diff --git a/.github/workflows/chart-lint-publish.yml b/.github/workflows/chart-lint-publish.yml new file mode 100644 index 00000000..16b2ed75 --- /dev/null +++ b/.github/workflows/chart-lint-publish.yml 
@@ -0,0 +1,62 @@ +name: Validate / Publish helm charts + +on: + release: + types: [published] + pull_request: + types: [opened, reopened, synchronize] + paths: + - 'helm/**' + workflow_dispatch: + inputs: + IGNORE_CHARTS: + description: 'Provide list of charts to be ignored separated by pipe(|)' + required: false + default: '""' + type: string + CHART_PUBLISH: + description: 'Chart publishing to gh-pages branch' + required: false + default: 'NO' + type: string + options: + - YES + - NO + INCLUDE_ALL_CHARTS: + description: 'Include all charts for Linting/Publishing (YES/NO)' + required: false + default: 'NO' + type: string + options: + - YES + - NO + push: + branches: + - '!release-branch' + - '!master' + - 1.* + - 0.* + - develop + - MOSIP* + - release* + paths: + - './helm/**' + +jobs: + chart-lint-publish: + uses: mosip/kattu/.github/workflows/chart-lint-publish.yml@master + with: + CHARTS_DIR: ./helm + CHARTS_URL: https://mosip.github.io/mosip-helm + REPOSITORY: mosip-helm + BRANCH: gh-pages + INCLUDE_ALL_CHARTS: "${{ inputs.INCLUDE_ALL_CHARTS || 'NO' }}" + IGNORE_CHARTS: "${{ inputs.IGNORE_CHARTS || '\"\"' }}" + CHART_PUBLISH: "${{ inputs.CHART_PUBLISH || 'YES' }}" + LINTING_CHART_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-schema.yaml" + LINTING_LINTCONF_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/lintconf.yaml" + LINTING_CHART_TESTING_CONFIG_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-testing-config.yaml" + LINTING_HEALTH_CHECK_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/health-check-schema.yaml" + secrets: + TOKEN: ${{ secrets.ACTION_PAT }} + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} \ No newline at end of file diff --git a/deploy/README.md b/deploy/README.md new file mode 100644 index 00000000..52aab458 --- /dev/null +++ b/deploy/README.md 
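Review bot: `CHART_PUBLISH: "${{ inputs.CHART_PUBLISH || 'YES' }}"` in the `with:` block falls back to `'YES'` while the `workflow_dispatch` default for the same input is `'NO'`, so on `pull_request`, `push` and `release` events (where `inputs.CHART_PUBLISH` is empty) the reusable workflow is asked to publish, inverting the manual default; if publishing is meant to be release-only, use `"${{ inputs.CHART_PUBLISH || 'NO' }}"` or derive it from `github.event_name == 'release'`. The job that receives `ACTION_PAT` is `uses: mosip/kattu/.github/workflows/chart-lint-publish.yml@master`, a moving branch reference, so whatever that branch holds at run time executes with the token; pin it to a tag or commit SHA. The `push.branches` negations `'!release-branch'` and `'!master'` are listed before the positive patterns, and GitHub applies a negative pattern only when it follows the positive match it is meant to exclude, so `release*` will presumably still fire on `release-branch` — move the two negations after the positive entries. The `options:` lists under `CHART_PUBLISH` and `INCLUDE_ALL_CHARTS` are only meaningful for `type: choice`, and the bare `YES`/`NO` items read as booleans to a YAML 1.1 loader; switch to `type: choice` with quoted `'YES'`/`'NO'`.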
@@ -0,0 +1,139 @@ +# Keycloak + +## Introduction +An organisation may use any OAuth 2.0 compliant Identity Access Management (IAM) system with MOSIP. Here we provide k8s installation procedure for **Keycloak** which is the default supported IAM with MOSIP. + +- It is recommended to have two seperate installations of keycloak; + 1. One for organisation wide access to Rancher in order to access different clusters there which is already installed [here](../../rancher/keycloak/README.md). It is installed in the rancher cluster the same will be only one throughout the organisation. + 1. Second installation of keycloak will be in the MOSIP cluster as external dependency for every MOSIP cluster. This will be used by MOSIP modules for authentication and authorization. + +## Prerequisites +The `install.sh` script here assumes that configmap `global` is already there in the default namespace. + +## Install +* Use the `install.sh` provided in this directory. This will install Keycloak as bitnami helm chart. +* To further configure `values.yaml` and for any other info, refer [here](https://github.com/bitnami/charts/tree/master/bitnami/keycloak). +``` +$ ./install.sh +``` +* Bitnami keycloak chart here installs postgres too. If you already have an external postgres DB, point to the same while installing. +* For postgres persistence the chart uses default storage class available with the cluster. +* While deleting helm chart note that PVC, PV do not get removed for Statefulset. This also means that passwords will be same as before. Delete them explicity if you need to. CAUTION: all persistent data will be erased if you delete PV. +* To retain data even after PV deletion use a storage class that supports "Retain". On AWS, you may install `gp2-retain` storage class given here and specify the same while installing Keycloak helm chart. 
+ +## Existing Keycloak +* In case you have not installed Keycloak by above method, and already have an instance running, make sure Kubernetes configmap and secret is created in namespace `keycloak` as expected in [keycloak-init](https://github.com/mosip/mosip-helm/blob/develop/charts/keycloak-init/values.yaml): + ``` + keycloak: + host: + existingConfigMap: keycloak-host + key: keycloak-host-url + admin: + userName: + existingConfigMap: keycloak-env-vars + key: KEYCLOAK_ADMIN_USER + secret: + existingSecret: keycloak + key: admin-password + ``` + +## Secret change +In case you change admin password directly from console, then update the secret as well: +``` +$ ./update_secret.sh +``` +You may get the current admin password: +``` +$ ./get_pwd.sh +``` + +## Keycloak docker version +TODO: The keycloak docker version in `values.yaml` is an older version as the version 12.04 (latest bitnami) was crashing for `userinfo` request for client (like mosip-prereg-client). Watch latest bitnami release and upgrade 13+ version when available. + +## Keycloak Init +To populate base data of MOSIP, run Keycloak Init job: +``` +$ ./keycloak_init.sh +``` + +## Frontend URL +- Navigate to keycloak admin console. +- Navigate to `Mosip` realm. +- Configure *Frontend URL* property in *Realm Settings* page. Value for the frontend url should be: `https:///auth`. Eg: `https://iam.sandbox.mosip.net/auth`. +- Save it. + +Automated this as part of keycloak-init + +## Enable Multi Languages in keycloak +- Navigate to the keycloak admin console. +- Navigate to `Mosip` realm. +- Navigate to `Realms Settings` ----> `Themes`. +- Enable `Internationalization Enabled`. +- Set languages in `Supported Locales`. +- Click on `Save`. + ![keycloak-1.png](../../docs/images/keycloak-1.png) +- Confirm via checking languages in `Mosip` admin login page `https://iam.sandbox.xyz.net/auth/admin/mosip/console/`. 
+ ![img.png](../../docs/images/keycloak-2.png) + +TODO: Automate this as part of keycloak-init + +## EXPORT + +### Export from Jboss keycloak 9.0.0 + +* Copy `export.sh` to the console machine of the specific environment and run the `export.sh`.
+ Make sure the console has Kubernetes cluster access. + ```sh + ./export.sh + ``` + ``` + Provide kubernetes cluster config file path : + Provide keycloak namespace ( Default namespace: default ) : + Provide directory location for export files ( Default Location: current directory ) : + Created Export Directory : + Provide "No of users per file" ( Default: 1000, Recommended value: total number of users ) : + ``` +* Press `ctrl+c` once after `Export finished successfully` displayed. + ``` + 18:07:06,903 INFO [org.keycloak.services] (ServerService Thread Pool -- 62) KC-SERVICES0035: Export finished successfully + ``` +* Copy exports files from console machine to your local. + +### Export from Bitnami keycloak ( Helm/chart Version: 7.1.18 ) +* Set the `KEYCLOAK_EXTRA_ARGS` as an environmental variable in "keycloak" statefulSets to export realm & its users. +* Set the value for `-Dkeycloak.migration.usersPerFile` ( Recommended value: total number of users ) to the below environmental variable value. + ``` + name: KEYCLOAK_EXTRA_ARGS + value: '-Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir -Dkeycloak.migration.realmName=mosip -Dkeycloak.migration.usersExportStrategy=DIFFERENT_FILES -Dkeycloak.migration.usersPerFile= -Dkeycloak.migration.file=/' + ``` +* Wait till the application is up and running. +* Keycloak will be exported to location `/opt/bitnami/keycloak/standalone/keycloak-export/`. +* Copy the `keycloak-export` directory from the above location to your local via the `kubectl cp` command. + +## IMPORT + +### Import to Bitnami Keycloak ( Helm chart version: 7.1.18 ) +* If already existing keycloak is running, set the environmental variable `KEYCLOAK_EXTRA_ARGS=-Dkeycloak.profile.feature.upload_scripts=enabled` to enable the import feature. +* Run `install.sh` to deploy keycloak with the import feature enabled. 
+ ```sh + ./install.sh + ``` + +### Import Realm via Keycloak UI +* Login to keycloak Admin console, Navigate `Master` realm and Click on `Add Realm`. +* Click on the `select file` to Import the keycloak realm. Select keycloak exported realm JSON file. +* Set realm name to `mosip` and click on `create`. + ![keycloak-4.png](../../docs/images/keycloak-4.png) + +### Import Users via Keycloak UI +* Login to keycloak Admin console, Navigate to `Mosip` realm. +* Click on `Import` ---> Select `Exported json file` and click on `Import`. + ![keycloak-3.png](../../docs/images/keycloak-3.png) + +### IMPORT INIT + +* Update realm, roles, clients, & service account client roles details in `import-init-values.yaml`. +* run `import-init.sh` + ```sh + ./import-init.sh + ``` diff --git a/deploy/delete.sh b/deploy/delete.sh new file mode 100755 index 00000000..fc629f87 --- /dev/null +++ b/deploy/delete.sh @@ -0,0 +1,32 @@ +#!/bin/bash +# Uninstalls Keycloak +## Usage: ./delete.sh [kubeconfig] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + +function deleting_keycloak() { + NS=keycloak + while true; do + read -p "Are you sure you want to delete Keyclaok? This is DANGEROUS! (Y/n) " yn + if [ $yn = "Y" ] + then + helm -n $NS delete keycloak + helm -n $NS delete keycloak-init + helm -n $NS delete istio-addons + break + else + break + fi + done + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +deleting_keycloak # calling function diff --git a/deploy/export.sh b/deploy/export.sh new file mode 100755 index 00000000..d942f666 --- /dev/null +++ b/deploy/export.sh 
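Review bot: `if [ $yn = "Y" ]` in `deleting_keycloak` leaves `$yn` unquoted, so pressing Enter at the prompt turns the test into `[ = "Y" ]`, a `[` usage error rather than a clean "no"; write `if [ "$yn" = "Y" ]`. The `while true` loop breaks on both branches, so it is really a single `if` and the `while`/`break` scaffolding can be dropped. The prompt text also misspells the product as `Keyclaok`.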
@@ -0,0 +1,80 @@ +#!/bin/bash +# Export Keycloak +## Usage: ./export.sh [kubeconfig] + +## script starts from here +function export_keycloak() { + read -p "Provide kubernetes cluster config file path : " K8S_CONFIG + if [ -z "$K8S_CONFIG" ]; then + echo "Cluster config file path not provided; EXITING;"; + exit 1; + fi + if [ ! -f "$K8S_CONFIG" ]; then + echo "Cluster config file $K8S_CONFIG not found; EXITING;"; + exit 1; + fi + + read -p "Provide keycloak namespace ( Default namespace: default ) : " NAMESPACE + if [ -z "$NAMESPACE" ]; then + NAMESPACE=default + fi + + read -p "Provide directory location for export files ( Default Location: current directory ) : " EXPORT_DIR + if [ -z "$EXPORT_DIR" ]; then + EXPORT_DIR="keycloak-export" + fi + mkdir -p $EXPORT_DIR && echo "Created Export Directory : $EXPORT_DIR" + if [ ! -d "$EXPORT_DIR" ]; then + echo "Directory Location $EXPORT_DIR not found; EXITING;"; + exit 1; + fi + + read -p "Provide \"No of users per file\" ( Default: 1000, Recommended value: total number of users ) : " USERS_PER_FILE + if [ -z "$USERS_PER_FILE" ]; then + USERS_PER_FILE=1000 + fi + + export KUBECONFIG=$K8S_CONFIG + + echo " CLUSTER CONFIG FILE : $KUBECONFIG" + echo " NAMESPACE : $NAMESPACE" + echo " EXPORT_DIR : $EXPORT_DIR" + echo " NUMBER OF USERS PER FILE : $USERS_PER_FILE" + + KEYCLOAK_POD_ID=$( kubectl -n $NAMESPACE get pods |awk '( !/init/ && !/postgresql/ ) && /keycloak/{print $1}' | head -1 2>&1); + + echo " KEYCLOAK POD ID : $KEYCLOAK_POD_ID" + + kubectl -n $NAMESPACE exec -it $KEYCLOAK_POD_ID -- mkdir -p /tmp/keycloak-export/; + + echo "$(tput setaf 3)Press \"CTRL+C\" once after \"Export finished successfully\" is displayed !!! 
$(tput sgr0)" + + kubectl -n $NAMESPACE exec -it $KEYCLOAK_POD_ID -- /opt/jboss/tools/docker-entrypoint.sh \ + -Djboss.socket.binding.port-offset=100 -Dkeycloak.migration.action=export \ + -Dkeycloak.migration.provider=dir \ + -Dkeycloak.migration.realmName=mosip \ + -Dkeycloak.migration.usersExportStrategy=DIFFERENT_FILES \ + -Dkeycloak.migration.usersPerFile=$USERS_PER_FILE \ + -Dkeycloak.migration.file=/tmp/keycloak-export/ | grep 'Export finished successfully' + + kubectl -n $NAMESPACE exec -it $KEYCLOAK_POD_ID -- bash -c "cd tmp/keycloak-export/ && tar -czvf /tmp/keycloak-export.zip ." \ + && echo "Zipped keycloak-export files as keycloak-export.zip inside the keycloak pod !!!" + + kubectl cp $NAMESPACE/$KEYCLOAK_POD_ID:tmp/keycloak-export.zip $EXPORT_DIR.zip \ + && echo "Copied keycloal-export zip file from keycloak pod " + + tar -xvzf $EXPORT_DIR.zip -C $EXPORT_DIR \ + && echo "Unzipped keycloak-export file $EXPORT_DIR" + + echo "Successfully exported keycloak realm data to location : $EXPORT_DIR/mosip-realm.json " + echo "Successfully exported keycloak users data to location : $EXPORT_DIR/mosip-users-*.json" + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +export_keycloak # calling function diff --git a/deploy/import-init-values.yaml b/deploy/import-init-values.yaml new file mode 100644 index 00000000..bc58c7bf --- /dev/null +++ b/deploy/import-init-values.yaml 
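Review bot: The realm dump is left behind in the pod after the copy: `export_keycloak` creates `/tmp/keycloak-export/`, tars it to `/tmp/keycloak-export.zip`, runs `kubectl cp`, and never removes either, and a Keycloak realm export normally carries client secrets and user credential hashes; add `kubectl -n "$NAMESPACE" exec "$KEYCLOAK_POD_ID" -- rm -rf /tmp/keycloak-export /tmp/keycloak-export.zip` once the copy has succeeded. `KEYCLOAK_POD_ID` is used without checking that the `awk` filter matched a pod, so with no match the `exec` calls run against an empty name; guard it with `[ -n "$KEYCLOAK_POD_ID" ] || { echo "no keycloak pod found in $NAMESPACE"; exit 1; }`. `$EXPORT_DIR`, `$NAMESPACE` and `$KEYCLOAK_POD_ID` are unquoted throughout (`mkdir -p $EXPORT_DIR`, `tar -xvzf $EXPORT_DIR.zip -C $EXPORT_DIR`), and the in-pod paths `tmp/keycloak-export/` and `tmp/keycloak-export.zip` are relative where the earlier `mkdir -p` used `/tmp/keycloak-export/`; quote the variables and use the absolute paths in both places.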
@@ -0,0 +1,509 @@ +keycloak: + realms: |- + del_realms: + - preregistration + mosip: # realm + roles: + - Default + - ABIS_PARTNER + - SDK_PARTNER + - AUTH + - AUTH_PARTNER + - BIOMETRIC_READ + - CENTRAL_ADMIN + - CENTRAL_APPROVER + - CREATE_SHARE + - CREDENTIAL_ISSUANCE + - CREDENTIAL_PARTNER + - CREDENTIAL_REQUEST + - DATA_READ + - DEVICE_PROVIDER + - DOCUMENT_READ + - FTM_PROVIDER + - GLOBAL_ADMIN + - ID_AUTHENTICATION + - ID_REPOSITORY + - INDIVIDUAL + - KEY_MAKER + - MASTERDATA_ADMIN + - METADATA_READ + - MISP + - MISP_PARTNER + - offline_access + - ONLINE_VERIFICATION_PARTNER + - PARTNER + - PARTNER_ADMIN + - PARTNERMANAGER + - PMS_ADMIN + - PMS_USER + - POLICYMANAGER + - PREREG + - PRE_REGISTRATION + - PRE_REGISTRATION_ADMIN + - PRINT_PARTNER + - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL + - PUBLISH_ANONYMOUS_PROFILE_GENERAL + - PUBLISH_APIKEY_APPROVED_GENERAL + - PUBLISH_APIKEY_UPDATED_GENERAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL + - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL + - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL + - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - PUBLISH_MASTERDATA_TITLES_GENERAL + - PUBLISH_MISP_LICENSE_GENERATED_GENERAL + - PUBLISH_MISP_LICENSE_UPDATED_GENERAL + - PUBLISH_MOSIP_HOTLIST_GENERAL + - PUBLISH_PARTNER_UPDATED_GENERAL + - PUBLISH_POLICY_UPDATED_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL + - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL + - REGISTRATION_ADMIN + - REGISTRATION_OFFICER + - REGISTRATION_OPERATOR + - REGISTRATION_PROCESSOR + - REGISTRATION_SUPERVISOR + - RESIDENT + - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL + - 
SUBSCRIBE_APIKEY_APPROVED_GENERAL + - SUBSCRIBE_APIKEY_UPDATED_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL + - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - SUBSCRIBE_MASTERDATA_TITLES_GENERAL + - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL + - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL + - SUBSCRIBE_MOSIP_HOTLIST_GENERAL + - SUBSCRIBE_PARTNER_UPDATED_GENERAL + - SUBSCRIBE_POLICY_UPDATED_GENERAL + - SUBSCRIBE_REMOVE_ID_INDIVIDUAL + - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL + - uma_authorization + - ZONAL_ADMIN + - ZONAL_APPROVER + - HOTLIST_ADMIN + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - SUBSCRIBE_IDENTITY_CREATED_GENERAL + - SUBSCRIBE_IDENTITY_UPDATED_GENERAL + - PUBLISH_OIDC_CLIENT_CREATED_GENERAL + - PUBLISH_OIDC_CLIENT_UPDATED_GENERAL + - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL + - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL + client_scopes: + - name: add_oidc_client + description: Scope required to create OIDC client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: update_oidc_client + description: '' + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: get_certificate + description: Scope required to create OIDC client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: upload_certificate + description: '' + protocol: openid-connect + Include In Token Scope : on + attributes: { + 
display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: individual_id + description: Scope required to create resident client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "true", + include.in.token.scope: "true" + } + - name: ida_token + description: '' + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "true", + include.in.token.scope: "true" + } + - name: send_binding_otp + description: Scope required to create mpartner-default-mobile client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: wallet_binding + description: Scope required to create mpartner-default-mobile client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + + clients: + - name: mosip-abis-client + mappers: [] + saroles: [] + + - name: mosip-admin-client + mappers: [] + saroles: + - MASTERDATA_ADMIN + - GLOBAL_ADMIN + - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - offline_access + - PUBLISH_MOSIP_HOTLIST_GENERAL + - uma_authorization + - PUBLISH_MASTERDATA_TITLES_GENERAL + + - name: mosip-admin-services-client + mappers: [] + saroles: [] + + - name: mosip-auth-client + mappers: [] + saroles: + - AUTH + + - name: mosip-crereq-client + mappers: [] + saroles: + - CREDENTIAL_ISSUANCE + - CREDENTIAL_REQUEST + - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL + - offline_access + - uma_authorization + + - name: mosip-creser-client + mappers: [] + saroles: + - CREDENTIAL_ISSUANCE + - REGISTRATION_PROCESSOR + - POLICYMANAGER + - CREATE_SHARE + - offline_access + - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL + - uma_authorization + - name: mosip-creser-idpass-client + mappers: [] + saroles: + - REGISTRATION_PROCESSOR + - DATA_READ + - DOCUMENT_READ + - 
BIOMETRIC_READ + - METADATA_READ + - CREATE_SHARE + - CREDENTIAL_REQUEST + + - name: mosip-datsha-client + mappers: [] + saroles: + - CREATE_SHARE + - REGISTRATION_PROCESSOR + - POLICYMANAGER + + - name: mosip-ida-client + mappers: [] + saroles: + - CREDENTIAL_REQUEST + - GLOBAL_ADMIN + - ID_AUTHENTICATION + - PARTNERMANAGER # Added only for cert upload using postman during install. Not required otherwise. + - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL + - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL + - name: mosip-misp-client + mappers: [] + saroles: [] + + - name: mosip-partner-client + mappers: + - mapper_name: phoneNumber + mapper_user_attribute: phoneNumber + token_claim_name: phoneNumber + - mapper_name: organizationName + mapper_user_attribute: organizationName + token_claim_name: organizationName + - mapper_name: partnerType + mapper_user_attribute: partnerType + token_claim_name: partnerType + - mapper_name: addressTest + mapper_user_attribute: address + token_claim_name: addressTest + saroles: + - REGISTRATION_PROCESSOR + - CREATE_SHARE + - PMS_USER + - PMS_ADMIN + - PARTNER_ADMIN + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_MISP_LICENSE_UPDATED_GENERAL + - PUBLISH_PARTNER_UPDATED_GENERAL + - PUBLISH_MISP_LICENSE_GENERATED_GENERAL + - PUBLISH_APIKEY_APPROVED_GENERAL + - PUBLISH_APIKEY_UPDATED_GENERAL + - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_POLICY_UPDATED_GENERAL + + - name: mosip-partnermanager-client + mappers: [] + saroles: + - PARTNERMANAGER + - KEY_MAKER + + - name: mosip-pms-client + mappers: + - mapper_name: phoneNumber + mapper_user_attribute: phoneNumber + token_claim_name: phoneNumber + - mapper_name: organizationName + mapper_user_attribute: organizationName + token_claim_name: organizationName + - mapper_name: partnerType + mapper_user_attribute: partnerType + token_claim_name: partnerType + - mapper_name: addressTest + mapper_user_attribute: address + token_claim_name: addressTest + saroles: + - PARTNER_ADMIN + - 
SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_OIDC_CLIENT_CREATED_GENERAL + - PUBLISH_OIDC_CLIENT_UPDATED_GENERAL + - PUBLISH_APIKEY_APPROVED_GENERAL + - PUBLISH_APIKEY_UPDATED_GENERAL + - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_MISP_LICENSE_GENERATED_GENERAL + - PUBLISH_MISP_LICENSE_UPDATED_GENERAL + - PUBLISH_PARTNER_UPDATED_GENERAL + - PUBLISH_POLICY_UPDATED_GENERAL + - ZONAL_ADMIN + - CREATE_SHARE + - DEVICE_PROVIDER + - PARTNER + - PMS_ADMIN + - PMS_USER + - REGISTRATION_PROCESSOR + assign_client_scopes: + - update_oidc_client + - add_oidc_client + - get_certificate + - upload_certificate + - name: mosip-policymanager-client + mappers: [] + saroles: [] + + - name: mosip-reg-client + mappers: [] + saroles: + - GLOBAL_ADMIN + - REGISTRATION_ADMIN + - REGISTRATION_OFFICER + - REGISTRATION_OPERATOR + - REGISTRATION_SUPERVISOR + + - name: mosip-regproc-client + mappers: [] + saroles: + - REGISTRATION_PROCESSOR + - DATA_READ + - DOCUMENT_READ + - BIOMETRIC_READ + - METADATA_READ + - CREATE_SHARE + - CREDENTIAL_REQUEST + - PARTNER + - PARTNER_ADMIN + - PMS_USER + - POLICYMANAGER + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + + - name: mpartner-default-mobile + mappers: [] + saroles: + - CREDENTIAL_PARTNER + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + assign_client_scopes: + - send_binding_otp + - wallet_binding + - name: 
mosip-resident-client + mappers: [] + saroles: + - RESIDENT + - PARTNER_ADMIN + - CREDENTIAL_REQUEST + - offline_access + - uma_authorization + assign_client_scopes: + - individual_id + - ida_token + + - name: mosip-prereg-client + mappers: [] + saroles: + - PREREG + - REGISTRATION_PROCESSOR + - PRE_REGISTRATION_ADMIN + + - name: mosip-creser-idpass-client + mappers: [] + saroles: + - REGISTRATION_PROCESSOR + - DATA_READ + - DOCUMENT_READ + - BIOMETRIC_READ + - METADATA_READ + - CREATE_SHARE + - CREDENTIAL_REQUEST + + - name: mosip-syncdata-client + mappers: [] + saroles: + - REGISTRATION_ADMIN + - GLOBAL_ADMIN + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - REGISTRATION_SUPERVISOR + - REGISTRATION_OFFICER + + - name: mpartner-default-auth + mappers: + - mapper_name: langCode + mapper_user_attribute: langCode + token_claim_name: langCode + saroles: + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL + - SUBSCRIBE_POLICY_UPDATED_GENERAL + - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL + - CREDENTIAL_REQUEST + - SUBSCRIBE_MOSIP_HOTLIST_GENERAL + - PUBLISH_ANONYMOUS_PROFILE_GENERAL + - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_REMOVE_ID_INDIVIDUAL + - SUBSCRIBE_MASTERDATA_TITLES_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL + - ID_AUTHENTICATION + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_PARTNER_UPDATED_GENERAL + - offline_access + - SUBSCRIBE_APIKEY_APPROVED_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - uma_authorization + - SUBSCRIBE_APIKEY_UPDATED_GENERAL + - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL + - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL + - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL + + - name: mosip-idrepo-client + mappers: [] + saroles: + - 
PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL + - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL + - ID_REPOSITORY + - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL + - offline_access + - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - uma_authorization + - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL + + - name: mpartner-default-print + mappers: [] + saroles: + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - CREATE_SHARE + - PRINT_PARTNER + + - name: mpartner-default-digitalcard + mappers: [] + saroles: + - SUBSCRIBE_IDENTITY_CREATED_GENERAL + - SUBSCRIBE_IDENTITY_UPDATED_GENERAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - CREATE_SHARE + - PRINT_PARTNER + - CREDENTIAL_REQUEST + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + + - name: mosip-digitalcard-client + saroles: + - CREATE_SHARE + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - SUBSCRIBE_IDENTITY_CREATED_GENERAL + - SUBSCRIBE_IDENTITY_UPDATED_GENERAL + + - name: mosip-hotlist-client + saroles: + - HOTLIST_ADMIN + - uma_authorization + - offline_access + - PUBLISH_MOSIP_HOTLIST_GENERAL + + # Used only for initial deployment purposes. Maybe deleted from installation later. + - name: mosip-deployment-client + saroles: + - ID_AUTHENTICATION + - GLOBAL_ADMIN # TODO: do we need this? + - PARTNER_ADMIN + - uma_authorization + - offline_access + + - name: mosip-testrig-client + saroles: + - ID_AUTHENTICATION + - GLOBAL_ADMIN # TODO: do we need this? + - PARTNER_ADMIN + - REGISTRATION_PROCESSOR + - CREATE_SHARE + - PMS_ADMIN + - PMS_USER + - uma_authorization + - offline_access + sa_client_roles: + - realm-management: ## realm-management client id + - view-users # realm-management client roles + - view-clients + - view-realms + - manage-users + users: [] diff --git a/deploy/import-init.sh b/deploy/import-init.sh new file mode 100755 index 00000000..9d5191bf --- /dev/null 
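Review bot: `mosip-creser-idpass-client` appears twice in the `clients` list with identical `saroles`, so whatever consumes this block presumably processes the same client twice and a later edit to one copy silently diverges from the other; drop the second entry. Each client scope carries `Include In Token Scope : on`, a key with a space before the colon and a bare `on` value that a YAML 1.1 loader reads as boolean `true`; since `include.in.token.scope: "true"` is already present under `attributes`, remove the key or rename it to something the consumer actually reads, with an explicit `true`. `mosip-deployment-client` and `mosip-testrig-client` both grant `GLOBAL_ADMIN # TODO: do we need this?` to a service account on the IAM itself; resolve that TODO before this file is used, removing the role unless a concrete need is documented next to it.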
+++ b/deploy/import-init.sh @@ -0,0 +1,31 @@ +#!/bin/bash +# Initialize Imported Keycloak with MOSIP base data +# Usage: +# ./import-init.sh [kube_config_file] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + +function import_init() { + NS=keycloak + CHART_VERSION=0.0.1-develop + + helm repo add mosip https://mosip.github.io/mosip-helm + helm repo update + + IAM_HOST=$(kubectl get cm global -o jsonpath={.data.mosip-iam-external-host}) + + echo Initializing keycloak + helm -n $NS install keycloak-import mosip/keycloak-init --set frontend=https://$IAM_HOST/auth -f import-init-values.yaml --version $CHART_VERSION + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +import_init # calling function + diff --git a/deploy/install.sh b/deploy/install.sh new file mode 100755 index 00000000..1268c6ee --- /dev/null +++ b/deploy/install.sh 
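Review bot: `IAM_HOST` is taken from `kubectl get cm global -o jsonpath={.data.mosip-iam-external-host}` and interpolated straight into `--set frontend=https://$IAM_HOST/auth`, so a missing key yields `https:///auth` with no error; add `[ -n "$IAM_HOST" ] || { echo "mosip-iam-external-host missing in configmap global"; exit 1; }` before the `helm install`. The sibling `keycloak_init.sh` sets the same URL via `keycloak.realms.mosip.realm_config.attributes.frontendUrl` rather than `frontend`; if the `keycloak-init` chart reads only one of those keys, one of the two scripts is setting a value nothing consumes — worth confirming against the chart.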
@@ -0,0 +1,36 @@ +#!/bin/bash +## Point config to your cluster on which you are installing IAM. +## "Usage: ./install.sh [kube_config_file]" + +if [ $# -ge 1 ]; then + export KUBECONFIG=$1 +fi +NS=keycloak +SERVICE_NAME=keycloak + +echo Creating $NS namespace +kubectl create ns $NS + +function installing_keycloak() { + echo Istio label + ## TODO: enable istio injection after testing well. + kubectl label ns $NS istio-injection=disabled --overwrite + helm repo add bitnami https://charts.bitnami.com/bitnami + helm repo update + + echo Installing + helm -n $NS install $SERVICE_NAME mosip/keycloak --version "7.1.18" --set image.repository=mosipqa/mosip-artemis-keycloak --set image.tag=develop --set image.pullPolicy=Always -f values.yaml --wait + + EXTERNAL_HOST=$(kubectl get cm global -o jsonpath={.data.mosip-iam-external-host}) + echo Install Istio gateway, virtual service + helm -n $NS install istio-addons chart/istio-addons --set keycloakExternalHost=$EXTERNAL_HOST --set keycloakInternalHost="$SERVICE_NAME.$NS" --set service=$SERVICE_NAME + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +installing_keycloak # calling function diff --git a/deploy/keycloak_init.sh b/deploy/keycloak_init.sh new file mode 100755 index 00000000..92935074 --- /dev/null +++ b/deploy/keycloak_init.sh 
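Review bot: `installing_keycloak` adds only the `bitnami` repo (`helm repo add bitnami https://charts.bitnami.com/bitnami`) but installs `mosip/keycloak`, so on a fresh machine the install fails unless the `mosip` repo was added elsewhere; add `helm repo add mosip https://mosip.github.io/mosip-helm` as the other scripts in this directory do, or drop the unused `bitnami` line. The image is selected by a moving tag, `--set image.tag=develop --set image.pullPolicy=Always`, so the identity provider is redeployed from whatever that tag points at each time a pod restarts; pin a release tag or digest for anything beyond a development sandbox.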
@@ -0,0 +1,88 @@ +#!/bin/bash +# Initialize Keycloak with MOSIP base data +# Usage: +# ./keycloak_init.sh [kube_config_file] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + +read_user_input(){ + if [ $# -lt 2 ]; then + echo "$(tput setaf 1) Variable & Message arguments not passed to read_user_input function; EXITING $(tput sgr0)"; + exit 1; + fi + DEFAULT='' + if [ $# -gt 2 ]; then + DEFAULT=$3; ## default values for $VAR variable + fi + VAR=$1; ## variable name + MSG=$2; ## message to be printed for the given variable + read -p "Provide $MSG : " $VAR; + TEMP=$( eval "echo \${$VAR}" ); ## save $VAR values to a temporary variable + eval ${VAR}=${TEMP:-$DEFAULT}; ## set $VAR value to $DEFAULT if $TEMP is empty, else set $VAR value to $TEMP + VAR_VALUE=$( eval "echo \${$VAR}" ) + if [ -z $VAR_VALUE ]; then + echo "$(tput setaf 1) $MSG not provided; EXITING $(tput sgr0)"; + exit 1; + fi + + if [[ $# -gt 3 ]]; then + if echo "$VAR_VALUE" | grep -Ev "$4" > /dev/null; then + echo "$(tput setaf 1) Variable $VAR is neither of $4 $(tput sgr0)"; + exit 1; + fi + fi + DEFAULT=''; ## reset `DEFAULT` variable to empty string +} + +function initialize_keycloak() { + NS=keycloak + CHART_VERSION=0.0.1-develop + + helm repo add mosip https://mosip.github.io/mosip-helm + helm repo update + + read_user_input SMTP_HOST "'SMTP host' for keycloak" + read_user_input SMTP_PORT "'SMTP port' for keycloak" + + read_user_input SMTP_FROM_ADDR "'From email address' for keycloak SMTP" + REGEX="^[a-z0-9!#\$%&'*+/=?^_\`{|}~-]+(\.[a-z0-9!#$%&'*+/=?^_\`{|}~-]+)*@([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?\$" + if [[ ! "$SMTP_FROM_ADDR" =~ $REGEX ]] ; then + echo "$(tput setaf 1) Variable SMTP_FROM_ADDR is not a valid email ID; EXITING;$(tput sgr0)" + exit 1; + fi + read_user_input SMTP_STARTTLS "Would you like to enable 'starttls' configuration for SMTP ? 
(false/true) : [ Default: false ]" false '^(true|false)$' + read_user_input SMTP_AUTH "Would you like to enable \"AUTHENTICATION\" configuration for SMTP ? (true/false) : [ Default: true ]" true '^(true|false)$' + read_user_input SMTP_SSL "Would you like to enable \"SSL\" fro SMTP ? (true/false) : [ Default: true ]" true '^(true|false)$' + SMTP_AUTH_SET="--set keycloak.realms.mosip.realm_config.smtpServer.auth=$SMTP_AUTH" + if [[ $SMTP_AUTH == "true" ]]; then + read_user_input SMTP_USERNAME "Provide SMTP login Username" + read_user_input SMTP_PASSWORD "Provide SMTP login Password" + + SMTP_AUTH_SET="--set keycloak.realms.mosip.realm_config.smtpServer.auth=$SMTP_AUTH \ + --set keycloak.realms.mosip.realm_config.smtpServer.user=$SMTP_USERNAME \ + --set keycloak.realms.mosip.realm_config.smtpServer.password=$SMTP_PASSWORD" + fi + + IAMHOST_URL=$(kubectl get cm global -o jsonpath={.data.mosip-iam-external-host}) + + echo Initializing keycloak-init + helm -n $NS install keycloak-init mosip/keycloak-init \ + --set keycloak.realms.mosip.realm_config.smtpServer.host="$SMTP_HOST" \ + --set keycloak.realms.mosip.realm_config.smtpServer.port="$SMTP_PORT" \ + --set keycloak.realms.mosip.realm_config.smtpServer.from="$SMTP_FROM_ADDR" \ + --set keycloak.realms.mosip.realm_config.smtpServer.starttls="$SMTP_STARTTLS" \ + --set keycloak.realms.mosip.realm_config.smtpServer.ssl="$SMTP_SSL" \ + $SMTP_AUTH_SET \ + --set keycloak.realms.mosip.realm_config.attributes.frontendUrl="https://$IAMHOST_URL/auth" --version $CHART_VERSION + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +initialize_keycloak # calling function 
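Review bot: `eval ${VAR}=${TEMP:-$DEFAULT}` in `read_user_input` evaluates the operator's raw input as shell, so a password or host containing a space, `;` or `$` breaks the assignment or is executed; replace it with `printf -v "$VAR" '%s' "${TEMP:-$DEFAULT}"` and quote the follow-up test as `[ -z "$VAR_VALUE" ]`. `SMTP_PASSWORD` is collected with a plain `read -p`, which echoes it to the terminal, and is then placed on the `helm install` command line through `$SMTP_AUTH_SET`, where it is visible in process listings and shell history; read it with `read -s -p` and pass it via a temporary values file (`-f`) rather than `--set`. `$SMTP_AUTH_SET` is deliberately expanded unquoted so word splitting yields separate arguments, which also splits a password containing whitespace — another reason to move it into a values file.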
diff --git a/deploy/update_secret.sh b/deploy/update_secret.sh new file mode 100755 index 00000000..319b7c19 --- /dev/null +++ b/deploy/update_secret.sh @@ -0,0 +1,24 @@ +#!/bin/bash +# If you update admin password via console, call this script to update the secret in kubernetes. +# Usage: +# ./update_secrets.sh [kube_config_file] + +if [ $# -ge 2 ]; then + CLUSTER_CONFIG=$2 +else + CLUSTER_CONFIG=$HOME/.kube/iam_config +fi + +function update_secret() { + alias KK='kubectl --kubeconfig $CLUSTER_CONFIG -n keycloak' + $KK create secret generic keycloak --from-literal=admin-password=$1 --dry-run=client -o yaml | $KK apply -f - + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +update_secret # calling function diff --git a/deploy/upgrade-init-values.yaml b/deploy/upgrade-init-values.yaml new file mode 100644 index 00000000..4060693e --- /dev/null +++ b/deploy/upgrade-init-values.yaml 
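Review bot: `update_secret` cannot run as written: `alias KK=...` is not expanded in a non-interactive script, and `$KK` then expands an unset variable, which `set -o nounset` turns into a fatal error; inside the function `$1` is the function's own first argument, but `update_secret` is called with no arguments at the bottom, so it is unbound as well. The header's usage `./update_secrets.sh [kube_config_file]` also disagrees with the body, which reads the kubeconfig from `$2` and, by implication, the password from `$1`. Build the kubectl prefix as an array, pass the password in explicitly and fail with a message when it is missing; the new admin password still lands on the `kubectl` command line, so reading it with `read -s` instead of taking it from `$1` would be the safer follow-up.
```shell
## Usage: ./update_secret.sh <admin_password> [kube_config_file]
# … unchanged: CLUSTER_CONFIG selection …

function update_secret() {
  local password=$1
  local kk=(kubectl --kubeconfig "$CLUSTER_CONFIG" -n keycloak)
  "${kk[@]}" create secret generic keycloak --from-literal=admin-password="$password" --dry-run=client -o yaml | "${kk[@]}" apply -f -
  return 0
}

# … unchanged: set -e / set -o error-handling lines …
update_secret "${1:?admin password required}" # calling function
```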
@@ -0,0 +1,350 @@ +keycloak: + realms: |- + del_realms: + - preregistration + mosip: # realm + roles: + - Default + - ABIS_PARTNER + - SDK_PARTNER + - AUTH + - AUTH_PARTNER + - BIOMETRIC_READ + - CENTRAL_ADMIN + - CENTRAL_APPROVER + - CREATE_SHARE + - CREDENTIAL_ISSUANCE + - CREDENTIAL_PARTNER + - CREDENTIAL_REQUEST + - DATA_READ + - DEVICE_PROVIDER + - DOCUMENT_READ + - FTM_PROVIDER + - GLOBAL_ADMIN + - ID_AUTHENTICATION + - ID_REPOSITORY + - INDIVIDUAL + - KEY_MAKER + - MASTERDATA_ADMIN + - METADATA_READ + - MISP + - MISP_PARTNER + - offline_access + - ONLINE_VERIFICATION_PARTNER + - PARTNER + - PARTNER_ADMIN + - PARTNERMANAGER + - PMS_ADMIN + - PMS_USER + - POLICYMANAGER + - PREREG + - PRE_REGISTRATION + - PRE_REGISTRATION_ADMIN + - PRINT_PARTNER + - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL + - PUBLISH_ANONYMOUS_PROFILE_GENERAL + - PUBLISH_APIKEY_APPROVED_GENERAL + - PUBLISH_APIKEY_UPDATED_GENERAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL + - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL + - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL + - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - PUBLISH_MASTERDATA_TITLES_GENERAL + - PUBLISH_MISP_LICENSE_GENERATED_GENERAL + - PUBLISH_MISP_LICENSE_UPDATED_GENERAL + - PUBLISH_MOSIP_HOTLIST_GENERAL + - PUBLISH_PARTNER_UPDATED_GENERAL + - PUBLISH_POLICY_UPDATED_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL + - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL + - REGISTRATION_ADMIN + - REGISTRATION_OFFICER + - REGISTRATION_OPERATOR + - REGISTRATION_PROCESSOR + - REGISTRATION_SUPERVISOR + - RESIDENT + - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL + - 
SUBSCRIBE_APIKEY_APPROVED_GENERAL + - SUBSCRIBE_APIKEY_UPDATED_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL + - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - SUBSCRIBE_MASTERDATA_TITLES_GENERAL + - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL + - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL + - SUBSCRIBE_MOSIP_HOTLIST_GENERAL + - SUBSCRIBE_PARTNER_UPDATED_GENERAL + - SUBSCRIBE_POLICY_UPDATED_GENERAL + - SUBSCRIBE_REMOVE_ID_INDIVIDUAL + - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL + - uma_authorization + - ZONAL_ADMIN + - ZONAL_APPROVER + - HOTLIST_ADMIN + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + clients: + - name: mosip-abis-client + mappers: [] + saroles: [] + - name: mosip-admin-client + mappers: [] + saroles: + - MASTERDATA_ADMIN + - GLOBAL_ADMIN + - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - offline_access + - PUBLISH_MOSIP_HOTLIST_GENERAL + - uma_authorization + - PUBLISH_MASTERDATA_TITLES_GENERAL + - name: mosip-admin-services-client + mappers: [] + saroles: [] + - name: mosip-auth-client + mappers: [] + saroles: + - AUTH + - name: mosip-crereq-client + mappers: [] + saroles: + - CREDENTIAL_ISSUANCE + - CREDENTIAL_REQUEST + - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL + - offline_access + - uma_authorization + + - name: mosip-creser-client + mappers: [] + saroles: + - CREDENTIAL_ISSUANCE + - REGISTRATION_PROCESSOR + - POLICYMANAGER + - CREATE_SHARE + - offline_access + - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL + - uma_authorization + - name: mosip-creser-idpass-client + mappers: [] + saroles: + - REGISTRATION_PROCESSOR + - DATA_READ + - DOCUMENT_READ + - BIOMETRIC_READ + - METADATA_READ + - 
CREATE_SHARE + - CREDENTIAL_REQUEST + - name: mosip-datsha-client + mappers: [] + saroles: + - CREATE_SHARE + - REGISTRATION_PROCESSOR + - POLICYMANAGER + + - name: mosip-ida-client + mappers: [] + saroles: + - CREDENTIAL_REQUEST + - GLOBAL_ADMIN + - ID_AUTHENTICATION + - PARTNERMANAGER # Added only for cert upload using postman during install. Not required otherwise. + - name: mosip-misp-client + mappers: [] + saroles: [] + - name: mosip-partner-client + mappers: + - mapper_name: phoneNumber + mapper_user_attribute: phoneNumber + token_claim_name: phoneNumber + - mapper_name: organizationName + mapper_user_attribute: organizationName + token_claim_name: organizationName + - mapper_name: partnerType + mapper_user_attribute: partnerType + token_claim_name: partnerType + - mapper_name: addressTest + mapper_user_attribute: address + token_claim_name: addressTest + saroles: + - REGISTRATION_PROCESSOR + - CREATE_SHARE + - PMS_USER + - PMS_ADMIN + - PARTNER_ADMIN + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_MISP_LICENSE_UPDATED_GENERAL + - PUBLISH_PARTNER_UPDATED_GENERAL + - PUBLISH_MISP_LICENSE_GENERATED_GENERAL + - PUBLISH_APIKEY_APPROVED_GENERAL + - PUBLISH_APIKEY_UPDATED_GENERAL + - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_POLICY_UPDATED_GENERAL + - name: mosip-partnermanager-client + mappers: [] + saroles: + - PARTNERMANAGER + - KEY_MAKER + - name: mosip-pms-client + mappers: [] + saroles: + - PARTNER_ADMIN + - name: mosip-policymanager-client + mappers: [] + saroles: [] + - name: mosip-reg-client + mappers: [] + saroles: + - GLOBAL_ADMIN + - REGISTRATION_ADMIN + - REGISTRATION_OFFICER + - REGISTRATION_OPERATOR + - REGISTRATION_SUPERVISOR + - name: mosip-regproc-client + mappers: [] + saroles: + - REGISTRATION_PROCESSOR + - DATA_READ + - DOCUMENT_READ + - BIOMETRIC_READ + - METADATA_READ + - CREATE_SHARE + - CREDENTIAL_REQUEST + - name: mpartner-default-mobile + mappers: [] + saroles: + - CREDENTIAL_PARTNER + - 
SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - name: mosip-resident-client + mappers: [] + saroles: + - RESIDENT + - PARTNER_ADMIN + - CREDENTIAL_REQUEST + - offline_access + - uma_authorization + - name: mosip-prereg-client + mappers: [] + del_saroles: + - INDIVIDUAL + saroles: + - PREREG + - REGISTRATION_PROCESSOR + - PRE_REGISTRATION_ADMIN + - name: mosip-creser-idpass-client + mappers: [] + saroles: + - REGISTRATION_PROCESSOR + - DATA_READ + - DOCUMENT_READ + - BIOMETRIC_READ + - METADATA_READ + - CREATE_SHARE + - CREDENTIAL_REQUEST + - name: mosip-syncdata-client + mappers: [] + saroles: + - REGISTRATION_ADMIN + - GLOBAL_ADMIN + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - REGISTRATION_SUPERVISOR + - REGISTRATION_OFFICER + - name: mpartner-default-auth + mappers: + - mapper_name: langCode + mapper_user_attribute: langCode + token_claim_name: langCode + saroles: + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL + - SUBSCRIBE_POLICY_UPDATED_GENERAL + - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL + - CREDENTIAL_REQUEST + - SUBSCRIBE_MOSIP_HOTLIST_GENERAL + - PUBLISH_ANONYMOUS_PROFILE_GENERAL + - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_REMOVE_ID_INDIVIDUAL + - SUBSCRIBE_MASTERDATA_TITLES_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL + - ID_AUTHENTICATION + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_PARTNER_UPDATED_GENERAL + - offline_access + - SUBSCRIBE_APIKEY_APPROVED_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - 
uma_authorization + - SUBSCRIBE_APIKEY_UPDATED_GENERAL + - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL + - name: mosip-idrepo-client + mappers: [] + saroles: + - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL + - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL + - ID_REPOSITORY + - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL + - offline_access + - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - uma_authorization + - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL + - name: mpartner-default-print + mappers: [] + saroles: + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - CREATE_SHARE + - PRINT_PARTNER + - name: mosip-hotlist-client + saroles: + - HOTLIST_ADMIN + - uma_authorization + - offline_access + - PUBLISH_MOSIP_HOTLIST_GENERAL + # Used only for initial deployment purposes. Maybe deleted from installation later. + - name: mosip-deployment-client + saroles: + - ID_AUTHENTICATION + - GLOBAL_ADMIN # TODO: do we need this? + - PARTNER_ADMIN + - uma_authorization + - offline_access + + - name: mosip-testrig-client + saroles: + - ID_AUTHENTICATION + - GLOBAL_ADMIN # TODO: do we need this? + - PARTNER_ADMIN + - REGISTRATION_PROCESSOR + - CREATE_SHARE + - PMS_ADMIN + - PMS_USER + - uma_authorization + - offline_access + sa_client_roles: + - realm-management: ## realm-management client id + - view-users # realm-management client roles + - view-clients + - view-realms + - manage-users + + users: [] diff --git a/deploy/upgrade-init.sh b/deploy/upgrade-init.sh new file mode 100755 index 00000000..8769ea14 --- /dev/null +++ b/deploy/upgrade-init.sh 
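Review bot: Several service accounts keep privileges this file itself says are install-only — `mosip-ida-client` is granted `PARTNERMANAGER` with the comment `# Added only for cert upload using postman during install. Not required otherwise.`, and `mosip-deployment-client` / `mosip-testrig-client` carry `GLOBAL_ADMIN` under `# TODO: do we need this?`. Since this is the upgrade values file and it already uses `del_saroles` (on `mosip-prereg-client`, to strip `INDIVIDUAL`), the same mechanism can retire the install-time grant here, e.g. `del_saroles:` / `  - PARTNERMANAGER` on `mosip-ida-client`, instead of re-asserting it. `mosip-creser-idpass-client` appears twice in `clients` with identical `saroles`; the second entry looks like a copy-paste leftover. Note also that `realms:` is written as a block-scalar string (`realms: |-`), whereas the chart's own values.yaml defines `keycloak.realms` as a mapping and configmap.yaml renders it with `toYaml`, so this file presumably renders as one quoted string rather than YAML structure — worth confirming against what the init image parses.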
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Initialize Imported Keycloak with MOSIP base data
+# Usage:
+# ./import-init.sh [kube_config_file]
+
+if [ $# -ge 1 ] ; then
+ export KUBECONFIG=$1
+fi
+
+function upgrade_init() {
+ NS=keycloak
+ CHART_VERSION=0.0.1-develop
+
+ helm repo add mosip https://mosip.github.io/mosip-helm
+ helm repo update
+
+ IAM_HOST=$(kubectl get cm global -o jsonpath={.data.mosip-iam-external-host})
+
+ echo Initializing keycloak
+ helm -n $NS install keycloak-init mosip/keycloak-init --set frontend=https://$IAM_HOST/auth -f upgrade-init-values.yaml --version $CHART_VERSION
+ echo Initializing keycloak
+ helm -n $NS install keycloak-init mosip/keycloak-init --set frontend=https://$IAM_HOST/auth -f import-init-values.yaml --version $CHART_VERSION
+ return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+import_init # calling function
diff --git a/deploy/values.yaml b/deploy/values.yaml
new file mode 100644
index 00000000..4bf59839
--- /dev/null
+++ b/deploy/values.yaml
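Review bot: The last line calls `import_init`, but the function defined above is `upgrade_init`, so under `set -e` the script dies with "command not found" before any helm command runs; it should read `upgrade_init # calling function`. The two `helm -n $NS install keycloak-init …` invocations use the same release name in the same namespace, so the second cannot succeed while the first release exists; either pass both values files to one install (`-f upgrade-init-values.yaml -f import-init-values.yaml`, later file wins) or give the two runs distinct release names. `import-init-values.yaml` is not part of this change as far as I can see, so the second call also depends on a file that may not exist. The usage comment still names `./import-init.sh`, and `$NS`, `$IAM_HOST` and `$CHART_VERSION` should be quoted where they are expanded.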
@@ -0,0 +1,47 @@ +# Refrain from fixing docker tags. Instead use the appropriate chart version, while helm install +# Latest Helm chart of Bitnami uses Keycloak 18+ + +service: + type: ClusterIP + +auth: + adminUser: admin + +extraEnvVars: + - name: KEYCLOAK_EXTRA_ARGS + value: "-Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled" + #value: "-Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.import=/config/realm-mosip.json" + +## Disable ingress as we use Istio +ingress: + enabled: false + hostname: + annotations: + ingress.kubernetes.io/class: nginx + +proxyAddressForwarding: true + +replicaCount: 1 + +# Enable if replicaCount > 1 +serviceDiscovery: + enabled: true + +resources: + limits: {} + # cpu: 250m + # memory: 1Gi + requests: + cpu: 200m + memory: 1000Mi + +rbac: + create: true + rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list diff --git a/helm/keycloak-init/.gitignore b/helm/keycloak-init/.gitignore new file mode 100644 index 00000000..ee3892e8 --- /dev/null +++ b/helm/keycloak-init/.gitignore @@ -0,0 +1 @@ +charts/ diff --git a/helm/keycloak-init/.helmignore b/helm/keycloak-init/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/helm/keycloak-init/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm/keycloak-init/Chart.yaml b/helm/keycloak-init/Chart.yaml new file mode 100644 index 00000000..489e67fe --- /dev/null +++ b/helm/keycloak-init/Chart.yaml 
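Review bot: `KEYCLOAK_EXTRA_ARGS` enables `upload_scripts`, which lets any realm admin upload JavaScript that runs inside the Keycloak JVM — as far as I recall Keycloak disabled and then removed that feature precisely because it turns admin access into code execution — so it should only stay on if a named MOSIP component needs it, with a comment saying which one. The same line uses the WildFly-style `-Dkeycloak.profile.feature.*` switches while the header comment says the Bitnami chart now ships Keycloak 18+ (Quarkus), where features are enabled via `--features=token-exchange,admin-fine-grained-authz`; I cannot tell from here which distribution the pinned chart version runs, so please verify the flags actually take effect. `proxyAddressForwarding: true` makes Keycloak trust `X-Forwarded-*` headers, which is only safe because the service is `ClusterIP` behind Istio; a comment such as `# Trusts X-Forwarded-* headers: safe only while the pod is reachable solely through the mesh` would record that assumption. Minor: `hostname:` under `ingress` is a bare null, and `serviceDiscovery.enabled: true` contradicts its own `# Enable if replicaCount > 1` with `replicaCount: 1`.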
@@ -0,0 +1,20 @@ +apiVersion: v2 +name: keycloak-init +description: A Helm chart for Kubernetes to initialize Keycloak (updating for test) +type: application +version: 0.0.1-develop +appVersion: 1.2.0 +dependencies: + - name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x + +home: https://mosip.io +keywords: + - keycloak + - access-management +maintainers: + - email: info@mosip.io + name: MOSIP diff --git a/helm/keycloak-init/README.md b/helm/keycloak-init/README.md new file mode 100644 index 00000000..bfd6add8 --- /dev/null +++ b/helm/keycloak-init/README.md @@ -0,0 +1,11 @@ +# Keycloak Init + +* Make sure Keycloak server is running +* Update helm dependencies using: +``` +$ helm dependency update +``` +* Run the helm chart +``` +$ helm install keycloak-init keycloak-init +``` diff --git a/helm/keycloak-init/templates/_helpers.tpl b/helm/keycloak-init/templates/_helpers.tpl new file mode 100644 index 00000000..e8625235 --- /dev/null +++ b/helm/keycloak-init/templates/_helpers.tpl 
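Review bot: `description` still carries the placeholder `(updating for test)`, and `appVersion: 1.2.0` is not what gets deployed, because the chart's values.yaml sets `tag: develop` with `pullPolicy: Always`, so the `default .Chart.AppVersion` in job.yaml never applies and the chart version says nothing about which init image runs. For a job that creates realm clients and assigns their service-account roles, a floating `develop` tag is a supply-chain concern; I would set `appVersion` to the concrete image tag, leave `image.tag` empty so the chart default takes effect, and annotate it `# appVersion doubles as the keycloak-init image tag when image.tag is empty`. The description line becomes `description: A Helm chart for Kubernetes to initialize Keycloak`.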
@@ -0,0 +1,69 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "keycloak-init.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "keycloak-init.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "keycloak-init.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "keycloak-init.labels" -}} +helm.sh/chart: {{ include "keycloak-init.chart" . }} +{{ include "keycloak-init.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "keycloak-init.selectorLabels" -}} +app.kubernetes.io/name: {{ include "keycloak-init.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "keycloak-init.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "keycloak-init.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Return the Keycloak encrypted password +*/}} +{{- define "keycloak.admin.encryptedPassword" -}} +{{- .Values.keycloak.admin.password | b64enc | quote -}} +{{- end -}} diff --git a/helm/keycloak-init/templates/client-secrets.yaml b/helm/keycloak-init/templates/client-secrets.yaml new file mode 100644 index 00000000..7235baa3 --- /dev/null +++ b/helm/keycloak-init/templates/client-secrets.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Secret +metadata: + name: keycloak-client-secrets + namespace: {{ .Release.Namespace }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: postgres + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- range $index, $client := .Values.clientSecrets }} + {{- if $client.secret }} + {{ $client.name }}: {{ $client.secret | b64enc | quote }} + {{- else }} + {{ $client.name }}: {{ randAlphaNum 16 | b64enc | quote }} + {{- end }} + {{- end }} + + diff --git a/helm/keycloak-init/templates/configmap.yaml b/helm/keycloak-init/templates/configmap.yaml new file mode 100644 index 00000000..323022f1 --- /dev/null +++ b/helm/keycloak-init/templates/configmap.yaml 
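Review bot: `keycloak.admin.encryptedPassword` only base64-encodes `.Values.keycloak.admin.password`, which is encoding, not encryption, and the name invites someone to treat the value as protected. None of the templates in this change include it, and values.yaml defines `keycloak.admin.secret.existingSecret` rather than `keycloak.admin.password`, so the helper looks like dead code from an earlier layout; I would delete it, or if it must stay, rename it and label it honestly: `{{/* Base64-encode the admin password for a Secret data: field — this is NOT encryption */}}` over `{{- define "keycloak.admin.base64Password" -}}`.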
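Review bot: `randAlphaNum 16` is re-evaluated on every `helm upgrade`, so any client whose `secret` is not set in values receives a new value each time and every service already holding the previous secret in Keycloak stops authenticating (the job itself consumes these through `envFrom` in job.yaml). Preserve the live value with `lookup` before generating, and since generation is free, 32 characters is a better default; note `lookup` returns an empty map under `helm template` / `--dry-run`, so the generate branch still runs there. The label `app.kubernetes.io/component: postgres` is a copy-paste leftover and should be `keycloak-init`.
```yaml
# … unchanged: metadata (with component label corrected to keycloak-init) …
type: Opaque
data:
  {{- /* Reuse secrets already stored in the cluster so upgrades do not rotate them. */}}
  {{- $existing := (lookup "v1" "Secret" .Release.Namespace "keycloak-client-secrets").data | default dict }}
  {{- range $index, $client := .Values.clientSecrets }}
  {{- if $client.secret }}
  {{ $client.name }}: {{ $client.secret | b64enc | quote }}
  {{- else if hasKey $existing $client.name }}
  {{ $client.name }}: {{ index $existing $client.name | quote }}
  {{- else }}
  {{ $client.name }}: {{ randAlphaNum 32 | b64enc | quote }}
  {{- end }}
  {{- end }}
```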
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-configuration" (include "keycloak-init.fullname" .) }} + namespace: {{ .Release.Namespace }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: keycloak-init + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + +data: + input.yaml: | + {{ .Values.keycloak.realms | toYaml | nindent 4 }} + diff --git a/helm/keycloak-init/templates/job.yaml b/helm/keycloak-init/templates/job.yaml new file mode 100644 index 00000000..86b24f8f --- /dev/null +++ b/helm/keycloak-init/templates/job.yaml 
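Review bot: `input.yaml` is rendered verbatim from `.Values.keycloak.realms`, and the deploy script in this same change pushes the SMTP credential into that tree (`--set keycloak.realms.mosip.realm_config.smtpServer.password=…`), so a mail password lands in a ConfigMap, readable by anything with `get configmaps` in the namespace and outside whatever at-rest encryption or RBAC is applied to Secrets. I would make this resource `kind: Secret` with `stringData:` in place of `data:` (the `toYaml | nindent 4` line stays as is) and switch the Job's volume from `configMap:` to `secret:`; the mount path and `INPUT_FILE` do not change. If the realm tree is meant to stay a ConfigMap, the SMTP user and password should at least move to a separate Secret that the init image reads from the environment — I cannot see from here whether the image supports that.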
@@ -0,0 +1,77 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "keycloak-init.fullname" . }} + labels: + {{- include "keycloak-init.labels" . | nindent 4 }} +spec: + backoffLimit: 0 + template: + metadata: + labels: + {{- include "keycloak-init.selectorLabels" . | nindent 8 }} + sidecar.istio.io/inject: "false" + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "keycloak-init.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.jobSecurityContext | nindent 8 }} + restartPolicy: Never # This is one time job + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + {{- $globalSecretName := include "common.secrets.name" (dict "existingSecret" .Values.keycloak.existingSecret "context" $) }} + - name: KEYCLOAK_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.keycloak.admin.secret.existingSecret }} + key: {{ .Values.keycloak.admin.secret.key }} + - name: KEYCLOAK_SERVER_URL + valueFrom: + configMapKeyRef: + name: {{ .Values.keycloak.host.existingConfigMap }} + key: {{ .Values.keycloak.host.key }} + - name: KEYCLOAK_ADMIN_USER + valueFrom: + configMapKeyRef: + name: {{ .Values.keycloak.admin.userName.existingConfigMap }} + key: {{ .Values.keycloak.admin.userName.key }} + - name: FRONTEND_URL + value: {{ .Values.frontend }} + - name: INPUT_FILE + value: input.yaml # Must match below file name in the mount + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + - secretRef: + name: keycloak-client-secrets + {{- if .Values.extraEnvVarsCM }} + {{- range .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ . 
}} + {{- end }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + {{- range .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ . }} + {{- end }} + {{- end }} + + volumeMounts: + - name: keycloak-init-input + mountPath: /opt/mosip/input/input.yaml # Same as INPUT_DIR/INPUT_FILE in docker + subPath: input.yaml # INPUT_FILE in docker + volumes: + - name: keycloak-init-input + configMap: + name: {{ printf "%s-configuration" (include "keycloak-init.fullname" .) }} + diff --git a/helm/keycloak-init/templates/serviceaccount.yaml b/helm/keycloak-init/templates/serviceaccount.yaml new file mode 100644 index 00000000..94d477d9 --- /dev/null +++ b/helm/keycloak-init/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "keycloak-init.serviceAccountName" . }} + labels: + {{- include "keycloak-init.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/helm/keycloak-init/templates/tests/test-connection.yaml b/helm/keycloak-init/templates/tests/test-connection.yaml new file mode 100644 index 00000000..4a24842a --- /dev/null +++ b/helm/keycloak-init/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "keycloak-init.fullname" . }}-test-connection" + labels: + {{- include "keycloak-init.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "keycloak-init.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/helm/keycloak-init/values.yaml b/helm/keycloak-init/values.yaml new file mode 100644 index 00000000..611d3c90 --- /dev/null +++ b/helm/keycloak-init/values.yaml 
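Review bot: `{{- $globalSecretName := include "common.secrets.name" (dict "existingSecret" .Values.keycloak.existingSecret "context" $) }}` is assigned and never used, and `keycloak.existingSecret` does not exist in values.yaml (the admin secret is `keycloak.admin.secret.existingSecret`), so the line should go. `value: {{ .Values.frontend }}` renders a null `value:` when `frontend` is unset, which the API server rejects; use `value: {{ .Values.frontend | quote }}`. The Job carries no `helm.sh/hook` annotations, so a later `helm upgrade` either fails on the immutable pod template or silently leaves the old completed Job in place — presumably why upgrade-init.sh runs `helm install` twice; annotating it `"helm.sh/hook": post-install,post-upgrade` with `"helm.sh/hook-delete-policy": before-hook-creation` is the usual shape. Lastly, this container receives every client secret via `envFrom` and the admin password in its environment while `securityContext` defaults to `{}` in values.yaml; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` are cheap defaults for a job with that blast radius.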
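Review bot: The helm test pod runs `wget` against `{{ include "keycloak-init.fullname" . }}:{{ .Values.service.port }}`, but this chart defines no Service — its templates are a Secret, a ConfigMap, a Job and a ServiceAccount — so `helm test` will always fail on name resolution; this is chart scaffold boilerplate and should be removed, or rewritten to verify that the init Job reached `Complete`. It also pulls an unpinned `image: busybox`; if the test is kept, pin a tag or digest.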
@@ -0,0 +1,734 @@ +# Default values for keycloak-init. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: mosipqa/keycloak-init + pullPolicy: Always + # Overrides the image tag whose default is the chart appVersion. + tag: develop + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +jobAnnotations: {} + +jobSecurityContext: {} +# fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true +# runAsUser: 1000 + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: [] + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m +# memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + + +## It is assumed that these configmaps are created when Keycloak was installed and available in the same namespace +## as this chart +keycloak: + host: + existingConfigMap: keycloak-host + key: keycloak-internal-service-url + admin: + userName: + existingConfigMap: keycloak-env-vars + key: KEYCLOAK_ADMIN_USER + secret: + existingSecret: keycloak + key: admin-password + + realms: + # realm + mosip: + realm_config: + "realm": 'mosip' + "enabled": 'True' + "accessCodeLifespan": 7200 + "accessCodeLifespanLogin": 1800 + "accessCodeLifespanUserAction": 300 + "accessTokenLifespan": 86400 + "accessTokenLifespanForImplicitFlow": 900 + "actionTokenGeneratedByAdminLifespan": 43200 + "actionTokenGeneratedByUserLifespan": 300 + "passwordPolicy": "length(8)" + "resetPasswordAllowed": 'True' + "bruteForceProtected": 'True' + "permanentLockout": 'False' + "maxFailureWaitSeconds": 900 + "minimumQuickLoginWaitSeconds": 60 + "waitIncrementSeconds": 300 + "quickLoginCheckMilliSeconds": 1000 + "maxDeltaTimeSeconds": 600 + "failureFactor": 5 + # "attributes": + # "frontendUrl": '' + "loginTheme": "mosip" + "accountTheme": "mosip" + "adminTheme": "mosip" + "emailTheme": "mosip" + "browserSecurityHeaders": + "contentSecurityPolicy": "frame-src 'self' https://www.google.com; frame-ancestors 'self'; object-src 'none';" + # "smtpServer": + # "password": "" + # "starttls": "false" + # "auth": "true" + # "port": "465" + # "host": "smtp.gmail.com" + # "from": "" + # "ssl": "true" + # "user": "" + roles: + - Default + - ABIS_PARTNER + - SDK_PARTNER + - AUTH + - AUTH_PARTNER + - BIOMETRIC_READ + - CENTRAL_ADMIN + - CENTRAL_APPROVER + - CREATE_SHARE + - CREDENTIAL_ISSUANCE + - CREDENTIAL_PARTNER + - CREDENTIAL_REQUEST + - DATA_READ + - DEVICE_PROVIDER + - DIGITALCARD_ADMIN + - DOCUMENT_READ + - FTM_PROVIDER + - GLOBAL_ADMIN + - ID_AUTHENTICATION + - 
ID_REPOSITORY + - INDIVIDUAL + - KEY_MAKER + - MASTERDATA_ADMIN + - METADATA_READ + - MISP + - MISP_PARTNER + - offline_access + - ONLINE_VERIFICATION_PARTNER + - PARTNER + - PARTNER_ADMIN + - POLICYMANAGER + - PREREG + - PRE_REGISTRATION + - PRE_REGISTRATION_ADMIN + - PRINT_PARTNER + - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL + - PUBLISH_ANONYMOUS_PROFILE_GENERAL + - PUBLISH_APIKEY_APPROVED_GENERAL + - PUBLISH_APIKEY_UPDATED_GENERAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL + - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL + - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL + - PUBLISH_IDENTITY_CREATED_GENERAL + - PUBLISH_IDENTITY_UPDATED_GENERAL + - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - PUBLISH_MASTERDATA_TITLES_GENERAL + - PUBLISH_MISP_LICENSE_GENERATED_GENERAL + - PUBLISH_MISP_LICENSE_UPDATED_GENERAL + - PUBLISH_MOSIP_HOTLIST_GENERAL + - PUBLISH_PARTNER_UPDATED_GENERAL + - PUBLISH_POLICY_UPDATED_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL + - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL + - REGISTRATION_ADMIN + - REGISTRATION_OFFICER + - REGISTRATION_OPERATOR + - REGISTRATION_PROCESSOR + - REGISTRATION_SUPERVISOR + - RESIDENT + - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_APIKEY_APPROVED_GENERAL + - SUBSCRIBE_APIKEY_UPDATED_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL + - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_IDENTITY_CREATED_GENERAL + - SUBSCRIBE_IDENTITY_UPDATED_GENERAL + 
- SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - SUBSCRIBE_MASTERDATA_TITLES_GENERAL + - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL + - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL + - SUBSCRIBE_MOSIP_HOTLIST_GENERAL + - SUBSCRIBE_PARTNER_UPDATED_GENERAL + - SUBSCRIBE_POLICY_UPDATED_GENERAL + - SUBSCRIBE_REMOVE_ID_INDIVIDUAL + - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL + - uma_authorization + - ZONAL_ADMIN + - ZONAL_APPROVER + - HOTLIST_ADMIN + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - SUBSCRIBE_AUTHENTICATION_TRANSACTION_STATUS + - CARD_DISBURSEMENT_ADMIN + - PMS_ADMIN + - PMS_USER + - SUBSCRIBE_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - PUBLISH_OIDC_CLIENT_CREATED_GENERAL + - PUBLISH_OIDC_CLIENT_UPDATED_GENERAL + - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL + - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL + - PUBLISH_AUTHENTICATION_ERRORS_GENERAL + - PUBLISH_REMOVE_ID_STATUS_GENERAL + - SUBSCRIBE_REMOVE_ID_STATUS_GENERAL + client_scopes: + - name: add_oidc_client + description: Scope required to create OIDC client + protocol: openid-connect + "Include In Token Scope": on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: update_oidc_client + description: '' + protocol: openid-connect + "Include In Token Scope": on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: get_certificate + description: Scope required to create OIDC client + protocol: openid-connect + "Include In Token Scope": on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: upload_certificate + description: '' + protocol: openid-connect + "Include In Token Scope": on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: individual_id + description: Scope required to create resident client + 
protocol: openid-connect
+ "Include In Token Scope": on
+ attributes: {
+ display.on.consent.screen: "true",
+ include.in.token.scope: "true"
+ }
+ - name: ida_token
+ description: ''
+ protocol: openid-connect
+ "Include In Token Scope": on
+ attributes: {
+ display.on.consent.screen: "true",
+ include.in.token.scope: "true"
+ }
+ - name: send_binding_otp
+ description: Scope required to create mpartner-default-mobile client
+ protocol: openid-connect
+ "Include In Token Scope": on
+ attributes: {
+ display.on.consent.screen: "false",
+ include.in.token.scope: "true"
+ }
+ - name: wallet_binding
+ description: Scope required to create mpartner-default-mobile client
+ protocol: openid-connect
+ "Include In Token Scope": on
+ attributes: {
+ display.on.consent.screen: "false",
+ include.in.token.scope: "true"
+ }
+ clients:
+ - name: mosip-abis-client
+ mappers: []
+ saroles: []
+
+ - name: mosip-admin-client
+ mappers: []
+ saroles:
+ - MASTERDATA_ADMIN
+ - GLOBAL_ADMIN
+ - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL
+ - offline_access
+ - PUBLISH_MOSIP_HOTLIST_GENERAL
+ - uma_authorization
+ - PUBLISH_MASTERDATA_TITLES_GENERAL
+
+ - name: mosip-admin-services-client
+ mappers: []
+ saroles: []
+
+ - name: mosip-auth-client
+ mappers: []
+ saroles:
+ - AUTH
+
+ - name: mosip-crereq-client
+ mappers: []
+ saroles:
+ - CREDENTIAL_ISSUANCE
+ - CREDENTIAL_REQUEST
+ - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - offline_access
+ - uma_authorization
+
+ - name: mosip-creser-client
+ mappers: []
+ saroles:
+ - CREDENTIAL_ISSUANCE
+ - REGISTRATION_PROCESSOR
+ - POLICYMANAGER
+ - CREATE_SHARE
+ - offline_access
+ - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL
+ - uma_authorization
+ - name: mosip-creser-idpass-client
+ mappers: []
+ saroles:
+ - REGISTRATION_PROCESSOR
+ - DATA_READ
+ - DOCUMENT_READ
+ - BIOMETRIC_READ
+ - METADATA_READ
+ - CREATE_SHARE
+ - CREDENTIAL_REQUEST
+
+ - name: mosip-datsha-client
+ mappers: []
+ saroles:
+ - CREATE_SHARE
+ - REGISTRATION_PROCESSOR
+ - POLICYMANAGER
+
+ - name: mosip-ida-client
+ mappers: []
+ saroles:
+ - CREDENTIAL_REQUEST
+ - GLOBAL_ADMIN
+ - ID_AUTHENTICATION
+ - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL
+ - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL
+
+ - name: mosip-misp-client
+ mappers: []
+ saroles: []
+
+ - name: mosip-pms-client
+ mappers:
+ - mapper_name: phoneNumber
+ mapper_user_attribute: phoneNumber
+ token_claim_name: phoneNumber
+ - mapper_name: organizationName
+ mapper_user_attribute: organizationName
+ token_claim_name: organizationName
+ - mapper_name: partnerType
+ mapper_user_attribute: partnerType
+ token_claim_name: partnerType
+ - mapper_name: addressTest
+ mapper_user_attribute: address
+ token_claim_name: addressTest
+ saroles:
+ - REGISTRATION_PROCESSOR
+ - CREATE_SHARE
+ - PMS_ADMIN
+ - PMS_USER
+ - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL
+ - PUBLISH_MISP_LICENSE_UPDATED_GENERAL
+ - PUBLISH_PARTNER_UPDATED_GENERAL
+ - PUBLISH_MISP_LICENSE_GENERATED_GENERAL
+ - PUBLISH_APIKEY_APPROVED_GENERAL
+ - PUBLISH_APIKEY_UPDATED_GENERAL
+ - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL
+ - PUBLISH_POLICY_UPDATED_GENERAL
+ - PARTNER_ADMIN
+ - PUBLISH_OIDC_CLIENT_CREATED_GENERAL
+ - PUBLISH_OIDC_CLIENT_UPDATED_GENERAL
+ - ZONAL_ADMIN
+ - DEVICE_PROVIDER
+ - PARTNER
+ assign_client_scopes:
+ - update_oidc_client
+ - add_oidc_client
+ - get_certificate
+ - upload_certificate
+
+ - name: mosip-policymanager-client
+ mappers: []
+ saroles: []
+
+ - name: mosip-reg-client
+ mappers: []
+ saroles:
+ - GLOBAL_ADMIN
+ - REGISTRATION_ADMIN
+ - REGISTRATION_OFFICER
+ - REGISTRATION_OPERATOR
+ - REGISTRATION_SUPERVISOR
+
+ - name: mosip-regproc-client
+ mappers: []
+ saroles:
+ - REGISTRATION_PROCESSOR
+ - DATA_READ
+ - DOCUMENT_READ
+ - BIOMETRIC_READ
+ - METADATA_READ
+ - CREATE_SHARE
+ - CREDENTIAL_REQUEST
+ - PARTNER
+ - PARTNER_ADMIN
+ - PMS_USER
+ - POLICYMANAGER
+ - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL
+ - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL
+ - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL
+ - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL
+
+ - name: mpartner-default-mobile
+ mappers: []
+ saroles:
+ - CREDENTIAL_PARTNER
+ - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL
+ - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL
+ - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL
+ - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL
+ - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL
+ - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
+ assign_client_scopes:
+ - send_binding_otp
+ - wallet_binding
+
+ - name: mosip-resident-client
+ mappers:
+ - mapper_name: individual_id
+ mapper_user_attribute: individual_id
+ token_claim_name: individual_id
+ - mapper_name: ida_token
+ mapper_user_attribute: ida_token
+ token_claim_name: ida_token
+ saroles:
+ - RESIDENT
+ - PARTNER_ADMIN
+ - CREDENTIAL_REQUEST
+ - offline_access
+ - uma_authorization
+ - SUBSCRIBE_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
+ - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
+ - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL
+ assign_client_scopes:
+ - individual_id
+ - ida_token
+
+ - name: mosip-prereg-client
+ mappers: []
+ saroles:
+ - PREREG
+ - REGISTRATION_PROCESSOR
+ - PRE_REGISTRATION_ADMIN
+
+ - name: mosip-creser-idpass-client
+ mappers: []
+ saroles:
+ - REGISTRATION_PROCESSOR
+ - DATA_READ
+ - DOCUMENT_READ
+ - BIOMETRIC_READ
+ - METADATA_READ
+ - CREATE_SHARE
+ - CREDENTIAL_REQUEST
+
+ - name: mosip-syncdata-client
+ mappers: []
+ saroles:
+ - REGISTRATION_ADMIN
+ - GLOBAL_ADMIN
+ - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL
+ - REGISTRATION_SUPERVISOR
+ - REGISTRATION_OFFICER
+
+ - name: mpartner-default-auth
+ mappers:
+ - mapper_name: langCode
+ mapper_user_attribute: langCode
+ token_claim_name: langCode
+ saroles:
+ - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL
+ - SUBSCRIBE_POLICY_UPDATED_GENERAL
+ - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL
+ - CREDENTIAL_REQUEST
+ - SUBSCRIBE_MOSIP_HOTLIST_GENERAL
+ - PUBLISH_ANONYMOUS_PROFILE_GENERAL
+ - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL
+ - SUBSCRIBE_REMOVE_ID_INDIVIDUAL
+ - SUBSCRIBE_MASTERDATA_TITLES_GENERAL
+ - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
+ - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL
+ - ID_AUTHENTICATION
+ - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
+ - SUBSCRIBE_PARTNER_UPDATED_GENERAL
+ - offline_access
+ - SUBSCRIBE_APIKEY_APPROVED_GENERAL
+ - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
+ - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL
+ - uma_authorization
+ - SUBSCRIBE_APIKEY_UPDATED_GENERAL
+ - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL
+ - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL
+ - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
+ - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL
+ - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL
+ - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL
+ - PUBLISH_AUTHENTICATION_ERRORS_GENERAL
+ - PUBLISH_REMOVE_ID_STATUS_GENERAL
+
+ - name: mosip-idrepo-client
+ mappers: []
+ saroles:
+ - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL
+ - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL
+ - ID_REPOSITORY
+ - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL
+ - offline_access
+ - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL
+ - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
+ - uma_authorization
+ - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL
+ - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL
+ - PUBLISH_IDENTITY_CREATED_GENERAL
+ - PUBLISH_IDENTITY_UPDATED_GENERAL
+ - SUBSCRIBE_REMOVE_ID_STATUS_GENERAL
+
+ - name: mpartner-default-print
+ mappers: []
+ saroles:
+ - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
+ - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - CREATE_SHARE
+ - PRINT_PARTNER
+
+ - name: mpartner-default-digitalcard
+ mappers: []
+ saroles:
+ - SUBSCRIBE_IDENTITY_CREATED_GENERAL
+ - SUBSCRIBE_IDENTITY_UPDATED_GENERAL
+ - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - CREATE_SHARE
+ - PRINT_PARTNER
+ - CREDENTIAL_REQUEST
+ - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
+ - name: mpartner-default-opencrvs
+ saroles:
+ - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
+ - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - ID_REPOSITORY
+ - name: mosip-hotlist-client
+ saroles:
+ - HOTLIST_ADMIN
+ - uma_authorization
+ - offline_access
+ - PUBLISH_MOSIP_HOTLIST_GENERAL
+
+ # Used only for initial deployment purposes. Maybe deleted from installation later.
+ - name: mosip-deployment-client
+ saroles:
+ - ID_AUTHENTICATION
+ - GLOBAL_ADMIN
+ - PARTNER_ADMIN
+ - uma_authorization
+ - offline_access
+
+ - name: mosip-digitalcard-client
+ saroles:
+ - CREATE_SHARE
+ - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
+ - SUBSCRIBE_IDENTITY_CREATED_GENERAL
+ - SUBSCRIBE_IDENTITY_UPDATED_GENERAL
+
+ - name: mosip-testrig-client
+ saroles:
+ - ID_AUTHENTICATION
+ - GLOBAL_ADMIN
+ - PARTNER_ADMIN
+ - REGISTRATION_PROCESSOR
+ - CREATE_SHARE
+ - PMS_ADMIN
+ - PMS_USER
+ - uma_authorization
+ - offline_access
+ - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL
+ - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL
+ - ID_REPOSITORY
+ - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL
+ - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL
+ - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
+ - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL
+ - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL
+ - PUBLISH_IDENTITY_CREATED_GENERAL
+ - PUBLISH_IDENTITY_UPDATED_GENERAL
+ - SUBSCRIBE_REMOVE_ID_STATUS_GENERAL
+ sa_client_roles:
+ ## realm-management client id
+ - realm-management:
+ # realm-management client roles
+ - view-users
+ - view-clients
+ - view-realm
+ - manage-users
+ - name: mpartner-default-template
+ mappers:
+ - mapper_name: langCode
+ mapper_user_attribute: langCode
+ token_claim_name: langCode
+ saroles:
+ - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL
+ - SUBSCRIBE_POLICY_UPDATED_GENERAL
+ - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL
+ - CREDENTIAL_REQUEST
+ - SUBSCRIBE_MOSIP_HOTLIST_GENERAL
+ - PUBLISH_ANONYMOUS_PROFILE_GENERAL
+ - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL
+ - SUBSCRIBE_REMOVE_ID_INDIVIDUAL
+ - SUBSCRIBE_MASTERDATA_TITLES_GENERAL
+ - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
+ - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL
+ - ID_AUTHENTICATION
+ - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
+ - SUBSCRIBE_PARTNER_UPDATED_GENERAL
+ - offline_access
+ - SUBSCRIBE_APIKEY_APPROVED_GENERAL
+ - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
+ - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL
+ - uma_authorization
+ - SUBSCRIBE_APIKEY_UPDATED_GENERAL
+ - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL
+ - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL
+ - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
+ - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL
+ - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL
+ - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL
+ - PUBLISH_AUTHENTICATION_ERRORS_GENERAL
+ users: []
+
+## These will be passed as environments variables to keycloak-init docker. Note the expected naming convention is
+## _. If empty secret is passed, it shall be randomly generated
+clientSecrets:
+ - name: mosip_abis_client_secret
+ secret: ""
+ - name: mosip_admin_client_secret
+ secret: ""
+ - name: mosip_admin_services_client_secret
+ secret: ""
+ - name: mosip_auth_client_secret
+ secret: ""
+ - name: mosip_crereq_client_secret
+ secret: ""
+ - name: mosip_creser_client_secret
+ secret: ""
+ - name: mosip_datsha_client_secret
+ secret: ""
+ - name: mosip_ida_client_secret
+ secret: ""
+ - name: mosip_misp_client_secret
+ secret: ""
+ - name: mosip_pms_client_secret
+ secret: ""
+ - name: mosip_policymanager_client_secret
+ secret: ""
+ - name: mosip_reg_client_secret
+ secret: ""
+ - name: mosip_regproc_client_secret
+ secret: ""
+ - name: mosip_resident_client_secret
+ secret: ""
+ - name: mosip_prereg_client_secret
+ secret: ""
+ - name: mosip_creser_idpass_client_secret
+ secret: ""
+ - name: mosip_syncdata_client_secret
+ secret: ""
+ - name: mosip_deployment_client_secret
+ secret: ""
+ - name: mpartner_default_auth_secret
+ secret: ""
+ - name: mosip_idrepo_client_secret
+ secret: ""
+ - name: mpartner_default_print_secret
+ secret: ""
+ - name: mosip_hotlist_client_secret
+ secret: ""
+ - name: mpartner_default_mobile_secret
+ secret: ""
+ - name: mosip_digitalcard_client_secret
+ secret: ""
+ - name: mpartner_default_digitalcard_secret
+ secret: ""
+ - name: mosip_testrig_client_secret
+ secret: ""
+ - name: mpartner_default_template_secret
+ secret: ""
+
+extraEnvVarsSecret: []
+extraEnvVarsCM: []