Merge pull request #619 from catenax-ng/feature/TRI-244-remove-keycloak

feat(impl):[TRI-244] keycloak removal

.github/workflows/BETA-xray-cucumber-integration.yaml

@@ -38,7 +38,7 @@ jobs:
       - name: Build with Maven
         if: ${{ steps.download.outputs.http_response == '200' }}
         env:
-          KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_SECRET_BETA }}
+          OAUTH2_CLIENT_SECRET: ${{ secrets.OAUTH2_CLIENT_SECRET_BETA }}
         run: |
           unzip -o features.zip -d irs-cucumber-tests/src/test/resources/features
           mvn --batch-mode clean install -pl irs-cucumber-tests,irs-models -D"cucumber.filter.tags"="not @Ignore and @INTEGRATION_TEST"

.github/workflows/irs-load-test.yaml

@@ -39,9 +39,9 @@ jobs:
 
       - name: Run Gatling tests
         env:
-          KEYCLOAK_HOST: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_TOKEN_URI }}
-          KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_ID }}
-          KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_ID }}
+          OAUTH2_HOST: ${{ secrets.OAUTH2_CLIENT_TOKEN_URI }}
+          OAUTH2_CLIENT_SECRET: ${{ secrets.OAUTH2_CLIENT_SECRET }}
+          OAUTH2_CLIENT_ID: ${{ secrets.OAUTH2_CLIENT_ID }}
           IRS_HOST: ${{ github.event.inputs.irs-host || 'https://irs-full.dev.demo.catena-x.net' }}
           TEST_CYCLES: ${{ github.event.inputs.test-cycles || '20' }}
         run: |

.github/workflows/tavern-integration.yml

@@ -61,9 +61,9 @@ jobs:
         env:
           IRS_HOST: ${{ 'https://irs.int.demo.catena-x.net' }}
           IRS_ESS_HOST: ${{ github.event.inputs.irs-ess-host || 'https://irs-ess.int.demo.catena-x.net' }}
-          KEYCLOAK_HOST: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_TOKEN_URI }}
-          KEYCLOAK_CLIENT_ID: ${{ secrets.ORG_IRS_OAUTH2_CLIENT_ID_INT }}
-          KEYCLOAK_CLIENT_SECRET: ${{ secrets.ORG_IRS_OAUTH2_CLIENT_SECRET_INT }}
+          OAUTH2_HOST: ${{ secrets.OAUTH2_CLIENT_TOKEN_URI }}
+          OAUTH2_CLIENT_ID: ${{ secrets.ORG_IRS_OAUTH2_CLIENT_ID_INT }}
+          OAUTH2_CLIENT_SECRET: ${{ secrets.ORG_IRS_OAUTH2_CLIENT_SECRET_INT }}
           GLOBAL_ASSET_ID_AS_PLANNED: ${{ github.event.inputs.global-asset-id-asPlanned || 'urn:uuid:0733946c-59c6-41ae-9570-cb43a6e4c79e' }}
           BPN_AS_PLANNED: ${{ github.event.inputs.bpn-asPlanned || 'BPNL00000003AYRE' }}
           GLOBAL_ASSET_ID_AS_BUILT: ${{ github.event.inputs.global-asset-id-asBuilt || 'urn:uuid:1b17682e-5e2a-4913-aa1b-7d59a072a3cb' }}

.github/workflows/tavern.yml

@@ -63,9 +63,9 @@ jobs:
         env:
           IRS_HOST: ${{ 'https://irs.dev.demo.catena-x.net' }}
           IRS_ESS_HOST: ${{ github.event.inputs.irs-ess-host || 'https://irs-ess.int.demo.catena-x.net' }}
-          KEYCLOAK_HOST: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_TOKEN_URI }}
-          KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_ID }}
-          KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_SECRET }}
+          OAUTH2_HOST: ${{ secrets.OAUTH2_CLIENT_TOKEN_URI }}
+          OAUTH2_CLIENT_ID: ${{ secrets.OAUTH2_CLIENT_ID }}
+          OAUTH2_CLIENT_SECRET: ${{ secrets.OAUTH2_CLIENT_SECRET }}
           GLOBAL_ASSET_ID_AS_PLANNED: ${{ github.event.inputs.global-asset-id-asPlanned || 'urn:uuid:0733946c-59c6-41ae-9570-cb43a6e4c79e' }}
           BPN_AS_PLANNED: ${{ github.event.inputs.bpn-asPlanned || 'BPNL00000003AYRE' }}
           GLOBAL_ASSET_ID_AS_BUILT: ${{ github.event.inputs.global-asset-id-asBuilt || 'urn:uuid:6d505432-8b31-4966-9514-4b753372683f' }}

.github/workflows/xray-cucumber-integration.yaml

@@ -3,7 +3,7 @@ name: IRS Cucumber Integration test Xray execution
 on:
   workflow_call: # Trigger by another workflow
     secrets:
-      keycloakTokenUrl:
+      oauth2TokenUrl:
         required: true
       clientId:
         required: true
@@ -57,9 +57,9 @@ jobs:
       - name: Build with Maven
         if: ${{ steps.download.outputs.http_response == '200' }}
         env:
-          KEYCLOAK_HOST: ${{ secrets.keycloakTokenUrl }}
-          KEYCLOAK_CLIENT_ID: ${{ secrets.clientId }}
-          KEYCLOAK_CLIENT_SECRET: ${{ secrets.clientSecret }}
+          OAUTH2_HOST: ${{ secrets.oauth2TokenUrl }}
+          OAUTH2_CLIENT_ID: ${{ secrets.clientId }}
+          OAUTH2_CLIENT_SECRET: ${{ secrets.clientSecret }}
           ISSUE_FILTER: ${{ inputs.executionFilter }}
         run: |
           unzip -o features.zip -d irs-cucumber-tests/src/test/resources/features

CHANGELOG.md

@@ -8,6 +8,38 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - IRS can now check the readiness of external services. Use the new ``management.health.dependencies.enabled`` config entry to determine if external dependencies health checks should be checked (false by default).
   - The map of external services healthcheck endpoints can be configured with ``management.health.dependencies.urls`` property, eg. ``service_name: http://service_name_host/health``
+
+### Changed
+- Changed name of spring's OAuth2 client registration from 'keycloak' to 'common' like below:
+  ```
+  spring:
+    security:
+      oauth2:
+        client:
+          registration:
+            keycloak:
+              authorization-grant-type: client_credentials
+              client-id: 
+              client-secret: 
+          provider:
+            keycloak:
+              token-uri:
+  ```
+  to:
+  ```
+  spring:
+    security:
+      oauth2:
+        client:
+          registration:
+            common:
+              authorization-grant-type: client_credentials
+              client-id: 
+              client-secret: 
+          provider:
+            common:
+              token-uri:
+  ```
 
 ## [4.0.1] - 2023-11-10
 ### Changed

charts/irs-helm/CHANGELOG.md

@@ -5,6 +5,24 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Changed
+- Changed configuration for OAuth2 client from:
+  ```
+  keycloak:
+    oauth2:
+      clientId: 
+      clientSecret:  
+      clientTokenUri: 
+      jwkSetUri:  
+  ```
+  to:
+  ```
+  oauth2:
+    clientId: 
+    clientSecret:  
+    clientTokenUri: 
+    jwkSetUri:  
+  ```
 
 ## [6.9.1]
 ### Changed

charts/irs-helm/templates/configmap-spring-app-config.yaml

@@ -51,20 +51,20 @@ data:
         oauth2:
           client:
             registration:
-              keycloak:
-                client-id: "${KEYCLOAK_OAUTH2_CLIENT_ID}" # taken from secret ENV
-                client-secret: "${KEYCLOAK_OAUTH2_CLIENT_SECRET}" # taken from secret ENV
+              common:
+                client-id: "${OAUTH2_CLIENT_ID}" # taken from secret ENV
+                client-secret: "${OAUTH2_CLIENT_SECRET}" # taken from secret ENV
               portal:
                 client-id: ${PORTAL_OAUTH2_CLIENT_ID} # taken from secret ENV
                 client-secret: ${PORTAL_OAUTH2_CLIENT_SECRET} # taken from secret ENV
             provider:
-              keycloak:
-                token-uri: {{ tpl (.Values.keycloak.oauth2.clientTokenUri | default "http://localhost") . | quote }}
+              common:
+                token-uri: {{ tpl (.Values.oauth2.clientTokenUri | default "http://localhost") . | quote }}
               portal:
-                token-uri: {{ tpl (.Values.keycloak.oauth2.clientTokenUri | default "http://localhost") . | quote }}
+                token-uri: {{ tpl (.Values.oauth2.clientTokenUri | default "http://localhost") . | quote }}
           resourceserver:
             jwt:
-              jwk-set-uri: {{ tpl (.Values.keycloak.oauth2.jwkSetUri | default "http://localhost") . | quote }}
+              jwk-set-uri: {{ tpl (.Values.oauth2.jwkSetUri | default "http://localhost") . | quote }}
 
     digitalTwinRegistry:
       descriptorEndpoint: {{ tpl (.Values.digitalTwinRegistry.descriptorEndpoint | default "") . | quote }}

charts/irs-helm/templates/deployment.yaml

@@ -81,16 +81,16 @@ spec:
                 secretKeyRef:
                   name: {{ template "irs.secretName" . }}
                   key: minioPassword
-            - name: KEYCLOAK_OAUTH2_CLIENT_ID
+            - name: OAUTH2_CLIENT_ID
               valueFrom:
                 secretKeyRef:
                   name: {{ template "irs.secretName" . }}
-                  key: keycloakClientId
-            - name: KEYCLOAK_OAUTH2_CLIENT_SECRET
+                  key: clientId
+            - name: OAUTH2_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
                   name: {{ template "irs.secretName" . }}
-                  key: keycloakClientSecret
+                  key: clientSecret
             - name: PORTAL_OAUTH2_CLIENT_ID
               valueFrom:
                 secretKeyRef:

charts/irs-helm/templates/secrets.yaml

@@ -35,8 +35,8 @@ type: Opaque
 data:
   minioUser: {{ .Values.minioUser | default "minio" | b64enc | quote }}
   minioPassword: {{ .Values.minioPassword | default "minioPass" | b64enc | quote }}
-  keycloakClientId: {{ .Values.keycloak.oauth2.clientId | default "keycloakClientId" | b64enc | quote }}
-  keycloakClientSecret: {{ .Values.keycloak.oauth2.clientSecret | default "keycloakClientSecret" | b64enc | quote }}
+  clientId: {{ .Values.oauth2.clientId | default "clientId" | b64enc | quote }}
+  clientSecret: {{ .Values.oauth2.clientSecret | default "clientSecret" | b64enc | quote }}
   portalClientId: {{ .Values.portal.oauth2.clientId | default "portalClientId" | b64enc | quote }}
   portalClientSecret: {{ .Values.portal.oauth2.clientSecret | default "portalClientSecret" | b64enc | quote }}
   edcApiSecret: {{ .Values.edc.controlplane.apikey.secret | toString | default "" | b64enc | quote }}

charts/irs-helm/values.yaml

@@ -148,12 +148,11 @@ bpdm:
 minioUser: "minio"  # <minio-username>
 minioPassword:  # <minio-password>
 minioUrl: "http://{{ .Release.Name }}-minio:9000"
-keycloak:
-  oauth2:
-    clientId:  # <keycloak-client-id>
-    clientSecret:  # <keycloak-client-secret>
-    clientTokenUri:  # <keycloak-token-uri>
-    jwkSetUri:  # <keycloak-jwkset-uri>
+oauth2:
+  clientId:  # <oauth2-client-id>
+  clientSecret:  # <oauth2-client-secret>
+  clientTokenUri:  # <oauth2-token-uri>
+  jwkSetUri:  # <oauth2-jwkset-uri>
 portal:
   oauth2:
     clientId:  # <portal-client-id>

docs/src/docs/administration/configuration.adoc

@@ -6,7 +6,7 @@
 Take the following template and adjust the configuration parameters (<placeholders> mark the relevant spots).
 You can define the URLs as well as most of the secrets yourself.
 
-The Keycloak, MIW and Vault configuration / secrets depend on your setup and might need to be provided externally.
+The OAuth2, MIW and Vault configuration / secrets depend on your setup and might need to be provided externally.
 
 include::irs-spring-config.adoc[leveloffset=+1]
 
@@ -61,11 +61,11 @@ The URL of the SemanticsHub. The IRS uses this service to fetch aspect schemas f
 ==== <bpdm-url>
 The URL of the BPDM service. The IRS uses this service to fetch business partner information based on BPNs.
 
-==== <keycloak-token-uri>
-The URL of the Keycloak token API. Used by the IRS for token creation to authenticate with other services.
+==== <oauth2-token-uri>
+The URL of the OAuth2 token API. Used by the IRS for token creation to authenticate with other services.
 
-==== <keycloak-jwkset-uri>
-The URL of the Keycloak JWK Set. Used by the IRS to validate tokens when the IRS API is called.
+==== <oauth2-jwkset-uri>
+The URL of the OAuth2 JWK Set. Used by the IRS to validate tokens when the IRS API is called.
 
 ==== <grafana-url>
 The hostname where Grafana will be made available.
@@ -139,11 +139,11 @@ This is a list of all secrets used in the deployment.
 
 WARNING: Keep the values for these settings safe and do not publish them!
 
-=== <keycloak-client-id>
-Client ID for Keycloak. Request this from your Keycloak operator.
+=== <common-client-id>
+Client ID for OAuth2 provider. Request this from your OAuth2 operator.
 
-=== <keycloak-client-secret>
-Client secret for Keycloak. Request this from your Keycloak operator.
+=== <common-client-secret>
+Client secret for OAuth2 provider. Request this from your OAuth2 operator.
 
 === <minio-username>
 Login username for Minio. To be defined by you.

docs/src/docs/arc42/cross-cutting/under-the-hood.adoc

@@ -20,7 +20,7 @@ There currently is no transaction management in the IRS.
 There is no session handling in the IRS, access is solely based on bearer tokens, the API is stateless.
 
 == Communication and integration
-All interfaces to other systems are using RESTful calls over HTTP(S). Where central authentication is required, a common Keycloak instance is used.
+All interfaces to other systems are using RESTful calls over HTTP(S). Where central authentication is required, a common OAuth2 provider is used.
 
 For outgoing calls, the Spring RestTemplate mechanism is used and separate RestTemplates are created for the different ways of authentication.
 

docs/src/docs/arc42/scope-context/technical-context.adoc

@@ -8,9 +8,9 @@ include::../../../uml-diagrams/scope-context/irs-overall-decentral-system-view.p
 == Component overview
 
 === IRS-API
-We provide a REST API that can be consumed by any system registered in the Catena-X Keycloak, e.g. the Dismantler Dashboard. The development of such a consumer service is not part of the IRS application. Each system that acts as a client to the Restful application IRS can be used instead, if it supports any REST call of the designed REST endpoints in the REST Controller of the IRS application. For communication, the transport protocol HTTP(S) should be established.
+We provide a REST API that can be consumed by any system registered in the Catena-X OAuth2 protocol provider, e.g. the Dismantler Dashboard. The development of such a consumer service is not part of the IRS application. Each system that acts as a client to the Restful application IRS can be used instead, if it supports any REST call of the designed REST endpoints in the REST Controller of the IRS application. For communication, the transport protocol HTTP(S) should be established.
 
-In order to consume the Restful application IRS, the security aspect should be taken in consideration. IRS is a Spring Boot based application and is secured with the OpenID connector provider Keycloak and the OAuth2. This means for the consumers (users) that they need to authenticate themselves in order to be authorized to get access to the IRS. They generate a bearer token that they get from Keycloak and attach it to the HTTP header parameter Authorization. Certainly, both a consumer and the IRS should use the same configured Keycloak Realm.
+In order to consume the Restful application IRS, the security aspect should be taken in consideration. IRS is a Spring Boot based application and is secured with the OpenID connector provider with OAuth2 protocol. This means for the consumers (users) that they need to authenticate themselves in order to be authorized to get access to the IRS. They generate a bearer token that they get from OAuth2 provider and attach it to the HTTP header parameter Authorization.
 
 === Registry API
 The IRS acts as a consumer of the component Asset Administration Shell Registry. The IRS contains a Restful client (REST template) that build a REST call to the mentioned Digital Twin Registry API based on its known URL (the AAS registry URL is configured in the IRS Restful API). The request contains the given "globalAssetId" by the consumer. Like described in the above section, the security aspect is required in order to achieve a REST call against the AAS Registry. As a response, the IRS gets the corresponding asset administration shell descriptor. The last one contains a list of submodel descriptors which can be filtered by the aspect type entered by the consumer. An aspect type like SingleLevelBomAsBuilt, SerialPart etc. And as mentioned above, the transport protocol HTTP(S) is used for the REST call communication.

docs/src/uml-diagrams/building-block-view/whitebox_overall.puml

@@ -13,7 +13,7 @@ component [**IRSApplication**] <<System>> {
 }
 
 component [**CatenaX-Network**] <<CX-Environment>> {
-    component [**IAM/KeyCloak**] <<System>> as IAM_IRS
+    component [**IAM/OAuth2**] <<System>> as IAM_IRS
     component [**Digital Twin Registry**] <<System>> as DT_REG
     component [**IAM/DAPS**] <<System>> as IAM_DAPS
     IAM_IRS --[hidden]> DT_REG

docs/src/uml-diagrams/building-block-view/whitebox_overall_decentral.puml

@@ -26,7 +26,7 @@ package [**OEM**] <<CatenaX Company>> as consumer {
 package [**CatenaX-Network**] as network {
     component [**Managed Identity Wallet**] <<System>> as miw
     component [**Portal Application**] <<System>> as IAM_IRS
-    component [**Portal (IAM/IdP/KeyCloak)**] <<System>> as Portal_IdP
+    component [**Portal (IAM/IdP/OAuth2)**] <<System>> as Portal_IdP
     component [**EDC Discovery Service**] <<System>> as edc_discovery
     component [**Discovery Finder**] <<System>> as discovery_finder
     component [**Semantic Hub**] <<System>> as semantic_hub

docs/src/uml-diagrams/deployment-view/level-0-dev.puml

@@ -5,7 +5,7 @@ skinparam nodesep 100
 skinparam ranksep 20
 skinparam defaultFontName "Architects daughter"
 
-cloud Keycloak
+cloud OAuth2
 
 node "Kubernetes Cluster" as k8s {
 
@@ -28,6 +28,6 @@ node "Kubernetes Cluster" as k8s {
 
 }
 
-IRS --> Keycloak
+IRS --> OAuth2
 
 @enduml

docs/src/uml-diagrams/deployment-view/level-0-int.puml

@@ -7,7 +7,7 @@ skinparam defaultFontName "Architects daughter"
 
 cloud "Digital Twin Registry" as dtr
 cloud "EDC Providers" as providers
-cloud Keycloak
+cloud OAuth2
 cloud "HashiCorp Vault" as vault
 
 node "IRS Kubernetes Cluster" as k8s {
@@ -23,7 +23,7 @@ node "IRS Kubernetes Cluster" as k8s {
 
 }
 
-IRS -> Keycloak
+IRS -> OAuth2
 providers -- dtr
 consumer -- providers
 consumer -- vault

docs/src/uml-diagrams/deployment-view/level-0-isolated.puml

@@ -21,7 +21,7 @@ node "Kubernetes Cluster" as k8s {
         component "Decentral Registry" as dtr
     }
 
-    component Keycloak
+    component OAuth2
     component "Managed IdentityWallet" as MIW
 
     component "Discovery Service" as ds
@@ -40,9 +40,9 @@ node "Kubernetes Cluster" as k8s {
     provider -- submodel
     provider -- dtr
 
-    Keycloak ---> ds
-    Keycloak ---> IRS
-    Keycloak ---> semHub
+    OAuth2 ---> ds
+    OAuth2 ---> IRS
+    OAuth2 ---> semHub
 
     IRS -> semHub
     IRS -> frontend

docs/src/uml-diagrams/scope-context/irs-overall-decentral-system-view.puml

@@ -18,7 +18,7 @@ node "Group of Submodel Endpoints" {
 }
 node "Central Services" {
     node "IAM" {
-        [**Keycloak**] <<Component>> as KIAM
+        [**OAuth2**] <<Component>> as OAuth2
     }
     [**Discovery Service**] <<Central Service>> as DS
     interface "Discovery API" as DAPI
@@ -35,10 +35,10 @@ interface "Submodel API" as ISubModelAPI
 Consumer -( IAPI
 IAPI - IRS
 IRS --( DAPI
-IRS -- KIAM
+IRS -- OAuth2
 IRS -( IEDC
 
-DS -- KIAM
+DS -- OAuth2
 DS - DAPI
 
 IEDC - EDC

docs/src/uml-diagrams/scope-context/irs-overall-system-view.puml

@@ -17,7 +17,7 @@ node "Group of Submodel Endpoints" {
   [**Submodel-Server**] <<Component>> as SN
 }
 node "IAM" {
-    [**Keycloak**] <<Component>> as KIAM
+    [**OAuth2**] <<Component>> as OAuth2
 }
 actor Consumer
 
@@ -37,5 +37,5 @@ IRS --( IRAPI
 IRAPI -- AASR
 IRS --down( IAMAPI
 AASR --( IAMAPI
-KIAM -- IAMAPI
+OAuth2 -- IAMAPI
 @enduml