Update template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml

2025-04-12 18:52:41 +00:00 · 2025-04-12 18:52:41 +00:00 · 7a5e29e47d
commit 7a5e29e47d
parent 3943b3d46e
1 changed files with 45 additions and 60 deletions
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@ -181,6 +181,34 @@ data:
      ]
    }    

+  forgejo-client-payload.json: |
+    {
+      "protocol": "openid-connect",
+      "clientId": "forgejo",
+      "name": "Forgejo Client",
+      "description": "Used for Forgejo SSO",
+      "publicClient": false,
+      "authorizationServicesEnabled": false,
+      "serviceAccountsEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "standardFlowEnabled": true,
+      "frontchannelLogout": true,
+      "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
+        "oauth2.device.authorization.grant.enabled": false,
+        "oidc.ciba.grant.enabled": false
+      },
+      "alwaysDisplayInConsole": false,
+      "rootUrl": "https://{{{ .Env.DOMAIN_GITEA }}}:443",
+      "baseUrl": "",
+      "redirectUris": [
+        "https://{{{ .Env.DOMAIN_GITEA }}}/*"
+      ],
+      "webOrigins": [
+        "/*"
+      ]    
+
  grafana-client-payload.json: |
    {
      "clientId": "grafana",
@ -219,44 +247,6 @@ data:
      ]
    }    

-  argocd-client-payload.json: |
-    {
-      "protocol": "openid-connect",
-      "clientId": "argocd",
-      "name": "ArgoCD Client",
-      "description": "Used for ArgoCD SSO",
-      "publicClient": false,
-      "authorizationServicesEnabled": false,
-      "serviceAccountsEnabled": false,
-      "implicitFlowEnabled": false,
-      "directAccessGrantsEnabled": true,
-      "standardFlowEnabled": true,
-      "frontchannelLogout": true,
-      "attributes": {
-        "saml_idp_initiated_sso_url_name": "",
-        "oauth2.device.authorization.grant.enabled": false,
-        "oidc.ciba.grant.enabled": false
-      },
-      "alwaysDisplayInConsole": false,
-      "rootUrl": "",
-      "baseUrl": "",
-      "redirectUris": [
-        "https://{{{ .Env.DOMAIN }}}/*"
-      ],
-      "webOrigins": [
-        "/*"
-      ],
-      "defaultClientScopes": [
-        "web-origins",
-        "acr",
-        "offline_access",
-        "roles",
-        "profile",
-        "groups",
-        "email"
-      ]
-    }      
-
 ---
 apiVersion: batch/v1
 kind: Job
@ -393,8 +383,8 @@ spec:
              echo "creating Argo Workflows client"
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/argo-client-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                  -X POST --data @/var/config/argo-client-payload.json \
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -408,26 +398,21 @@ spec:
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              
              ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+              -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+              -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')

              echo "creating Grafana client"
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X POST --data @/var/config/grafana-client-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "grafana") | .id')
              
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              
              GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -437,7 +422,7 @@ spec:
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X POST --data @/var/config/backstage-client-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -455,15 +440,15 @@ spec:
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')

-              echo "creating ArgoCD client"
+              echo "creating Forgejo client"
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/argocd-client-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                  -X POST --data @/var/config/forgejo-client-payload.json \
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "argocd") | .id')
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "forgejo") | .id')
              
              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -473,9 +458,9 @@ spec:
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              
-              ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
+              FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+              -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+              -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
              
              ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
              
@ -494,10 +479,10 @@ spec:
                ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
                BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
                BACKSTAGE_CLIENT_ID: backstage
+                FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET}
+                FORGEJO_CLIENT_ID: forgejo
                GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
                GRAFANA_CLIENT_ID: grafana
-                ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}
-                ARGOCD_CLIENT_ID: argocd
              " > /tmp/secret.yaml
              
              ./kubectl apply -f /tmp/secret.yaml