Update template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml #24
1 changed files with 94 additions and 23 deletions
|
@ -71,11 +71,11 @@ data:
|
||||||
},
|
},
|
||||||
"type": "default",
|
"type": "default",
|
||||||
"protocol": "openid-connect"
|
"protocol": "openid-connect"
|
||||||
}
|
}
|
||||||
group-admin-payload.json: |
|
group-admin-payload.json: |
|
||||||
{"name":"admin"}
|
{"name":"admin"}
|
||||||
group-base-user-payload.json: |
|
group-base-user-payload.json: |
|
||||||
{"name":"base-user"}
|
{"name":"base-user"}
|
||||||
group-mapper-payload.json: |
|
group-mapper-payload.json: |
|
||||||
{
|
{
|
||||||
"protocol": "openid-connect",
|
"protocol": "openid-connect",
|
||||||
|
@ -88,15 +88,15 @@ data:
|
||||||
"access.token.claim": "true",
|
"access.token.claim": "true",
|
||||||
"userinfo.token.claim": "true"
|
"userinfo.token.claim": "true"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
realm-payload.json: |
|
realm-payload.json: |
|
||||||
{"realm":"cnoe","enabled":true}
|
{"realm":"cnoe","enabled":true}
|
||||||
user-password.json: |
|
user-password.json: |
|
||||||
{
|
{
|
||||||
"temporary": false,
|
"temporary": false,
|
||||||
"type": "password",
|
"type": "password",
|
||||||
"value": "${USER1_PASSWORD}"
|
"value": "${USER1_PASSWORD}"
|
||||||
}
|
}
|
||||||
user-user1.json: |
|
user-user1.json: |
|
||||||
{
|
{
|
||||||
"username": "user1",
|
"username": "user1",
|
||||||
|
@ -109,7 +109,7 @@ data:
|
||||||
"/admin"
|
"/admin"
|
||||||
],
|
],
|
||||||
"enabled": true
|
"enabled": true
|
||||||
}
|
}
|
||||||
user-user2.json: |
|
user-user2.json: |
|
||||||
{
|
{
|
||||||
"username": "user2",
|
"username": "user2",
|
||||||
|
@ -122,7 +122,7 @@ data:
|
||||||
"/base-user"
|
"/base-user"
|
||||||
],
|
],
|
||||||
"enabled": true
|
"enabled": true
|
||||||
}
|
}
|
||||||
argo-client-payload.json: |
|
argo-client-payload.json: |
|
||||||
{
|
{
|
||||||
"protocol": "openid-connect",
|
"protocol": "openid-connect",
|
||||||
|
@ -150,7 +150,7 @@ data:
|
||||||
"webOrigins": [
|
"webOrigins": [
|
||||||
"/*"
|
"/*"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
backstage-client-payload.json: |
|
backstage-client-payload.json: |
|
||||||
{
|
{
|
||||||
|
@ -179,7 +179,7 @@ data:
|
||||||
"webOrigins": [
|
"webOrigins": [
|
||||||
"/*"
|
"/*"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
grafana-client-payload.json: |
|
grafana-client-payload.json: |
|
||||||
{
|
{
|
||||||
|
@ -217,7 +217,45 @@ data:
|
||||||
"groups",
|
"groups",
|
||||||
"email"
|
"email"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
argocd-client-payload.json: |
|
||||||
|
{
|
||||||
|
"protocol": "openid-connect",
|
||||||
|
"clientId": "argocd",
|
||||||
|
"name": "ArgoCD Client",
|
||||||
|
"description": "Used for ArgoCD SSO",
|
||||||
|
"publicClient": false,
|
||||||
|
"authorizationServicesEnabled": false,
|
||||||
|
"serviceAccountsEnabled": false,
|
||||||
|
"implicitFlowEnabled": false,
|
||||||
|
"directAccessGrantsEnabled": true,
|
||||||
|
"standardFlowEnabled": true,
|
||||||
|
"frontchannelLogout": true,
|
||||||
|
"attributes": {
|
||||||
|
"saml_idp_initiated_sso_url_name": "",
|
||||||
|
"oauth2.device.authorization.grant.enabled": false,
|
||||||
|
"oidc.ciba.grant.enabled": false
|
||||||
|
},
|
||||||
|
"alwaysDisplayInConsole": false,
|
||||||
|
"rootUrl": "",
|
||||||
|
"baseUrl": "",
|
||||||
|
"redirectUris": [
|
||||||
|
"https://{{{ .Env.DOMAIN }}}/*"
|
||||||
|
],
|
||||||
|
"webOrigins": [
|
||||||
|
"/*"
|
||||||
|
],
|
||||||
|
"defaultClientScopes": [
|
||||||
|
"web-origins",
|
||||||
|
"acr",
|
||||||
|
"offline_access",
|
||||||
|
"roles",
|
||||||
|
"profile",
|
||||||
|
"groups",
|
||||||
|
"email"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
|
@ -254,7 +292,7 @@ spec:
|
||||||
command: ["/bin/bash", "-c"]
|
command: ["/bin/bash", "-c"]
|
||||||
args:
|
args:
|
||||||
- |
|
- |
|
||||||
#! /bin/bash
|
#! /bin/bash
|
||||||
|
|
||||||
set -ex -o pipefail
|
set -ex -o pipefail
|
||||||
|
|
||||||
|
@ -355,8 +393,8 @@ spec:
|
||||||
echo "creating Argo Workflows client"
|
echo "creating Argo Workflows client"
|
||||||
curl -sS -H "Content-Type: application/json" \
|
curl -sS -H "Content-Type: application/json" \
|
||||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
-X POST --data @/var/config/argo-client-payload.json \
|
-X POST --data @/var/config/argo-client-payload.json \
|
||||||
${KEYCLOAK_URL}/admin/realms/cnoe/clients
|
${KEYCLOAK_URL}/admin/realms/cnoe/clients
|
||||||
|
|
||||||
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
|
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
@ -370,21 +408,26 @@ spec:
|
||||||
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
||||||
|
|
||||||
ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
||||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
||||||
|
|
||||||
echo "creating Grafana client"
|
echo "creating Grafana client"
|
||||||
curl -sS -H "Content-Type: application/json" \
|
curl -sS -H "Content-Type: application/json" \
|
||||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
-X POST --data @/var/config/grafana-client-payload.json \
|
-X POST --data @/var/config/grafana-client-payload.json \
|
||||||
${KEYCLOAK_URL}/admin/realms/cnoe/clients
|
${KEYCLOAK_URL}/admin/realms/cnoe/clients
|
||||||
|
|
||||||
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
|
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id')
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id')
|
||||||
|
|
||||||
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
|
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||||
curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
|
||||||
|
|
||||||
|
curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
||||||
|
|
||||||
GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
||||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
@ -394,18 +437,45 @@ spec:
|
||||||
curl -sS -H "Content-Type: application/json" \
|
curl -sS -H "Content-Type: application/json" \
|
||||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
-X POST --data @/var/config/backstage-client-payload.json \
|
-X POST --data @/var/config/backstage-client-payload.json \
|
||||||
${KEYCLOAK_URL}/admin/realms/cnoe/clients
|
${KEYCLOAK_URL}/admin/realms/cnoe/clients
|
||||||
|
|
||||||
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
|
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id')
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id')
|
||||||
|
|
||||||
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
|
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||||
curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
|
||||||
|
|
||||||
|
curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
||||||
|
|
||||||
BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
||||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
||||||
|
|
||||||
|
echo "creating ArgoCD client"
|
||||||
|
curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X POST --data @/var/config/argocd-client-payload.json \
|
||||||
|
${KEYCLOAK_URL}/admin/realms/cnoe/clients
|
||||||
|
|
||||||
|
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argocd") | .id')
|
||||||
|
|
||||||
|
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
|
||||||
|
|
||||||
|
curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
||||||
|
|
||||||
|
ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
||||||
|
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||||
|
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
||||||
|
|
||||||
ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
|
ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
|
||||||
|
|
||||||
|
@ -426,7 +496,8 @@ spec:
|
||||||
BACKSTAGE_CLIENT_ID: backstage
|
BACKSTAGE_CLIENT_ID: backstage
|
||||||
GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
|
GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
|
||||||
GRAFANA_CLIENT_ID: grafana
|
GRAFANA_CLIENT_ID: grafana
|
||||||
|
ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}
|
||||||
|
ARGOCD_CLIENT_ID: argocd
|
||||||
" > /tmp/secret.yaml
|
" > /tmp/secret.yaml
|
||||||
|
|
||||||
./kubectl apply -f /tmp/secret.yaml
|
./kubectl apply -f /tmp/secret.yaml
|
||||||
|
|
||||||
|
|
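Review bot: The new argocd-client-payload.json registers `"redirectUris": ["https://{{{ .Env.DOMAIN }}}/*"]`, which makes every path on that host an acceptable authorization-code redirect target; register the exact ArgoCD callback instead (e.g. `"https://{{{ .Env.DOMAIN }}}/auth/callback"`, or the sub-path-prefixed equivalent if ArgoCD is served under a route prefix on the shared domain). The same payload sets `"directAccessGrantsEnabled": true`, but ArgoCD's SSO login uses the standard (authorization-code) flow, so the password grant is not needed and should be `"directAccessGrantsEnabled": false` unless some other component in this stack is known to rely on it. Separately, the job script runs under `set -ex -o pipefail` (visible as context earlier in the section), so the newly added `ARGOCD_CLIENT_SECRET=$(...)` assignment and the `Authorization: bearer ${KEYCLOAK_TOKEN}` headers of the new curl calls are traced into the pod log; the existing Grafana/Backstage/Argo Workflows sections have the same exposure, and wrapping the secret-handling portion in `set +x` / `set -x` would close it for all of them.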