Added keycloak complete overhaul

This commit is contained in:
GeorgeRaven
2025-09-04 22:47:46 +01:00
parent 7234aca835
commit 6f23b514d0
42 changed files with 45 additions and 349 deletions


@@ -4,6 +4,8 @@ metadata:
name: workflows
spec:
deletionPolicy: Delete
providerConfigRef:
name: owncloak
forProvider:
realmIdRef:
name: {{ .Values.oidc.realm }}


@@ -22,4 +22,4 @@ spec:
# needed by workflows
- flattened-roles
providerConfigRef:
name: default
name: owncloak
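Review bot: This client keeps `- flattened-roles` (`# needed by workflows`), yet elsewhere in this commit the `flattened-roles` ClientScope and its `flattened-mapper` (the mapper that emits the flat `roles` claim) are deleted outright, and unlike `groups` and `roles-in-all-tokens` no `own-flattened-roles` replacement appears in any visible hunk. If no replacement exists, the reference either fails to resolve or tokens are issued without the `roles` claim, and every application that authorizes on it (the same reference is kept for bytestash, gitea, grafana, chat, penpot and wikijs) changes behaviour — fail-closed where a role is required, fail-open where a missing claim is read as "no restrictions". Either recreate the scope and mapper under the `owncloak` provider, or remove the reference together with the `# needed by …` comment from each client so the intent is not misdocumented.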


@@ -10,7 +10,7 @@ keycloak:
existingSecret: postgres # containing `password` and `postgres-password`
ingress:
enabled: true
enabled: false
annotations:
cert-manager.io/cluster-issuer: letsencrypt-dns
traefik.ingress.kubernetes.io/router.middlewares: traefik-headers@kubernetescrd,auth-base-redirect@kubernetescrd


@@ -38,6 +38,6 @@ spec:
realm: {{ .Values.oidc.realm }}
baseUrl: {{ printf "https://auth.%s/realms/%s" .Values.environment.baseDomain .Values.oidc.realm }}
crossplane:
providerConfig: keycloak # the name of the crossplane provider config
providerConfig: owncloak # the name of the crossplane provider config
configmap:
name: oidc-urls


@@ -4,6 +4,8 @@ metadata:
name: bytestash
spec:
deletionPolicy: Delete
providerConfigRef:
name: owncloak
forProvider:
realmIdRef:
name: {{ .Values.oidc.realm }}


@@ -21,4 +21,4 @@ spec:
# needed by bytestash
- flattened-roles
providerConfigRef:
name: default
name: owncloak


@@ -1,16 +0,0 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: keycloak
namespace: crossplane
spec:
encryptedData:
credentials: 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
template:
metadata:
creationTimestamp: null
name: keycloak
namespace: crossplane
type: Opaque


@@ -1,16 +1,3 @@
# this is here for backwards compatibility
apiVersion: keycloak.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
name: default
spec:
credentials:
source: Secret
secretRef:
name: keycloak
namespace: crossplane
key: credentials
---
apiVersion: keycloak.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
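Review bot: Deleting the `default` ProviderConfig changes the failure mode of every Keycloak managed resource that omits `providerConfigRef`: Crossplane resolves an unset ref to a ProviderConfig literally named `default`, so such resources stop reconciling instead of silently using the old credentials. Several hunks in this commit add `providerConfigRef: owncloak` explicitly, but the `ClientScope` objects and the remaining `own-*` documents are cut off in their hunks, so it is worth grepping the chart for Keycloak resources that still omit the ref. The sealed `keycloak` credentials secret in `crossplane` is also removed in this commit, so the surviving `owncloak` ProviderConfig (whose spec starts after this hunk) must point at a different secret; replacing the dropped `# this is here for backwards compatibility` with a one-liner such as `# the "default" ProviderConfig was retired on purpose; every resource must set providerConfigRef: owncloak` would stop the next reader from re-adding it.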


@@ -4,6 +4,8 @@ metadata:
name: gitea
spec:
deletionPolicy: Delete
providerConfigRef:
name: owncloak
forProvider:
realmIdRef:
name: {{ .Values.oidc.realm }}


@@ -22,4 +22,4 @@ spec:
# needed by gitea
- flattened-roles
providerConfigRef:
name: default
name: owncloak


@@ -5,6 +5,8 @@ metadata:
spec:
# https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/keycloak/
deletionPolicy: Delete
providerConfigRef:
name: owncloak
forProvider:
realmIdRef:
name: {{ .Values.oidc.realm }}


@@ -21,4 +21,4 @@ spec:
# needed by grafana
- flattened-roles
providerConfigRef:
name: default
name: owncloak


@@ -38,6 +38,6 @@ spec:
realm: {{ .Values.oidc.realm }}
baseUrl: {{ printf "https://auth.%s/realms/%s" .Values.environment.baseDomain .Values.oidc.realm }}
crossplane:
providerConfig: keycloak # the name of the crossplane provider config
providerConfig: owncloak # the name of the crossplane provider config
configmap:
name: oidc-urls


@@ -3,26 +3,6 @@
# THIS SHOULD NOT BE USED TO MODIFY THE CLIENT
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
name: deepcypher-realm-management
spec:
deletionPolicy: Orphan
forProvider:
realmIdRef:
name: deepcypher
name: realm-management
clientId: realm-management
description: "Built-in realm management client"
managementPolicies:
- Observe
providerConfigRef:
name: default
---
# THIS IS A BUILT IN KEYCLOAK CLIENT
# THIS IS ONLY HERE TO TRACK / OBSERVE IT
# THIS SHOULD NOT BE USED TO MODIFY THE CLIENT
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
name: own-deepcypher-realm-management
spec:
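Review bot: The removed observe-only `Client` for `realm-management` was pinned with `managementPolicies: [Observe]` and `deletionPolicy: Orphan`, and the replacement `own-deepcypher-realm-management` spec begins at the end of the hunk, so neither setting can be verified here. Losing either would let Crossplane update or, on removal, delete Keycloak's built-in realm-management client — the client the `realm-admin` role hangs off — so please confirm both are carried over; the same applies to the observed `realm-admin` Role hunk. Keeping the three-line `# THIS IS A BUILT IN KEYCLOAK CLIENT …` warning directly above the `managementPolicies`/`deletionPolicy` lines it guards, rather than only at the top of the document, makes that invariant harder to break by accident.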


@@ -1,30 +1,5 @@
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
name: admin
spec:
deletionPolicy: Delete
forProvider:
realmId: deepcypher
name: admin
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Roles
metadata:
name: admin
spec:
forProvider:
realmId: deepcypher
groupIdRef:
name: admin
roleIdsRefs:
- name: admin
- name: deepcypher-realm-management-realm-admin
providerConfigRef:
name: default
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
name: own-admin
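Review bot: The removed `Roles` binding gave the `admin` group the built-in `realm-admin` client role via the observed `deepcypher-realm-management-realm-admin` object, i.e. full administrative control of the realm, and the replacement `own-admin` group's binding is not visible in this hunk. Since the observed role is renamed in its own hunk (its new name is also cut off), confirm the new `roleIdsRefs` points at the renamed object rather than the deleted one; a dangling ref leaves the binding unresolved, which locks the admin group out of realm administration without an obvious error on the group itself. A short comment on the binding, e.g. `# grants realm-admin on the built-in realm-management client — review any change here`, would flag this as the privileged mapping it is.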
spec:


@@ -1,17 +1,5 @@
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
name: george
spec:
deletionPolicy: Delete
forProvider:
realmId: deepcypher
name: george
attributes:
nextcloud-legacy-id: archer
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
name: own-george
spec:


@@ -2,35 +2,6 @@
# resource_access.<client_id>.roles
apiVersion: client.keycloak.crossplane.io/v1alpha1
kind: ProtocolMapper
metadata:
name: client-roles-in-all-tokens
spec:
forProvider:
realmIdRef:
name: deepcypher
clientScopeIdRef:
name: roles-in-all-tokens
name: client-roles-in-all-tokens
protocol: openid-connect
# to find the config keys see:
# https://github.com/keycloak/keycloak/blob/d089e23aef560f9d9ceb96490d68a64aa910b79b/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserClientRoleMappingMapper.java#L39
protocolMapper: oidc-usermodel-client-role-mapper
config:
id.token.claim: "true"
access.token.claim: "true"
userinfo.token.claim: "true"
lightweight.claim: "true"
introspection.token.claim: "true"
multivalued: "true"
claim.name: "resource_access.${client_id}.roles"
jsonType.label: "String"
providerConfigRef:
name: default
---
# this adds client roles to all tokens under the claim:
# resource_access.<client_id>.roles
apiVersion: client.keycloak.crossplane.io/v1alpha1
kind: ProtocolMapper
metadata:
name: own-client-roles-in-all-tokens
spec:


@@ -1,30 +0,0 @@
# see: https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v1.8.0/resources/client.keycloak.crossplane.io/ProtocolMapper/v1alpha1
# role mapper example
apiVersion: client.keycloak.crossplane.io/v1alpha1
kind: ProtocolMapper
metadata:
name: flattened-mapper
spec:
forProvider:
realmIdRef:
name: deepcypher
#clientId: grafana
clientScopeIdRef:
name: flattened-roles
name: flattened-mapper
protocol: openid-connect
protocolMapper: oidc-usermodel-realm-role-mapper
config:
# for available options:
# see: https://github.com/crossplane-contrib/provider-keycloak/issues/90
# and: https://github.com/keycloak/keycloak/blob/cc558b4090eb6707e269d9a581945a6424d0adbc/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserRealmRoleMappingMapper.java#L40
# which links to the OIDCAttributeMapperHelper at https://github.com/keycloak/keycloak/blob/cc558b4090eb6707e269d9a581945a6424d0adbc/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserRealmRoleMappingMapper.java#L61
# which then references: https://github.com/keycloak/keycloak/blob/cc558b4090eb6707e269d9a581945a6424d0adbc/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAttributeMapperHelper.java#L57
id.token.claim: "true"
access.token.claim: "true"
userinfo.token.claim: "true"
multivalued: "true"
claim.name: "roles"
jsonType.label: "String"
providerConfigRef:
name: default


@@ -1,28 +1,5 @@
apiVersion: client.keycloak.crossplane.io/v1alpha1
kind: ProtocolMapper
metadata:
name: groups
spec:
forProvider:
realmIdRef:
name: deepcypher
clientScopeIdRef:
name: groups
name: groups
protocol: openid-connect
# https://github.com/keycloak/keycloak/blob/cc558b4090eb6707e269d9a581945a6424d0adbc/services/src/main/java/org/keycloak/protocol/oidc/mappers/GroupMembershipMapper.java#L59C47-L59C75
protocolMapper: oidc-group-membership-mapper
config:
# https://github.com/keycloak/keycloak/blob/0aa14c19e11752898935c36ea7df55a0aa72a5aa/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAttributeMapperHelper.java#L52-L79
claim.name: "groups"
id.token.claim: "true"
access.token.claim: "true"
userinfo.token.claim: "true"
providerConfigRef:
name: default
---
apiVersion: client.keycloak.crossplane.io/v1alpha1
kind: ProtocolMapper
metadata:
name: own-groups
spec:


@@ -2,39 +2,6 @@
# role mapper example
apiVersion: client.keycloak.crossplane.io/v1alpha1
kind: ProtocolMapper
metadata:
name: nextcloud-legacy-id
spec:
forProvider:
realmIdRef:
name: deepcypher
#clientId: grafana
clientScopeIdRef:
name: nextcloud-legacy-id
name: nextcloud-legacy-id
protocol: openid-connect
# name comes from https://github.com/keycloak/keycloak/blob/cc558b4090eb6707e269d9a581945a6424d0adbc/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserAttributeMapper.java#L69
protocolMapper: oidc-usermodel-attribute-mapper
config:
# for available options:
# which links to the OIDCAttributeMapperHelper at https://github.com/keycloak/keycloak/blob/cc558b4090eb6707e269d9a581945a6424d0adbc/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserRealmRoleMappingMapper.java#L61
# which then references: https://github.com/keycloak/keycloak/blob/cc558b4090eb6707e269d9a581945a6424d0adbc/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAttributeMapperHelper.java#L57
id.token.claim: "true"
access.token.claim: "true"
userinfo.token.claim: "true"
user.attribute: "nextcloud-legacy-id"
#multivalued: "true"
claim.name: "nextcloud-legacy-id"
jsonType.label: "String"
providerConfigRef:
name: default
---
# see: https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v1.8.0/resources/client.keycloak.crossplane.io/ProtocolMapper/v1alpha1
# role mapper example
apiVersion: client.keycloak.crossplane.io/v1alpha1
kind: ProtocolMapper
metadata:
name: own-nextcloud-legacy-id
spec:


@@ -1,35 +1,5 @@
apiVersion: realm.keycloak.crossplane.io/v1alpha1
kind: Realm
metadata:
name: deepcypher
spec:
forProvider:
realm: deepcypher
registrationAllowed: false
# resetPasswordAllowed: true
rememberMe: true
verifyEmail: true
smtpServer:
- from: "noreply@smtp.deepcypher.me"
fromDisplayName: "DeepCypher ({{ .Values.environment.name }})"
host: "in-v3.mailjet.com"
port: "587" # chesterton fence its a string not an int
ssl: false
starttls: true
auth:
- username: "bf3439d38ac0407e26b6d150c0dc31b0"
passwordSecretRef:
name: smtp
namespace: auth
key: password
securityDefenses:
- bruteForceDetection:
- failureResetTimeSeconds: 500
maxLoginFailures: 5
waitIncrementSeconds: 500
---
apiVersion: realm.keycloak.crossplane.io/v1alpha1
kind: Realm
metadata:
name: owncloak-deepcypher
spec:
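Review bot: The removed realm carried the realm-level hardening — `registrationAllowed: false`, `verifyEmail: true` and `securityDefenses.bruteForceDetection` (5 failures, 500 s wait/reset) — and the replacement `owncloak-deepcypher` spec starts after this hunk, so none of these can be confirmed as carried over; Keycloak ships with brute-force detection off, so a realm created without that block has no lockout at all. The `smtpServer` block is also gone together with the sealed `smtp` secret in `auth` (deleted in this commit), so if email verification or password reset are still expected to work the new realm needs an equivalent SMTP block with a secret in a namespace the provider can read. Separately, the old SMTP `username` is an API-key-style identifier committed in plaintext; it is not the secret half, but it has lived in git history and should be treated as public if the key pair is rotated.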


@@ -7,8 +7,8 @@ metadata:
namespace: keycloak
spec:
encryptedData:
password: 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
username: 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
password: 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
username: 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
template:
metadata:
creationTimestamp: null


@@ -1,17 +0,0 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: smtp
namespace: auth
spec:
encryptedData:
password: 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
username: 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
template:
metadata:
creationTimestamp: null
name: smtp
namespace: auth
type: kubernetes.io/basic-auth


@@ -1,17 +1,5 @@
apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
name: admin
spec:
forProvider:
realmId: deepcypher
name: admin
description: Administrator for all deepcypher applications.
providerConfigRef:
name: default
---
apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
name: own-admin
spec:


@@ -3,28 +3,6 @@
# THIS SHOULD NOT BE USED TO MODIFY THE ROLE
apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
annotations:
# Here we reference the role by "<realm>/<role_name>"
#crossplane.io/external-name: deepcypher/realm-management/realm-admin
name: deepcypher-realm-management-realm-admin
spec:
deletionPolicy: Orphan
forProvider:
realmId: deepcypher
name: realm-admin
clientIdRef:
name: deepcypher-realm-management
managementPolicies:
- Observe
providerConfigRef:
name: default
---
# THIS IS A BUILT IN KEYCLOAK ROLE
# THIS IS ONLY HERE TO TRACK / OBSERVE IT
# THIS SHOULD NOT BE USED TO MODIFY THE ROLE
apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
annotations:
# Here we reference the role by "<realm>/<role_name>"


@@ -1,17 +1,5 @@
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientScope
metadata:
name: groups
spec:
deletionPolicy: Delete
forProvider:
realmIdRef:
name: deepcypher
name: groups
description: "Group membership list scope"
---
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientScope
metadata:
name: own-groups
spec:


@@ -1,17 +1,5 @@
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientScope
metadata:
name: nextcloud-legacy-id
spec:
deletionPolicy: Delete
forProvider:
realmIdRef:
name: deepcypher
name: nextcloud-legacy-id
description: "Legacy scope to allow old clients to present legacy user ID to nextcloud"
---
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientScope
metadata:
name: own-nextcloud-legacy-id
spec:


@@ -1,11 +0,0 @@
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientScope
metadata:
name: flattened-roles
spec:
deletionPolicy: Delete
forProvider:
realmIdRef:
name: deepcypher
name: flattened-roles
description: "Scope that maps roles to a consolidated roles list"


@@ -1,17 +1,5 @@
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientScope
metadata:
name: roles-in-all-tokens
spec:
deletionPolicy: Delete
forProvider:
realmIdRef:
name: deepcypher
name: roles-in-all-tokens
description: "Role membership list scope in all tokens"
---
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientScope
metadata:
name: own-roles-in-all-tokens
spec:


@@ -4,13 +4,13 @@ kind: SealedSecret
metadata:
creationTimestamp: null
name: george
namespace: auth
namespace: keycloak
spec:
encryptedData:
password: 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
password: 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
template:
metadata:
creationTimestamp: null
name: george
namespace: auth
namespace: keycloak
type: Opaque


@@ -13,13 +13,13 @@ spec:
valueSecretRef:
key: password
name: george
namespace: auth
namespace: keycloak
# better to set as group as it's easier to gitops
# as there is no realm > unmanaged attributes option in CRD
# attributes:
# nextcloud-legacy-id: archer
providerConfigRef:
name: default
name: owncloak
---
apiVersion: user.keycloak.crossplane.io/v1alpha1
kind: Groups
@@ -34,4 +34,4 @@ spec:
userIdRef:
name: george
providerConfigRef:
name: default
name: owncloak


@@ -112,11 +112,18 @@ keycloak:
cert-manager.io/cluster-issuer: letsencrypt-dns
traefik.ingress.kubernetes.io/router.middlewares: traefik-headers@kubernetescrd # ,auth-base-redirect@kubernetescrd
hosts:
- host: auth.deepcypher.me
paths:
- path: /
pathType: ImplementationSpecific
- host: keycloak.deepcypher.me
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: auth.deepcypher.me-tls
hosts:
- auth.deepcypher.me
- secretName: keycloak.deepcypher.me-tls
hosts:
- keycloak.deepcypher.me
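Review bot: Adding `keycloak.deepcypher.me` as a second ingress host exposes the same Keycloak instance under two origins while every client in this commit pins the issuer to `https://auth.<baseDomain>/realms/<realm>`; unless the chart sets Keycloak's hostname (`KC_HOSTNAME` / `hostname-strict`) to `auth.deepcypher.me` — not visible in this hunk — requests arriving on the new host get an `iss`, discovery document and redirect URLs built from that host, which issuer-validating OIDC clients will reject, and on an unpinned setup those URLs become Host-header-controlled. The `auth-base-redirect@kubernetescrd` middleware is also left commented out on this ingress, so whatever redirect it enforced now applies to neither host. Suggest pinning the hostname and adding a comment above `- host: keycloak.deepcypher.me` stating what the second host is for (admin console? migration?), or dropping it if it is only transitional.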


@@ -88,6 +88,8 @@ spec:
validRedirectUris: ${schema.spec.client.validRedirectUris}
validPostLogoutRedirectUris: ${schema.spec.client.validPostLogoutRedirectUris}
webOrigins: ${schema.spec.client.webOrigins}
providerConfigRef:
name: ${schema.spec.crossplane.providerConfig}
- id: scopes
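Review bot: The `providerConfigRef` is added only to the client template; the next template, `- id: scopes`, begins at the end of this hunk, and any template in this composition that still omits the ref resolves to the `default` ProviderConfig, which this commit deletes. Please check the scopes (and any mapper) templates also carry `providerConfigRef: {name: ${schema.spec.crossplane.providerConfig}}`; otherwise the client is created under `owncloak` while its scopes never reconcile, yielding a working login whose tokens lack the `groups`/`roles` claims the applications authorize on.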
template:


@@ -7,6 +7,8 @@ metadata:
spec:
# https://nextcloud.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/keycloak/
deletionPolicy: Delete
providerConfigRef:
name: owncloak
forProvider:
realmIdRef:
name: {{ .Values.oidc.realm }}
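Review bot: The documentation link above `deletionPolicy` is the Grafana Keycloak guide URL with the domain swapped to `nextcloud.com`, so it points at a page that does not exist; the chat and penpot client hunks carry the same copy-pasted comment with their own domains. Replace it with the guide that was actually followed for this client, or drop the line so readers are not sent to a dead URL.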


@@ -24,4 +24,4 @@ spec:
# https://help.nextcloud.com/t/mapping-users-from-openid-to-existing-users/203542/5
- nextcloud-legacy-id
providerConfigRef:
name: default
name: owncloak


@@ -5,6 +5,8 @@ metadata:
spec:
# https://chat.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/keycloak/
deletionPolicy: Delete
providerConfigRef:
name: owncloak
forProvider:
realmIdRef:
name: {{ .Values.oidc.realm }}


@@ -21,4 +21,4 @@ spec:
# needed by chat
- flattened-roles
providerConfigRef:
name: default
name: owncloak


@@ -41,6 +41,6 @@ spec:
realm: {{ .Values.oidc.realm }}
baseUrl: {{ printf "https://auth.%s/realms/%s" .Values.environment.baseDomain .Values.oidc.realm }}
crossplane:
providerConfig: keycloak # the name of the crossplane provider config
providerConfig: owncloak # the name of the crossplane provider config
configmap:
name: oidc-urls


@@ -5,6 +5,8 @@ metadata:
spec:
# https://penpot.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/keycloak/
deletionPolicy: Delete
providerConfigRef:
name: owncloak
forProvider:
realmIdRef:
name: {{ .Values.oidc.realm }}


@@ -22,4 +22,4 @@ spec:
- groups # OIDC scope to get groups from realm roles like admin etc
- flattened-roles
providerConfigRef:
name: default
name: owncloak


@@ -4,6 +4,8 @@ metadata:
name: wikijs
spec:
deletionPolicy: Delete
providerConfigRef:
name: owncloak
forProvider:
realmIdRef:
name: {{ .Values.oidc.realm }}


@@ -22,4 +22,4 @@ spec:
# needed by wikijs
- flattened-roles
providerConfigRef:
name: default
name: owncloak