From 86f72646149723e729f50391464ad3fbeb2782b4 Mon Sep 17 00:00:00 2001
From: Helmut Hutzler <helmut.hutzler@th-nuernberg.de>
Date: Wed, 2 Nov 2022 13:50:58 +0000
Subject: [PATCH] New Keycloak Export File

---
 Keycloak/install-keycloak.sh          |   1 +
 Keycloak/ir-keycloak.yaml             |  25 +++--
 Keycloak/realm-config/RBAC-realm.json | 131 +++++++++++++++++---------
 Traefik/traefik-chart-values.yaml     |  15 ++-
 4 files changed, 116 insertions(+), 56 deletions(-)

diff --git a/Keycloak/install-keycloak.sh b/Keycloak/install-keycloak.sh
index 1e0f8d6..cc0b6ee 100755
--- a/Keycloak/install-keycloak.sh
+++ b/Keycloak/install-keycloak.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+#
 if [ -z "$2" ]; then
         echo "Error : Missing FQN for  Ingress-Host parameter or namespace "
         echo "Sample: $0 kube-master-h1.informatik.fh-nuernberg.de testing"
diff --git a/Keycloak/ir-keycloak.yaml b/Keycloak/ir-keycloak.yaml
index 565b324..98fff22 100644
--- a/Keycloak/ir-keycloak.yaml
+++ b/Keycloak/ir-keycloak.yaml
@@ -1,14 +1,4 @@
 apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: oidc-app-strip-path-prefix
-spec:
-  stripPrefix:
-    prefixes:
-      - /auth
-      - /nginx-blue
----
-apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: ingressroute-oidc-app
@@ -23,3 +13,18 @@ spec:
     services:
     - name: keycloak-oidc-service
       port: 8285
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ingressroute-oidc-app-web
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`_INGRESS_HOST_`) && PathPrefix(`/auth/`)
+    kind: Rule
+    services:
+    - name: keycloak-oidc-service
+      port: 8285
+
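Review bot: The new `ingressroute-oidc-app-web` route publishes Keycloak's `/auth/` paths on the plain-HTTP `web` entry point, so login forms, authorization codes and tokens can cross the wire unencrypted unless something else forces TLS; give this route a `redirectScheme` middleware (or a global HTTP-to-HTTPS redirect on the `web` entry point) so the `web` route only ever answers with a redirect. Because the same commit removes the `stripPrefix` middleware for `/auth`, Keycloak 19 now sees the `/auth/` prefix unstripped and will only serve it if its relative path matches (`KC_HTTP_RELATIVE_PATH=/auth` in the Keycloak deployment, presumably set elsewhere — worth confirming). The extra blank line added at the end of the file is also unneeded.
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-to-https
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# … unchanged: ingressroute-oidc-app-web apiVersion/kind/metadata/entryPoints …
  routes:
  - match: Host(`_INGRESS_HOST_`) && PathPrefix(`/auth/`)
    kind: Rule
    middlewares:
    - name: redirect-to-https
    # … unchanged: services …
```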
diff --git a/Keycloak/realm-config/RBAC-realm.json b/Keycloak/realm-config/RBAC-realm.json
index d52cfbd..20a9b8a 100644
--- a/Keycloak/realm-config/RBAC-realm.json
+++ b/Keycloak/realm-config/RBAC-realm.json
@@ -595,6 +595,26 @@
     "realmRoles" : [ "default-roles-rbac" ],
     "notBefore" : 0,
     "groups" : [ ]
+  }, {
+    "id" : "47306207-e2b8-4ccf-b659-5995dfbd56ed",
+    "createdTimestamp" : 1666946160220,
+    "username" : "xx",
+    "enabled" : false,
+    "totp" : false,
+    "emailVerified" : false,
+    "email" : "xx@yy",
+    "credentials" : [ {
+      "id" : "628324da-d638-4988-8aa8-cbb8ac15b427",
+      "type" : "password",
+      "createdDate" : 1666946160313,
+      "secretData" : "{\"value\":\"AW5lcA7oqlXka6rrdXsh5NJ8pEIGEYI5rrbCPhLuVev4yrYSXw6HZSN+sKusfJ/zxqj1oqUGP1ZreGqW4fYH3Q==\",\"salt\":\"0AexX99D5Z4+Me390CZliA==\",\"additionalParameters\":{}}",
+      "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+    } ],
+    "disableableCredentialTypes" : [ ],
+    "requiredActions" : [ ],
+    "realmRoles" : [ "default-roles-rbac" ],
+    "notBefore" : 0,
+    "groups" : [ ]
   } ],
   "scopeMappings" : [ {
     "clientScope" : "offline_access",
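Review bot: The added user `xx` carries a complete password credential (`secretData` with hash and salt, `credentialData` with the PBKDF2 parameters) inside a realm export that is committed to version control, so the hash is available for offline guessing to anyone with repository access even though the account is `"enabled" : false`. Drop the user object from the exported realm (export without users, or strip this entry before committing) and create any test users at import time through the admin API; if a placeholder must remain, keep `"credentials" : [ ]` and let the install script set a temporary password. The `"email" : "xx@yy"` value also reads as a placeholder that should not ship in the realm definition.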
@@ -628,7 +648,9 @@
     "publicClient" : true,
     "frontchannelLogout" : false,
     "protocol" : "openid-connect",
-    "attributes" : { },
+    "attributes" : {
+      "post.logout.redirect.uris" : "+"
+    },
     "authenticationFlowBindingOverrides" : { },
     "fullScopeAllowed" : false,
     "nodeReRegistrationTimeout" : 0,
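Review bot: `"post.logout.redirect.uris" : "+"` is added here and in the hunks at `@@ -657`, `@@ -692`, `@@ -723`, `@@ -789`, `@@ -1014`, `@@ -1040` and `@@ -1069`, which tells Keycloak to accept every configured redirect URI as a `post_logout_redirect_uri`; on clients whose `redirectUris` end in `/*` that is a broad allow-list for where a logout may send the browser. Prefer an explicit logout landing page per client, e.g. `"post.logout.redirect.uris" : "https://<host-placeholder>/<app-path-placeholder>/logged-out"`, and keep `"+"` only for clients whose redirect URIs are already exact.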
@@ -657,6 +679,7 @@
     "frontchannelLogout" : false,
     "protocol" : "openid-connect",
     "attributes" : {
+      "post.logout.redirect.uris" : "+",
       "pkce.code.challenge.method" : "S256"
     },
     "authenticationFlowBindingOverrides" : { },
@@ -692,7 +715,9 @@
     "publicClient" : true,
     "frontchannelLogout" : false,
     "protocol" : "openid-connect",
-    "attributes" : { },
+    "attributes" : {
+      "post.logout.redirect.uris" : "+"
+    },
     "authenticationFlowBindingOverrides" : { },
     "fullScopeAllowed" : false,
     "nodeReRegistrationTimeout" : 0,
@@ -701,11 +726,16 @@
   }, {
     "id" : "1a427460-6954-4f38-8029-e7d08a31174d",
     "clientId" : "angular-frontend",
+    "name" : "",
+    "description" : "",
+    "rootUrl" : "",
+    "adminUrl" : "",
+    "baseUrl" : "",
     "surrogateAuthRequired" : false,
     "enabled" : true,
     "alwaysDisplayInConsole" : false,
     "clientAuthenticatorType" : "client-secret",
-    "redirectUris" : [ "http://localhost:4200/*" ],
+    "redirectUris" : [ "http://localhost:4200/*", "https://kube-master-h1.informatik.fh-nuernberg.de/*" ],
     "webOrigins" : [ "+" ],
     "notBefore" : 0,
     "bearerOnly" : false,
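Review bot: The new redirect URI `https://kube-master-h1.informatik.fh-nuernberg.de/*` is a wildcard on the root of the host, so any path on it — Keycloak's own `/auth/` and any other application served there — is an acceptable `redirect_uri` for `angular-frontend`; narrow it to the frontend's own path, e.g. `"https://kube-master-h1.informatik.fh-nuernberg.de/<app-path-placeholder>/*"`, and the `app-client` hunk at `@@ -764,13 +795,17 @@` has the same root wildcard. Keeping `http://localhost:4200/*` alongside a real host also deserves an explicit decision (dev-only realm or not). The empty `name`/`description`/`rootUrl`/`adminUrl`/`baseUrl` strings look like export defaults rather than intended configuration and could be left out.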
@@ -723,6 +753,7 @@
       "saml.force.post.binding" : "false",
       "saml.multivalued.roles" : "false",
       "saml.encrypt" : "false",
+      "post.logout.redirect.uris" : "+",
       "oauth2.device.authorization.grant.enabled" : "false",
       "backchannel.logout.revoke.offline.tokens" : "false",
       "saml.server.signature" : "false",
@@ -764,13 +795,17 @@
   }, {
     "id" : "4ab5dce7-e7ac-4e1f-8336-738c9dc3dc00",
     "clientId" : "app-client",
-    "baseUrl" : "http://localhost:4200",
+    "name" : "",
+    "description" : "",
+    "rootUrl" : "",
+    "adminUrl" : "",
+    "baseUrl" : "https://kube-master-h1.informatik.fh-nuernberg.de/",
     "surrogateAuthRequired" : false,
     "enabled" : true,
     "alwaysDisplayInConsole" : false,
     "clientAuthenticatorType" : "client-secret",
     "secret" : "0a32b2ad-7b58-4c5b-bffe-7d3673fe70a3",
-    "redirectUris" : [ "http://localhost:4200/*" ],
+    "redirectUris" : [ "https://kube-master-h1.informatik.fh-nuernberg.de/*" ],
     "webOrigins" : [ "*" ],
     "notBefore" : 0,
     "bearerOnly" : false,
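Review bot: `app-client` is now pointed at the cluster host while its confidential-client `secret` stays as a literal in the committed export (the context line `"secret" : "0a32b2ad-…"`), so the credential that guards this client's token-endpoint calls lives in repository history; substitute a placeholder that the install script fills in, the way `_INGRESS_HOST_` is handled for the IngressRoute, or regenerate the secret after import and treat the exported value as revoked. `"webOrigins" : [ "*" ]` together with the root-wildcard `redirectUris` also lets any origin make CORS requests as this client — tighten it to the frontend's origin.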
@@ -789,6 +824,7 @@
       "saml.force.post.binding" : "false",
       "saml.multivalued.roles" : "false",
       "saml.encrypt" : "false",
+      "post.logout.redirect.uris" : "+",
       "oauth2.device.authorization.grant.enabled" : "false",
       "backchannel.logout.revoke.offline.tokens" : "false",
       "saml.server.signature" : "false",
@@ -859,20 +895,18 @@
       "allowRemoteResourceManagement" : true,
       "policyEnforcementMode" : "ENFORCING",
       "resources" : [ {
-        "name" : "res:accounts",
+        "name" : "Default Resource",
+        "type" : "urn:app-client:resources:default",
         "ownerManagedAccess" : false,
         "attributes" : { },
-        "_id" : "c353cbb2-3460-4852-953f-605ab5c3a4be",
-        "uris" : [ "/accounts" ],
-        "scopes" : [ {
-          "name" : "scopes:viewall"
-        } ]
+        "_id" : "4027b953-2868-499d-9d8c-b133badb96d6",
+        "uris" : [ "/*" ]
       }, {
         "name" : "res:account",
         "ownerManagedAccess" : false,
         "attributes" : { },
         "_id" : "dcf3dbb7-3adf-4925-9a8c-853b420703ab",
-        "uris" : [ "/account/{id}", "/account", "/account/enable/{id}", "/account/disable/{id}" ],
+        "uris" : [ "/api/account/{id}", "/api/account/enable/{id}", "/api/account", "/api/account/disable/{id}" ],
         "scopes" : [ {
           "name" : "scopes:view"
         }, {
@@ -883,14 +917,18 @@
           "name" : "scopes:nogo"
         }, {
           "name" : "scopes:manage"
-        } ]
+        } ],
+        "icon_uri" : ""
       }, {
-        "name" : "Default Resource",
-        "type" : "urn:app-client:resources:default",
+        "name" : "res:accounts",
         "ownerManagedAccess" : false,
         "attributes" : { },
-        "_id" : "4027b953-2868-499d-9d8c-b133badb96d6",
-        "uris" : [ "/*" ]
+        "_id" : "c353cbb2-3460-4852-953f-605ab5c3a4be",
+        "uris" : [ "/api/accounts" ],
+        "scopes" : [ {
+          "name" : "scopes:viewall"
+        } ],
+        "icon_uri" : ""
       } ],
       "policies" : [ {
         "id" : "8843ffc6-d01b-4203-8e58-c9c00e66e283",
@@ -1014,7 +1052,9 @@
     "publicClient" : false,
     "frontchannelLogout" : false,
     "protocol" : "openid-connect",
-    "attributes" : { },
+    "attributes" : {
+      "post.logout.redirect.uris" : "+"
+    },
     "authenticationFlowBindingOverrides" : { },
     "fullScopeAllowed" : false,
     "nodeReRegistrationTimeout" : 0,
@@ -1040,7 +1080,9 @@
     "publicClient" : false,
     "frontchannelLogout" : false,
     "protocol" : "openid-connect",
-    "attributes" : { },
+    "attributes" : {
+      "post.logout.redirect.uris" : "+"
+    },
     "authenticationFlowBindingOverrides" : { },
     "fullScopeAllowed" : false,
     "nodeReRegistrationTimeout" : 0,
@@ -1069,6 +1111,7 @@
     "frontchannelLogout" : false,
     "protocol" : "openid-connect",
     "attributes" : {
+      "post.logout.redirect.uris" : "+",
       "pkce.code.challenge.method" : "S256"
     },
     "authenticationFlowBindingOverrides" : { },
@@ -1645,7 +1688,7 @@
       "subType" : "anonymous",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-attribute-mapper", "saml-user-attribute-mapper", "saml-role-list-mapper", "oidc-address-mapper", "oidc-usermodel-property-mapper", "saml-user-property-mapper" ]
+        "allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "oidc-address-mapper", "oidc-full-name-mapper", "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper" ]
       }
     }, {
       "id" : "376a316e-e09c-4afb-b75d-d48c3e1a1af3",
@@ -1670,7 +1713,7 @@
       "subType" : "authenticated",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-property-mapper", "saml-role-list-mapper", "oidc-full-name-mapper", "saml-user-attribute-mapper", "oidc-address-mapper", "oidc-usermodel-attribute-mapper" ]
+        "allowed-protocol-mapper-types" : [ "oidc-full-name-mapper", "saml-user-attribute-mapper", "saml-role-list-mapper", "oidc-usermodel-property-mapper", "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-address-mapper", "saml-user-property-mapper" ]
       }
     } ],
     "org.keycloak.userprofile.UserProfileProvider" : [ {
@@ -1727,7 +1770,7 @@
   "internationalizationEnabled" : false,
   "supportedLocales" : [ ],
   "authenticationFlows" : [ {
-    "id" : "f7a0829c-84d1-4f5d-891b-438ff6b100cf",
+    "id" : "cee6b854-66b4-4a8d-8d8a-d47177e017ca",
     "alias" : "Account verification options",
     "description" : "Method with which to verity the existing account",
     "providerId" : "basic-flow",
@@ -1749,7 +1792,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "2c04930e-51db-435f-b359-81d8a8d998b3",
+    "id" : "42979306-8ca7-429d-9a32-8439d7b9301a",
     "alias" : "Authentication Options",
     "description" : "Authentication options.",
     "providerId" : "basic-flow",
@@ -1778,7 +1821,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "fb8ac2a4-2a67-4369-b5ba-862ba363c582",
+    "id" : "2626d242-ab3d-47a4-9895-ea87669cb41a",
     "alias" : "Browser - Conditional OTP",
     "description" : "Flow to determine if the OTP is required for the authentication",
     "providerId" : "basic-flow",
@@ -1800,7 +1843,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "a385b148-84c7-49c6-90c8-976935908a8e",
+    "id" : "7fa6a82f-e767-40be-bf2b-a90b2ef8f258",
     "alias" : "Direct Grant - Conditional OTP",
     "description" : "Flow to determine if the OTP is required for the authentication",
     "providerId" : "basic-flow",
@@ -1822,7 +1865,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "51879e4a-7597-4736-b484-ac6c1fbed64a",
+    "id" : "c960ed1b-7134-4159-8813-09c692bd6cba",
     "alias" : "First broker login - Conditional OTP",
     "description" : "Flow to determine if the OTP is required for the authentication",
     "providerId" : "basic-flow",
@@ -1844,7 +1887,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "33794774-51b4-4794-af28-41368499a7f1",
+    "id" : "d33fdcad-b7ab-4fd7-98ea-19fe23c41755",
     "alias" : "Handle Existing Account",
     "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider",
     "providerId" : "basic-flow",
@@ -1866,7 +1909,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "9ec82261-37db-4b1c-a7c5-aa499a9f1391",
+    "id" : "b4327d70-bd57-44f1-a9d6-e3d35f3e999f",
     "alias" : "Reset - Conditional OTP",
     "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
     "providerId" : "basic-flow",
@@ -1888,7 +1931,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "4f1e0bd6-0b2e-42c4-9d70-0f4a3673b066",
+    "id" : "e0872611-90b8-467c-887b-09cbe323b918",
     "alias" : "User creation or linking",
     "description" : "Flow for the existing/non-existing user alternatives",
     "providerId" : "basic-flow",
@@ -1911,7 +1954,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "0ec96170-56fc-450e-b00d-30836f5133a9",
+    "id" : "c96cfcfc-724a-4e7b-bc2e-0154714d2444",
     "alias" : "Verify Existing Account by Re-authentication",
     "description" : "Reauthentication of existing account",
     "providerId" : "basic-flow",
@@ -1933,7 +1976,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "67b8f5d0-a22b-4991-8987-3ed49242c9e3",
+    "id" : "ce810ab6-64d7-4d0b-9ae4-5390deaf1690",
     "alias" : "browser",
     "description" : "browser based authentication",
     "providerId" : "basic-flow",
@@ -1969,7 +2012,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "23c77dba-808f-4030-b3b7-7bd3597a513a",
+    "id" : "829d3d2f-84f0-4c1c-b763-3b77930bd366",
     "alias" : "clients",
     "description" : "Base authentication for clients",
     "providerId" : "client-flow",
@@ -2005,7 +2048,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "e26d8ff3-c2fb-4dd0-aa26-a9f87a00c2c9",
+    "id" : "b82cef66-20f5-4ac3-bf28-2ab2aa6ebc8e",
     "alias" : "direct grant",
     "description" : "OpenID Connect Resource Owner Grant",
     "providerId" : "basic-flow",
@@ -2034,7 +2077,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "3cee69a0-70c3-4bf9-966b-ee61e99910a3",
+    "id" : "de5f4642-88cd-48b2-9bbe-4d649c7df8ef",
     "alias" : "docker auth",
     "description" : "Used by Docker clients to authenticate against the IDP",
     "providerId" : "basic-flow",
@@ -2049,7 +2092,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "b4e626d0-44d6-427e-b4e2-7c58a0578d7c",
+    "id" : "bb929cea-2c22-473e-9ddb-8a17cc5f342f",
     "alias" : "first broker login",
     "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
     "providerId" : "basic-flow",
@@ -2072,7 +2115,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "a55542b2-9506-42aa-8562-4c5d6fa37df8",
+    "id" : "b466135e-165a-4837-9b84-e74c41c2888a",
     "alias" : "forms",
     "description" : "Username, password, otp and other auth forms.",
     "providerId" : "basic-flow",
@@ -2094,7 +2137,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "dbf57890-d4ce-493c-a5b2-85ee89712f8f",
+    "id" : "9e131f65-d8fc-4f97-8124-67fb3946ad56",
     "alias" : "http challenge",
     "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes",
     "providerId" : "basic-flow",
@@ -2116,7 +2159,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "c00e7d9c-4805-4309-a6b1-da1e22f1762d",
+    "id" : "d8398324-fb99-4682-9ce9-ec465388e09c",
     "alias" : "registration",
     "description" : "registration flow",
     "providerId" : "basic-flow",
@@ -2132,7 +2175,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "2146fd4c-eb77-4adb-bb83-33657441ddd9",
+    "id" : "c2aa10dc-a6d1-4f8d-9736-6f18096c1217",
     "alias" : "registration form",
     "description" : "registration form",
     "providerId" : "form-flow",
@@ -2168,7 +2211,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "ad172e93-d2cc-4a67-99a0-ae743f55accc",
+    "id" : "57b6ba24-23d1-4578-a9f2-9281138616a5",
     "alias" : "reset credentials",
     "description" : "Reset credentials for a user if they forgot their password or something",
     "providerId" : "basic-flow",
@@ -2204,7 +2247,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "7029b8c6-5dc1-4671-8e35-f68d07bc101a",
+    "id" : "73a06ef5-f7bb-4438-af9a-8f5b1262b0fd",
     "alias" : "saml ecp",
     "description" : "SAML ECP Profile Authentication Flow",
     "providerId" : "basic-flow",
@@ -2220,13 +2263,13 @@
     } ]
   } ],
   "authenticatorConfig" : [ {
-    "id" : "f80f26f6-4a81-4585-912d-ae9d3218b89b",
+    "id" : "3feaa9b5-6c6a-4608-91bb-3e10a5cc7bbc",
     "alias" : "create unique user config",
     "config" : {
       "require.password.update.after.registration" : "false"
     }
   }, {
-    "id" : "8cc00534-c1d2-4e3e-8b89-99c507be2318",
+    "id" : "3dedfe8f-8c3e-463e-8bd4-74b9ff4a969e",
     "alias" : "review profile config",
     "config" : {
       "update.profile.on.first.login" : "missing"
@@ -2309,7 +2352,7 @@
     "clientOfflineSessionIdleTimeout" : "0",
     "cibaInterval" : "5"
   },
-  "keycloakVersion" : "18.0.0",
+  "keycloakVersion" : "19.0.3",
   "userManagedAccessAllowed" : true,
   "clientProfiles" : {
     "profiles" : [ ]
diff --git a/Traefik/traefik-chart-values.yaml b/Traefik/traefik-chart-values.yaml
index c1bd198..00b431f 100644
--- a/Traefik/traefik-chart-values.yaml
+++ b/Traefik/traefik-chart-values.yaml
@@ -553,10 +553,12 @@ hostNetwork: false
 # Whether Role Based Access Control objects like roles and rolebindings should be created
 rbac:
   enabled: true
-
   # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.
-  # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace
+  # If set to true, installs Role and RoleBinding. Providers will only watch target namespace.
   namespaced: false
+  # Enable user-facing roles
+  # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+  # aggregateTo: [ "admin" ]
 
 # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
 podSecurityPolicy:
@@ -593,6 +595,15 @@ affinity: {}
 
 nodeSelector: {}
 tolerations: []
+topologySpreadConstraints: []
+# # This example topologySpreadConstraints forces the scheduler to put traefik pods
+# # on nodes where no other traefik pods are scheduled.
+#  - labelSelector:
+#      matchLabels:
+#        app: '{{ template "traefik.name" . }}'
+#    maxSkew: 1
+#    topologyKey: kubernetes.io/hostname
+#    whenUnsatisfiable: DoNotSchedule
 
 # Pods can have priority.
 # Priority indicates the importance of a Pod relative to other Pods.
-- 
GitLab