adding keycloak support

README.md

@@ -1,23 +1,30 @@
-# indico
-
+# helm chart for indico event maganement application
 
 ## Usage
 
-[Helm](https://helm.sh) must be installed to use the charts.  Please refer to
-Helm's [documentation](https://helm.sh/docs) to get started.
+[Helm](https://helm.sh) must be installed to use the charts. Once Helm has been set up correctly, add the repo as follows:
+```bash
+helm repo add nomad-indico https://nomad-coe.github.io/indico
+helm repo update
+```
 
-Once Helm has been set up correctly, add the repo as follows:
+To install the `RELEASE_NAME` chart:
+```bash
+helm install RELEASE_NAME nomad-indico/indico
+```
 
-  helm repo add nomad-indico https://nomad-coe.github.io/indico
+To uninstall the chart:
+```bash
+helm delete RELEASE_NAME
+```
 
-If you had already added this repo earlier, run `helm repo update` to retrieve
-the latest versions of the packages.  You can then run `helm search repo
-indico` to see the charts.
 
-To install the `<release-name>` chart:
+## Known issues:
 
-    helm install <release-name> nomad-indico/indico
+- after the first deployment the container of the main application and the worker needs to be restarted manually.
 
-To uninstall the chart:
+## Alternative solutions
 
-    helm delete <release-name>
+Similar helm charts:
+- [freedesktop.org](https://gitlab.freedesktop.org/mupuf/indico-k8s/-/tree/master/charts/indico)
+- [nsf-muses](https://gitlab.com/nsf-muses/deployment/kubernetes/-/tree/main/charts/indico)

charts/indico/templates/configmap.yaml

@@ -33,6 +33,41 @@ data:
     # Disable system notices
     SYSTEM_NOTICES_URL = None
 
+    # Authentication settings
+    LOCAL_IDENTITIES = {{ .Values.indico.auth.localIdentities }}
+
+    {{- with .Values.indico.auth.keycloak }}
+    {{- if .enabled }}
+    # Keycloak
+    EXTERNAL_REGISTRATION_URL = {{ .profileUrl | quote }}
+    AUTH_PROVIDERS = {
+        'keycloak': {
+            'type': 'authlib',
+            'title': {{ .title | quote }},
+            'authlib_args': {
+                'client_id': {{ .clientId | quote }},
+                'client_secret': {{ .clientSecret | quote }},
+                'server_metadata_url': {{ .metadataUrl | quote }},
+                'client_kwargs': {'scope': 'openid'}
+            }
+        }
+    }
+    IDENTITY_PROVIDERS = {
+        'keycloak': {
+            'type': 'authlib',
+            'title': {{ .title | quote }},
+            'mapping': {
+                'first_name': 'given_name',
+                'last_name': 'family_name',
+                'email': 'email'
+            },
+            'trusted_email': True,
+            'synced_fields': {'first_name', 'last_name', 'email'}
+        }
+    }
+    {{- end }}
+    {{- end }}
+
 
   uwsgi.ini: |
     [uwsgi]

charts/indico/values.yaml

@@ -2,8 +2,6 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
-
-# TODO: Helper
 # secretKey: python -c 'import os; print(repr(os.urandom(32)))'
 
 replicaCount: 1
@@ -99,15 +97,27 @@ indico:
     publicSupport: "[email protected]"
     noReply: "[email protected]"
 
+  # The localIdentities must be set to "True" to bootstrap the application because an initial admin
+  # account must be created. After keycloak is configured, another user can be granted admin privileges
+  # after which localIdentities can be disabled to avoid the Indico login page.
+  auth:
+    localIdentities: "True"
+    keycloak:
+      enabled: false
+      title: ""
+      clientId: ""
+      clientSecret: ""
+      profileUrl: "https://auth.example.com/realms/EXAMPLE/account/"
+      metadataUrl: "https://auth.example.com/realms/EXAMPLE/.well-known/openid-configuration"
 redis:
   auth:
     enabled: false
 
 postgresql:
   auth:
     database: "indico"
-    username: "username"
-    password: "password"
+    username: "indico"
+    password: "indico"
   primary:
     initdb:
       scripts: