
Kratos pm4ml providers #113

Merged
merged 11 commits into from
Feb 22, 2024
Expand Up @@ -324,6 +324,52 @@ spec:
- phone
- offline_access
- microprofile-jwt
# %{ for pm4ml in pm4mls ~}
- clientId: '${pm4ml.pm4ml} provider'
name: '${pm4ml.pm4ml}-provider-client'
description: ''
rootUrl: ''
adminUrl: ''
baseUrl: ''
surrogateAuthRequired: false
enabled: true
alwaysDisplayInConsole: false
clientAuthenticatorType: client-secret
secret: ${pm4ml.pm4ml}_oidc_provider_secret
redirectUris:
- "*"
webOrigins:
- "*"
notBefore: 0
bearerOnly: false
consentRequired: false
standardFlowEnabled: true
implicitFlowEnabled: false
directAccessGrantsEnabled: true
serviceAccountsEnabled: false
publicClient: true
frontchannelLogout: true
protocol: openid-connect
attributes:
oidc.ciba.grant.enabled: 'false'
oauth2.device.authorization.grant.enabled: 'false'
backchannel.logout.session.required: 'true'
backchannel.logout.revoke.offline.tokens: 'false'
authenticationFlowBindingOverrides: {}
fullScopeAllowed: true
nodeReRegistrationTimeout: -1
defaultClientScopes:
- web-origins
- acr
- roles
- profile
- email
optionalClientScopes:
- address
- phone
- offline_access
- microprofile-jwt
# %{ endfor ~}
- id: ce8b8b2d-71b8-4ecc-a306-ba657c9e8403
clientId: realm-management
name: '$${client_realm-management}'
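Review bot: The generated per-pm4ml client accepts any redirect target — `redirectUris:` / `- "*"` and `webOrigins:` / `- "*"` — and with `publicClient: true` the token endpoint exchanges an authorization code without the `secret` declared a few lines above, so a code that lands on an unintended URL can be redeemed with no client credential at all. Pin the redirect URI to the Kratos callback for this provider, e.g. `- "https://<KRATOS_PUBLIC_FQDN>/self-service/methods/oidc/callback/${pm4ml.pm4ml}"` (FQDN placeholder to fill in), set `webOrigins` to that origin only, and set `publicClient: false` so the `client-secret` authenticator is actually enforced. Separately, `clientId: '${pm4ml.pm4ml} provider'` does not appear to match the `client_id` the Kratos provider entry in this PR sends (`${pm4ml.pm4ml}-provider-client`); `clientId` is the value Keycloak authenticates, `name` is only the display label, so one side should change. `directAccessGrantsEnabled: true` additionally enables the password grant for this client; if Kratos only uses the code flow it can be `false`.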
Expand Up @@ -162,6 +162,15 @@ spec:
name: default
name: kratosoidcsecret
path: ${hubop_oidc_client_secret_secret_path}/${hubop_oidc_client_secret_secret}
%{ for pm4ml in pm4mls ~}
- authentication:
path: kubernetes
role: policy-admin
serviceAccount:
name: default
name: ${pm4ml.pm4ml}
path: ${hubop_oidc_client_secret_secret_path}/${pm4ml.pm4ml}-oidc-provider-secret
%{ endfor ~}
output:
name: kratos-oidc-providers
stringData:
Expand All @@ -175,5 +184,16 @@ spec:
"mapper_url":"base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7Cgp7CiAgaWRlbnRpdHk6IHsKICAgIHRyYWl0czogewogICAgICBlbWFpbDogY2xhaW1zLmVtYWlsLAogICAgICBuYW1lOiBjbGFpbXMuZW1haWwsCiAgICAgIHN1YmplY3Q6IGNsYWltcy5zdWIKICAgIH0sCiAgfSwKfQ==",
"issuer_url":"https://${keycloak_fqdn}/realms/${keycloak_hubop_realm_name}"
}
%{ for pm4ml in pm4mls ~}
,{
"id":"${pm4ml.pm4ml}",
"provider":"generic",
"client_id":"${pm4ml.pm4ml}-provider-client",
"client_secret":"{{ .${pm4ml.pm4ml}.secret }}",
"scope":["openid", "profile", "email"],
"mapper_url":"base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7Cgp7CiAgaWRlbnRpdHk6IHsKICAgIHRyYWl0czogewogICAgICBlbWFpbDogY2xhaW1zLmVtYWlsLAogICAgICBuYW1lOiBjbGFpbXMuZW1haWwsCiAgICAgIHN1YmplY3Q6IGNsYWltcy5zdWIKICAgIH0sCiAgfSwKfQ==",
"issuer_url":"https://${keycloak_fqdn}/realms/${pm4ml.pm4ml}"
}
%{ endfor ~}
]'
type: Opaque
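Review bot: Every pm4ml realm is now fed through the same identity mapper as the hub operator entry (the `mapper_url` on the new provider decodes to traits `email: claims.email`, `name: claims.email`, `subject: claims.sub`), so each pm4ml realm's Keycloak becomes a source of `email` trait values with no check of `email_verified` and no record of which issuer asserted the claim. Depending on how Kratos is configured to link accounts by identifier, an identity asserted by one pm4ml realm could collide with, or be linked to, one belonging to another realm or to the hub operator; consider qualifying `subject` with the provider id and gating on `claims.email_verified` in the mapper, and confirm the linking settings for these providers. The `,{` construction relies on the hub operator entry always being emitted ahead of the loop; if that block ever becomes conditional the rendered value stops being valid JSON, which building the list with `jsonencode` in the template would avoid. The mapper blob is duplicated verbatim from the entry above; a single template variable would keep the two in sync.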
11 changes: 10 additions & 1 deletion terraform/gitops/k8s-cluster-config/app-deploy.tf
Expand Up @@ -200,6 +200,11 @@ locals {
pm4ml_keycloak_realm_env_secret_map = { for key, pm4ml in local.pm4ml_var_map :
"${var.pm4ml_oidc_client_secret_secret}-${key}" => var.pm4ml_oidc_client_secret_secret_key
}

pm4ml_provider_secret_map = { for key, pm4ml in local.pm4ml_var_map :
"${key}-oidc-provider-secret" => var.pm4ml_oidc_client_secret_secret_key
}

hubop_keycloak_realm_env_secret_map = {
"${var.hubop_oidc_client_secret_secret}" = var.hubop_oidc_client_secret_secret_key
"${var.hubop_realm_role_assign_service_secret}" = var.hubop_realm_role_assign_service_secret_key
Expand Down Expand Up @@ -240,7 +245,11 @@ locals {
pm4ml_internal_gateway_hosts = concat(local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_exp_hosts, values(local.pm4ml_ttk_frontend_fqdns), values(local.pm4ml_ttk_backend_fqdns), values(local.test_fqdns))
pm4ml_external_gateway_hosts = concat(local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_external_wildcard_exp_hosts)

keycloak_realm_env_secret_map = merge(var.common_var_map.mojaloop_enabled ? local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map, local.hubop_keycloak_realm_env_secret_map)
keycloak_realm_env_secret_map = merge(
var.common_var_map.mojaloop_enabled ? local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map,
local.hubop_keycloak_realm_env_secret_map,
local.pm4ml_provider_secret_map
)

internal_gateway_hosts = concat([local.keycloak_admin_fqdn],
local.vault_wildcard_gateway == "internal" ? [local.vault_public_fqdn] : [],
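Review bot: `pm4ml_provider_secret_map` is merged into `keycloak_realm_env_secret_map` unconditionally, while the sibling `pm4ml_keycloak_realm_env_secret_map` is only selected when `mojaloop_enabled` is false; if that asymmetry is intended, a one-line comment on the new map would stop the next reader from treating it as an oversight, e.g. `# needed regardless of mojaloop_enabled: the hub operator Kratos federates every pm4ml realm (see ory.tf)`. The `pm4ml` value in `for key, pm4ml in local.pm4ml_var_map :` is unused in the new map (as in the one above it); `for key in keys(local.pm4ml_var_map) :` makes that explicit. Both maps reuse `var.pm4ml_oidc_client_secret_secret_key` as the key name, so the provider secret and the client secret are read under the same key from different Vault secrets — worth confirming that is what the realm import expects.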
1 change: 1 addition & 0 deletions terraform/gitops/k8s-cluster-config/ory.tf
Expand Up @@ -43,6 +43,7 @@ module "generate_ory_files" {
hubop_role_assignment_svc_username = var.hubop_realm_role_assignment_svc_user
portal_admin_secret_name = join("$", ["", "{${replace(var.hubop_realm_portal_admin_secret, "-", "_")}}"])
portal_admin = var.hubop_realm_portal_admin_user
pm4mls = var.app_var_map.pm4mls
}
file_list = [for f in fileset(local.ory_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.ory_app_file, f))]
template_path = local.ory_template_path
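Review bot: `pm4mls = var.app_var_map.pm4mls` is passed straight into the templates, which iterate it with `%{ for pm4ml in pmlmls ~}`-style loops; if `app_var_map` has no `pm4mls` entry (or it is null) for a deployment without PM4MLs, `templatefile` will fail rather than render an empty loop. `pm4mls = try(var.app_var_map.pm4mls, [])` keeps rendering working in that case; if the key is guaranteed upstream, a brief comment saying so is enough. The `pm4ml.pm4ml` name is interpolated unquoted into YAML (`name: ${pm4ml.pm4ml}`) and into JSON strings in those templates, so the variable's validation should restrict it to a DNS-label-style character set; the enclosing `module "generate_ory_files"` block starts outside the hunk.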