feat: improve realm seeding (#198)
- autogenerate client secrets at install
a default secret might be too insecure even if secrets should always be set at install; also, secrets aren't regenerated at helm upgrade
- enable option to set `sslrequired` for cx-central and cx-operator realms to not run into `The url [authorization_url] requires secure connections` when running without https locally
- fix and improve style
#86
evegufy authored Oct 11, 2024
1 parent 5ed14ce commit c96973e
Showing 17 changed files with 165 additions and 110 deletions.
8 changes: 4 additions & 4 deletions charts/centralidp/README.md
Expand Up @@ -100,14 +100,14 @@ dependencies:
| keycloak.externalDatabase.existingSecretUserKey | string | `""` | |
| keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | |
| keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | |
| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"https
://sharedidp.example.org"}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. |
| realmSeeding.clients | object | `{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}}` | Set redirect addresses and - in the case of confidential clients - clients secrets for clients which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is "changeme". |
| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-alpha.1","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-alpha.1","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"https
://sharedidp.example.org","sslRequired":"external"}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. |
| realmSeeding.clients | object | `{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org"]},"semantics":{"redirects":["https://portal.example.org/*"]}}` | Set redirect addresses and - in the case of confidential clients - clients secrets for clients which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is autogenerated. |
| realmSeeding.clients.existingSecret | string | `""` | Option to provide an existingSecret for the clients with clientId as key and clientSecret as value. |
| realmSeeding.serviceAccounts | object | `{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""}` | Client secrets for service accounts which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is "changeme". |
| realmSeeding.serviceAccounts | object | `{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""}` | Client secrets for service accounts which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is autogenerated. |
| realmSeeding.serviceAccounts.existingSecret | string | `""` | Option to provide an existingSecret for the base service accounts with clientId as key and clientSecret as value. |
| realmSeeding.bpn | string | `"BPNL00000003CRHK"` | Set value for the 'bpn' user attribute for the initial user and the base service account users. |
| realmSeeding.sharedidp | string | `"https://sharedidp.example.org"` | Set sharedidp address to enable the identity provider connection to CX-Operator realm. |
| realmSeeding.extraServiceAccounts | object | `{"clientSecretsAndBpn":[],"existingSecret":""}` | Set client secrets and bpn user attribute for additional service accounts; meant to enable possible test data, default value for client secrets is "changeme". |
| realmSeeding.extraServiceAccounts | object | `{"clientSecretsAndBpn":[],"existingSecret":""}` | Set client secrets and bpn user attribute for additional service accounts; meant to enable possible test data, default value for client secrets is autogenerated. |
| realmSeeding.extraServiceAccounts.existingSecret | string | `""` | Option to provide an existingSecret for additional service accounts with clientId as key and clientSecret as value. |
| realmSeeding.resources | object | `{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"600M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"600M"}}` | We recommend to review the default resource limits as this should a conscious choice. |

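Review bot: the `realmSeeding` default object in this hunk now carries `"sslRequired":"external"`, but no dedicated `realmSeeding.sslRequired` row was added next to `realmSeeding.clients.existingSecret` and the other sub-keys, so a reader has no place to learn that `external` is the safe default and that relaxing it is only meant for local runs without HTTPS (the motivation in the commit message). Add a row with that guidance; while touching these rows, "clients secrets" in the `realmSeeding.clients` description should read "client secrets".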
2 changes: 2 additions & 0 deletions charts/centralidp/templates/job-seeding.yaml
Expand Up @@ -65,6 +65,8 @@ spec:
value: "central"
- name: "KEYCLOAKSEEDING__REALMS__0__REALM"
value: "CX-Central"
- name: "KEYCLOAKSEEDING__REALMS__0__SSLREQUIRED"
value: "{{ .Values.realmSeeding.sslRequired }}"

#############################
## INITIAL USER
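Review bot: `value: "{{ .Values.realmSeeding.sslRequired }}"` passes any string straight into `KEYCLOAKSEEDING__REALMS__0__SSLREQUIRED`, so a typo such as `externel` only surfaces when the seeding job runs against the realm. Keycloak accepts exactly `all`, `external` and `none` for this setting; consider validating in the template, e.g. `{{- if not (has .Values.realmSeeding.sslRequired (list "all" "external" "none")) }}{{ fail "realmSeeding.sslRequired must be all, external or none" }}{{- end }}`, and render the value with `| quote` as the neighbouring values do rather than hand-written quotes.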
14 changes: 13 additions & 1 deletion charts/centralidp/templates/secret-base-service-accounts.yaml
Expand Up @@ -18,14 +18,26 @@
*/}}

{{- if and (.Values.realmSeeding.enabled) (not .Values.realmSeeding.serviceAccounts.existingSecret) -}}
{{- $secretName := include "centralidp.secret.serviceAccounts" . -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "centralidp.secret.serviceAccounts" . }}
namespace: {{ .Release.Namespace }}
type: Opaque
{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
{{ if $secret -}}
data:
# if secret exists, use value provided from values file (to cover update scenario) or existing value from secret or generate a random one (if keys are added later on)
# use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret
# use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too
{{- range .Values.realmSeeding.serviceAccounts.clientSecrets }}
{{ .clientId }}: {{ coalesce ( .clientSecret | b64enc ) ( index $secret.data .clientId ) | default ( randAlphaNum 32 ) | quote }}
{{- end }}
{{ else -}}
stringData:
{{- range .Values.realmSeeding.serviceAccounts.clientSecrets }}
{{ .clientId }}: {{ .clientSecret | default "changeme" | quote }}
{{ .clientId }}: {{ .clientSecret | default ( randAlphaNum 32 ) | quote }}
{{- end }}
{{ end }}
{{- end -}}
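Review bot: the fallback `default ( randAlphaNum 32 )` on the `{{ .clientId }}:` line inside the `data:` branch emits an un-encoded random string into a map that Kubernetes base64-decodes on admission; 32 alphanumeric characters happen to be valid base64, so the stored secret becomes 24 arbitrary bytes instead of the printable string the `stringData` branch produces. Use `default ( randAlphaNum 32 | b64enc )` there so a service account added on upgrade receives the same kind of secret as on a fresh install.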
22 changes: 18 additions & 4 deletions charts/centralidp/templates/secret-clients.yaml
Expand Up @@ -18,15 +18,29 @@
*/}}

{{- if and (.Values.realmSeeding.enabled) (not .Values.realmSeeding.clients.existingSecret) -}}
{{- $secretName := include "centralidp.secret.clients" . -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "centralidp.secret.clients" . }}
namespace: {{ .Release.Namespace }}
type: Opaque
{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
{{ if $secret -}}
data:
# if secret exists, use value provided from values file (to cover update scenario) or existing value from secret or generate a random one (if keys are added later on)
# use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret
# use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too
miw: {{ coalesce ( .Values.realmSeeding.clients.miw.clientSecret | b64enc ) ( index $secret.data "miw" ) | default ( randAlphaNum 32 ) | quote }}
bpdm: {{ coalesce ( .Values.realmSeeding.clients.bpdm.clientSecret | b64enc ) ( index $secret.data "bpdm" ) | default ( randAlphaNum 32 ) | quote }}
bpdm-gate: {{ coalesce ( .Values.realmSeeding.clients.bpdmGate.clientSecret | b64enc ) ( index $secret.data "bpdm-gate" ) | default ( randAlphaNum 32 ) | quote }}
bpdm-orchestrator: {{ coalesce ( .Values.realmSeeding.clients.bpdmOrchestrator.clientSecret | b64enc ) ( index $secret.data "bpdm-orchestrator" ) | default ( randAlphaNum 32 ) | quote }}
{{ else -}}
stringData:
miw: {{ .Values.realmSeeding.clients.miw.clientSecret | default "changeme" | quote }}
bpdm: {{ .Values.realmSeeding.clients.bpdm.clientSecret | default "changeme" | quote }}
bpdm-gate: {{ .Values.realmSeeding.clients.bpdmGate.clientSecret | default "changeme" | quote }}
bpdm-orchestrator: {{ .Values.realmSeeding.clients.bpdmOrchestrator.clientSecret | default "changeme" | quote }}
# if secret doesn't exist, use provided value from values file or generate a random one
miw: {{ .Values.realmSeeding.clients.miw.clientSecret | default ( randAlphaNum 32 ) | quote }}
bpdm: {{ .Values.realmSeeding.clients.bpdm.clientSecret | default ( randAlphaNum 32 ) | quote }}
bpdm-gate: {{ .Values.realmSeeding.clients.bpdmGate.clientSecret | default ( randAlphaNum 32 ) | quote }}
bpdm-orchestrator: {{ .Values.realmSeeding.clients.bpdmOrchestrator.clientSecret | default ( randAlphaNum 32 ) | quote }}
{{ end }}
{{- end -}}
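Review bot: on the four `data:` lines, `coalesce ( ... | b64enc ) ( index $secret.data "miw" ) | default ( randAlphaNum 32 )` yields a base64 value from the first two sources but a raw string from the fallback, so the `default` argument needs `| b64enc` as well or the decoded secret will not match what a fresh install would have produced. Since `miw`, `bpdm`, `bpdm-gate` and `bpdm-orchestrator` are now spelled out in both branches, consider ranging over a single list as the service-account templates do, so a client added later cannot land in one branch and be missed in the other.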
15 changes: 14 additions & 1 deletion charts/centralidp/templates/secret-extra-service-accounts.yaml
Expand Up @@ -18,14 +18,27 @@
*/}}

{{- if and (.Values.realmSeeding.enabled) (.Values.realmSeeding.extraServiceAccounts.clientSecrets) (not .Values.realmSeeding.extraServiceAccounts.existingSecret) -}}
{{- $secretName := include "centralidp.secret.extraServiceAccounts" . -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "centralidp.secret.extraServiceAccounts" . }}
namespace: {{ .Release.Namespace }}
type: Opaque
{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
{{ if $secret -}}
data:
# if secret exists, use value provided from values file (to cover update scenario) or existing value from secret or generate a random one (if keys are added later on)
# use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret
# use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too
{{- range .Values.realmSeeding.extraServiceAccounts.clientSecrets }}
{{ .clientId }}: {{ coalesce ( .clientSecret | b64enc ) ( index $secret.data .clientId ) | default ( randAlphaNum 32 ) | quote }}
{{- end }}
{{ else -}}
stringData:
# if secret doesn't exist, use provided value from values file or generate a random one
{{- range .Values.realmSeeding.extraServiceAccounts.clientSecrets }}
{{ .clientId }}: {{ .clientSecret | default "changeme" | quote }}
{{ .clientId }}: {{ .clientSecret | default ( randAlphaNum 32 ) | quote }}
{{- end }}
{{ end }}
{{- end -}}
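Review bot: `lookup "v1" "Secret" .Release.Namespace $secretName` returns an empty map under `helm template`, `--dry-run` and in diff tooling, so those paths always take the `stringData` branch and mint a fresh `randAlphaNum 32` per render; every dry-run diff will therefore report the extra service account secrets as changed even when the live values are stable. A comment next to the `lookup` line would save operators some confusion, and the `data:` fallback here has the same missing `| b64enc` as the other two secret templates in this commit.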