Merge branch 'main' into SPSH-1327

.github/workflows/create-release.yml

@@ -34,14 +34,14 @@ jobs:
     uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-nest-test-sonarcloud.yaml@5
     with:
       node_version: '18'
-      timeout_minutes: 15
+      timeout_minutes: 20
     permissions:
       contents: read
     secrets: inherit
 
   release_image:
     name: "Publish image and scan with trivy"
-    needs: 
+    needs:
      - codeql_analyze
      - nest_lint
      - tests_and_sonarcloud
@@ -57,7 +57,7 @@ jobs:
       container_registry: "ghcr.io"
       fail_on_vulnerabilites: false
       report_location: "Dockerfile"
-  
+
   # Helm Chart
   scan_helm:
     uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5
@@ -70,8 +70,8 @@ jobs:
     secrets: inherit
     with:
       chart_name: "dbildungs-iam-server"
-      helm_chart_version_generation: specified 
-      image_tag_generation: specified 
+      helm_chart_version_generation: specified
+      image_tag_generation: specified
       helm_chart_version: "${{ github.ref_name }}"
       image_tag: "${{ github.ref_name }}"
-      helm_repo_list: "bitnami,https://charts.bitnami.com/bitnami"
+      helm_repo_list: "bitnami,https://charts.bitnami.com/bitnami"

.gitignore

@@ -144,3 +144,4 @@ dist
 .vscode/settings.json
 
 mariadb/
+test/secrets.test.json

charts/dbildungs-iam-server/Chart.yaml

@@ -3,9 +3,4 @@ name: dbildungs-iam-server
 version: 0.2.0
 description: dBildungs-IAM-server
 type: application
-appVersion: ""
-dependencies:
-- name: redis
-  repository: https://charts.bitnami.com/bitnami
-  version: 20.3.0
-  condition: redis.enabled 
+appVersion: ""

charts/dbildungs-iam-server/config/config.json

@@ -24,7 +24,7 @@
     "SERVICE_CLIENT_ID": "spsh-service"
   },
   "REDIS": {
-    "HOST": "dbildungs-iam-server-redis",
+    "HOST": "dbildungs-iam-redis-master.spsh.svc.cluster.local",
     "PORT": 6379,
     "USERNAME": "default",
     "PASSWORD": "",
@@ -51,7 +51,7 @@
     "BACKEND_FOR_FRONTEND_MODULE_LOG_LEVEL": "debug"
   },
   "ITSLEARNING": {
-    "ENABLED": "false",
+    "ENABLED": false,
     "ENDPOINT": "https://itslearning.example.com",
     "USERNAME": "username",
     "PASSWORD": "password",
@@ -60,7 +60,7 @@
     "ROOT_ERSATZ": "ersatz"
   },
   "OX": {
-    "ENABLED": "false",
+    "ENABLED": false,
     "ENDPOINT": "https://ox_ip:ox_port/webservices/OXUserService",
     "CONTEXT_ID": "1337",
     "CONTEXT_NAME": "contextname",
@@ -81,5 +81,13 @@
     "RENAME_WAITING_TIME_IN_SECONDS": 3,
     "STEP_UP_TIMEOUT_ENABLED": "true",
     "STEP_UP_TIMEOUT_IN_SECONDS": 10
+  },
+  "VIDIS": {
+      "BASE_URL": "https://service-stage.vidis.schule",
+      "USERNAME": "",
+      "PASSWORD": "",
+      "REGION_NAME": "test-region",
+      "KEYCLOAK_GROUP": "VIDIS-service",
+      "KEYCLOAK_ROLE": "VIDIS-user"
   }
 }

charts/dbildungs-iam-server/config/secrets.json

@@ -5,4 +5,4 @@
     "REDIS": {
         "PASSWORD": "password"
     }
-}
+}

charts/dbildungs-iam-server/cron/Dockerfile

@@ -1,5 +1,7 @@
 FROM alpine:3.19
 
+ENV LOG_FILE_PATH=/var/log/cron.log
+
 # Install necessary packages
 RUN apk update && \
     apk add --no-cache bash cronie jq openssl vim wget

charts/dbildungs-iam-server/cron/scripts/get_access_token.sh

@@ -53,13 +53,13 @@ elif [ -n "$JWKS_FILE_PATH" ] && [ -f "$JWKS_FILE_PATH" ]; then
   # JWKS_FILE_PATH is set, use the file
   jwks=$(cat "$JWKS_FILE_PATH")
 else
-  echo "Error: No JWKS environment variable or JWKS file found." >> /var/log/cron.log
+  echo "Error: No JWKS environment variable or JWKS file found." >> "${LOG_FILE_PATH}"
   exit 1
 fi
 
 # Check if environment variables are set
 if [[ -z "$clientId" || -z "$kc_token_url" || -z "$jwks" ]]; then
-    echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> /var/log/cron.log
+    echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> "${LOG_FILE_PATH}"
     exit 1
 fi
 
@@ -68,7 +68,7 @@ key_json=$(echo "$jwks" | jq -c '.keys[0]')
 
 # Check if key_json is empty
 if [[ -z "$key_json" ]]; then
-  echo "Error: No keys found in JWKS." >> /var/log/cron.log
+  echo "Error: No keys found in JWKS." >> "${LOG_FILE_PATH}"
   exit 1
 fi
 
@@ -110,14 +110,14 @@ dq=INTEGER:0x$dq_dec
 qi=INTEGER:0x$qi_dec
 EOF
 
-echo "Starting to generate PEM-formatted private key" >> /var/log/cron.log
+echo "Starting to generate PEM-formatted private key" >> "${LOG_FILE_PATH}"
 
 # Generate the PEM-formatted private key
 temp_key_file=$(mktemp)
 openssl asn1parse -genconf "$asn1_structure" -out "$temp_key_file" > /dev/null 2>&1
 openssl rsa -in "$temp_key_file" -inform DER -outform PEM -out "$temp_key_file.pem" > /dev/null 2>&1
 
-echo "Ending to generate PEM-formatted private key" >> /var/log/cron.log
+echo "Ending to generate PEM-formatted private key" >> "${LOG_FILE_PATH}"
 
 # Remove temporary files
 rm "$asn1_structure" "$temp_key_file"
@@ -146,14 +146,14 @@ payload_base64=$(base64url_encode "$payload")
 # Combine header and payload
 header_payload="$header_base64.$payload_base64"
 
-echo "Payload created" >> /var/log/cron.log
+echo "Payload created" >> "${LOG_FILE_PATH}"
 
 # Sign the JWT
 signature=$(echo -n "$header_payload" | \
   openssl dgst -sha256 -sign "$temp_key_file.pem" | \
   openssl enc -base64 -A | tr '+/' '-_' | tr -d '=')
 
-echo "Signed the JWT" >> /var/log/cron.log
+echo "Signed the JWT" >> "${LOG_FILE_PATH}"
 
 # Remove the temporary PEM key file
 rm "$temp_key_file.pem"
@@ -166,15 +166,15 @@ response=$(wget -qO- --post-data "grant_type=client_credentials&client_id=$clien
   --header "Content-Type: application/x-www-form-urlencoded" \
   "$kc_token_url")
 
-echo "Access token requested" >> /var/log/cron.log
+echo "Access token requested" >> "${LOG_FILE_PATH}"
 
 # Check if the response contains an access token
 if echo "$response" | grep -q '"access_token"'; then
   # Extract the access token from the response
   access_token=$(echo "$response" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
   echo "$access_token"
 else
-  echo "Failed to retrieve access token. Response:" >> /var/log/cron.log
-  echo "$response" >> /var/log/cron.log
+  echo "Failed to retrieve access token. Response:" >> "${LOG_FILE_PATH}"
+  echo "$response" >> "${LOG_FILE_PATH}"
   exit 1
 fi

charts/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl

@@ -86,24 +86,39 @@
               secretKeyRef:
                   name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
                   key: pi-user-realm
-          - name: SYSTEM_RENAME_WAITING_TIME_IN_SECONDS
+          - name: REDIS_PASSWORD
             valueFrom:
               secretKeyRef:
                   name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-                  key: system-rename-waiting-time-in-seconds
-          - name: SYSTEM_STEP_UP_TIMEOUT_IN_SECONDS
+                  key: redis-password
+          - name: VIDIS_BASE_URL
             valueFrom:
               secretKeyRef:
                   name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-                  key: system-step-up-timeout-in-seconds
-          - name: SYSTEM_STEP_UP_TIMEOUT_ENABLED
+                  key: vidis-base-url
+          - name: VIDIS_USERNAME
             valueFrom:
               secretKeyRef:
                   name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-                  key: system-step-up-timeout-enabled
-          - name: REDIS_PASSWORD
+                  key: vidis-username
+          - name: VIDIS_PASSWORD
             valueFrom:
               secretKeyRef:
                   name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-                  key: redis-password
+                  key: vidis-password
+          - name: VIDIS_REGION_NAME
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: vidis-region-name
+          - name: VIDIS_KEYCLOAK_GROUP
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: vidis-keycloak-group
+          - name: VIDIS_KEYCLOAK_ROLE
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: vidis-keycloak-role
 {{- end}}

charts/dbildungs-iam-server/templates/backend-ingress.yaml

@@ -13,6 +13,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
+  tls:
+  - hosts:
+      - {{ .Values.backendHostname  }}
   ingressClassName: {{ .Values.backend.ingress.ingressClassName }}
   rules:
     - host: {{ .Values.backendHostname }}

charts/dbildungs-iam-server/templates/backend-ingress2nd.yaml

@@ -0,0 +1,30 @@
+{{if .Values.backend.ingress.enabled2nd }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "common.names.name" . }}-backend2nd
+  namespace: {{ template "common.names.namespace" . }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+  annotations:
+    nginx.ingress.kubernetes.io/cors-allow-origin: "https://{{ .Values.keycloak2ndHostname }},https://{{ .Values.keycloakHostname }}"
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    {{- with .Values.backend.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  ingressClassName: {{ .Values.backend.ingress.ingressClassName }}
+  rules:
+    - host: {{ .Values.backend2ndHostname }}
+      http:
+        paths:
+          {{- range $path := .Values.backend.ingress.paths }}
+          - path: {{ $path }}
+            pathType: {{ $.Values.backend.ingress.pathType }}
+            backend:
+              service:
+                name: {{ template "common.names.name" $ }}-backend
+                port:
+                  number: {{ $.Values.backend.service.ports.http }}
+          {{- end }}
+{{ end }}

charts/dbildungs-iam-server/templates/backend-servicemonitor.yaml

@@ -1,8 +1,8 @@
-{{if .Values.backend.serviceMonitor.enabled }}
+{{ if .Values.backend.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  name: {{ template "common.names.name" . }}-backend
+  name: {{ template "common.names.name" . }}
   namespace: {{ template "common.names.namespace" . }}
   labels:
     {{- include "common.labels" . | nindent 4 }}
@@ -13,9 +13,11 @@ spec:
       - {{ include "common.names.namespace" . | quote }}
   selector:
     matchLabels:
-      app.kubernetes.io/name: {{ template "common.names.name" . }}-backend
+      app.kubernetes.io/name: {{ template "common.names.name" . }}
       app.kubernetes.io/component: server-backend
   endpoints:
     - port: {{ (index .Values.backend.serviceMonitor.endpoints 0).port }}
+      path: {{ .Values.backend.serviceMonitor.path }}
+      interval: {{ .Values.backend.serviceMonitor.interval }}
 {{ end }}
 

charts/dbildungs-iam-server/templates/configmap.yaml

@@ -16,8 +16,15 @@ data:
   FRONTEND_DEFAULT_LOGIN_REDIRECT: "https://{{ .Values.backendHostname }}/"
   FRONTEND_LOGOUT_REDIRECT: "https://{{ .Values.backendHostname }}/"
   BACKEND_HOSTNAME: "{{ .Values.backendHostname }}"
+  ERROR_PAGE_REDIRECT: "https://{{ .Values.backendHostname }}/login-error"
   LDAP_URL: '{{ .Values.ldap.url | replace "spsh-xxx" .Release.Namespace }}'
   LDAP_BIND_DN: "{{ .Values.ldap.bindDN }}"
   LDAP_OEFFENTLICHE_SCHULEN_DOMAIN: "{{ .Values.ldap.oeffentlicheSchulenDomain }}"
   LDAP_ERSATZSCHULEN_DOMAIN: "{{ .Values.ldap.ersatzschulenDomain }}"
   STATUS_REDIRECT_URL: "{{ .Values.status.url }}"
+  SYSTEM_RENAME_WAITING_TIME_IN_SECONDS: "{{ .Values.backend.env.renameWaitingTimeInSeconds }}"
+  SYSTEM_STEP_UP_TIMEOUT_ENABLED: "{{ .Values.backend.env.stepUpTimeoutEnabled }}"
+  SYSTEM_STEP_UP_TIMEOUT_IN_SECONDS: "{{ .Values.backend.env.stepUpTimeoutInSeconds }}"
+  ITSLEARNING_ROOT: '{{ .Values.itslearning.root }}'
+  ITSLEARNING_ROOT_OEFFENTLICH: '{{ .Values.itslearning.rootOeffentlich }}'
+  ITSLEARNING_ROOT_ERSATZ: '{{ .Values.itslearning.rootErsatz }}'

charts/dbildungs-iam-server/templates/cronjob.yaml

@@ -8,6 +8,8 @@ metadata:
 spec:
   schedule: {{ $job_options.schedule }}
   startingDeadlineSeconds: 300
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
   jobTemplate:
     spec:
       backoffLimit: 0
@@ -22,10 +24,9 @@ spec:
             image: "{{ $.Values.cronjobs.image.repository }}:{{ $.Values.cronjobs.image.tag }}"
             imagePullPolicy: {{ $.Values.cronjobs.image.pullPolicy | default "Always"}}
             securityContext:
-              # not yet possible since we need to install some tools
-              # privileged: false
-              # runAsUser: 1000
-              # runAsNonRoot: true
+              privileged: false
+              runAsUser: 1000
+              runAsNonRoot: true
               capabilities:
                 drop:
                   - ALL
@@ -41,6 +42,8 @@ spec:
                   value: "https://{{ $.Values.backendHostname }}{{ $job_options.endpoint }}"
                 - name: HTTP_METHOD
                   value: "{{ $job_options.httpMethod }}"
+                - name: LOG_FILE_PATH
+                  value: "/tmp/log/cron.log"
             resources:
               limits:
                 memory: "128Mi"
@@ -52,11 +55,9 @@ spec:
               - "sh"
               - "-c"
               - |
-                  mkdir /scripts &&
-                  cp /scripts_tmp/*.sh /scripts/ &&
-                  chmod +x /scripts/*.sh &&
-                  touch /var/log/cron.log &&
-                  chmod 644 /var/log/cron.log &&
+                  mkdir /tmp/log/ &&
+                  touch /tmp/log/cron.log &&
+                  chmod 644 /tmp/log/cron.log &&
                   cd {{ $.Values.cronjobs.scriptDir }} &&
                   bash {{ $job_options.script }}
             volumeMounts:
@@ -65,7 +66,7 @@ spec:
                 subPath: jwks.json
                 readOnly: true
               - name: script-volume
-                mountPath: /scripts_tmp
+                mountPath: /scripts
                 readOnly: false
             ports:
             - containerPort: {{ $.Values.cronjobs.port }}
@@ -74,6 +75,7 @@ spec:
           - name: script-volume
             configMap:
               name: {{ template "common.names.name" $ }}-cronjob-scripts-configmap
+              defaultMode: 0555
           - name: secret-volume-jwks
             secret:
               secretName: dbildungs-iam-server