Skip to content

Commit

Permalink
feat(upgrade): update init realms (#29)
Browse files Browse the repository at this point in the history
- changed file structure of the initially imported realms to the one of the new version
- realm configuration (centralidp): changed CX-Central realm
- enabled seeding for trailing 'auth'
- changed workflow trigger for init container
- update base image for init containers
- removed init container for upgrade env (consortia)
  • Loading branch information
evegufy authored Nov 27, 2023
1 parent 56690ba commit 826609d
Show file tree
Hide file tree
Showing 94 changed files with 16,980 additions and 56,138 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/cx-iam-consortia.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,8 @@ name: IAM CONSORTIA
on:
push:
tags:
- '*-consortia'
- 'v*.*.*'
- 'pr*'
workflow_dispatch:

env:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/cx-iam.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ on:
push:
tags:
- 'v*.*.*'
- '!v*.*.*-consortia'
- 'pr*'
workflow_dispatch:

env:
Expand Down
32 changes: 29 additions & 3 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

New features, fixed bugs, known defects and other noteworthy changes to each release of the Catena-X IAM * Keycloak instances.

## 2.0.0-alpha
## 2.0.0

### Change

Expand All @@ -16,12 +16,38 @@ New features, fixed bugs, known defects and other noteworthy changes to each rel
* removed serviceDiscovery
* set httpRelativePath to '/auth/', as we're migrating from 16.1.1 version which was using the trailing 'auth'
* updated retrieval of service name for seeding job
* enabled seeding for trailing 'auth'
* removed management-password from secrets as key isn't part of default secret anymore
* changed file structure of the initially imported realms to the one of the new version
* realm configuration (centralidp) - updates to CX-Central realm:
* reviewed client scopes of all service accounts and limited it to the assigned roles, if the client scope and the service account roles were not aligned yet
* created role "view_managed_idp" inside the Cl2-CX-Portal client and assigned it to the composite roles "IT Admin" and "Company Admin"
* assigned role "view_semantic_models" from the Cl3-CX-Semantic client to the composite role "Semantic Model Management" from the technical_roles_management client
* assigned role "view_membership" from the Cl2-CX-Portal client to the composite role "CX Membership Info" from the technical_roles_management client
* assigned roles "view_bpn_discovery", "add_bpn_discovery" and "delete_bpn_discovery" from of the Cl22-CX-BPND client, the role "view_discovery_endpoint" from of the Cl21-CX-DF client and role "view_wallet" from of the Cl5-CX-Custodian client to the composite role "Dataspace Discovery" from the technical_roles_management client
* created roles "configure_partner_registration" and "create_partner_registration" inside the Cl2-CX-Portal client
* assigned role "create_partner_registration" to the composite role "Registration External" from the technical_roles_management client
* assigned role "configure_partner_registration" to the composite roles "Company Admin" and "IT Admin"
* created composite role "Offer Management" in client technical_roles_management and associated client roles "add_service_offering", "add_connectors" and "activate_subscription" from Cl2-CX-Portal
* created the client "Cl16-CX-BPDMGate" with the client roles "view_company_data", "update_company_data" and "view_shared_data" and assigned those to service account sa-cl7-cx-5
* deleted the composite roles "App Tech User", "Connector User" and "Service Management" from client technical_roles_management
* deleted clients "Cl6-CX-DAPS", "Cl20-CX-IRS" and "Cl16-CX-BPDMGate-Portal"
* deleted all redirects from Cl2-CX-Portal client other than portal itself

Please be aware that **this version is still in alpha phase**: especially the upgrade documentation WIP.
### Bugfix

* fixed escaping of secret values: quotes added
* realm configuration (centralidp) - fixes to CX-Central realm:
* created role "unsubscribe_apps" inside the Cl2-CX-Portal client and assigned it to the composite roles "Sales Manager", "Purchaser", "CX Admin", "Company Admin" and "Business Admin"
* created role "unsubscribe_services" inside the Cl2-CX-Portal client and assigned it to the composite roles "Sales Manager", "Purchaser", "CX Admin", "Company Admin" and "Business Admin"
* unassigned role "manage-users" and "view-clients" (realm-management client) from the role default-roles-catena-x realm and assigned to the service account sa-cl1-reg-2 the role "manage-users" from the realm-management client
* unassigned role "view_submitted_application" from the Cl2-CX-Portal from the composite role "Service Manager"
* unassigned roles "add_semantic_model", "update_semantic_model" and "delete_semantic_model" from the Cl2-CX-Portal from the composite role "IT Admin"
* assigned roles "view_semantic_model", "add_semantic_model", "update_semantic_model" and "delete_semantic_model" from the Cl2-CX-Portal from the composite roles "Business Admin", "App Manager" and "Service Manager"
* assigned roles "add_semantic_model", "update_semantic_model" and "delete_semantic_model" from the Cl2-CX-Portal from the composite role "Company Admin"
* assigned role "add_self_descriptions" from the Cl2-CX-Portal client to the client scope mapping of the service account sa-cl8-cx-1
* assigned role "update_wallets" from the Cl5-CX-Custodian client to the roles of the service account sa-cl5-custodian-2
* assigned role "view_company_data" from the Cl7-CX-BPDM client to the roles of the service account sa-cl7-cx-5 and to the composite role "Company Admin" from the Cl1-CX-Registration client

### Technical Support

Expand Down Expand Up @@ -80,7 +106,7 @@ New features, fixed bugs, known defects and other noteworthy changes to each rel

### Change

* moved centralidp login theme into iam repository, removed link to portal-assets.
* moved centralidp login theme into iam repository, removed link to Cl2-CX-Portal-assets.
* updated init realms.
* moved to bitnami-full-index as dependency repository.

Expand Down
2 changes: 2 additions & 0 deletions charts/centralidp/templates/job-seeding.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,8 @@ spec:
key: "admin-password"
- name: "KEYCLOAK__CENTRAL__AUTHREALM"
value: "{{ .Values.seeding.authRealm }}"
- name: "KEYCLOAK__CENTRAL__USEAUTHTRAIL"
value: "{{ .Values.seeding.useAuthTrail }}"
- name: "KEYCLOAKSEEDING__DATAPATHES__0"
value: "{{ .Values.seeding.dataPaths.dataPath0 }}"
- name: "KEYCLOAKSEEDING__INSTANCENAME"
Expand Down
7 changes: 4 additions & 3 deletions charts/centralidp/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ keycloak:
mountPath: "/realms"
initContainers:
- name: import
image: tractusx/portal-iam:v2.0.0-alpha
image: tractusx/portal-iam:pr29
imagePullPolicy: Always
command:
- sh
Expand Down Expand Up @@ -150,9 +150,10 @@ seeding:
# for configuration possibly not covered by the seeding job
enabled: false
name: "cx-central-realm-upgrade"
image: "tractusx/portal-iam-seeding:v1.2.0-iam"
image: "tractusx/portal-iam-seeding:rc"
portContainer: 8080
authRealm: "master"
useAuthTrail: "true"
dataPaths:
dataPath0: "realms/CX-Central-realm.json"
instanceName: "central"
Expand All @@ -177,7 +178,7 @@ seeding:
mountPath: "app/realms"
initContainers:
- name: init-cx-central
image: tractusx/portal-iam:v2.0.0-alpha
image: tractusx/portal-iam:pr29
imagePullPolicy: Always
command:
- sh
Expand Down
2 changes: 1 addition & 1 deletion charts/sharedidp/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ keycloak:
mountPath: "/realms"
initContainers:
- name: import
image: tractusx/portal-iam:v2.0.0-alpha
image: tractusx/portal-iam:pr29
imagePullPolicy: Always
command:
- sh
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ spec:
source:
path: charts/centralidp
repoURL: 'https://github.com/eclipse-tractusx/portal-iam.git'
targetRevision: v2.0.0-alpha
targetRevision: upgrade/update-init-realm-json-files
plugin:
env:
- name: AVP_SECRET
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ spec:
source:
path: charts/centralidp
repoURL: 'https://github.com/eclipse-tractusx/portal-iam.git'
targetRevision: v2.0.0-alpha
targetRevision: upgrade/update-init-realm-json-files
plugin:
env:
- name: AVP_SECRET
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ spec:
source:
path: charts/sharedidp
repoURL: 'https://github.com/eclipse-tractusx/portal-iam.git'
targetRevision: pr23-consortia
targetRevision: upgrade/update-init-realm-json-files
plugin:
env:
- name: AVP_SECRET
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ spec:
source:
path: charts/sharedidp
repoURL: 'https://github.com/eclipse-tractusx/portal-iam.git'
targetRevision: fix/generic-template
targetRevision: upgrade/update-init-realm-json-files
plugin:
env:
- name: AVP_SECRET
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ spec:
source:
path: charts/sharedidp
repoURL: 'https://github.com/eclipse-tractusx/portal-iam.git'
targetRevision: pr20-consortia
targetRevision: v2.0.0-alpha
plugin:
env:
- name: AVP_SECRET
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ keycloak:
proxy: edge
initContainers:
- name: import
image: tractusx/portal-iam-consortia:v2.0.0-alpha
image: tractusx/portal-iam-consortia:pr29
imagePullPolicy: Always
command:
- sh
Expand Down Expand Up @@ -66,11 +66,11 @@ secrets:
replicationPassword: "<path:portal/data/dev/iam/centralidp-postgres#replication-password>"

seeding:
enabled: false
enabled: true
image: "tractusx/portal-iam-seeding:dev"
initContainers:
- name: init-cx-central
image: tractusx/portal-iam-consortia:pr23-consortia
image: tractusx/portal-iam-consortia:pr29
imagePullPolicy: Always
command:
- sh
Expand Down
19 changes: 17 additions & 2 deletions consortia/environments/centralidp/values-templategeneric.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ keycloak:
proxy: edge
initContainers:
- name: import
image: tractusx/portal-iam:v2.0.0-alpha
image: tractusx/portal-iam:pr29
imagePullPolicy: Always
command:
- sh
Expand Down Expand Up @@ -66,4 +66,19 @@ secrets:
replicationPassword: "<path:portal/data/dev/iam/centralidp-postgres#replication-password>"

seeding:
enabled: false
enabled: true
image: "tractusx/portal-iam-seeding:rc"
initContainers:
- name: init-cx-central
image: tractusx/portal-iam:pr29
imagePullPolicy: Always
command:
- sh
args:
- -c
- |
echo "Copying CX Central realm..."
cp -R /import/catenax-central/realms/* /app/realms
volumeMounts:
- name: realms
mountPath: "app/realms"
56 changes: 1 addition & 55 deletions consortia/environments/centralidp/values-upgrade.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,43 +17,6 @@
# SPDX-License-Identifier: Apache-2.0
###############################################################

keycloak:
production: true
proxy: edge
initContainers:
- name: import
image: tractusx/portal-iam-consortia:v2.0.0-alpha
imagePullPolicy: Always
command:
- sh
args:
- -c
- |
echo "Copying themes..."
cp -R /import/themes/catenax-central/* /themes
echo "Copying realms..."
cp -R /import/catenax-central/upgrade/realms/* /realms
volumeMounts:
- name: themes
mountPath: "/themes"
- name: realms
mountPath: "/realms"
ingress:
enabled: true
ingressClassName: nginx
hostname: centralidp-upgrade.dev.demo.catena-x.net
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: PUT, GET, POST, OPTIONS
nginx.ingress.kubernetes.io/cors-allow-origin: https://centralidp-upgrade.dev.demo.catena-x.net, http://localhost:3000
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
nginx.ingress.kubernetes.io/proxy-buffering: "on"
nginx.ingress.kubernetes.io/proxy-buffers-number: "20"
nginx.ingress.kubernetes.io/use-regex: "true"
tls: true

secrets:
auth:
existingSecret:
Expand All @@ -63,21 +26,4 @@ secrets:
existingSecret:
postgrespassword: "<path:portal/data/dev/iam/centralidp-postgres#postgres-password>"
password: "<path:portal/data/dev/iam/centralidp-postgres#password>"
replicationPassword: "<path:portal/data/dev/iam/centralidp-postgres#replication-password>"

seeding:
enabled: false
initContainers:
- name: init-cx-central
image: tractusx/portal-iam-consortia:pr20-consortia
imagePullPolicy: Always
command:
- sh
args:
- -c
- |
echo "Copying CX Central realm..."
cp -R /import/catenax-central/upgrade/realms/* /app/realms
volumeMounts:
- name: realms
mountPath: "app/realms"
replicationPassword: "<path:portal/data/dev/iam/centralidp-postgres#replication-password>"
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ keycloak:
mountPath: "/secrets"
initContainers:
- name: import
image: tractusx/portal-iam-consortia:pr23-consortia
image: tractusx/portal-iam-consortia:pr29
imagePullPolicy: Always
command:
- sh
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ keycloak:
mountPath: "/realms"
initContainers:
- name: import
image: tractusx/portal-iam:v2.0.0-alpha
image: tractusx/portal-iam:pr29
imagePullPolicy: Always
command:
- sh
Expand Down
74 changes: 0 additions & 74 deletions consortia/environments/sharedidp/values-upgrade.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,70 +17,6 @@
# SPDX-License-Identifier: Apache-2.0
###############################################################

keycloak:
production: true
proxy: edge
extraVolumes:
- name: themes-catenax-shared
emptyDir: {}
- name: themes-catenax-shared-portal
emptyDir: {}
- name: realms
emptyDir: {}
- name: realm-secrets
secret:
secretName: secret-sharedidp-realms
extraVolumeMounts:
- name: themes-catenax-shared
mountPath: "/opt/bitnami/keycloak/themes/catenax-shared"
- name: themes-catenax-shared-portal
mountPath: "/opt/bitnami/keycloak/themes/catenax-shared-portal"
- name: realms
mountPath: "/realms"
- name: realm-secrets
mountPath: "/secrets"
initContainers:
- name: import
image: tractusx/portal-iam-consortia:pr20-consortia
imagePullPolicy: Always
command:
- sh
args:
- -c
- |
echo "Copying themes-catenax-shared..."
cp -R /import/themes/catenax-shared/* /themes-catenax-shared
echo "Copying themes-catenax-shared-portal..."
cp -R /import/themes/catenax-shared-portal/* /themes-catenax-shared-portal
echo "Copying realms..."
cp -R /import/catenax-shared/upgrade/realms/* /realms
echo "Copying realms-secrets..."
cp /secrets/* /realms
volumeMounts:
- name: themes-catenax-shared
mountPath: "/themes-catenax-shared"
- name: themes-catenax-shared-portal
mountPath: "/themes-catenax-shared-portal"
- name: realms
mountPath: "/realms"
- name: realm-secrets
mountPath: "/secrets"
ingress:
enabled: true
ingressClassName: nginx
hostname: sharedidp-upgrade.dev.demo.catena-x.net
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: PUT, GET, POST, OPTIONS
nginx.ingress.kubernetes.io/cors-allow-origin: https://sharedidp-upgrade.dev.demo.catena-x.net, http://localhost:3000
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
nginx.ingress.kubernetes.io/proxy-buffering: "on"
nginx.ingress.kubernetes.io/proxy-buffers-number: "20"
nginx.ingress.kubernetes.io/use-regex: "true"
tls: true

secrets:
auth:
existingSecret:
Expand All @@ -91,13 +27,3 @@ secrets:
postgrespassword: "<path:portal/data/dev/iam/sharedidp-postgres#postgres-password>"
password: "<path:portal/data/dev/iam/sharedidp-postgres#password>"
replicationPassword: "<path:portal/data/dev/iam/sharedidp-postgres#replication-password>"
realmuser:
enabled: true
cxtestaccessuser: "<path:portal/data/iam/sharedidp-user#CX-Test-Access-users-0.json>"
company1user: "<path:portal/data/iam/sharedidp-user#Company-1-users-0.json>"
company2user: "<path:portal/data/iam/sharedidp-user#Company-2-users-0.json>"
securitycompany: "<path:portal/data/iam/sharedidp-user#Security-Company-users-0.json>"
cxoperator: "<path:portal/data/iam/sharedidp-user#CX-Operator-users-0.json>"
serviceprovider: "<path:portal/data/iam/sharedidp-user#Service-Provider-users-0.json>"
appprovider: "<path:portal/data/iam/sharedidp-user#App-Provider-users-0.json>"
onboardingprovider: "<path:portal/data/iam/sharedidp-user#Onboarding-Provider-users-0.json>"
Loading

0 comments on commit 826609d

Please sign in to comment.