epam · Artem-Zahumonnyi · Apr 30, 2024 · May 16, 2024
@@ -0,0 +1,24 @@
+{{- if and .Values.externalSecrets.enabled .Values.externalSecrets.manageEDPInstallSecrets .Values.sso.keycloakOperatorResources.createKeycloakCR }}
+{{- $secretStore := include "edp-install.secretStoreName" . }}
+{{- $awsSecretName := .Values.externalSecrets.manageEDPInstallSecretsName }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: keycloak-client-broker-secret
+spec:
+  target:
+    template:
+      metadata:
+        labels:
+          app.edp.epam.com/secret-type: keycloak
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: SecretStore
+    name: {{ $secretStore }}
+  data:
+  - secretKey: clientSecret
+    remoteRef:
+      key: {{ $awsSecretName }}
+      property: keycloak-client-broker-secret.clientSecret
+{{- end }}
@@ -0,0 +1,63 @@
+{{- if .Values.sso.enabled -}}
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmIdentityProvider
+metadata:
+  name: broker-idp
+spec:
+  realmRef:
+    kind: KeycloakRealm
+    name: main
+  alias: {{ .Values.sso.ssoRealmName }}
+  displayName: "{{ .Values.sso.ssoRealmName }}"
+  authenticateByDefault: false
+  enabled: true
+  firstBrokerLoginFlowAlias: "first broker login"
+  providerId: "keycloak-oidc"
+  config:
+    acceptsPromptNoneForwardFromClient: "false"
+    allowedClockSkew: "0"
+    authorizationUrl: "{{ .Values.sso.keycloakUrl }}/realms/{{ .Values.sso.ssoRealmName }}/protocol/openid-connect/auth"
+    backchannelSupported: "false"
+    clientAuthMethod: "client_secret_post"
+    clientId: {{ .Values.sso.realmName }}
+    clientSecret: "$keycloak-client-broker-secret:clientSecret"
+    defaultScope: ""
+    disableUserInfo: "false"
+    forwardParameters: ""
+    guiOrder: ""
+    hideOnLoginPage: "true"
+    issuer: "{{ .Values.sso.keycloakUrl }}/realms/{{ .Values.sso.ssoRealmName }}"
+    jwksUrl: "{{ .Values.sso.keycloakUrl }}/realms/{{ .Values.sso.ssoRealmName }}/protocol/openid-connect/certs"
+    loginHint: "false"
+    logoutUrl: "{{ .Values.sso.keycloakUrl }}/realms/{{ .Values.sso.ssoRealmName }}/protocol/openid-connect/logout"
+    passMaxAge: "false"
+    pkceEnabled: "false"
+    prompt: ""
+    syncMode: "IMPORT"
+    tokenUrl: "{{ .Values.sso.keycloakUrl }}/realms/{{ .Values.sso.ssoRealmName }}/protocol/openid-connect/token"
+    uiLocales: "false"
+    userInfoUrl: "{{ .Values.sso.keycloakUrl }}/realms/{{ .Values.sso.ssoRealmName }}/protocol/openid-connect/userinfo"
+    validateSignature: "false"
+  mappers:
+    - name: "realm-management.realm-admin"
+      identityProviderMapper: "keycloak-oidc-role-to-role-idp-mapper"
+      identityProviderAlias: "{{ .Values.sso.ssoRealmName }}"
+      config:
+        external.role: "{{ .Values.sso.realmName }}.administrator"
+        role: "realm-management.realm-admin"
+        syncMode: "INHERIT"
+    - name: "administrator"
+      identityProviderMapper: "keycloak-oidc-role-to-role-idp-mapper"
+      identityProviderAlias: "{{ .Values.sso.ssoRealmName }}"
+      config:
+        role: "administrator"
+        external.role: "{{ .Values.sso.realmName }}.administrator"
+        syncMode: "INHERIT"
+    - name: "developer"
+      identityProviderMapper: "keycloak-oidc-role-to-role-idp-mapper"
+      identityProviderAlias: "{{ .Values.sso.ssoRealmName }}"
+      config:
+        external.role: "{{ .Values.sso.realmName }}.developer"
+        role: "developer"
+        syncMode: "INHERIT"
+{{ end }}
@@ -0,0 +1,26 @@
+{{- if .Values.sso.enabled -}}
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakAuthFlow
+metadata:
+  name: keycloakauthflow-browser
+spec:
+  realmRef:
+    kind: KeycloakRealm
+    name: main
+  alias: browsers
+  description: browser based authentication
+  providerId: basic-flow
+  topLevel: true
+  builtIn: false
+  authenticationExecutions:
+    - authenticator: "auth-cookie"
+      priority: 0
+      requirement: "ALTERNATIVE"
+    - authenticator: "identity-provider-redirector"
+      priority: 1
+      requirement: "ALTERNATIVE"
+      authenticatorConfig:
+        alias: EPAM-SSO
+        config:
+          "defaultProvider": "{{ .Values.sso.ssoRealmName }}"
+{{ end }}
@@ -10,17 +10,5 @@ spec:
     kind: {{ .Values.sso.keycloakOperatorResources.kind }}
     name: {{ .Values.sso.keycloakOperatorResources.name }}
   realmName: {{ default .Release.Namespace .Values.sso.realmName }}
-  ssoRealmEnabled: true
-  ssoRealmName: {{ .Values.sso.ssoRealmName }}
-  users:
-  {{- range .Values.sso.admins }}
-  - username: {{.}}
-    realmRoles:
-      - administrator
-  {{- end}}
-  {{- range .Values.sso.developers }}
-  - username: {{.}}
-    realmRoles:
-      - developer
-  {{- end}}
+  browserFlow: browsers
 {{- end }}
@@ -1,5 +1,5 @@
 {{- if and .Values.sso.enabled -}}
-{{- $oidcIssueUrl := printf "%s/auth/realms/%s" .Values.sso.keycloakUrl (default .Release.Namespace .Values.sso.realmName) -}}
+{{- $oidcIssueUrl := printf "%s/realms/%s" .Values.sso.keycloakUrl (default .Release.Namespace .Values.sso.realmName) -}}
 {{- $domains := printf ".%s" .Values.global.dnsWildCard -}}
 apiVersion: v1
 kind: ConfigMap