@@ -7,18 +7,50 @@ Merge realms
77{{- $realms = append $realms .Values.keycloak.defaultRealm }}
88{{- end }}
99{{- range $realms }}
10+ {{- $realm := deepCopy . }}
11+ {{- $localDomain := $.Values.global.localClusterDomain }}
12+ {{- $oidcProviderBase := printf "https://spire-spiffe-oidc-discovery-provider.%s" $localDomain }}
13+ {{- if $.Values.keycloak.spiffeIdentityProvider.enabled }}
14+ {{- $spiffeConfig := deepCopy $.Values.keycloak.spiffeIdentityProvider.config }}
15+ {{- $defaultJwksUrl := printf "%s/keys" $oidcProviderBase }}
16+ {{- if or (not (hasKey $spiffeConfig.config "issuer")) (eq (index $spiffeConfig.config "issuer") "") }}
17+ {{- $_ := set $spiffeConfig.config "issuer" $oidcProviderBase }}
18+ {{- end }}
19+ {{- if or (not (hasKey $spiffeConfig.config "jwksUrl")) (eq (index $spiffeConfig.config "jwksUrl") "") }}
20+ {{- $_ := set $spiffeConfig.config "jwksUrl" $defaultJwksUrl }}
21+ {{- end }}
22+ {{- if or (not (hasKey $spiffeConfig.config "authorizationUrl")) (eq (index $spiffeConfig.config "authorizationUrl") "") }}
23+ {{- $_ := set $spiffeConfig.config "authorizationUrl" (printf "%s/authorize" $oidcProviderBase) }}
24+ {{- end }}
25+ {{- if or (not (hasKey $spiffeConfig.config "tokenUrl")) (eq (index $spiffeConfig.config "tokenUrl") "") }}
26+ {{- $_ := set $spiffeConfig.config "tokenUrl" (printf "%s/token" $oidcProviderBase) }}
27+ {{- end }}
28+ {{- $existingIdps := default list $realm.identityProviders }}
29+ {{- $_ := set $realm "identityProviders" (append $existingIdps $spiffeConfig) }}
30+ {{- end }}
31+ {{/* Auto-populate jwt.credential.sub for federated-jwt clients */}}
32+ {{- range $realm.clients }}
33+ {{- if eq (default "" .clientAuthenticatorType) "federated-jwt" }}
34+ {{- $attrs := default dict .attributes }}
35+ {{- if or (not (hasKey $attrs "jwt.credential.sub")) (eq (index $attrs "jwt.credential.sub") "") }}
36+ {{- $clientName := default .clientId .name }}
37+ {{- $_ := set $attrs "jwt.credential.sub" (printf "spiffe://%s/ns/%s/sa/%s" $localDomain $clientName $clientName) }}
38+ {{- end }}
39+ {{- $_ := set . "attributes" $attrs }}
40+ {{- end }}
41+ {{- end }}
1042---
1143apiVersion : k8s.keycloak.org/v2alpha1
1244kind : KeycloakRealmImport
1345metadata :
14- name : " {{ .realm }}-realm-import"
46+ name : " {{ $realm .realm }}-realm-import"
1547 namespace : " {{ $.Release.Namespace }}"
1648 annotations :
1749 argocd.argoproj.io/sync-wave : " 10"
1850spec :
1951 keycloakCRName : keycloak
2052 realm :
21- {{- toYaml . | nindent 4 }}
53+ {{- toYaml $realm | nindent 4 }}
2254 placeholders :
2355 QTODO_ADMIN_PASSWORD :
2456 secret :
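Review bot: The metadata name on the new side (new line 46) reads `{{ $realm .realm }}`; if that space is really in the template (neighbouring lines render `$realm.identityProviders` and `$realm.clients` without one) the template engine rejects it as giving an argument to a non-function, so it should be `{{ $realm.realm }}`. The `hasKey $spiffeConfig.config …` checks also assume `spiffeIdentityProvider.config` always carries a `config` map; if that sub-map is absent `hasKey` receives nil and rendering fails, so a `{{- $_ := set $spiffeConfig "config" (default dict $spiffeConfig.config) }}` line before the first check would make the defaulting robust. Finally, the auto-populated `jwt.credential.sub` is the identity a federated-jwt client is trusted under, and the derivation silently assumes `.name` (falling back to `.clientId`) equals both the workload's namespace and its service account; a one-line comment next to the `printf "spiffe://…"` stating that assumption would let operators see when the derived SPIFFE ID will not match the real workload.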
@@ -36,13 +68,23 @@ spec:
3668 secret :
3769 name : {{ $.Values.keycloak.users.secretName }}
3870 key : rhtpa-user-password
71+ {{- if and $.Values.keycloak.oidcSecrets.qtodo (default false $.Values.keycloak.oidcSecrets.qtodo.enabled) }}
3972 QTODO_CLIENT_SECRET :
4073 secret :
4174 name : oidc-client-secret
4275 key : client-secret
76+ {{- end }}
4377 RHTPA_CLI_SECRET :
4478 secret :
4579 name : rhtpa-oidc-cli-secret
4680 key : client-secret
81+ ACS_ADMIN_PASSWORD :
82+ secret :
83+ name : {{ $.Values.keycloak.users.secretName }}
84+ key : acs-admin-password
85+ ACS_CLIENT_SECRET :
86+ secret :
87+ name : acs-oidc-client-secret
88+ key : client-secret
89+ {{- end }}
4790{{- end }}
48- {{- end }}
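Review bot: The new gate at new line 71 dereferences `$.Values.keycloak.oidcSecrets.qtodo` before the `default` is applied, so when `oidcSecrets` itself is omitted from values the chart fails to render with a nil-pointer error on `.qtodo`; `{{- if dig "oidcSecrets" "qtodo" "enabled" false $.Values.keycloak }}` tolerates the missing parent and yields the same result. The ACS_ADMIN_PASSWORD and ACS_CLIENT_SECRET placeholders are added unconditionally for every realm in the range, while the QTODO client secret is now opt-in; presumably `acs-oidc-client-secret` must then exist wherever this renders, and a matching `oidcSecrets.acs` gate around the ACS entries would keep the two consistent. The `range $realms` and the outer block that the trailing `{{- end }}` lines close begin in the earlier hunk.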