Merge branch 'main' into EW-644

.gitattributes

@@ -0,0 +1,2 @@
+*.sh text eol=lf
+redis.conf eol=lf

.github/dependabot.yml

@@ -1,11 +1,10 @@
 version: 2
 updates:
-  - package-ecosystem: "npm"
-    directory: "/"
+  - package-ecosystem: 'npm'
+    directory: '/'
     open-pull-requests-limit: 10
-    versioning-strategy: "auto"
+    versioning-strategy: 'auto'
     schedule:
-      interval: "weekly"
-    labels: ["dependencies"]
-
-
+      interval: 'daily'
+    labels:
+      - 'dependencies'

charts/dbildungs-iam/Chart.yaml

@@ -1,11 +1,16 @@
 apiVersion: v2
 name: dbildungs-iam
-version: 0.1.1
+version: 0.2.0
 
 description: dBildungs-IAM
 type: application
 
 dependencies:
+  # In non-test-deployments we expect keycloak to be provided for us thus it needs to be enabled
   - name: dbildungs-iam-keycloak-dev
     version: "*"
     condition: keycloakEnabled
+  # In non-test-deployments we expect redis to be provided for us thus it needs to be enabled
+  - name: dbildungs-iam-redis
+    version: latest
+    condition: redisEnabled

charts/dbildungs-iam/charts/dbildungs-iam-keycloak-dev/dev-realm-spsh.json

@@ -467,6 +467,22 @@
       ],
       "notBefore": 0,
       "groups": []
+    },
+    {
+      "id": "22207262-196f-4995-8011-6830091ebdca",
+      "username": "test",
+      "createdTimestamp": 1697087666332,
+      "enabled": true,
+      "emailVerified": true,
+      "firstName": "Testus",
+      "lastName": "Experimentus",
+      "email": "[email protected]",
+      "credentials": [
+        {
+          "type": "password",
+          "value": "test"
+        }
+      ]
     }
   ],
   "scopeMappings": [
@@ -778,7 +794,6 @@
       "enabled": true,
       "alwaysDisplayInConsole": false,
       "clientAuthenticatorType": "client-secret",
-      "secret": "YDp6fYkbUcj4ZkyAOnbAHGQ9O72htc5M",
       "redirectUris": [
         "/*"
       ],
@@ -791,14 +806,15 @@
       "standardFlowEnabled": true,
       "implicitFlowEnabled": false,
       "directAccessGrantsEnabled": true,
-      "serviceAccountsEnabled": true,
-      "publicClient": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
       "frontchannelLogout": true,
       "protocol": "openid-connect",
       "attributes": {
         "oidc.ciba.grant.enabled": "false",
         "client.secret.creation.time": "1696586327",
         "backchannel.logout.session.required": "true",
+        "post.logout.redirect.uris": "+",
         "oauth2.device.authorization.grant.enabled": "false",
         "display.on.consent.screen": "false",
         "backchannel.logout.revoke.offline.tokens": "false"

charts/dbildungs-iam/charts/dbildungs-iam-redis/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: dbildungs-iam-redis
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 1.16.0

charts/dbildungs-iam/charts/dbildungs-iam-redis/copy-tls.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+STAGING_DIR="/staging"
+MOUNTED_FILES_DIR="/tls"
+CONFIG_DIR=/data/tls
+
+# Setup working environment
+
+mkdir -p $STAGING_DIR
+mkdir -p $CONFIG_DIR
+# Copy generator script
+cp -v $MOUNTED_FILES_DIR/gencert.sh /staging
+
+# Begin Bracket
+pushd $STAGING_DIR || exit 1
+
+chmod ugo+x gencert.sh
+./gencert.sh
+
+# We have generated our certificates, now we put them in their right place
+cp -v tls/redis.crt tls/redis.key tls/ca.crt $CONFIG_DIR
+# Pre-Made config, correct certs and disabling of non-tls included
+cp -v $MOUNTED_FILES_DIR/redis.conf $CONFIG_DIR
+
+# End Bracket
+popd || exit 1
+
+# $CONFIG_DIR remains behind, that is the point of this script, Staging is cleaned away
+rm -rf $STAGING_DIR

charts/dbildungs-iam/charts/dbildungs-iam-redis/gencert.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# COPIED/MODIFIED from the redis server gen-certs util
+
+# Generate some test certificates which are used by the regression test suite:
+#
+#   tls/ca.{crt,key}          Self signed CA certificate.
+#   tls/redis.{crt,key}       A certificate with no key usage/policy restrictions.
+#   tls/client.{crt,key}      A certificate restricted for SSL client usage.
+#   tls/server.{crt,key}      A certificate restricted for SSL server usage.
+#   tls/redis.dh              DH Params file.
+
+generate_cert() {
+    local name=$1
+    local cn="$2"
+    local opts="$3"
+
+    local keyfile=tls/${name}.key
+    local certfile=tls/${name}.crt
+
+    [ -f $keyfile ] || openssl genrsa -out $keyfile 2048
+    openssl req \
+        -new -sha256 \
+        -subj "/O=Redis Test/CN=$cn" \
+        -key $keyfile | \
+        openssl x509 \
+            -req -sha256 \
+            -CA tls/ca.crt \
+            -CAkey tls/ca.key \
+            -CAserial tls/ca.txt \
+            -CAcreateserial \
+            -days 365 \
+            $opts \
+            -out $certfile
+}
+
+mkdir -p tls
+[ -f tls/ca.key ] || openssl genrsa -out tls/ca.key 4096
+openssl req \
+    -x509 -new -nodes -sha256 \
+    -key tls/ca.key \
+    -days 3650 \
+    -subj '/O=Redis Test/CN=Certificate Authority' \
+    -out tls/ca.crt
+
+cat > tls/openssl.cnf <<_END_
+[ server_cert ]
+keyUsage = digitalSignature, keyEncipherment
+nsCertType = server
+[ client_cert ]
+keyUsage = digitalSignature, keyEncipherment
+nsCertType = client
+_END_
+
+generate_cert server "Server-only" "-extfile tls/openssl.cnf -extensions server_cert"
+generate_cert client "Client-only" "-extfile tls/openssl.cnf -extensions client_cert"
+generate_cert redis "Generic-cert"
+
+[ -f tls/redis.dh ] || openssl dhparam -out tls/redis.dh 2048

charts/dbildungs-iam/charts/dbildungs-iam-redis/redis.conf

@@ -0,0 +1,8 @@
+tls-cert-file /data/tls/redis.crt
+tls-key-file /data/tls/redis.key
+tls-ca-cert-file /data/tls/ca.crt
+
+requirepass password
+
+tls-port 6379
+port 0

charts/dbildungs-iam/charts/dbildungs-iam-redis/templates/configmap-tls.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dbiam-redis-tls-config
+data:
+{{(.Files.Glob "gencert.sh").AsConfig | indent 2}}
+{{(.Files.Glob "copy-tls.sh").AsConfig | indent 2}}
+{{(.Files.Glob "redis.conf").AsConfig | indent 2}}

charts/dbildungs-iam/charts/dbildungs-iam-redis/templates/deployment.yaml

@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dbiam-server-redis-deployment
+  labels:
+    app.kubernetes.io/name: dbildungs-iam
+spec:
+  selector:
+    matchLabels:
+      layer: dbildungs-iam-redis
+  replicas: 1
+  template:
+    metadata:
+      name: dbildungs-iam-redis
+      labels:
+        layer: dbildungs-iam-redis
+    spec:
+      initContainers:
+        - name: copy-tls-data
+          image: alpine
+          command: ["/bin/sh","-c", "apk add --no-cache openssl bash;/bin/bash /tls/copy-tls.sh"]
+          volumeMounts:
+            - mountPath: "/tls"
+              name: tls-data
+            - mountPath: "/data"
+              name: data
+      containers:
+        - name: redis
+          image: redis:7.2.2
+          volumeMounts:
+            - mountPath: "/data"
+              name: data
+          ports:
+            - name: redis-port
+              containerPort: 6379
+              hostPort: 6379
+          args:
+            - "/data/tls/redis.conf"
+      volumes:
+        - name: tls-data
+          configMap:
+            name: dbiam-redis-tls-config
+        - name: data
+          emptyDir: {}

charts/dbildungs-iam/charts/dbildungs-iam-redis/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis-service
+  labels:
+    app.kubernetes.io/name: dbiam-server
+spec:
+  type: ClusterIP
+  ports:
+    - port: 6379
+      targetPort: redis-port
+      protocol: TCP
+      name: redis-port
+  selector:
+    layer: dbildungs-iam-redis

charts/dbildungs-iam/values.yaml

@@ -1,4 +1,4 @@
-dbildungsIamContainer: "ghcr.io/dbildungsplattform/dbildungs-iam-server/feature/bff_to_helm:latest"
+dbildungsIamContainer: "ghcr.io/dbildungsplattform/dbildungs-iam-server:kc_healthprobe"
 
 dbildungsIamExternalPort: 80
 dbildungsIamCpuMax: 2
@@ -25,4 +25,7 @@ enableServiceMonitor: false
 # Both of these are disabled as to make them intentional
 keycloakEnabled: false
 dbildungs-iam-keycloak-dev:
-  keycloakPublic: false
+  keycloakPublic: false
+
+# do we use a development redis?
+redisEnabled: false