dbildungs-iam-keycloak

dBildungsplattform · Dec 17, 2024 · 2d5d308 · 2d5d308
1 parent 69e9299
commit 2d5d308
Show file tree

Hide file tree

Showing 10 changed files with 308 additions and 12 deletions.
diff --git a/automation/dbildungs-iam-keycloak/Chart.yaml b/automation/dbildungs-iam-keycloak/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: dbp-1084
+appVersion: SPSH-1651
 description: A Helm Chart for the dbildungs-iam-keycloak
 name: dbildungs-iam-keycloak
 type: application
-version: 0.0.0-dbp-1084-20241217-1458
+version: 0.0.0-spsh-1651-20241217-1520
diff --git a/automation/dbildungs-iam-keycloak/dev-realm-spsh.json b/automation/dbildungs-iam-keycloak/dev-realm-spsh.json
@@ -853,7 +853,7 @@
           "oidc.ciba.grant.enabled": "false",
           "client.secret.creation.time": "1727357679",
           "backchannel.logout.session.required": "true",
-          "jwt.credential.certificate": "MIICpzCCAY8CBgGSudz1xDANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxzcHNoLXNlcnZpY2UwHhcNMjQxMDIzMTQ1MDE4WhcNMzQxMDIzMTQ1MTU4WjAXMRUwEwYDVQQDDAxzcHNoLXNlcnZpY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4+xc3VFrYv+1A5Eoa+7firuYN/+3FwoLKSYAe68FQrPTDA27qyTdtPwbZfYe33lxREq7YgAF0T9qGVShXQrQqv+vvf0IDBdsTWd2UbEnJ02vj0CvDKV+1bFBWQt2Ead7MF6Wsw0HbK1tWMlvdZZl7YwypH8uHmXtGvdnnYNCLzJYPEWU4so6CPVAB89cTdspceYGg9HUnoWKv7IklAL/fJfJ/IWO/D/tEmPqM5taONuQmnwmYFhXMFAVRu32uixIYXNzr8Tw9w5naHIjENib83OtiqwidZrGbL7djNidIIs0XOzTxRlOzJ/+ajvUUQJLEQPEpjyd0QFEk2RshtcD9AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGsR/rbVu+Yf0rvYsfz59etjNoEtTq8l4jbDMChJRnanLHJvAxqHl0co1m+MbxTYB+l2cnqS6tpwea0LfKICXAamMScxe8dcq86DHV8RFOpWLszZgxFuPNplVxZxWde2AhwxCTz/wF2bPllJGc8mxJK0DJkuC50zh9yXQ6XFfwT9qTVAvqv3aEEKidmY3uDxRYFnzmLzqu7ac+Q3e/AWtP+PCQ+vmSJaSK4Uyn21wu3VN+1Gb8clPVI2pkNypSExq/OeS6g1BZy6Sng9mxG42602RLQj7QwK4GQHxYqMCEagf2W1OzC9pt+kGGg0JlN1kxeodiKLvU/Q8zWGCURWY30=",
+          "jwt.credential.certificate": "${KC_SERVICE_CLIENT_CERTIFICATE}",
           "oauth2.device.authorization.grant.enabled": "false",
           "display.on.consent.screen": "false",
           "backchannel.logout.revoke.offline.tokens": "false"
@@ -959,7 +959,7 @@
           "oauth2.device.authorization.grant.enabled": "false",
           "display.on.consent.screen": "false",
           "backchannel.logout.revoke.offline.tokens": "false",
-          "acr.loa.map": "{\"gold\":\"10\"}",
+          "acr.loa.map": "{\"gold\":\"10\", \"silver\":\"15\"}",
           "default.acr.values": "0"
         },
         "authenticationFlowBindingOverrides": {
@@ -1445,6 +1445,72 @@
           "configure": true,
           "manage": true
         }
+      },
+      {
+        "id": "dd986a17-44c7-4ec9-87f6-addf1646ecf0",
+        "clientId": "${KC_SCHOOLSH_CLIENT_ID}",
+        "name": "School-SH",
+        "description": "",
+        "rootUrl": "${KC_SCHOOLSH_CLIENT_ROOT_URL}",
+        "adminUrl": "",
+        "baseUrl": "",
+        "surrogateAuthRequired": false,
+        "enabled": true,
+        "alwaysDisplayInConsole": false,
+        "clientAuthenticatorType": "client-secret",
+        "secret": "${KC_SCHOOLSH_CLIENT_SECRET}",
+        "redirectUris": [
+          "/cgi/samlauth"
+        ],
+        "webOrigins": [
+          "+"
+        ],
+        "notBefore": 0,
+        "bearerOnly": false,
+        "consentRequired": false,
+        "standardFlowEnabled": true,
+        "implicitFlowEnabled": false,
+        "directAccessGrantsEnabled": false,
+        "serviceAccountsEnabled": false,
+        "publicClient": false,
+        "frontchannelLogout": true,
+        "protocol": "saml",
+        "attributes": {
+          "saml.assertion.signature": "true",
+          "saml_assertion_consumer_url_redirect": "${KC_SCHOOLSH_CLIENT_ROOT_URL}/cgi/samlauth",
+          "saml_single_logout_service_url_post": "${KC_SCHOOLSH_CLIENT_ROOT_URL}/cgi/tmlogout",
+          "saml.force.post.binding": "true",
+          "saml.encrypt": "true",
+          "saml_assertion_consumer_url_post": "${KC_SCHOOLSH_CLIENT_ROOT_URL}/cgi/samlauth",
+          "saml.server.signature": "true",
+          "saml.server.signature.keyinfo.ext": "false",
+          "saml.signing.certificate": "${KC_SCHOOLSH_CLIENT_SIGNING_CERTIFICATE}",
+          "saml_single_logout_service_url_redirect": "${KC_SCHOOLSH_CLIENT_ROOT_URL}/cgi/tmlogout",
+          "saml.artifact.binding": "false",
+          "saml.signature.algorithm": "RSA_SHA256",
+          "saml_force_name_id_format": "false",
+          "saml.client.signature": "true",
+          "saml.encryption.certificate": "${KC_SCHOOLSH_CLIENT_ENCRYPTION_CERTIFICATE}",
+          "saml.authnstatement": "true",
+          "display.on.consent.screen": "false",
+          "saml_name_id_format": "username",
+          "saml.allow.ecp.flow": "false",
+          "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
+          "saml.onetimeuse.condition": "false",
+          "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "NONE"
+        },
+        "authenticationFlowBindingOverrides": {},
+        "fullScopeAllowed": true,
+        "nodeReRegistrationTimeout": -1,
+        "defaultClientScopes": [
+          "role_list"
+        ],
+        "optionalClientScopes": [],
+        "access": {
+          "view": true,
+          "configure": true,
+          "manage": true
+        }
       }
     ],
     "clientScopes": [
@@ -2126,12 +2192,27 @@
         },
         {
           "id": "d47622d7-8d04-4d38-b7f0-d80eb182f80d",
-          "name": "rsa-generated",
-          "providerId": "rsa-generated",
+          "name": "rsa",
+          "providerId": "rsa",
           "subComponents": {},
           "config": {
+            "privateKey": [
+              "${KC_RS256_PRIVATE_KEY}"
+            ],
+            "certificate": [
+              "${KC_RS256_CERTIFICATE}"
+            ],
+            "active": [
+              "true"
+            ],
+            "enabled": [
+              "true"
+            ],
             "priority": [
               "100"
+            ],
+            "algorithm": [
+              "RS256"
             ]
           }
         },
@@ -2817,7 +2898,7 @@
           "piservicepass" : "${PI_ADMIN_PASSWORD}",
           "piserver" : "${PI_BASE_URL}",
           "piserviceaccount" : "${PI_ADMIN_USER}",
-          "pidefaultmessage" : "Diese Aktion setzt eine Zwei-Faktor-Authentifizierung voraus. Bitte geben Sie das Einmalpasswort von Ihrem 2FA-Token ein.",
+          "pidefaultmessage" : "Diese Aktion setzt eine Zwei-Faktor-Authentifizierung voraus. Bitte geben Sie die 6 Ziffern des Einmalpassworts von Ihrem 2FA-Token ein.",
           "preftokentype" : "OTP",
           "pirealm" : "${PI_REALM}",
           "pidolog" : "true",

diff --git a/automation/dbildungs-iam-keycloak/prod-realm-spsh.json b/automation/dbildungs-iam-keycloak/prod-realm-spsh.json
@@ -851,7 +851,7 @@
           "oidc.ciba.grant.enabled": "false",
           "client.secret.creation.time": "1727357679",
           "backchannel.logout.session.required": "true",
-          "jwt.credential.certificate": "MIICpzCCAY8CBgGSudz1xDANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxzcHNoLXNlcnZpY2UwHhcNMjQxMDIzMTQ1MDE4WhcNMzQxMDIzMTQ1MTU4WjAXMRUwEwYDVQQDDAxzcHNoLXNlcnZpY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4+xc3VFrYv+1A5Eoa+7firuYN/+3FwoLKSYAe68FQrPTDA27qyTdtPwbZfYe33lxREq7YgAF0T9qGVShXQrQqv+vvf0IDBdsTWd2UbEnJ02vj0CvDKV+1bFBWQt2Ead7MF6Wsw0HbK1tWMlvdZZl7YwypH8uHmXtGvdnnYNCLzJYPEWU4so6CPVAB89cTdspceYGg9HUnoWKv7IklAL/fJfJ/IWO/D/tEmPqM5taONuQmnwmYFhXMFAVRu32uixIYXNzr8Tw9w5naHIjENib83OtiqwidZrGbL7djNidIIs0XOzTxRlOzJ/+ajvUUQJLEQPEpjyd0QFEk2RshtcD9AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGsR/rbVu+Yf0rvYsfz59etjNoEtTq8l4jbDMChJRnanLHJvAxqHl0co1m+MbxTYB+l2cnqS6tpwea0LfKICXAamMScxe8dcq86DHV8RFOpWLszZgxFuPNplVxZxWde2AhwxCTz/wF2bPllJGc8mxJK0DJkuC50zh9yXQ6XFfwT9qTVAvqv3aEEKidmY3uDxRYFnzmLzqu7ac+Q3e/AWtP+PCQ+vmSJaSK4Uyn21wu3VN+1Gb8clPVI2pkNypSExq/OeS6g1BZy6Sng9mxG42602RLQj7QwK4GQHxYqMCEagf2W1OzC9pt+kGGg0JlN1kxeodiKLvU/Q8zWGCURWY30=",
+          "jwt.credential.certificate": "${KC_SERVICE_CLIENT_CERTIFICATE}",
           "oauth2.device.authorization.grant.enabled": "false",
           "display.on.consent.screen": "false",
           "backchannel.logout.revoke.offline.tokens": "false"
@@ -1282,6 +1282,72 @@
           "configure": true,
           "manage": true
         }
+      },
+      {
+        "id": "dd986a17-44c7-4ec9-87f6-addf1646ecf0",
+        "clientId": "${KC_SCHOOLSH_CLIENT_ID}",
+        "name": "School-SH",
+        "description": "",
+        "rootUrl": "${KC_SCHOOLSH_CLIENT_ROOT_URL}",
+        "adminUrl": "",
+        "baseUrl": "",
+        "surrogateAuthRequired": false,
+        "enabled": true,
+        "alwaysDisplayInConsole": false,
+        "clientAuthenticatorType": "client-secret",
+        "secret": "${KC_SCHOOLSH_CLIENT_SECRET}",
+        "redirectUris": [
+          "/cgi/samlauth"
+        ],
+        "webOrigins": [
+          "+"
+        ],
+        "notBefore": 0,
+        "bearerOnly": false,
+        "consentRequired": false,
+        "standardFlowEnabled": true,
+        "implicitFlowEnabled": false,
+        "directAccessGrantsEnabled": false,
+        "serviceAccountsEnabled": false,
+        "publicClient": false,
+        "frontchannelLogout": true,
+        "protocol": "saml",
+        "attributes": {
+          "saml.assertion.signature": "true",
+          "saml_assertion_consumer_url_redirect": "${KC_SCHOOLSH_CLIENT_ROOT_URL}/cgi/samlauth",
+          "saml_single_logout_service_url_post": "${KC_SCHOOLSH_CLIENT_ROOT_URL}/cgi/tmlogout",
+          "saml.force.post.binding": "true",
+          "saml.encrypt": "true",
+          "saml_assertion_consumer_url_post": "${KC_SCHOOLSH_CLIENT_ROOT_URL}/cgi/samlauth",
+          "saml.server.signature": "true",
+          "saml.server.signature.keyinfo.ext": "false",
+          "saml.signing.certificate": "${KC_SCHOOLSH_CLIENT_SIGNING_CERTIFICATE}",
+          "saml_single_logout_service_url_redirect": "${KC_SCHOOLSH_CLIENT_ROOT_URL}/cgi/tmlogout",
+          "saml.artifact.binding": "false",
+          "saml.signature.algorithm": "RSA_SHA256",
+          "saml_force_name_id_format": "false",
+          "saml.client.signature": "true",
+          "saml.encryption.certificate": "${KC_SCHOOLSH_CLIENT_ENCRYPTION_CERTIFICATE}",
+          "saml.authnstatement": "true",
+          "display.on.consent.screen": "false",
+          "saml_name_id_format": "username",
+          "saml.allow.ecp.flow": "false",
+          "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
+          "saml.onetimeuse.condition": "false",
+          "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "NONE"
+        },
+        "authenticationFlowBindingOverrides": {},
+        "fullScopeAllowed": true,
+        "nodeReRegistrationTimeout": -1,
+        "defaultClientScopes": [
+          "role_list"
+        ],
+        "optionalClientScopes": [],
+        "access": {
+          "view": true,
+          "configure": true,
+          "manage": true
+        }
       }
     ],
     "clientScopes": [
@@ -1963,12 +2029,27 @@
         },
         {
           "id": "d47622d7-8d04-4d38-b7f0-d80eb182f80d",
-          "name": "rsa-generated",
-          "providerId": "rsa-generated",
+          "name": "rsa",
+          "providerId": "rsa",
           "subComponents": {},
           "config": {
+            "privateKey": [
+              "${KC_RS256_PRIVATE_KEY}"
+            ],
+            "certificate": [
+              "${KC_RS256_CERTIFICATE}"
+            ],
+            "active": [
+              "true"
+            ],
+            "enabled": [
+              "true"
+            ],
             "priority": [
               "100"
+            ],
+            "algorithm": [
+              "RS256"
             ]
           }
         },
@@ -2654,7 +2735,7 @@
           "piservicepass" : "${PI_ADMIN_PASSWORD}",
           "piserver" : "${PI_BASE_URL}",
           "piserviceaccount" : "${PI_ADMIN_USER}",
-          "pidefaultmessage" : "Diese Aktion setzt eine Zwei-Faktor-Authentifizierung voraus. Bitte geben Sie das Einmalpasswort von Ihrem 2FA-Token ein.",
+          "pidefaultmessage" : "Diese Aktion setzt eine Zwei-Faktor-Authentifizierung voraus. Bitte geben Sie die 6 Ziffern des Einmalpassworts von Ihrem 2FA-Token ein.",
           "preftokentype" : "OTP",
           "pirealm" : "${PI_REALM}",
           "pidolog" : "true",

diff --git a/automation/dbildungs-iam-keycloak/templates/configmap.yaml b/automation/dbildungs-iam-keycloak/templates/configmap.yaml
@@ -11,5 +11,7 @@ data:
   KC_ROOT_URL: "https://{{ .Values.frontendHostname }}"
   KC_PROXY: "edge"
   KEYCLOAK_ADMIN: admin
+  KC_SCHOOLSH_CLIENT_ID: "{{ .Values.schoolsh.clientId }}"
+  KC_SCHOOLSH_CLIENT_ROOT_URL: "{{ .Values.schoolsh.rootUrl }}"
   KC_HTTP_MANAGEMENT_PORT: "8090"
   STATUS_URL: "{{ .Values.status.url }}"
diff --git a/automation/dbildungs-iam-keycloak/templates/deployment.yaml b/automation/dbildungs-iam-keycloak/templates/deployment.yaml
@@ -50,6 +50,8 @@ spec:
           env:
             - name: JAVA_OPTS_APPEND
               value: "-Djgroups.dns.query={{ template "common.names.name" . }}-headless.{{ template "common.names.namespace" . }}.svc.cluster.local"
+            - name: KC_HTTP_POOL_MAX_THREADS
+              value: "{{ .Values.threadPool }}"
             - name: KEYCLOAK_ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:
@@ -70,6 +72,16 @@ spec:
                 secretKeyRef:
                   name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
                   key: db-password
+            - name: KC_RS256_PRIVATE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: keycloak-rs256-privateKey
+            - name: KC_RS256_CERTIFICATE
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: keycloak-rs256-certificate
             - name: KC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
@@ -80,6 +92,11 @@ spec:
                 secretKeyRef:
                   name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
                   key: keycloak-adminSecret
+            - name: KC_SERVICE_CLIENT_CERTIFICATE
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: keycloak-serviceClientCertificate
             - name: KC_ITSLEARNING_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
@@ -127,6 +144,21 @@ spec:
                   key: keycloak-nextcloud-clientSecret
             - name: KC_DB_URL
               value: "jdbc:postgresql://$(DB_HOST)/$(DB_NAME)"
+            - name: KC_SCHOOLSH_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: keycloak-schoolsh-clientSecret
+            - name: KC_SCHOOLSH_CLIENT_SIGNING_CERTIFICATE
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: keycloak-schoolsh-signingCertificate
+            - name: KC_SCHOOLSH_CLIENT_ENCRYPTION_CERTIFICATE
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: keycloak-schoolsh-encryptionCertificate
             {{- if .Values.extraEnvVars }}
             {{ toYaml .Values.extraEnvVars | nindent 12 }}
             {{- end }}
@@ -146,4 +178,4 @@ spec:
             name: {{ .Values.realm.name }}
         {{- with .Values.extraVolumes }}
         {{- toYaml . | nindent 8 }}
-        {{- end }}
+        {{- end }}
diff --git a/automation/dbildungs-iam-keycloak/templates/ingress2nd.yaml b/automation/dbildungs-iam-keycloak/templates/ingress2nd.yaml
@@ -0,0 +1,29 @@
+{{if .Values.ingress.enabled2nd }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "common.names.name" . }}-2nd
+  namespace: {{ template "common.names.namespace" . }}
+  labels: 
+    {{- include "common.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  tls:
+    - hosts:
+        - {{ .Values.keycloak2ndHostname  }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  rules:
+    - host: {{ .Values.keycloak2ndHostname  }}
+      http:
+        paths:
+          - path: {{ .Values.ingress.path }}
+            pathType: {{ .Values.ingress.pathType }}
+            backend: 
+              service:
+                name: {{ template "common.names.name" . }}
+                port:
+                  number: {{ .Values.service.ports.http }}
+{{- end }}
diff --git a/automation/dbildungs-iam-keycloak/templates/keycloak-servicemonitor.yaml b/automation/dbildungs-iam-keycloak/templates/keycloak-servicemonitor.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.keycloak.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "common.names.name" . }}
+  namespace: {{ template "common.names.namespace" . }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+    app.kubernetes.io/component: keycloak
+spec:
+  namespaceSelector:
+    matchNames:
+      - {{ include "common.names.namespace" . | quote }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "common.names.name" . }}
+  endpoints:
+    - port: {{ .Values.keycloak.serviceMonitor.port }}
+      path: {{ .Values.keycloak.serviceMonitor.path }}
+      interval: {{ .Values.keycloak.serviceMonitor.interval | default "30s" }}
+{{- end }}