

refactor(core): add identity admin client
aabouzaid committed Nov 23, 2024
1 parent 6b4bcff commit 99482ac
Showing 6 changed files with 69 additions and 60 deletions.
6 changes: 6 additions & 0 deletions charts/camunda-platform-alpha/README.md
Expand Up @@ -478,6 +478,11 @@ Please see the corresponding [release guide](../../docs/release.md) to find out
| `global.identity.auth.jwksUrl` | defines the JWKS URL, which is used by the services to validate the JWT tokens. | `""` |
| `global.identity.auth.type` | defines the type of authentication which should be used. Defaults to Keycloak | `KEYCLOAK` |
| `global.identity.auth.publicIssuerUrl` | Can be overwritten if ingress is in use and an external IP is available. | `http://localhost:18080/auth/realms/camunda-platform` |
| `global.identity.auth.admin` | configuration to configure Connectors authentication specifics on global level, which can be accessed by other sub-charts | |
| `global.identity.auth.admin.enabled` | if true, creates the admin client which is used in administration operations if needed. | `false` |
| `global.identity.auth.admin.clientId` | defines the client id. | `admin` |
| `global.identity.auth.admin.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` |
| `global.identity.auth.admin.existingSecretKey` | defines the key within the existing secret object. | `admin-secret` |
| `global.identity.auth.identity` | configuration to configure Identity authentication specifics on global level, which can be accessed by other sub-charts | |
| `global.identity.auth.identity.clientId` | defines the client id, which is used by Identity in authentication flows. | `camunda-identity` |
| `global.identity.auth.identity.audience` | defines the audience, which is used by Identity. | `camunda-identity-resource-server` |
Expand Down Expand Up @@ -532,6 +537,7 @@ Please see the corresponding [release guide](../../docs/release.md) to find out
| `identity.firstUser.lastName` | defines the last name of the first user; a name is required to use WebModeler | `User` |
| `identity.firstUser.existingSecret` | can be used to use an own existing secret for Identity first user. | `""` |
| `identity.firstUser.existingSecretKey` | defines the key within the existing secret object. | `identity-firstuser-password` |
| `identity.users` | configuration to configure properties of the Identity users, which can be used to access web applications. | `[]` |
| `identity.image` | configuration to configure the identity image specifics | |
| `identity.image.registry` | can be used to set container image registry. | `""` |
| `identity.image.repository` | defines which image repository to use | `camunda/identity` |
Expand Up @@ -17,18 +17,22 @@ metadata:
"context" $) | nindent 4 }}
type: Opaque
data:
{{- $identityAuthAdmin := (
(typeIs "string" .Values.global.identity.auth.admin.existingSecret) |
ternary false true
) }}
{{- $identityAuth := dict
"admin" (((.Values.global.identity.auth).admin).existingSecret).name
"connectors" (.Values.global.identity.auth.connectors.existingSecret).name
"console" (.Values.global.identity.auth.console.existingSecret).name
"core" (.Values.global.identity.auth.core.existingSecret).name
"optimize" (.Values.global.identity.auth.optimize.existingSecret).name
}}
{{- if or ($identityAuth.connectors) ($identityAuth.console)
{{- if or ($identityAuthAdmin)
($identityAuth.connectors) ($identityAuth.console)
($identityAuth.core) ($identityAuth.optimize)
}}
# Identity apps auth.
{{- if $identityAuth.admin }}
{{- if $identityAuthAdmin }}
{{ .Values.global.identity.auth.admin.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
{{- end }}
{{- if $identityAuth.connectors }}
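Review bot: `$identityAuthAdmin` never consults `.Values.global.identity.auth.admin.enabled`, so with the shipped default `existingSecret:` (null, hence not a string) a random `admin-secret` entry is written into this Secret on every install even when the admin client is disabled, and it is also written when the operator supplies their own Secret as a map (the `.name` form), where the generated value is never consumed. Gating the flag on both conditions keeps the chart-managed Secret limited to the case where a generated value is actually needed: `{{- $identityAuthAdmin := and .Values.global.identity.auth.admin.enabled (empty .Values.global.identity.auth.admin.existingSecret) }}`. Note that `randAlphaNum` re-rolls on each `helm upgrade`, as it does for the sibling keys below, so callers that cache the admin client secret will see rotation; worth a one-line comment above the key if that is intended. The `{{- if or ... }}` block opened here continues past the end of the hunk.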
25 changes: 25 additions & 0 deletions charts/camunda-platform-alpha/templates/identity/configmap.yaml
Expand Up @@ -217,6 +217,9 @@ data:
- Web Modeler Admin
{{- end }}
{{- end }}
{{- if .Values.identity.users }}
{{- include "common.tplvalues.render" (dict "value" .Values.identity.users "context" $) | nindent 8 }}
{{- end }}
environment:
clients:
- name: Identity
Expand All @@ -226,6 +229,28 @@ data:
root-url: {{ include "identity.externalUrl" . | quote }}
redirect-uris:
- "/auth/login-callback"
{{- if .Values.global.identity.auth.admin.enabled }}
- name: {{ .Values.global.identity.auth.admin.clientId | title | default "Admin" | quote }}
id: {{ .Values.global.identity.auth.admin.clientId | default "admin" | quote }}
type: CONFIDENTIAL
secret: ${VALUES_CAMUNDA_ADMIN_CLIENT_SECRET:}
root-url: "http://placeholder"
redirect-uris:
- "/placeholder"
permissions:
- resourceServerId: {{ include "identity.authAudience" . | quote }}
definition: read
- resourceServerId: {{ include "identity.authAudience" . | quote }}
definition: write
- resourceServerId: {{ include "console.authAudience" . | quote }}
definition: "write:*"
- resourceServerId: {{ include "webModeler.authClientApiAudience" . | quote }}
definition: "write:*"
- resourceServerId: {{ include "core.authAudience" . | quote }}
definition: "write:*"
- resourceServerId: {{ include "optimize.authAudience" . | quote }}
definition: "write:*"
{{- end }}
# The presets key should be removed when 8.6.0 of the applications are released
presets:
core:
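Review bot: `secret: ${VALUES_CAMUNDA_ADMIN_CLIENT_SECRET:}` carries a trailing colon, which — if Identity resolves these as Spring-style placeholders like the rest of this config appears to — substitutes an empty string when the variable is absent, so a CONFIDENTIAL client holding `write:*` on every resource server listed above would be seeded with an empty secret rather than failing to start. Since the deployment in this commit only injects the variable under the same `admin.enabled` guard, dropping the default makes a missing or mis-wired secret fail loudly: `secret: ${VALUES_CAMUNDA_ADMIN_CLIENT_SECRET}`. The `"http://placeholder"` root URL and `/placeholder` redirect are reasonable for a machine-to-machine client, but a short comment such as `# Machine client: root-url/redirect-uris are unused but required by the seed schema` would keep a later reader from "fixing" them into a browser login flow. The `clients:` sequence this block is appended to begins before the hunk.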
11 changes: 11 additions & 0 deletions charts/camunda-platform-alpha/templates/identity/deployment.yaml
Expand Up @@ -123,6 +123,17 @@ spec:
key: {{ .Values.global.identity.auth.identity.existingSecretKey }}
{{- end }}
{{- end }}
{{- if .Values.global.identity.auth.admin.enabled }}
- name: VALUES_CAMUNDA_ADMIN_CLIENT_SECRET
{{- if (typeIs "string" .Values.global.identity.auth.admin.existingSecret) }}
value: {{ .Values.global.identity.auth.admin.existingSecret | quote }}
{{- else }}
valueFrom:
secretKeyRef:
name: {{ .Values.global.identity.auth.admin.existingSecret.name }}
key: {{ .Values.global.identity.auth.admin.existingSecretKey }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if or .Values.identityPostgresql.enabled .Values.identity.externalDatabase.enabled }}
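Review bot: With the shipped default `existingSecret:` (null) and `enabled: true`, the `else` branch evaluates `.Values.global.identity.auth.admin.existingSecret.name` on a nil value, which Helm's template engine reports as a nil-pointer evaluation rather than rendering an empty `name:` — so the "random secret is generated" default documented in values.yaml cannot actually be selected from this Deployment; only the plain-string and `{name: ...}` forms render. If the generated value in the chart-managed Secret is the intended fallback, point the `secretKeyRef` at it when no map is given, e.g. `name: {{ (.Values.global.identity.auth.admin.existingSecret).name | default <CHART_MANAGED_IDENTITY_SECRET_NAME> }}` where the placeholder is whatever name the secret template in this commit renders into, and note the three accepted shapes of `existingSecret` in a comment above the `- name:` line. The `{{- end }}` lines that follow the insertion close blocks opened before the hunk.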
@@ -1,70 +1,19 @@
identity:
# Keycloak client seed which is used to query Camunda APIs.
env:
- name: KEYCLOAK_CLIENTS_2_ID
value: test
- name: KEYCLOAK_CLIENTS_2_NAME
value: Test
- name: KEYCLOAK_CLIENTS_2_SECRET
valueFrom:
secretKeyRef:
name: integration-test-credentials
key: identity-admin-client-password
- name: KEYCLOAK_CLIENTS_2_REDIRECT_URIS_0
value: /dummy
- name: KEYCLOAK_CLIENTS_2_ROOT_URL
value: http://dummy
- name: KEYCLOAK_CLIENTS_2_TYPE
value: CONFIDENTIAL
#######################
# Management Group
#######################
# Identity access.
- name: KEYCLOAK_CLIENTS_2_PERMISSIONS_0_RESOURCE_SERVER_ID
value: camunda-identity-resource-server
- name: KEYCLOAK_CLIENTS_2_PERMISSIONS_0_DEFINITION
value: read
- name: KEYCLOAK_CLIENTS_2_PERMISSIONS_1_RESOURCE_SERVER_ID
value: camunda-identity-resource-server
- name: KEYCLOAK_CLIENTS_2_PERMISSIONS_1_DEFINITION
value: write
# Console access.
- name: KEYCLOAK_CLIENTS_2_PERMISSIONS_2_RESOURCE_SERVER_ID
value: console-api
- name: KEYCLOAK_CLIENTS_2_PERMISSIONS_2_DEFINITION
value: "write:*"
# WebModeler access.
- name: KEYCLOAK_CLIENTS_2_PERMISSIONS_3_RESOURCE_SERVER_ID
value: web-modeler-api
- name: KEYCLOAK_CLIENTS_2_PERMISSIONS_3_DEFINITION
value: "write:*"
#######################
# Orchestration Group
#######################
# Core access.
- name: KEYCLOAK_CLIENTS_2_PERMISSIONS_4_RESOURCE_SERVER_ID
value: core-api
- name: KEYCLOAK_CLIENTS_2_PERMISSIONS_4_DEFINITION
value: "write:*"
# Optimize access.
- name: KEYCLOAK_CLIENTS_2_PERMISSIONS_5_RESOURCE_SERVER_ID
value: optimize-api
- name: KEYCLOAK_CLIENTS_2_PERMISSIONS_5_DEFINITION
value: "write:*"

# Auth to avoid Docker download rate limit.
# https://docs.docker.com/docker-hub/download-rate-limit/
identityKeycloak:
global:
# Auth to avoid Docker download rate limit.
# https://docs.docker.com/docker-hub/download-rate-limit/
image:
pullSecrets:
- name: index-docker-io

global:
identityKeycloak:
# Auth to avoid Docker download rate limit.
image:
pullSecrets:
- name: index-docker-io

elasticsearch:
# Auth to avoid Docker download rate limit.
global:
imagePullSecrets:
- name: index-docker-io
14 changes: 14 additions & 0 deletions charts/camunda-platform-alpha/values.yaml
Expand Up @@ -255,6 +255,17 @@ global:
## @param global.identity.auth.publicIssuerUrl Can be overwritten if ingress is in use and an external IP is available.
publicIssuerUrl: "http://localhost:18080/auth/realms/camunda-platform"

## @extra global.identity.auth.admin configuration to configure Connectors authentication specifics on global level, which can be accessed by other sub-charts
admin:
## @param global.identity.auth.admin.enabled if true, creates the admin client which is used in administration operations if needed.
enabled: false
## @param global.identity.auth.admin.clientId defines the client id.
clientId: admin
## @param global.identity.auth.admin.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
existingSecret:
## @param global.identity.auth.admin.existingSecretKey defines the key within the existing secret object.
existingSecretKey: admin-secret

#######################
# Management Group
#######################
Expand Down Expand Up @@ -427,6 +438,9 @@ identity:
## @param identity.firstUser.existingSecretKey defines the key within the existing secret object.
existingSecretKey: "identity-firstuser-password"

## @param identity.users configuration to configure properties of the Identity users, which can be used to access web applications.
users: []

## @extra identity.image configuration to configure the identity image specifics
image:
## @param identity.image.registry can be used to set container image registry.
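Review bot: The `@extra global.identity.auth.admin` annotation describes "Connectors authentication specifics", which is a copy-paste from the neighbouring block; the README row at line 20 of this commit carries the same wording, presumably generated from here, so fixing the annotation fixes both. Suggested text: `## @extra global.identity.auth.admin configuration of the admin client used for administration operations on global level, which can be accessed by other sub-charts`. The `existingSecret` annotation should also state the shapes the templates in this commit accept — a plain string taken as the secret value itself, or a map with `name` pointing at an existing Secret read through `existingSecretKey` — since the deployment branches on `typeIs "string"` and nothing in the values file says so. `existingSecret:` as a bare empty value parses as null; writing `existingSecret: null` (or `""` if the string form is meant to be the default) makes the intended default explicit to readers and to yamllint.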
