From 2deb2dfbd25148da5cbbd16c0e19246fa97ba724 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Tue, 26 Nov 2024 15:57:53 +0100 Subject: [PATCH 1/3] docs: add note for production mode --- charts/centralidp/README.md | 11 +++++++++++ charts/centralidp/README.md.gotmpl | 11 +++++++++++ charts/sharedidp/README.md | 11 +++++++++++ charts/sharedidp/README.md.gotmpl | 11 +++++++++++ 4 files changed, 44 insertions(+) diff --git a/charts/centralidp/README.md b/charts/centralidp/README.md index 56425f1..e6f0f20 100644 --- a/charts/centralidp/README.md +++ b/charts/centralidp/README.md @@ -111,6 +111,17 @@ Please see notes at [Values.seeding](values.yaml#L153) for upgrading the configu ### To 4.0.0 This major changes from the Keycloak version from 23.0.7 to 25.0.6. + +Please be aware that proxy parameter was deprecated and therefore removed. When enabling the production mode, it is to be expected to encounter the following error at install if none of there conditions listed [here](https://github.com/bitnami/charts/blob/eb2b3bdd8612a754c1b7e28237e9a32f6661eaab/bitnami/keycloak/templates/_helpers.tpl#L343) are met: + +` +Error: INSTALLATION FAILED: execution error at (centralidp/charts/keycloak/templates/NOTES.txt:100:4): +VALUES VALIDATION: +keycloak: production + In order to enable Production mode, you also need to enable HTTPS/TLS + using the value 'tls.enabled' and providing an existing secret containing the Keystore and Trustore. +` + No major issues are expected during the upgrade. Nonetheless, a blue-green deployment approach - [as outlined for previous major version upgrades](#upgrade-approach) - is recommended. ### To 3.0.1 diff --git a/charts/centralidp/README.md.gotmpl b/charts/centralidp/README.md.gotmpl index b449d0a..37f937f 100644 --- a/charts/centralidp/README.md.gotmpl +++ b/charts/centralidp/README.md.gotmpl 
@@ -45,6 +45,17 @@ Please see notes at [Values.seeding](values.yaml#L153) for upgrading the configu ### To 4.0.0 This major changes from the Keycloak version from 23.0.7 to 25.0.6. + +Please be aware that proxy parameter was deprecated and therefore removed. When enabling the production mode, it is to be expected to encounter the following error at install if none of the conditions listed [here](https://github.com/bitnami/charts/blob/eb2b3bdd8612a754c1b7e28237e9a32f6661eaab/bitnami/keycloak/templates/_helpers.tpl#L343) are met: + +` +Error: INSTALLATION FAILED: execution error at (centralidp/charts/keycloak/templates/NOTES.txt:100:4): +VALUES VALIDATION: +keycloak: production + In order to enable Production mode, you also need to enable HTTPS/TLS + using the value 'tls.enabled' and providing an existing secret containing the Keystore and Trustore. +` + No major issues are expected during the upgrade. Nonetheless, a blue-green deployment approach - [as outlined for previous major version upgrades](#upgrade-approach) - is recommended. ### To 3.0.1 diff --git a/charts/sharedidp/README.md b/charts/sharedidp/README.md index 7a900a8..5866a93 100644 --- a/charts/sharedidp/README.md +++ b/charts/sharedidp/README.md 
@@ -118,6 +118,17 @@ Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) ### To 4.0.0 This major changes from the Keycloak version from 23.0.7 to 25.0.6. + +Please be aware that proxy parameter was deprecated and therefore removed. When enabling the production mode, it is to be expected to encounter the following error at install if none of the conditions listed [here](https://github.com/bitnami/charts/blob/eb2b3bdd8612a754c1b7e28237e9a32f6661eaab/bitnami/keycloak/templates/_helpers.tpl#L343) are met: + +` +Error: INSTALLATION FAILED: execution error at (sharedidp/charts/keycloak/templates/NOTES.txt:100:4): +VALUES VALIDATION: +keycloak: production + In order to enable Production mode, you also need to enable HTTPS/TLS + using the value 'tls.enabled' and providing an existing secret containing the Keystore and Trustore. +` + No major issues are expected during the upgrade. Nonetheless, a blue-green deployment approach - [as outlined for previous major version upgrades](#upgrade-approach) - is recommended. ### To 3.0.1 diff --git a/charts/sharedidp/README.md.gotmpl b/charts/sharedidp/README.md.gotmpl index 78cd5c7..3165b3f 100644 --- a/charts/sharedidp/README.md.gotmpl +++ b/charts/sharedidp/README.md.gotmpl 
@@ -43,6 +43,17 @@ Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) ### To 4.0.0 This major changes from the Keycloak version from 23.0.7 to 25.0.6. + +Please be aware that proxy parameter was deprecated and therefore removed. When enabling the production mode, it is to be expected to encounter the following error at install if none of the conditions listed [here](https://github.com/bitnami/charts/blob/eb2b3bdd8612a754c1b7e28237e9a32f6661eaab/bitnami/keycloak/templates/_helpers.tpl#L343) are met: + +` +Error: INSTALLATION FAILED: execution error at (sharedidp/charts/keycloak/templates/NOTES.txt:100:4): +VALUES VALIDATION: +keycloak: production + In order to enable Production mode, you also need to enable HTTPS/TLS + using the value 'tls.enabled' and providing an existing secret containing the Keystore and Trustore. +` + No major issues are expected during the upgrade. Nonetheless, a blue-green deployment approach - [as outlined for previous major version upgrades](#upgrade-approach) - is recommended. ### To 3.0.1 From c5ccf4b1ff82fa364dffedc5598b65ff45a07ffc Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Tue, 26 Nov 2024 16:57:23 +0100 Subject: [PATCH 2/3] docs: change intro to readme.md --- ...Identity Provider.md => 01. External Identity Provider.md} | 0 .../{01. Introduction.md => README.md} | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename docs/admin/technical-documentation/{00. External Identity Provider.md => 01. External Identity Provider.md} (100%) rename docs/admin/technical-documentation/{01. Introduction.md => README.md} (86%) diff --git a/docs/admin/technical-documentation/00. External Identity Provider.md b/docs/admin/technical-documentation/01. External Identity Provider.md similarity index 100% rename from docs/admin/technical-documentation/00. External Identity Provider.md rename to docs/admin/technical-documentation/01. External Identity Provider.md 
diff --git a/docs/admin/technical-documentation/01. Introduction.md b/docs/admin/technical-documentation/README.md similarity index 86% rename from docs/admin/technical-documentation/01. Introduction.md rename to docs/admin/technical-documentation/README.md index 272a9a2..4878f78 100644 --- a/docs/admin/technical-documentation/01. Introduction.md +++ b/docs/admin/technical-documentation/README.md @@ -6,8 +6,8 @@ Authentication Flow - User login to Catena-X ![AuthenticationFlow](/docs/static/authentication-flow.png) -\*(Schatten-) User: The „Schatten-User“ (shadow user) is defined as an empty User frame holding limited information. The actual user is managed in the respective Identity Provider. -The Schatten-User are always federated identities +\*(Schatten-) User: The „Schatten-User“ (shadow user) is defined as an empty User frame holding limited information. The actual user is managed in the respective Identity Provider. +The shadow users are always federated identities. ## Authentication Protocol - OpenID Connect (OIDC) From c2bedd6f4aa247934665e50c08c75dbff8e2af7d Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Tue, 26 Nov 2024 17:31:15 +0100 Subject: [PATCH 3/3] docs: add information about realm seeding --- charts/centralidp/README.md | 4 +-- charts/centralidp/values.yaml | 1 + charts/sharedidp/README.md | 2 +- charts/sharedidp/values.yaml | 1 + .../technical-documentation/03. Clients.md | 2 +- docs/admin/technical-documentation/11. FAQ.md | 4 +-- .../14. Realm Seeding.md | 27 +++++++++++++++++++ 7 files changed, 35 insertions(+), 6 deletions(-) create mode 100644 docs/admin/technical-documentation/14. Realm Seeding.md diff --git a/charts/centralidp/README.md b/charts/centralidp/README.md index e6f0f20..fca3980 100644 --- a/charts/centralidp/README.md +++ b/charts/centralidp/README.md 
@@ -91,7 +91,7 @@ dependencies: | keycloak.externalDatabase.existingSecretUserKey | string | `""` | | | keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | | | keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | | -| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org/*"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org/*"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-rc.2","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-rc.2","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"850M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"850M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-c
l22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"https://sharedidp.example.org","sslRequired":"external"}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. | +| realmSeeding | object | `{"bpn":"BPNL00000003CRHK","clients":{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org/*"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org/*"]},"semantics":{"redirects":["https://portal.example.org/*"]}},"enabled":true,"extraServiceAccounts":{"clientSecretsAndBpn":[],"existingSecret":""},"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-rc.2","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-rc.2","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"850M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"850M"}},"serviceAccounts":{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""}
,{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""},"sharedidp":"https://sharedidp.example.org","sslRequired":"external"}` | Seeding job to create and update the CX-Central realm: besides creating the CX-Central realm, the job can be used to update the configuration of the realm when upgrading to a new version; Please refer to /docs/admin/technical-documentation/14. Realm Seeding.md for more details. Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. | | realmSeeding.clients | object | `{"bpdm":{"clientSecret":"","redirects":["https://partners-pool.example.org/*"]},"bpdmGate":{"clientSecret":"","redirects":["https://partners-gate.example.org/*"]},"bpdmOrchestrator":{"clientSecret":""},"existingSecret":"","miw":{"clientSecret":"","redirects":["https://managed-identity-wallets.example.org/*"]},"portal":{"redirects":["https://portal.example.org/*"],"rootUrl":"https://portal.example.org/home"},"registration":{"redirects":["https://portal.example.org/*"]},"semantics":{"redirects":["https://portal.example.org/*"]}}` | Set redirect addresses and - in the case of confidential clients - clients secrets for clients which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is autogenerated. 
| | realmSeeding.clients.existingSecret | string | `""` | Option to provide an existingSecret for the clients with clientId as key and clientSecret as value. | | realmSeeding.serviceAccounts | object | `{"clientSecrets":[{"clientId":"sa-cl1-reg-2","clientSecret":""},{"clientId":"sa-cl2-01","clientSecret":""},{"clientId":"sa-cl2-02","clientSecret":""},{"clientId":"sa-cl2-03","clientSecret":""},{"clientId":"sa-cl2-04","clientSecret":""},{"clientId":"sa-cl2-05","clientSecret":""},{"clientId":"sa-cl3-cx-1","clientSecret":""},{"clientId":"sa-cl5-custodian-2","clientSecret":""},{"clientId":"sa-cl7-cx-1","clientSecret":""},{"clientId":"sa-cl7-cx-5","clientSecret":""},{"clientId":"sa-cl7-cx-7","clientSecret":""},{"clientId":"sa-cl8-cx-1","clientSecret":""},{"clientId":"sa-cl21-01","clientSecret":""},{"clientId":"sa-cl22-01","clientSecret":""},{"clientId":"sa-cl24-01","clientSecret":""},{"clientId":"sa-cl25-cx-1","clientSecret":""},{"clientId":"sa-cl25-cx-2","clientSecret":""},{"clientId":"sa-cl25-cx-3","clientSecret":""}],"existingSecret":""}` | Client secrets for service accounts which are part of the basic CX-Central realm setup; SET client secrets for all non-testing and non-local purposes, default value is autogenerated. | 
@@ -112,7 +112,7 @@ Please see notes at [Values.seeding](values.yaml#L153) for upgrading the configu This major changes from the Keycloak version from 23.0.7 to 25.0.6. -Please be aware that proxy parameter was deprecated and therefore removed. When enabling the production mode, it is to be expected to encounter the following error at install if none of there conditions listed [here](https://github.com/bitnami/charts/blob/eb2b3bdd8612a754c1b7e28237e9a32f6661eaab/bitnami/keycloak/templates/_helpers.tpl#L343) are met: +Please be aware that proxy parameter was deprecated and therefore removed. When enabling the production mode, it is to be expected to encounter the following error at install if none of the conditions listed [here](https://github.com/bitnami/charts/blob/eb2b3bdd8612a754c1b7e28237e9a32f6661eaab/bitnami/keycloak/templates/_helpers.tpl#L343) are met: ` Error: INSTALLATION FAILED: execution error at (centralidp/charts/keycloak/templates/NOTES.txt:100:4): diff --git a/charts/centralidp/values.yaml b/charts/centralidp/values.yaml index 5cc9ae4..e109213 100644 --- a/charts/centralidp/values.yaml +++ b/charts/centralidp/values.yaml @@ -132,6 +132,7 @@ keycloak: # -- Seeding job to create and update the CX-Central realm: # besides creating the CX-Central realm, the job can be used to update # the configuration of the realm when upgrading to a new version; +# Please refer to /docs/admin/technical-documentation/14. Realm Seeding.md for more details. # Please also refer to the 'Post-Upgrade Configuration' section in the README.md # for configuration possibly not covered by the seeding job. realmSeeding: diff --git a/charts/sharedidp/README.md b/charts/sharedidp/README.md index 5866a93..6e2286c 100644 --- a/charts/sharedidp/README.md +++ b/charts/sharedidp/README.md 
@@ -97,7 +97,7 @@ dependencies: | keycloak.externalDatabase.existingSecretUserKey | string | `""` | | | keycloak.externalDatabase.existingSecretDatabaseKey | string | `""` | | | keycloak.externalDatabase.existingSecretPasswordKey | string | `""` | | -| realmSeeding | object | `{"enabled":true,"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-rc.2","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-rc.2","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"realms":{"cxOperator":{"centralidp":"https://centralidp.example.org","existingSecret":"","initialUser":{"eMail":"cx-operator@tx.org","firstName":"Operator","lastName":"CX Admin","password":"","username":"cx-operator@tx.org"},"mailing":{"from":"email@example.org","host":"smtp.example.org","password":"","port":"123","replyTo":"email@example.org","username":"smtp-user"},"sslRequired":"external"},"master":{"existingSecret":"","serviceAccounts":{"provisioning":{"clientSecret":""},"saCxOperator":{"clientSecret":""}}}},"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"700M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"700M"}}}` | Seeding job to create and update the CX-Operator and master realms: besides creating those realm, the job can be used to update the configuration of the realms when upgrading to a new version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. 
| +| realmSeeding | object | `{"enabled":true,"image":{"name":"docker.io/tractusx/portal-iam-seeding:v4.0.0-iam-rc.2","pullPolicy":"IfNotPresent"},"initContainer":{"image":{"name":"docker.io/tractusx/portal-iam:v4.0.0-rc.2","pullPolicy":"IfNotPresent"}},"keycloakServicePort":80,"keycloakServiceTls":false,"portContainer":8080,"realms":{"cxOperator":{"centralidp":"https://centralidp.example.org","existingSecret":"","initialUser":{"eMail":"cx-operator@tx.org","firstName":"Operator","lastName":"CX Admin","password":"","username":"cx-operator@tx.org"},"mailing":{"from":"email@example.org","host":"smtp.example.org","password":"","port":"123","replyTo":"email@example.org","username":"smtp-user"},"sslRequired":"external"},"master":{"existingSecret":"","serviceAccounts":{"provisioning":{"clientSecret":""},"saCxOperator":{"clientSecret":""}}}},"resources":{"limits":{"cpu":"750m","ephemeral-storage":"1024Mi","memory":"700M"},"requests":{"cpu":"250m","ephemeral-storage":"50Mi","memory":"700M"}}}` | Seeding job to create and update the CX-Operator and master realms: besides creating those realm, the job can be used to update the configuration of the realms when upgrading to a new version; Please refer to /docs/admin/technical-documentation/14. Realm Seeding.md for more details. Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job. | | realmSeeding.realms.cxOperator.centralidp | string | `"https://centralidp.example.org"` | Set centralidp address for the connection to the CX-Central realm. | | realmSeeding.realms.cxOperator.initialUser | object | `{"eMail":"cx-operator@tx.org","firstName":"Operator","lastName":"CX Admin","password":"","username":"cx-operator@tx.org"}` | Configure initial user in CX-Operator realm. | | realmSeeding.realms.cxOperator.initialUser.username | string | `"cx-operator@tx.org"` | SET username for all non-testing and non-local purposes. | 
diff --git a/charts/sharedidp/values.yaml b/charts/sharedidp/values.yaml index 0f6e16d..d0a42bd 100644 --- a/charts/sharedidp/values.yaml +++ b/charts/sharedidp/values.yaml @@ -140,6 +140,7 @@ keycloak: # -- Seeding job to create and update the CX-Operator and master realms: # besides creating those realm, the job can be used to update # the configuration of the realms when upgrading to a new version; +# Please refer to /docs/admin/technical-documentation/14. Realm Seeding.md for more details. # Please also refer to the 'Post-Upgrade Configuration' section in the README.md # for configuration possibly not covered by the seeding job. realmSeeding: diff --git a/docs/admin/technical-documentation/03. Clients.md b/docs/admin/technical-documentation/03. Clients.md index 4a682c5..c72aa23 100644 --- a/docs/admin/technical-documentation/03. Clients.md +++ b/docs/admin/technical-documentation/03. Clients.md @@ -21,7 +21,7 @@ Manual creation of clients is not part of the concept, all realm administration ## Initial Clients and Service Accounts -During the [import of the realms](/import/realm-config/) at startup, the relevant clients and service accounts are seeded: +During the [seeding of the realms](/import/realm-config/) after install and upgrade, the relevant clients and service accounts are added: | **Instance** | **Client Type** | **Description** | **Client ID** | |--------------|-----------------|-----------------|---------------| diff --git a/docs/admin/technical-documentation/11. FAQ.md b/docs/admin/technical-documentation/11. FAQ.md index aa61a58..73d1b72 100644 --- a/docs/admin/technical-documentation/11. FAQ.md +++ b/docs/admin/technical-documentation/11. FAQ.md 
@@ -79,7 +79,7 @@ To transform the created "role" to an actual role, since currently its a single 3. Update keycloak base image -The [CX-Central realm file](/import/realm-config/generic/catenax-central/CX-Central-realm.json) needs to be updated with role changes (export from Keycloak) to provide the configuration in the init container for the realm import and seeding. +The [CX-Central realm file](/import/realm-config/generic/catenax-central/CX-Central-realm.json) needs to be updated with role changes (export from Keycloak) to provide the configuration in the init container for the realm seeding. 4. Update documentation @@ -130,7 +130,7 @@ For the scenario of sql, the relevant sql can get found below: 3. Update Keycloak base image -The [CX-Central realm file](/import/realm-config/generic/catenax-central/CX-Central-realm.json) needs to be updated with role changes (export from Keycloak) to provide the configuration in the init container for the realm import and seeding. +The [CX-Central realm file](/import/realm-config/generic/catenax-central/CX-Central-realm.json) needs to be updated with role changes (export from Keycloak) to provide the configuration in the init container for the realm seeding. 4. Update documentation diff --git a/docs/admin/technical-documentation/14. Realm Seeding.md b/docs/admin/technical-documentation/14. Realm Seeding.md new file mode 100644 index 0000000..4981d9d --- /dev/null +++ b/docs/admin/technical-documentation/14. Realm Seeding.md 
@@ -0,0 +1,27 @@ +# Seeding of custom realms + +To add the custom realms to the centralidp and sharedidp instances maintained in the [import/realm-config directory](/import/realm-config/), a seeding job written in dotnet and executed as part of Kubernetes jobs. + +The seeding job itself is currently is maintained in the portal-backend repository, but it's planned to move it this repository (see [sig-release#855](https://github.com/eclipse-tractusx/sig-release/issues/855)). + +The job is highly configurable, for instance environment specific URLs and client secrets can be seeded, please see [Keycloak.Seeding/README.md](https://github.com/eclipse-tractusx/portal-backend/blob/v4.0.0-iam/src/keycloak/Keycloak.Seeding/README.md) for more details. + +It is used to seed - initially and at upgrade: + +- the CX-Central realm into centralidp and +- the CX-Operator realm into sharedidp, + +for the master realm in sharedidp it also seeds two service accounts as well as the entities connected to those (users and and `cx-admin`role). For the detailed configuration please see: + +- [seeding job for centralidp](/charts/centralidp/templates/job-seeding.yaml) and +- [seeding job for sharedidp](/charts/sharedidp/templates/job-seeding.yaml) + +As well as the configuration in the values.yaml files under `Values.realmSeeding`. + +## NOTICE + +This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0). + +- SPDX-License-Identifier: Apache-2.0 +- SPDX-FileCopyrightText: 2024 Contributors to the Eclipse Foundation +- Source URL: https://github.com/eclipse-tractusx/portal-
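Review bot: In the charts/centralidp/README.md hunk of PATCH 1/3 the error output is wrapped in a single backtick on its own line, which Markdown treats as the start of inline code, so the multi-line `Error: INSTALLATION FAILED ...` message will not render as a block; use a triple-backtick fence (```text ... ```). The same hunk reads "none of there conditions", which PATCH 3/3 later corrects to "the" in this one file only, so squash the fix into this commit and apply it to all four files. Also consider naming the exact deprecated value key (the text only says "proxy parameter") and what replaces it, so operators can grep their existing values files before upgrading to 4.0.0.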
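Review bot: The charts/sharedidp/README.md hunk carries the context line "Autogenerated with [helm docs]", so README.md is generated from README.md.gotmpl; editing the same paragraph by hand in both files (and in both charts) invites drift, as PATCH 3/3 already shows by fixing the "there" typo in README.md but not in the .gotmpl, where the next helm-docs run would reintroduce it. Suggest changing only the .gotmpl files and regenerating the README.md files.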
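Review bot: PATCH 2/3 renames "01. Introduction.md" to "README.md" and "00. External Identity Provider.md" to "01. External Identity Provider.md" without touching any file that links to the old names, so check the other docs (and the portal documentation index, if any) for inbound links that now dangle. In the README.md hunk the first `-`/`+` pair for the "Schatten-User" line is visually identical, so the change is presumably trailing whitespace; fine to keep, but worth a word in the commit message so it does not look like an accidental diff.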
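Review bot: In the charts/centralidp/values.yaml and charts/sharedidp/values.yaml hunks of PATCH 3/3 the new comment line "Please refer to /docs/admin/technical-documentation/14. Realm Seeding.md" is rendered by helm-docs into the README table as plain text with a space in the path, so it is neither clickable nor copy-pasteable; a Markdown link such as `[Realm Seeding](../../docs/admin/technical-documentation/14.%20Realm%20Seeding.md)` would work in the generated README. The sharedidp description also still says "creating those realm" (should be "realms"), which this hunk is a good opportunity to fix.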
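Review bot: The new 14. Realm Seeding.md has several grammar problems in the `+` lines: the opening sentence has no main verb ("a seeding job written in dotnet and executed as part of Kubernetes jobs" should read "... is used"), "is currently is maintained" doubles "is", "move it this repository" lacks "to", "users and and `cx-admin`role" should be "users and the `cx-admin` role", and "As well as the configuration in the values.yaml files under `Values.realmSeeding`." is a fragment that belongs to the preceding list. Since the README tables in this same patch say "SET client secrets for all non-testing and non-local purposes, default value is autogenerated" and expose `realmSeeding.clients.existingSecret` and `realmSeeding.serviceAccounts.existingSecret`, the document should also say how the job consumes those existing secrets so client secrets do not have to live in values files, and whether seeding on upgrade overwrites realm settings changed manually in Keycloak. Finally, the file as shown ends mid-URL at "Source URL: https://github.com/eclipse-tractusx/portal-"; confirm the committed line is complete.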