/host-manager-group", - "realmRoles": [ - "infra-manager-core-read-role", - "infra-manager-core-write-role" - ], - "clientRoles": { - "telemetry-client": [ - "viewer" - ] - } - }, - { - "name": "sre-group", - "path": "/sre-group", - "realmRoles": [ - "alrt-r", - "clusters-read-role", - "clusters-write-role", - "cluster-templates-read-role", - "infra-manager-core-read-role" - ], - "clientRoles": { - "telemetry-client": [ - "viewer" - ], - "cluster-management-client": [ - "base-role", - "restricted-role" - ] - } - } - ], - "users": [ - { - "username": "service-account-alerts-m2m-client", - "enabled": true, - "totp": false, - "serviceAccountClientId": "alerts-m2m-client", - "realmRoles": [ - "default-roles-master" - ], - "clientRoles": { - "alerts-m2m-client": [ - "uma_protection" - ], - "master-realm": [ - "view-users" - ] - }, - "notBefore": 0 - }, - { - "username": "service-account-host-manager-m2m-client", - "enabled": true, - "totp": false, - "serviceAccountClientId": "host-manager-m2m-client", - "realmRoles": [ - "default-roles-master", - "rs-access-r" - ], - "clientRoles": { - "host-manager-m2m-client": [ - "uma_protection" - ], - "master-realm": [ - "query-clients", - "manage-authorization", - "view-clients", - "view-users", - "create-client", - "manage-users", - "manage-clients", - "view-realm" - ] 
- }, - "notBefore": 0 - }, - { - "username": "service-account-ktc-m2m-client", - "enabled": true, - "totp": false, - "serviceAccountClientId": "ktc-m2m-client", - "realmRoles": [ - "admin", - "create-realm", - "default-roles-master", - "rs-access-r" - ], - "clientRoles": { - "ktc-m2m-client": [ - "uma_protection" - ], - "master-realm": [ - "query-clients", - "manage-authorization", - "view-clients", - "view-users", - "create-client", - "manage-users", - "manage-clients" - ] - }, - "notBefore": 0 - }, - { - "username": "service-account-3rd-party-host-manager-m2m-client", - "enabled": true, - "totp": false, - "serviceAccountClientId": "3rd-party-host-manager-m2m-client", - "realmRoles": [ - "default-roles-master", - "rs-access-r" - ], - "clientRoles": { - "3rd-party-host-manager-m2m-client": [ - "uma_protection" - ], - "master-realm": [ - "query-clients", - "manage-authorization", - "view-clients", - "view-users", - "create-client", - "manage-users", - "manage-clients", - "view-realm", - ] - }, - "notBefore": 0 - }, - { - "username": "service-account-en-m2m-template-client", - "enabled": true, - "totp": false, - "serviceAccountClientId": "en-m2m-template-client", - "realmRoles": [ - "default-roles-master", - "rs-access-r", - "en-agent-rw" - ], - "clientRoles": { - "en-m2m-template-client": [ - "uma_protection" - ] - }, - "notBefore": 0 - }, - { - "username": "service-account-edge-manager-m2m-client", - "enabled": true, - "totp": false, - "serviceAccountClientId": "edge-manager-m2m-client", - "realmRoles": [ - "default-roles-master" - ], - "clientRoles": { - "edge-manager-m2m-client": [ - "uma_protection" - ] - }, - "notBefore": 0, - "groups": [ - "/edge-manager-group", - "/apps-m2m-service-account" - ] - }, - ], - "components": { - "org.keycloak.keys.KeyProvider": [ - { - "name": "fallback-PS512", - "providerId": "rsa-generated", - "subComponents": {}, - "config": { - "keySize": [ - "4096" - ], - "active": [ - "true" - ], - "priority": [ - "-100" - ], - "enabled": [ 
- "true" - ], - "algorithm": [ - "PS512" - ] - } - } - ] - } - } -# yamllint enable rule:line-length diff --git a/argocd/applications/custom/platform-keycloak-codecentric.tpl b/argocd/applications/custom/platform-keycloak-codecentric.tpl deleted file mode 100644 index 2694486e7..000000000 --- a/argocd/applications/custom/platform-keycloak-codecentric.tpl +++ /dev/null 
@@ -1,119 +0,0 @@ -# SPDX-FileCopyrightText: 2025 Intel Corporation -# -# SPDX-License-Identifier: Apache-2.0 - -# CodeCentric Keycloak Chart Template -# This template provides cluster-specific configuration for the CodeCentric keycloakx chart - -## Cluster-Specific values for realm configuration -## These values parameterize the realm configuration for different environments -## @param clusterSpecific.webuiClientRootUrl The Keycloak Master realm UI Client's rootUrl value -## @param clusterSpecific.webuiRedirectUrls The Keycloak Master realm UI Client's redirectUrl values -## @param clusterSpecific.registryClientRootUrl The Keycloak Master realm Harbor Client's rootUrl value -## @param clusterSpecific.telemetryClientRootUrl The Keycloak Master realm Grafana Client's rootUrl value -## @param clusterSpecific.telemetryRedirectUrls The Keycloak Master realm Grafana Client's redirectUrl values -clusterSpecific: - webuiClientRootUrl: "https://web-ui.{{ .Values.argo.clusterDomain }}" - webuiRedirectUrls: ["https://web-ui.{{ .Values.argo.clusterDomain }}", "https://app-service-proxy.{{ .Values.argo.clusterDomain }}/app-service-proxy-index.html*", "https://vnc.{{ .Values.argo.clusterDomain }}/*", "https://{{ .Values.argo.clusterDomain }}"{{- if index .Values.argo "platform-keycloak" "extraUiRedirects" -}}, {{- index .Values.argo "platform-keycloak" "extraUiRedirects" -}}{{- end -}}] - registryClientRootUrl: "https://registry-oci.{{ .Values.argo.clusterDomain }}" - telemetryClientRootUrl: "https://observability-ui.{{ .Values.argo.clusterDomain }}" - telemetryRedirectUrls: ["https://observability-admin.{{ .Values.argo.clusterDomain }}/login/generic_oauth", "https://observability-ui.{{ .Values.argo.clusterDomain }}/login/generic_oauth"] - -## Environment variables for CodeCentric chart -## These replace Bitnami's extraEnvVars with CodeCentric's extraEnv format -extraEnv: | - # Proxy configuration - - name: HTTPS_PROXY - value: "{{ .Values.argo.proxy.httpsProxy }}" - - name: 
HTTP_PROXY - value: "{{ .Values.argo.proxy.httpProxy }}" - - name: NO_PROXY - value: "{{ .Values.argo.proxy.noProxy }}" - - # Database pool configuration (CodeCentric chart format) - {{ if index .Values.argo "platform-keycloak" "db" }} - - name: KC_DB_POOL_INITIAL_SIZE - value: {{ index .Values.argo "platform-keycloak" "db" "poolInitSize" | default "5" | quote}} - - name: KC_DB_POOL_MIN_SIZE - value: {{ index .Values.argo "platform-keycloak" "db" "poolMinSize" | default "5" | quote}} - - name: KC_DB_POOL_MAX_SIZE - value: {{ index .Values.argo "platform-keycloak" "db" "poolMaxSize" | default "100" | quote}} - {{ end }} - - # Proxy headers for CodeCentric chart - - name: KC_PROXY_HEADERS - value: "xforwarded" - -## Database configuration for CodeCentric chart -## CodeCentric chart uses different database configuration structure -database: - vendor: postgres - existingSecret: platform-keycloak-{{.Values.argo.database.type}}-postgresql - # CodeCentric chart automatically maps secret keys - -## External database secret configuration -## This maintains compatibility with existing secret structure -dbSecretKeys: - host: PGHOST - port: PGPORT - user: PGUSER - database: PGDATABASE - password: PGPASSWORD - -## Storage configuration (if local registry is used) -{{- if index .Values.argo "platform-keycloak" "localRegistrySize"}} -persistence: - storageClass: "" - size: {{index .Values.argo "platform-keycloak" "localRegistrySize"}} -{{- end}} - -## Resource configuration -{{- with .Values.argo.resources.platformKeycloak }} -resources: - {{- toYaml . 
| nindent 2}} -{{- end }} - -## Service configuration for compatibility -service: - type: ClusterIP - httpPort: 8080 - -## Network policy (typically disabled for simplicity) -networkPolicy: - enabled: false - -## Pod labels to avoid sidecar injection -podLabels: - sidecar.istio.io/inject: "false" - -## Additional volumes for realm configuration -extraVolumes: | - - name: keycloak-config - configMap: - name: platform-keycloak-config - -## Health probes configuration -livenessProbe: - httpGet: - path: / - port: http - initialDelaySeconds: 60 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 3 - -readinessProbe: - httpGet: - path: /realms/master - port: http - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 3 - -## Enable metrics and health endpoints -metrics: - enabled: true - -health: - enabled: true \ No newline at end of file diff --git a/argocd/applications/templates/platform-keycloak-config-job.yaml b/argocd/applications/templates/platform-keycloak-config-job.yaml new file mode 100644 index 000000000..c618af41d --- /dev/null +++ b/argocd/applications/templates/platform-keycloak-config-job.yaml 
@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{{- $appName := "platform-keycloak-config-job" }}
+{{- $namespace := "orch-platform" }}
+{{- $syncWave := "160" }}
+---
+{{- if (index .Values.argo.enabled "platform-keycloak") }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "{{ $syncWave }}"
+ name: {{$appName}}
+ namespace: {{ required "A valid namespace entry required!" .Values.argo.namespace }}
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: {{ required "A valid projectName entry required!" .Values.argo.project }}
+ sources:
+ - repoURL: {{ required "A valid repoURL entry required!" .Values.argo.repoURL }}
+ path: argocd/applications/configs
+ targetRevision: {{ required "A valid targetRevision entry required!" .Values.argo.targetRevision }}
+ directory:
+ include: "platform-keycloak-config-job.yaml"
+ destination:
+ namespace: {{$namespace}}
+ server: {{ required "A valid targetServer entry required!" .Values.argo.targetServer }}
+ syncPolicy:
+ {{- if .Values.argo.autosync }}
+ automated:
+ prune: true
+ selfHeal: true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 3m0s
+ factor: 2
+ {{- end }}
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+{{- end }}
\ No newline at end of file
diff --git a/argocd/applications/templates/platform-keycloak-config.yaml b/argocd/applications/templates/platform-keycloak-config.yaml
new file mode 100644
index 000000000..7927c5f64
--- /dev/null
+++ b/argocd/applications/templates/platform-keycloak-config.yaml
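Review bot: Syncing the keycloak-config-cli Job as a tracked resource through `directory.include: "platform-keycloak-config-job.yaml"` does not by itself re-run the realm import when the ConfigMap managed by the wave-140 Application changes, and because a Job's `spec.template` is immutable, a later edit to the Job manifest (for example an image bump) is likely to fail to apply unless the object is replaced. Consider adding `- Replace=true` under `syncOptions` so the Job is recreated on each out-of-sync apply, or rely explicitly on the Job's existing `helm.sh/hook` / `hook-succeeded` annotations as an Argo CD PostSync hook. Whichever is intended should be recorded in this template, e.g. `# Job is re-created on sync; the import is idempotent (IMPORT_MANAGED_*=no-delete)`. Whether this Argo CD version honours the Helm hook annotations on a directory-sourced manifest should be confirmed before choosing.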
@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{{- $appName := "platform-keycloak-config" }}
+{{- $namespace := "orch-platform" }}
+{{- $syncWave := "140" }}
+---
+{{- if (index .Values.argo.enabled "platform-keycloak") }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "{{ $syncWave }}"
+ name: {{$appName}}
+ namespace: {{ required "A valid namespace entry required!" .Values.argo.namespace }}
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: {{ required "A valid projectName entry required!" .Values.argo.project }}
+ sources:
+ - repoURL: {{ required "A valid repoURL entry required!" .Values.argo.repoURL }}
+ path: argocd/applications/configs
+ targetRevision: {{ required "A valid targetRevision entry required!" .Values.argo.targetRevision }}
+ directory:
+ include: "platform-keycloak-realm-config.yaml"
+ destination:
+ namespace: {{$namespace}}
+ server: {{ required "A valid targetServer entry required!" .Values.argo.targetServer }}
+ syncPolicy:
+ {{- if .Values.argo.autosync }}
+ automated:
+ prune: true
+ selfHeal: true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 3m0s
+ factor: 2
+ {{- end }}
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+{{- end }}
\ No newline at end of file
From b6cc8a47166e30acda09a820d841aadcef7b20d8 Mon Sep 17 00:00:00 2001
From: Sandeep Sharma
Date: Thu, 25 Sep 2025 09:18:25 +0000
Subject: [PATCH 03/25] fixing trivy errors
---
 .../configs/platform-keycloak-config-job.yaml | 25 +++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/argocd/applications/configs/platform-keycloak-config-job.yaml b/argocd/applications/configs/platform-keycloak-config-job.yaml
index 0d7d142b4..4e6ca2552 100644
--- a/argocd/applications/configs/platform-keycloak-config-job.yaml
+++ b/argocd/applications/configs/platform-keycloak-config-job.yaml
@@ -11,6 +11,11 @@ metadata: helm.sh/hook: post-install,post-upgrade helm.sh/hook-weight: "1" helm.sh/hook-delete-policy: hook-succeeded + # Security annotations for image registry approval + security.approved-registries: "quay.io" + security.image-purpose: "keycloak-config-cli for realm configuration import" + security.image-vendor: "adorsys/keycloak-config-cli" + security.image-verification: "official-keycloak-tooling" spec: template: metadata: @@ -19,9 +24,16 @@ spec: sidecar.istio.io/inject: "false" spec: restartPolicy: OnFailure + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" containers: - name: keycloak-config-cli - image: quay.io/adorsys/keycloak-config-cli:5.12.0-26.0.7 + image: quay.io/adorsys/keycloak-config-cli:6.1.4-26.0.2 imagePullPolicy: IfNotPresent env: - name: KEYCLOAK_URL @@ -49,10 +61,15 @@ spec: - name: keycloak-config mountPath: /opt/keycloak-config-cli/configs readOnly: true + - name: tmp-volume + mountPath: /tmp + - name: var-tmp-volume + mountPath: /var/tmp securityContext: runAsNonRoot: true runAsUser: 1000 allowPrivilegeEscalation: false + readOnlyRootFilesystem: true capabilities: drop: ["ALL"] seccompProfile: @@ -67,4 +84,8 @@ spec: volumes: - name: keycloak-config configMap: - name: platform-keycloak-config \ No newline at end of file + name: platform-keycloak-config + - name: tmp-volume + emptyDir: {} + - name: var-tmp-volume + emptyDir: {} \ No newline at end of file From 329d0ca38fc08b5b13dce55e7029154fdda8c3ee Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Thu, 25 Sep 2025 10:51:35 +0000 Subject: [PATCH 04/25] fixing lint issue --- .../configs/platform-keycloak-config-job.yaml | 108 +++++++++--------- .../platform-keycloak-realm-config.yaml | 9 +- .../configs/platform-keycloak.yaml | 8 +- 3 files changed, 62 insertions(+), 63 deletions(-) 
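Review bot: The new `security.image-verification: "official-keycloak-tooling"` and `security.approved-registries: "quay.io"` annotations in the first hunk are free-form metadata that nothing enforces, and `quay.io/adorsys/keycloak-config-cli` is a third-party (adorsys) project rather than Keycloak-project tooling, so the wording overstates what was verified while the image is still selected by a mutable tag. Pin it by digest, `image: quay.io/adorsys/keycloak-config-cli:6.1.4-26.0.2@sha256:<IMAGE_DIGEST>` (placeholder), and enforce the registry allow-list with an admission policy rather than an annotation. By the project's tagging convention the tag suffix names the Keycloak server version the CLI was built against; this change moves it from `26.0.7` to `26.0.2`, which should be checked against the Keycloak image the chart actually deploys. The added pod-level `runAsGroup`/`fsGroup`, `readOnlyRootFilesystem: true` and the `emptyDir` mounts for `/tmp` and `/var/tmp` look correct.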
diff --git a/argocd/applications/configs/platform-keycloak-config-job.yaml b/argocd/applications/configs/platform-keycloak-config-job.yaml index 4e6ca2552..6b7056026 100644 --- a/argocd/applications/configs/platform-keycloak-config-job.yaml +++ b/argocd/applications/configs/platform-keycloak-config-job.yaml 
@@ -32,60 +32,60 @@ spec: seccompProfile: type: "RuntimeDefault" containers: - - name: keycloak-config-cli - image: quay.io/adorsys/keycloak-config-cli:6.1.4-26.0.2 - imagePullPolicy: IfNotPresent - env: - - name: KEYCLOAK_URL - value: "http://platform-keycloak:8080" - - name: KEYCLOAK_USER - value: "admin" - - name: KEYCLOAK_PASSWORD - valueFrom: - secretKeyRef: - name: platform-keycloak - key: admin-password - - name: IMPORT_MANAGED_GROUP - value: "no-delete" - - name: IMPORT_MANAGED_REQUIRED_ACTION - value: "no-delete" - - name: IMPORT_MANAGED_ROLE - value: "no-delete" - - name: IMPORT_MANAGED_CLIENT - value: "no-delete" - - name: KEYCLOAK_AVAILABILITYCHECK_ENABLED - value: "true" - - name: KEYCLOAK_AVAILABILITYCHECK_TIMEOUT - value: "120s" - volumeMounts: + - name: keycloak-config-cli + image: quay.io/adorsys/keycloak-config-cli:6.1.4-26.0.2 + imagePullPolicy: IfNotPresent + env: + - name: KEYCLOAK_URL + value: "http://platform-keycloak:8080" + - name: KEYCLOAK_USER + value: "admin" + - name: KEYCLOAK_PASSWORD + valueFrom: + secretKeyRef: + name: platform-keycloak + key: admin-password + - name: IMPORT_MANAGED_GROUP + value: "no-delete" + - name: IMPORT_MANAGED_REQUIRED_ACTION + value: "no-delete" + - name: IMPORT_MANAGED_ROLE + value: "no-delete" + - name: IMPORT_MANAGED_CLIENT + value: "no-delete" + - name: KEYCLOAK_AVAILABILITYCHECK_ENABLED + value: "true" + - name: KEYCLOAK_AVAILABILITYCHECK_TIMEOUT + value: "120s" + volumeMounts: + - name: keycloak-config + mountPath: /opt/keycloak-config-cli/configs + readOnly: true + - name: tmp-volume + mountPath: /tmp + - name: var-tmp-volume + mountPath: /var/tmp + securityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + resources: + requests: + memory: "256Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "500m" + volumes: - name: keycloak-config - mountPath: 
/opt/keycloak-config-cli/configs - readOnly: true + configMap: + name: platform-keycloak-config - name: tmp-volume - mountPath: /tmp + emptyDir: {} - name: var-tmp-volume - mountPath: /var/tmp - securityContext: - runAsNonRoot: true - runAsUser: 1000 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" - resources: - requests: - memory: "256Mi" - cpu: "100m" - limits: - memory: "512Mi" - cpu: "500m" - volumes: - - name: keycloak-config - configMap: - name: platform-keycloak-config - - name: tmp-volume - emptyDir: {} - - name: var-tmp-volume - emptyDir: {} \ No newline at end of file + emptyDir: {} diff --git a/argocd/applications/configs/platform-keycloak-realm-config.yaml b/argocd/applications/configs/platform-keycloak-realm-config.yaml index a541246ca..ecbc75c81 100644 --- a/argocd/applications/configs/platform-keycloak-realm-config.yaml +++ b/argocd/applications/configs/platform-keycloak-realm-config.yaml @@ -13,7 +13,10 @@ data: "realm": "master", "accountTheme": "keycloak", "displayName": "Keycloak", - "displayNameHtml": "", + "displayNameHtml": | + "defaultSignatureAlgorithm": "PS512", "accessTokenLifespan": 3600, "ssoSessionIdleTimeout": 5400, @@ -114,7 +117,7 @@ data: "name": "alrt-rx-rw" }, { - "name": "ao-m2m-rw" + "name": "ao-m2m-rw" }, { "name": "co-m2m-rw" @@ -357,4 +360,4 @@ data: } ] } - } \ No newline at end of file + } diff --git a/argocd/applications/configs/platform-keycloak.yaml b/argocd/applications/configs/platform-keycloak.yaml index 98a151bb3..5fe0f82ad 100644 --- a/argocd/applications/configs/platform-keycloak.yaml +++ b/argocd/applications/configs/platform-keycloak.yaml @@ -70,7 +70,6 @@ extraEnv: | secretKeyRef: name: platform-keycloak key: admin-password - # HTTP/HTTPS configuration - name: KC_HOSTNAME_STRICT value: "false" 
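Review bot: In the `@@ -13,7 +13,10 @@` hunk of `platform-keycloak-realm-config.yaml`, replacing `"displayNameHtml": "",` with `"displayNameHtml": |` followed by what render here as empty added lines appears to leave the realm document as invalid JSON: a bare `|` is not a JSON value, and since the realm text sits inside the ConfigMap's `data:` block scalar (the surrounding `"realm": "master"` object is context), YAML passes the `|` through literally rather than treating it as a nested block indicator. keycloak-config-cli would then fail to parse the import file and no realm configuration would be applied. If the lint complaint concerned the empty string, keep the valid form `"displayNameHtml": "",` or drop the key entirely. The other two hunks in that file (re-indenting `"name": "ao-m2m-rw"` and adding the trailing newline) are harmless.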
@@ -80,13 +79,11 @@ extraEnv: | value: "true" - name: KC_PROXY value: "passthrough" - # Feature enablement - name: KC_HEALTH_ENABLED value: "true" - name: KC_METRICS_ENABLED value: "true" - # Database configuration - name: KC_DB value: "postgres" @@ -137,8 +134,7 @@ livenessProbe: periodSeconds: 30 timeoutSeconds: 5 failureThreshold: 3 - -readinessProbe: +readinessProbe: httpGet: path: /realms/master port: http @@ -166,4 +162,4 @@ cache: extraVolumes: | - name: keycloak-config configMap: - name: platform-keycloak-config \ No newline at end of file + name: platform-keycloak-config From f74119d79332417babebb5a0ea80cb2dd7d7a598 Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Mon, 29 Sep 2025 02:08:02 -0700 Subject: [PATCH 05/25] fixing new helm chart's args --- .../configs/platform-keycloak.yaml | 66 ++++++++----------- .../applications/custom/platform-keycloak.tpl | 37 ++--------- .../platform-keycloak-config-job.yaml | 4 +- .../templates/platform-keycloak-config.yaml | 4 +- 4 files changed, 38 insertions(+), 73 deletions(-) diff --git a/argocd/applications/configs/platform-keycloak.yaml b/argocd/applications/configs/platform-keycloak.yaml index 5fe0f82ad..3bf236213 100644 --- a/argocd/applications/configs/platform-keycloak.yaml +++ b/argocd/applications/configs/platform-keycloak.yaml @@ -56,7 +56,6 @@ command: args: - "start" - - "--optimized" - "--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true" - "--spi-brute-force-protector-default-brute-force-detector-allow-concurrent-requests=true" 
@@ -84,41 +83,30 @@ extraEnv: | value: "true" - name: KC_METRICS_ENABLED value: "true" - # Database configuration - - name: KC_DB - value: "postgres" - - name: KC_DB_URL_HOST - valueFrom: - secretKeyRef: - name: platform-keycloak-local-postgresql - key: PGHOST - - name: KC_DB_URL_PORT - valueFrom: - secretKeyRef: - name: platform-keycloak-local-postgresql - key: PGPORT - - name: KC_DB_URL_DATABASE - valueFrom: - secretKeyRef: - name: platform-keycloak-local-postgresql - key: PGDATABASE + # Database username from secret (password is handled by database: section) - name: KC_DB_USERNAME valueFrom: secretKeyRef: name: platform-keycloak-local-postgresql key: PGUSER - - name: KC_DB_PASSWORD - valueFrom: - secretKeyRef: - name: platform-keycloak-local-postgresql - key: PGPASSWORD + # Proxy configuration + - name: HTTPS_PROXY + value: "http://proxy-dmz.intel.com:912" + - name: HTTP_PROXY + value: "http://proxy-dmz.intel.com:912" + - name: NO_PROXY + value: "localhost,svc,cluster.local,default,internal,caas.intel.com,certificates.intel.com,localhost,127.0.0.0/8,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12,169.254.169.254,orch-platform,orch-app,orch-cluster,orch-infra,orch-database,cattle-system,orch-secret,s3.amazonaws.com,s3.us-west-2.amazonaws.com,ec2.us-west-2.amazonaws.com,eks.amazonaws.com,elb.us-west-2.amazonaws.com,dkr.ecr.us-west-2.amazonaws.com,espd.infra-host.com,pid.infra-host.com,espdqa.infra-host.com,argocd-repo-server" ################################# # DATABASE CONFIGURATION ################################# database: vendor: postgres + hostname: postgresql.orch-database.svc.cluster.local + port: 5432 + database: keycloak existingSecret: platform-keycloak-local-postgresql + existingSecretKey: PGPASSWORD dbchecker: enabled: true 
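Review bot: This hunk bakes environment-specific values into the shared base config — `HTTPS_PROXY`/`HTTP_PROXY` fixed to `http://proxy-dmz.intel.com:912`, a long literal `NO_PROXY` list, and `database.hostname: postgresql.orch-database.svc.cluster.local` — while the `custom/platform-keycloak.tpl` hunks `@@ -19,12 +19,8 @@` and `@@ -33,29 +29,8 @@` delete the `{{ .Values.argo.proxy.* }}` and `platform-keycloak-{{.Values.argo.database.type}}-postgresql` templating that previously supplied these per cluster. Host, port and database name used to come from the secret's `PGHOST`/`PGPORT`/`PGDATABASE` keys, so a deployment with a non-`local` database type will now connect to the in-cluster hostname using the `platform-keycloak-local-postgresql` secret. The `KC_DB_POOL_INITIAL_SIZE`/`KC_DB_POOL_MIN_SIZE`/`KC_DB_POOL_MAX_SIZE` variables dropped from the tpl have no replacement in this hunk, so pool sizing silently reverts to Keycloak defaults. Move the proxy and `database:` values back into the tpl where they can be templated (for example `existingSecret: platform-keycloak-{{.Values.argo.database.type}}-postgresql`, with `hostname` taken from `.Values`) and re-add the pool variables under `extraEnv`.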
@@ -127,21 +115,23 @@ dbchecker: # HEALTH & MONITORING ################################# livenessProbe: - httpGet: - path: / - port: http - initialDelaySeconds: 60 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 3 + | + httpGet: + path: / + port: http + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 3 readinessProbe: - httpGet: - path: /realms/master - port: http - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 3 + | + httpGet: + path: /realms/master + port: http + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 metrics: enabled: true diff --git a/argocd/applications/custom/platform-keycloak.tpl b/argocd/applications/custom/platform-keycloak.tpl index be07fe4a0..770a479f0 100644 --- a/argocd/applications/custom/platform-keycloak.tpl +++ b/argocd/applications/custom/platform-keycloak.tpl @@ -19,12 +19,8 @@ clusterSpecific: telemetryClientRootUrl: "https://observability-ui.{{ .Values.argo.clusterDomain }}" telemetryRedirectUrls: ["https://observability-admin.{{ .Values.argo.clusterDomain }}/login/generic_oauth", "https://observability-ui.{{ .Values.argo.clusterDomain }}/login/generic_oauth"] -## Database configuration for CodeCentric chart -## CodeCentric chart uses different database configuration structure than Bitnami -database: - vendor: postgres - existingSecret: platform-keycloak-{{.Values.argo.database.type}}-postgresql - # CodeCentric chart automatically maps standard PostgreSQL secret keys +## Database configuration is defined in the base config file (platform-keycloak.yaml) +## This template only provides cluster-specific overrides ## Storage configuration (if local registry is used) {{- if index .Values.argo "platform-keycloak" "localRegistrySize"}} 
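Review bot: Deleting `existingSecret: platform-keycloak-{{.Values.argo.database.type}}-postgresql` from the template removes the only place where `argo.database.type` chose the credentials secret, while the base file in the same commit pins `existingSecret: platform-keycloak-local-postgresql` (hunk `@@ -84,41 +83,30 @@`), so a deployment with a non-local database type would be handed the local secret unless the value is overridden somewhere I cannot see. Keep the templated `database:` block here, or template the secret name in the base file, rather than replacing it with the comment. If the comment stays, it should say that `argo.database.type` is no longer honoured, e.g. `## NOTE: database secret name is fixed to platform-keycloak-local-postgresql in platform-keycloak.yaml`.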
@@ -33,29 +29,8 @@ persistence: size: {{index .Values.argo "platform-keycloak" "localRegistrySize"}} {{- end}} -## Environment variables for CodeCentric chart (uses extraEnv instead of extraEnvVars) -extraEnv: | - # Proxy configuration - - name: HTTPS_PROXY - value: "{{ .Values.argo.proxy.httpsProxy }}" - - name: HTTP_PROXY - value: "{{ .Values.argo.proxy.httpProxy }}" - - name: NO_PROXY - value: "{{ .Values.argo.proxy.noProxy }}" - - # Database pool configuration - {{ if index .Values.argo "platform-keycloak" "db" }} - - name: KC_DB_POOL_INITIAL_SIZE - value: {{ index .Values.argo "platform-keycloak" "db" "poolInitSize" | default "5" | quote}} - - name: KC_DB_POOL_MIN_SIZE - value: {{ index .Values.argo "platform-keycloak" "db" "poolMinSize" | default "5" | quote}} - - name: KC_DB_POOL_MAX_SIZE - value: {{ index .Values.argo "platform-keycloak" "db" "poolMaxSize" | default "100" | quote}} - {{ end }} - - # Proxy headers configuration - - name: KC_PROXY_HEADERS - value: "xforwarded" +## Environment variables are defined in the base config file (platform-keycloak.yaml) +## This template only provides cluster-specific overrides ## Resource configuration {{- with .Values.argo.resources.platformKeycloak }} @@ -83,7 +58,7 @@ extraVolumes: | name: platform-keycloak-config ## Health probes configuration -livenessProbe: +livenessProbe: | httpGet: path: / port: http @@ -92,7 +67,7 @@ livenessProbe: timeoutSeconds: 5 failureThreshold: 3 -readinessProbe: +readinessProbe: | httpGet: path: /realms/master port: http diff --git a/argocd/applications/templates/platform-keycloak-config-job.yaml b/argocd/applications/templates/platform-keycloak-config-job.yaml index c618af41d..222b8ef6d 100644 --- a/argocd/applications/templates/platform-keycloak-config-job.yaml +++ b/argocd/applications/templates/platform-keycloak-config-job.yaml 
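Review bot: Removing this `extraEnv` block also drops `KC_PROXY_HEADERS=xforwarded`, and the base file's `extraEnv` added in the `@@ -84,41 +83,30 @@` hunk of platform-keycloak.yaml only brings in the proxy and `KC_DB_USERNAME` variables while the context lines still show `KC_PROXY: "passthrough"`; unless `KC_PROXY_HEADERS` is set somewhere else, Keycloak behind Traefik will, as far as I can tell, stop trusting `X-Forwarded-For`/`X-Forwarded-Proto`, so redirect URIs are built from the internal scheme and host and the brute-force detector attributes every login attempt to the proxy's address. The pool sizing driven by `argo.platform-keycloak.db` (`KC_DB_POOL_INITIAL_SIZE` and friends) is lost as well. I would add `- name: KC_PROXY_HEADERS` / `value: "xforwarded"` to the base `extraEnv` and keep the pool variables templated here; the replacement comment should then not claim that all environment variables live in the base file.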
@@ -19,9 +19,9 @@ metadata: spec: project: {{ required "A valid projectName entry required!" .Values.argo.project }} sources: - - repoURL: {{ required "A valid repoURL entry required!" .Values.argo.repoURL }} + - repoURL: {{ required "A valid deployRepoURL entry required!" .Values.argo.deployRepoURL }} path: argocd/applications/configs - targetRevision: {{ required "A valid targetRevision entry required!" .Values.argo.targetRevision }} + targetRevision: {{ required "A valid deployRepoRevision entry required!" .Values.argo.deployRepoRevision }} directory: include: "platform-keycloak-config-job.yaml" destination: diff --git a/argocd/applications/templates/platform-keycloak-config.yaml b/argocd/applications/templates/platform-keycloak-config.yaml index 7927c5f64..9d818bd66 100644 --- a/argocd/applications/templates/platform-keycloak-config.yaml +++ b/argocd/applications/templates/platform-keycloak-config.yaml @@ -19,9 +19,9 @@ metadata: spec: project: {{ required "A valid projectName entry required!" .Values.argo.project }} sources: - - repoURL: {{ required "A valid repoURL entry required!" .Values.argo.repoURL }} + - repoURL: {{ required "A valid deployRepoURL entry required!" .Values.argo.deployRepoURL }} path: argocd/applications/configs - targetRevision: {{ required "A valid targetRevision entry required!" .Values.argo.targetRevision }} + targetRevision: {{ required "A valid deployRepoRevision entry required!" .Values.argo.deployRepoRevision }} directory: include: "platform-keycloak-realm-config.yaml" destination: From 74b65bb0187e53dce3ed4b6bbcade5eba7212827 Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Mon, 29 Sep 2025 21:21:38 -0700 Subject: [PATCH 06/25] making the value string --- argocd/applications/templates/platform-keycloak-config-job.yaml | 2 +- argocd/applications/templates/platform-keycloak-config.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/argocd/applications/templates/platform-keycloak-config-job.yaml b/argocd/applications/templates/platform-keycloak-config-job.yaml
index 222b8ef6d..99b8206f7 100644
--- a/argocd/applications/templates/platform-keycloak-config-job.yaml
+++ b/argocd/applications/templates/platform-keycloak-config-job.yaml
@@ -21,7 +21,7 @@ spec:
sources:
- repoURL: {{ required "A valid deployRepoURL entry required!" .Values.argo.deployRepoURL }}
path: argocd/applications/configs
- targetRevision: {{ required "A valid deployRepoRevision entry required!" .Values.argo.deployRepoRevision }}
+ targetRevision: {{ required "A valid deployRepoRevision entry required!" .Values.argo.deployRepoRevision | quote }}
directory:
include: "platform-keycloak-config-job.yaml"
destination:
diff --git a/argocd/applications/templates/platform-keycloak-config.yaml b/argocd/applications/templates/platform-keycloak-config.yaml
index 9d818bd66..a8eead40a 100644
--- a/argocd/applications/templates/platform-keycloak-config.yaml
+++ b/argocd/applications/templates/platform-keycloak-config.yaml
@@ -21,7 +21,7 @@ spec:
sources:
- repoURL: {{ required "A valid deployRepoURL entry required!" .Values.argo.deployRepoURL }}
path: argocd/applications/configs
- targetRevision: {{ required "A valid deployRepoRevision entry required!" .Values.argo.deployRepoRevision }}
+ targetRevision: {{ required "A valid deployRepoRevision entry required!" .Values.argo.deployRepoRevision | quote }}
directory:
include: "platform-keycloak-realm-config.yaml"
destination:
From 58ccf100f05366fa195219abbf2a1f01dc635628 Mon Sep 17 00:00:00 2001
From: Sandeep Sharma
Date: Tue, 30 Sep 2025 03:32:08 -0700
Subject: [PATCH 07/25] fixed erorrs in pod run, - dnsQuery null | set java ops, set cacheStack=kubernetes - retained the relative path to / inplace of /auth
---
.../configs/platform-keycloak.yaml | 85 ++++++++++---------
1 file changed, 44 insertions(+), 41 deletions(-)
diff --git a/argocd/applications/configs/platform-keycloak.yaml b/argocd/applications/configs/platform-keycloak.yaml index 3bf236213..a79631e2a 100644 --- a/argocd/applications/configs/platform-keycloak.yaml +++ b/argocd/applications/configs/platform-keycloak.yaml @@ -61,10 +61,19 @@ args: ## Environment variables for Keycloak configuration extraEnv: | + - name: JAVA_OPTS_APPEND + value: >- + -Djgroups.dns.query=platform-keycloak-headless.orch-platform.svc.cluster.local + - name: KC_HTTP_RELATIVE_PATH + value: "/" + - name: KC_CACHE + value: "ispn" + - name: KC_CACHE_STACK + value: "kubernetes" # Admin credentials - - name: KEYCLOAK_ADMIN + - name: KC_BOOTSTRAP_ADMIN_USERNAME value: "admin" - - name: KEYCLOAK_ADMIN_PASSWORD + - name: KC_BOOTSTRAP_ADMIN_PASSWORD valueFrom: secretKeyRef: name: platform-keycloak @@ -72,6 +81,7 @@ extraEnv: | # HTTP/HTTPS configuration - name: KC_HOSTNAME_STRICT value: "false" + # HTTP/HTTPS configuration - name: KC_HOSTNAME_STRICT_HTTPS value: "false" - name: KC_HTTP_ENABLED 
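Review bot: `KC_CACHE_STACK: "kubernetes"` in `extraEnv` duplicates `cache.stack: kubernetes` that the next hunk (`@@ -104,52 +114,45 @@`) sets in the same file, so the same option now has two sources that can drift silently; keep the chart value and drop the env entry (or the reverse), and add a comment on whichever survives. The `@@ -72,6 +81,7 @@` hunk inserts a second `# HTTP/HTTPS configuration` comment directly below the identical existing one; drop it. The `-Djgroups.dns.query=platform-keycloak-headless.orch-platform.svc.cluster.local` value hardcodes both the release name and the namespace, which deserves a comment such as `# must match metadata.namespace and the chart's headless service name`. If the Keycloak pods are not inside the mesh, cache replication over the kubernetes JGroups stack is cleartext between pods; Keycloak's documentation recommends enabling JGroups encryption in that case, worth confirming here.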
@@ -104,52 +114,45 @@ database: vendor: postgres hostname: postgresql.orch-database.svc.cluster.local port: 5432 - database: keycloak + database: orch-platform-platform-keycloak existingSecret: platform-keycloak-local-postgresql existingSecretKey: PGPASSWORD dbchecker: enabled: true + securityContext: + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL ################################# # HEALTH & MONITORING ################################# -livenessProbe: - | - httpGet: - path: / - port: http - initialDelaySeconds: 60 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 3 -readinessProbe: - | - httpGet: - path: /realms/master - port: http - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 3 - -metrics: - enabled: true - -health: - enabled: true - -################################# -# CLUSTERING & CACHE -################################# +livenessProbe: | + httpGet: + path: / + port: http + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 3 +readinessProbe: | + httpGet: + path: /realms/master + port: http + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 +startupProbe: | + httpGet: + path: / + port: http + initialDelaySeconds: 15 + periodSeconds: 5 + timeoutSeconds: 1 + failureThreshold: 60 cache: - stack: default - -################################# -# STORAGE & CONFIGURATION -################################# -## Volume for realm configuration import -extraVolumes: | - - name: keycloak-config - configMap: - name: platform-keycloak-config + stack: kubernetes From b291b77dec2dda372687f88557694431f41754ab Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Tue, 30 Sep 2025 04:55:16 -0700 Subject: [PATCH 08/25] Use platform-keycloak-http FQDN for secrets-config OIDC endpoints --- argocd/applications/configs/secrets-config.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
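Review bot: The new `dbchecker.securityContext` drops all capabilities and sets a seccomp profile but omits `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, so the init container still does not satisfy the Pod Security `restricted` profile; add `runAsNonRoot: true` / `allowPrivilegeEscalation: false` next to the existing `capabilities:` entry. The rewritten `livenessProbe`/`readinessProbe` and the new `startupProbe` still probe `/` and `/realms/master` on port `http` even though `KC_HEALTH_ENABLED` is `"true"`; the dedicated `/health/live` and `/health/ready` endpoints on the management interface (port 9000 in Keycloak 25+) are cheaper and do not depend on the master realm rendering, which is at least worth a comment. Removing the `extraVolumes` entry for `keycloak-config` is only safe if nothing else in this file still references that volume; the rest of the file is outside the hunk.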
diff --git a/argocd/applications/configs/secrets-config.yaml b/argocd/applications/configs/secrets-config.yaml
index 68e1da9fc..d2b0fa9e8 100644
--- a/argocd/applications/configs/secrets-config.yaml
+++ b/argocd/applications/configs/secrets-config.yaml
@@ -6,6 +6,8 @@ auth:
orchSvcs:
roleMaxTTL: 1h
oidc:
- idPAddr: "http://platform-keycloak.orch-platform.svc"
- idPDiscoveryURL: "http://platform-keycloak.orch-platform.svc/realms/master"
+ # Use fully-qualified cluster DNS name to avoid any lookup ambiguity
+ # Use the actual HTTP service name created by the Keycloak chart
+ idPAddr: "http://platform-keycloak-http.orch-platform.svc.cluster.local"
+ idPDiscoveryURL: "http://platform-keycloak-http.orch-platform.svc.cluster.local/realms/master"
roleMaxTTL: 1h
From fe3370003c131b71e628d7f4b81ff245ecb8ca97 Mon Sep 17 00:00:00 2001
From: Sandeep Sharma
Date: Tue, 30 Sep 2025 05:42:07 -0700
Subject: [PATCH 09/25] updating the platform-keycloak service name (as per the new chart)
---
.../configs/app-deployment-manager.yaml | 4 +--
.../configs/app-interconnect-manager.yaml | 2 +-
.../configs/app-orch-catalog.yaml | 2 +-
.../configs/app-orch-tenant-controller.yaml | 2 +-
.../configs/app-resource-manager.yaml | 2 +-
argocd/applications/configs/infra-core.yaml | 8 ++---
.../applications/configs/infra-external.yaml | 6 ++--
.../applications/configs/infra-managers.yaml | 10 +++---
.../configs/infra-onboarding.yaml | 6 ++--
.../configs/intel-infra-provider.yaml | 2 +-
.../applications/configs/metadata-broker.yaml | 2 +-
argocd/applications/configs/nexus-api-gw.yaml | 4 +--
.../configs/platform-keycloak-config-job.yaml | 2 +-
.../configs/platform-keycloak.yaml | 2 ++
.../platform-keycloak-legacy-service.yaml | 30 +++++++++++++++++++
argocd/applications/custom/secrets-config.tpl | 9 +++++-
.../custom/traefik-extra-objects.tpl | 2 +-
17 files changed, 67 insertions(+), 28 deletions(-)
create mode 100644 argocd/applications/custom/platform-keycloak-legacy-service.yaml
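Review bot: The new `idPAddr` and `idPDiscoveryURL` carry no port, so they resolve to port 80 on `platform-keycloak-http`, whereas the chart is configured with `service.httpPort: 8080` (platform-keycloak.yaml) and every other consumer updated later in this series talks to `:8080`; unless the chart's HTTP service also exposes port 80, the OIDC discovery done by secrets-config will fail to connect. I would write `idPAddr: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080"` and the matching `idPDiscoveryURL`. The two added comments say the same thing; a single `# FQDN of the chart's HTTP service; avoids search-domain lookups` is enough.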
diff --git a/argocd/applications/configs/app-deployment-manager.yaml b/argocd/applications/configs/app-deployment-manager.yaml index b20732eb1..07541d029 100644 --- a/argocd/applications/configs/app-deployment-manager.yaml +++ b/argocd/applications/configs/app-deployment-manager.yaml @@ -5,7 +5,7 @@ adm: resources: null catalogService: app-orch-catalog-grpc-server:8080 - keycloakServerEndpoint: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" + keycloakServerEndpoint: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" secretService: enabled: true endpoint: "http://vault.orch-platform.svc.cluster.local:8200" @@ -31,7 +31,7 @@ adm: openidc: # -- the endpoint of a Keycloak Realm e.g. http://keycloak/realms/master - issuer: "http://platform-keycloak.orch-platform.svc/realms/master" + issuer: "http://platform-keycloak-http.orch-platform.svc/realms/master" insecureSkipVerify: false gitea: diff --git a/argocd/applications/configs/app-interconnect-manager.yaml b/argocd/applications/configs/app-interconnect-manager.yaml index 7b9ffad7e..841577d3c 100644 --- a/argocd/applications/configs/app-interconnect-manager.yaml +++ b/argocd/applications/configs/app-interconnect-manager.yaml @@ -8,5 +8,5 @@ interconnect_manager: create: false name: orch-svc vaultServer: "http://vault.orch-platform.svc.cluster.local:8200" - keycloakServer: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" + keycloakServer: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" resources: null diff --git a/argocd/applications/configs/app-orch-catalog.yaml b/argocd/applications/configs/app-orch-catalog.yaml index 53082941d..96de01eb8 100644 --- a/argocd/applications/configs/app-orch-catalog.yaml +++ b/argocd/applications/configs/app-orch-catalog.yaml 
@@ -14,7 +14,7 @@ traefikReverseProxy: enabled: true secretName: tls-orch ## must be created in orch-gateway namespace openidc: - issuer: http://platform-keycloak.orch-platform.svc/realms/master + issuer: http://platform-keycloak-http.orch-platform.svc/realms/master storage: size: 1Gi postgres: diff --git a/argocd/applications/configs/app-orch-tenant-controller.yaml b/argocd/applications/configs/app-orch-tenant-controller.yaml index 6dcf53c0b..699f51cfc 100644 --- a/argocd/applications/configs/app-orch-tenant-controller.yaml +++ b/argocd/applications/configs/app-orch-tenant-controller.yaml @@ -8,7 +8,7 @@ configProvisioner: admServer: app-deployment-api-grpc-server.orch-app.svc.cluster.local:8080 namespace: orch-app vaultServer: "http://vault.orch-platform.svc.cluster.local:8200" - keycloakServiceBase: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" + keycloakServiceBase: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" releaseServiceBase: "rs-proxy.orch-platform.svc.cluster.local:8081" releaseServiceProxyRootUrl: "oci://rs-proxy.orch-platform.svc.cluster.local:8443" manifestPath: "/edge-orch/en/file/cluster-extension-manifest" diff --git a/argocd/applications/configs/app-resource-manager.yaml b/argocd/applications/configs/app-resource-manager.yaml index f748a0420..a21a99044 100644 --- a/argocd/applications/configs/app-resource-manager.yaml +++ b/argocd/applications/configs/app-resource-manager.yaml @@ -15,5 +15,5 @@ traefikReverseProxy: resources: null vncProxyResources: null vaultServer: "http://vault.orch-platform.svc.cluster.local:8200" -keycloakServer: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" +keycloakServer: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" defaultNamespace: "orch-app" diff --git a/argocd/applications/configs/infra-core.yaml b/argocd/applications/configs/infra-core.yaml index 3a309cdfa..2de7c76bc 100644 --- a/argocd/applications/configs/infra-core.yaml 
+++ b/argocd/applications/configs/infra-core.yaml @@ -15,7 +15,7 @@ credentials: serviceAccount: name: "orch-svc" params: - keycloakUrl: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" + keycloakUrl: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" vaultUrl: "http://vault.orch-platform.svc.cluster.local:8200" api: @@ -31,7 +31,7 @@ api: oidc: name: "keycloak-api" oidc_env_name: "OIDC_SERVER_URL" - oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" oidc_tls_insecure_skip_verify_env_name: "OIDC_TLS_INSECURE_SKIP_VERIFY" oidc_tls_insecure_skip_verify_value: "true" multiTenancy: @@ -56,7 +56,7 @@ apiv2: oidc: name: "keycloak-api" oidc_env_name: "OIDC_SERVER_URL" - oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" oidc_tls_insecure_skip_verify_env_name: "OIDC_TLS_INSECURE_SKIP_VERIFY" oidc_tls_insecure_skip_verify_value: "true" resources: null @@ -80,7 +80,7 @@ tenant-controller: inventoryAddress: "inventory.orch-infra.svc.cluster.local:50051" traceURL: "orchestrator-observability-opentelemetry-collector.orch-platform.svc:4318" oidc: - oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local/realms/master" resources: null serviceAccount: name: "orch-svc" diff --git a/argocd/applications/configs/infra-external.yaml b/argocd/applications/configs/infra-external.yaml index edbb496e6..23764d5d4 100644 --- a/argocd/applications/configs/infra-external.yaml +++ b/argocd/applications/configs/infra-external.yaml 
@@ -19,7 +19,7 @@ loca-manager: env: vaultUrl: "http://vault.orch-platform.svc.cluster.local:8200" vaultRole: "orch-svc" - keycloakUrl: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" + keycloakUrl: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" loca-metadata-manager: serviceAccount: @@ -78,7 +78,7 @@ loca-credentials: serviceAccount: name: "orch-svc" params: - keycloakUrl: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" + keycloakUrl: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" vaultUrl: "http://vault.orch-platform.svc.cluster.local:8200" amt: @@ -111,6 +111,6 @@ amt: password: "" env: oidc: - oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" oidc_tls_insecure_skip_verify_value: "true" diff --git a/argocd/applications/configs/infra-managers.yaml b/argocd/applications/configs/infra-managers.yaml index e805a82da..6342bb8a8 100644 --- a/argocd/applications/configs/infra-managers.yaml +++ b/argocd/applications/configs/infra-managers.yaml @@ -17,7 +17,7 @@ host-manager: secretName: "tls-orch" tlsOption: "gateway-tls" oidc: - oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" multiTenancy: enforceMultiTenancy: "true" resources: null @@ -34,7 +34,7 @@ maintenance-manager: secretName: "tls-orch" tlsOption: "gateway-tls" oidc: - oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" telemetryMgrArgs: enableVal: false # disable telemetry profile validation multiTenancy: 
@@ -62,7 +62,7 @@ telemetry-manager: secretName: "tls-orch" tlsOption: "gateway-tls" oidc: - oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" multiTenancy: enforceMultiTenancy: "true" resources: null @@ -79,7 +79,7 @@ os-resource-manager: image: pullPolicy: IfNotPresent oidc: - oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local/realms/master" autoProvision: enabled: false # autoprovisioning disabled by default, can be enabled by enable-autoprovision profile multiTenancy: @@ -98,7 +98,7 @@ attestationstatus-manager: secretName: "tls-orch" tlsOption: "gateway-tls" oidc: - oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" multiTenancy: enforceMultiTenancy: "true" resources: null diff --git a/argocd/applications/configs/infra-onboarding.yaml b/argocd/applications/configs/infra-onboarding.yaml index 832692054..980511e0a 100644 --- a/argocd/applications/configs/infra-onboarding.yaml +++ b/argocd/applications/configs/infra-onboarding.yaml @@ -31,14 +31,14 @@ onboarding-manager: env: tinkerActionsVersion: "1.19.3" oidc: - oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" # Skip AuthZ for CDN-boots clients: bypass: - cdn-boots vaultUrl: "http://vault.orch-platform.svc.cluster.local:8200" vaultRole: "orch-svc" - keycloakUrl: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" + keycloakUrl: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" multiTenancy: enforceMultiTenancy: true resources: null 
@@ -51,7 +51,7 @@ dkam: env: rs_proxy_address: "rs-proxy.orch-platform.svc.cluster.local:8081/" oidc: - oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" resources: null infra-config: diff --git a/argocd/applications/configs/intel-infra-provider.yaml b/argocd/applications/configs/intel-infra-provider.yaml index 948db71e6..f1aa29f9f 100644 --- a/argocd/applications/configs/intel-infra-provider.yaml +++ b/argocd/applications/configs/intel-infra-provider.yaml @@ -6,4 +6,4 @@ manager: inventory: endpoint: "inventory.orch-infra.svc.cluster.local:50051" oidc: - oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" diff --git a/argocd/applications/configs/metadata-broker.yaml b/argocd/applications/configs/metadata-broker.yaml index e83c27016..c8a22684e 100644 --- a/argocd/applications/configs/metadata-broker.yaml +++ b/argocd/applications/configs/metadata-broker.yaml @@ -5,7 +5,7 @@ # Intentionally blank. There are no base settings overrides. openidc: - issuer: http://platform-keycloak.orch-platform.svc/realms/master + issuer: http://platform-keycloak-http.orch-platform.svc/realms/master service: traefik: diff --git a/argocd/applications/configs/nexus-api-gw.yaml b/argocd/applications/configs/nexus-api-gw.yaml index d4d851351..b91320f2c 100644 --- a/argocd/applications/configs/nexus-api-gw.yaml +++ b/argocd/applications/configs/nexus-api-gw.yaml 
@@ -15,7 +15,7 @@ traefikReverseProxy: oidc: name: "keycloak-api" oidc_env_name: "OIDC_SERVER_URL" - # TODO: Use `platform-keycloak.orch-platform.svc.cluster.local` to avoid possible DNS search domain problems. - oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" + # TODO: Use `platform-keycloak-http.orch-platform.svc.cluster.local` to avoid possible DNS search domain problems. + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" oidc_tls_insecure_skip_verify_env_name: "OIDC_TLS_INSECURE_SKIP_VERIFY" oidc_tls_insecure_skip_verify_value: "true" diff --git a/argocd/applications/configs/platform-keycloak-config-job.yaml b/argocd/applications/configs/platform-keycloak-config-job.yaml index 6b7056026..35f0f57d8 100644 --- a/argocd/applications/configs/platform-keycloak-config-job.yaml +++ b/argocd/applications/configs/platform-keycloak-config-job.yaml @@ -37,7 +37,7 @@ spec: imagePullPolicy: IfNotPresent env: - name: KEYCLOAK_URL - value: "http://platform-keycloak:8080" + value: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" - name: KEYCLOAK_USER value: "admin" - name: KEYCLOAK_PASSWORD diff --git a/argocd/applications/configs/platform-keycloak.yaml b/argocd/applications/configs/platform-keycloak.yaml index a79631e2a..48a3d5433 100644 --- a/argocd/applications/configs/platform-keycloak.yaml +++ b/argocd/applications/configs/platform-keycloak.yaml @@ -41,6 +41,8 @@ podLabels: # NETWORK & SERVICE ################################# service: + metadata: + name: platform-keycloak type: ClusterIP httpPort: 8080 diff --git a/argocd/applications/custom/platform-keycloak-legacy-service.yaml b/argocd/applications/custom/platform-keycloak-legacy-service.yaml new file mode 100644 index 000000000..9d42c2622 --- /dev/null +++ b/argocd/applications/custom/platform-keycloak-legacy-service.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: platform-keycloak + namespace: orch-platform + labels: + app.kubernetes.io/instance: platform-keycloak + app.kubernetes.io/name: keycloakx + app.kubernetes.io/component: http + annotations: + # Compatibility alias for platform-keycloak-http + platform.open-edge/managed-by: "legacy-service-alias" +spec: + type: ClusterIP + selector: + app.kubernetes.io/instance: platform-keycloak + app.kubernetes.io/name: keycloakx + ports: + - name: http-internal + port: 9000 + protocol: TCP + targetPort: http-internal + - name: http + port: 8080 + protocol: TCP + targetPort: http + - name: https + port: 8443 + protocol: TCP + targetPort: https diff --git a/argocd/applications/custom/secrets-config.tpl b/argocd/applications/custom/secrets-config.tpl index 5166aaff5..df66a2698 100644 --- a/argocd/applications/custom/secrets-config.tpl +++ b/argocd/applications/custom/secrets-config.tpl @@ -15,4 +15,11 @@ image: imagePullSecrets: {{- with .Values.argo.imagePullSecrets }} {{- toYaml . | nindent 2 }} - {{- end }} \ No newline at end of file + {{- end }} +# Disable Istio sidecar injection for the secrets-config job pods so +# they can talk to Keycloak instances that intentionally have injection +# disabled (prevents mTLS/sidecar mismatch issues). +podAnnotations: + sidecar.istio.io/inject: "false" +podLabels: + sidecar.istio.io/inject: "false" \ No newline at end of file diff --git a/argocd/applications/custom/traefik-extra-objects.tpl b/argocd/applications/custom/traefik-extra-objects.tpl index 084effd48..e9f7ff969 100644 --- a/argocd/applications/custom/traefik-extra-objects.tpl +++ b/argocd/applications/custom/traefik-extra-objects.tpl 
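Review bot: Opting the secrets-config job out of the mesh with `sidecar.istio.io/inject: "false"` means its calls to Keycloak and Vault — which presumably carry admin credentials and the OIDC auth configuration — are plain HTTP with no mTLS and no Istio authorization policy; the comment justifies this by Keycloak being outside the mesh, which this diff does not show, so please confirm that and record the residual risk in the comment, e.g. `# NOTE: job traffic to Keycloak/Vault is cleartext on the pod network; restrict it with a NetworkPolicy`. Istio has used the label for injection control since 1.10 and treats the annotation as deprecated, so the `podAnnotations` entry is redundant with the `podLabels` one; keeping only the label is clearer. The file still ends without a trailing newline (`\ No newline at end of file`), which the hunk had the chance to fix.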
@@ -6,7 +6,7 @@ # Revisit this once the porting is done. orchSecretName: tls-orch # internal keycloak JWKS URL should be static but providing a way to modify it here -keycloakJwksUrl: http://platform-keycloak.orch-platform.svc +keycloakJwksUrl: http://platform-keycloak-http.orch-platform.svc # internal keycloak JWKS Path should be static but providing a way to modify it here keycloakJwksPath: /realms/master/protocol/openid-connect/certs keycloakServicePort: 8080 From 9b6afef8624b05bcf0ac4f30f6e9239bc8e708ab Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Tue, 30 Sep 2025 23:44:24 -0700 Subject: [PATCH 10/25] updating the urls as per new service name --- .../configs/app-deployment-manager.yaml | 2 +- .../configs/app-orch-catalog.yaml | 2 +- argocd/applications/configs/infra-core.yaml | 6 ++-- .../applications/configs/infra-external.yaml | 2 +- .../configs/infra-onboarding.yaml | 4 +-- .../applications/configs/metadata-broker.yaml | 2 +- argocd/applications/configs/nexus-api-gw.yaml | 2 +- .../applications/configs/secrets-config.yaml | 4 +-- .../platform-keycloak-legacy-service.yaml | 30 ------------------- .../custom/traefik-extra-objects.tpl | 2 +- 10 files changed, 13 insertions(+), 43 deletions(-) delete mode 100644 argocd/applications/custom/platform-keycloak-legacy-service.yaml diff --git a/argocd/applications/configs/app-deployment-manager.yaml b/argocd/applications/configs/app-deployment-manager.yaml index 07541d029..4ab960ee9 100644 --- a/argocd/applications/configs/app-deployment-manager.yaml +++ b/argocd/applications/configs/app-deployment-manager.yaml @@ -31,7 +31,7 @@ adm: openidc: # -- the endpoint of a Keycloak Realm e.g. http://keycloak/realms/master - issuer: "http://platform-keycloak-http.orch-platform.svc/realms/master" + issuer: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" insecureSkipVerify: false gitea: 
diff --git a/argocd/applications/configs/app-orch-catalog.yaml b/argocd/applications/configs/app-orch-catalog.yaml index 96de01eb8..a1524616a 100644 --- a/argocd/applications/configs/app-orch-catalog.yaml +++ b/argocd/applications/configs/app-orch-catalog.yaml @@ -14,7 +14,7 @@ traefikReverseProxy: enabled: true secretName: tls-orch ## must be created in orch-gateway namespace openidc: - issuer: http://platform-keycloak-http.orch-platform.svc/realms/master + issuer: http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master storage: size: 1Gi postgres: diff --git a/argocd/applications/configs/infra-core.yaml b/argocd/applications/configs/infra-core.yaml index 2de7c76bc..9c7dc7b56 100644 --- a/argocd/applications/configs/infra-core.yaml +++ b/argocd/applications/configs/infra-core.yaml @@ -31,7 +31,7 @@ api: oidc: name: "keycloak-api" oidc_env_name: "OIDC_SERVER_URL" - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" oidc_tls_insecure_skip_verify_env_name: "OIDC_TLS_INSECURE_SKIP_VERIFY" oidc_tls_insecure_skip_verify_value: "true" multiTenancy: @@ -56,7 +56,7 @@ apiv2: oidc: name: "keycloak-api" oidc_env_name: "OIDC_SERVER_URL" - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" oidc_tls_insecure_skip_verify_env_name: "OIDC_TLS_INSECURE_SKIP_VERIFY" oidc_tls_insecure_skip_verify_value: "true" resources: null 
@@ -80,7 +80,7 @@ tenant-controller: inventoryAddress: "inventory.orch-infra.svc.cluster.local:50051" traceURL: "orchestrator-observability-opentelemetry-collector.orch-platform.svc:4318" oidc: - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" resources: null serviceAccount: name: "orch-svc" diff --git a/argocd/applications/configs/infra-external.yaml b/argocd/applications/configs/infra-external.yaml index 23764d5d4..ddeb95022 100644 --- a/argocd/applications/configs/infra-external.yaml +++ b/argocd/applications/configs/infra-external.yaml @@ -111,6 +111,6 @@ amt: password: "" env: oidc: - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" oidc_tls_insecure_skip_verify_value: "true" diff --git a/argocd/applications/configs/infra-onboarding.yaml b/argocd/applications/configs/infra-onboarding.yaml index 980511e0a..62a7732d0 100644 --- a/argocd/applications/configs/infra-onboarding.yaml +++ b/argocd/applications/configs/infra-onboarding.yaml @@ -31,7 +31,7 @@ onboarding-manager: env: tinkerActionsVersion: "1.19.3" oidc: - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" # Skip AuthZ for CDN-boots clients: bypass: @@ -51,7 +51,7 @@ dkam: env: rs_proxy_address: "rs-proxy.orch-platform.svc.cluster.local:8081/" oidc: - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" resources: null infra-config: 
diff --git a/argocd/applications/configs/metadata-broker.yaml b/argocd/applications/configs/metadata-broker.yaml index c8a22684e..b29071dbb 100644 --- a/argocd/applications/configs/metadata-broker.yaml +++ b/argocd/applications/configs/metadata-broker.yaml @@ -5,7 +5,7 @@ # Intentionally blank. There are no base settings overrides. openidc: - issuer: http://platform-keycloak-http.orch-platform.svc/realms/master + issuer: http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master service: traefik: diff --git a/argocd/applications/configs/nexus-api-gw.yaml b/argocd/applications/configs/nexus-api-gw.yaml index b91320f2c..3e7a7f23a 100644 --- a/argocd/applications/configs/nexus-api-gw.yaml +++ b/argocd/applications/configs/nexus-api-gw.yaml @@ -16,6 +16,6 @@ oidc: name: "keycloak-api" oidc_env_name: "OIDC_SERVER_URL" # TODO: Use `platform-keycloak-http.orch-platform.svc.cluster.local` to avoid possible DNS search domain problems. - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" oidc_tls_insecure_skip_verify_env_name: "OIDC_TLS_INSECURE_SKIP_VERIFY" oidc_tls_insecure_skip_verify_value: "true" diff --git a/argocd/applications/configs/secrets-config.yaml b/argocd/applications/configs/secrets-config.yaml index d2b0fa9e8..65ee31a1d 100644 --- a/argocd/applications/configs/secrets-config.yaml +++ b/argocd/applications/configs/secrets-config.yaml 
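Review bot: The TODO kept as context in the nexus-api-gw hunk asks to use `platform-keycloak-http.orch-platform.svc.cluster.local`, and the new `oidc_server_url` line directly below it now does exactly that, so the TODO is resolved and should be removed rather than carried along. The later hunk of the same file (the @@ -15 hunk in the following commit) rewrites the TODO to name `platform-keycloak.orch-platform.svc.cluster.local` while again applying that very host on the next line, so it is stale there too. Suggest replacing it in both places with a comment that states the intent, e.g. `# Fully-qualified cluster DNS name with an explicit port, so no search-domain lookup is involved.`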
@@ -8,6 +8,6 @@ auth: oidc: # Use fully-qualified cluster DNS name to avoid any lookup ambiguity # Use the actual HTTP service name created by the Keycloak chart - idPAddr: "http://platform-keycloak-http.orch-platform.svc.cluster.local" - idPDiscoveryURL: "http://platform-keycloak-http.orch-platform.svc.cluster.local/realms/master" + idPAddr: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" + idPDiscoveryURL: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" roleMaxTTL: 1h diff --git a/argocd/applications/custom/platform-keycloak-legacy-service.yaml b/argocd/applications/custom/platform-keycloak-legacy-service.yaml deleted file mode 100644 index 9d42c2622..000000000 --- a/argocd/applications/custom/platform-keycloak-legacy-service.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: platform-keycloak - namespace: orch-platform - labels: - app.kubernetes.io/instance: platform-keycloak - app.kubernetes.io/name: keycloakx - app.kubernetes.io/component: http - annotations: - # Compatibility alias for platform-keycloak-http - platform.open-edge/managed-by: "legacy-service-alias" -spec: - type: ClusterIP - selector: - app.kubernetes.io/instance: platform-keycloak - app.kubernetes.io/name: keycloakx - ports: - - name: http-internal - port: 9000 - protocol: TCP - targetPort: http-internal - - name: http - port: 8080 - protocol: TCP - targetPort: http - - name: https - port: 8443 - protocol: TCP - targetPort: https diff --git a/argocd/applications/custom/traefik-extra-objects.tpl b/argocd/applications/custom/traefik-extra-objects.tpl index e9f7ff969..9bb187de3 100644 --- a/argocd/applications/custom/traefik-extra-objects.tpl +++ b/argocd/applications/custom/traefik-extra-objects.tpl 
@@ -6,7 +6,7 @@
 # Revisit this once the porting is done.
 orchSecretName: tls-orch
 # internal keycloak JWKS URL should be static but providing a way to modify it here
-keycloakJwksUrl: http://platform-keycloak-http.orch-platform.svc
+keycloakJwksUrl: http://platform-keycloak-http.orch-platform.svc.cluster.local:8080
 # internal keycloak JWKS Path should be static but providing a way to modify it here
 keycloakJwksPath: /realms/master/protocol/openid-connect/certs
 keycloakServicePort: 8080
From 3182e785935525d8f79fb49cea2775f5c6137c27 Mon Sep 17 00:00:00 2001
From: Sandeep Sharma Date: Wed, 1 Oct 2025 03:39:08 -0700 Subject: [PATCH 11/25] Fix keycloak-tenant-controller: use admin-cli client and add backward-compatibility service - Changed keycloak-tenant-controller to use admin-cli instead of non-existent system-client - Added platform-keycloak-compat-service for backward compatibility - Reverted all service URLs back to platform-keycloak.orch-platform.svc - Creates ClusterIP service that points to same endpoints as platform-keycloak-http --- .../configs/app-deployment-manager.yaml | 4 +- .../configs/app-interconnect-manager.yaml | 2 +- .../configs/app-orch-catalog.yaml | 2 +- .../configs/app-orch-tenant-controller.yaml | 2 +- .../configs/app-resource-manager.yaml | 2 +- argocd/applications/configs/infra-core.yaml | 8 ++-- .../applications/configs/infra-external.yaml | 6 +-- .../applications/configs/infra-managers.yaml | 10 ++--- .../configs/infra-onboarding.yaml | 6 +-- .../configs/intel-infra-provider.yaml | 2 +- .../applications/configs/metadata-broker.yaml | 2 +- argocd/applications/configs/nexus-api-gw.yaml | 4 +- .../platform-keycloak-compat-service.yaml | 30 +++++++++++++ .../configs/platform-keycloak-config-job.yaml | 2 +- .../applications/configs/secrets-config.yaml | 4 +- .../custom/keycloak-tenant-controller.tpl | 2 +- .../custom/traefik-extra-objects.tpl | 2 +- .../platform-keycloak-compat-service.yaml | 45 +++++++++++++++++++ 18 files changed, 105 insertions(+), 30 deletions(-) create mode 100644 argocd/applications/configs/platform-keycloak-compat-service.yaml create mode 100644 argocd/applications/templates/platform-keycloak-compat-service.yaml diff --git a/argocd/applications/configs/app-deployment-manager.yaml b/argocd/applications/configs/app-deployment-manager.yaml index 4ab960ee9..d7173a531 100644 --- a/argocd/applications/configs/app-deployment-manager.yaml +++ b/argocd/applications/configs/app-deployment-manager.yaml 
@@ -5,7 +5,7 @@ adm: resources: null catalogService: app-orch-catalog-grpc-server:8080 - keycloakServerEndpoint: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" + keycloakServerEndpoint: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" secretService: enabled: true endpoint: "http://vault.orch-platform.svc.cluster.local:8200" @@ -31,7 +31,7 @@ adm: openidc: # -- the endpoint of a Keycloak Realm e.g. http://keycloak/realms/master - issuer: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" + issuer: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" insecureSkipVerify: false gitea: diff --git a/argocd/applications/configs/app-interconnect-manager.yaml b/argocd/applications/configs/app-interconnect-manager.yaml index 841577d3c..7b9ffad7e 100644 --- a/argocd/applications/configs/app-interconnect-manager.yaml +++ b/argocd/applications/configs/app-interconnect-manager.yaml @@ -8,5 +8,5 @@ interconnect_manager: create: false name: orch-svc vaultServer: "http://vault.orch-platform.svc.cluster.local:8200" - keycloakServer: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" + keycloakServer: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" resources: null diff --git a/argocd/applications/configs/app-orch-catalog.yaml b/argocd/applications/configs/app-orch-catalog.yaml index a1524616a..a7e1927a1 100644 --- a/argocd/applications/configs/app-orch-catalog.yaml +++ b/argocd/applications/configs/app-orch-catalog.yaml @@ -14,7 +14,7 @@ traefikReverseProxy: enabled: true secretName: tls-orch ## must be created in orch-gateway namespace openidc: - issuer: http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master + issuer: http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master storage: size: 1Gi postgres: 
diff --git a/argocd/applications/configs/app-orch-tenant-controller.yaml b/argocd/applications/configs/app-orch-tenant-controller.yaml index 699f51cfc..6dcf53c0b 100644 --- a/argocd/applications/configs/app-orch-tenant-controller.yaml +++ b/argocd/applications/configs/app-orch-tenant-controller.yaml @@ -8,7 +8,7 @@ configProvisioner: admServer: app-deployment-api-grpc-server.orch-app.svc.cluster.local:8080 namespace: orch-app vaultServer: "http://vault.orch-platform.svc.cluster.local:8200" - keycloakServiceBase: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" + keycloakServiceBase: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" releaseServiceBase: "rs-proxy.orch-platform.svc.cluster.local:8081" releaseServiceProxyRootUrl: "oci://rs-proxy.orch-platform.svc.cluster.local:8443" manifestPath: "/edge-orch/en/file/cluster-extension-manifest" diff --git a/argocd/applications/configs/app-resource-manager.yaml b/argocd/applications/configs/app-resource-manager.yaml index a21a99044..f748a0420 100644 --- a/argocd/applications/configs/app-resource-manager.yaml +++ b/argocd/applications/configs/app-resource-manager.yaml @@ -15,5 +15,5 @@ traefikReverseProxy: resources: null vncProxyResources: null vaultServer: "http://vault.orch-platform.svc.cluster.local:8200" -keycloakServer: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" +keycloakServer: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" defaultNamespace: "orch-app" diff --git a/argocd/applications/configs/infra-core.yaml b/argocd/applications/configs/infra-core.yaml index 9c7dc7b56..cd46fccea 100644 --- a/argocd/applications/configs/infra-core.yaml +++ b/argocd/applications/configs/infra-core.yaml 
@@ -15,7 +15,7 @@ credentials: serviceAccount: name: "orch-svc" params: - keycloakUrl: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" + keycloakUrl: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" vaultUrl: "http://vault.orch-platform.svc.cluster.local:8200" api: @@ -31,7 +31,7 @@ api: oidc: name: "keycloak-api" oidc_env_name: "OIDC_SERVER_URL" - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" + oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" oidc_tls_insecure_skip_verify_env_name: "OIDC_TLS_INSECURE_SKIP_VERIFY" oidc_tls_insecure_skip_verify_value: "true" multiTenancy: @@ -56,7 +56,7 @@ apiv2: oidc: name: "keycloak-api" oidc_env_name: "OIDC_SERVER_URL" - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" + oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" oidc_tls_insecure_skip_verify_env_name: "OIDC_TLS_INSECURE_SKIP_VERIFY" oidc_tls_insecure_skip_verify_value: "true" resources: null @@ -80,7 +80,7 @@ tenant-controller: inventoryAddress: "inventory.orch-infra.svc.cluster.local:50051" traceURL: "orchestrator-observability-opentelemetry-collector.orch-platform.svc:4318" oidc: - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" + oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" resources: null serviceAccount: name: "orch-svc" diff --git a/argocd/applications/configs/infra-external.yaml b/argocd/applications/configs/infra-external.yaml index ddeb95022..0325a766f 100644 --- a/argocd/applications/configs/infra-external.yaml +++ b/argocd/applications/configs/infra-external.yaml 
@@ -19,7 +19,7 @@ loca-manager: env: vaultUrl: "http://vault.orch-platform.svc.cluster.local:8200" vaultRole: "orch-svc" - keycloakUrl: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" + keycloakUrl: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" loca-metadata-manager: serviceAccount: @@ -78,7 +78,7 @@ loca-credentials: serviceAccount: name: "orch-svc" params: - keycloakUrl: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" + keycloakUrl: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" vaultUrl: "http://vault.orch-platform.svc.cluster.local:8200" amt: @@ -111,6 +111,6 @@ amt: password: "" env: oidc: - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" + oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" oidc_tls_insecure_skip_verify_value: "true" diff --git a/argocd/applications/configs/infra-managers.yaml b/argocd/applications/configs/infra-managers.yaml index 6342bb8a8..40fa7753b 100644 --- a/argocd/applications/configs/infra-managers.yaml +++ b/argocd/applications/configs/infra-managers.yaml @@ -17,7 +17,7 @@ host-manager: secretName: "tls-orch" tlsOption: "gateway-tls" oidc: - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" multiTenancy: enforceMultiTenancy: "true" resources: null @@ -34,7 +34,7 @@ maintenance-manager: secretName: "tls-orch" tlsOption: "gateway-tls" oidc: - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" telemetryMgrArgs: enableVal: false # disable telemetry profile validation multiTenancy: 
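Review bot: The `oidc_server_url` values rewritten in the infra-managers hunks at @@ -17 and @@ -34 here, at @@ -62, @@ -79 and @@ -98 on the next line, and in the intel-infra-provider hunk, carry no port (`http://platform-keycloak.orch-platform.svc/realms/master`), so they resolve to port 80, whereas the `platform-keycloak` compat Service added in this same commit publishes only port 8080. Every other file touched by the commit is pointed at `...svc.cluster.local:8080`; unless something outside this diff also serves port 80 under that name, these callers will not reach the issuer. Suggest `oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master"` in each of those hunks, which also matches the fully-qualified form the commit adopts elsewhere.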
@@ -62,7 +62,7 @@ telemetry-manager: secretName: "tls-orch" tlsOption: "gateway-tls" oidc: - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" multiTenancy: enforceMultiTenancy: "true" resources: null @@ -79,7 +79,7 @@ os-resource-manager: image: pullPolicy: IfNotPresent oidc: - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local/realms/master" + oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local/realms/master" autoProvision: enabled: false # autoprovisioning disabled by default, can be enabled by enable-autoprovision profile multiTenancy: @@ -98,7 +98,7 @@ attestationstatus-manager: secretName: "tls-orch" tlsOption: "gateway-tls" oidc: - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" multiTenancy: enforceMultiTenancy: "true" resources: null diff --git a/argocd/applications/configs/infra-onboarding.yaml b/argocd/applications/configs/infra-onboarding.yaml index 62a7732d0..20a1903b2 100644 --- a/argocd/applications/configs/infra-onboarding.yaml +++ b/argocd/applications/configs/infra-onboarding.yaml @@ -31,14 +31,14 @@ onboarding-manager: env: tinkerActionsVersion: "1.19.3" oidc: - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" + oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" # Skip AuthZ for CDN-boots clients: bypass: - cdn-boots vaultUrl: "http://vault.orch-platform.svc.cluster.local:8200" vaultRole: "orch-svc" - keycloakUrl: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" + keycloakUrl: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" multiTenancy: enforceMultiTenancy: true resources: null 
@@ -51,7 +51,7 @@ dkam: env: rs_proxy_address: "rs-proxy.orch-platform.svc.cluster.local:8081/" oidc: - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" + oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" resources: null infra-config: diff --git a/argocd/applications/configs/intel-infra-provider.yaml b/argocd/applications/configs/intel-infra-provider.yaml index f1aa29f9f..948db71e6 100644 --- a/argocd/applications/configs/intel-infra-provider.yaml +++ b/argocd/applications/configs/intel-infra-provider.yaml @@ -6,4 +6,4 @@ manager: inventory: endpoint: "inventory.orch-infra.svc.cluster.local:50051" oidc: - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc/realms/master" + oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master" diff --git a/argocd/applications/configs/metadata-broker.yaml b/argocd/applications/configs/metadata-broker.yaml index b29071dbb..ba1637156 100644 --- a/argocd/applications/configs/metadata-broker.yaml +++ b/argocd/applications/configs/metadata-broker.yaml @@ -5,7 +5,7 @@ # Intentionally blank. There are no base settings overrides. openidc: - issuer: http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master + issuer: http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master service: traefik: diff --git a/argocd/applications/configs/nexus-api-gw.yaml b/argocd/applications/configs/nexus-api-gw.yaml index 3e7a7f23a..c17cf7b9a 100644 --- a/argocd/applications/configs/nexus-api-gw.yaml +++ b/argocd/applications/configs/nexus-api-gw.yaml 
@@ -15,7 +15,7 @@ traefikReverseProxy: oidc: name: "keycloak-api" oidc_env_name: "OIDC_SERVER_URL" - # TODO: Use `platform-keycloak-http.orch-platform.svc.cluster.local` to avoid possible DNS search domain problems. - oidc_server_url: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" + # TODO: Use `platform-keycloak.orch-platform.svc.cluster.local` to avoid possible DNS search domain problems. + oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" oidc_tls_insecure_skip_verify_env_name: "OIDC_TLS_INSECURE_SKIP_VERIFY" oidc_tls_insecure_skip_verify_value: "true" diff --git a/argocd/applications/configs/platform-keycloak-compat-service.yaml b/argocd/applications/configs/platform-keycloak-compat-service.yaml new file mode 100644 index 000000000..5e97b1395 --- /dev/null +++ b/argocd/applications/configs/platform-keycloak-compat-service.yaml @@ -0,0 +1,30 @@ +# SPDX-FileCopyrightText: 2025 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 + +# Backward-compatible service for platform-keycloak +# This service ensures existing references to platform-keycloak.orch-platform.svc +# continue to work after migrating to the codecentric keycloakx chart + +apiVersion: v1 +kind: Service +metadata: + name: platform-keycloak + namespace: orch-platform + labels: + app.kubernetes.io/component: http + app.kubernetes.io/instance: platform-keycloak + app.kubernetes.io/name: keycloakx + argocd.argoproj.io/managed-by: platform-keycloak-compat + annotations: + argocd.argoproj.io/sync-wave: "151" +spec: + type: ClusterIP + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/instance: platform-keycloak + app.kubernetes.io/name: keycloakx \ No newline at end of file diff --git a/argocd/applications/configs/platform-keycloak-config-job.yaml b/argocd/applications/configs/platform-keycloak-config-job.yaml index 35f0f57d8..8eebc7a20 100644 
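Review bot: The compat Service's selector matches only `app.kubernetes.io/instance` and `app.kubernetes.io/name`, while the Service itself is labelled `app.kubernetes.io/component: http`; if the keycloakx chart stamps those two labels on any other pod (the pod labels are not visible in this diff), that pod becomes an endpoint of the alias, so `app.kubernetes.io/component: http` presumably belongs in the selector too — confirm against the chart's pod template. Compared with the legacy alias deleted in the previous commit, this Service exposes only 8080 and drops the 9000 (`http-internal`) and 8443 ports, so any consumer that reached the management or TLS port through the alias loses it silently; either document that or restore those ports. The `app.kubernetes.io/instance: platform-keycloak` label is also the key Argo CD uses for resource tracking in its default label mode, so this Service would be attributed to the platform-keycloak Application rather than to the compat-service Application that deploys it, and `argocd.argoproj.io/managed-by` does not appear to be a key Argo CD reads — verify which tracking method this instance uses before relying on either label.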
--- a/argocd/applications/configs/platform-keycloak-config-job.yaml +++ b/argocd/applications/configs/platform-keycloak-config-job.yaml @@ -37,7 +37,7 @@ spec: imagePullPolicy: IfNotPresent env: - name: KEYCLOAK_URL - value: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" + value: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" - name: KEYCLOAK_USER value: "admin" - name: KEYCLOAK_PASSWORD diff --git a/argocd/applications/configs/secrets-config.yaml b/argocd/applications/configs/secrets-config.yaml index 65ee31a1d..3395d97f8 100644 --- a/argocd/applications/configs/secrets-config.yaml +++ b/argocd/applications/configs/secrets-config.yaml @@ -8,6 +8,6 @@ auth: oidc: # Use fully-qualified cluster DNS name to avoid any lookup ambiguity # Use the actual HTTP service name created by the Keycloak chart - idPAddr: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080" - idPDiscoveryURL: "http://platform-keycloak-http.orch-platform.svc.cluster.local:8080/realms/master" + idPAddr: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" + idPDiscoveryURL: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" roleMaxTTL: 1h diff --git a/argocd/applications/custom/keycloak-tenant-controller.tpl b/argocd/applications/custom/keycloak-tenant-controller.tpl index bacd77237..cfc238ea1 100644 --- a/argocd/applications/custom/keycloak-tenant-controller.tpl +++ b/argocd/applications/custom/keycloak-tenant-controller.tpl @@ -29,7 +29,7 @@ securityContext: allowPrivilegeEscalation: false keycloakAdmin: user: admin - client: system-client + client: admin-cli passwordSecret: name: platform-keycloak # name of the secret key: admin-password # key of the secret diff --git a/argocd/applications/custom/traefik-extra-objects.tpl b/argocd/applications/custom/traefik-extra-objects.tpl index 9bb187de3..fc2118d3c 100644 --- a/argocd/applications/custom/traefik-extra-objects.tpl 
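Review bot: The context comment `# Use the actual HTTP service name created by the Keycloak chart` above the rewritten `idPAddr`/`idPDiscoveryURL` lines in the secrets-config hunk is now wrong: the new values point at the `platform-keycloak` compat alias added in this commit, not at the chart's `platform-keycloak-http` Service. Suggest `# Use the backward-compatible platform-keycloak alias (platform-keycloak-compat-service.yaml), fully qualified with an explicit port.` so the next reader does not "fix" the host back to the chart's service name.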
+++ b/argocd/applications/custom/traefik-extra-objects.tpl
@@ -6,7 +6,7 @@
 # Revisit this once the porting is done.
 orchSecretName: tls-orch
 # internal keycloak JWKS URL should be static but providing a way to modify it here
-keycloakJwksUrl: http://platform-keycloak-http.orch-platform.svc.cluster.local:8080
+keycloakJwksUrl: http://platform-keycloak.orch-platform.svc.cluster.local:8080
 # internal keycloak JWKS Path should be static but providing a way to modify it here
 keycloakJwksPath: /realms/master/protocol/openid-connect/certs
 keycloakServicePort: 8080
diff --git a/argocd/applications/templates/platform-keycloak-compat-service.yaml b/argocd/applications/templates/platform-keycloak-compat-service.yaml
new file mode 100644
index 000000000..a75ff7ec3
--- /dev/null
+++ b/argocd/applications/templates/platform-keycloak-compat-service.yaml
@@ -0,0 +1,45 @@ +# SPDX-FileCopyrightText: 2025 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 + +{{- $appName := "platform-keycloak-compat-service" }} +{{- $namespace := "orch-platform" }} +{{- $syncWave := "151" }} +--- +{{- if (index .Values.argo.enabled "platform-keycloak") }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + annotations: + argocd.argoproj.io/sync-wave: "{{ $syncWave }}" + name: {{$appName}} + namespace: {{ required "A valid namespace entry required!" .Values.argo.namespace }} + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: {{ required "A valid projectName entry required!" .Values.argo.project }} + sources: + - repoURL: {{ required "A valid deployRepoURL entry required!" .Values.argo.deployRepoURL }} + path: argocd/applications/configs + targetRevision: {{ required "A valid deployRepoRevision entry required!" .Values.argo.deployRepoRevision | quote }} + directory: + include: "platform-keycloak-compat-service.yaml" + destination: + namespace: {{$namespace}} + server: {{ required "A valid targetServer entry required!" .Values.argo.targetServer }} + syncPolicy: + {{- if .Values.argo.autosync }} + automated: + prune: true + selfHeal: true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 3m0s + factor: 2 + {{- end }} + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true +{{- end }} \ No newline at end of file From 3bf9a027aade6eac1fdb85020a27f4de69c9a6ab Mon Sep 17 00:00:00 2001 
From: Sandeep Sharma Date: Tue, 7 Oct 2025 01:29:09 -0700 Subject: [PATCH 12/25] Fix Keycloak tenant controller authentication for Codecentric migration - Change keycloak-tenant-controller to use system-client instead of admin-cli - Add groups scope to system-client defaultClientScopes in realm config - This resolves authentication failures due to missing groups scope in Codecentric Keycloak Fixes: Keycloak authentication failing with 'Invalid scopes: groups' error Related: Migration from Bitnami to Codecentric Keycloak --- .../applications/configs/platform-keycloak-realm-config.yaml | 3 ++- argocd/applications/custom/keycloak-tenant-controller.tpl | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/argocd/applications/configs/platform-keycloak-realm-config.yaml b/argocd/applications/configs/platform-keycloak-realm-config.yaml index ecbc75c81..834e5d4cb 100644 --- a/argocd/applications/configs/platform-keycloak-realm-config.yaml +++ b/argocd/applications/configs/platform-keycloak-realm-config.yaml @@ -260,7 +260,8 @@ data: "roles", "profile", "email", - "basic" + "basic", + "groups" ], "optionalClientScopes": [ "groups", diff --git a/argocd/applications/custom/keycloak-tenant-controller.tpl b/argocd/applications/custom/keycloak-tenant-controller.tpl index cfc238ea1..8ef280cba 100644 --- a/argocd/applications/custom/keycloak-tenant-controller.tpl +++ b/argocd/applications/custom/keycloak-tenant-controller.tpl @@ -9,7 +9,7 @@ image: proxy: httpProxy: {{.Values.argo.proxy.httpProxy}} httpsProxy: {{.Values.argo.proxy.httpsProxy}} - noProxy: {{.Values.argo.proxy.noProxy}} + noProxy: {{.Values.argo.proxy.noProxy}},*.svc,*.svc.cluster.local,platform-keycloak.orch-platform.svc,vault.orch-platform.svc imagePullSecrets: {{- with .Values.argo.imagePullSecrets }} {{- toYaml . | nindent 2 }} 
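Review bot: After this hunk `groups` is listed in both `defaultClientScopes` and `optionalClientScopes` of the same client in the realm import (the `optionalClientScopes` entry is the trailing context line). Keycloak treats a client scope as either default or optional for a given client, so the import will presumably either reject the representation or let one list win — confirm which, and remove `"groups"` from `optionalClientScopes` so the intent (always attach `groups`) is unambiguous. The enclosing client definition starts and ends outside the hunk.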
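Review bot: The new `noProxy` value is rendered as `{{.Values.argo.proxy.noProxy}},*.svc,...`, so when the Helm value is empty the result starts with a stray comma, and a value that already ends in a comma yields an empty entry; `noProxy: {{ .Values.argo.proxy.noProxy }}{{ if .Values.argo.proxy.noProxy }},{{ end }}*.svc,*.svc.cluster.local,platform-keycloak.orch-platform.svc,vault.orch-platform.svc` avoids both. Support for `*.`-prefixed entries varies between HTTP client libraries, so the suffix spelling `.svc,.svc.cluster.local` is the more widely honoured form — hedged, since the consuming client is not visible here.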
@@ -29,7 +29,7 @@ securityContext: allowPrivilegeEscalation: false keycloakAdmin: user: admin - client: admin-cli + client: system-client passwordSecret: name: platform-keycloak # name of the secret key: admin-password # key of the secret From e0c1e3b3cd809ae99845c761d51f547d3a16e06b Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Tue, 7 Oct 2025 06:01:46 -0700 Subject: [PATCH 13/25] feat: add system-client setup for Codecentric Keycloak - Add automated system-client creation job with groups scope - Ensures compatibility with Codecentric Keycloak charts - Runs after Keycloak deployment but before tenant controller - Fixes authentication issues during Bitnami to Codecentric migration --- .../keycloak-system-client-setup-job.yaml | 168 ++++++++++++++++++ .../keycloak-system-client-setup-job.yaml | 44 +++++ 2 files changed, 212 insertions(+) create mode 100644 argocd/applications/configs/keycloak-system-client-setup-job.yaml create mode 100644 argocd/applications/templates/keycloak-system-client-setup-job.yaml diff --git a/argocd/applications/configs/keycloak-system-client-setup-job.yaml b/argocd/applications/configs/keycloak-system-client-setup-job.yaml new file mode 100644 index 000000000..8f1b66c8f --- /dev/null +++ b/argocd/applications/configs/keycloak-system-client-setup-job.yaml 
@@ -0,0 +1,168 @@ +# SPDX-FileCopyrightText: 2025 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: batch/v1 +kind: Job +metadata: + name: keycloak-system-client-setup + namespace: orch-platform + annotations: + # Security annotations for image registry approval + security.approved-registries: "docker.io" + security.image-purpose: "system-client setup for Keycloak tenant controller" + security.image-vendor: "badouralix/curl-jq" + security.image-verification: "community-maintained-tool" +spec: + # Allow the job to run multiple times during upgrades + completions: 1 + parallelism: 1 + backoffLimit: 3 + template: + metadata: + labels: + app: keycloak-system-client-setup + sidecar.istio.io/inject: "false" + spec: + restartPolicy: OnFailure + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + containers: + - name: setup-client + image: badouralix/curl-jq@sha256:fe8a5ee49f613495df3b57afa86b39f081bd1b3b9ed61248f46c3d3d7df56092 + imagePullPolicy: IfNotPresent + env: + - name: KEYCLOAK_URL + value: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" + - name: ADMIN_USER + value: "admin" + - name: ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: platform-keycloak + key: admin-password + - name: HTTP_PROXY + value: "" + - name: HTTPS_PROXY + value: "" + - name: NO_PROXY + value: "*" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + seccompProfile: + type: "RuntimeDefault" + command: ["/bin/sh"] + args: + - -c + - | + # Wait for Keycloak to be ready + echo "Waiting for Keycloak to be ready..." + until curl -s ${KEYCLOAK_URL}/realms/master/.well-known/openid_configuration >/dev/null 2>&1; do + echo "Keycloak not ready, waiting..." + sleep 10 + done + + # Get admin token + echo "Getting admin token..." 
+ ADMIN_TOKEN=$(curl -s -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d "grant_type=password&client_id=admin-cli&username=${ADMIN_USER}&password=${ADMIN_PASSWORD}" | jq -r ".access_token") + + if [ "$ADMIN_TOKEN" = "null" ] || [ -z "$ADMIN_TOKEN" ]; then + echo "Failed to get admin token" + exit 1 + fi + + echo "Admin token obtained" + + # Check if system-client already exists + EXISTING_CLIENT=$(curl -s "${KEYCLOAK_URL}/admin/realms/master/clients?clientId=system-client" \ + -H "Authorization: Bearer $ADMIN_TOKEN") + + if echo "$EXISTING_CLIENT" | jq -e '.[0]' >/dev/null 2>&1; then + echo "system-client already exists" + SYSTEM_CLIENT_ID=$(echo "$EXISTING_CLIENT" | jq -r '.[0].id') + else + echo "Creating system-client..." + # Create system-client + curl -s -X POST "${KEYCLOAK_URL}/admin/realms/master/clients" \ + -H "Authorization: Bearer $ADMIN_TOKEN" \ + -H "Content-Type: application/json" \ + -d "{ + \"clientId\": \"system-client\", + \"name\": \"System Client for KTC\", + \"description\": \"System client for Keycloak Tenant Controller with groups scope support\", + \"enabled\": true, + \"publicClient\": true, + \"directAccessGrantsEnabled\": true, + \"standardFlowEnabled\": false, + \"implicitFlowEnabled\": false, + \"serviceAccountsEnabled\": false, + \"protocol\": \"openid-connect\", + \"fullScopeAllowed\": true, + \"defaultClientScopes\": [\"web-origins\", \"acr\", \"roles\", \"profile\", \"basic\", \"email\"] + }" + + # Get the created client ID + SYSTEM_CLIENT_ID=$(curl -s "${KEYCLOAK_URL}/admin/realms/master/clients?clientId=system-client" \ + -H "Authorization: Bearer $ADMIN_TOKEN" | jq -r '.[0].id') + + echo "system-client created with ID: $SYSTEM_CLIENT_ID" + fi + + # Get groups scope ID + GROUPS_SCOPE_ID=$(curl -s "${KEYCLOAK_URL}/admin/realms/master/client-scopes" \ + -H "Authorization: Bearer $ADMIN_TOKEN" | jq -r '.[] | select(.name == "groups") | .id') + + if [ 
-z "$GROUPS_SCOPE_ID" ] || [ "$GROUPS_SCOPE_ID" = "null" ]; then + echo "Creating groups scope..." + curl -s -X POST "${KEYCLOAK_URL}/admin/realms/master/client-scopes" \ + -H "Authorization: Bearer $ADMIN_TOKEN" \ + -H "Content-Type: application/json" \ + -d "{ + \"name\": \"groups\", + \"description\": \"Groups scope for backward compatibility with Bitnami Keycloak\", + \"protocol\": \"openid-connect\", + \"attributes\": { + \"include.in.token.scope\": \"true\", + \"display.on.consent.screen\": \"true\" + } + }" + + GROUPS_SCOPE_ID=$(curl -s "${KEYCLOAK_URL}/admin/realms/master/client-scopes" \ + -H "Authorization: Bearer $ADMIN_TOKEN" | jq -r '.[] | select(.name == "groups") | .id') + fi + + echo "Groups scope ID: $GROUPS_SCOPE_ID" + + # Add groups scope to system-client + echo "Adding groups scope to system-client..." + curl -s -X PUT \ + "${KEYCLOAK_URL}/admin/realms/master/clients/$SYSTEM_CLIENT_ID/default-client-scopes/$GROUPS_SCOPE_ID" \ + -H "Authorization: Bearer $ADMIN_TOKEN" + + # Test authentication + echo "Testing authentication with system-client..." + AUTH_RESULT=$(curl -s -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d "grant_type=password&client_id=system-client&username=${ADMIN_USER}&password=${ADMIN_PASSWORD}&scope=openid profile email groups") + + ACCESS_TOKEN=$(echo "$AUTH_RESULT" | jq -r ".access_token // \"null\"") + + if [ "$ACCESS_TOKEN" != "null" ] && [ -n "$ACCESS_TOKEN" ]; then + echo "SUCCESS: system-client authentication works with groups scope!" + echo "Setup complete - system-client is ready for keycloak-tenant-controller" + else + echo "FAILED: Authentication test failed" + echo "Response: $AUTH_RESULT" + exit 1 + fi \ No newline at end of file diff --git a/argocd/applications/templates/keycloak-system-client-setup-job.yaml b/argocd/applications/templates/keycloak-system-client-setup-job.yaml new file mode 100644 index 000000000..a2ed6efd5 
--- /dev/null +++ b/argocd/applications/templates/keycloak-system-client-setup-job.yaml @@ -0,0 +1,44 @@ +# SPDX-FileCopyrightText: 2025 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 + +{{- $appName := "keycloak-system-client-setup-job" }} +{{- $namespace := "orch-platform" }} +{{- $syncWave := "165" }} +--- +{{- if (index .Values.argo.enabled "platform-keycloak") }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + annotations: + argocd.argoproj.io/sync-wave: "{{ $syncWave }}" + name: {{$appName}} + namespace: {{ required "A valid namespace entry required!" .Values.argo.namespace }} + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: {{ required "A valid projectName entry required!" .Values.argo.project }} + sources: + - repoURL: {{ required "A valid deployRepoURL entry required!" .Values.argo.deployRepoURL }} + path: argocd/applications/configs + targetRevision: {{ required "A valid deployRepoRevision entry required!" .Values.argo.deployRepoRevision | quote }} + directory: + include: "keycloak-system-client-setup-job.yaml" + destination: + namespace: {{$namespace}} + server: {{ required "A valid targetServer entry required!" .Values.argo.targetServer }} + syncPolicy: + {{- if .Values.argo.autosync }} + automated: + prune: true + selfHeal: true + retry: + limit: 3 + backoff: + duration: 5s + maxDuration: 2m0s + factor: 2 + {{- end }} + syncOptions: + - CreateNamespace=true +{{- end }} \ No newline at end of file From 26fe0f951f484697363c06a3e0e7c8647513f66a Mon Sep 17 00:00:00 2001 
From: Sandeep Sharma Date: Tue, 7 Oct 2025 06:58:41 -0700 Subject: [PATCH 14/25] fix: add URL encoding for admin password in system-client setup - Fix authentication failures caused by special characters (&) in passwords - Add proper URL encoding function for form data - Ensure reliable system-client creation for fresh deployments - Resolves CrashLoopBackOff issues in keycloak-tenant-controller --- .../keycloak-system-client-setup-job.yaml | 128 ++++++++++-------- 1 file changed, 74 insertions(+), 54 deletions(-) diff --git a/argocd/applications/configs/keycloak-system-client-setup-job.yaml b/argocd/applications/configs/keycloak-system-client-setup-job.yaml index 8f1b66c8f..d0eea9da2 100644 --- a/argocd/applications/configs/keycloak-system-client-setup-job.yaml +++ b/argocd/applications/configs/keycloak-system-client-setup-job.yaml 
@@ -64,105 +64,125 @@ spec: args: - -c - | - # Wait for Keycloak to be ready + set -e + echo "=== System Client Setup Job ===" + echo "Keycloak URL: $KEYCLOAK_URL" + echo "Admin User: $ADMIN_USER" + + # URL encode password function + urlencode() { + local string="${1}" + local strlen=${#string} + local encoded="" + for (( pos=0 ; pos/dev/null 2>&1; do - echo "Keycloak not ready, waiting..." + for i in {1..30}; do + if curl -s -f "$KEYCLOAK_URL/realms/master/.well-known/openid_configuration" >/dev/null; then + echo "✓ Keycloak is ready" + break + fi + echo "Waiting for Keycloak... ($i/30)" sleep 10 done - # Get admin token + # URL encode the password + ENCODED_PASSWORD=$(urlencode "$ADMIN_PASSWORD") + + # Get admin token echo "Getting admin token..." - ADMIN_TOKEN=$(curl -s -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \ + ADMIN_TOKEN=$(curl -s -X POST "$KEYCLOAK_URL/realms/master/protocol/openid-connect/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ - -d "grant_type=password&client_id=admin-cli&username=${ADMIN_USER}&password=${ADMIN_PASSWORD}" | jq -r ".access_token") + -d "grant_type=password&client_id=admin-cli&username=$ADMIN_USER&password=$ENCODED_PASSWORD" \ + | jq -r ".access_token // \"null\"") - if [ "$ADMIN_TOKEN" = "null" ] || [ -z "$ADMIN_TOKEN" ]; then - echo "Failed to get admin token" + if [ "$ADMIN_TOKEN" = "null" ]; then + echo "❌ Failed to get admin token" exit 1 fi - - echo "Admin token obtained" + echo "✓ Got admin token" # Check if system-client already exists - EXISTING_CLIENT=$(curl -s "${KEYCLOAK_URL}/admin/realms/master/clients?clientId=system-client" \ + EXISTING_CLIENT=$(curl -s "$KEYCLOAK_URL/admin/realms/master/clients?clientId=system-client" \ -H "Authorization: Bearer $ADMIN_TOKEN") if echo "$EXISTING_CLIENT" | jq -e '.[0]' >/dev/null 2>&1; then - echo "system-client already exists" + echo "✓ system-client already exists" SYSTEM_CLIENT_ID=$(echo "$EXISTING_CLIENT" | jq -r '.[0].id') else echo 
"Creating system-client..." - # Create system-client - curl -s -X POST "${KEYCLOAK_URL}/admin/realms/master/clients" \ + curl -s -X POST "$KEYCLOAK_URL/admin/realms/master/clients" \ -H "Authorization: Bearer $ADMIN_TOKEN" \ -H "Content-Type: application/json" \ - -d "{ - \"clientId\": \"system-client\", - \"name\": \"System Client for KTC\", - \"description\": \"System client for Keycloak Tenant Controller with groups scope support\", - \"enabled\": true, - \"publicClient\": true, - \"directAccessGrantsEnabled\": true, - \"standardFlowEnabled\": false, - \"implicitFlowEnabled\": false, - \"serviceAccountsEnabled\": false, - \"protocol\": \"openid-connect\", - \"fullScopeAllowed\": true, - \"defaultClientScopes\": [\"web-origins\", \"acr\", \"roles\", \"profile\", \"basic\", \"email\"] - }" + -d '{ + "clientId": "system-client", + "name": "System Client for KTC", + "enabled": true, + "publicClient": true, + "directAccessGrantsEnabled": true, + "protocol": "openid-connect", + "defaultClientScopes": ["web-origins", "acr", "roles", "profile", "basic", "email"] + }' - # Get the created client ID - SYSTEM_CLIENT_ID=$(curl -s "${KEYCLOAK_URL}/admin/realms/master/clients?clientId=system-client" \ + SYSTEM_CLIENT_ID=$(curl -s "$KEYCLOAK_URL/admin/realms/master/clients?clientId=system-client" \ -H "Authorization: Bearer $ADMIN_TOKEN" | jq -r '.[0].id') - - echo "system-client created with ID: $SYSTEM_CLIENT_ID" + echo "✓ system-client created with ID: $SYSTEM_CLIENT_ID" fi - # Get groups scope ID - GROUPS_SCOPE_ID=$(curl -s "${KEYCLOAK_URL}/admin/realms/master/client-scopes" \ + # Get or create groups scope + GROUPS_SCOPE_ID=$(curl -s "$KEYCLOAK_URL/admin/realms/master/client-scopes" \ -H "Authorization: Bearer $ADMIN_TOKEN" | jq -r '.[] | select(.name == "groups") | .id') if [ -z "$GROUPS_SCOPE_ID" ] || [ "$GROUPS_SCOPE_ID" = "null" ]; then echo "Creating groups scope..." 
- curl -s -X POST "${KEYCLOAK_URL}/admin/realms/master/client-scopes" \ + curl -s -X POST "$KEYCLOAK_URL/admin/realms/master/client-scopes" \ -H "Authorization: Bearer $ADMIN_TOKEN" \ -H "Content-Type: application/json" \ - -d "{ - \"name\": \"groups\", - \"description\": \"Groups scope for backward compatibility with Bitnami Keycloak\", - \"protocol\": \"openid-connect\", - \"attributes\": { - \"include.in.token.scope\": \"true\", - \"display.on.consent.screen\": \"true\" + -d '{ + "name": "groups", + "description": "Groups scope for backward compatibility", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true" } - }" + }' - GROUPS_SCOPE_ID=$(curl -s "${KEYCLOAK_URL}/admin/realms/master/client-scopes" \ + GROUPS_SCOPE_ID=$(curl -s "$KEYCLOAK_URL/admin/realms/master/client-scopes" \ -H "Authorization: Bearer $ADMIN_TOKEN" | jq -r '.[] | select(.name == "groups") | .id') fi - echo "Groups scope ID: $GROUPS_SCOPE_ID" + echo "✓ Groups scope ID: $GROUPS_SCOPE_ID" # Add groups scope to system-client echo "Adding groups scope to system-client..." curl -s -X PUT \ - "${KEYCLOAK_URL}/admin/realms/master/clients/$SYSTEM_CLIENT_ID/default-client-scopes/$GROUPS_SCOPE_ID" \ + "$KEYCLOAK_URL/admin/realms/master/clients/$SYSTEM_CLIENT_ID/default-client-scopes/$GROUPS_SCOPE_ID" \ -H "Authorization: Bearer $ADMIN_TOKEN" - # Test authentication - echo "Testing authentication with system-client..." - AUTH_RESULT=$(curl -s -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \ + # Test authentication with URL-encoded password + echo "Testing system-client authentication..." 
+ AUTH_RESULT=$(curl -s -X POST "$KEYCLOAK_URL/realms/master/protocol/openid-connect/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ - -d "grant_type=password&client_id=system-client&username=${ADMIN_USER}&password=${ADMIN_PASSWORD}&scope=openid profile email groups") + -d "grant_type=password&client_id=system-client&username=$ADMIN_USER&password=$ENCODED_PASSWORD&scope=openid profile email groups") - ACCESS_TOKEN=$(echo "$AUTH_RESULT" | jq -r ".access_token // \"null\"") + TOKEN=$(echo "$AUTH_RESULT" | jq -r ".access_token // \"null\"") - if [ "$ACCESS_TOKEN" != "null" ] && [ -n "$ACCESS_TOKEN" ]; then - echo "SUCCESS: system-client authentication works with groups scope!" + if [ "$TOKEN" != "null" ]; then + echo "✅ SUCCESS: system-client authentication works with groups scope!" echo "Setup complete - system-client is ready for keycloak-tenant-controller" else - echo "FAILED: Authentication test failed" + echo "❌ FAILED: Authentication test failed" echo "Response: $AUTH_RESULT" exit 1 fi \ No newline at end of file From 7068ef34f4e3166bf56a150db5dbb8e6b4ce34a3 Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Tue, 7 Oct 2025 07:16:42 -0700 Subject: [PATCH 15/25] fix: simplify system-client setup with portable bash syntax - Replace bash-specific {1..30} syntax with portable while loop - Fix URL encoding for passwords with special characters - Ensure compatibility across different shell environments - Ready for fresh deployment testing --- .../keycloak-system-client-setup-job.yaml | 28 +++++-------------- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/argocd/applications/configs/keycloak-system-client-setup-job.yaml b/argocd/applications/configs/keycloak-system-client-setup-job.yaml index d0eea9da2..49267f986 100644 --- a/argocd/applications/configs/keycloak-system-client-setup-job.yaml +++ b/argocd/applications/configs/keycloak-system-client-setup-job.yaml 
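Review bot: The rewritten client-creation body drops `"standardFlowEnabled": false`, `"implicitFlowEnabled": false`, `"serviceAccountsEnabled": false` and `"fullScopeAllowed"` that the previous body set explicitly, although the commit describes only a URL-encoding fix; when these flags are omitted from the POST, Keycloak applies its own server-side defaults (standard flow on, as far as I recall), so the public `system-client` can end up with more grant types enabled than before. Restore `"standardFlowEnabled": false, "implicitFlowEnabled": false, "serviceAccountsEnabled": false,` in the JSON body so the client remains password-grant-only. The admin API calls also run as `curl -s` without `-f`/`--fail-with-body`, so a 401/403/409 on the create or the default-client-scopes PUT does not trip `set -e` and the script proceeds with `SYSTEM_CLIENT_ID` set to `null`; checking the HTTP status of those two calls would make the failure visible at the step that caused it. The container spec this script belongs to starts before the hunk.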
@@ -69,35 +69,21 @@ spec: echo "Keycloak URL: $KEYCLOAK_URL" echo "Admin User: $ADMIN_USER" - # URL encode password function - urlencode() { - local string="${1}" - local strlen=${#string} - local encoded="" - for (( pos=0 ; pos/dev/null; then + i=0 + while [ $i -lt 30 ]; do + if curl -s -f "$KEYCLOAK_URL/realms/master/.well-known/openid_configuration" >/dev/null 2>&1; then echo "✓ Keycloak is ready" break fi echo "Waiting for Keycloak... ($i/30)" sleep 10 + i=$((i + 1)) done - # URL encode the password - ENCODED_PASSWORD=$(urlencode "$ADMIN_PASSWORD") + # URL encode password (handle & character) + ENCODED_PASSWORD=$(echo "$ADMIN_PASSWORD" | sed 's/&/%26/g') # Get admin token echo "Getting admin token..." From 80e0c4fc2b02f52e110f1cc1b687c1e1d7110a14 Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Tue, 7 Oct 2025 09:42:33 -0700 Subject: [PATCH 16/25] correcting indentation --- argocd/applications/configs/infra-onboarding.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/argocd/applications/configs/infra-onboarding.yaml b/argocd/applications/configs/infra-onboarding.yaml index 20a1903b2..36e07c3cb 100644 --- a/argocd/applications/configs/infra-onboarding.yaml +++ b/argocd/applications/configs/infra-onboarding.yaml @@ -31,7 +31,7 @@ onboarding-manager: env: tinkerActionsVersion: "1.19.3" oidc: - oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" + oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" # Skip AuthZ for CDN-boots clients: bypass: @@ -51,7 +51,7 @@ dkam: env: rs_proxy_address: "rs-proxy.orch-platform.svc.cluster.local:8081/" oidc: - oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" + oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" resources: null infra-config: From 0e632db50ad9b5a868ebf1d0b99a6510f903110d Mon Sep 17 00:00:00 2001 
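Review bot: `sed 's/&/%26/g'` encodes only `&`, so an admin password containing `%`, `+`, `=`, `#` or whitespace still corrupts the form body (a `+` is decoded as a space), and the CrashLoop this series is chasing will return with the next randomly generated password. Let curl do the encoding instead: drop the `ENCODED_PASSWORD` line and in both token requests replace the `-d "grant_type=...&password=$ENCODED_PASSWORD..."` argument with `-d "grant_type=password" -d "client_id=admin-cli" --data-urlencode "username=$ADMIN_USER" --data-urlencode "password=$ADMIN_PASSWORD"` (plus `-d "scope=..."` for the system-client call). Note that either way the password is visible on curl's command line inside the container; if this curl build accepts stdin for `--data-urlencode password@-`, feeding it that way avoids the argv exposure. The enclosing script continues outside this hunk.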
From: Sandeep Sharma Date: Tue, 7 Oct 2025 13:03:00 -0700 Subject: [PATCH 17/25] fix: Keycloak authentication for fresh deployments - Fix JSON syntax error in platform-keycloak-realm-config.yaml (remove YAML multiline syntax) - Update keycloak-config-cli image to working version (6.4.0-26) - Add IMPORT_FILES_LOCATIONS environment variable for correct config path - Fix YAML syntax errors in infra-onboarding.yaml - Ensure admin-cli client has groups scope for backward compatibility This ensures app-orch-tenant-controller and other services work in fresh deployments. --- .../configs/infra-onboarding.yaml | 2 + .../configs/platform-keycloak-config-job.yaml | 4 +- .../platform-keycloak-realm-config.yaml | 48 +++++++++++++++++-- 3 files changed, 49 insertions(+), 5 deletions(-) diff --git a/argocd/applications/configs/infra-onboarding.yaml b/argocd/applications/configs/infra-onboarding.yaml index 36e07c3cb..3341c0f30 100644 --- a/argocd/applications/configs/infra-onboarding.yaml +++ b/argocd/applications/configs/infra-onboarding.yaml @@ -29,6 +29,7 @@ onboarding-manager: tlsOption: "gateway-tls" gatewayNamespace: orch-gateway env: + mode: "prod" # Override dev profile to use prod mode since latest-dev manifest doesn't exist tinkerActionsVersion: "1.19.3" oidc: oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" @@ -49,6 +50,7 @@ dkam: managerArgs: traceURL: "orchestrator-observability-opentelemetry-collector.orch-platform.svc:4318" env: + mode: "prod" # Override dev profile to use prod mode since latest-dev manifest doesn't exist rs_proxy_address: "rs-proxy.orch-platform.svc.cluster.local:8081/" oidc: oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local:8080/realms/master" diff --git a/argocd/applications/configs/platform-keycloak-config-job.yaml b/argocd/applications/configs/platform-keycloak-config-job.yaml index 8eebc7a20..1264b031f 100644 
--- a/argocd/applications/configs/platform-keycloak-config-job.yaml +++ b/argocd/applications/configs/platform-keycloak-config-job.yaml @@ -33,7 +33,7 @@ spec: type: "RuntimeDefault" containers: - name: keycloak-config-cli - image: quay.io/adorsys/keycloak-config-cli:6.1.4-26.0.2 + image: quay.io/adorsys/keycloak-config-cli:6.4.0-26 imagePullPolicy: IfNotPresent env: - name: KEYCLOAK_URL @@ -57,6 +57,8 @@ spec: value: "true" - name: KEYCLOAK_AVAILABILITYCHECK_TIMEOUT value: "120s" + - name: IMPORT_FILES_LOCATIONS + value: "/opt/keycloak-config-cli/configs/*" volumeMounts: - name: keycloak-config mountPath: /opt/keycloak-config-cli/configs diff --git a/argocd/applications/configs/platform-keycloak-realm-config.yaml b/argocd/applications/configs/platform-keycloak-realm-config.yaml index 834e5d4cb..bdd740f75 100644 --- a/argocd/applications/configs/platform-keycloak-realm-config.yaml +++ b/argocd/applications/configs/platform-keycloak-realm-config.yaml @@ -13,10 +13,7 @@ data: "realm": "master", "accountTheme": "keycloak", "displayName": "Keycloak", - "displayNameHtml": | - + "displayNameHtml": "", "defaultSignatureAlgorithm": "PS512", "accessTokenLifespan": 3600, "ssoSessionIdleTimeout": 5400, 
@@ -267,6 +264,49 @@ data: "groups", "offline_access" ] + }, + { + "clientId": "admin-cli", + "name": "Admin CLI", + "description": "Admin CLI client with groups scope for compatibility", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "realm_client": "false", + "client.use.lightweight.access.token.enabled": "true" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "basic", + "email", + "groups" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "organization", + "microprofile-jwt" + ] } ], "clientScopes": [ From 59a331d2610aadeeba4943615b03c1a4c9ec7265 Mon Sep 17 00:00:00 2001 
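Review bot: This admin-cli definition sets `"client.use.lightweight.access.token.enabled": "true"` while the whole point of attaching the `groups` scope is to get a `groups` claim into the access token; with lightweight access tokens Keycloak only includes claims from protocol mappers that opt in (the mapper's "Add to lightweight access token" option, config key `lightweight.claim`), so the claim may still be missing even though the scope is in `defaultClientScopes`. Either set the attribute to `"false"` for this client or add `"lightweight.claim": "true"` to the groups mapper's config in the `clientScopes` section (outside this hunk). The realm JSON cannot carry comments, so record the reason in the client's `"description"`, e.g. `"description": "admin-cli overridden for orch-library: password grant + groups claim; lightweight tokens disabled so the groups mapper is emitted"`.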
From: Sandeep Sharma Date: Tue, 7 Oct 2025 22:49:24 -0700 Subject: [PATCH 18/25] feat: permanent Keycloak authentication fix for fresh deployments - Update deployRepoRevision to latest commit with all fixes (0e632db) - Add keycloak-admin-cli-config-job for permanent admin-cli configuration - Ensures admin-cli client has groups scope with proper protocol mapper - Guarantees authentication works in fresh deployments and redeployments This job runs after Keycloak startup and configures: 1. admin-cli client with groups scope in defaultClientScopes 2. groups scope with oidc-group-membership-mapper protocol mapper 3. Proper configuration for backward compatibility with auth libraries Resolves authentication failures in app-orch-tenant-controller and infra-onboarding. --- .../keycloak-admin-cli-config-job.yaml | 145 ++++++++++++++++++ .../keycloak-admin-cli-config-job.yaml | 45 ++++++ argocd/root-app/values.yaml | 2 +- 3 files changed, 191 insertions(+), 1 deletion(-) create mode 100644 argocd/applications/configs/keycloak-admin-cli-config-job.yaml create mode 100644 argocd/applications/templates/keycloak-admin-cli-config-job.yaml diff --git a/argocd/applications/configs/keycloak-admin-cli-config-job.yaml b/argocd/applications/configs/keycloak-admin-cli-config-job.yaml new file mode 100644 index 000000000..e273ffa07 --- /dev/null +++ b/argocd/applications/configs/keycloak-admin-cli-config-job.yaml 
@@ -0,0 +1,145 @@ +# SPDX-FileCopyrightText: 2025 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: batch/v1 +kind: Job +metadata: + name: keycloak-admin-cli-config + namespace: orch-platform + annotations: + helm.sh/hook: post-install,post-upgrade + helm.sh/hook-weight: "2" + helm.sh/hook-delete-policy: hook-succeeded + # Security annotations for image registry approval + security.approved-registries: "quay.io" + security.image-purpose: "keycloak-config-cli for admin-cli client configuration" + security.image-vendor: "adorsys/keycloak-config-cli" + security.image-verification: "official-keycloak-tooling" +spec: + template: + metadata: + labels: + app: keycloak-admin-cli-config + sidecar.istio.io/inject: "false" + spec: + restartPolicy: OnFailure + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + containers: + - name: keycloak-admin-cli-config + image: quay.io/adorsys/keycloak-config-cli:6.4.0-26 + imagePullPolicy: IfNotPresent + env: + - name: KEYCLOAK_URL + value: "http://platform-keycloak.orch-platform.svc.cluster.local:8080" + - name: KEYCLOAK_USER + value: "admin" + - name: KEYCLOAK_PASSWORD + valueFrom: + secretKeyRef: + name: platform-keycloak + key: admin-password + - name: KEYCLOAK_AVAILABILITYCHECK_ENABLED + value: "true" + - name: KEYCLOAK_AVAILABILITYCHECK_TIMEOUT + value: "120s" + command: + - /bin/sh + - -c + - | + set -e + echo "Waiting for Keycloak to be ready..." + + # Wait for Keycloak to be available + timeout=120 + while [ $timeout -gt 0 ]; do + if curl -f -s "$KEYCLOAK_URL/realms/master/.well-known/openid_configuration" >/dev/null 2>&1; then + echo "Keycloak is ready" + break + fi + echo "Waiting for Keycloak... 
($timeout seconds left)" + sleep 5 + timeout=$((timeout - 5)) + done + + if [ $timeout -le 0 ]; then + echo "Timeout waiting for Keycloak" + exit 1 + fi + + # Configure kcadm + /opt/keycloak/bin/kcadm.sh config credentials --server "$KEYCLOAK_URL" --realm master --user "$KEYCLOAK_USER" --password "$KEYCLOAK_PASSWORD" + + # Get admin-cli client ID + ADMIN_CLI_ID=$(/opt/keycloak/bin/kcadm.sh get clients -r master -q clientId=admin-cli --fields id | grep '"id"' | sed 's/.*"id" : "\([^"]*\)".*/\1/') + + if [ -z "$ADMIN_CLI_ID" ]; then + echo "admin-cli client not found" + exit 1 + fi + + echo "Found admin-cli client with ID: $ADMIN_CLI_ID" + + # Get groups scope ID + GROUPS_SCOPE_ID=$(/opt/keycloak/bin/kcadm.sh get client-scopes -r master -q name=groups --fields id | grep '"id"' | sed 's/.*"id" : "\([^"]*\)".*/\1/') + + if [ -z "$GROUPS_SCOPE_ID" ]; then + echo "groups scope not found" + exit 1 + fi + + echo "Found groups scope with ID: $GROUPS_SCOPE_ID" + + # Check if admin-cli already has groups scope + CURRENT_SCOPES=$(/opt/keycloak/bin/kcadm.sh get clients/$ADMIN_CLI_ID -r master --fields defaultClientScopes) + + if echo "$CURRENT_SCOPES" | grep -q "groups"; then + echo "admin-cli client already has groups scope" + else + echo "Adding groups scope to admin-cli client" + /opt/keycloak/bin/kcadm.sh update clients/$ADMIN_CLI_ID -r master -s 'defaultClientScopes=["web-origins","acr","roles","profile","basic","email","groups"]' + echo "Successfully added groups scope to admin-cli client" + fi + + # Check if groups scope has protocol mapper + MAPPERS=$(/opt/keycloak/bin/kcadm.sh get client-scopes/$GROUPS_SCOPE_ID -r master --fields protocolMappers) + + if echo "$MAPPERS" | grep -q "oidc-group-membership-mapper"; then + echo "groups scope already has protocol mapper" + else + echo "Adding protocol mapper to groups scope" + MAPPER_ID=$(/opt/keycloak/bin/kcadm.sh create client-scopes/$GROUPS_SCOPE_ID/protocol-mappers/models -r master -s name=groups -s 
protocol=openid-connect -s protocolMapper=oidc-group-membership-mapper -s consentRequired=false 2>&1 | grep "Created new model with id" | sed "s/.*Created new model with id '\([^']*\)'.*/\1/") + + if [ -n "$MAPPER_ID" ]; then + echo "Created protocol mapper with ID: $MAPPER_ID" + /opt/keycloak/bin/kcadm.sh update client-scopes/$GROUPS_SCOPE_ID/protocol-mappers/models/$MAPPER_ID -r master -s 'config={"multivalued":"true","full.path":"false","id.token.claim":"true","access.token.claim":"true","claim.name":"groups","userinfo.token.claim":"true","jsonType.label":"String"}' + echo "Successfully configured groups protocol mapper" + else + echo "Failed to create protocol mapper" + exit 1 + fi + fi + + echo "Keycloak admin-cli configuration completed successfully" + securityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + resources: + requests: + memory: "256Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "500m" \ No newline at end of file diff --git a/argocd/applications/templates/keycloak-admin-cli-config-job.yaml b/argocd/applications/templates/keycloak-admin-cli-config-job.yaml new file mode 100644 index 000000000..31bbf1eee --- /dev/null +++ b/argocd/applications/templates/keycloak-admin-cli-config-job.yaml 
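Review bot: The script relies on `/opt/keycloak/bin/kcadm.sh` and `curl` being present in `quay.io/adorsys/keycloak-config-cli:6.4.0-26`, but that image ships the config-cli JAR rather than the Keycloak server distribution, so it very likely has no kcadm.sh; and because `command:` replaces the entrypoint, keycloak-config-cli itself never runs in this Job, which makes the `KEYCLOAK_AVAILABILITYCHECK_*` env vars dead configuration. Either run this against the Keycloak server image (where kcadm lives) or express the admin-cli/groups-mapper changes as an import file for the existing keycloak-config-cli job, which already has the admin credentials and idempotent "no-delete" semantics. Separately, `config credentials ... --password "$KEYCLOAK_PASSWORD"` places the admin password on the process command line, readable from inside the container; a mounted file or stdin is preferable where the tool supports it. The `grep -q "groups"` check against `defaultClientScopes` is a substring match and would also be satisfied by any scope whose name merely contains `groups`; `grep -q '"groups"'` is the intended test.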
@@ -0,0 +1,45 @@ +# SPDX-FileCopyrightText: 2025 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 + +{{- $appName := "keycloak-admin-cli-config-job" }} +{{- $namespace := "orch-platform" }} +{{- $syncWave := "161" }} +--- +{{- if (index .Values.argo.enabled "platform-keycloak") }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + annotations: + argocd.argoproj.io/sync-wave: "{{ $syncWave }}" + name: {{$appName}} + namespace: {{ required "A valid namespace entry required!" .Values.argo.namespace }} + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: {{ required "A valid projectName entry required!" .Values.argo.project }} + sources: + - repoURL: {{ required "A valid deployRepoURL entry required!" .Values.argo.deployRepoURL }} + path: argocd/applications/configs + targetRevision: {{ required "A valid deployRepoRevision entry required!" .Values.argo.deployRepoRevision | quote }} + directory: + include: "keycloak-admin-cli-config-job.yaml" + destination: + namespace: {{$namespace}} + server: {{ required "A valid targetServer entry required!" .Values.argo.targetServer }} + syncPolicy: + {{- if .Values.argo.autosync }} + automated: + prune: true + selfHeal: true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 3m0s + factor: 2 + {{- end }} + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true +{{- end }} \ No newline at end of file diff --git a/argocd/root-app/values.yaml b/argocd/root-app/values.yaml index 706240ef9..b692e9924 100644 --- a/argocd/root-app/values.yaml +++ b/argocd/root-app/values.yaml @@ -15,7 +15,7 @@ argo: clusterDomain: "" deployRepoURL: "" - deployRepoRevision: "" + deployRepoRevision: "0e632db50ad9b5a868ebf1d0b99a6510f903110d" targetServer: "" autosync: true From 4b5bc104589b62d1875b3056a81ea589ba1bbd7d Mon Sep 17 00:00:00 2001 
From: Sandeep Sharma Date: Tue, 7 Oct 2025 22:50:37 -0700 Subject: [PATCH 19/25] update: set deployRepoRevision to latest commit with all fixes Updated to 59a331d which includes: - All Keycloak authentication fixes - JSON syntax corrections in realm config - Fixed keycloak-config-cli image version - New admin-cli configuration job for permanent solution --- argocd/root-app/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/argocd/root-app/values.yaml b/argocd/root-app/values.yaml index b692e9924..86e3ac7e5 100644 --- a/argocd/root-app/values.yaml +++ b/argocd/root-app/values.yaml @@ -15,7 +15,7 @@ argo: clusterDomain: "" deployRepoURL: "" - deployRepoRevision: "0e632db50ad9b5a868ebf1d0b99a6510f903110d" + deployRepoRevision: "59a331d2610aadeeba4943615b03c1a4c9ec7265" targetServer: "" autosync: true From f48c8e33f0cea7621432ac3c66f78784c610caa9 Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Tue, 7 Oct 2025 23:23:55 -0700 Subject: [PATCH 20/25] Update root-app to use latest revision with Keycloak fixes --- argocd/root-app/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/argocd/root-app/values.yaml b/argocd/root-app/values.yaml index 86e3ac7e5..e2ba9840b 100644 --- a/argocd/root-app/values.yaml +++ b/argocd/root-app/values.yaml @@ -15,7 +15,7 @@ argo: clusterDomain: "" deployRepoURL: "" - deployRepoRevision: "59a331d2610aadeeba4943615b03c1a4c9ec7265" + deployRepoRevision: "4b5bc10" targetServer: "" autosync: true From 7d590bbc64b4d229f3ec0962cb51fa2d50526ab6 Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Wed, 8 Oct 2025 01:52:21 -0700 Subject: [PATCH 21/25] Update deployRepoRevision to latest commit with Keycloak fixes --- argocd/root-app/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/argocd/root-app/values.yaml b/argocd/root-app/values.yaml index e2ba9840b..43c0247b9 100644 --- a/argocd/root-app/values.yaml +++ b/argocd/root-app/values.yaml 
@@ -15,7 +15,7 @@ argo: clusterDomain: "" deployRepoURL: "" - deployRepoRevision: "4b5bc10" + deployRepoRevision: "f48c8e3" targetServer: "" autosync: true From 1c92acd8268b75cb1264c299d64abd7d4a549f08 Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Wed, 8 Oct 2025 01:54:35 -0700 Subject: [PATCH 22/25] Use branch name for deployRepoRevision to support local development --- argocd/root-app/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/argocd/root-app/values.yaml b/argocd/root-app/values.yaml index 43c0247b9..2e23e4e0c 100644 --- a/argocd/root-app/values.yaml +++ b/argocd/root-app/values.yaml @@ -15,7 +15,7 @@ argo: clusterDomain: "" deployRepoURL: "" - deployRepoRevision: "f48c8e3" + deployRepoRevision: "bitnami-to-redhat-keycloak" targetServer: "" autosync: true From d94fb6e5f43b5530e6077e41e011eeb29297f93e Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Wed, 8 Oct 2025 03:39:01 -0700 Subject: [PATCH 23/25] fix: improve admin-cli client configuration for Codecentric Keycloak - Enable service account for admin-cli client (required for client credentials flow) - Set publicClient=false for service account authentication - Disable directAccessGrantsEnabled for proper service account setup - Add group creation and membership for service account user - Ensure groups scope has proper protocol mapper configuration This fixes authentication issues where the orch-library expects groups claim in tokens but admin-cli service account had no group membership. --- .../keycloak-admin-cli-config-job.yaml | 38 +++++++++++++++++++ .../platform-keycloak-realm-config.yaml | 6 +-- 2 files changed, 41 insertions(+), 3 deletions(-) diff --git a/argocd/applications/configs/keycloak-admin-cli-config-job.yaml b/argocd/applications/configs/keycloak-admin-cli-config-job.yaml index e273ffa07..a4d1203dc 100644 --- a/argocd/applications/configs/keycloak-admin-cli-config-job.yaml +++ b/argocd/applications/configs/keycloak-admin-cli-config-job.yaml 
@@ -127,6 +127,44 @@ spec: fi echo "Keycloak admin-cli configuration completed successfully" + + # Ensure service account user has group membership (required for groups claim) + echo "Checking service account user group membership..." + + # Get service account user ID + SERVICE_ACCOUNT_USER_ID=$(/opt/keycloak/bin/kcadm.sh get clients/$ADMIN_CLI_ID/service-account-user -r master --fields id | grep '"id"' | sed 's/.*"id" : "\([^"]*\)".*/\1/') + + if [ -z "$SERVICE_ACCOUNT_USER_ID" ]; then + echo "Service account user not found" + exit 1 + fi + + echo "Found service account user with ID: $SERVICE_ACCOUNT_USER_ID" + + # Check if service-accounts group exists + SERVICE_ACCOUNTS_GROUP_ID=$(/opt/keycloak/bin/kcadm.sh get groups -r master -q name=service-accounts --fields id 2>/dev/null | grep '"id"' | sed 's/.*"id" : "\([^"]*\)".*/\1/' | head -1) + + if [ -z "$SERVICE_ACCOUNTS_GROUP_ID" ]; then + echo "Creating service-accounts group" + /opt/keycloak/bin/kcadm.sh create groups -r master -s name=service-accounts -s path=/service-accounts + SERVICE_ACCOUNTS_GROUP_ID=$(/opt/keycloak/bin/kcadm.sh get groups -r master -q name=service-accounts --fields id | grep '"id"' | sed 's/.*"id" : "\([^"]*\)".*/\1/' | head -1) + echo "Created service-accounts group with ID: $SERVICE_ACCOUNTS_GROUP_ID" + else + echo "service-accounts group already exists with ID: $SERVICE_ACCOUNTS_GROUP_ID" + fi + + # Check if service account user is in the group + USER_GROUPS=$(/opt/keycloak/bin/kcadm.sh get users/$SERVICE_ACCOUNT_USER_ID/groups -r master) + + if echo "$USER_GROUPS" | grep -q "service-accounts"; then + echo "Service account user is already in service-accounts group" + else + echo "Adding service account user to service-accounts group" + /opt/keycloak/bin/kcadm.sh update users/$SERVICE_ACCOUNT_USER_ID/groups/$SERVICE_ACCOUNTS_GROUP_ID -r master -n + echo "Successfully added service account user to service-accounts group" + fi + + echo "Keycloak admin-cli configuration and group setup 
completed successfully" securityContext: runAsNonRoot: true runAsUser: 1000 diff --git a/argocd/applications/configs/platform-keycloak-realm-config.yaml b/argocd/applications/configs/platform-keycloak-realm-config.yaml index bdd740f75..851177bd4 100644 --- a/argocd/applications/configs/platform-keycloak-realm-config.yaml +++ b/argocd/applications/configs/platform-keycloak-realm-config.yaml @@ -280,9 +280,9 @@ data: "consentRequired": false, "standardFlowEnabled": false, "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "publicClient": false, "frontchannelLogout": false, "protocol": "openid-connect", "attributes": { From 165b06b412b58d7d9f687bdd06b3a46554fb75fa Mon Sep 17 00:00:00 2001 From: Sandeep Sharma Date: Wed, 8 Oct 2025 05:20:11 -0700 Subject: [PATCH 24/25] fix: revert admin-cli to direct access grants for orch-library compatibility The orch-library@v0.6.0 appears to expect admin-cli to use direct access grants rather than service account authentication. Reverting to: - directAccessGrantsEnabled: true - serviceAccountsEnabled: false - publicClient: true This matches the pattern used by system-client which works successfully in the codebase. The groups scope is still maintained for compatibility. --- .../keycloak-admin-cli-config-job.yaml | 38 ------------------- .../platform-keycloak-realm-config.yaml | 6 +-- 2 files changed, 3 insertions(+), 41 deletions(-) diff --git a/argocd/applications/configs/keycloak-admin-cli-config-job.yaml b/argocd/applications/configs/keycloak-admin-cli-config-job.yaml index a4d1203dc..e273ffa07 100644 --- a/argocd/applications/configs/keycloak-admin-cli-config-job.yaml +++ b/argocd/applications/configs/keycloak-admin-cli-config-job.yaml 
@@ -127,44 +127,6 @@ spec:
 fi
 echo "Keycloak admin-cli configuration completed successfully"
-
- # Ensure service account user has group membership (required for groups claim)
- echo "Checking service account user group membership..."
-
- # Get service account user ID
- SERVICE_ACCOUNT_USER_ID=$(/opt/keycloak/bin/kcadm.sh get clients/$ADMIN_CLI_ID/service-account-user -r master --fields id | grep '"id"' | sed 's/.*"id" : "\([^"]*\)".*/\1/')
-
- if [ -z "$SERVICE_ACCOUNT_USER_ID" ]; then
- echo "Service account user not found"
- exit 1
- fi
-
- echo "Found service account user with ID: $SERVICE_ACCOUNT_USER_ID"
-
- # Check if service-accounts group exists
- SERVICE_ACCOUNTS_GROUP_ID=$(/opt/keycloak/bin/kcadm.sh get groups -r master -q name=service-accounts --fields id 2>/dev/null | grep '"id"' | sed 's/.*"id" : "\([^"]*\)".*/\1/' | head -1)
-
- if [ -z "$SERVICE_ACCOUNTS_GROUP_ID" ]; then
- echo "Creating service-accounts group"
- /opt/keycloak/bin/kcadm.sh create groups -r master -s name=service-accounts -s path=/service-accounts
- SERVICE_ACCOUNTS_GROUP_ID=$(/opt/keycloak/bin/kcadm.sh get groups -r master -q name=service-accounts --fields id | grep '"id"' | sed 's/.*"id" : "\([^"]*\)".*/\1/' | head -1)
- echo "Created service-accounts group with ID: $SERVICE_ACCOUNTS_GROUP_ID"
- else
- echo "service-accounts group already exists with ID: $SERVICE_ACCOUNTS_GROUP_ID"
- fi
-
- # Check if service account user is in the group
- USER_GROUPS=$(/opt/keycloak/bin/kcadm.sh get users/$SERVICE_ACCOUNT_USER_ID/groups -r master)
-
- if echo "$USER_GROUPS" | grep -q "service-accounts"; then
- echo "Service account user is already in service-accounts group"
- else
- echo "Adding service account user to service-accounts group"
- /opt/keycloak/bin/kcadm.sh update users/$SERVICE_ACCOUNT_USER_ID/groups/$SERVICE_ACCOUNTS_GROUP_ID -r master -n
- echo "Successfully added service account user to service-accounts group"
- fi
-
- echo "Keycloak admin-cli configuration and group setup 
completed successfully"
 securityContext:
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/argocd/applications/configs/platform-keycloak-realm-config.yaml b/argocd/applications/configs/platform-keycloak-realm-config.yaml
index 851177bd4..bdd740f75 100644
--- a/argocd/applications/configs/platform-keycloak-realm-config.yaml
+++ b/argocd/applications/configs/platform-keycloak-realm-config.yaml
@@ -280,9 +280,9 @@ data:
 "consentRequired": false,
 "standardFlowEnabled": false,
 "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": true,
- "publicClient": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
 "frontchannelLogout": false,
 "protocol": "openid-connect",
 "attributes": {
From 3b558769482922d1da5a2c777a2caa0dd6134cbe Mon Sep 17 00:00:00 2001
From: Sandeep Sharma
Date: Wed, 8 Oct 2025 06:22:57 -0700
Subject: [PATCH 25/25] fix: add missing edge-manager-m2m-client to Keycloak realm
This client is required by orch-library@v0.6.1 authentication code. The getClientIDTokenFromKeycloak function was failing with 'index out of range [0]' because it couldn't find the edge-manager-m2m-client. Configured as service account client with: - serviceAccountsEnabled: true - groups scope included - client credentials authentication - secret: edge-manager-secret This should resolve the tenant-controller authentication panics.
---
 .../platform-keycloak-realm-config.yaml | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)
diff --git a/argocd/applications/configs/platform-keycloak-realm-config.yaml b/argocd/applications/configs/platform-keycloak-realm-config.yaml
index bdd740f75..489b292ce 100644
--- a/argocd/applications/configs/platform-keycloak-realm-config.yaml
+++ b/argocd/applications/configs/platform-keycloak-realm-config.yaml
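Review bot: The three admin-cli flags in this hunk are flipped for the second time in this series and nothing in the file records why `"publicClient": true` with `"directAccessGrantsEnabled": true` has to stay, so the next reader is likely to tighten it again and repeat the breakage the commit message describes. Since the realm JSON cannot carry comments, add a YAML comment in the ConfigMap above the realm block scalar, e.g. `# admin-cli must stay a public client with direct access grants: orch-library v0.6.0 authenticates against it that way (see the revert in this series); do not switch it to a service account`. It is also worth stating in that comment that with this setting the admin username/password alone yields master-realm tokens, so the admin-password Secret is the only control on that path. The enclosing client object and realm document start and end outside the hunk.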
@@ -307,6 +307,53 @@ data:
 "organization",
 "microprofile-jwt"
 ]
+ },
+ {
+ "clientId": "edge-manager-m2m-client",
+ "name": "Edge Manager M2M Client",
+ "description": "Machine-to-machine client for edge manager services",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "edge-manager-secret",
+ "redirectUris": [],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": false,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": true,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "client.secret.creation.time": "1698847200",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "oidc.ciba.grant.enabled": "false",
+ "backchannel.logout.session.required": "true",
+ "backchannel.logout.revoke.offline.tokens": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "defaultClientScopes": [
+ "web-origins",
+ "acr",
+ "profile",
+ "roles",
+ "basic",
+ "email",
+ "groups"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "organization",
+ "microprofile-jwt"
+ ]
 }
 ],
 "clientScopes": [
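Review bot: `"secret": "edge-manager-secret"` is a static, guessable client secret committed to git inside a ConfigMap, and combined with `"serviceAccountsEnabled": true` and `"fullScopeAllowed": true` it lets anyone who can read the ConfigMap or this repository obtain service-account tokens carrying every realm role mapped to the client. Render the secret from a Kubernetes Secret at deploy time (a placeholder such as `"secret": "<EDGE_MANAGER_CLIENT_SECRET>"` substituted by the deployment, never a literal in the realm file), set `"fullScopeAllowed": false` and map only the roles and scopes the edge-manager services actually use, and drop or regenerate `"client.secret.creation.time": "1698847200"` since that fixed value no longer describes when the secret was created. The commit message already names the literal secret value, so it should also be rotated once the substitution is in place. The hunk sits inside the `clients` array; the enclosing realm document starts and ends outside it.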