Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion charts/lifecycle-keycloak/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ apiVersion: v2
name: lifecycle-keycloak
description: Keycloak instance for Lifecycle stack with automated Operator-driven setup and imports
type: application
version: 0.7.3
version: 0.7.4
appVersion: 0.0.0
home: https://goodrxoss.github.io/helm-charts/charts/lifecycle-keycloak/

Expand Down
28 changes: 26 additions & 2 deletions charts/lifecycle-keycloak/templates/internal-realm-kri.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -35,9 +35,16 @@ spec:
sslRequired: "external"
registrationAllowed: false
duplicateEmailsAllowed: false
resetPasswordAllowed": false
resetPasswordAllowed: false
loginWithEmailAllowed: true
loginTheme: "lifecycle" # ref for login-theme-configmap.yaml
{{- if .Values.internalIdp.mapAdminRole }}
# --- REALM ROLES ---
roles:
realm:
- name: "admin"
description: "Administrator role with elevated privileges"
{{- end }}
accountTheme: "keycloak"
adminTheme: "keycloak"
emailTheme: "keycloak"
Expand All @@ -50,6 +57,10 @@ spec:
emailVerified: true
firstName: {{ .Values.internalIdp.users.bootstrapUser.firstName | quote }}
lastName: {{ .Values.internalIdp.users.bootstrapUser.lastName | quote }}
{{- if .Values.internalIdp.mapAdminRole }}
realmRoles:
- "admin"
{{- end }}
credentials:
- type: "password"
value: {{ .Values.internalIdp.users.bootstrapUser.password | quote }}
Expand All @@ -65,7 +76,7 @@ spec:
clientAuthenticatorType: "client-jwt"
attributes:
use.jwks.url: "true"
jwks.url: {{ printf "%s/realms/%s/protocol/openid-connect/certs" .Values.hostname .Values.realm | quote }}
jwks.url: {{ printf "%s/realms/%s/protocol/openid-connect/certs" ( .Values.internalIdp.internalUrl | default .Values.hostname ) .Values.realm | quote }}
token.endpoint.auth.signing.alg: "RS256"
publicClient: false
redirectUris:
Expand All @@ -78,3 +89,16 @@ spec:
authorizationServicesEnabled: false
defaultClientScopes: ["web-origins", "acr", "roles", "profile", "basic", "email"]
optionalClientScopes: ["address", "phone", "offline_access", "organization", "microprofile-jwt"]
{{- if .Values.internalIdp.mapAdminRole }}
protocolMappers:
- name: "realm roles"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-realm-role-mapper"
config:
claim.name: "realm_access.roles"
jsonType.label: "String"
multivalued: "true"
id.token.claim: "true"
access.token.claim: "true"
userinfo.token.claim: "true"
{{- end }}
16 changes: 14 additions & 2 deletions charts/lifecycle-keycloak/templates/lifecycle-realm-kri.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -141,8 +141,8 @@ spec:
clientId: {{ .Values.internalIdp.clientId | quote }}
clientAuthMethod: "private_key_jwt"
clientAssertionSigningAlg: "RS256"
tokenUrl: {{ printf "%s/realms/%s/protocol/openid-connect/token" .Values.hostname .Values.internalIdp.realm | quote }}
jwksUrl: {{ printf "%s/realms/%s/protocol/openid-connect/certs" .Values.hostname .Values.internalIdp.realm | quote }}
tokenUrl: {{ printf "%s/realms/%s/protocol/openid-connect/token" ( .Values.internalIdp.internalUrl | default .Values.hostname ) .Values.internalIdp.realm | quote }}
jwksUrl: {{ printf "%s/realms/%s/protocol/openid-connect/certs" ( .Values.internalIdp.internalUrl | default .Values.hostname ) .Values.internalIdp.realm | quote }}
authorizationUrl: {{ printf "%s/realms/%s/protocol/openid-connect/auth" .Values.hostname .Values.internalIdp.realm | quote }}
logoutUrl: {{ printf "%s/realms/%s/protocol/openid-connect/logout" .Values.hostname .Values.internalIdp.realm | quote }}
clientAssertionAudience: {{ printf "%s/realms/%s" .Values.hostname .Values.internalIdp.realm | quote }}
Expand Down Expand Up @@ -175,6 +175,17 @@ spec:
syncMode: "LEGACY"

identityProviderMappers:
{{- if .Values.internalIdp.mapAdminRole }}
- name: "Admin Role Mapper"
identityProviderAlias: "company-sso"
identityProviderMapper: "oidc-role-idp-mapper"
config:
syncMode: "FORCE"
claim: "realm_access.roles"
claim.value: "admin"
role: "admin"
{{- end }}

- name: "Github username"
identityProviderAlias: "github"
identityProviderMapper: "github-user-attribute-mapper"
Expand All @@ -191,6 +202,7 @@ spec:
userAttribute: "githubProfilePicture"
jsonField: "avatar_url"


# --- COMPONENTS (USER PROFILE) ---
components:
org.keycloak.userprofile.UserProfileProvider:
Expand Down
3 changes: 3 additions & 0 deletions charts/lifecycle-keycloak/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,8 @@ internalIdp:
realm: internal
displayName: "Internal SSO"
clientId: internal-sso-client
internalUrl: ""
mapAdminRole: false
users:
bootstrapUser:
username: lifecycle
Expand All @@ -73,6 +75,7 @@ internalIdp:
password: lifecycle
credsTemp: true


instances: 1

ingress:
Expand Down
Loading