{{/*
# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
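{{/*
Renders the top-level realm document for one service realm.

Params (passed as a dict):
  dot   - chart root context (defaults to `.`); forwarded to the sub-templates that run `tpl` on values.
  realm - realm values map (required). Keys read here: name, displayName,
          themes.{login,admin,account,email}, accessControl (roles are only emitted when it is set).
The remaining sections (clients, client scopes, groups, users, identity providers, smtp, attributes)
are delegated to the "auth._*" templates in this file, each of which renders its own top-level key.
Scalars taken from values are emitted with `quote` so a numeric- or boolean-looking name, or one
containing YAML indicator characters, cannot change the type or structure of the document.
Usage:
{{ include "auth.realm" ( dict "dot" . "realm" .Values.path.to.realm) }}
*/}}
{{- define "auth.realm" -}}
{{- $dot := default . .dot -}}
{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}}
realm: {{ $realm.name | quote }}
{{- if $realm.displayName }}
displayName: {{ $realm.displayName | quote }}
{{- end }}
id: {{ $realm.name | quote }}
{{- /* token lifetime is fixed here (Keycloak reads it in seconds) rather than taken from values */}}
accessTokenLifespan: 1900
registrationAllowed: false
resetPasswordAllowed: true
enabled: true
{{- with $realm.themes }}
{{- if .login }}
loginTheme: {{ .login | quote }}
{{- end }}
{{- if .admin }}
adminTheme: {{ .admin | quote }}
{{- end }}
{{- if .account }}
accountTheme: {{ .account | quote }}
{{- end }}
{{- if .email }}
emailTheme: {{ .email | quote }}
{{- end }}
{{- end }}
{{- if $realm.accessControl }}
{{ include "auth._roles" $realm }}
{{- end }}
{{ include "auth._clients" (dict "dot" $dot "realm" $realm) }}
{{ include "auth._clientScopes" $realm }}
{{ include "auth._defaultClientScopes" $realm }}
{{ include "auth._groups" $realm }}
{{ include "auth._users" $realm }}
{{ include "auth._identity" $realm }}
{{ include "auth._identityMapper" $realm }}
{{ include "auth._smtpServer" $realm }}
{{ include "auth._attributes" (dict "dot" $dot "realm" $realm) }}
{{- end -}}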
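{{/*
Renders the roles section (realm roles and per-client roles) of a realm.

Context: the realm values map, as auth.realm passes it (a dict with a "dot" key is accepted too).
Keys read: name, clients, accessControl.assignableRoles[].{name,description,associatedAccessRoles},
accessControl.accessRoles.<clientKey>[].{name,methodsAllowed}. The <clientKey> of accessRoles is also
used to look the client up in `clients`, so both maps must share their keys.
Besides the configured assignable roles, the fixed realm roles "user", "admin", "offline_access",
"uma_authorization" and the composite "default-roles-<realm name>" are always emitted.
Names and descriptions from values are emitted with `quote`.
Usage:
{{ include "auth._roles" $realm }}
*/}}
{{- define "auth._roles" -}}
{{- $realm := default . .dot -}}
roles:
  realm:
  {{- range $role := $realm.accessControl.assignableRoles }}
    - name: {{ $role.name | quote }}
      description: {{ default "" $role.description | quote }}
      {{- if $role.associatedAccessRoles }}
      composite: true
      composites:
        client:
          {{- /* the role's full associatedAccessRoles list is granted under every client that has accessRoles — looks intended, confirm */}}
          {{- range $key, $accessRoles := $realm.accessControl.accessRoles }}
          {{- $client := index $realm.clients $key }}
          {{ $client.clientId | quote }}:
            {{- range $associatedRole := $role.associatedAccessRoles }}
            - {{ $associatedRole | quote }}
            {{- end }}
          {{- end }}
      {{- else }}
      composite: false
      {{- end }}
      clientRole: false
      containerId: {{ $realm.name | quote }}
      attributes: {}
  {{- end }}
    - name: "user"
      composite: false
      clientRole: false
      containerId: {{ $realm.name | quote }}
      attributes: {}
    - name: "admin"
      composite: false
      clientRole: false
      containerId: {{ $realm.name | quote }}
      attributes: {}
    - name: "offline_access"
      description: "${role_offline-access}"
      composite: false
      clientRole: false
      containerId: {{ $realm.name | quote }}
      attributes: {}
    - name: "uma_authorization"
      description: "${role_uma_authorization}"
      composite: false
      clientRole: false
      containerId: {{ $realm.name | quote }}
      attributes: {}
    - name: "default-roles-{{ $realm.name }}"
      description: "${role_default-roles}"
      composite: true
      composites:
        realm:
          - "offline_access"
          - "uma_authorization"
        client:
          account:
            - "view-profile"
            - "manage-account"
      clientRole: false
      containerId: {{ $realm.name | quote }}
      attributes: {}
  {{- if $realm.accessControl.accessRoles }}
  client:
    {{- range $key, $accessRoles := $realm.accessControl.accessRoles }}
    {{- $client := index $realm.clients $key }}
    {{ $client.clientId | quote }}:
      {{- range $role := $accessRoles }}
      - name: {{ $role.name | quote }}
        description: "Allows to perform {{ $role.methodsAllowed }} operations for {{ $role.name }} component"
        composite: false
        clientRole: false
        containerId: {{ $client.clientId | quote }}
        attributes: {}
      {{- end }}
    {{- end }}
  {{- end }}
{{- end }}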
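{{/*
Renders the clients section of a realm.

Params (dict):
  dot   - chart root context (defaults to `.`); rootUrl, adminUrl, baseUrl, redirectUris and
          attribute values are passed through `tpl` against it.
  realm - realm values map (required); each entry of its `clients` is rendered.
Per client the values keys read are: clientId, name, description, rootUrl, adminUrl, baseUrl,
surrogateAuthRequired, clientAuthenticatorType, secret, redirectUris, webOrigins, bearerOnly,
consentRequired, standardFlowEnabled, implicitFlowEnabled, directAccessGrantsEnabled,
serviceAccountsEnabled, publicClient, frontchannelLogout, protocol, attributes, protocolMappers,
defaultClientScopes, optionalClientScopes.
Flags whose default is true are read with `hasKey` so that an explicit `false` in values is
honoured; `default true` would silently turn it back into true.
Every scalar taken from values is emitted with `quote`, so names, URLs and secrets containing YAML
indicator characters cannot break or alter the document structure.
Usage:
{{ include "auth._clients" ( dict "dot" . "realm" $realm ) }}
*/}}
{{- define "auth._clients" -}}
{{- $dot := default . .dot -}}
{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}}
clients:
{{- range $client := $realm.clients }}
  - clientId: {{ $client.clientId | quote }}
    {{- with $client.name }}
    name: {{ . | quote }}
    {{- end }}
    {{- with $client.description }}
    description: {{ . | quote }}
    {{- end }}
    {{- with $client.rootUrl }}
    rootUrl: {{ tpl . $dot | quote }}
    {{- end }}
    {{- with $client.adminUrl }}
    adminUrl: {{ tpl . $dot | quote }}
    {{- end }}
    {{- with $client.baseUrl }}
    baseUrl: {{ tpl . $dot | quote }}
    {{- end }}
    surrogateAuthRequired: {{ default false $client.surrogateAuthRequired }}
    enabled: true
    alwaysDisplayInConsole: false
    clientAuthenticatorType: {{ default "client-secret" $client.clientAuthenticatorType | quote }}
    {{- with $client.secret }}
    {{- /* NOTE(review): the client secret is rendered in clear text into the realm document; keep it out of plain values (e.g. feed it from a Secret) */}}
    secret: {{ . | quote }}
    {{- end }}
    {{- if $client.redirectUris }}
    redirectUris:
      {{- range $url := $client.redirectUris }}
      - {{ tpl $url $dot | quote }}
      {{- end }}
    {{- else }}
    redirectUris: []
    {{- end }}
    {{- if $client.webOrigins }}
    webOrigins:
      {{- range $web := $client.webOrigins }}
      - {{ $web | quote }}
      {{- end }}
    {{- else }}
    webOrigins: []
    {{- end }}
    notBefore: 0
    bearerOnly: {{ default false $client.bearerOnly }}
    consentRequired: {{ default false $client.consentRequired }}
    {{- /* `default true` treats an explicit false as unset, so test for the key instead */}}
    standardFlowEnabled: {{ if hasKey $client "standardFlowEnabled" }}{{ $client.standardFlowEnabled }}{{ else }}true{{ end }}
    implicitFlowEnabled: {{ default false $client.implicitFlowEnabled }}
    directAccessGrantsEnabled: {{ if hasKey $client "directAccessGrantsEnabled" }}{{ $client.directAccessGrantsEnabled }}{{ else }}true{{ end }}
    serviceAccountsEnabled: {{ default false $client.serviceAccountsEnabled }}
    publicClient: {{ default false $client.publicClient }}
    frontchannelLogout: {{ default false $client.frontchannelLogout }}
    protocol: {{ default "openid-connect" $client.protocol | quote }}
    {{- with $client.attributes }}
    attributes:
      {{- range $key, $value := . }}
      {{ $key }}: {{ tpl $value $dot | quote }}
      {{- end }}
    {{- end }}
    authenticationFlowBindingOverrides: {}
    fullScopeAllowed: true
    nodeReRegistrationTimeout: -1
    protocolMappers:
    {{- range $mapper := $client.protocolMappers }}
      - name: {{ $mapper.name | quote }}
        protocol: "openid-connect"
        protocolMapper: {{ $mapper.protocolMapper | quote }}
        consentRequired: false
        config:
          {{- toYaml $mapper.config | nindent 10 }}
    {{- end }}
    defaultClientScopes:
    {{- if $client.defaultClientScopes }}
      {{- range $scope := $client.defaultClientScopes }}
      - {{ $scope | quote }}
      {{- end }}
    {{- else }}
      - web-origins
      - profile
      - acr
      - email
    {{- end }}
    optionalClientScopes:
    {{- if $client.optionalClientScopes }}
      {{- range $scope := $client.optionalClientScopes }}
      - {{ $scope | quote }}
      {{- end }}
    {{- else }}
      - address
      - phone
      - offline_access
      - microprofile-jwt
    {{- end }}
{{- end }}
{{- end }}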
{{/*
Renders the defaultDefaultClientScopes section of a realm.

Context: the realm values map, as auth.realm passes it (a dict with a "dot" key is accepted too).
Emits the key only when `defaultClientScopes` is set; its entries are listed as-is.
Usage:
{{ include "auth._defaultClientScopes" $realm }}
*/}}
{{- define "auth._defaultClientScopes" -}}
{{- $dot := default . .dot -}}
{{- with $dot.defaultClientScopes }}
defaultDefaultClientScopes:
  {{- range $scope := . }}
  - {{ $scope }}
  {{- end }}
{{- end }}
{{- end }}
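{{/*
Renders the clientScopes section of a realm.

Context: the realm values map, as auth.realm passes it (a dict with a "dot" key is accepted too).
Any `additionalClientScopes` from values (name, description, protocolMappers[].{name,protocolMapper,config})
are emitted first, followed by a fixed set of scopes: roles, groups, acr, profile, address,
web-origins, phone, offline_access, role_list, microprofile-jwt and email.
Scalars taken from values are emitted with `quote`.
Usage:
{{ include "auth._clientScopes" $realm }}
*/}}
{{- define "auth._clientScopes" -}}
{{- $dot := default . .dot -}}
clientScopes:
{{- range $scope := $dot.additionalClientScopes }}
  - name: {{ $scope.name | quote }}
    description: {{ default "" $scope.description | quote }}
    protocol: openid-connect
    attributes:
      include.in.token.scope: 'false'
      display.on.consent.screen: 'true'
      gui.order: ''
      {{- /* NOTE(review): every additional scope reuses the consent text of the roles scope — confirm that is intended */}}
      consent.screen.text: "${rolesScopeConsentText}"
    protocolMappers:
    {{- range $mapper := $scope.protocolMappers }}
      - name: {{ $mapper.name | quote }}
        protocol: "openid-connect"
        protocolMapper: {{ $mapper.protocolMapper | quote }}
        consentRequired: false
        config:
          {{- toYaml $mapper.config | nindent 10 }}
    {{- end }}
{{- end }}
  - name: roles
    description: OpenID Connect scope for add user roles to the access token
    protocol: openid-connect
    attributes:
      include.in.token.scope: 'false'
      display.on.consent.screen: 'true'
      consent.screen.text: "${rolesScopeConsentText}"
    protocolMappers:
      - name: audience resolve
        protocol: openid-connect
        protocolMapper: oidc-audience-resolve-mapper
        consentRequired: false
        config: {}
      - name: realm roles
        protocol: openid-connect
        protocolMapper: oidc-usermodel-realm-role-mapper
        consentRequired: false
        config:
          user.attribute: foo
          access.token.claim: 'true'
          claim.name: realm_access.roles
          jsonType.label: String
          multivalued: 'true'
      - name: client roles
        protocol: openid-connect
        protocolMapper: oidc-usermodel-client-role-mapper
        consentRequired: false
        config:
          user.attribute: foo
          access.token.claim: 'true'
          claim.name: resource_access.${client_id}.roles
          jsonType.label: String
          multivalued: 'true'
  - name: groups
    description: Membership to a group
    protocol: openid-connect
    attributes:
      include.in.token.scope: 'true'
      display.on.consent.screen: 'true'
      gui.order: ''
      consent.screen.text: ''
    protocolMappers:
      - name: groups
        protocol: openid-connect
        protocolMapper: oidc-group-membership-mapper
        consentRequired: false
        config:
          full.path: 'false'
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: groups
          userinfo.token.claim: 'true'
  - name: acr
    description: >-
      OpenID Connect scope for add acr (authentication context class reference)
      to the token
    protocol: openid-connect
    attributes:
      include.in.token.scope: 'false'
      display.on.consent.screen: 'false'
    protocolMappers:
      - name: acr loa level
        protocol: openid-connect
        protocolMapper: oidc-acr-mapper
        consentRequired: false
        config:
          id.token.claim: 'true'
          access.token.claim: 'true'
  - name: profile
    description: 'OpenID Connect built-in scope: profile'
    protocol: openid-connect
    attributes:
      include.in.token.scope: 'true'
      display.on.consent.screen: 'true'
      consent.screen.text: "${profileScopeConsentText}"
    protocolMappers:
      - name: profile
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: profile
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: profile
          jsonType.label: String
      - name: given name
        protocol: openid-connect
        protocolMapper: oidc-usermodel-property-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: firstName
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: given_name
          jsonType.label: String
      - name: website
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: website
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: website
          jsonType.label: String
      - name: zoneinfo
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: zoneinfo
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: zoneinfo
          jsonType.label: String
      - name: locale
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: locale
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: locale
          jsonType.label: String
      - name: gender
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: gender
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: gender
          jsonType.label: String
      - name: family name
        protocol: openid-connect
        protocolMapper: oidc-usermodel-property-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: lastName
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: family_name
          jsonType.label: String
      - name: username
        protocol: openid-connect
        protocolMapper: oidc-usermodel-property-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: username
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: preferred_username
          jsonType.label: String
      - name: middle name
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: middleName
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: middle_name
          jsonType.label: String
      - name: birthdate
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: birthdate
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: birthdate
          jsonType.label: String
      - name: updated at
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: updatedAt
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: updated_at
          jsonType.label: long
      - name: full name
        protocol: openid-connect
        protocolMapper: oidc-full-name-mapper
        consentRequired: false
        config:
          id.token.claim: 'true'
          access.token.claim: 'true'
          userinfo.token.claim: 'true'
      - name: nickname
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: nickname
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: nickname
          jsonType.label: String
      - name: picture
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: picture
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: picture
          jsonType.label: String
  - name: address
    description: 'OpenID Connect built-in scope: address'
    protocol: openid-connect
    attributes:
      include.in.token.scope: 'true'
      display.on.consent.screen: 'true'
      consent.screen.text: "${addressScopeConsentText}"
    protocolMappers:
      - name: address
        protocol: openid-connect
        protocolMapper: oidc-address-mapper
        consentRequired: false
        config:
          user.attribute.formatted: formatted
          user.attribute.country: country
          user.attribute.postal_code: postal_code
          userinfo.token.claim: 'true'
          user.attribute.street: street
          id.token.claim: 'true'
          user.attribute.region: region
          access.token.claim: 'true'
          user.attribute.locality: locality
  - name: web-origins
    description: OpenID Connect scope for add allowed web origins to the access token
    protocol: openid-connect
    attributes:
      include.in.token.scope: 'false'
      display.on.consent.screen: 'false'
      consent.screen.text: ''
    protocolMappers:
      - name: allowed web origins
        protocol: openid-connect
        protocolMapper: oidc-allowed-origins-mapper
        consentRequired: false
        config: {}
  - name: phone
    description: 'OpenID Connect built-in scope: phone'
    protocol: openid-connect
    attributes:
      include.in.token.scope: 'true'
      display.on.consent.screen: 'true'
      consent.screen.text: "${phoneScopeConsentText}"
    protocolMappers:
      - name: phone number verified
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: phoneNumberVerified
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: phone_number_verified
          jsonType.label: boolean
      - name: phone number
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: phoneNumber
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: phone_number
          jsonType.label: String
  - name: offline_access
    description: 'OpenID Connect built-in scope: offline_access'
    protocol: openid-connect
    attributes:
      consent.screen.text: "${offlineAccessScopeConsentText}"
      display.on.consent.screen: 'true'
  - name: role_list
    description: SAML role list
    protocol: saml
    attributes:
      consent.screen.text: "${samlRoleListScopeConsentText}"
      display.on.consent.screen: 'true'
    protocolMappers:
      - name: role list
        protocol: saml
        protocolMapper: saml-role-list-mapper
        consentRequired: false
        config:
          single: 'false'
          attribute.nameformat: Basic
          attribute.name: Role
  - name: microprofile-jwt
    description: Microprofile - JWT built-in scope
    protocol: openid-connect
    attributes:
      include.in.token.scope: 'true'
      display.on.consent.screen: 'false'
    protocolMappers:
      - name: upn
        protocol: openid-connect
        protocolMapper: oidc-usermodel-property-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: username
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: upn
          jsonType.label: String
      - name: groups
        protocol: openid-connect
        protocolMapper: oidc-usermodel-realm-role-mapper
        consentRequired: false
        config:
          multivalued: 'true'
          user.attribute: foo
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: groups
          jsonType.label: String
  - name: email
    description: 'OpenID Connect built-in scope: email'
    protocol: openid-connect
    attributes:
      include.in.token.scope: 'true'
      display.on.consent.screen: 'true'
      consent.screen.text: "${emailScopeConsentText}"
    protocolMappers:
      - name: email
        protocol: openid-connect
        protocolMapper: oidc-usermodel-property-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: email
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: email
          jsonType.label: String
      - name: email verified
        protocol: openid-connect
        protocolMapper: oidc-usermodel-property-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: emailVerified
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: email_verified
          jsonType.label: boolean
{{- end }}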
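{{/*
Renders the groups section of a realm.

Context: the realm values map, as auth.realm passes it (a dict with a "dot" key is accepted too).
Keys read per entry of `groups`: name, path, roles (rendered as realmRoles). With no groups an
empty list is emitted. Names, paths and role names from values are emitted with `quote`.
Usage:
{{ include "auth._groups" $realm }}
*/}}
{{- define "auth._groups" -}}
{{- $dot := default . .dot -}}
{{- if $dot.groups }}
groups:
  {{- range $group := $dot.groups }}
  - name: {{ $group.name | quote }}
    path: {{ default "" $group.path | quote }}
    attributes: {}
    {{- if $group.roles }}
    realmRoles:
      {{- range $groupRole := $group.roles }}
      - {{ $groupRole | quote }}
      {{- end }}
    {{- else }}
    realmRoles: []
    {{- end }}
    clientRoles: {}
    subGroups: []
  {{- end }}
{{- else }}
groups: []
{{- end }}
{{- end }}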
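{{/*
Renders the users section of a realm.

Context: the realm values map, as auth.realm passes it (a dict with a "dot" key is accepted too).
Keys read per entry of `initialUsers`: username, email, emailVerified, firstName, lastName,
attributes, credentials, password, realmRoles, clientRoles, groups. The realm's `name` is used for
the default "default-roles-<name>" realm role.
`credentials` from values wins over `password`; only one `credentials` key is ever emitted
(emitting both would leave a duplicate key whose winner depends on the YAML parser).
`emailVerified` is read with `hasKey` so an explicit `false` is honoured, and is emitted as a boolean.
Scalars taken from values are emitted with `quote`.
Usage:
{{ include "auth._users" $realm }}
*/}}
{{- define "auth._users" -}}
{{- $dot := default . .dot -}}
{{- if $dot.initialUsers }}
users:
  {{- range $user := $dot.initialUsers }}
  - username: {{ $user.username | quote }}
    enabled: true
    totp: false
    email: {{ default "" $user.email | quote }}
    {{- /* `default true` would turn an explicit false back into true, so test for the key instead */}}
    emailVerified: {{ if hasKey $user "emailVerified" }}{{ $user.emailVerified }}{{ else }}true{{ end }}
    firstName: {{ default "" $user.firstName | quote }}
    lastName: {{ default "" $user.lastName | quote }}
    {{- with $user.attributes }}
    attributes:
      {{- toYaml . | nindent 6 }}
    {{- else }}
    attributes: {}
    {{- end }}
    {{- if $user.credentials }}
    credentials:
      {{- toYaml $user.credentials | nindent 6 }}
    {{- else if $user.password }}
    {{- /* NOTE(review): the password lands in clear text in the rendered realm document; prefer `credentials` populated from a Secret */}}
    credentials:
      - type: "password"
        temporary: false
        value: {{ $user.password | quote }}
    {{- end }}
    disableableCredentialTypes: []
    requiredActions: []
    {{- if $user.realmRoles }}
    realmRoles:
      {{- range $realmRole := $user.realmRoles }}
      - {{ $realmRole | quote }}
      {{- end }}
    {{- else }}
    realmRoles:
      - "default-roles-{{ $dot.name }}"
    {{- end }}
    {{- with $user.clientRoles }}
    clientRoles:
      {{- toYaml . | nindent 6 }}
    {{- end }}
    notBefore: 0
    groups: {{ default (list) $user.groups | toJson }}
  {{- end }}
{{- end }}
{{- end }}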
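{{/*
Renders the identityProviders section of a realm.

Context: the realm values map, as auth.realm passes it (a dict with a "dot" key is accepted too).
Keys read per entry of `identityProviders`: name (becomes the alias), displayName, config (copied
verbatim with toYaml). providerId is fixed to "oidc" and the remaining flags are fixed here.
Alias and display name are emitted with `quote`.
Usage:
{{ include "auth._identity" $realm }}
*/}}
{{- define "auth._identity" -}}
{{- $dot := default . .dot -}}
{{- with $dot.identityProviders }}
identityProviders:
  {{- range $provider := . }}
  - alias: {{ $provider.name | quote }}
    displayName: {{ $provider.displayName | quote }}
    providerId: oidc
    enabled: true
    updateProfileFirstLoginMode: "on"
    trustEmail: true
    storeToken: true
    addReadTokenRoleOnCreate: true
    authenticateByDefault: false
    linkOnly: false
    firstBrokerLoginFlowAlias: "first broker login"
    config:
      {{- /* copied as-is; if the provider config carries a client secret it ends up in clear text here */}}
      {{- toYaml $provider.config | nindent 6 }}
  {{- end }}
{{- end }}
{{- end }}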
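{{/*
Renders the identityProviderMappers section of a realm.

Context: the realm values map, as auth.realm passes it (a dict with a "dot" key is accepted too).
Keys read per entry of `identityProviderMappers`: name, identityProviderAlias,
identityProviderMapper, config (copied verbatim with toYaml). Scalars are emitted with `quote`.
Usage:
{{ include "auth._identityMapper" $realm }}
*/}}
{{- define "auth._identityMapper" -}}
{{- $dot := default . .dot -}}
{{- with $dot.identityProviderMappers }}
identityProviderMappers:
  {{- range $mapper := . }}
  - name: {{ $mapper.name | quote }}
    identityProviderAlias: {{ $mapper.identityProviderAlias | quote }}
    identityProviderMapper: {{ $mapper.identityProviderMapper | quote }}
    config:
      {{- toYaml $mapper.config | nindent 6 }}
  {{- end }}
{{- end }}
{{- end }}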
{{/*
Renders the smtpServer section of a realm.

Context: the realm values map, as auth.realm passes it (a dict with a "dot" key is accepted too).
The whole `smtpServer` map is copied verbatim with toYaml when set; if it carries SMTP
credentials they end up in clear text in the rendered realm.
Usage:
{{ include "auth._smtpServer" $realm }}
*/}}
{{- define "auth._smtpServer" -}}
{{- $dot := default . .dot -}}
{{- with $dot.smtpServer }}
smtpServer:
  {{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
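{{/*
Renders the attributes section of a realm.

Params (dict):
  dot   - chart root context (defaults to `.`); frontendUrl is passed through `tpl` against it.
  realm - realm values map (required); `attributes.frontendUrl` must be set, a missing value makes
          rendering fail (tpl needs a string) rather than silently dropping the URL.
Usage:
{{ include "auth._attributes" ( dict "dot" . "realm" $realm ) }}
*/}}
{{- define "auth._attributes" -}}
{{- $dot := default . .dot -}}
{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}}
attributes:
  frontendUrl: {{ tpl $realm.attributes.frontendUrl $dot | quote }}
  {{- /* NOTE(review): hard-coded acr->loa mapping "ABC"->"5" applied to every realm; looks like a placeholder, confirm it is intended */}}
  acr.loa.map: "{\"ABC\":\"5\"}"
{{- end }}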