From 789c09ea59563918c25365b5cd61d462185b4629 Mon Sep 17 00:00:00 2001
From: Evelyn Gurschler
Date: Tue, 15 Oct 2024 19:11:17 +0200
Subject: [PATCH] feat: improve default config for ingress and redirects (#208)

- improve default configuration for ingress
- improve default redirects and environment config

https://github.com/eclipse-tractusx/portal-iam/issues/86
---
 charts/centralidp/README.md | 22 ++++-------
 charts/centralidp/values.yaml | 38 ++++++++++---------
 charts/sharedidp/README.md | 18 +++------
 charts/sharedidp/values.yaml | 34 +++++++++--------
 .../helm-values/centralidp/values-int.yaml | 4 +-
 .../helm-values/sharedidp/values-int.yaml | 1 -
 6 files changed, 52 insertions(+), 65 deletions(-)

diff --git a/charts/centralidp/README.md b/charts/centralidp/README.md
index 950e4568..8c0aea71 100644
--- a/charts/centralidp/README.md
+++ b/charts/centralidp/README.md
@@ -62,19 +62,11 @@ dependencies:
 | keycloak.initContainers[0].volumeMounts[0].name | string | `"themes"` | |
 | keycloak.initContainers[0].volumeMounts[0].mountPath | string | `"/themes"` | |
 | keycloak.service.sessionAffinity | string | `"ClientIP"` | |
-| keycloak.ingress.enabled | bool | `false` | |
-| keycloak.ingress.ingressClassName | string | `"nginx"` | |
-| keycloak.ingress.hostname | string | `"centralidp.example.org"` | Provide default path for the ingress record. |
-| keycloak.ingress.annotations."cert-manager.io/cluster-issuer" | string | `""` | Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-credentials" | string | `"true"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-methods" | string | `"PUT, GET, POST, OPTIONS"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-origin" | string | `"https://centralidp.example.org"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/enable-cors" | string | `"true"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffer-size" | string | `"128k"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffering" | string | `"on"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffers-number" | string | `"20"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/use-regex" | string | `"true"` | |
-| keycloak.ingress.tls | bool | `true` | |
+| keycloak.ingress.enabled | bool | `false` | Enable ingress record generation |
+| keycloak.ingress.ingressClassName | string | `""` | |
+| keycloak.ingress.hostname | string | `""` | Provide default path for the ingress record. |
+| keycloak.ingress.annotations | object | `{}` | Optional annotations when using the nginx ingress class; Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. |
+| keycloak.ingress.tls | bool | `false` | |
 | keycloak.rbac.create | bool | `true` | |
 | keycloak.rbac.rules[0].apiGroups[0] | string | `""` | |
 | keycloak.rbac.rules[0].resources[0] | string | `"pods"` | |
@@ -100,8 +92,8 @@ dependencies: | keycloak.externalDatabase.existingSecretUserKey | string | `""` | | | keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | | | keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | | -| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"s
a-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"https://sharedidp.example.org","sslRequired":"external"}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. | -| realmSeeding.clients | object | `{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}}` | Set redirect addresses and - in the case of confidential clients - clients secrets for clients which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is autogenerated. 
| +| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org/*"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org/*"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp"
:"https://sharedidp.example.org","sslRequired":"external"}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. | +| realmSeeding.clients | object | `{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org/*"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org/*"]},"semantics":{"redirects":["https://portal.example.org/*"]}}` | Set redirect addresses and - in the case of confidential clients - clients secrets for clients which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is autogenerated. | | realmSeeding.clients.existingSecret | string | `""` | Option to provide an existingSecret for the clients with clientId as key and clientSecret as value. 
| | realmSeeding.serviceAccounts | object | `{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""}` | Client secrets for service accounts which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is autogenerated. | | realmSeeding.serviceAccounts.existingSecret | string | `""` | Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value. | diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 9b71db26..3cfdf3e9 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml 
@@ -58,24 +58,26 @@ keycloak:
   service:
     sessionAffinity: ClientIP
   ingress:
+    # -- Enable ingress record generation
     enabled: false
-    ingressClassName: nginx
+    ingressClassName: ""
     # -- Provide default path for the ingress record.
-    hostname: centralidp.example.org
-    annotations:
-      # -- Enable TLS configuration for the host defined at `ingress.hostname` parameter;
-      # TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`;
-      # Provide the name of ClusterIssuer to acquire the certificate required for this Ingress.
-      cert-manager.io/cluster-issuer: ""
-      nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
-      nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
-      nginx.ingress.kubernetes.io/cors-allow-origin: "https://centralidp.example.org"
-      nginx.ingress.kubernetes.io/enable-cors: "true"
-      nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
-      nginx.ingress.kubernetes.io/proxy-buffering: "on"
-      nginx.ingress.kubernetes.io/proxy-buffers-number: "20"
-      nginx.ingress.kubernetes.io/use-regex: "true"
-    tls: true
+    hostname: ""
+    # -- Optional annotations when using the nginx ingress class;
+    # Enable TLS configuration for the host defined at `ingress.hostname` parameter;
+    # TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`;
+    # Provide the name of ClusterIssuer to acquire the certificate required for this Ingress.
+    annotations: {}
+      # cert-manager.io/cluster-issuer: ""
+      # nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+      # nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
+      # nginx.ingress.kubernetes.io/cors-allow-origin: "https://centralidp.example.org"
+      # nginx.ingress.kubernetes.io/enable-cors: "true"
+      # nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
+      # nginx.ingress.kubernetes.io/proxy-buffering: "on"
+      # nginx.ingress.kubernetes.io/proxy-buffers-number: "20"
+      # nginx.ingress.kubernetes.io/use-regex: "true"
+    tls: false
   rbac:
     create: true
     rules:
@@ -145,11 +147,11 @@ realmSeeding:
   clients:
     registration:
       redirects:
-        - https://portal.example.org
+        - https://portal.example.org/*
     portal:
       rootUrl: https://portal.example.org/home
       redirects:
-        - https://portal.example.org
+        - https://portal.example.org/*
     semantics:
       redirects:
         - https://portal.example.org/*
diff --git a/charts/sharedidp/README.md b/charts/sharedidp/README.md
index f603e70f..0f170e26 100644
--- a/charts/sharedidp/README.md
+++ b/charts/sharedidp/README.md
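Review bot: The new `+    tls: false` line carries no `# --` comment, so the regenerated README row for `keycloak.ingress.tls` has an empty description while the default flips from `true` to `false`; the sharedidp values.yaml hunk has the same gap. With `annotations: {}` also dropping the cert-manager issuer, an operator who sets `enabled: true` and a `hostname` gets an Ingress without a TLS section unless they additionally set `tls: true` and an issuer, and nothing in the file says so. I would add `# -- Enable TLS for the ingress host; keep it true for any deployment reachable beyond localhost and set the cert-manager annotation above so the TLS secret gets issued` above `tls: false`. The comment kept above `hostname` still reads "Provide default path for the ingress record." although the key is a hostname; `# -- Hostname for the ingress record.` would match the key.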
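Review bot: The `registration` and `portal` redirect URIs widen from the exact origin `https://portal.example.org` to the wildcard `https://portal.example.org/*` with no comment saying why; the same widening is made in the centralidp values-int.yaml hunk (`https://portal.int.catena-x.net/*`). A path wildcard makes the realm accept any path on that host as a redirect target, so the reason and the boundary belong in the values file, e.g. `# Path wildcards are intentional so the portal can return to deep links; keep scheme and host exact and never use a wildcard in the host part.` above each widened `redirects:` list. Whether deep links are the actual motivation is not visible here; confirm against the portal's redirect handling before wording the comment. The `semantics` client already used the wildcard, so the three entries are at least consistent now.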
@@ -68,19 +68,11 @@ dependencies:
 | keycloak.initContainers[0].volumeMounts[1].name | string | `"themes-catenax-shared-portal"` | |
 | keycloak.initContainers[0].volumeMounts[1].mountPath | string | `"/themes-catenax-shared-portal"` | |
 | keycloak.service.sessionAffinity | string | `"ClientIP"` | |
-| keycloak.ingress.enabled | bool | `false` | |
-| keycloak.ingress.ingressClassName | string | `"nginx"` | |
-| keycloak.ingress.hostname | string | `"sharedidp.example.org"` | Provide default path for the ingress record. |
-| keycloak.ingress.annotations."cert-manager.io/cluster-issuer" | string | `""` | Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-credentials" | string | `"true"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-methods" | string | `"PUT, GET, POST, OPTIONS"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-origin" | string | `"https://sharedidp.example.org"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/enable-cors" | string | `"true"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffer-size" | string | `"128k"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffering" | string | `"on"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/proxy-buffers-number" | string | `"20"` | |
-| keycloak.ingress.annotations."nginx.ingress.kubernetes.io/use-regex" | string | `"true"` | |
-| keycloak.ingress.tls | bool | `true` | |
+| keycloak.ingress.enabled | bool | `false` | Enable ingress record generation |
+| keycloak.ingress.ingressClassName | string | `""` | |
+| keycloak.ingress.hostname | string | `""` | Provide default path for the ingress record. |
+| keycloak.ingress.annotations | object | `{}` | Optional annotations when using the nginx ingress class; Enable TLS configuration for the host defined at `ingress.hostname` parameter; TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`; Provide the name of ClusterIssuer to acquire the certificate required for this Ingress. |
+| keycloak.ingress.tls | bool | `false` | |
 | keycloak.rbac.create | bool | `true` | |
 | keycloak.rbac.rules[0].apiGroups[0] | string | `""` | |
 | keycloak.rbac.rules[0].resources[0] | string | `"pods"` | |
diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml
index fbf5b6c0..ba5f5c45 100644
--- a/charts/sharedidp/values.yaml
+++ b/charts/sharedidp/values.yaml
@@ -66,24 +66,26 @@ keycloak:
   service:
     sessionAffinity: ClientIP
   ingress:
+    # -- Enable ingress record generation
     enabled: false
-    ingressClassName: nginx
+    ingressClassName: ""
     # -- Provide default path for the ingress record.
-    hostname: sharedidp.example.org
-    annotations:
-      # -- Enable TLS configuration for the host defined at `ingress.hostname` parameter;
-      # TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`;
-      # Provide the name of ClusterIssuer to acquire the certificate required for this Ingress.
-      cert-manager.io/cluster-issuer: ""
-      nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
-      nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
-      nginx.ingress.kubernetes.io/cors-allow-origin: "https://sharedidp.example.org"
-      nginx.ingress.kubernetes.io/enable-cors: "true"
-      nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
-      nginx.ingress.kubernetes.io/proxy-buffering: "on"
-      nginx.ingress.kubernetes.io/proxy-buffers-number: "20"
-      nginx.ingress.kubernetes.io/use-regex: "true"
-    tls: true
+    hostname: ""
+    # -- Optional annotations when using the nginx ingress class;
+    # Enable TLS configuration for the host defined at `ingress.hostname` parameter;
+    # TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`;
+    # Provide the name of ClusterIssuer to acquire the certificate required for this Ingress.
+    annotations: {}
+      # cert-manager.io/cluster-issuer: ""
+      # nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+      # nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
+      # nginx.ingress.kubernetes.io/cors-allow-origin: "https://sharedidp.example.org"
+      # nginx.ingress.kubernetes.io/enable-cors: "true"
+      # nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
+      # nginx.ingress.kubernetes.io/proxy-buffering: "on"
+      # nginx.ingress.kubernetes.io/proxy-buffers-number: "20"
+      # nginx.ingress.kubernetes.io/use-regex: "true"
+    tls: false
   rbac:
     create: true
     rules:
diff --git a/environments/helm-values/centralidp/values-int.yaml b/environments/helm-values/centralidp/values-int.yaml
index c33200ac..681485d4 100644
--- a/environments/helm-values/centralidp/values-int.yaml
+++ b/environments/helm-values/centralidp/values-int.yaml
@@ -46,12 +46,12 @@ realmSeeding:
   clients:
     registration:
       redirects:
-        - https://portal.int.catena-x.net
+        - https://portal.int.catena-x.net/*
         - http://localhost:3000/*
     portal:
       rootUrl: https://portal.int.catena-x.net/home
       redirects:
-        - https://portal.int.catena-x.net
+        - https://portal.int.catena-x.net/*
         - http://localhost:3000/*
     semantics:
       redirects:
diff --git a/environments/helm-values/sharedidp/values-int.yaml b/environments/helm-values/sharedidp/values-int.yaml
index 0cc03eb9..df6b9384 100644
--- a/environments/helm-values/sharedidp/values-int.yaml
+++ b/environments/helm-values/sharedidp/values-int.yaml
@@ -43,7 +43,6 @@ keycloak:
       postgresPassword: ""
 realmSeeding:
-  enabled: true
   realms:
     cxOperator:
       centralidp: "https://centralidp.int.catena-x.net"