From f54fdd150b87b57ae7657e3d71fa7b2c83505f49 Mon Sep 17 00:00:00 2001
From: Kalin Krustev
Date: Tue, 20 Feb 2024 11:36:13 +0000
Subject: [PATCH 01/10] generate providers
---
 .../templates/ory/vault-secret.yaml.tpl | 11 +++++++++++
 terraform/gitops/k8s-cluster-config/ory.tf | 1 +
 2 files changed, 12 insertions(+)
diff --git a/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl b/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl
index b4fcfd854..2f36dce7a 100644
--- a/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl
@@ -175,5 +175,16 @@ spec:
 "mapper_url":"base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7Cgp7CiAgaWRlbnRpdHk6IHsKICAgIHRyYWl0czogewogICAgICBlbWFpbDogY2xhaW1zLmVtYWlsLAogICAgICBuYW1lOiBjbGFpbXMuZW1haWwsCiAgICAgIHN1YmplY3Q6IGNsYWltcy5zdWIKICAgIH0sCiAgfSwKfQ==",
 "issuer_url":"https://${keycloak_fqdn}/realms/${keycloak_hubop_realm_name}"
 }
+%{ for pm4ml in pm4mls ~}
+ ,{
+ "id":"${pm4ml.pm4ml}",
+ "provider":"generic",
+ "client_id":"${pm4ml.pm4ml}-provider-client",
+ "client_secret":"{{ .kratosoidcsecret.${pm4ml.pm4ml} }}",
+ "scope":["openid", "profile", "email"],
+ "mapper_url":"base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7Cgp7CiAgaWRlbnRpdHk6IHsKICAgIHRyYWl0czogewogICAgICBlbWFpbDogY2xhaW1zLmVtYWlsLAogICAgICBuYW1lOiBjbGFpbXMuZW1haWwsCiAgICAgIHN1YmplY3Q6IGNsYWltcy5zdWIKICAgIH0sCiAgfSwKfQ==",
+ "issuer_url":"https://${keycloak_fqdn}/realms/${pm4ml.pm4ml}"
+ }
+%{ endfor ~}
 ]'
 type: Opaque
diff --git a/terraform/gitops/k8s-cluster-config/ory.tf b/terraform/gitops/k8s-cluster-config/ory.tf
index 7adff563d..df60c0f88 100644
--- a/terraform/gitops/k8s-cluster-config/ory.tf
+++ b/terraform/gitops/k8s-cluster-config/ory.tf
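Review bot: `"client_secret":"{{ .kratosoidcsecret.${pm4ml.pm4ml} }}"` splices the pm4ml name into a dotted template selector, which is a parse error in a Go template as soon as the name contains a hyphen, and hyphenated names are evidently expected here because ory.tf and pm4ml.tf both rewrite them with `replace(..., "-", "_")` before using them as identifiers. The same shape survives every later rewrite of this line (patches 2, 7 and 8) and is still present at the end of the series as `"client_secret":"{{ .${provider.realm}.${provider.secret_key} }}"`, with the matching source named `name: ${provider.realm}`. Which template engine the secret operator applies to `stringData` is not visible on this page, so confirm first; if it is Go-template syntax, name the source and select it by a sanitised value, e.g. `name: ${replace(provider.realm, "-", "_")}` and `"client_secret":"{{ .${replace(provider.realm, "-", "_")}.${provider.secret_key} }}"`.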
@@ -43,6 +43,7 @@ module "generate_ory_files" {
 hubop_role_assignment_svc_username = var.hubop_realm_role_assignment_svc_user
 portal_admin_secret_name = join("$", ["", "{${replace(var.hubop_realm_portal_admin_secret, "-", "_")}}"])
 portal_admin = var.hubop_realm_portal_admin_user
+ pm4mls = var.app_var_map.pm4mls
 }
 file_list = [for f in fileset(local.ory_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.ory_app_file, f))]
 template_path = local.ory_template_path
From bcb1f663b4086e1c2d7a64558d66e9fd8eed0901 Mon Sep 17 00:00:00 2001
From: Kalin Krustev
Date: Tue, 20 Feb 2024 12:19:24 +0000
Subject: [PATCH 02/10] generate providers
---
 .../templates/ory/vault-secret.yaml.tpl | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl b/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl
index 2f36dce7a..38eaf1a75 100644
--- a/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl
@@ -162,6 +162,15 @@ spec:
 name: default
 name: kratosoidcsecret
 path: ${hubop_oidc_client_secret_secret_path}/${hubop_oidc_client_secret_secret}
+%{ for pm4ml in pm4mls ~}
+ - authentication:
+ path: kubernetes
+ role: policy-admin
+ serviceAccount:
+ name: default
+ name: ${pm4ml.pm4ml}
+ path: ${hubop_oidc_client_secret_secret_path}/${pm4ml.pm4ml}-oidc-provider
+%{ endfor ~}
 output:
 name: kratos-oidc-providers
 stringData:
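Review bot: Each per-pm4ml source added in the `@@ -162,6 +162,15 @@` hunk reads one OIDC client secret through the Vault Kubernetes role `role: policy-admin` with the `default` service account, presumably mirroring the existing `kratosoidcsecret` source whose role is outside the hunk. Whether that role's policy is limited to read access under `${hubop_oidc_client_secret_secret_path}` cannot be seen here; if it is broader than that, a dedicated read-only role for this secret sync would keep a compromised sync pod from reaching anything beyond the paths it needs. The `name: ${pm4ml.pm4ml}` given to each source is also the selector used from the `stringData` template later in the same file, so a hyphen-free value is needed here for the reference to resolve.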
@@ -180,7 +189,7 @@ spec:
 "id":"${pm4ml.pm4ml}",
 "provider":"generic",
 "client_id":"${pm4ml.pm4ml}-provider-client",
- "client_secret":"{{ .kratosoidcsecret.${pm4ml.pm4ml} }}",
+ "client_secret":"{{ .${pm4ml.pm4ml}.secret }}",
 "scope":["openid", "profile", "email"],
 "mapper_url":"base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7Cgp7CiAgaWRlbnRpdHk6IHsKICAgIHRyYWl0czogewogICAgICBlbWFpbDogY2xhaW1zLmVtYWlsLAogICAgICBuYW1lOiBjbGFpbXMuZW1haWwsCiAgICAgIHN1YmplY3Q6IGNsYWltcy5zdWIKICAgIH0sCiAgfSwKfQ==",
 "issuer_url":"https://${keycloak_fqdn}/realms/${pm4ml.pm4ml}"
From b406e6771bcc9cbd19ddae98128d268716acb090 Mon Sep 17 00:00:00 2001
From: Kalin Krustev
Date: Tue, 20 Feb 2024 14:03:47 +0000
Subject: [PATCH 03/10] generate provider secrets
---
 .../templates/ory/keycloak-realm-cr.yaml.tpl | 46 +++++++++++++++++++
 .../templates/ory/vault-secret.yaml.tpl | 2 +-
 .../gitops/k8s-cluster-config/app-deploy.tf | 11 ++++-
 3 files changed, 57 insertions(+), 2 deletions(-)
diff --git a/terraform/gitops/generate-files/templates/ory/keycloak-realm-cr.yaml.tpl b/terraform/gitops/generate-files/templates/ory/keycloak-realm-cr.yaml.tpl
index fd9310862..ef2fdc331 100644
--- a/terraform/gitops/generate-files/templates/ory/keycloak-realm-cr.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/ory/keycloak-realm-cr.yaml.tpl
@@ -324,6 +324,52 @@ spec: - phone - offline_access - microprofile-jwt +%{ for pm4ml in pm4mls ~} + - clientId: '${pm4ml.pm4ml} provider' + name: '${pm4ml.pm4ml}-provider-client' + description: '' + rootUrl: '' + adminUrl: '' + baseUrl: '' + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + secret: ${pm4ml.pm4ml}_oidc_provider_secret + redirectUris: + - "*" + webOrigins: + - "*" + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: true + serviceAccountsEnabled: false + publicClient: true + frontchannelLogout: true + protocol: openid-connect + attributes: + oidc.ciba.grant.enabled: 'false' + oauth2.device.authorization.grant.enabled: 'false' + backchannel.logout.session.required: 'true' + backchannel.logout.revoke.offline.tokens: 'false' + authenticationFlowBindingOverrides: {} + fullScopeAllowed: true + nodeReRegistrationTimeout: -1 + defaultClientScopes: + - web-origins + - acr + - roles + - profile + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt +%{ endfor ~} - id: ce8b8b2d-71b8-4ecc-a306-ba657c9e8403 clientId: realm-management name: '$${client_realm-management}' diff --git a/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl b/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl index 38eaf1a75..8c2a8f63a 100644 --- a/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl +++ b/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl @@ -169,7 +169,7 @@ spec: serviceAccount: name: default name: ${pm4ml.pm4ml} - path: ${hubop_oidc_client_secret_secret_path}/${pm4ml.pm4ml}-oidc-provider + path: ${hubop_oidc_client_secret_secret_path}/${pm4ml.pm4ml}-oidc-provider-secret %{ endfor ~} output: name: kratos-oidc-providers 
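Review bot: `secret: ${pm4ml.pm4ml}_oidc_provider_secret` renders to a bare literal such as `<name>_oidc_provider_secret`, not to a `$${...}` placeholder like the `$${client_realm-management}` reference a few lines below it, so unless Keycloak resolves bare names the generated client would carry a static, predictable client secret. The same client also combines `clientAuthenticatorType: client-secret` with `publicClient: true`, which makes Keycloak stop enforcing that secret, and allows `redirectUris: - "*"` and `webOrigins: - "*"`, so any redirect target can receive the authorization code; Kratos calls back on a fixed URL per deployment, and the allow-list could be restricted to it. The block is copied into the pm4ml realm template in patch 5 with `secret: ${pm4ml_oidc_provider_secret}` (another literal, built with `replace(each.key, "-", "_")` in pm4ml.tf) and both copies are deleted again in patch 8, so this is mainly for the record should the client be reintroduced.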
diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf index 8a2c64f53..3cf19a84a 100644 --- a/terraform/gitops/k8s-cluster-config/app-deploy.tf +++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf @@ -200,6 +200,11 @@ locals { pm4ml_keycloak_realm_env_secret_map = { for key, pm4ml in local.pm4ml_var_map : "${var.pm4ml_oidc_client_secret_secret}-${key}" => var.pm4ml_oidc_client_secret_secret_key } + + pm4ml_provider_secret_map = { for key, pm4ml in local.pm4ml_var_map : + "${key}-oidc-provider-secret" => var.pm4ml_oidc_client_secret_secret_key + } + hubop_keycloak_realm_env_secret_map = { "${var.hubop_oidc_client_secret_secret}" = var.hubop_oidc_client_secret_secret_key "${var.hubop_realm_role_assign_service_secret}" = var.hubop_realm_role_assign_service_secret_key @@ -240,7 +245,11 @@ locals { pm4ml_internal_gateway_hosts = concat(local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_exp_hosts, values(local.pm4ml_ttk_frontend_fqdns), values(local.pm4ml_ttk_backend_fqdns), values(local.test_fqdns)) pm4ml_external_gateway_hosts = concat(local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_external_wildcard_exp_hosts) - keycloak_realm_env_secret_map = merge(var.common_var_map.mojaloop_enabled ? local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map, local.hubop_keycloak_realm_env_secret_map) + keycloak_realm_env_secret_map = merge( + var.common_var_map.mojaloop_enabled ? local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map, + local.hubop_keycloak_realm_env_secret_map, + local.pm4ml_provider_secret_map + ) internal_gateway_hosts = concat([local.keycloak_admin_fqdn], local.vault_wildcard_gateway == "internal" ? [local.vault_public_fqdn] : [], From 7cf1aed48188ca3f70fec116886eaaa28a7ac5b1 Mon Sep 17 00:00:00 2001 
From: Kalin Krustev Date: Tue, 20 Feb 2024 14:59:49 +0000 Subject: [PATCH 04/10] improve syntax highlight --- .../generate-files/templates/ory/keycloak-realm-cr.yaml.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/gitops/generate-files/templates/ory/keycloak-realm-cr.yaml.tpl b/terraform/gitops/generate-files/templates/ory/keycloak-realm-cr.yaml.tpl index ef2fdc331..32d749c42 100644 --- a/terraform/gitops/generate-files/templates/ory/keycloak-realm-cr.yaml.tpl +++ b/terraform/gitops/generate-files/templates/ory/keycloak-realm-cr.yaml.tpl @@ -324,7 +324,7 @@ spec: - phone - offline_access - microprofile-jwt -%{ for pm4ml in pm4mls ~} +# %{ for pm4ml in pm4mls ~} - clientId: '${pm4ml.pm4ml} provider' name: '${pm4ml.pm4ml}-provider-client' description: '' @@ -369,7 +369,7 @@ spec: - phone - offline_access - microprofile-jwt -%{ endfor ~} +# %{ endfor ~} - id: ce8b8b2d-71b8-4ecc-a306-ba657c9e8403 clientId: realm-management name: '$${client_realm-management}' From d3e66da8fe663dc66999546d7aec5001f10507ce Mon Sep 17 00:00:00 2001 From: Kalin Krustev Date: Wed, 21 Feb 2024 08:55:22 +0000 Subject: [PATCH 05/10] move client --- .../templates/ory/keycloak-realm-cr.yaml.tpl | 46 ------------------- .../pm4ml/keycloak-realm-cr.yaml.tpl | 44 ++++++++++++++++++ terraform/gitops/pm4ml/pm4ml.tf | 1 + 3 files changed, 45 insertions(+), 46 deletions(-) diff --git a/terraform/gitops/generate-files/templates/ory/keycloak-realm-cr.yaml.tpl b/terraform/gitops/generate-files/templates/ory/keycloak-realm-cr.yaml.tpl index 32d749c42..fd9310862 100644 --- a/terraform/gitops/generate-files/templates/ory/keycloak-realm-cr.yaml.tpl +++ b/terraform/gitops/generate-files/templates/ory/keycloak-realm-cr.yaml.tpl 
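Review bot: Prefixing the directives with `# ` does not yield a YAML comment once rendered: by Terraform's documented `~` behaviour `%{ for pm4ml in pm4mls ~}` strips the whitespace after it, newline included, so the first iteration's `- clientId: ...` line is emitted directly after `# ` and is commented out, and the `# ` that precedes `%{ endfor ~}` ends each iteration and then lands in front of whatever follows the loop, here `- id: ce8b8b2d-...`. The same pattern is applied to the sources loop in vault-secret.yaml.tpl in patch 7 (`# %{ for provider in oidc_providers ~}` / `# %{ endfor ~}`) and is still present at the end of the series, where it would comment out the first `- authentication:` item and the `output:` key; the JSON loop in the same file is unaffected because it sits inside a quoted string. Since the un-prefixed lines were valid before this change, drop the `# ` again or check one rendered file with `templatefile` before merging.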
@@ -324,52 +324,6 @@ spec: - phone - offline_access - microprofile-jwt -# %{ for pm4ml in pm4mls ~} - - clientId: '${pm4ml.pm4ml} provider' - name: '${pm4ml.pm4ml}-provider-client' - description: '' - rootUrl: '' - adminUrl: '' - baseUrl: '' - surrogateAuthRequired: false - enabled: true - alwaysDisplayInConsole: false - clientAuthenticatorType: client-secret - secret: ${pm4ml.pm4ml}_oidc_provider_secret - redirectUris: - - "*" - webOrigins: - - "*" - notBefore: 0 - bearerOnly: false - consentRequired: false - standardFlowEnabled: true - implicitFlowEnabled: false - directAccessGrantsEnabled: true - serviceAccountsEnabled: false - publicClient: true - frontchannelLogout: true - protocol: openid-connect - attributes: - oidc.ciba.grant.enabled: 'false' - oauth2.device.authorization.grant.enabled: 'false' - backchannel.logout.session.required: 'true' - backchannel.logout.revoke.offline.tokens: 'false' - authenticationFlowBindingOverrides: {} - fullScopeAllowed: true - nodeReRegistrationTimeout: -1 - defaultClientScopes: - - web-origins - - acr - - roles - - profile - - email - optionalClientScopes: - - address - - phone - - offline_access - - microprofile-jwt -# %{ endfor ~} - id: ce8b8b2d-71b8-4ecc-a306-ba657c9e8403 clientId: realm-management name: '$${client_realm-management}' diff --git a/terraform/gitops/generate-files/templates/pm4ml/keycloak-realm-cr.yaml.tpl b/terraform/gitops/generate-files/templates/pm4ml/keycloak-realm-cr.yaml.tpl index b241de767..e8ca32a18 100644 --- a/terraform/gitops/generate-files/templates/pm4ml/keycloak-realm-cr.yaml.tpl +++ b/terraform/gitops/generate-files/templates/pm4ml/keycloak-realm-cr.yaml.tpl 
@@ -544,6 +544,50 @@ spec: - phone - offline_access - microprofile-jwt + - clientId: '${pm4ml_namespace} provider' + name: '${pm4ml_namespace}-provider-client' + description: '' + rootUrl: '' + adminUrl: '' + baseUrl: '' + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + secret: ${pm4ml_oidc_provider_secret} + redirectUris: + - "*" + webOrigins: + - "*" + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: true + serviceAccountsEnabled: false + publicClient: true + frontchannelLogout: true + protocol: openid-connect + attributes: + oidc.ciba.grant.enabled: 'false' + oauth2.device.authorization.grant.enabled: 'false' + backchannel.logout.session.required: 'true' + backchannel.logout.revoke.offline.tokens: 'false' + authenticationFlowBindingOverrides: {} + fullScopeAllowed: true + nodeReRegistrationTimeout: -1 + defaultClientScopes: + - web-origins + - acr + - roles + - profile + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt - id: ${keycloak_pm4ml_realm_name} clientId: realm-management name: "$${client_realm-management}" diff --git a/terraform/gitops/pm4ml/pm4ml.tf b/terraform/gitops/pm4ml/pm4ml.tf index c97faa0d0..98bd720ec 100644 --- a/terraform/gitops/pm4ml/pm4ml.tf +++ b/terraform/gitops/pm4ml/pm4ml.tf @@ -7,6 +7,7 @@ module "generate_pm4ml_files" { pm4ml_chart_repo = var.pm4ml_chart_repo pm4ml_release_name = each.key pm4ml_namespace = each.key + pm4ml_oidc_provider_secret = "${replace(each.key, "-", "_")}_oidc_provider_secret" storage_class_name = var.storage_class_name pm4ml_sync_wave = var.pm4ml_sync_wave + index(keys(var.app_var_map), each.key) external_load_balancer_dns = var.external_load_balancer_dns From 8664550141cd1f3ada8ce52978e9aed50c3a8ae2 Mon Sep 17 00:00:00 2001 
From: Kalin Krustev Date: Wed, 21 Feb 2024 14:16:31 +0200 Subject: [PATCH 06/10] Update values-pm4ml.yaml.tpl --- .../gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl b/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl index ea8bc56b9..ac575888c 100644 --- a/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl +++ b/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl @@ -24,7 +24,7 @@ frontend: %{ if ory_stack_enabled ~} CHECK_SESSION_URL: https://${portal_fqdn}/kratos/sessions/whoami LOGIN_URL: https://${auth_fqdn}/kratos/self-service/login/browser - LOGIN_PROVIDER: keycloak + LOGIN_PROVIDER: ${pm4ml_namespace} %{ endif ~} experience-api: From 9839fa248a2e539addb74337bae0018c1005d599 Mon Sep 17 00:00:00 2001 From: Kalin Krustev Date: Thu, 22 Feb 2024 06:35:53 +0000 Subject: [PATCH 07/10] chore: use generic variable names --- .../templates/ory/vault-secret.yaml.tpl | 20 +++++++++---------- .../gitops/k8s-cluster-config/app-deploy.tf | 1 + terraform/gitops/k8s-cluster-config/ory.tf | 1 + 3 files changed, 12 insertions(+), 10 deletions(-) diff --git a/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl b/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl index 8c2a8f63a..45f2b46ec 100644 --- a/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl +++ b/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl 
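Review bot: `LOGIN_PROVIDER: ${pm4ml_namespace}` must equal the `id` of the matching entry in the Kratos providers list generated by ory/vault-secret.yaml.tpl (`"id":"${pm4ml.pm4ml}"` at this point in the series, `${provider.realm}` after patch 8), and nothing ties the two values together beyond both presumably deriving from the pm4ml key. A one-line comment above it would make the coupling visible to the next person who renames either side, e.g. `# must match the provider "id" generated for this pm4ml in ory/vault-secret.yaml.tpl`. The `%{ if ory_stack_enabled ~}` block this sits in starts before the hunk.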
@@ -162,15 +162,15 @@ spec: name: default name: kratosoidcsecret path: ${hubop_oidc_client_secret_secret_path}/${hubop_oidc_client_secret_secret} -%{ for pm4ml in pm4mls ~} +# %{ for provider in oidc_providers ~} - authentication: path: kubernetes role: policy-admin serviceAccount: name: default - name: ${pm4ml.pm4ml} - path: ${hubop_oidc_client_secret_secret_path}/${pm4ml.pm4ml}-oidc-provider-secret -%{ endfor ~} + name: ${provider} + path: ${hubop_oidc_client_secret_secret_path}/${provider}-oidc-provider-secret +# %{ endfor ~} output: name: kratos-oidc-providers stringData: @@ -184,16 +184,16 @@ spec: "mapper_url":"base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7Cgp7CiAgaWRlbnRpdHk6IHsKICAgIHRyYWl0czogewogICAgICBlbWFpbDogY2xhaW1zLmVtYWlsLAogICAgICBuYW1lOiBjbGFpbXMuZW1haWwsCiAgICAgIHN1YmplY3Q6IGNsYWltcy5zdWIKICAgIH0sCiAgfSwKfQ==", "issuer_url":"https://${keycloak_fqdn}/realms/${keycloak_hubop_realm_name}" } -%{ for pm4ml in pm4mls ~} + %{ for provider in oidc_providers ~} ,{ - "id":"${pm4ml.pm4ml}", + "id":"${provider}", "provider":"generic", - "client_id":"${pm4ml.pm4ml}-provider-client", - "client_secret":"{{ .${pm4ml.pm4ml}.secret }}", + "client_id":"${provider}-provider-client", + "client_secret":"{{ .${provider}.secret }}", "scope":["openid", "profile", "email"], "mapper_url":"base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7Cgp7CiAgaWRlbnRpdHk6IHsKICAgIHRyYWl0czogewogICAgICBlbWFpbDogY2xhaW1zLmVtYWlsLAogICAgICBuYW1lOiBjbGFpbXMuZW1haWwsCiAgICAgIHN1YmplY3Q6IGNsYWltcy5zdWIKICAgIH0sCiAgfSwKfQ==", - "issuer_url":"https://${keycloak_fqdn}/realms/${pm4ml.pm4ml}" + "issuer_url":"https://${keycloak_fqdn}/realms/${provider}" } -%{ endfor ~} + %{ endfor ~} ]' type: Opaque diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf index 3cf19a84a..a344c3cd7 100644 --- a/terraform/gitops/k8s-cluster-config/app-deploy.tf +++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf 
@@ -193,6 +193,7 @@ locals { pm4ml_var_map = { for pm4ml in var.app_var_map.pm4mls : pm4ml.pm4ml => pm4ml } + oidc_providers = [for pm4ml in var.app_var_map.pm4mls : pm4ml.pm4ml] mojaloop_keycloak_realm_env_secret_map = { "${var.mcm_oidc_client_secret_secret}" = var.mcm_oidc_client_secret_secret_key "${var.jwt_client_secret_secret}" = var.jwt_client_secret_secret_key diff --git a/terraform/gitops/k8s-cluster-config/ory.tf b/terraform/gitops/k8s-cluster-config/ory.tf index df60c0f88..9c1a31884 100644 --- a/terraform/gitops/k8s-cluster-config/ory.tf +++ b/terraform/gitops/k8s-cluster-config/ory.tf @@ -44,6 +44,7 @@ module "generate_ory_files" { portal_admin_secret_name = join("$", ["", "{${replace(var.hubop_realm_portal_admin_secret, "-", "_")}}"]) portal_admin = var.hubop_realm_portal_admin_user pm4mls = var.app_var_map.pm4mls + oidc_providers = local.oidc_providers } file_list = [for f in fileset(local.ory_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.ory_app_file, f))] template_path = local.ory_template_path From 69067e30cf8af3614f105ba28abdca9ed8acb050 Mon Sep 17 00:00:00 2001 From: Kalin Krustev Date: Thu, 22 Feb 2024 07:45:53 +0000 Subject: [PATCH 08/10] chore: use generic variable names --- .../templates/ory/vault-secret.yaml.tpl | 12 ++--- .../pm4ml/keycloak-realm-cr.yaml.tpl | 44 ------------------- .../gitops/k8s-cluster-config/app-deploy.tf | 24 +++++----- terraform/gitops/pm4ml/pm4ml.tf | 1 - 4 files changed, 20 insertions(+), 61 deletions(-) diff --git a/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl b/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl index 45f2b46ec..7f283a703 100644 --- a/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl +++ b/terraform/gitops/generate-files/templates/ory/vault-secret.yaml.tpl 
@@ -168,8 +168,8 @@ spec:
 role: policy-admin
 serviceAccount:
 name: default
- name: ${provider}
- path: ${hubop_oidc_client_secret_secret_path}/${provider}-oidc-provider-secret
+ name: ${provider.realm}
+ path: ${hubop_oidc_client_secret_secret_path}/${provider.secret_name}
 # %{ endfor ~}
 output:
 name: kratos-oidc-providers
@@ -186,13 +186,13 @@ spec:
 }
 %{ for provider in oidc_providers ~}
 ,{
- "id":"${provider}",
+ "id":"${provider.realm}",
 "provider":"generic",
- "client_id":"${provider}-provider-client",
- "client_secret":"{{ .${provider}.secret }}",
+ "client_id":"${provider.client_id}",
+ "client_secret":"{{ .${provider.realm}.${provider.secret_key} }}",
 "scope":["openid", "profile", "email"],
 "mapper_url":"base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7Cgp7CiAgaWRlbnRpdHk6IHsKICAgIHRyYWl0czogewogICAgICBlbWFpbDogY2xhaW1zLmVtYWlsLAogICAgICBuYW1lOiBjbGFpbXMuZW1haWwsCiAgICAgIHN1YmplY3Q6IGNsYWltcy5zdWIKICAgIH0sCiAgfSwKfQ==",
- "issuer_url":"https://${keycloak_fqdn}/realms/${provider}"
+ "issuer_url":"https://${keycloak_fqdn}/realms/${provider.realm}"
 }
 %{ endfor ~}
 ]'
diff --git a/terraform/gitops/generate-files/templates/pm4ml/keycloak-realm-cr.yaml.tpl b/terraform/gitops/generate-files/templates/pm4ml/keycloak-realm-cr.yaml.tpl
index e8ca32a18..b241de767 100644
--- a/terraform/gitops/generate-files/templates/pm4ml/keycloak-realm-cr.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/pm4ml/keycloak-realm-cr.yaml.tpl
@@ -544,50 +544,6 @@ spec: - phone - offline_access - microprofile-jwt - - clientId: '${pm4ml_namespace} provider' - name: '${pm4ml_namespace}-provider-client' - description: '' - rootUrl: '' - adminUrl: '' - baseUrl: '' - surrogateAuthRequired: false - enabled: true - alwaysDisplayInConsole: false - clientAuthenticatorType: client-secret - secret: ${pm4ml_oidc_provider_secret} - redirectUris: - - "*" - webOrigins: - - "*" - notBefore: 0 - bearerOnly: false - consentRequired: false - standardFlowEnabled: true - implicitFlowEnabled: false - directAccessGrantsEnabled: true - serviceAccountsEnabled: false - publicClient: true - frontchannelLogout: true - protocol: openid-connect - attributes: - oidc.ciba.grant.enabled: 'false' - oauth2.device.authorization.grant.enabled: 'false' - backchannel.logout.session.required: 'true' - backchannel.logout.revoke.offline.tokens: 'false' - authenticationFlowBindingOverrides: {} - fullScopeAllowed: true - nodeReRegistrationTimeout: -1 - defaultClientScopes: - - web-origins - - acr - - roles - - profile - - email - optionalClientScopes: - - address - - phone - - offline_access - - microprofile-jwt - id: ${keycloak_pm4ml_realm_name} clientId: realm-management name: "$${client_realm-management}" diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf index a344c3cd7..4f8c60912 100644 --- a/terraform/gitops/k8s-cluster-config/app-deploy.tf +++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf 
@@ -93,6 +93,7 @@ module "pm4ml" { cert_manager_namespace = var.cert_manager_namespace pm4ml_oidc_client_secret_secret_key = var.pm4ml_oidc_client_secret_secret_key pm4ml_oidc_client_secret_secret_prefix = var.pm4ml_oidc_client_secret_secret + pm4ml_oidc_client_id_prefix = var.pm4ml_oidc_client_id_prefix istio_external_gateway_name = var.istio_external_gateway_name istio_internal_gateway_name = var.istio_internal_gateway_name istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name @@ -154,6 +155,12 @@ variable "pm4ml_oidc_client_secret_secret" { default = "pm4ml-oidc-client-secret" } +variable "pm4ml_oidc_client_id_prefix" { + type = string + description = "pm4ml_oidc_client_id_prefix" + default = "pm4ml-customer-ui" +} + variable "hubop_realm_role_assign_service_secret_key" { type = string default = "secret" @@ -193,7 +200,12 @@ locals { pm4ml_var_map = { for pm4ml in var.app_var_map.pm4mls : pm4ml.pm4ml => pm4ml } - oidc_providers = [for pm4ml in var.app_var_map.pm4mls : pm4ml.pm4ml] + oidc_providers = [for pm4ml in var.app_var_map.pm4mls : { + realm = pm4ml.pm4ml + client_id = "${var.pm4ml_oidc_client_id_prefix}-${pm4ml.pm4ml}" + secret_name = "${var.pm4ml_oidc_client_secret_secret}-${pm4ml.pm4ml}" + secret_key = var.pm4ml_oidc_client_secret_secret_key + }] mojaloop_keycloak_realm_env_secret_map = { "${var.mcm_oidc_client_secret_secret}" = var.mcm_oidc_client_secret_secret_key "${var.jwt_client_secret_secret}" = var.jwt_client_secret_secret_key @@ -202,10 +214,6 @@ locals { "${var.pm4ml_oidc_client_secret_secret}-${key}" => var.pm4ml_oidc_client_secret_secret_key } - pm4ml_provider_secret_map = { for key, pm4ml in local.pm4ml_var_map : - "${key}-oidc-provider-secret" => var.pm4ml_oidc_client_secret_secret_key - } - hubop_keycloak_realm_env_secret_map = { "${var.hubop_oidc_client_secret_secret}" = var.hubop_oidc_client_secret_secret_key "${var.hubop_realm_role_assign_service_secret}" = var.hubop_realm_role_assign_service_secret_key 
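Review bot: In the `@@ -193,7 +200,12 @@` hunk, `oidc_providers` now gives Kratos `client_id = "${var.pm4ml_oidc_client_id_prefix}-${pm4ml.pm4ml}"` and a `secret_name` identical to the key already used in `pm4ml_keycloak_realm_env_secret_map`, which reads as the Kratos provider authenticating with the same Keycloak client the pm4ml portal itself uses (prefix default `pm4ml-customer-ui`). Sharing one confidential client between two relying parties means a rotation of that secret hits both and the client's redirect-URI allow-list has to admit both applications; if that sharing is intended, a comment on the local saying so would stop a later reader from "fixing" it, otherwise a dedicated client per provider keeps the credentials separable. Separately, the new `variable "pm4ml_oidc_client_id_prefix"` has `description = "pm4ml_oidc_client_id_prefix"`, which only repeats the name; something like `description = "Prefix of the Keycloak client id used by each pm4ml portal and, via oidc_providers, by its Kratos OIDC provider"` would tell the operator what the value controls.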
@@ -246,11 +254,7 @@ locals { pm4ml_internal_gateway_hosts = concat(local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_exp_hosts, values(local.pm4ml_ttk_frontend_fqdns), values(local.pm4ml_ttk_backend_fqdns), values(local.test_fqdns)) pm4ml_external_gateway_hosts = concat(local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_external_wildcard_exp_hosts) - keycloak_realm_env_secret_map = merge( - var.common_var_map.mojaloop_enabled ? local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map, - local.hubop_keycloak_realm_env_secret_map, - local.pm4ml_provider_secret_map - ) + keycloak_realm_env_secret_map = merge(var.common_var_map.mojaloop_enabled ? local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map, local.hubop_keycloak_realm_env_secret_map) internal_gateway_hosts = concat([local.keycloak_admin_fqdn], local.vault_wildcard_gateway == "internal" ? [local.vault_public_fqdn] : [], diff --git a/terraform/gitops/pm4ml/pm4ml.tf b/terraform/gitops/pm4ml/pm4ml.tf index 98bd720ec..78550c1aa 100644 --- a/terraform/gitops/pm4ml/pm4ml.tf +++ b/terraform/gitops/pm4ml/pm4ml.tf @@ -152,7 +152,6 @@ variable "pm4ml_sync_wave" { variable "pm4ml_oidc_client_id_prefix" { type = string description = "pm4ml_oidc_client_id_prefix" - default = "pm4ml-customer-ui" } variable "pm4ml_oidc_client_secret_secret_key" { From 90fdd35c449f32f238fc26e4dd4ff6c874f72116 Mon Sep 17 00:00:00 2001 From: Kalin Krustev Date: Thu, 22 Feb 2024 07:48:13 +0000 Subject: [PATCH 09/10] chore: use generic variable names --- terraform/gitops/k8s-cluster-config/ory.tf | 1 - terraform/gitops/pm4ml/pm4ml.tf | 1 - 2 files changed, 2 deletions(-) diff --git a/terraform/gitops/k8s-cluster-config/ory.tf b/terraform/gitops/k8s-cluster-config/ory.tf index 9c1a31884..1ff195978 100644 --- a/terraform/gitops/k8s-cluster-config/ory.tf +++ b/terraform/gitops/k8s-cluster-config/ory.tf 
@@ -43,7 +43,6 @@ module "generate_ory_files" {
 hubop_role_assignment_svc_username = var.hubop_realm_role_assignment_svc_user
 portal_admin_secret_name = join("$", ["", "{${replace(var.hubop_realm_portal_admin_secret, "-", "_")}}"])
 portal_admin = var.hubop_realm_portal_admin_user
- pm4mls = var.app_var_map.pm4mls
 oidc_providers = local.oidc_providers
 }
 file_list = [for f in fileset(local.ory_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.ory_app_file, f))]
diff --git a/terraform/gitops/pm4ml/pm4ml.tf b/terraform/gitops/pm4ml/pm4ml.tf
index 78550c1aa..5346387f6 100644
--- a/terraform/gitops/pm4ml/pm4ml.tf
+++ b/terraform/gitops/pm4ml/pm4ml.tf
@@ -7,7 +7,6 @@ module "generate_pm4ml_files" {
 pm4ml_chart_repo = var.pm4ml_chart_repo
 pm4ml_release_name = each.key
 pm4ml_namespace = each.key
- pm4ml_oidc_provider_secret = "${replace(each.key, "-", "_")}_oidc_provider_secret"
 storage_class_name = var.storage_class_name
 pm4ml_sync_wave = var.pm4ml_sync_wave + index(keys(var.app_var_map), each.key)
 external_load_balancer_dns = var.external_load_balancer_dns
From cf3c0e7fccd0e5c2e7f5e705912c2258014692b1 Mon Sep 17 00:00:00 2001
From: Kalin Krustev
Date: Thu, 22 Feb 2024 07:49:05 +0000
Subject: [PATCH 10/10] chore: use generic variable names
---
 terraform/gitops/k8s-cluster-config/app-deploy.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf
index 4f8c60912..16ccf34a1 100644
--- a/terraform/gitops/k8s-cluster-config/app-deploy.tf
+++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf
@@ -213,7 +213,6 @@ locals { pm4ml_keycloak_realm_env_secret_map = { for key, pm4ml in local.pm4ml_var_map : "${var.pm4ml_oidc_client_secret_secret}-${key}" => var.pm4ml_oidc_client_secret_secret_key } - hubop_keycloak_realm_env_secret_map = { "${var.hubop_oidc_client_secret_secret}" = var.hubop_oidc_client_secret_secret_key "${var.hubop_realm_role_assign_service_secret}" = var.hubop_realm_role_assign_service_secret_key