Skip to content

Commit

Permalink
dbildungs-iam-server
Browse files Browse the repository at this point in the history
  • Loading branch information
dbildungs-iam-server-gha committed Dec 17, 2024
1 parent 686de30 commit 0a31533
Show file tree
Hide file tree
Showing 10 changed files with 145 additions and 119 deletions.
4 changes: 2 additions & 2 deletions automation/dbildungs-iam-server/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
apiVersion: v2
appVersion: SPSH-1570
appVersion: dbp-1084
description: dBildungs-IAM-server
name: dbildungs-iam-server
type: application
version: 0.0.0-spsh-1570-20241217-1340
version: 0.0.0-dbp-1084-20241217-1549
8 changes: 8 additions & 0 deletions automation/dbildungs-iam-server/config/config.json
Original file line number Diff line number Diff line change
Expand Up @@ -81,5 +81,13 @@
"RENAME_WAITING_TIME_IN_SECONDS": 3,
"STEP_UP_TIMEOUT_ENABLED": "true",
"STEP_UP_TIMEOUT_IN_SECONDS": 10
},
"VIDIS": {
"BASE_URL": "https://service-stage.vidis.schule",
"USERNAME": "",
"PASSWORD": "",
"REGION_NAME": "test-region",
"KEYCLOAK_GROUP": "VIDIS-service",
"KEYCLOAK_ROLE": "VIDIS-user"
}
}
2 changes: 2 additions & 0 deletions automation/dbildungs-iam-server/cron/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
FROM alpine:3.19

ENV LOG_FILE_PATH=/var/log/cron.log

# Install necessary packages
RUN apk update && \
apk add --no-cache bash cronie jq openssl vim wget
Expand Down
20 changes: 10 additions & 10 deletions automation/dbildungs-iam-server/cron/scripts/get_access_token.sh
Original file line number Diff line number Diff line change
Expand Up @@ -53,13 +53,13 @@ elif [ -n "$JWKS_FILE_PATH" ] && [ -f "$JWKS_FILE_PATH" ]; then
# JWKS_FILE_PATH is set, use the file
jwks=$(cat "$JWKS_FILE_PATH")
else
echo "Error: No JWKS environment variable or JWKS file found." >> /var/log/cron.log
echo "Error: No JWKS environment variable or JWKS file found." >> "${LOG_FILE_PATH}"
exit 1
fi

# Check if environment variables are set
if [[ -z "$clientId" || -z "$kc_token_url" || -z "$jwks" ]]; then
echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> /var/log/cron.log
echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> "${LOG_FILE_PATH}"
exit 1
fi

Expand All @@ -68,7 +68,7 @@ key_json=$(echo "$jwks" | jq -c '.keys[0]')

# Check if key_json is empty
if [[ -z "$key_json" ]]; then
echo "Error: No keys found in JWKS." >> /var/log/cron.log
echo "Error: No keys found in JWKS." >> "${LOG_FILE_PATH}"
exit 1
fi

Expand Down Expand Up @@ -110,14 +110,14 @@ dq=INTEGER:0x$dq_dec
qi=INTEGER:0x$qi_dec
EOF

echo "Starting to generate PEM-formatted private key" >> /var/log/cron.log
echo "Starting to generate PEM-formatted private key" >> "${LOG_FILE_PATH}"

# Generate the PEM-formatted private key
temp_key_file=$(mktemp)
openssl asn1parse -genconf "$asn1_structure" -out "$temp_key_file" > /dev/null 2>&1
openssl rsa -in "$temp_key_file" -inform DER -outform PEM -out "$temp_key_file.pem" > /dev/null 2>&1

echo "Ending to generate PEM-formatted private key" >> /var/log/cron.log
echo "Ending to generate PEM-formatted private key" >> "${LOG_FILE_PATH}"

# Remove temporary files
rm "$asn1_structure" "$temp_key_file"
Expand Down Expand Up @@ -146,14 +146,14 @@ payload_base64=$(base64url_encode "$payload")
# Combine header and payload
header_payload="$header_base64.$payload_base64"

echo "Payload created" >> /var/log/cron.log
echo "Payload created" >> "${LOG_FILE_PATH}"

# Sign the JWT
signature=$(echo -n "$header_payload" | \
openssl dgst -sha256 -sign "$temp_key_file.pem" | \
openssl enc -base64 -A | tr '+/' '-_' | tr -d '=')

echo "Signed the JWT" >> /var/log/cron.log
echo "Signed the JWT" >> "${LOG_FILE_PATH}"

# Remove the temporary PEM key file
rm "$temp_key_file.pem"
Expand All @@ -166,15 +166,15 @@ response=$(wget -qO- --post-data "grant_type=client_credentials&client_id=$clien
--header "Content-Type: application/x-www-form-urlencoded" \
"$kc_token_url")

echo "Access token requested" >> /var/log/cron.log
echo "Access token requested" >> "${LOG_FILE_PATH}"

# Check if the response contains an access token
if echo "$response" | grep -q '"access_token"'; then
# Extract the access token from the response
access_token=$(echo "$response" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
echo "$access_token"
else
echo "Failed to retrieve access token. Response:" >> /var/log/cron.log
echo "$response" >> /var/log/cron.log
echo "Failed to retrieve access token. Response:" >> "${LOG_FILE_PATH}"
echo "$response" >> "${LOG_FILE_PATH}"
exit 1
fi
Original file line number Diff line number Diff line change
@@ -1,94 +1,94 @@
{{- define "dbildungs-iam-server-backend-envs" }}
- name: DB_SECRET
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: db-password
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: db-username
- name: DB_HOST
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: db-host
- name: KC_ADMIN_SECRET
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: keycloak-adminSecret
- name: DB_CLIENT_URL
value: "postgres://$(DB_HOST)/"
- name: KC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: keycloak-clientSecret
- name: KC_SERVICE_CLIENT_PRIVATE_JWKS
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: service-account-private-jwks
- name: FRONTEND_SESSION_SECRET
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: frontend-sessionSecret
- name: ITSLEARNING_ENABLED
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: itslearning-enabled
- name: ITSLEARNING_ENDPOINT
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: itslearning-endpoint
- name: ITSLEARNING_USERNAME
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: itslearning-username
- name: ITSLEARNING_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: itslearning-password
- name: LDAP_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: ldap-admin-password
- name: PI_BASE_URL
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: pi-base-url
- name: PI_ADMIN_USER
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: pi-admin-user
- name: PI_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: pi-admin-password
- name: PI_USER_RESOLVER
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: pi-user-resolver
- name: PI_REALM
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: pi-user-realm
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: redis-password
- name: DB_SECRET
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: db-password
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: db-username
- name: DB_HOST
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: db-host
- name: KC_ADMIN_SECRET
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: keycloak-adminSecret
- name: DB_CLIENT_URL
value: "postgres://$(DB_HOST)/"
- name: KC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: keycloak-clientSecret
- name: KC_SERVICE_CLIENT_PRIVATE_JWKS
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: service-account-private-jwks
- name: FRONTEND_SESSION_SECRET
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: frontend-sessionSecret
- name: ITSLEARNING_ENABLED
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: itslearning-enabled
- name: ITSLEARNING_ENDPOINT
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: itslearning-endpoint
- name: ITSLEARNING_USERNAME
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: itslearning-username
- name: ITSLEARNING_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: itslearning-password
- name: LDAP_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: ldap-admin-password
- name: PI_BASE_URL
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: pi-base-url
- name: PI_ADMIN_USER
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: pi-admin-user
- name: PI_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: pi-admin-password
- name: PI_USER_RESOLVER
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: pi-user-resolver
- name: PI_REALM
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: pi-user-realm
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: redis-password
{{- end}}
Original file line number Diff line number Diff line change
Expand Up @@ -45,9 +45,9 @@ spec:
command: [ "node", "dist/src/console/main.js", "keycloak", "update-clients", "dev" ]
env:
{{- include "dbildungs-iam-server-backend-envs" . | indent 12 }}
{{- if .Values.backend.extraEnvVars }}
{{ toYaml .Values.backend.extraEnvVars | nindent 12 }}
{{- end }}
{{- if .Values.backend.extraEnvVars }}
{{ toYaml .Values.backend.extraEnvVars | nindent 12 }}
{{- end }}
envFrom:
- configMapRef:
name: {{ template "common.names.name" . }}
Expand Down
1 change: 1 addition & 0 deletions automation/dbildungs-iam-server/templates/configmap.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -28,3 +28,4 @@ data:
ITSLEARNING_ROOT: '{{ .Values.itslearning.root }}'
ITSLEARNING_ROOT_OEFFENTLICH: '{{ .Values.itslearning.rootOeffentlich }}'
ITSLEARNING_ROOT_ERSATZ: '{{ .Values.itslearning.rootErsatz }}'
NODE_OPTIONS: "--max-old-space-size={{ .Values.backend.env.maxOldSpaceSize }}"
22 changes: 12 additions & 10 deletions automation/dbildungs-iam-server/templates/cronjob.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ metadata:
spec:
schedule: {{ $job_options.schedule }}
startingDeadlineSeconds: 300
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
backoffLimit: 0
Expand All @@ -22,10 +24,9 @@ spec:
image: "{{ $.Values.cronjobs.image.repository }}:{{ $.Values.cronjobs.image.tag }}"
imagePullPolicy: {{ $.Values.cronjobs.image.pullPolicy | default "Always"}}
securityContext:
# not yet possible since we need to install some tools
# privileged: false
# runAsUser: 1000
# runAsNonRoot: true
privileged: false
runAsUser: 1000
runAsNonRoot: true
capabilities:
drop:
- ALL
Expand All @@ -41,6 +42,8 @@ spec:
value: "https://{{ $.Values.backendHostname }}{{ $job_options.endpoint }}"
- name: HTTP_METHOD
value: "{{ $job_options.httpMethod }}"
- name: LOG_FILE_PATH
value: "/tmp/log/cron.log"
resources:
limits:
memory: "128Mi"
Expand All @@ -52,11 +55,9 @@ spec:
- "sh"
- "-c"
- |
mkdir /scripts &&
cp /scripts_tmp/*.sh /scripts/ &&
chmod +x /scripts/*.sh &&
touch /var/log/cron.log &&
chmod 644 /var/log/cron.log &&
mkdir /tmp/log/ &&
touch /tmp/log/cron.log &&
chmod 644 /tmp/log/cron.log &&
cd {{ $.Values.cronjobs.scriptDir }} &&
bash {{ $job_options.script }}
volumeMounts:
Expand All @@ -65,7 +66,7 @@ spec:
subPath: jwks.json
readOnly: true
- name: script-volume
mountPath: /scripts_tmp
mountPath: /scripts
readOnly: false
ports:
- containerPort: {{ $.Values.cronjobs.port }}
Expand All @@ -74,6 +75,7 @@ spec:
- name: script-volume
configMap:
name: {{ template "common.names.name" $ }}-cronjob-scripts-configmap
defaultMode: 0555
- name: secret-volume-jwks
secret:
secretName: dbildungs-iam-server
Expand Down
6 changes: 6 additions & 0 deletions automation/dbildungs-iam-server/templates/secret.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,10 @@ data:
pi-user-realm: {{ .Values.auth.pi_user_realm }}
secrets-json: {{ .Values.auth.secrets_json }}
redis-password: {{ .Values.auth.redis_password }}
vidis-base-url: {{ .Values.auth.vidis_base_url }}
vidis-username: {{ .Values.auth.vidis_username }}
vidis-password: {{ .Values.auth.vidis_password }}
vidis-region-name: {{ .Values.auth.vidis_region_name }}
vidis-keycloak-group: {{ .Values.auth.vidis_keycloak_group }}
vidis-keycloak-role: {{ .Values.auth.vidis_keycloak_role }}
{{- end }}
Loading

0 comments on commit 0a31533

Please sign in to comment.