From c6117f33db99639cc8696185dd93da9d6c1d65de Mon Sep 17 00:00:00 2001 From: PRAFUL RAKHADE <99539100+prafulrakhade@users.noreply.github.com> Date: Wed, 4 Dec 2024 19:14:24 +0530 Subject: [PATCH] [MOSIP-35490] moved required helm and deploy scripts to modular repo Signed-off-by: techno-467 --- .github/workflows/chart-lint-publish.yml | 62 +++ deploy/README.md | 139 +++++++ deploy/delete.sh | 32 ++ deploy/export.sh | 80 ++++ deploy/import-init-values.yaml | 509 +++++++++++++++++++++++ deploy/import-init.sh | 31 ++ deploy/install.sh | 36 ++ deploy/update_secret.sh | 24 ++ deploy/upgrade-init-values.yaml | 350 ++++++++++++++++ deploy/upgrade-init.sh | 32 ++ deploy/values.yaml | 47 +++ 11 files changed, 1342 insertions(+) create mode 100644 .github/workflows/chart-lint-publish.yml create mode 100644 deploy/README.md create mode 100755 deploy/delete.sh create mode 100755 deploy/export.sh create mode 100644 deploy/import-init-values.yaml create mode 100755 deploy/import-init.sh create mode 100755 deploy/install.sh create mode 100755 deploy/update_secret.sh create mode 100644 deploy/upgrade-init-values.yaml create mode 100755 deploy/upgrade-init.sh create mode 100644 deploy/values.yaml diff --git a/.github/workflows/chart-lint-publish.yml b/.github/workflows/chart-lint-publish.yml new file mode 100644 index 00000000..16b2ed75 --- /dev/null +++ b/.github/workflows/chart-lint-publish.yml 
@@ -0,0 +1,62 @@ +name: Validate / Publish helm charts + +on: + release: + types: [published] + pull_request: + types: [opened, reopened, synchronize] + paths: + - 'helm/**' + workflow_dispatch: + inputs: + IGNORE_CHARTS: + description: 'Provide list of charts to be ignored separated by pipe(|)' + required: false + default: '""' + type: string + CHART_PUBLISH: + description: 'Chart publishing to gh-pages branch' + required: false + default: 'NO' + type: string + options: + - YES + - NO + INCLUDE_ALL_CHARTS: + description: 'Include all charts for Linting/Publishing (YES/NO)' + required: false + default: 'NO' + type: string + options: + - YES + - NO + push: + branches: + - '!release-branch' + - '!master' + - 1.* + - 0.* + - develop + - MOSIP* + - release* + paths: + - './helm/**' + +jobs: + chart-lint-publish: + uses: mosip/kattu/.github/workflows/chart-lint-publish.yml@master + with: + CHARTS_DIR: ./helm + CHARTS_URL: https://mosip.github.io/mosip-helm + REPOSITORY: mosip-helm + BRANCH: gh-pages + INCLUDE_ALL_CHARTS: "${{ inputs.INCLUDE_ALL_CHARTS || 'NO' }}" + IGNORE_CHARTS: "${{ inputs.IGNORE_CHARTS || '\"\"' }}" + CHART_PUBLISH: "${{ inputs.CHART_PUBLISH || 'YES' }}" + LINTING_CHART_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-schema.yaml" + LINTING_LINTCONF_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/lintconf.yaml" + LINTING_CHART_TESTING_CONFIG_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-testing-config.yaml" + LINTING_HEALTH_CHECK_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/health-check-schema.yaml" + secrets: + TOKEN: ${{ secrets.ACTION_PAT }} + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} \ No newline at end of file diff --git a/deploy/README.md b/deploy/README.md new file mode 100644 index 00000000..52aab458 --- /dev/null +++ b/deploy/README.md 
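Review bot: The reusable workflow is consumed at a mutable ref, `uses: mosip/kattu/.github/workflows/chart-lint-publish.yml@master`, and it receives `secrets.ACTION_PAT`, so any change pushed to kattu's master runs with that PAT inside this repo's publish job; pin it to a commit SHA (`@<sha>  # vX.Y`) and let Dependabot move it. The fallback `CHART_PUBLISH: "${{ inputs.CHART_PUBLISH || 'YES' }}"` also means that on every `push` and `pull_request` trigger, where `inputs` is empty, the job asks for publishing, while the manual default is `NO`; if publishing is only intended on `release: published` and explicit dispatch, make the fallback `'NO'` or gate on `github.event_name`. Smaller things: the `push` filter uses `'./helm/**'` while the `pull_request` filter uses `'helm/**'` (GitHub path filters take no `./` prefix, so the push filter likely never matches), and `options:` is ignored for `type: string` inputs — use `type: choice` if the YES/NO restriction is wanted.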
@@ -0,0 +1,139 @@ +# Keycloak + +## Introduction +An organisation may use any OAuth 2.0 compliant Identity Access Management (IAM) system with MOSIP. Here we provide k8s installation procedure for **Keycloak** which is the default supported IAM with MOSIP. + +- It is recommended to have two seperate installations of keycloak; + 1. One for organisation wide access to Rancher in order to access different clusters there which is already installed [here](../../rancher/keycloak/README.md). It is installed in the rancher cluster the same will be only one throughout the organisation. + 1. Second installation of keycloak will be in the MOSIP cluster as external dependency for every MOSIP cluster. This will be used by MOSIP modules for authentication and authorization. + +## Prerequisites +The `install.sh` script here assumes that configmap `global` is already there in the default namespace. + +## Install +* Use the `install.sh` provided in this directory. This will install Keycloak as bitnami helm chart. +* To further configure `values.yaml` and for any other info, refer [here](https://github.com/bitnami/charts/tree/master/bitnami/keycloak). +``` +$ ./install.sh +``` +* Bitnami keycloak chart here installs postgres too. If you already have an external postgres DB, point to the same while installing. +* For postgres persistence the chart uses default storage class available with the cluster. +* While deleting helm chart note that PVC, PV do not get removed for Statefulset. This also means that passwords will be same as before. Delete them explicity if you need to. CAUTION: all persistent data will be erased if you delete PV. +* To retain data even after PV deletion use a storage class that supports "Retain". On AWS, you may install `gp2-retain` storage class given here and specify the same while installing Keycloak helm chart. 
+ +## Existing Keycloak +* In case you have not installed Keycloak by above method, and already have an instance running, make sure Kubernetes configmap and secret is created in namespace `keycloak` as expected in [keycloak-init](https://github.com/mosip/mosip-helm/blob/develop/charts/keycloak-init/values.yaml): + ``` + keycloak: + host: + existingConfigMap: keycloak-host + key: keycloak-host-url + admin: + userName: + existingConfigMap: keycloak-env-vars + key: KEYCLOAK_ADMIN_USER + secret: + existingSecret: keycloak + key: admin-password + ``` + +## Secret change +In case you change admin password directly from console, then update the secret as well: +``` +$ ./update_secret.sh +``` +You may get the current admin password: +``` +$ ./get_pwd.sh +``` + +## Keycloak docker version +TODO: The keycloak docker version in `values.yaml` is an older version as the version 12.04 (latest bitnami) was crashing for `userinfo` request for client (like mosip-prereg-client). Watch latest bitnami release and upgrade 13+ version when available. + +## Keycloak Init +To populate base data of MOSIP, run Keycloak Init job: +``` +$ ./keycloak_init.sh +``` + +## Frontend URL +- Navigate to keycloak admin console. +- Navigate to `Mosip` realm. +- Configure *Frontend URL* property in *Realm Settings* page. Value for the frontend url should be: `https:///auth`. Eg: `https://iam.sandbox.mosip.net/auth`. +- Save it. + +Automated this as part of keycloak-init + +## Enable Multi Languages in keycloak +- Navigate to the keycloak admin console. +- Navigate to `Mosip` realm. +- Navigate to `Realms Settings` ----> `Themes`. +- Enable `Internationalization Enabled`. +- Set languages in `Supported Locales`. +- Click on `Save`. + ![keycloak-1.png](../../docs/images/keycloak-1.png) +- Confirm via checking languages in `Mosip` admin login page `https://iam.sandbox.xyz.net/auth/admin/mosip/console/`. 
+ ![img.png](../../docs/images/keycloak-2.png) + +TODO: Automate this as part of keycloak-init + +## EXPORT + +### Export from Jboss keycloak 9.0.0 + +* Copy `export.sh` to the console machine of the specific environment and run the `export.sh`.
+ Make sure the console has Kubernetes cluster access. + ```sh + ./export.sh + ``` + ``` + Provide kubernetes cluster config file path : + Provide keycloak namespace ( Default namespace: default ) : + Provide directory location for export files ( Default Location: current directory ) : + Created Export Directory : + Provide "No of users per file" ( Default: 1000, Recommended value: total number of users ) : + ``` +* Press `ctrl+c` once after `Export finished successfully` displayed. + ``` + 18:07:06,903 INFO [org.keycloak.services] (ServerService Thread Pool -- 62) KC-SERVICES0035: Export finished successfully + ``` +* Copy exports files from console machine to your local. + +### Export from Bitnami keycloak ( Helm/chart Version: 7.1.18 ) +* Set the `KEYCLOAK_EXTRA_ARGS` as an environmental variable in "keycloak" statefulSets to export realm & its users. +* Set the value for `-Dkeycloak.migration.usersPerFile` ( Recommended value: total number of users ) to the below environmental variable value. + ``` + name: KEYCLOAK_EXTRA_ARGS + value: '-Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir -Dkeycloak.migration.realmName=mosip -Dkeycloak.migration.usersExportStrategy=DIFFERENT_FILES -Dkeycloak.migration.usersPerFile= -Dkeycloak.migration.file=/' + ``` +* Wait till the application is up and running. +* Keycloak will be exported to location `/opt/bitnami/keycloak/standalone/keycloak-export/`. +* Copy the `keycloak-export` directory from the above location to your local via the `kubectl cp` command. + +## IMPORT + +### Import to Bitnami Keycloak ( Helm chart version: 7.1.18 ) +* If already existing keycloak is running, set the environmental variable `KEYCLOAK_EXTRA_ARGS=-Dkeycloak.profile.feature.upload_scripts=enabled` to enable the import feature. +* Run `install.sh` to deploy keycloak with the import feature enabled. 
+ ```sh
+ ./install.sh
+ ```
+
+### Import Realm via Keycloak UI
+* Login to keycloak Admin console, Navigate `Master` realm and Click on `Add Realm`.
+* Click on the `select file` to Import the keycloak realm. Select keycloak exported realm JSON file.
+* Set realm name to `mosip` and click on `create`.
+ ![keycloak-4.png](../../docs/images/keycloak-4.png)
+
+### Import Users via Keycloak UI
+* Login to keycloak Admin console, Navigate to `Mosip` realm.
+* Click on `Import` ---> Select `Exported json file` and click on `Import`.
+ ![keycloak-3.png](../../docs/images/keycloak-3.png)
+
+### IMPORT INIT
+
+* Update realm, roles, clients, & service account client roles details in `import-init-values.yaml`.
+* run `import-init.sh`
+ ```sh
+ ./import-init.sh
+ ```
diff --git a/deploy/delete.sh b/deploy/delete.sh
new file mode 100755
index 00000000..fc629f87
--- /dev/null
+++ b/deploy/delete.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Uninstalls Keycloak
+## Usage: ./delete.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+ export KUBECONFIG=$1
+fi
+
+function deleting_keycloak() {
+ NS=keycloak
+ while true; do
+ read -p "Are you sure you want to delete Keyclaok? This is DANGEROUS! (Y/n) " yn
+ if [ $yn = "Y" ]
+ then
+ helm -n $NS delete keycloak
+ helm -n $NS delete keycloak-init
+ helm -n $NS delete istio-addons
+ break
+ else
+ break
+ fi
+ done
+ return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+deleting_keycloak # calling function
diff --git a/deploy/export.sh b/deploy/export.sh
new file mode 100755
index 00000000..d942f666
--- /dev/null
+++ b/deploy/export.sh
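Review bot: `if [ $yn = "Y" ]` leaves `$yn` unquoted, so simply pressing Enter at the prompt turns the test into `[ = "Y" ]`, a `test` syntax error that `set -e` (enabled before the function is called) converts into an abort instead of the intended "no"; write `if [ "$yn" = "Y" ]`. The `while true` loop breaks on both branches, so it is just an `if`, and "Keyclaok" in the prompt is a typo. Note also that under `set -e` the first `helm delete` that fails (for example when `keycloak-init` was never installed) stops the script before `istio-addons` is removed, so either append `|| true` to each delete or check `helm -n $NS status <release>` first.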
@@ -0,0 +1,80 @@
+#!/bin/bash
+# Export Keycloak
+## Usage: ./export.sh [kubeconfig]
+
+## script starts from here
+function export_keycloak() {
+ read -p "Provide kubernetes cluster config file path : " K8S_CONFIG
+ if [ -z "$K8S_CONFIG" ]; then
+ echo "Cluster config file path not provided; EXITING;";
+ exit 1;
+ fi
+ if [ ! -f "$K8S_CONFIG" ]; then
+ echo "Cluster config file $K8S_CONFIG not found; EXITING;";
+ exit 1;
+ fi
+
+ read -p "Provide keycloak namespace ( Default namespace: default ) : " NAMESPACE
+ if [ -z "$NAMESPACE" ]; then
+ NAMESPACE=default
+ fi
+
+ read -p "Provide directory location for export files ( Default Location: current directory ) : " EXPORT_DIR
+ if [ -z "$EXPORT_DIR" ]; then
+ EXPORT_DIR="keycloak-export"
+ fi
+ mkdir -p $EXPORT_DIR && echo "Created Export Directory : $EXPORT_DIR"
+ if [ ! -d "$EXPORT_DIR" ]; then
+ echo "Directory Location $EXPORT_DIR not found; EXITING;";
+ exit 1;
+ fi
+
+ read -p "Provide \"No of users per file\" ( Default: 1000, Recommended value: total number of users ) : " USERS_PER_FILE
+ if [ -z "$USERS_PER_FILE" ]; then
+ USERS_PER_FILE=1000
+ fi
+
+ export KUBECONFIG=$K8S_CONFIG
+
+ echo " CLUSTER CONFIG FILE : $KUBECONFIG"
+ echo " NAMESPACE : $NAMESPACE"
+ echo " EXPORT_DIR : $EXPORT_DIR"
+ echo " NUMBER OF USERS PER FILE : $USERS_PER_FILE"
+
+ KEYCLOAK_POD_ID=$( kubectl -n $NAMESPACE get pods |awk '( !/init/ && !/postgresql/ ) && /keycloak/{print $1}' | head -1 2>&1);
+
+ echo " KEYCLOAK POD ID : $KEYCLOAK_POD_ID"
+
+ kubectl -n $NAMESPACE exec -it $KEYCLOAK_POD_ID -- mkdir -p /tmp/keycloak-export/;
+
+ echo "$(tput setaf 3)Press \"CTRL+C\" once after \"Export finished successfully\" is displayed !!!
$(tput sgr0)"
+
+ kubectl -n $NAMESPACE exec -it $KEYCLOAK_POD_ID -- /opt/jboss/tools/docker-entrypoint.sh \
+ -Djboss.socket.binding.port-offset=100 -Dkeycloak.migration.action=export \
+ -Dkeycloak.migration.provider=dir \
+ -Dkeycloak.migration.realmName=mosip \
+ -Dkeycloak.migration.usersExportStrategy=DIFFERENT_FILES \
+ -Dkeycloak.migration.usersPerFile=$USERS_PER_FILE \
+ -Dkeycloak.migration.file=/tmp/keycloak-export/ | grep 'Export finished successfully'
+
+ kubectl -n $NAMESPACE exec -it $KEYCLOAK_POD_ID -- bash -c "cd tmp/keycloak-export/ && tar -czvf /tmp/keycloak-export.zip ." \
+ && echo "Zipped keycloak-export files as keycloak-export.zip inside the keycloak pod !!!"
+
+ kubectl cp $NAMESPACE/$KEYCLOAK_POD_ID:tmp/keycloak-export.zip $EXPORT_DIR.zip \
+ && echo "Copied keycloal-export zip file from keycloak pod "
+
+ tar -xvzf $EXPORT_DIR.zip -C $EXPORT_DIR \
+ && echo "Unzipped keycloak-export file $EXPORT_DIR"
+
+ echo "Successfully exported keycloak realm data to location : $EXPORT_DIR/mosip-realm.json "
+ echo "Successfully exported keycloak users data to location : $EXPORT_DIR/mosip-users-*.json"
+ return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+export_keycloak # calling function
diff --git a/deploy/import-init-values.yaml b/deploy/import-init-values.yaml
new file mode 100644
index 00000000..bc58c7bf
--- /dev/null
+++ b/deploy/import-init-values.yaml
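Review bot: The pod lookup `KEYCLOAK_POD_ID=$( kubectl ... | head -1 2>&1)` is never checked, so when no matching pod exists every following `kubectl exec -it $KEYCLOAK_POD_ID -- ...` runs with an empty pod name; add `if [ -z "$KEYCLOAK_POD_ID" ]; then echo "No keycloak pod found in namespace $NAMESPACE; EXITING;"; exit 1; fi` directly after the assignment. A Keycloak dir export carries client secrets and hashed user credentials, yet the script leaves `/tmp/keycloak-export/` and `/tmp/keycloak-export.zip` inside the pod after `kubectl cp` and unpacks locally into `$EXPORT_DIR` with default permissions — remove the pod-side copies afterwards (`kubectl -n $NAMESPACE exec $KEYCLOAK_POD_ID -- rm -rf /tmp/keycloak-export /tmp/keycloak-export.zip`) and create the local directory with `mkdir -p -m 700`. The README tells the operator to press CTRL+C once "Export finished successfully" appears; that SIGINT goes to the whole foreground process group, so it will most likely terminate this script as well, before the tar/cp/untar steps ever run, and the flow should be verified end to end rather than relying on the interactive interrupt. Minor: `$EXPORT_DIR` and `$KEYCLOAK_POD_ID` are unquoted throughout, and the archive is a gzip tarball named `.zip`.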
@@ -0,0 +1,509 @@ +keycloak: + realms: |- + del_realms: + - preregistration + mosip: # realm + roles: + - Default + - ABIS_PARTNER + - SDK_PARTNER + - AUTH + - AUTH_PARTNER + - BIOMETRIC_READ + - CENTRAL_ADMIN + - CENTRAL_APPROVER + - CREATE_SHARE + - CREDENTIAL_ISSUANCE + - CREDENTIAL_PARTNER + - CREDENTIAL_REQUEST + - DATA_READ + - DEVICE_PROVIDER + - DOCUMENT_READ + - FTM_PROVIDER + - GLOBAL_ADMIN + - ID_AUTHENTICATION + - ID_REPOSITORY + - INDIVIDUAL + - KEY_MAKER + - MASTERDATA_ADMIN + - METADATA_READ + - MISP + - MISP_PARTNER + - offline_access + - ONLINE_VERIFICATION_PARTNER + - PARTNER + - PARTNER_ADMIN + - PARTNERMANAGER + - PMS_ADMIN + - PMS_USER + - POLICYMANAGER + - PREREG + - PRE_REGISTRATION + - PRE_REGISTRATION_ADMIN + - PRINT_PARTNER + - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL + - PUBLISH_ANONYMOUS_PROFILE_GENERAL + - PUBLISH_APIKEY_APPROVED_GENERAL + - PUBLISH_APIKEY_UPDATED_GENERAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL + - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL + - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL + - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - PUBLISH_MASTERDATA_TITLES_GENERAL + - PUBLISH_MISP_LICENSE_GENERATED_GENERAL + - PUBLISH_MISP_LICENSE_UPDATED_GENERAL + - PUBLISH_MOSIP_HOTLIST_GENERAL + - PUBLISH_PARTNER_UPDATED_GENERAL + - PUBLISH_POLICY_UPDATED_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL + - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL + - REGISTRATION_ADMIN + - REGISTRATION_OFFICER + - REGISTRATION_OPERATOR + - REGISTRATION_PROCESSOR + - REGISTRATION_SUPERVISOR + - RESIDENT + - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL + - 
SUBSCRIBE_APIKEY_APPROVED_GENERAL + - SUBSCRIBE_APIKEY_UPDATED_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL + - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - SUBSCRIBE_MASTERDATA_TITLES_GENERAL + - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL + - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL + - SUBSCRIBE_MOSIP_HOTLIST_GENERAL + - SUBSCRIBE_PARTNER_UPDATED_GENERAL + - SUBSCRIBE_POLICY_UPDATED_GENERAL + - SUBSCRIBE_REMOVE_ID_INDIVIDUAL + - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL + - uma_authorization + - ZONAL_ADMIN + - ZONAL_APPROVER + - HOTLIST_ADMIN + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - SUBSCRIBE_IDENTITY_CREATED_GENERAL + - SUBSCRIBE_IDENTITY_UPDATED_GENERAL + - PUBLISH_OIDC_CLIENT_CREATED_GENERAL + - PUBLISH_OIDC_CLIENT_UPDATED_GENERAL + - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL + - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL + client_scopes: + - name: add_oidc_client + description: Scope required to create OIDC client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: update_oidc_client + description: '' + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: get_certificate + description: Scope required to create OIDC client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: upload_certificate + description: '' + protocol: openid-connect + Include In Token Scope : on + attributes: { + 
display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: individual_id + description: Scope required to create resident client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "true", + include.in.token.scope: "true" + } + - name: ida_token + description: '' + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "true", + include.in.token.scope: "true" + } + - name: send_binding_otp + description: Scope required to create mpartner-default-mobile client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: wallet_binding + description: Scope required to create mpartner-default-mobile client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + + clients: + - name: mosip-abis-client + mappers: [] + saroles: [] + + - name: mosip-admin-client + mappers: [] + saroles: + - MASTERDATA_ADMIN + - GLOBAL_ADMIN + - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - offline_access + - PUBLISH_MOSIP_HOTLIST_GENERAL + - uma_authorization + - PUBLISH_MASTERDATA_TITLES_GENERAL + + - name: mosip-admin-services-client + mappers: [] + saroles: [] + + - name: mosip-auth-client + mappers: [] + saroles: + - AUTH + + - name: mosip-crereq-client + mappers: [] + saroles: + - CREDENTIAL_ISSUANCE + - CREDENTIAL_REQUEST + - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL + - offline_access + - uma_authorization + + - name: mosip-creser-client + mappers: [] + saroles: + - CREDENTIAL_ISSUANCE + - REGISTRATION_PROCESSOR + - POLICYMANAGER + - CREATE_SHARE + - offline_access + - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL + - uma_authorization + - name: mosip-creser-idpass-client + mappers: [] + saroles: + - REGISTRATION_PROCESSOR + - DATA_READ + - DOCUMENT_READ + - 
BIOMETRIC_READ + - METADATA_READ + - CREATE_SHARE + - CREDENTIAL_REQUEST + + - name: mosip-datsha-client + mappers: [] + saroles: + - CREATE_SHARE + - REGISTRATION_PROCESSOR + - POLICYMANAGER + + - name: mosip-ida-client + mappers: [] + saroles: + - CREDENTIAL_REQUEST + - GLOBAL_ADMIN + - ID_AUTHENTICATION + - PARTNERMANAGER # Added only for cert upload using postman during install. Not required otherwise. + - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL + - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL + - name: mosip-misp-client + mappers: [] + saroles: [] + + - name: mosip-partner-client + mappers: + - mapper_name: phoneNumber + mapper_user_attribute: phoneNumber + token_claim_name: phoneNumber + - mapper_name: organizationName + mapper_user_attribute: organizationName + token_claim_name: organizationName + - mapper_name: partnerType + mapper_user_attribute: partnerType + token_claim_name: partnerType + - mapper_name: addressTest + mapper_user_attribute: address + token_claim_name: addressTest + saroles: + - REGISTRATION_PROCESSOR + - CREATE_SHARE + - PMS_USER + - PMS_ADMIN + - PARTNER_ADMIN + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_MISP_LICENSE_UPDATED_GENERAL + - PUBLISH_PARTNER_UPDATED_GENERAL + - PUBLISH_MISP_LICENSE_GENERATED_GENERAL + - PUBLISH_APIKEY_APPROVED_GENERAL + - PUBLISH_APIKEY_UPDATED_GENERAL + - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_POLICY_UPDATED_GENERAL + + - name: mosip-partnermanager-client + mappers: [] + saroles: + - PARTNERMANAGER + - KEY_MAKER + + - name: mosip-pms-client + mappers: + - mapper_name: phoneNumber + mapper_user_attribute: phoneNumber + token_claim_name: phoneNumber + - mapper_name: organizationName + mapper_user_attribute: organizationName + token_claim_name: organizationName + - mapper_name: partnerType + mapper_user_attribute: partnerType + token_claim_name: partnerType + - mapper_name: addressTest + mapper_user_attribute: address + token_claim_name: addressTest + saroles: + - PARTNER_ADMIN + - 
SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_OIDC_CLIENT_CREATED_GENERAL + - PUBLISH_OIDC_CLIENT_UPDATED_GENERAL + - PUBLISH_APIKEY_APPROVED_GENERAL + - PUBLISH_APIKEY_UPDATED_GENERAL + - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_MISP_LICENSE_GENERATED_GENERAL + - PUBLISH_MISP_LICENSE_UPDATED_GENERAL + - PUBLISH_PARTNER_UPDATED_GENERAL + - PUBLISH_POLICY_UPDATED_GENERAL + - ZONAL_ADMIN + - CREATE_SHARE + - DEVICE_PROVIDER + - PARTNER + - PMS_ADMIN + - PMS_USER + - REGISTRATION_PROCESSOR + assign_client_scopes: + - update_oidc_client + - add_oidc_client + - get_certificate + - upload_certificate + - name: mosip-policymanager-client + mappers: [] + saroles: [] + + - name: mosip-reg-client + mappers: [] + saroles: + - GLOBAL_ADMIN + - REGISTRATION_ADMIN + - REGISTRATION_OFFICER + - REGISTRATION_OPERATOR + - REGISTRATION_SUPERVISOR + + - name: mosip-regproc-client + mappers: [] + saroles: + - REGISTRATION_PROCESSOR + - DATA_READ + - DOCUMENT_READ + - BIOMETRIC_READ + - METADATA_READ + - CREATE_SHARE + - CREDENTIAL_REQUEST + - PARTNER + - PARTNER_ADMIN + - PMS_USER + - POLICYMANAGER + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + + - name: mpartner-default-mobile + mappers: [] + saroles: + - CREDENTIAL_PARTNER + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + assign_client_scopes: + - send_binding_otp + - wallet_binding + - name: 
mosip-resident-client + mappers: [] + saroles: + - RESIDENT + - PARTNER_ADMIN + - CREDENTIAL_REQUEST + - offline_access + - uma_authorization + assign_client_scopes: + - individual_id + - ida_token + + - name: mosip-prereg-client + mappers: [] + saroles: + - PREREG + - REGISTRATION_PROCESSOR + - PRE_REGISTRATION_ADMIN + + - name: mosip-creser-idpass-client + mappers: [] + saroles: + - REGISTRATION_PROCESSOR + - DATA_READ + - DOCUMENT_READ + - BIOMETRIC_READ + - METADATA_READ + - CREATE_SHARE + - CREDENTIAL_REQUEST + + - name: mosip-syncdata-client + mappers: [] + saroles: + - REGISTRATION_ADMIN + - GLOBAL_ADMIN + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - REGISTRATION_SUPERVISOR + - REGISTRATION_OFFICER + + - name: mpartner-default-auth + mappers: + - mapper_name: langCode + mapper_user_attribute: langCode + token_claim_name: langCode + saroles: + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL + - SUBSCRIBE_POLICY_UPDATED_GENERAL + - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL + - CREDENTIAL_REQUEST + - SUBSCRIBE_MOSIP_HOTLIST_GENERAL + - PUBLISH_ANONYMOUS_PROFILE_GENERAL + - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_REMOVE_ID_INDIVIDUAL + - SUBSCRIBE_MASTERDATA_TITLES_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL + - ID_AUTHENTICATION + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_PARTNER_UPDATED_GENERAL + - offline_access + - SUBSCRIBE_APIKEY_APPROVED_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - uma_authorization + - SUBSCRIBE_APIKEY_UPDATED_GENERAL + - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL + - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL + - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL + + - name: mosip-idrepo-client + mappers: [] + saroles: + - 
PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL + - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL + - ID_REPOSITORY + - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL + - offline_access + - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - uma_authorization + - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL + + - name: mpartner-default-print + mappers: [] + saroles: + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - CREATE_SHARE + - PRINT_PARTNER + + - name: mpartner-default-digitalcard + mappers: [] + saroles: + - SUBSCRIBE_IDENTITY_CREATED_GENERAL + - SUBSCRIBE_IDENTITY_UPDATED_GENERAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - CREATE_SHARE + - PRINT_PARTNER + - CREDENTIAL_REQUEST + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + + - name: mosip-digitalcard-client + saroles: + - CREATE_SHARE + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - SUBSCRIBE_IDENTITY_CREATED_GENERAL + - SUBSCRIBE_IDENTITY_UPDATED_GENERAL + + - name: mosip-hotlist-client + saroles: + - HOTLIST_ADMIN + - uma_authorization + - offline_access + - PUBLISH_MOSIP_HOTLIST_GENERAL + + # Used only for initial deployment purposes. Maybe deleted from installation later. + - name: mosip-deployment-client + saroles: + - ID_AUTHENTICATION + - GLOBAL_ADMIN # TODO: do we need this? + - PARTNER_ADMIN + - uma_authorization + - offline_access + + - name: mosip-testrig-client + saroles: + - ID_AUTHENTICATION + - GLOBAL_ADMIN # TODO: do we need this? + - PARTNER_ADMIN + - REGISTRATION_PROCESSOR + - CREATE_SHARE + - PMS_ADMIN + - PMS_USER + - uma_authorization + - offline_access + sa_client_roles: + - realm-management: ## realm-management client id + - view-users # realm-management client roles + - view-clients + - view-realms + - manage-users + users: [] diff --git a/deploy/import-init.sh b/deploy/import-init.sh new file mode 100755 index 00000000..9d5191bf --- /dev/null 
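Review bot: `mosip-deployment-client` and `mosip-testrig-client` both receive `GLOBAL_ADMIN` (each flagged `# TODO: do we need this?`), `PARTNER_ADMIN` and `ID_AUTHENTICATION`, and the testrig client additionally gets `manage-users` on `realm-management`, which lets that service account create or alter any user in the realm; the comment says the deployment client is "Used only for initial deployment purposes", so these bootstrap clients should either drop the admin roles or be documented as to-be-disabled after install (the same goes for `PARTNERMANAGER` on `mosip-ida-client`, whose inline comment already says "Not required otherwise"). The `clients` list also contains `mosip-creser-idpass-client` twice with identical `saroles`, so whatever keycloak-init does on a second create of the same client will happen on every run; delete the second copy. Because the whole realm definition sits inside a `realms: |-` block scalar, Helm treats it as an opaque string and none of this is schema-checked — it is parsed by the init job, so entries such as `Include In Token Scope : on` (a key with spaces, and `on` is a YAML 1.1 boolean) should be checked against what that job actually reads.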
+++ b/deploy/import-init.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+# Initialize Imported Keycloak with MOSIP base data
+# Usage:
+# ./import-init.sh [kube_config_file]
+
+if [ $# -ge 1 ] ; then
+ export KUBECONFIG=$1
+fi
+
+function import_init() {
+ NS=keycloak
+ CHART_VERSION=0.0.1-develop
+
+ helm repo add mosip https://mosip.github.io/mosip-helm
+ helm repo update
+
+ IAM_HOST=$(kubectl get cm global -o jsonpath={.data.mosip-iam-external-host})
+
+ echo Initializing keycloak
+ helm -n $NS install keycloak-import mosip/keycloak-init --set frontend=https://$IAM_HOST/auth -f import-init-values.yaml --version $CHART_VERSION
+ return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+import_init # calling function
+
diff --git a/deploy/install.sh b/deploy/install.sh
new file mode 100755
index 00000000..1268c6ee
--- /dev/null
+++ b/deploy/install.sh
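Review bot: `IAM_HOST` is read from the `global` configmap and used unchecked in `--set frontend=https://$IAM_HOST/auth`; a missing `mosip-iam-external-host` key yields an empty string (which `set -u` does not catch, since the variable is assigned) and the realm's frontend URL becomes `https:///auth`. Add `if [ -z "$IAM_HOST" ]; then echo "mosip-iam-external-host not set in configmap global; EXITING;"; exit 1; fi` right after the assignment. `CHART_VERSION=0.0.1-develop` also pins the init job to a moving development chart in the public `mosip` Helm repo, so the roles, clients and service-account grants the job creates can change underneath a deployment with no change in this repo; for an IAM bootstrap a released chart version, or at least a comment marking this as a dev-only default, is safer.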
@@ -0,0 +1,36 @@
+#!/bin/bash
+## Point config to your cluster on which you are installing IAM.
+## "Usage: ./install.sh [kube_config_file]"
+
+if [ $# -ge 1 ]; then
+ export KUBECONFIG=$1
+fi
+NS=keycloak
+SERVICE_NAME=keycloak
+
+echo Creating $NS namespace
+kubectl create ns $NS
+
+function installing_keycloak() {
+ echo Istio label
+ ## TODO: enable istio injection after testing well.
+ kubectl label ns $NS istio-injection=disabled --overwrite
+ helm repo add bitnami https://charts.bitnami.com/bitnami
+ helm repo update
+
+ echo Installing
+ helm -n $NS install $SERVICE_NAME mosip/keycloak --version "7.1.18" --set image.repository=mosipqa/mosip-artemis-keycloak --set image.tag=develop --set image.pullPolicy=Always -f values.yaml --wait
+
+ EXTERNAL_HOST=$(kubectl get cm global -o jsonpath={.data.mosip-iam-external-host})
+ echo Install Istio gateway, virtual service
+ helm -n $NS install istio-addons chart/istio-addons --set keycloakExternalHost=$EXTERNAL_HOST --set keycloakInternalHost="$SERVICE_NAME.$NS" --set service=$SERVICE_NAME
+ return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+installing_keycloak # calling function
diff --git a/deploy/update_secret.sh b/deploy/update_secret.sh
new file mode 100755
index 00000000..319b7c19
--- /dev/null
+++ b/deploy/update_secret.sh
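Review bot: The identity provider is deployed from a mutable image: `--set image.repository=mosipqa/mosip-artemis-keycloak --set image.tag=develop --set image.pullPolicy=Always`, so every pod restart may pull a different, unreviewed build from a QA registry into the component that issues tokens for every MOSIP module; pin to a released tag (ideally `image.digest`) and let `values.yaml` own that choice rather than overriding it on the command line. The script adds only the `bitnami` repo (`helm repo add bitnami ...`) but installs `mosip/keycloak --version "7.1.18"`, so on a clean console the install fails unless the `mosip` repo was added earlier — add `helm repo add mosip https://mosip.github.io/mosip-helm` as `import-init.sh` does. `EXTERNAL_HOST` is used unchecked in `--set keycloakExternalHost=$EXTERNAL_HOST`, and `chart/istio-addons` is a relative path that this commit does not add under `deploy/` (per the diffstat), so confirm where it is meant to resolve from.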
@@ -0,0 +1,24 @@
+#!/bin/bash
+# If you update admin password via console, call this script to update the secret in kubernetes.
+# Usage:
+# ./update_secrets.sh [kube_config_file]
+
+if [ $# -ge 2 ]; then
+ CLUSTER_CONFIG=$2
+else
+ CLUSTER_CONFIG=$HOME/.kube/iam_config
+fi
+
+function update_secret() {
+ alias KK='kubectl --kubeconfig $CLUSTER_CONFIG -n keycloak'
+ $KK create secret generic keycloak --from-literal=admin-password=$1 --dry-run=client -o yaml | $KK apply -f -
+ return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+update_secret # calling function
diff --git a/deploy/upgrade-init-values.yaml b/deploy/upgrade-init-values.yaml
new file mode 100644
index 00000000..4060693e
--- /dev/null
+++ b/deploy/upgrade-init-values.yaml
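Review bot: `update_secret` cannot run as written: it is invoked as `update_secret` with no arguments, so inside the function `$1` is the function's (unset) first parameter and `set -o nounset` aborts on `--from-literal=admin-password=$1`; and `alias KK=...` is not expanded in a non-interactive script anyway, while `$KK` is a variable reference (empty, or unbound under `set -u`), not the alias. Taking the new admin password on the command line at all also leaks it through `ps` and shell history. The rewrite below prompts for it silently, builds the kubectl prefix as an array and refuses an empty value; with the password no longer an argument the kubeconfig should become `$1` (`if [ $# -ge 1 ]; then CLUSTER_CONFIG=$1`), matching the other scripts and the usage line, which also names `./update_secrets.sh` although the file is `update_secret.sh`. `--from-literal` still places the value in kubectl's own argv for the life of that process; `printf '%s' "$ADMIN_PWD" | "${KK[@]}" create secret generic keycloak --from-file=admin-password=/dev/stdin ...` avoids even that.
```shell
function update_secret() {
  # Prompt instead of reading argv: command-line arguments are visible in `ps` and shell history.
  read -r -s -p "New Keycloak admin password: " ADMIN_PWD; echo
  if [ -z "$ADMIN_PWD" ]; then
    echo "Empty password; EXITING;"; exit 1
  fi
  KK=(kubectl --kubeconfig "$CLUSTER_CONFIG" -n keycloak)
  "${KK[@]}" create secret generic keycloak --from-literal=admin-password="$ADMIN_PWD" \
    --dry-run=client -o yaml | "${KK[@]}" apply -f -
  return 0
}
# … unchanged: set -e / set -o options and the update_secret call …
```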
@@ -0,0 +1,350 @@
+keycloak:
+ realms: |-
+ del_realms:
+ - preregistration
+ mosip: # realm
+ roles:
+ - Default
+ - ABIS_PARTNER
+ - SDK_PARTNER
+ - AUTH
+ - AUTH_PARTNER
+ - BIOMETRIC_READ
+ - CENTRAL_ADMIN
+ - CENTRAL_APPROVER
+ - CREATE_SHARE
+ - CREDENTIAL_ISSUANCE
+ - CREDENTIAL_PARTNER
+ - CREDENTIAL_REQUEST
+ - DATA_READ
+ - DEVICE_PROVIDER
+ - DOCUMENT_READ
+ - FTM_PROVIDER
+ - GLOBAL_ADMIN
+ - ID_AUTHENTICATION
+ - ID_REPOSITORY
+ - INDIVIDUAL
+ - KEY_MAKER
+ - MASTERDATA_ADMIN
+ - METADATA_READ
+ - MISP
+ - MISP_PARTNER
+ - offline_access
+ - ONLINE_VERIFICATION_PARTNER
+ - PARTNER
+ - PARTNER_ADMIN
+ - PARTNERMANAGER
+ - PMS_ADMIN
+ - PMS_USER
+ - POLICYMANAGER
+ - PREREG
+ - PRE_REGISTRATION
+ - PRE_REGISTRATION_ADMIN
+ - PRINT_PARTNER
+ - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL
+ - PUBLISH_ANONYMOUS_PROFILE_GENERAL
+ - PUBLISH_APIKEY_APPROVED_GENERAL
+ - PUBLISH_APIKEY_UPDATED_GENERAL
+ - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
+ - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
+ - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL
+ - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL
+ - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL
+ - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL
+ - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL
+ - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL
+ - PUBLISH_MASTERDATA_TITLES_GENERAL
+ - PUBLISH_MISP_LICENSE_GENERATED_GENERAL
+ - PUBLISH_MISP_LICENSE_UPDATED_GENERAL
+ - PUBLISH_MOSIP_HOTLIST_GENERAL
+ - PUBLISH_PARTNER_UPDATED_GENERAL
+ - PUBLISH_POLICY_UPDATED_GENERAL
+ - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL
+ - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL
+ - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL
+ - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL
+ - REGISTRATION_ADMIN
+ - REGISTRATION_OFFICER
+ - REGISTRATION_OPERATOR
+ - REGISTRATION_PROCESSOR
+ - REGISTRATION_SUPERVISOR
+ - RESIDENT
+ - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL
+ - SUBSCRIBE_APIKEY_APPROVED_GENERAL
+ - SUBSCRIBE_APIKEY_UPDATED_GENERAL
+ - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
+ - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL
+ - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL
+ - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
+ - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL
+ - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL
+ - SUBSCRIBE_MASTERDATA_TITLES_GENERAL
+ - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL
+ - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL
+ - SUBSCRIBE_MOSIP_HOTLIST_GENERAL
+ - SUBSCRIBE_PARTNER_UPDATED_GENERAL
+ - SUBSCRIBE_POLICY_UPDATED_GENERAL
+ - SUBSCRIBE_REMOVE_ID_INDIVIDUAL
+ - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL
+ - uma_authorization
+ - ZONAL_ADMIN
+ - ZONAL_APPROVER
+ - HOTLIST_ADMIN
+ - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL
+ - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL
+ clients:
+ - name: mosip-abis-client
+ mappers: []
+ saroles: []
+ - name: mosip-admin-client
+ mappers: []
+ saroles:
+ - MASTERDATA_ADMIN
+ - GLOBAL_ADMIN
+ - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL
+ - offline_access
+ - PUBLISH_MOSIP_HOTLIST_GENERAL
+ - uma_authorization
+ - PUBLISH_MASTERDATA_TITLES_GENERAL
+ - name: mosip-admin-services-client
+ mappers: []
+ saroles: []
+ - name: mosip-auth-client
+ mappers: []
+ saroles:
+ - AUTH
+ - name: mosip-crereq-client
+ mappers: []
+ saroles:
+ - CREDENTIAL_ISSUANCE
+ - CREDENTIAL_REQUEST
+ - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - offline_access
+ - uma_authorization
+
+ - name: mosip-creser-client
+ mappers: []
+ saroles:
+ - CREDENTIAL_ISSUANCE
+ - REGISTRATION_PROCESSOR
+ - POLICYMANAGER
+ - CREATE_SHARE
+ - offline_access
+ - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL
+ - uma_authorization
+ - name: mosip-creser-idpass-client
+ mappers: []
+ saroles:
+ - REGISTRATION_PROCESSOR
+ - DATA_READ
+ - DOCUMENT_READ
+ - BIOMETRIC_READ
+ - METADATA_READ
+ - CREATE_SHARE
+ - CREDENTIAL_REQUEST
+ - name: mosip-datsha-client
+ mappers: []
+ saroles:
+ - CREATE_SHARE
+ - REGISTRATION_PROCESSOR
+ - POLICYMANAGER
+
+ - name: mosip-ida-client
+ mappers: []
+ saroles:
+ - CREDENTIAL_REQUEST
+ - GLOBAL_ADMIN
+ - ID_AUTHENTICATION
+ - PARTNERMANAGER # Added only for cert upload using postman during install. Not required otherwise.
+ - name: mosip-misp-client
+ mappers: []
+ saroles: []
+ - name: mosip-partner-client
+ mappers:
+ - mapper_name: phoneNumber
+ mapper_user_attribute: phoneNumber
+ token_claim_name: phoneNumber
+ - mapper_name: organizationName
+ mapper_user_attribute: organizationName
+ token_claim_name: organizationName
+ - mapper_name: partnerType
+ mapper_user_attribute: partnerType
+ token_claim_name: partnerType
+ - mapper_name: addressTest
+ mapper_user_attribute: address
+ token_claim_name: addressTest
+ saroles:
+ - REGISTRATION_PROCESSOR
+ - CREATE_SHARE
+ - PMS_USER
+ - PMS_ADMIN
+ - PARTNER_ADMIN
+ - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL
+ - PUBLISH_MISP_LICENSE_UPDATED_GENERAL
+ - PUBLISH_PARTNER_UPDATED_GENERAL
+ - PUBLISH_MISP_LICENSE_GENERATED_GENERAL
+ - PUBLISH_APIKEY_APPROVED_GENERAL
+ - PUBLISH_APIKEY_UPDATED_GENERAL
+ - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL
+ - PUBLISH_POLICY_UPDATED_GENERAL
+ - name: mosip-partnermanager-client
+ mappers: []
+ saroles:
+ - PARTNERMANAGER
+ - KEY_MAKER
+ - name: mosip-pms-client
+ mappers: []
+ saroles:
+ - PARTNER_ADMIN
+ - name: mosip-policymanager-client
+ mappers: []
+ saroles: []
+ - name: mosip-reg-client
+ mappers: []
+ saroles:
+ - GLOBAL_ADMIN
+ - REGISTRATION_ADMIN
+ - REGISTRATION_OFFICER
+ - REGISTRATION_OPERATOR
+ - REGISTRATION_SUPERVISOR
+ - name: mosip-regproc-client
+ mappers: []
+ saroles:
+ - REGISTRATION_PROCESSOR
+ - DATA_READ
+ - DOCUMENT_READ
+ - BIOMETRIC_READ
+ - METADATA_READ
+ - CREATE_SHARE
+ - CREDENTIAL_REQUEST
+ - name: mpartner-default-mobile
+ mappers: []
+ saroles:
+ - CREDENTIAL_PARTNER
+ - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL
+ - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL
+ - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL
+ - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL
+ - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
+ - name: mosip-resident-client
+ mappers: []
+ saroles:
+ - RESIDENT
+ - PARTNER_ADMIN
+ - CREDENTIAL_REQUEST
+ - offline_access
+ - uma_authorization
+ - name: mosip-prereg-client
+ mappers: []
+ del_saroles:
+ - INDIVIDUAL
+ saroles:
+ - PREREG
+ - REGISTRATION_PROCESSOR
+ - PRE_REGISTRATION_ADMIN
+ - name: mosip-creser-idpass-client
+ mappers: []
+ saroles:
+ - REGISTRATION_PROCESSOR
+ - DATA_READ
+ - DOCUMENT_READ
+ - BIOMETRIC_READ
+ - METADATA_READ
+ - CREATE_SHARE
+ - CREDENTIAL_REQUEST
+ - name: mosip-syncdata-client
+ mappers: []
+ saroles:
+ - REGISTRATION_ADMIN
+ - GLOBAL_ADMIN
+ - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL
+ - REGISTRATION_SUPERVISOR
+ - REGISTRATION_OFFICER
+ - name: mpartner-default-auth
+ mappers:
+ - mapper_name: langCode
+ mapper_user_attribute: langCode
+ token_claim_name: langCode
+ saroles:
+ - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL
+ - SUBSCRIBE_POLICY_UPDATED_GENERAL
+ - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL
+ - CREDENTIAL_REQUEST
+ - SUBSCRIBE_MOSIP_HOTLIST_GENERAL
+ - PUBLISH_ANONYMOUS_PROFILE_GENERAL
+ - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL
+ - SUBSCRIBE_REMOVE_ID_INDIVIDUAL
+ - SUBSCRIBE_MASTERDATA_TITLES_GENERAL
+ - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
+ - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL
+ - ID_AUTHENTICATION
+ - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
+ - SUBSCRIBE_PARTNER_UPDATED_GENERAL
+ - offline_access
+ - SUBSCRIBE_APIKEY_APPROVED_GENERAL
+ - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
+ - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL
+ - uma_authorization
+ - SUBSCRIBE_APIKEY_UPDATED_GENERAL
+ - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL
+ - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL
+ - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
+ - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL
+ - name: mosip-idrepo-client
+ mappers: []
+ saroles:
+ - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL
+ - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL
+ - ID_REPOSITORY
+ - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL
+ - offline_access
+ - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL
+ - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
+ - uma_authorization
+ - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL
+ - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL
+ - name: mpartner-default-print
+ mappers: []
+ saroles:
+ - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
+ - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
+ - CREATE_SHARE
+ - PRINT_PARTNER
+ - name: mosip-hotlist-client
+ saroles:
+ - HOTLIST_ADMIN
+ - uma_authorization
+ - offline_access
+ - PUBLISH_MOSIP_HOTLIST_GENERAL
+ # Used only for initial deployment purposes. Maybe deleted from installation later.
+ - name: mosip-deployment-client
+ saroles:
+ - ID_AUTHENTICATION
+ - GLOBAL_ADMIN # TODO: do we need this?
+ - PARTNER_ADMIN
+ - uma_authorization
+ - offline_access
+
+ - name: mosip-testrig-client
+ saroles:
+ - ID_AUTHENTICATION
+ - GLOBAL_ADMIN # TODO: do we need this?
+ - PARTNER_ADMIN
+ - REGISTRATION_PROCESSOR
+ - CREATE_SHARE
+ - PMS_ADMIN
+ - PMS_USER
+ - uma_authorization
+ - offline_access
+ sa_client_roles:
+ - realm-management: ## realm-management client id
+ - view-users # realm-management client roles
+ - view-clients
+ - view-realms
+ - manage-users
+
+ users: []
diff --git a/deploy/upgrade-init.sh b/deploy/upgrade-init.sh
new file mode 100755
index 00000000..8769ea14
--- /dev/null
+++ b/deploy/upgrade-init.sh
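Review bot: `mosip-creser-idpass-client` is declared twice in the `clients` list with the same `saroles` (once right after `mosip-creser-client`, again after `mosip-prereg-client`); whichever entry the init job processes last wins silently, so one of them should be removed. The bootstrap clients `mosip-deployment-client` and `mosip-testrig-client` carry `GLOBAL_ADMIN` annotated `# TODO: do we need this?` under the comment `Maybe deleted from installation later`, but nothing in this file retires them; since the format already supports `del_saroles` (used on `mosip-prereg-client`), a follow-up values file could strip `GLOBAL_ADMIN` and `PARTNER_ADMIN` from them once bootstrap is done, and the same applies to `PARTNERMANAGER` on `mosip-ida-client`, whose own comment says it is not required after install. Indentation of this block is not recoverable from the diff as rendered here, so the nesting of `sa_client_roles` (which grants `manage-users` on `realm-management`) could not be checked against the intended client.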
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Initialize Imported Keycloak with MOSIP base data
+# Usage:
+# ./import-init.sh [kube_config_file]
+
+if [ $# -ge 1 ] ; then
+ export KUBECONFIG=$1
+fi
+
+function upgrade_init() {
+ NS=keycloak
+ CHART_VERSION=0.0.1-develop
+
+ helm repo add mosip https://mosip.github.io/mosip-helm
+ helm repo update
+
+ IAM_HOST=$(kubectl get cm global -o jsonpath={.data.mosip-iam-external-host})
+
+ echo Initializing keycloak
+ helm -n $NS install keycloak-init mosip/keycloak-init --set frontend=https://$IAM_HOST/auth -f upgrade-init-values.yaml --version $CHART_VERSION
+ echo Initializing keycloak
+ helm -n $NS install keycloak-init mosip/keycloak-init --set frontend=https://$IAM_HOST/auth -f import-init-values.yaml --version $CHART_VERSION
+ return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+import_init # calling function
diff --git a/deploy/values.yaml b/deploy/values.yaml
new file mode 100644
index 00000000..4bf59839
--- /dev/null
+++ b/deploy/values.yaml
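Review bot: The last line calls `import_init`, but the function defined in this file is `upgrade_init`, so the script dies with "command not found" after only setting shell options; it should read `upgrade_init # calling function`. The body then runs `helm -n $NS install keycloak-init ...` twice with the same release name, once with upgrade-init-values.yaml and once with import-init-values.yaml, and the second install fails because the release already exists (`helm upgrade --install` or distinct release names would be needed, and it is unclear from here whether both value files are meant to be applied by this script at all). The header says `./import-init.sh` rather than `./upgrade-init.sh`, and `CHART_VERSION=0.0.1-develop` pins the realm bootstrap to a moving development chart. `IAM_HOST` is used unchecked in `--set frontend=https://$IAM_HOST/auth`; add `[ -n "$IAM_HOST" ] || { echo "mosip-iam-external-host not set in cm global"; exit 1; }` after it is read.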
@@ -0,0 +1,47 @@
+# Refrain from fixing docker tags. Instead use the appropriate chart version, while helm install
+# Latest Helm chart of Bitnami uses Keycloak 18+
+
+service:
+ type: ClusterIP
+
+auth:
+ adminUser: admin
+
+extraEnvVars:
+ - name: KEYCLOAK_EXTRA_ARGS
+ value: "-Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled"
+ #value: "-Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.import=/config/realm-mosip.json"
+
+## Disable ingress as we use Istio
+ingress:
+ enabled: false
+ hostname:
+ annotations:
+ ingress.kubernetes.io/class: nginx
+
+proxyAddressForwarding: true
+
+replicaCount: 1
+
+# Enable if replicaCount > 1
+serviceDiscovery:
+ enabled: true
+
+resources:
+ limits: {}
+ # cpu: 250m
+ # memory: 1Gi
+ requests:
+ cpu: 200m
+ memory: 1000Mi
+
+rbac:
+ create: true
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
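Review bot: `KEYCLOAK_EXTRA_ARGS` turns on `upload_scripts`, which lets anyone holding admin-API access upload server-side JavaScript (authenticators, mappers, policies) and so turns an admin credential or token into code execution inside the IAM pod; enable it only if the deployment actually relies on uploaded scripts, and record why in a comment here. The header comment says the chart now deploys Keycloak 18+, but `-Dkeycloak.profile.feature.*` is the legacy WildFly way of toggling features while the Quarkus distribution uses `--features`/`KC_FEATURES`, so these flags may be silently ignored (and `upload_scripts` may no longer exist there) — verify against the rendered container args. `hostname:` under `ingress` is a bare key and parses as null; write `hostname: ""` so the intent is explicit. `serviceDiscovery.enabled: true` next to the comment `Enable if replicaCount > 1` while `replicaCount: 1` is also inconsistent; either drop the comment or set the value to match.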