fix: set correct accessTokenLifespan

Signed-off-by: aaronschweig <aaron.schweig@gmail.com>
openmfp · Feb 1, 2025 · e64cbea · e64cbea
1 parent 9ed39bf
commit e64cbea
Show file tree

Hide file tree

Showing 4 changed files with 136 additions and 65 deletions.
diff --git a/charts/keycloak/templates/crossplane/realm.yaml b/charts/keycloak/templates/crossplane/realm.yaml
@@ -5,7 +5,7 @@ metadata:
   name: {{ .Values.crossplane.realm.name}}
 spec:
   forProvider:
-    accessCodeLifespan: 1h
+    accessTokenLifespan: 1h
     attributes:
       organizationsEnabled: "true"
     displayName: {{ .Values.crossplane.realm.displayName }}

diff --git a/charts/keycloak/tests/__snapshot__/crossplane_test.yaml.snap b/charts/keycloak/tests/__snapshot__/crossplane_test.yaml.snap
@@ -95,65 +95,6 @@ matches the snapshot:
       providerConfigRef:
         name: keycloak-provider-config
   7: |
-    apiVersion: oidc.keycloak.crossplane.io/v1alpha1
-    kind: IdentityProvider
-    metadata:
-      name: sap
-    spec:
-      forProvider:
-        alias: sap
-        authorizationUrl: https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/oauth2/v2.0/authorize
-        clientId: 82b4c72c-ff99-4df6-ba4f-fb634d1fc491
-        clientSecretSecretRef:
-          key: client-secret
-          name: sap-client-secret
-          namespace: openmfp-system
-        defaultScopes: openid email profile
-        hideOnLoginPage: true
-        issuer: https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/v2.0
-        realmRef:
-          name: openmfp
-        tokenUrl: https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/oauth2/v2.0/token
-        trustEmail: true
-      providerConfigRef:
-        name: keycloak-provider-config
-  8: |
-    apiVersion: identityprovider.keycloak.crossplane.io/v1alpha1
-    kind: IdentityProviderMapper
-    metadata:
-      name: lastname
-    spec:
-      forProvider:
-        extraConfig:
-          Claim: last_name
-          UserAttribute: lastName
-          syncMode: INHERIT
-        identityProviderAlias: sap
-        identityProviderMapper: oidc-user-attribute-idp-mapper
-        name: last_name
-        realmRef:
-          name: openmfp
-      providerConfigRef:
-        name: keycloak-provider-config
-  9: |
-    apiVersion: identityprovider.keycloak.crossplane.io/v1alpha1
-    kind: IdentityProviderMapper
-    metadata:
-      name: firstname
-    spec:
-      forProvider:
-        extraConfig:
-          Claim: first_name
-          UserAttribute: firstName
-          syncMode: INHERIT
-        identityProviderAlias: sap
-        identityProviderMapper: oidc-user-attribute-idp-mapper
-        name: first_name
-        realmRef:
-          name: openmfp
-      providerConfigRef:
-        name: keycloak-provider-config
-  10: |
     apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
     kind: ClientScope
     metadata:
@@ -166,7 +107,7 @@ matches the snapshot:
           name: openmfp
       providerConfigRef:
         name: keycloak-provider-config
-  11: |
+  8: |
     apiVersion: keycloak.crossplane.io/v1beta1
     kind: ProviderConfig
     metadata:
@@ -179,7 +120,7 @@ matches the snapshot:
           name: keycloak-provider-config
           namespace: openmfp-system
         source: Secret
-  12: |
+  9: |
     apiVersion: v1
     kind: Secret
     metadata:
@@ -194,14 +135,14 @@ matches the snapshot:
           "url": "http://keycloak-http.openmfp-system.svc.cluster.local:8080",
           "realm": "master"
         }
-  13: |
+  10: |
     apiVersion: realm.keycloak.crossplane.io/v1alpha1
     kind: Realm
     metadata:
       name: openmfp
     spec:
       forProvider:
-        accessCodeLifespan: 1h
+        accessTokenLifespan: 1h
         attributes:
           organizationsEnabled: "true"
         displayName: OpenMFP

diff --git a/charts/keycloak/tests/__snapshot__/external-secrets_test.yaml.snap b/charts/keycloak/tests/__snapshot__/external-secrets_test.yaml.snap
@@ -9,7 +9,7 @@ matches the snapshot:
       data:
         - remoteRef:
             conversionStrategy: Default
-            key: dxp-core-team/manual-secrets/keycloak-admin
+            key: null
             property: password
           secretKey: secret
       refreshInterval: 10m

diff --git a/charts/keycloak/values.yaml b/charts/keycloak/values.yaml
@@ -0,0 +1,130 @@
+istio:
+  virtualservice:
+    # -- istio virtual service hosts
+    hosts: [auth.openmfp.org]
+
+# -- debug mode
+debug: false
+
+crossplane:
+  # -- toggle to enable/disable crossplane
+  enabled: false
+
+  # -- crossplane provider config
+  providerConfig:
+    # -- name of the client
+    name: keycloak-provider-config
+    # -- client namespace
+    namespace: openmfp-system
+
+  # -- crossplane realm config
+  realm:
+    # -- realm name
+    name: openmfp
+    # -- realm display name
+    displayName: OpenMFP
+    # -- realm registration allowed
+    registrationAllowed: false
+
+  clients:
+    openmfp:
+      # -- name of the client
+      name: OpenMFP
+      # -- valid redirect uris for the client
+      validRedirectUris:
+        # -- keycloak callback url
+        - http://localhost:8000/callback*
+  trustedAudiences: []
+
+  identityProviders: {}
+
+# -- configuration passed to the child 'keyclaok' chart
+# https://github.com/bitnami/charts/tree/main/bitnami/keycloak
+keycloak:
+  # -- keycloak environment variables (raw)
+  extraEnvVars: |
+    - name: KEYCLOAK_USER
+      value: keycloak-admin
+    - name: KEYCLOAK_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: keycloak-admin
+          key: secret
+  # -- configuration for the postgresql sub-chart
+  postgresql:
+    # -- authorization configuration
+    auth:
+      # -- existing secret name
+      existingSecret: ""
+      secretKeys:
+        # -- user password key
+        userPasswordKey: password
+        # -- admin password key
+        adminPasswordKey: password
+
+keycloakConfig:
+  # -- url of the keycloak server
+  url: http://keycloak-http.openmfp-system.svc.cluster.local:8080
+  userRegistration:
+    # -- toggle to enable/disable user registration
+    enabled: true
+  # -- redirect urls
+  redirectUrls: []
+  # -- realm configuration
+  realm:
+    # -- realm name
+    name: master
+  # -- client configuration
+  client:
+    # -- client name
+    name: openmfp
+    # -- target secret options
+    targetSecret:
+      # -- secret name
+      name: portal-client-secret-openmfp
+      # -- secret namespace
+      namespace: openmfp-system
+    # -- token lifespan
+    tokenLifespan: 3600
+  # -- admin user configuration
+  admin:
+    username:
+      # -- username
+      value: keycloak-admin
+    # -- admin password
+    password:
+      valueFrom:
+        secretKeyRef:
+          # -- name of the secret containing the password
+          name: keycloak-admin
+          # -- key of the password in the secret
+          key: secret
+
+# -- service configuration
+service:
+  # -- service name
+  name: keycloak
+  # -- service port
+  port: 8080
+
+# -- domain configuration
+domain:
+  # -- domain name
+  name: openmfp.org
+  # -- path prefix
+  pathPrefix: ""
+
+# -- job configuration
+job:
+  # -- job ServiceAccount name
+  serviceAccount: keycloak-client-creation
+  # -- custom job annotations
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+
+# -- external secrets configuration
+externalSecrets:
+  # -- keycloak admin secret
+  keycloakAdminRemoteRef: ""
+  # -- postgres admin secret
+  postgres-adminRemoteRef: ""