dbildungs-iam-server

automation/dbildungs-iam-server/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: SPSH-1529
+appVersion: SPSH-1034
 description: dBildungs-IAM-server
 name: dbildungs-iam-server
 type: application
-version: 0.0.0-spsh-1529-20241217-0730
+version: 0.0.0-spsh-1034-20241217-0746

automation/dbildungs-iam-server/config/config.json

@@ -33,8 +33,7 @@
   "LDAP": {
     "URL": "ldap://spsh-xxx.svc.cluster.local",
     "BIND_DN": "cn=admin,dc=schule-sh,dc=de",
-    "ADMIN_PASSWORD": "password",
-    "BASE_DN": "dc=schule-sh,dc=de"
+    "ADMIN_PASSWORD": "password"
   },
   "DATA": {
     "ROOT_ORGANISATION_ID": "d39cb7cf-2f9b-45f1-849f-973661f2f057"
@@ -82,5 +81,13 @@
     "RENAME_WAITING_TIME_IN_SECONDS": 3,
     "STEP_UP_TIMEOUT_ENABLED": "true",
     "STEP_UP_TIMEOUT_IN_SECONDS": 10
+  },
+  "VIDIS": {
+      "BASE_URL": "https://service-stage.vidis.schule",
+      "USERNAME": "",
+      "PASSWORD": "",
+      "REGION_NAME": "test-region",
+      "KEYCLOAK_GROUP": "VIDIS-service",
+      "KEYCLOAK_ROLE": "VIDIS-user"
   }
 }

automation/dbildungs-iam-server/cron/Dockerfile

@@ -1,5 +1,7 @@
 FROM alpine:3.19
 
+ENV LOG_FILE_PATH=/var/log/cron.log
+
 # Install necessary packages
 RUN apk update && \
     apk add --no-cache bash cronie jq openssl vim wget

automation/dbildungs-iam-server/cron/scripts/get_access_token.sh

@@ -53,13 +53,13 @@ elif [ -n "$JWKS_FILE_PATH" ] && [ -f "$JWKS_FILE_PATH" ]; then
   # JWKS_FILE_PATH is set, use the file
   jwks=$(cat "$JWKS_FILE_PATH")
 else
-  echo "Error: No JWKS environment variable or JWKS file found." >> /var/log/cron.log
+  echo "Error: No JWKS environment variable or JWKS file found." >> "${LOG_FILE_PATH}"
   exit 1
 fi
 
 # Check if environment variables are set
 if [[ -z "$clientId" || -z "$kc_token_url" || -z "$jwks" ]]; then
-    echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> /var/log/cron.log
+    echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> "${LOG_FILE_PATH}"
     exit 1
 fi
 
@@ -68,7 +68,7 @@ key_json=$(echo "$jwks" | jq -c '.keys[0]')
 
 # Check if key_json is empty
 if [[ -z "$key_json" ]]; then
-  echo "Error: No keys found in JWKS." >> /var/log/cron.log
+  echo "Error: No keys found in JWKS." >> "${LOG_FILE_PATH}"
   exit 1
 fi
 
@@ -110,14 +110,14 @@ dq=INTEGER:0x$dq_dec
 qi=INTEGER:0x$qi_dec
 EOF
 
-echo "Starting to generate PEM-formatted private key" >> /var/log/cron.log
+echo "Starting to generate PEM-formatted private key" >> "${LOG_FILE_PATH}"
 
 # Generate the PEM-formatted private key
 temp_key_file=$(mktemp)
 openssl asn1parse -genconf "$asn1_structure" -out "$temp_key_file" > /dev/null 2>&1
 openssl rsa -in "$temp_key_file" -inform DER -outform PEM -out "$temp_key_file.pem" > /dev/null 2>&1
 
-echo "Ending to generate PEM-formatted private key" >> /var/log/cron.log
+echo "Ending to generate PEM-formatted private key" >> "${LOG_FILE_PATH}"
 
 # Remove temporary files
 rm "$asn1_structure" "$temp_key_file"
@@ -146,14 +146,14 @@ payload_base64=$(base64url_encode "$payload")
 # Combine header and payload
 header_payload="$header_base64.$payload_base64"
 
-echo "Payload created" >> /var/log/cron.log
+echo "Payload created" >> "${LOG_FILE_PATH}"
 
 # Sign the JWT
 signature=$(echo -n "$header_payload" | \
   openssl dgst -sha256 -sign "$temp_key_file.pem" | \
   openssl enc -base64 -A | tr '+/' '-_' | tr -d '=')
 
-echo "Signed the JWT" >> /var/log/cron.log
+echo "Signed the JWT" >> "${LOG_FILE_PATH}"
 
 # Remove the temporary PEM key file
 rm "$temp_key_file.pem"
@@ -166,15 +166,15 @@ response=$(wget -qO- --post-data "grant_type=client_credentials&client_id=$clien
   --header "Content-Type: application/x-www-form-urlencoded" \
   "$kc_token_url")
 
-echo "Access token requested" >> /var/log/cron.log
+echo "Access token requested" >> "${LOG_FILE_PATH}"
 
 # Check if the response contains an access token
 if echo "$response" | grep -q '"access_token"'; then
   # Extract the access token from the response
   access_token=$(echo "$response" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
   echo "$access_token"
 else
-  echo "Failed to retrieve access token. Response:" >> /var/log/cron.log
-  echo "$response" >> /var/log/cron.log
+  echo "Failed to retrieve access token. Response:" >> "${LOG_FILE_PATH}"
+  echo "$response" >> "${LOG_FILE_PATH}"
   exit 1
 fi

automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl

@@ -91,4 +91,34 @@
               secretKeyRef:
                   name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
                   key: redis-password
+          - name: VIDIS_BASE_URL
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: vidis-base-url
+          - name: VIDIS_USERNAME
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: vidis-username
+          - name: VIDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: vidis-password
+          - name: VIDIS_REGION_NAME
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: vidis-region-name
+          - name: VIDIS_KEYCLOAK_GROUP
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: vidis-keycloak-group
+          - name: VIDIS_KEYCLOAK_ROLE
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: vidis-keycloak-role
 {{- end}}

automation/dbildungs-iam-server/templates/cronjob.yaml

@@ -8,6 +8,8 @@ metadata:
 spec:
   schedule: {{ $job_options.schedule }}
   startingDeadlineSeconds: 300
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
   jobTemplate:
     spec:
       backoffLimit: 0
@@ -22,10 +24,9 @@ spec:
             image: "{{ $.Values.cronjobs.image.repository }}:{{ $.Values.cronjobs.image.tag }}"
             imagePullPolicy: {{ $.Values.cronjobs.image.pullPolicy | default "Always"}}
             securityContext:
-              # not yet possible since we need to install some tools
-              # privileged: false
-              # runAsUser: 1000
-              # runAsNonRoot: true
+              privileged: false
+              runAsUser: 1000
+              runAsNonRoot: true
               capabilities:
                 drop:
                   - ALL
@@ -41,6 +42,8 @@ spec:
                   value: "https://{{ $.Values.backendHostname }}{{ $job_options.endpoint }}"
                 - name: HTTP_METHOD
                   value: "{{ $job_options.httpMethod }}"
+                - name: LOG_FILE_PATH
+                  value: "/tmp/log/cron.log"
             resources:
               limits:
                 memory: "128Mi"
@@ -52,11 +55,9 @@ spec:
               - "sh"
               - "-c"
               - |
-                  mkdir /scripts &&
-                  cp /scripts_tmp/*.sh /scripts/ &&
-                  chmod +x /scripts/*.sh &&
-                  touch /var/log/cron.log &&
-                  chmod 644 /var/log/cron.log &&
+                  mkdir /tmp/log/ &&
+                  touch /tmp/log/cron.log &&
+                  chmod 644 /tmp/log/cron.log &&
                   cd {{ $.Values.cronjobs.scriptDir }} &&
                   bash {{ $job_options.script }}
             volumeMounts:
@@ -65,7 +66,7 @@ spec:
                 subPath: jwks.json
                 readOnly: true
               - name: script-volume
-                mountPath: /scripts_tmp
+                mountPath: /scripts
                 readOnly: false
             ports:
             - containerPort: {{ $.Values.cronjobs.port }}
@@ -74,6 +75,7 @@ spec:
           - name: script-volume
             configMap:
               name: {{ template "common.names.name" $ }}-cronjob-scripts-configmap
+              defaultMode: 0555
           - name: secret-volume-jwks
             secret:
               secretName: dbildungs-iam-server

automation/dbildungs-iam-server/templates/secret.yaml

@@ -24,4 +24,10 @@ data:
   pi-user-realm: {{ .Values.auth.pi_user_realm }}
   secrets-json: {{ .Values.auth.secrets_json }}
   redis-password: {{ .Values.auth.redis_password }}
+  vidis-base-url: {{ .Values.auth.vidis_base_url }}
+  vidis-username: {{ .Values.auth.vidis_username }}
+  vidis-password: {{ .Values.auth.vidis_password }}
+  vidis-region-name: {{ .Values.auth.vidis_region_name }}
+  vidis-keycloak-group: {{ .Values.auth.vidis_keycloak_group }}
+  vidis-keycloak-role: {{ .Values.auth.vidis_keycloak_role }}
 {{- end }}

automation/dbildungs-iam-server/values.yaml

@@ -33,7 +33,6 @@ ldap:
   bindDN: cn=admin,dc=schule-sh,dc=de
   oeffentlicheSchulenDomain: schule-sh.de
   ersatzschulenDomain: ersatzschule-sh.de
-  base_dn: dc=schule-sh,dc=de
 
 itslearning:
   root: sh
@@ -59,6 +58,12 @@ auth:
   pi_user_resolver: ''
   pi_user_realm: ''
   redis_password: ''
+  vidis_base_url: ''
+  vidis_username: ''
+  vidis_password: ''
+  vidis_region_name: ''
+  vidis_keycloak_group: ''
+  vidis_keycloak_role: ''
 
 backend:
   replicaCount: 1
@@ -157,8 +162,8 @@ status:
 cronjobs:
   enabled: true
   image:
-    tag: DBP-1083-latest
-    repository: ghcr.io/hpi-schul-cloud/cron-tools
+    tag: '1.1.0'
+    repository: docker.io/schulcloud/cron-tools
     pullPolicy: IfNotPresent
   port: 5656
   keycloakTokenUrl: '/realms/SPSH/protocol/openid-connect/token'