From 66e6581f116a799c13005e58e15a7e900ef6735b Mon Sep 17 00:00:00 2001 From: Sebastian Wendel Date: Mon, 28 Nov 2022 10:27:34 +0100 Subject: [PATCH] latest changes --- .pre-commit-config.yaml | 5 - base/apps/keycloak/instance.yaml | 2 +- base/apps/keycloak/realm.yaml | 1742 ------------------- base/apps/kustomization.yaml | 2 +- base/charts/external-dns/kustomization.yaml | 11 + base/charts/external-dns/namespace.yaml | 5 + base/charts/external-dns/values.yaml | 11 + base/charts/gitea/values.yaml | 2 +- base/charts/kustomization.yaml | 1 + overlays/dev/keycloak/certificate.yaml | 4 +- 10 files changed, 33 insertions(+), 1752 deletions(-) delete mode 100644 base/apps/keycloak/realm.yaml create mode 100644 base/charts/external-dns/kustomization.yaml create mode 100644 base/charts/external-dns/namespace.yaml create mode 100644 base/charts/external-dns/values.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e518d25..97cb12f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -15,11 +15,6 @@ repos: - id: end-of-file-fixer - id: trailing-whitespace - - repo: https://github.com/crate-ci/typos - rev: v1.10.3 - hooks: - - id: typos - - repo: https://github.com/adrienverge/yamllint rev: v1.27.1 hooks: diff --git a/base/apps/keycloak/instance.yaml b/base/apps/keycloak/instance.yaml index 051d94a..7484846 100644 --- a/base/apps/keycloak/instance.yaml +++ b/base/apps/keycloak/instance.yaml @@ -5,7 +5,7 @@ metadata: name: fcos-keycloak spec: instances: 1 - hostname: id.localhost + hostname: id.dev.fabcity-hamburg.de serverConfiguration: - name: db value: postgres diff --git a/base/apps/keycloak/realm.yaml b/base/apps/keycloak/realm.yaml deleted file mode 100644 index 659d397..0000000 --- a/base/apps/keycloak/realm.yaml +++ /dev/null 
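Review bot: The new `hostname: id.dev.fabcity-hamburg.de` puts an environment-specific public name into `base/apps/keycloak/instance.yaml`, while the matching dev certificate change sits under `overlays/dev/keycloak/` per the diffstat, so every other overlay built from this base now inherits the dev hostname unless it patches it. In Keycloak the `hostname` value feeds the token issuer and the hostname-strict checks, so an overlay that forgets to override it would issue tokens for the wrong issuer; keeping base neutral and setting `spec.hostname: id.dev.fabcity-hamburg.de` via a strategic-merge patch on `metadata.name: fcos-keycloak` in the dev overlay would keep the base/overlay split honest. The same commit deletes `base/apps/keycloak/realm.yaml`, whose gitea client still carried `https://code.localhost/*` redirect URIs and web origins, so whatever now holds the realm definition should be moved to the new domain in the same change rather than left pointing at localhost. The rest of the Keycloak CR spec (TLS secret, ingress) is outside this hunk, so I cannot confirm the now-public hostname is actually served over TLS — worth verifying, given the removed realm relied on HSTS.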
@@ -1,1742 +0,0 @@ ---- -apiVersion: k8s.keycloak.org/v2alpha1 -kind: KeycloakRealmImport -metadata: - name: fcos-keycloak-realm-fcos -spec: - keycloakCRName: fcos-keycloak - realm: - accessCodeLifespan: 60 - accessCodeLifespanLogin: 1800 - accessCodeLifespanUserAction: 300 - accessTokenLifespan: 300 - accessTokenLifespanForImplicitFlow: 900 - actionTokenGeneratedByAdminLifespan: 43200 - actionTokenGeneratedByUserLifespan: 300 - adminEventsDetailsEnabled: false - adminEventsEnabled: false - attributes: - cibaAuthRequestedUserHint: login_hint - cibaBackchannelTokenDeliveryMode: poll - cibaExpiresIn: "120" - cibaInterval: "5" - clientOfflineSessionIdleTimeout: "0" - clientOfflineSessionMaxLifespan: "0" - clientSessionIdleTimeout: "0" - clientSessionMaxLifespan: "0" - oauth2DeviceCodeLifespan: "600" - oauth2DevicePollingInterval: "5" - parRequestUriLifespan: "60" - authenticationFlows: - - alias: Account verification options - authenticationExecutions: - - authenticator: idp-email-verification - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: ALTERNATIVE - userSetupAllowed: false - - authenticatorFlow: true - autheticatorFlow: true - flowAlias: Verify Existing Account by Re-authentication - priority: 20 - requirement: ALTERNATIVE - userSetupAllowed: false - builtIn: true - description: Method with which to verity the existing account - id: 36a26168-0e75-4189-a6aa-2ee9c4ecfe78 - providerId: basic-flow - topLevel: false - - alias: Authentication Options - authenticationExecutions: - - authenticator: basic-auth - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: REQUIRED - userSetupAllowed: false - - authenticator: basic-auth-otp - authenticatorFlow: false - autheticatorFlow: false - priority: 20 - requirement: DISABLED - userSetupAllowed: false - - authenticator: auth-spnego - authenticatorFlow: false - autheticatorFlow: false - priority: 30 - requirement: DISABLED - userSetupAllowed: false - builtIn: true 
- description: Authentication options. - id: c3764df0-a8fe-46cd-b0c8-9e3e9a3beaa7 - providerId: basic-flow - topLevel: false - - alias: Browser - Conditional OTP - authenticationExecutions: - - authenticator: conditional-user-configured - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: REQUIRED - userSetupAllowed: false - - authenticator: auth-otp-form - authenticatorFlow: false - autheticatorFlow: false - priority: 20 - requirement: REQUIRED - userSetupAllowed: false - builtIn: true - description: Flow to determine if the OTP is required for the authentication - id: b73c4aca-5c37-4788-8fd4-12e37a030c9f - providerId: basic-flow - topLevel: false - - alias: Direct Grant - Conditional OTP - authenticationExecutions: - - authenticator: conditional-user-configured - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: REQUIRED - userSetupAllowed: false - - authenticator: direct-grant-validate-otp - authenticatorFlow: false - autheticatorFlow: false - priority: 20 - requirement: REQUIRED - userSetupAllowed: false - builtIn: true - description: Flow to determine if the OTP is required for the authentication - id: acad43d1-d07b-4688-88b5-f0cdccb510aa - providerId: basic-flow - topLevel: false - - alias: First broker login - Conditional OTP - authenticationExecutions: - - authenticator: conditional-user-configured - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: REQUIRED - userSetupAllowed: false - - authenticator: auth-otp-form - authenticatorFlow: false - autheticatorFlow: false - priority: 20 - requirement: REQUIRED - userSetupAllowed: false - builtIn: true - description: Flow to determine if the OTP is required for the authentication - id: f199cdb4-4f81-4219-8fef-6de25f2449ae - providerId: basic-flow - topLevel: false - - alias: Handle Existing Account - authenticationExecutions: - - authenticator: idp-confirm-link - authenticatorFlow: false - autheticatorFlow: false - 
priority: 10 - requirement: REQUIRED - userSetupAllowed: false - - authenticatorFlow: true - autheticatorFlow: true - flowAlias: Account verification options - priority: 20 - requirement: REQUIRED - userSetupAllowed: false - builtIn: true - description: - Handle what to do if there is existing account with same email/username - like authenticated identity provider - id: 4467a8e4-3d30-4454-8be1-1f7603470ab0 - providerId: basic-flow - topLevel: false - - alias: Reset - Conditional OTP - authenticationExecutions: - - authenticator: conditional-user-configured - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: REQUIRED - userSetupAllowed: false - - authenticator: reset-otp - authenticatorFlow: false - autheticatorFlow: false - priority: 20 - requirement: REQUIRED - userSetupAllowed: false - builtIn: true - description: - Flow to determine if the OTP should be reset or not. Set to REQUIRED - to force. - id: 835086ab-1fe4-4ac2-badb-1d24b2821154 - providerId: basic-flow - topLevel: false - - alias: User creation or linking - authenticationExecutions: - - authenticator: idp-create-user-if-unique - authenticatorConfig: create unique user config - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: ALTERNATIVE - userSetupAllowed: false - - authenticatorFlow: true - autheticatorFlow: true - flowAlias: Handle Existing Account - priority: 20 - requirement: ALTERNATIVE - userSetupAllowed: false - builtIn: true - description: Flow for the existing/non-existing user alternatives - id: c9682ef1-608e-4a95-9523-589e21e7e806 - providerId: basic-flow - topLevel: false - - alias: Verify Existing Account by Re-authentication - authenticationExecutions: - - authenticator: idp-username-password-form - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: REQUIRED - userSetupAllowed: false - - authenticatorFlow: true - autheticatorFlow: true - flowAlias: First broker login - Conditional OTP - priority: 
20 - requirement: CONDITIONAL - userSetupAllowed: false - builtIn: true - description: Reauthentication of existing account - id: 5e765fd1-2ead-4a69-b3de-6d39c1a7205c - providerId: basic-flow - topLevel: false - - alias: browser - authenticationExecutions: - - authenticator: auth-cookie - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: ALTERNATIVE - userSetupAllowed: false - - authenticator: auth-spnego - authenticatorFlow: false - autheticatorFlow: false - priority: 20 - requirement: DISABLED - userSetupAllowed: false - - authenticator: identity-provider-redirector - authenticatorFlow: false - autheticatorFlow: false - priority: 25 - requirement: ALTERNATIVE - userSetupAllowed: false - - authenticatorFlow: true - autheticatorFlow: true - flowAlias: forms - priority: 30 - requirement: ALTERNATIVE - userSetupAllowed: false - builtIn: true - description: browser based authentication - id: e6014eb8-8834-431a-8c49-14fffd4ffa51 - providerId: basic-flow - topLevel: true - - alias: clients - authenticationExecutions: - - authenticator: client-secret - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: ALTERNATIVE - userSetupAllowed: false - - authenticator: client-jwt - authenticatorFlow: false - autheticatorFlow: false - priority: 20 - requirement: ALTERNATIVE - userSetupAllowed: false - - authenticator: client-secret-jwt - authenticatorFlow: false - autheticatorFlow: false - priority: 30 - requirement: ALTERNATIVE - userSetupAllowed: false - - authenticator: client-x509 - authenticatorFlow: false - autheticatorFlow: false - priority: 40 - requirement: ALTERNATIVE - userSetupAllowed: false - builtIn: true - description: Base authentication for clients - id: 97a6bada-407b-4375-adf5-d7f2808d8bbe - providerId: client-flow - topLevel: true - - alias: direct grant - authenticationExecutions: - - authenticator: direct-grant-validate-username - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - 
requirement: REQUIRED - userSetupAllowed: false - - authenticator: direct-grant-validate-password - authenticatorFlow: false - autheticatorFlow: false - priority: 20 - requirement: REQUIRED - userSetupAllowed: false - - authenticatorFlow: true - autheticatorFlow: true - flowAlias: Direct Grant - Conditional OTP - priority: 30 - requirement: CONDITIONAL - userSetupAllowed: false - builtIn: true - description: OpenID Connect Resource Owner Grant - id: 80f04414-1efb-4f3d-9308-79f22c9aab63 - providerId: basic-flow - topLevel: true - - alias: docker auth - authenticationExecutions: - - authenticator: docker-http-basic-authenticator - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: REQUIRED - userSetupAllowed: false - builtIn: true - description: Used by Docker clients to authenticate against the IDP - id: 7be0d885-e452-4c53-8f46-c2477aa3b2e9 - providerId: basic-flow - topLevel: true - - alias: first broker login - authenticationExecutions: - - authenticator: idp-review-profile - authenticatorConfig: review profile config - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: REQUIRED - userSetupAllowed: false - - authenticatorFlow: true - autheticatorFlow: true - flowAlias: User creation or linking - priority: 20 - requirement: REQUIRED - userSetupAllowed: false - builtIn: true - description: - Actions taken after first broker login with identity provider account, - which is not yet linked to any Keycloak account - id: 74dc5597-261c-46bc-9575-bdd8da35b277 - providerId: basic-flow - topLevel: true - - alias: forms - authenticationExecutions: - - authenticator: auth-username-password-form - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: REQUIRED - userSetupAllowed: false - - authenticatorFlow: true - autheticatorFlow: true - flowAlias: Browser - Conditional OTP - priority: 20 - requirement: CONDITIONAL - userSetupAllowed: false - builtIn: true - description: Username, password, 
otp and other auth forms. - id: c66738ba-ab41-4580-ab4d-3398c23dd01b - providerId: basic-flow - topLevel: false - - alias: http challenge - authenticationExecutions: - - authenticator: no-cookie-redirect - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: REQUIRED - userSetupAllowed: false - - authenticatorFlow: true - autheticatorFlow: true - flowAlias: Authentication Options - priority: 20 - requirement: REQUIRED - userSetupAllowed: false - builtIn: true - description: - An authentication flow based on challenge-response HTTP Authentication - Schemes - id: afa818e1-f903-4056-835e-faebb39ef2ab - providerId: basic-flow - topLevel: true - - alias: registration - authenticationExecutions: - - authenticator: registration-page-form - authenticatorFlow: true - autheticatorFlow: true - flowAlias: registration form - priority: 10 - requirement: REQUIRED - userSetupAllowed: false - builtIn: true - description: registration flow - id: 703e03db-21da-4753-af36-b02f07eaff49 - providerId: basic-flow - topLevel: true - - alias: registration form - authenticationExecutions: - - authenticator: registration-user-creation - authenticatorFlow: false - autheticatorFlow: false - priority: 20 - requirement: REQUIRED - userSetupAllowed: false - - authenticator: registration-profile-action - authenticatorFlow: false - autheticatorFlow: false - priority: 40 - requirement: REQUIRED - userSetupAllowed: false - - authenticator: registration-password-action - authenticatorFlow: false - autheticatorFlow: false - priority: 50 - requirement: REQUIRED - userSetupAllowed: false - - authenticator: registration-recaptcha-action - authenticatorFlow: false - autheticatorFlow: false - priority: 60 - requirement: DISABLED - userSetupAllowed: false - builtIn: true - description: registration form - id: 3477b1ee-aaeb-4879-899f-61248ecfb50f - providerId: form-flow - topLevel: false - - alias: reset credentials - authenticationExecutions: - - authenticator: 
reset-credentials-choose-user - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: REQUIRED - userSetupAllowed: false - - authenticator: reset-credential-email - authenticatorFlow: false - autheticatorFlow: false - priority: 20 - requirement: REQUIRED - userSetupAllowed: false - - authenticator: reset-password - authenticatorFlow: false - autheticatorFlow: false - priority: 30 - requirement: REQUIRED - userSetupAllowed: false - - authenticatorFlow: true - autheticatorFlow: true - flowAlias: Reset - Conditional OTP - priority: 40 - requirement: CONDITIONAL - userSetupAllowed: false - builtIn: true - description: Reset credentials for a user if they forgot their password or something - id: a2fc8dd3-2c73-41c7-8322-8b4b6bde63a6 - providerId: basic-flow - topLevel: true - - alias: saml ecp - authenticationExecutions: - - authenticator: http-basic-authenticator - authenticatorFlow: false - autheticatorFlow: false - priority: 10 - requirement: REQUIRED - userSetupAllowed: false - builtIn: true - description: SAML ECP Profile Authentication Flow - id: 204de4e0-ad0c-4b19-9907-891273c21f98 - providerId: basic-flow - topLevel: true - authenticatorConfig: - - alias: create unique user config - config: - require.password.update.after.registration: "false" - id: 3379bbe0-8100-4f3d-8c5b-975ab184862d - - alias: review profile config - config: - update.profile.on.first.login: missing - id: af9628e1-3298-47c6-8e34-567901d565d3 - browserFlow: browser - browserSecurityHeaders: - contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none'; - contentSecurityPolicyReportOnly: "" - strictTransportSecurity: max-age=31536000; includeSubDomains - xContentTypeOptions: nosniff - xFrameOptions: SAMEORIGIN - xRobotsTag: none - xXSSProtection: 1; mode=block - bruteForceProtected: false - clientAuthenticationFlow: clients - clientOfflineSessionIdleTimeout: 0 - clientOfflineSessionMaxLifespan: 0 - clientPolicies: - policies: [] - clientProfiles: 
- profiles: [] - clientScopeMappings: - account: - - client: account-console - roles: - - manage-account - clientScopes: - - attributes: - consent.screen.text: ${phoneScopeConsentText} - display.on.consent.screen: "true" - include.in.token.scope: "true" - description: "OpenID Connect built-in scope: phone" - id: 595abb89-0a89-4ca4-bde9-aadeae2129cc - name: phone - protocol: openid-connect - protocolMappers: - - config: - access.token.claim: "true" - claim.name: phone_number - id.token.claim: "true" - jsonType.label: String - user.attribute: phoneNumber - userinfo.token.claim: "true" - consentRequired: false - id: 0a8e871f-4344-4670-bb6b-7c5f38e431c9 - name: phone number - protocol: openid-connect - protocolMapper: oidc-usermodel-attribute-mapper - - config: - access.token.claim: "true" - claim.name: phone_number_verified - id.token.claim: "true" - jsonType.label: boolean - user.attribute: phoneNumberVerified - userinfo.token.claim: "true" - consentRequired: false - id: 567fb19f-9be2-4214-a58c-2099d0936f7d - name: phone number verified - protocol: openid-connect - protocolMapper: oidc-usermodel-attribute-mapper - - attributes: - consent.screen.text: "" - display.on.consent.screen: "false" - include.in.token.scope: "false" - description: OpenID Connect scope for add allowed web origins to the access token - id: 16908f37-6df3-4891-ae89-b7e43ca1ad1a - name: web-origins - protocol: openid-connect - protocolMappers: - - config: {} - consentRequired: false - id: ab28ff4e-e035-4cdc-9701-268d4f73587f - name: allowed web origins - protocol: openid-connect - protocolMapper: oidc-allowed-origins-mapper - - attributes: - display.on.consent.screen: "false" - include.in.token.scope: "true" - description: Microprofile - JWT built-in scope - id: dacca0d6-b20f-4e1c-9494-68e56d79c914 - name: microprofile-jwt - protocol: openid-connect - protocolMappers: - - config: - access.token.claim: "true" - claim.name: groups - id.token.claim: "true" - jsonType.label: String - multivalued: 
"true" - user.attribute: foo - consentRequired: false - id: 3355a2a1-6ec0-4766-86ac-babb06332fb5 - name: groups - protocol: openid-connect - protocolMapper: oidc-usermodel-realm-role-mapper - - config: - access.token.claim: "true" - claim.name: upn - id.token.claim: "true" - jsonType.label: String - user.attribute: username - userinfo.token.claim: "true" - consentRequired: false - id: 81ff519d-6a11-44ab-9284-e7cb7700c1df - name: upn - protocol: openid-connect - protocolMapper: oidc-usermodel-property-mapper - - attributes: - consent.screen.text: ${offlineAccessScopeConsentText} - display.on.consent.screen: "true" - description: "OpenID Connect built-in scope: offline_access" - id: 2ebc29d4-708c-482a-87b5-dacd90da3c71 - name: offline_access - protocol: openid-connect - - attributes: - consent.screen.text: ${profileScopeConsentText} - display.on.consent.screen: "true" - include.in.token.scope: "true" - description: "OpenID Connect built-in scope: profile" - id: 4e90dadb-68a9-4551-9bc7-ea366f2c115f - name: profile - protocol: openid-connect - protocolMappers: - - config: - access.token.claim: "true" - claim.name: locale - id.token.claim: "true" - jsonType.label: String - user.attribute: locale - userinfo.token.claim: "true" - consentRequired: false - id: c18323c4-cba0-4f19-9b58-16cf3fb6a9e7 - name: locale - protocol: openid-connect - protocolMapper: oidc-usermodel-attribute-mapper - - config: - access.token.claim: "true" - claim.name: picture - id.token.claim: "true" - jsonType.label: String - user.attribute: picture - userinfo.token.claim: "true" - consentRequired: false - id: 67c10665-63a7-4d9b-a3dc-6bbbc18be220 - name: picture - protocol: openid-connect - protocolMapper: oidc-usermodel-attribute-mapper - - config: - access.token.claim: "true" - claim.name: birthdate - id.token.claim: "true" - jsonType.label: String - user.attribute: birthdate - userinfo.token.claim: "true" - consentRequired: false - id: e1ba37db-180c-4448-bcba-3ba64a13973a - name: birthdate - 
protocol: openid-connect - protocolMapper: oidc-usermodel-attribute-mapper - - config: - access.token.claim: "true" - claim.name: nickname - id.token.claim: "true" - jsonType.label: String - user.attribute: nickname - userinfo.token.claim: "true" - consentRequired: false - id: 0c5477b7-44a5-4ea5-ba5b-f4891eb17924 - name: nickname - protocol: openid-connect - protocolMapper: oidc-usermodel-attribute-mapper - - config: - access.token.claim: "true" - claim.name: updated_at - id.token.claim: "true" - jsonType.label: long - user.attribute: updatedAt - userinfo.token.claim: "true" - consentRequired: false - id: 1703ddd9-181f-4eba-90dc-a2f5cad1e8f9 - name: updated at - protocol: openid-connect - protocolMapper: oidc-usermodel-attribute-mapper - - config: - access.token.claim: "true" - claim.name: family_name - id.token.claim: "true" - jsonType.label: String - user.attribute: lastName - userinfo.token.claim: "true" - consentRequired: false - id: d386db89-7b87-446a-a487-c1ba2caf5da7 - name: family name - protocol: openid-connect - protocolMapper: oidc-usermodel-property-mapper - - config: - access.token.claim: "true" - claim.name: given_name - id.token.claim: "true" - jsonType.label: String - user.attribute: firstName - userinfo.token.claim: "true" - consentRequired: false - id: 56c38e83-d49c-4a52-9985-486f2fca8d0d - name: given name - protocol: openid-connect - protocolMapper: oidc-usermodel-property-mapper - - config: - access.token.claim: "true" - claim.name: zoneinfo - id.token.claim: "true" - jsonType.label: String - user.attribute: zoneinfo - userinfo.token.claim: "true" - consentRequired: false - id: 8a8b8ff2-ff7f-4e87-97e7-abb1f4b30bc9 - name: zoneinfo - protocol: openid-connect - protocolMapper: oidc-usermodel-attribute-mapper - - config: - access.token.claim: "true" - id.token.claim: "true" - userinfo.token.claim: "true" - consentRequired: false - id: eeadf444-9fd4-4498-887a-26b81f57dc7f - name: full name - protocol: openid-connect - protocolMapper: 
oidc-full-name-mapper - - config: - access.token.claim: "true" - claim.name: middle_name - id.token.claim: "true" - jsonType.label: String - user.attribute: middleName - userinfo.token.claim: "true" - consentRequired: false - id: 936a7f51-942b-48ad-96b8-5d71a0e5882b - name: middle name - protocol: openid-connect - protocolMapper: oidc-usermodel-attribute-mapper - - config: - access.token.claim: "true" - claim.name: profile - id.token.claim: "true" - jsonType.label: String - user.attribute: profile - userinfo.token.claim: "true" - consentRequired: false - id: d4858873-0a13-4638-9568-13560b227645 - name: profile - protocol: openid-connect - protocolMapper: oidc-usermodel-attribute-mapper - - config: - access.token.claim: "true" - claim.name: website - id.token.claim: "true" - jsonType.label: String - user.attribute: website - userinfo.token.claim: "true" - consentRequired: false - id: 480406b1-5518-4db2-8168-42a98685e562 - name: website - protocol: openid-connect - protocolMapper: oidc-usermodel-attribute-mapper - - config: - access.token.claim: "true" - claim.name: gender - id.token.claim: "true" - jsonType.label: String - user.attribute: gender - userinfo.token.claim: "true" - consentRequired: false - id: ec5e2347-12b6-42dd-9e0a-e1394906d109 - name: gender - protocol: openid-connect - protocolMapper: oidc-usermodel-attribute-mapper - - config: - access.token.claim: "true" - claim.name: preferred_username - id.token.claim: "true" - jsonType.label: String - user.attribute: username - userinfo.token.claim: "true" - consentRequired: false - id: 7bca0c9c-7afa-4dbc-b2a4-9344dc20546c - name: username - protocol: openid-connect - protocolMapper: oidc-usermodel-property-mapper - - attributes: - consent.screen.text: ${samlRoleListScopeConsentText} - display.on.consent.screen: "true" - description: SAML role list - id: a49f6ed3-bf3e-4528-aed6-7d08f49a2155 - name: role_list - protocol: saml - protocolMappers: - - config: - attribute.name: Role - attribute.nameformat: Basic - 
single: "false" - consentRequired: false - id: 22a0423f-d8d3-498f-904d-780923046434 - name: role list - protocol: saml - protocolMapper: saml-role-list-mapper - - attributes: - consent.screen.text: ${emailScopeConsentText} - display.on.consent.screen: "true" - include.in.token.scope: "true" - description: "OpenID Connect built-in scope: email" - id: dfea39e8-bd93-4fe6-9096-4a4dc7c944f6 - name: email - protocol: openid-connect - protocolMappers: - - config: - access.token.claim: "true" - claim.name: email_verified - id.token.claim: "true" - jsonType.label: boolean - user.attribute: emailVerified - userinfo.token.claim: "true" - consentRequired: false - id: 80384ec1-aa0c-455a-98d6-f29c6d597f3f - name: email verified - protocol: openid-connect - protocolMapper: oidc-usermodel-property-mapper - - config: - access.token.claim: "true" - claim.name: email - id.token.claim: "true" - jsonType.label: String - user.attribute: email - userinfo.token.claim: "true" - consentRequired: false - id: 7d1f9404-0946-4feb-bac7-04a254fbaf53 - name: email - protocol: openid-connect - protocolMapper: oidc-usermodel-property-mapper - - attributes: - consent.screen.text: ${rolesScopeConsentText} - display.on.consent.screen: "true" - include.in.token.scope: "false" - description: OpenID Connect scope for add user roles to the access token - id: d8d3c7df-247d-44de-a18b-cbc1c900671f - name: roles - protocol: openid-connect - protocolMappers: - - config: {} - consentRequired: false - id: e5fd07b9-a571-4cac-a618-dd0c2ed31807 - name: audience resolve - protocol: openid-connect - protocolMapper: oidc-audience-resolve-mapper - - config: - access.token.claim: "true" - claim.name: realm_access.roles - jsonType.label: String - multivalued: "true" - user.attribute: foo - consentRequired: false - id: bed57a1a-92ae-4e81-897d-4f4a495fdaa4 - name: realm roles - protocol: openid-connect - protocolMapper: oidc-usermodel-realm-role-mapper - - config: - access.token.claim: "true" - claim.name: 
resource_access.${client_id}.roles - jsonType.label: String - multivalued: "true" - user.attribute: foo - consentRequired: false - id: 4ac4c30b-b94b-4aab-87c0-0b29407c5bfd - name: client roles - protocol: openid-connect - protocolMapper: oidc-usermodel-client-role-mapper - - attributes: - display.on.consent.screen: "false" - include.in.token.scope: "false" - description: - OpenID Connect scope for add acr (authentication context class reference) - to the token - id: 8e5da383-c0bc-4f74-a470-9b955d62b48d - name: acr - protocol: openid-connect - protocolMappers: - - config: - access.token.claim: "true" - id.token.claim: "true" - consentRequired: false - id: c78faeaa-a0e8-43a5-8c03-ca52fba6dcb1 - name: acr loa level - protocol: openid-connect - protocolMapper: oidc-acr-mapper - - attributes: - consent.screen.text: ${addressScopeConsentText} - display.on.consent.screen: "true" - include.in.token.scope: "true" - description: "OpenID Connect built-in scope: address" - id: ff1a7a07-f870-40d6-88f3-4fd3064311ad - name: address - protocol: openid-connect - protocolMappers: - - config: - access.token.claim: "true" - id.token.claim: "true" - user.attribute.country: country - user.attribute.formatted: formatted - user.attribute.locality: locality - user.attribute.postal_code: postal_code - user.attribute.region: region - user.attribute.street: street - userinfo.token.claim: "true" - consentRequired: false - id: 79996945-c538-4ebd-bab8-fc195ed58d6b - name: address - protocol: openid-connect - protocolMapper: oidc-address-mapper - clientSessionIdleTimeout: 0 - clientSessionMaxLifespan: 0 - clients: - - alwaysDisplayInConsole: false - attributes: {} - authenticationFlowBindingOverrides: {} - baseUrl: /realms/FCOS/account/ - bearerOnly: false - clientAuthenticatorType: client-secret - clientId: account - consentRequired: false - defaultClientScopes: - - web-origins - - acr - - profile - - roles - - email - directAccessGrantsEnabled: false - enabled: true - frontchannelLogout: false 
- fullScopeAllowed: false - id: e48e2348-19e8-4885-b185-89f5fc4c8678 - implicitFlowEnabled: false - name: ${client_account} - nodeReRegistrationTimeout: 0 - notBefore: 0 - optionalClientScopes: - - address - - phone - - offline_access - - microprofile-jwt - protocol: openid-connect - publicClient: true - redirectUris: - - /realms/FCOS/account/* - rootUrl: ${authBaseUrl} - serviceAccountsEnabled: false - standardFlowEnabled: true - surrogateAuthRequired: false - webOrigins: [] - - alwaysDisplayInConsole: false - attributes: - pkce.code.challenge.method: S256 - authenticationFlowBindingOverrides: {} - baseUrl: /realms/FCOS/account/ - bearerOnly: false - clientAuthenticatorType: client-secret - clientId: account-console - consentRequired: false - defaultClientScopes: - - web-origins - - acr - - profile - - roles - - email - directAccessGrantsEnabled: false - enabled: true - frontchannelLogout: false - fullScopeAllowed: false - id: 7bd4ff0a-43e6-4a64-9838-27606e7f1883 - implicitFlowEnabled: false - name: ${client_account-console} - nodeReRegistrationTimeout: 0 - notBefore: 0 - optionalClientScopes: - - address - - phone - - offline_access - - microprofile-jwt - protocol: openid-connect - protocolMappers: - - config: {} - consentRequired: false - id: a672a105-0a1c-4866-83fe-942fb1ffddee - name: audience resolve - protocol: openid-connect - protocolMapper: oidc-audience-resolve-mapper - publicClient: true - redirectUris: - - /realms/FCOS/account/* - rootUrl: ${authBaseUrl} - serviceAccountsEnabled: false - standardFlowEnabled: true - surrogateAuthRequired: false - webOrigins: [] - - alwaysDisplayInConsole: false - attributes: {} - authenticationFlowBindingOverrides: {} - bearerOnly: false - clientAuthenticatorType: client-secret - clientId: admin-cli - consentRequired: false - defaultClientScopes: - - web-origins - - acr - - profile - - roles - - email - directAccessGrantsEnabled: true - enabled: true - frontchannelLogout: false - fullScopeAllowed: false - id: 
87a15c32-f017-4024-9e67-36ee52bfa010 - implicitFlowEnabled: false - name: ${client_admin-cli} - nodeReRegistrationTimeout: 0 - notBefore: 0 - optionalClientScopes: - - address - - phone - - offline_access - - microprofile-jwt - protocol: openid-connect - publicClient: true - redirectUris: [] - serviceAccountsEnabled: false - standardFlowEnabled: false - surrogateAuthRequired: false - webOrigins: [] - - alwaysDisplayInConsole: false - attributes: {} - authenticationFlowBindingOverrides: {} - bearerOnly: true - clientAuthenticatorType: client-secret - clientId: broker - consentRequired: false - defaultClientScopes: - - web-origins - - acr - - profile - - roles - - email - directAccessGrantsEnabled: false - enabled: true - frontchannelLogout: false - fullScopeAllowed: false - id: 1b3d41b6-c46c-4467-bd89-aeb245d9bc27 - implicitFlowEnabled: false - name: ${client_broker} - nodeReRegistrationTimeout: 0 - notBefore: 0 - optionalClientScopes: - - address - - phone - - offline_access - - microprofile-jwt - protocol: openid-connect - publicClient: false - redirectUris: [] - serviceAccountsEnabled: false - standardFlowEnabled: true - surrogateAuthRequired: false - webOrigins: [] - - adminUrl: https://code.localhost/ - alwaysDisplayInConsole: false - attributes: - acr.loa.map: "{}" - backchannel.logout.revoke.offline.tokens: "false" - backchannel.logout.session.required: "true" - client.secret.creation.time: "1659197992" - client_credentials.use_refresh_token: "false" - display.on.consent.screen: "false" - exclude.session.state.from.auth.response: "false" - frontchannel.logout.session.required: "false" - id.token.as.detached.signature: "false" - jwt.credential.certificate: 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 - logoUri: https://code.localhost/assets/img/logo.svg - oauth2.device.authorization.grant.enabled: "false" - oidc.ciba.grant.enabled: "false" - require.pushed.authorization.requests: "false" - saml.allow.ecp.flow: "false" - saml.artifact.binding: "false" 
- saml.assertion.signature: "false" - saml.authnstatement: "false" - saml.client.signature: "false" - saml.encrypt: "false" - saml.force.post.binding: "false" - saml.multivalued.roles: "false" - saml.onetimeuse.condition: "false" - saml.server.signature: "false" - saml.server.signature.keyinfo.ext: "false" - saml_force_name_id_format: "false" - tls.client.certificate.bound.access.tokens: "false" - token.response.type.bearer.lower-case: "false" - use.refresh.tokens: "true" - authenticationFlowBindingOverrides: {} - baseUrl: https://code.localhost/ - bearerOnly: false - clientAuthenticatorType: client-secret - clientId: gitea - consentRequired: false - defaultClientScopes: - - web-origins - - acr - - profile - - roles - - email - directAccessGrantsEnabled: true - enabled: true - frontchannelLogout: false - fullScopeAllowed: true - id: d6440c47-e878-4db5-84b4-dd4f6189eec0 - implicitFlowEnabled: false - nodeReRegistrationTimeout: -1 - notBefore: 0 - optionalClientScopes: - - address - - phone - - offline_access - - microprofile-jwt - protocol: openid-connect - publicClient: false - redirectUris: - - https://code.localhost/* - rootUrl: https://code.localhost/ - secret: "**********" - serviceAccountsEnabled: false - standardFlowEnabled: true - surrogateAuthRequired: false - webOrigins: - - https://code.localhost - - alwaysDisplayInConsole: false - attributes: {} - authenticationFlowBindingOverrides: {} - bearerOnly: true - clientAuthenticatorType: client-secret - clientId: realm-management - consentRequired: false - defaultClientScopes: - - web-origins - - acr - - profile - - roles - - email - directAccessGrantsEnabled: false - enabled: true - frontchannelLogout: false - fullScopeAllowed: false - id: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - implicitFlowEnabled: false - name: ${client_realm-management} - nodeReRegistrationTimeout: 0 - notBefore: 0 - optionalClientScopes: - - address - - phone - - offline_access - - microprofile-jwt - protocol: openid-connect - publicClient: 
false - redirectUris: [] - serviceAccountsEnabled: false - standardFlowEnabled: true - surrogateAuthRequired: false - webOrigins: [] - - alwaysDisplayInConsole: false - attributes: - pkce.code.challenge.method: S256 - authenticationFlowBindingOverrides: {} - baseUrl: /admin/FCOS/console/ - bearerOnly: false - clientAuthenticatorType: client-secret - clientId: security-admin-console - consentRequired: false - defaultClientScopes: - - web-origins - - acr - - profile - - roles - - email - directAccessGrantsEnabled: false - enabled: true - frontchannelLogout: false - fullScopeAllowed: false - id: f0dcfd6d-0727-494f-99da-623440fce890 - implicitFlowEnabled: false - name: ${client_security-admin-console} - nodeReRegistrationTimeout: 0 - notBefore: 0 - optionalClientScopes: - - address - - phone - - offline_access - - microprofile-jwt - protocol: openid-connect - protocolMappers: - - config: - access.token.claim: "true" - claim.name: locale - id.token.claim: "true" - jsonType.label: String - user.attribute: locale - userinfo.token.claim: "true" - consentRequired: false - id: 971f4b36-499e-415a-9eff-ca169a179936 - name: locale - protocol: openid-connect - protocolMapper: oidc-usermodel-attribute-mapper - publicClient: true - redirectUris: - - /admin/FCOS/console/* - rootUrl: ${authAdminUrl} - serviceAccountsEnabled: false - standardFlowEnabled: true - surrogateAuthRequired: false - webOrigins: - - + - components: - org.keycloak.keys.KeyProvider: - - config: - priority: - - "100" - id: b279908d-5db3-4731-b611-631a775b6f1e - name: rsa-generated - providerId: rsa-generated - subComponents: {} - - config: - algorithm: - - RSA-OAEP - priority: - - "100" - id: ecd9d203-f52a-4be3-8ecb-8a1febcfd920 - name: rsa-enc-generated - providerId: rsa-enc-generated - subComponents: {} - - config: - priority: - - "100" - id: fb81b872-d412-4ce3-85c9-b938ccff3a21 - name: aes-generated - providerId: aes-generated - subComponents: {} - - config: - algorithm: - - HS256 - priority: - - "100" - id: 
e25549ad-5764-48e5-811e-5d55933cccb1 - name: hmac-generated - providerId: hmac-generated - subComponents: {} - org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy: - - config: - allow-default-scopes: - - "true" - id: 956a3c65-191e-4ce9-811b-92c6e0aecd64 - name: Allowed Client Scopes - providerId: allowed-client-templates - subComponents: {} - subType: authenticated - - config: {} - id: dcf4e968-e765-4463-8f6a-9efe9641f1c8 - name: Full Scope Disabled - providerId: scope - subComponents: {} - subType: anonymous - - config: - allowed-protocol-mapper-types: - - saml-user-attribute-mapper - - oidc-sha256-pairwise-sub-mapper - - saml-role-list-mapper - - oidc-usermodel-property-mapper - - oidc-full-name-mapper - - oidc-address-mapper - - oidc-usermodel-attribute-mapper - - saml-user-property-mapper - id: 0b9ec446-4576-47a3-b4e4-e148d1cc34eb - name: Allowed Protocol Mapper Types - providerId: allowed-protocol-mappers - subComponents: {} - subType: authenticated - - config: - allowed-protocol-mapper-types: - - oidc-usermodel-attribute-mapper - - oidc-full-name-mapper - - saml-user-property-mapper - - oidc-usermodel-property-mapper - - oidc-address-mapper - - saml-role-list-mapper - - oidc-sha256-pairwise-sub-mapper - - saml-user-attribute-mapper - id: d62669ab-bef4-445a-8af9-c4a9c5ba185c - name: Allowed Protocol Mapper Types - providerId: allowed-protocol-mappers - subComponents: {} - subType: anonymous - - config: - max-clients: - - "200" - id: 99bded69-c8e1-4d7b-bedf-dc3b9adc3df0 - name: Max Clients Limit - providerId: max-clients - subComponents: {} - subType: anonymous - - config: - allow-default-scopes: - - "true" - id: c81c78dc-690c-4a49-9d29-4efb2a779e1f - name: Allowed Client Scopes - providerId: allowed-client-templates - subComponents: {} - subType: anonymous - - config: - client-uris-must-match: - - "true" - host-sending-registration-request-must-match: - - "true" - id: f0b635ca-4683-4cde-9c2a-6d2f724b6af4 - name: Trusted Hosts - providerId: 
trusted-hosts - subComponents: {} - subType: anonymous - - config: {} - id: f533e43e-a477-44a4-a057-b509faec1b35 - name: Consent Required - providerId: consent-required - subComponents: {} - subType: anonymous - org.keycloak.userprofile.UserProfileProvider: - - config: {} - id: a50af860-ae3e-4ea3-bbbb-3395468e99a5 - providerId: declarative-user-profile - subComponents: {} - defaultDefaultClientScopes: - - role_list - - profile - - email - - roles - - web-origins - - acr - defaultOptionalClientScopes: - - offline_access - - address - - phone - - microprofile-jwt - defaultRole: - clientRole: false - composite: true - containerId: FCOS - description: ${role_default-roles} - id: 8236985f-5c47-4ae8-a082-bcdf043bfb1a - name: default-roles-fcos - defaultSignatureAlgorithm: RS256 - directGrantFlow: direct grant - dockerAuthenticationFlow: docker auth - duplicateEmailsAllowed: false - editUsernameAllowed: false - enabled: true - enabledEventTypes: [] - eventsEnabled: false - eventsListeners: - - jboss-logging - failureFactor: 30 - groups: - - attributes: {} - clientRoles: {} - id: cd3663b9-c680-44ca-9002-28eabadfd2e1 - name: git-admin - path: /git-admin - realmRoles: [] - subGroups: [] - - attributes: {} - clientRoles: {} - id: 81c58533-c852-4793-8707-852941c41f9f - name: git-user - path: /git-user - realmRoles: [] - subGroups: [] - id: FCOS - identityProviderMappers: [] - identityProviders: [] - internationalizationEnabled: false - keycloakVersion: 18.0.2 - loginWithEmailAllowed: true - maxDeltaTimeSeconds: 43200 - maxFailureWaitSeconds: 900 - minimumQuickLoginWaitSeconds: 60 - notBefore: 0 - oauth2DeviceCodeLifespan: 600 - oauth2DevicePollingInterval: 5 - offlineSessionIdleTimeout: 2592000 - offlineSessionMaxLifespan: 5184000 - offlineSessionMaxLifespanEnabled: false - otpPolicyAlgorithm: HmacSHA1 - otpPolicyDigits: 6 - otpPolicyInitialCounter: 0 - otpPolicyLookAheadWindow: 1 - otpPolicyPeriod: 30 - otpPolicyType: totp - otpSupportedApplications: - - FreeOTP - - Google 
Authenticator - permanentLockout: false - quickLoginCheckMilliSeconds: 1000 - realm: FCOS - refreshTokenMaxReuse: 0 - registrationAllowed: false - registrationEmailAsUsername: false - registrationFlow: registration - rememberMe: true - requiredActions: - - alias: CONFIGURE_TOTP - config: {} - defaultAction: false - enabled: true - name: Configure OTP - priority: 10 - providerId: CONFIGURE_TOTP - - alias: terms_and_conditions - config: {} - defaultAction: false - enabled: false - name: Terms and Conditions - priority: 20 - providerId: terms_and_conditions - - alias: UPDATE_PASSWORD - config: {} - defaultAction: false - enabled: true - name: Update Password - priority: 30 - providerId: UPDATE_PASSWORD - - alias: UPDATE_PROFILE - config: {} - defaultAction: false - enabled: true - name: Update Profile - priority: 40 - providerId: UPDATE_PROFILE - - alias: VERIFY_EMAIL - config: {} - defaultAction: false - enabled: true - name: Verify Email - priority: 50 - providerId: VERIFY_EMAIL - - alias: delete_account - config: {} - defaultAction: false - enabled: false - name: Delete Account - priority: 60 - providerId: delete_account - - alias: update_user_locale - config: {} - defaultAction: false - enabled: true - name: Update User Locale - priority: 1000 - providerId: update_user_locale - requiredCredentials: - - password - resetCredentialsFlow: reset credentials - resetPasswordAllowed: true - revokeRefreshToken: false - roles: - client: - account: - - attributes: {} - clientRole: true - composite: true - composites: - client: - account: - - manage-account-links - containerId: e48e2348-19e8-4885-b185-89f5fc4c8678 - description: ${role_manage-account} - id: c1cdb902-b162-45a3-9a4b-b50593c12946 - name: manage-account - - attributes: {} - clientRole: true - composite: true - composites: - client: - account: - - view-consent - containerId: e48e2348-19e8-4885-b185-89f5fc4c8678 - description: ${role_manage-consent} - id: ee6c0792-f853-4135-8367-fbcab56ea90e - name: manage-consent 
- - attributes: {} - clientRole: true - composite: false - containerId: e48e2348-19e8-4885-b185-89f5fc4c8678 - description: ${role_delete-account} - id: 743a0f33-ed13-4c50-8d5a-7491d5445b34 - name: delete-account - - attributes: {} - clientRole: true - composite: false - containerId: e48e2348-19e8-4885-b185-89f5fc4c8678 - description: ${role_view-profile} - id: 35ce19b1-91fc-4e00-81fc-8dffdaf851e2 - name: view-profile - - attributes: {} - clientRole: true - composite: false - containerId: e48e2348-19e8-4885-b185-89f5fc4c8678 - description: ${role_manage-account-links} - id: 2bd30b98-4687-4a18-93dc-d22c854564ec - name: manage-account-links - - attributes: {} - clientRole: true - composite: false - containerId: e48e2348-19e8-4885-b185-89f5fc4c8678 - description: ${role_view-applications} - id: 87f99f3b-4452-4ddf-8c72-7c53052c5a93 - name: view-applications - - attributes: {} - clientRole: true - composite: false - containerId: e48e2348-19e8-4885-b185-89f5fc4c8678 - description: ${role_view-consent} - id: 9eddf037-4328-40c6-89e3-7d82d14b15a5 - name: view-consent - account-console: [] - admin-cli: [] - broker: - - attributes: {} - clientRole: true - composite: false - containerId: 1b3d41b6-c46c-4467-bd89-aeb245d9bc27 - description: ${role_read-token} - id: 60efb5c4-a961-4bc3-a7e3-c98329418d6a - name: read-token - gitea: [] - realm-management: - - attributes: {} - clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_query-users} - id: d8c9b922-fca6-4f08-9a7a-6471988dd2a0 - name: query-users - - attributes: {} - clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_view-realm} - id: 39c41134-0bd8-46ee-8ff4-874c5266deff - name: view-realm - - attributes: {} - clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_query-realms} - id: 6257b9e1-1132-4548-9bc0-b90253a7b89c - name: query-realms - - attributes: {} 
- clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_manage-clients} - id: 2b351ad9-1b75-41b5-812a-209f3bbe6696 - name: manage-clients - - attributes: {} - clientRole: true - composite: true - composites: - client: - realm-management: - - query-clients - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_view-clients} - id: 850756bb-d861-409c-8cd9-e429d1e7eb43 - name: view-clients - - attributes: {} - clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_query-clients} - id: 214bb298-7105-421a-9eca-9c836259f40f - name: query-clients - - attributes: {} - clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_view-events} - id: 3d3ce776-02b6-429a-97e1-1172ecd9806c - name: view-events - - attributes: {} - clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_impersonation} - id: d738809e-4503-4aef-8227-e139025faaa8 - name: impersonation - - attributes: {} - clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_manage-events} - id: c949d52c-4724-4fa5-a720-854ee941fccc - name: manage-events - - attributes: {} - clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_query-groups} - id: f49f94a9-72a7-4c34-94d7-6e1c82ef1deb - name: query-groups - - attributes: {} - clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_manage-realm} - id: c53cbaf9-536d-4534-9706-96a34b11489f - name: manage-realm - - attributes: {} - clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_manage-authorization} - id: 8bf06820-87cc-4ff7-b166-70eca0902204 - name: manage-authorization - - attributes: {} - clientRole: true - composite: 
false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_create-client} - id: 1eab1f4c-cd9e-4163-8a33-e1939fb830f4 - name: create-client - - attributes: {} - clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_manage-identity-providers} - id: 08e6a07d-ffca-4e1c-bafd-0c544706fdd6 - name: manage-identity-providers - - attributes: {} - clientRole: true - composite: true - composites: - client: - realm-management: - - query-groups - - query-users - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_view-users} - id: da4254d8-6f31-4dda-9e8c-91a7b9f9e265 - name: view-users - - attributes: {} - clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_view-authorization} - id: 59fba727-7d4d-4d4b-ba4e-6ecbd48516a7 - name: view-authorization - - attributes: {} - clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_manage-users} - id: 658144c2-39f8-4adc-b19c-a6871e18be5e - name: manage-users - - attributes: {} - clientRole: true - composite: true - composites: - client: - realm-management: - - query-users - - view-realm - - query-realms - - manage-clients - - view-clients - - query-clients - - view-events - - manage-events - - query-groups - - impersonation - - manage-realm - - manage-authorization - - create-client - - manage-identity-providers - - view-users - - view-authorization - - view-identity-providers - - manage-users - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_realm-admin} - id: 6b2d807c-d95e-42da-903e-2b15b90bc462 - name: realm-admin - - attributes: {} - clientRole: true - composite: false - containerId: b66f006c-3ec3-4ae8-a1ad-058daa0484ca - description: ${role_view-identity-providers} - id: 57228151-cad5-4be8-9662-d336c49e0105 - name: view-identity-providers - security-admin-console: [] - realm: - - attributes: {} - 
clientRole: false - composite: false - containerId: FCOS - description: ${role_offline-access} - id: 68b06128-786b-4223-a4fd-0c54c944fecf - name: offline_access - - attributes: {} - clientRole: false - composite: false - containerId: FCOS - description: ${role_uma_authorization} - id: 49c22b02-d67f-4921-965d-93409612cf03 - name: uma_authorization - - attributes: {} - clientRole: false - composite: true - composites: - client: - account: - - manage-account - - view-profile - realm: - - offline_access - - uma_authorization - containerId: FCOS - description: ${role_default-roles} - id: 8236985f-5c47-4ae8-a082-bcdf043bfb1a - name: default-roles-fcos - scopeMappings: - - clientScope: offline_access - roles: - - offline_access - smtpServer: {} - sslRequired: external - ssoSessionIdleTimeout: 1800 - ssoSessionIdleTimeoutRememberMe: 0 - ssoSessionMaxLifespan: 36000 - ssoSessionMaxLifespanRememberMe: 0 - supportedLocales: [] - userManagedAccessAllowed: false - verifyEmail: false - waitIncrementSeconds: 60 - webAuthnPolicyAcceptableAaguids: [] - webAuthnPolicyAttestationConveyancePreference: not specified - webAuthnPolicyAuthenticatorAttachment: not specified - webAuthnPolicyAvoidSameAuthenticatorRegister: false - webAuthnPolicyCreateTimeout: 0 - webAuthnPolicyPasswordlessAcceptableAaguids: [] - webAuthnPolicyPasswordlessAttestationConveyancePreference: not specified - webAuthnPolicyPasswordlessAuthenticatorAttachment: not specified - webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister: false - webAuthnPolicyPasswordlessCreateTimeout: 0 - webAuthnPolicyPasswordlessRequireResidentKey: not specified - webAuthnPolicyPasswordlessRpEntityName: keycloak - webAuthnPolicyPasswordlessRpId: "" - webAuthnPolicyPasswordlessSignatureAlgorithms: - - ES256 - webAuthnPolicyPasswordlessUserVerificationRequirement: not specified - webAuthnPolicyRequireResidentKey: not specified - webAuthnPolicyRpEntityName: keycloak - webAuthnPolicyRpId: "" - webAuthnPolicySignatureAlgorithms: - - ES256 
- webAuthnPolicyUserVerificationRequirement: not specified
diff --git a/base/apps/kustomization.yaml b/base/apps/kustomization.yaml
index 40d36ba..20e2acb 100644
--- a/base/apps/kustomization.yaml
+++ b/base/apps/kustomization.yaml
@@ -1,4 +1,4 @@
---
resources:
- cert-manager
- - keycloak
+ # - keycloak
diff --git a/base/charts/external-dns/kustomization.yaml b/base/charts/external-dns/kustomization.yaml
new file mode 100644
index 0000000..c64c0c9
--- /dev/null
+++ b/base/charts/external-dns/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+namespace: external-dns
+resources:
+ - namespace.yaml
+helmCharts:
+ - name: external-dns
+ version: 1.11.0
+ releaseName: fcos-external-dns
+ namespace: external-dns
+ repo: https://kubernetes-sigs.github.io/external-dns/
+ valuesFile: values.yaml
diff --git a/base/charts/external-dns/namespace.yaml b/base/charts/external-dns/namespace.yaml
new file mode 100644
index 0000000..3e353b5
--- /dev/null
+++ b/base/charts/external-dns/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: external-dns
diff --git a/base/charts/external-dns/values.yaml b/base/charts/external-dns/values.yaml
new file mode 100644
index 0000000..85c3213
--- /dev/null
+++ b/base/charts/external-dns/values.yaml
@@ -0,0 +1,11 @@
+---
+provider: rfc2136
+extraArgs:
+ - --rfc2136-host=dns.svc.mesh.sourceindex.de
+ - --rfc2136-port=53
+ - --rfc2136-zone=dev.fabcity-hamburg.de
+ - --rfc2136-tsig-keyname=k8s
+ - --rfc2136-tsig-secret=vIGI59apswrajcLTuw3j9xX9/Y/LewNtxJwqXxI3sUEQYvxRjQH7PuVtcEEXu4vr
+ - --rfc2136-tsig-secret-alg=hmac-sha384
+ - --rfc2136-tsig-axfr
+ - --domain-filter=dev.fabcity-hamburg.de
diff --git a/base/charts/gitea/values.yaml b/base/charts/gitea/values.yaml
index 705585f..1e4e7da 100644
--- a/base/charts/gitea/values.yaml
+++ b/base/charts/gitea/values.yaml
@@ -16,7 +16,7 @@ ingress:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
hosts:
- - host: code.localhost
+ - host: code.dev.fabcity-hamburg.de
paths:
- path: /
pathType: Prefix
diff --git a/base/charts/kustomization.yaml b/base/charts/kustomization.yaml
index 41be811..8d8ab55 100644
--- a/base/charts/kustomization.yaml
+++ b/base/charts/kustomization.yaml
@@ -1,4 +1,5 @@
---
resources:
- ingress-nginx
+ - external-dns
- gitea
diff --git a/overlays/dev/keycloak/certificate.yaml b/overlays/dev/keycloak/certificate.yaml
index 896a00b..f182e71 100644
--- a/overlays/dev/keycloak/certificate.yaml
+++ b/overlays/dev/keycloak/certificate.yaml
@@ -21,6 +21,6 @@ spec:
issuerRef:
name: selfsigned-issuer
kind: ClusterIssuer
- commonName: "id.localhost"
+ commonName: "id.dev.fabcity-hamburg.de"
dnsNames:
- - "id.localhost"
+ - "id.dev.fabcity-hamburg.de"
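Review bot: The new base/charts/external-dns/values.yaml commits a live TSIG secret in plaintext (`--rfc2136-tsig-secret=…` under `extraArgs`); together with `--rfc2136-tsig-axfr` and `--rfc2136-zone=dev.fabcity-hamburg.de` that key authorises zone transfers and dynamic updates for the whole zone, so anyone with read access to this repository or its history can read or rewrite its records. The key should be treated as exposed and regenerated on the DNS server, and the flag dropped from `extraArgs` in favour of a Kubernetes Secret injected through the chart's `env` value — external-dns reads each flag from the matching `EXTERNAL_DNS_<FLAG>` variable, so the secret never has to appear in a values file. The Secret itself then belongs in a sealed/SOPS-managed manifest rather than in this chart directory, and `--rfc2136-tsig-secret-alg=hmac-sha384` can stay where it is since the algorithm name is not sensitive.
```yaml
extraArgs:
  # … unchanged: host/port/zone/keyname/alg/axfr/domain-filter flags, with the tsig-secret entry removed …
env:
  - name: EXTERNAL_DNS_RFC2136_TSIG_SECRET
    valueFrom:
      secretKeyRef:
        name: external-dns-tsig  # placeholder: Secret created out of band, not committed here
        key: tsig-secret
```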