
Commit f2cd756

committed
chore: update keycloak template to be aligned with latest layered-zero-trust submissions.
- Qtodo uses federated JWT (SPIFFE) instead of a client secret when oidcSecrets.qtodo.enabled is false.
- ACS Central has its own OIDC client and admin user, with secrets coming from Vault and the new ExternalSecrets.

Signed-off-by: Min Zhang <minzhang@redhat.com>
1 parent f1f2249 commit f2cd756

6 files changed

Lines changed: 274 additions & 61 deletions
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
{{- if .Values.keycloak.defaultConfig }}
2+
---
3+
apiVersion: "external-secrets.io/v1beta1"
4+
kind: ExternalSecret
5+
metadata:
6+
name: acs-oidc-client-secret
7+
namespace: {{ .Release.Namespace }}
8+
spec:
9+
refreshInterval: 15s
10+
secretStoreRef:
11+
name: {{ .Values.global.secretStore.name }}
12+
kind: {{ .Values.global.secretStore.kind }}
13+
target:
14+
name: acs-oidc-client-secret
15+
template:
16+
type: Opaque
17+
data:
18+
client-secret: "{{ `{{ .client_secret }}` }}"
19+
data:
20+
- secretKey: client_secret
21+
remoteRef:
22+
key: {{ .Values.keycloak.oidcSecrets.acsClient.vaultPath }}
23+
property: admin-password
24+
{{- end }}
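Review bot: The `property: admin-password` line under `remoteRef` feeds the ACS admin password into the `client_secret` key of this ExternalSecret, so the value Keycloak receives as the ACS OIDC client secret appears to be the ACS Central admin password rather than a dedicated client credential. The same Vault property is also copied into the Keycloak users secret as `acs-admin-password` in templates/keycloak-users-external-secret.yaml, so if `oidcSecrets.acsClient.vaultPath` resolves to the same path as that hard-coded key, one secret value serves as the realm user's password, the ACS admin password and the OIDC client secret, and disclosure of any of them (OIDC client secrets are generally readable by realm administrators and appear in realm exports) discloses the rest. A dedicated Vault property for the client credential, e.g. `property: <dedicated-client-secret-property>`, plus a comment above `data:` naming the expected property would make the separation explicit. The `refreshInterval: 15s` is also far more aggressive than a static credential needs and adds avoidable Vault load; `refreshInterval: 1h` would be sufficient unless rotation is that frequent.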

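--- a/templates/keycloak-realm-import.yaml
+++ b/templates/keycloak-realm-import.yaml
@@ -7,18 +7,50 @@ Merge realms
 {{- $realms = append $realms .Values.keycloak.defaultRealm }}
 {{- end }}
 {{- range $realms }}
+{{- $realm := deepCopy . }}
+{{- $localDomain := $.Values.global.localClusterDomain }}
+{{- $oidcProviderBase := printf "https://spire-spiffe-oidc-discovery-provider.%s" $localDomain }}
+{{- if $.Values.keycloak.spiffeIdentityProvider.enabled }}
+{{- $spiffeConfig := deepCopy $.Values.keycloak.spiffeIdentityProvider.config }}
+{{- $defaultJwksUrl := printf "%s/keys" $oidcProviderBase }}
+{{- if or (not (hasKey $spiffeConfig.config "issuer")) (eq (index $spiffeConfig.config "issuer") "") }}
+{{- $_ := set $spiffeConfig.config "issuer" $oidcProviderBase }}
+{{- end }}
+{{- if or (not (hasKey $spiffeConfig.config "jwksUrl")) (eq (index $spiffeConfig.config "jwksUrl") "") }}
+{{- $_ := set $spiffeConfig.config "jwksUrl" $defaultJwksUrl }}
+{{- end }}
+{{- if or (not (hasKey $spiffeConfig.config "authorizationUrl")) (eq (index $spiffeConfig.config "authorizationUrl") "") }}
+{{- $_ := set $spiffeConfig.config "authorizationUrl" (printf "%s/authorize" $oidcProviderBase) }}
+{{- end }}
+{{- if or (not (hasKey $spiffeConfig.config "tokenUrl")) (eq (index $spiffeConfig.config "tokenUrl") "") }}
+{{- $_ := set $spiffeConfig.config "tokenUrl" (printf "%s/token" $oidcProviderBase) }}
+{{- end }}
+{{- $existingIdps := default list $realm.identityProviders }}
+{{- $_ := set $realm "identityProviders" (append $existingIdps $spiffeConfig) }}
+{{- end }}
+{{/* Auto-populate jwt.credential.sub for federated-jwt clients */}}
+{{- range $realm.clients }}
+{{- if eq (default "" .clientAuthenticatorType) "federated-jwt" }}
+{{- $attrs := default dict .attributes }}
+{{- if or (not (hasKey $attrs "jwt.credential.sub")) (eq (index $attrs "jwt.credential.sub") "") }}
+{{- $clientName := default .clientId .name }}
+{{- $_ := set $attrs "jwt.credential.sub" (printf "spiffe://%s/ns/%s/sa/%s" $localDomain $clientName $clientName) }}
+{{- end }}
+{{- $_ := set . "attributes" $attrs }}
+{{- end }}
+{{- end }}
 ---
 apiVersion: k8s.keycloak.org/v2alpha1
 kind: KeycloakRealmImport
 metadata:
-name: "{{ .realm }}-realm-import"
+name: "{{ $realm.realm }}-realm-import"
 namespace: "{{ $.Release.Namespace }}"
 annotations:
 argocd.argoproj.io/sync-wave: "10"
 spec:
 keycloakCRName: keycloak
 realm:
-{{- toYaml . | nindent 4 }}
+{{- toYaml $realm | nindent 4 }}
 placeholders:
 QTODO_ADMIN_PASSWORD:
 secret:
@@ -36,13 +68,23 @@ spec:
 secret:
 name: {{ $.Values.keycloak.users.secretName }}
 key: rhtpa-user-password
+{{- if and $.Values.keycloak.oidcSecrets.qtodo (default false $.Values.keycloak.oidcSecrets.qtodo.enabled) }}
 QTODO_CLIENT_SECRET:
 secret:
 name: oidc-client-secret
 key: client-secret
+{{- end }}
 RHTPA_CLI_SECRET:
 secret:
 name: rhtpa-oidc-cli-secret
 key: client-secret
+ACS_ADMIN_PASSWORD:
+secret:
+name: {{ $.Values.keycloak.users.secretName }}
+key: acs-admin-password
+ACS_CLIENT_SECRET:
+secret:
+name: acs-oidc-client-secret
+key: client-secret
+{{- end }}
 {{- end }}
-{{- end }}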
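Review bot: The auto-populated `jwt.credential.sub` (the `set $attrs "jwt.credential.sub"` line) hard-wires the convention that a federated-jwt client's SPIFFE ID is `spiffe://<localClusterDomain>/ns/<client>/sa/<client>`, i.e. that the SPIRE trust domain equals `global.localClusterDomain` and that the workload's namespace and service account both equal the client name; nothing on the page shows the SPIRE side being configured from the same value. A mismatch fails closed, which is the right direction, but the resulting client-authentication failure in Keycloak is hard to trace back to this template, so a comment above the range such as `{{/* Default SPIFFE subject: trust domain = global.localClusterDomain, namespace and SA = client name; set attributes["jwt.credential.sub"] explicitly for any client that deviates */}}` would make the contract visible to whoever adds the next client. Separately, the `hasKey $spiffeConfig.config …` / `set $spiffeConfig.config …` pairs assume `spiffeIdentityProvider.config.config` is present in values; if it is absent the `set` into a nil map is likely to fail at render time, and `{{- $idpCfg := default dict $spiffeConfig.config }}` followed by writing `$idpCfg` back would mirror the `default dict .attributes` pattern already used for clients.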

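--- a/templates/keycloak-users-external-secret.yaml
+++ b/templates/keycloak-users-external-secret.yaml
@@ -18,6 +18,7 @@ spec:
 qtodo-user1-password: "{{ `{{ .qtodo_user1_password }}` }}"
 rhtas-user-password: "{{ `{{ .rhtas_user_password }}` }}"
 rhtpa-user-password: "{{ `{{ .rhtpa_user_password }}` }}"
+acs-admin-password: "{{ `{{ .acs_admin_password }}` }}"
 data:
 - secretKey: qtodo_admin_password
 remoteRef:
@@ -35,4 +36,8 @@ spec:
 remoteRef:
 key: {{ .Values.keycloak.users.passwordVaultKey }}
 property: rhtpa-user-password
+- secretKey: acs_admin_password
+remoteRef:
+key: secret/data/hub/infra/acs/acs-central
+property: admin-password
 {{- end }}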
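Review bot: The new `acs_admin_password` entry hard-codes `key: secret/data/hub/infra/acs/acs-central` while every other entry in this ExternalSecret reads `key: {{ .Values.keycloak.users.passwordVaultKey }}`, so the chart now carries a fixed Vault path that cannot be overridden per deployment and that may silently diverge from wherever `oidcSecrets.acsClient.vaultPath` points. Exposing it as a chart value with the current path as its default keeps the Vault layout overridable and reviewable in one place, consistent with the surrounding entries. A one-line comment above the entry noting that this is ACS Central's own admin credential, mirrored into Keycloak rather than generated for it, would also help, since it is the only entry here sourced from another product's secret.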

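--- a/templates/keycloak.yaml
+++ b/templates/keycloak.yaml
@@ -6,6 +6,12 @@ metadata:
 annotations:
 argocd.argoproj.io/sync-wave: "5"
 spec:
+{{- if .Values.keycloak.spiffeIdentityProvider.enabled }}
+features:
+enabled:
+- spiffe
+- client-auth-federated
+{{- end }}
 {{- if eq .Values.keycloak.adminUser.enabled true }}
 bootstrapAdmin:
 user: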
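Review bot: The `client-auth-federated` feature is enabled only when `spiffeIdentityProvider.enabled` is true, but the realm import in templates/keycloak-realm-import.yaml populates `jwt.credential.sub` for any client whose `clientAuthenticatorType` is `federated-jwt` regardless of that flag, so a realm containing a federated-jwt client with the identity provider disabled would, as far as this page shows, be imported into a Keycloak that does not have the matching authenticator feature switched on. Gating this feature list on the same condition the realm import actually depends on — or introducing a single dedicated flag that both templates read — would keep the two in step, e.g. `{{- if or .Values.keycloak.spiffeIdentityProvider.enabled <federated-jwt-clients-present> }}` with the second operand derived from the same client values the realm import inspects. The `spec:` mapping opened here continues outside the hunk.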

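--- a/templates/oidc-client-secret-external-secret.yaml
+++ b/templates/oidc-client-secret-external-secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.keycloak.defaultConfig }}
+{{- if and .Values.keycloak.defaultConfig (default false .Values.keycloak.oidcSecrets.qtodo.enabled) }}
 apiVersion: "external-secrets.io/v1beta1"
 kind: ExternalSecret
 metadata: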
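Review bot: The new condition dereferences `.Values.keycloak.oidcSecrets.qtodo.enabled` without first checking that the `oidcSecrets.qtodo` map exists, whereas the equivalent guard in templates/keycloak-realm-import.yaml is written `and $.Values.keycloak.oidcSecrets.qtodo (default false $.Values.keycloak.oidcSecrets.qtodo.enabled)`; on a values file that omits `qtodo` this template is likely to fail to render with a nil-pointer error while the other one degrades to false. Aligning it as `{{- if and .Values.keycloak.defaultConfig .Values.keycloak.oidcSecrets.qtodo (default false .Values.keycloak.oidcSecrets.qtodo.enabled) }}` gives one consistent rule for when the qtodo client secret is materialised. The `if` block opened here closes outside the hunk.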
