diff --git a/deploy/import-init-values.yaml b/deploy/import-init-values.yaml index bc58c7b..8a0c641 100644 --- a/deploy/import-init-values.yaml +++ b/deploy/import-init-values.yaml 
@@ -1,509 +1,561 @@ -keycloak: - realms: |- - del_realms: - - preregistration - mosip: # realm - roles: - - Default - - ABIS_PARTNER - - SDK_PARTNER +del_realms: + - preregistration +mosip: + roles: + - Default + - ABIS_PARTNER + - SDK_PARTNER + - AUTH + - AUTH_PARTNER + - BIOMETRIC_READ + - CENTRAL_ADMIN + - CENTRAL_APPROVER + - CREATE_SHARE + - CREDENTIAL_ISSUANCE + - CREDENTIAL_PARTNER + - CREDENTIAL_REQUEST + - DATA_READ + - DEVICE_PROVIDER + - DOCUMENT_READ + - FTM_PROVIDER + - GLOBAL_ADMIN + - ID_AUTHENTICATION + - ID_REPOSITORY + - INDIVIDUAL + - KEY_MAKER + - MASTERDATA_ADMIN + - METADATA_READ + - MISP + - MISP_PARTNER + - offline_access + - ONLINE_VERIFICATION_PARTNER + - PARTNER + - PARTNER_ADMIN + - PARTNERMANAGER + - PMS_ADMIN + - PMS_USER + - POLICYMANAGER + - PREREG + - PRE_REGISTRATION + - PRE_REGISTRATION_ADMIN + - PRINT_PARTNER + - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL + - PUBLISH_ANONYMOUS_PROFILE_GENERAL + - PUBLISH_APIKEY_APPROVED_GENERAL + - PUBLISH_APIKEY_UPDATED_GENERAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL + - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL + - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL + - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - PUBLISH_MASTERDATA_TITLES_GENERAL + - PUBLISH_MISP_LICENSE_GENERATED_GENERAL + - PUBLISH_MISP_LICENSE_UPDATED_GENERAL + - PUBLISH_MOSIP_HOTLIST_GENERAL + - PUBLISH_PARTNER_UPDATED_GENERAL + - PUBLISH_POLICY_UPDATED_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL + - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL + - REGISTRATION_ADMIN + - REGISTRATION_OFFICER + - REGISTRATION_OPERATOR + - REGISTRATION_PROCESSOR + - 
REGISTRATION_SUPERVISOR + - RESIDENT + - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_APIKEY_APPROVED_GENERAL + - SUBSCRIBE_APIKEY_UPDATED_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL + - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - SUBSCRIBE_MASTERDATA_TITLES_GENERAL + - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL + - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL + - SUBSCRIBE_MOSIP_HOTLIST_GENERAL + - SUBSCRIBE_PARTNER_UPDATED_GENERAL + - SUBSCRIBE_POLICY_UPDATED_GENERAL + - SUBSCRIBE_REMOVE_ID_INDIVIDUAL + - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL + - uma_authorization + - ZONAL_ADMIN + - ZONAL_APPROVER + - HOTLIST_ADMIN + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - SUBSCRIBE_IDENTITY_CREATED_GENERAL + - SUBSCRIBE_IDENTITY_UPDATED_GENERAL + - PUBLISH_OIDC_CLIENT_CREATED_GENERAL + - PUBLISH_OIDC_CLIENT_UPDATED_GENERAL + - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL + - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL + client_scopes: + - name: add_oidc_client + description: Scope required to create OIDC client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: update_oidc_client + description: '' + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: get_certificate + description: Scope required to create OIDC client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: upload_certificate + description: '' + protocol: 
openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: individual_id + description: Scope required to create resident client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "true", + include.in.token.scope: "true" + } + - name: ida_token + description: '' + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "true", + include.in.token.scope: "true" + } + - name: send_binding_otp + description: Scope required to create mpartner-default-mobile client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + - name: wallet_binding + description: Scope required to create mpartner-default-mobile client + protocol: openid-connect + Include In Token Scope : on + attributes: { + display.on.consent.screen: "false", + include.in.token.scope: "true" + } + + clients: + - name: mosip-abis-client + mappers: [] + saroles: [] + + - name: mosip-admin-client + mappers: [] + saroles: + - MASTERDATA_ADMIN + - GLOBAL_ADMIN + - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - offline_access + - PUBLISH_MOSIP_HOTLIST_GENERAL + - uma_authorization + - PUBLISH_MASTERDATA_TITLES_GENERAL + + - name: mosip-admin-services-client + mappers: [] + saroles: [] + + - name: mosip-auth-client + mappers: [] + saroles: - AUTH - - AUTH_PARTNER - - BIOMETRIC_READ - - CENTRAL_ADMIN - - CENTRAL_APPROVER - - CREATE_SHARE + + - name: mosip-crereq-client + mappers: [] + saroles: - CREDENTIAL_ISSUANCE - - CREDENTIAL_PARTNER - CREDENTIAL_REQUEST + - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL + - offline_access + - uma_authorization + + - name: mosip-creser-client + mappers: [] + saroles: + - CREDENTIAL_ISSUANCE + - REGISTRATION_PROCESSOR + - POLICYMANAGER + - CREATE_SHARE + - offline_access + - 
PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL + - uma_authorization + - name: mosip-creser-idpass-client + mappers: [] + saroles: + - REGISTRATION_PROCESSOR - DATA_READ - - DEVICE_PROVIDER - DOCUMENT_READ - - FTM_PROVIDER + - BIOMETRIC_READ + - METADATA_READ + - CREATE_SHARE + - CREDENTIAL_REQUEST + + - name: mosip-datsha-client + mappers: [] + saroles: + - CREATE_SHARE + - REGISTRATION_PROCESSOR + - POLICYMANAGER + + - name: mosip-ida-client + mappers: [] + saroles: + - CREDENTIAL_REQUEST - GLOBAL_ADMIN - ID_AUTHENTICATION - - ID_REPOSITORY - - INDIVIDUAL - - KEY_MAKER - - MASTERDATA_ADMIN - - METADATA_READ - - MISP - - MISP_PARTNER - - offline_access - - ONLINE_VERIFICATION_PARTNER - - PARTNER + - PARTNERMANAGER # Added only for cert upload using postman during install. Not required otherwise. + - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL + - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL + - name: mosip-misp-client + mappers: [] + saroles: [] + + - name: mosip-partner-client + mappers: + - mapper_name: phoneNumber + mapper_user_attribute: phoneNumber + token_claim_name: phoneNumber + - mapper_name: organizationName + mapper_user_attribute: organizationName + token_claim_name: organizationName + - mapper_name: partnerType + mapper_user_attribute: partnerType + token_claim_name: partnerType + - mapper_name: addressTest + mapper_user_attribute: address + token_claim_name: addressTest + saroles: + - REGISTRATION_PROCESSOR + - CREATE_SHARE + - PMS_USER + - PMS_ADMIN - PARTNER_ADMIN + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_MISP_LICENSE_UPDATED_GENERAL + - PUBLISH_PARTNER_UPDATED_GENERAL + - PUBLISH_MISP_LICENSE_GENERATED_GENERAL + - PUBLISH_APIKEY_APPROVED_GENERAL + - PUBLISH_APIKEY_UPDATED_GENERAL + - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_POLICY_UPDATED_GENERAL + + - name: mosip-partnermanager-client + mappers: [] + saroles: - PARTNERMANAGER - - PMS_ADMIN - - PMS_USER - - POLICYMANAGER - - PREREG - - PRE_REGISTRATION - - PRE_REGISTRATION_ADMIN - - 
PRINT_PARTNER - - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL - - PUBLISH_ANONYMOUS_PROFILE_GENERAL + - KEY_MAKER + + - name: mosip-pms-client + mappers: + - mapper_name: phoneNumber + mapper_user_attribute: phoneNumber + token_claim_name: phoneNumber + - mapper_name: organizationName + mapper_user_attribute: organizationName + token_claim_name: organizationName + - mapper_name: partnerType + mapper_user_attribute: partnerType + token_claim_name: partnerType + - mapper_name: addressTest + mapper_user_attribute: address + token_claim_name: addressTest + saroles: + - PARTNER_ADMIN + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_OIDC_CLIENT_CREATED_GENERAL + - PUBLISH_OIDC_CLIENT_UPDATED_GENERAL - PUBLISH_APIKEY_APPROVED_GENERAL - PUBLISH_APIKEY_UPDATED_GENERAL - - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL - - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL - - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL - - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL - - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL - - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL - - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL - - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL - - PUBLISH_MASTERDATA_TITLES_GENERAL - PUBLISH_MISP_LICENSE_GENERATED_GENERAL - PUBLISH_MISP_LICENSE_UPDATED_GENERAL - - PUBLISH_MOSIP_HOTLIST_GENERAL - PUBLISH_PARTNER_UPDATED_GENERAL - PUBLISH_POLICY_UPDATED_GENERAL - - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL - - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL - - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL - - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL + - ZONAL_ADMIN + - CREATE_SHARE + - DEVICE_PROVIDER + - PARTNER + - PMS_ADMIN + - PMS_USER + - REGISTRATION_PROCESSOR + assign_client_scopes: + - update_oidc_client + - add_oidc_client + - get_certificate + - upload_certificate + - name: mosip-policymanager-client + mappers: [] + saroles: [] + + - name: mosip-reg-client + mappers: [] + saroles: + - 
GLOBAL_ADMIN - REGISTRATION_ADMIN - REGISTRATION_OFFICER - REGISTRATION_OPERATOR - - REGISTRATION_PROCESSOR - REGISTRATION_SUPERVISOR - - RESIDENT - - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL - - SUBSCRIBE_APIKEY_APPROVED_GENERAL - - SUBSCRIBE_APIKEY_UPDATED_GENERAL - - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL - - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL - - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL - - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL - - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL - - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL - - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL - - SUBSCRIBE_MASTERDATA_TITLES_GENERAL - - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL - - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL - - SUBSCRIBE_MOSIP_HOTLIST_GENERAL - - SUBSCRIBE_PARTNER_UPDATED_GENERAL - - SUBSCRIBE_POLICY_UPDATED_GENERAL - - SUBSCRIBE_REMOVE_ID_INDIVIDUAL - - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL - - uma_authorization - - ZONAL_ADMIN - - ZONAL_APPROVER - - HOTLIST_ADMIN + + - name: mosip-regproc-client + mappers: [] + saroles: + - REGISTRATION_PROCESSOR + - DATA_READ + - DOCUMENT_READ + - BIOMETRIC_READ + - METADATA_READ + - CREATE_SHARE + - CREDENTIAL_REQUEST + - PARTNER + - PARTNER_ADMIN + - PMS_USER + - POLICYMANAGER + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL - - SUBSCRIBE_IDENTITY_CREATED_GENERAL - - SUBSCRIBE_IDENTITY_UPDATED_GENERAL - - PUBLISH_OIDC_CLIENT_CREATED_GENERAL - - PUBLISH_OIDC_CLIENT_UPDATED_GENERAL - - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL - - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL - client_scopes: - - name: add_oidc_client - description: Scope required to create OIDC client - protocol: openid-connect - Include In Token Scope : on - attributes: { - display.on.consent.screen: "false", - 
include.in.token.scope: "true" - } - - name: update_oidc_client - description: '' - protocol: openid-connect - Include In Token Scope : on - attributes: { - display.on.consent.screen: "false", - include.in.token.scope: "true" - } - - name: get_certificate - description: Scope required to create OIDC client - protocol: openid-connect - Include In Token Scope : on - attributes: { - display.on.consent.screen: "false", - include.in.token.scope: "true" - } - - name: upload_certificate - description: '' - protocol: openid-connect - Include In Token Scope : on - attributes: { - display.on.consent.screen: "false", - include.in.token.scope: "true" - } - - name: individual_id - description: Scope required to create resident client - protocol: openid-connect - Include In Token Scope : on - attributes: { - display.on.consent.screen: "true", - include.in.token.scope: "true" - } - - name: ida_token - description: '' - protocol: openid-connect - Include In Token Scope : on - attributes: { - display.on.consent.screen: "true", - include.in.token.scope: "true" - } - - name: send_binding_otp - description: Scope required to create mpartner-default-mobile client - protocol: openid-connect - Include In Token Scope : on - attributes: { - display.on.consent.screen: "false", - include.in.token.scope: "true" - } - - name: wallet_binding - description: Scope required to create mpartner-default-mobile client - protocol: openid-connect - Include In Token Scope : on - attributes: { - display.on.consent.screen: "false", - include.in.token.scope: "true" - } - - clients: - - name: mosip-abis-client - mappers: [] - saroles: [] - - - name: mosip-admin-client - mappers: [] - saroles: - - MASTERDATA_ADMIN - - GLOBAL_ADMIN - - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL - - offline_access - - PUBLISH_MOSIP_HOTLIST_GENERAL - - uma_authorization - - PUBLISH_MASTERDATA_TITLES_GENERAL - - - name: mosip-admin-services-client - mappers: [] - saroles: [] - - - name: mosip-auth-client - mappers: [] 
- saroles: - - AUTH - - - name: mosip-crereq-client - mappers: [] - saroles: - - CREDENTIAL_ISSUANCE - - CREDENTIAL_REQUEST - - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL - - offline_access - - uma_authorization - - - name: mosip-creser-client - mappers: [] - saroles: - - CREDENTIAL_ISSUANCE - - REGISTRATION_PROCESSOR - - POLICYMANAGER - - CREATE_SHARE - - offline_access - - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL - - uma_authorization - - name: mosip-creser-idpass-client - mappers: [] - saroles: - - REGISTRATION_PROCESSOR - - DATA_READ - - DOCUMENT_READ - - BIOMETRIC_READ - - METADATA_READ - - CREATE_SHARE - - CREDENTIAL_REQUEST - - - name: mosip-datsha-client - mappers: [] - saroles: - - CREATE_SHARE - - REGISTRATION_PROCESSOR - - POLICYMANAGER - - - name: mosip-ida-client - mappers: [] - saroles: - - CREDENTIAL_REQUEST - - GLOBAL_ADMIN - - ID_AUTHENTICATION - - PARTNERMANAGER # Added only for cert upload using postman during install. Not required otherwise. - - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL - - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL - - name: mosip-misp-client - mappers: [] - saroles: [] - - - name: mosip-partner-client - mappers: - - mapper_name: phoneNumber - mapper_user_attribute: phoneNumber - token_claim_name: phoneNumber - - mapper_name: organizationName - mapper_user_attribute: organizationName - token_claim_name: organizationName - - mapper_name: partnerType - mapper_user_attribute: partnerType - token_claim_name: partnerType - - mapper_name: addressTest - mapper_user_attribute: address - token_claim_name: addressTest - saroles: - - REGISTRATION_PROCESSOR - - CREATE_SHARE - - PMS_USER - - PMS_ADMIN - - PARTNER_ADMIN - - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL - - PUBLISH_MISP_LICENSE_UPDATED_GENERAL - - PUBLISH_PARTNER_UPDATED_GENERAL - - PUBLISH_MISP_LICENSE_GENERATED_GENERAL - - PUBLISH_APIKEY_APPROVED_GENERAL - - PUBLISH_APIKEY_UPDATED_GENERAL - - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL - - PUBLISH_POLICY_UPDATED_GENERAL - - - name: 
mosip-partnermanager-client - mappers: [] - saroles: - - PARTNERMANAGER - - KEY_MAKER - - name: mosip-pms-client - mappers: - - mapper_name: phoneNumber - mapper_user_attribute: phoneNumber - token_claim_name: phoneNumber - - mapper_name: organizationName - mapper_user_attribute: organizationName - token_claim_name: organizationName - - mapper_name: partnerType - mapper_user_attribute: partnerType - token_claim_name: partnerType - - mapper_name: addressTest - mapper_user_attribute: address - token_claim_name: addressTest - saroles: - - PARTNER_ADMIN - - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL - - PUBLISH_OIDC_CLIENT_CREATED_GENERAL - - PUBLISH_OIDC_CLIENT_UPDATED_GENERAL - - PUBLISH_APIKEY_APPROVED_GENERAL - - PUBLISH_APIKEY_UPDATED_GENERAL - - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL - - PUBLISH_MISP_LICENSE_GENERATED_GENERAL - - PUBLISH_MISP_LICENSE_UPDATED_GENERAL - - PUBLISH_PARTNER_UPDATED_GENERAL - - PUBLISH_POLICY_UPDATED_GENERAL - - ZONAL_ADMIN - - CREATE_SHARE - - DEVICE_PROVIDER - - PARTNER - - PMS_ADMIN - - PMS_USER - - REGISTRATION_PROCESSOR - assign_client_scopes: - - update_oidc_client - - add_oidc_client - - get_certificate - - upload_certificate - - name: mosip-policymanager-client - mappers: [] - saroles: [] - - - name: mosip-reg-client - mappers: [] - saroles: - - GLOBAL_ADMIN - - REGISTRATION_ADMIN - - REGISTRATION_OFFICER - - REGISTRATION_OPERATOR - - REGISTRATION_SUPERVISOR + - name: mpartner-default-mobile + mappers: [] + saroles: + - CREDENTIAL_PARTNER + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + assign_client_scopes: + - send_binding_otp + - wallet_binding - - name: mosip-regproc-client - 
mappers: [] - saroles: - - REGISTRATION_PROCESSOR - - DATA_READ - - DOCUMENT_READ - - BIOMETRIC_READ - - METADATA_READ - - CREATE_SHARE - - CREDENTIAL_REQUEST - - PARTNER - - PARTNER_ADMIN - - PMS_USER - - POLICYMANAGER - - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL - - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL - - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL - - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - name: mosip-resident-client + mappers: [] + saroles: + - RESIDENT + - PARTNER_ADMIN + - CREDENTIAL_REQUEST + - offline_access + - uma_authorization + assign_client_scopes: + - individual_id + - ida_token - - name: mpartner-default-mobile - mappers: [] - saroles: - - CREDENTIAL_PARTNER - - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL - - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL - - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL - - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL - - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL - - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL - assign_client_scopes: - - send_binding_otp - - wallet_binding - - name: mosip-resident-client - mappers: [] - saroles: - - RESIDENT - - PARTNER_ADMIN - - CREDENTIAL_REQUEST - - offline_access - - uma_authorization - assign_client_scopes: - - individual_id - - ida_token + - name: mosip-prereg-client + mappers: [] + saroles: + - PREREG + - REGISTRATION_PROCESSOR + - PRE_REGISTRATION_ADMIN - - name: mosip-prereg-client - mappers: [] - saroles: - - PREREG - - REGISTRATION_PROCESSOR - - PRE_REGISTRATION_ADMIN - - name: mosip-creser-idpass-client - mappers: [] - saroles: - - REGISTRATION_PROCESSOR - - DATA_READ - - DOCUMENT_READ - - BIOMETRIC_READ - - METADATA_READ - - CREATE_SHARE - - CREDENTIAL_REQUEST + - name: mosip-syncdata-client + mappers: [] + saroles: + - 
REGISTRATION_ADMIN + - GLOBAL_ADMIN + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - REGISTRATION_SUPERVISOR + - REGISTRATION_OFFICER - - name: mosip-syncdata-client - mappers: [] - saroles: - - REGISTRATION_ADMIN - - GLOBAL_ADMIN - - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL - - REGISTRATION_SUPERVISOR - - REGISTRATION_OFFICER + - name: mpartner-default-auth + mappers: + - mapper_name: langCode + mapper_user_attribute: langCode + token_claim_name: langCode + saroles: + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL + - SUBSCRIBE_POLICY_UPDATED_GENERAL + - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL + - CREDENTIAL_REQUEST + - SUBSCRIBE_MOSIP_HOTLIST_GENERAL + - PUBLISH_ANONYMOUS_PROFILE_GENERAL + - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_REMOVE_ID_INDIVIDUAL + - SUBSCRIBE_MASTERDATA_TITLES_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL + - ID_AUTHENTICATION + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_PARTNER_UPDATED_GENERAL + - offline_access + - SUBSCRIBE_APIKEY_APPROVED_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - uma_authorization + - SUBSCRIBE_APIKEY_UPDATED_GENERAL + - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL + - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL + - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL - - name: mpartner-default-auth - mappers: - - mapper_name: langCode - mapper_user_attribute: langCode - token_claim_name: langCode - saroles: - - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL - - SUBSCRIBE_POLICY_UPDATED_GENERAL - - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL - - CREDENTIAL_REQUEST - - SUBSCRIBE_MOSIP_HOTLIST_GENERAL - - PUBLISH_ANONYMOUS_PROFILE_GENERAL - - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL - - SUBSCRIBE_REMOVE_ID_INDIVIDUAL - - 
SUBSCRIBE_MASTERDATA_TITLES_GENERAL - - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL - - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL - - ID_AUTHENTICATION - - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL - - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL - - SUBSCRIBE_PARTNER_UPDATED_GENERAL - - offline_access - - SUBSCRIBE_APIKEY_APPROVED_GENERAL - - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL - - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL - - uma_authorization - - SUBSCRIBE_APIKEY_UPDATED_GENERAL - - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL - - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL - - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL - - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL - - SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL - - SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL + - name: mosip-idrepo-client + mappers: [] + saroles: + - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL + - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL + - ID_REPOSITORY + - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL + - offline_access + - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - uma_authorization + - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL - - name: mosip-idrepo-client - mappers: [] - saroles: - - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL - - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL - - ID_REPOSITORY - - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL - - offline_access - - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL - - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL - - uma_authorization - - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL - - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL + - name: mpartner-default-print + mappers: [] + saroles: + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - CREATE_SHARE + - PRINT_PARTNER - - name: mpartner-default-print - mappers: [] - saroles: - - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL - - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL - - CREATE_SHARE - - PRINT_PARTNER + - name: 
mpartner-default-digitalcard + mappers: [] + saroles: + - SUBSCRIBE_IDENTITY_CREATED_GENERAL + - SUBSCRIBE_IDENTITY_UPDATED_GENERAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - CREATE_SHARE + - PRINT_PARTNER + - CREDENTIAL_REQUEST + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL - - name: mpartner-default-digitalcard - mappers: [] - saroles: - - SUBSCRIBE_IDENTITY_CREATED_GENERAL - - SUBSCRIBE_IDENTITY_UPDATED_GENERAL - - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL - - CREATE_SHARE - - PRINT_PARTNER - - CREDENTIAL_REQUEST - - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - name: mosip-digitalcard-client + saroles: + - CREATE_SHARE + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - SUBSCRIBE_IDENTITY_CREATED_GENERAL + - SUBSCRIBE_IDENTITY_UPDATED_GENERAL - - name: mosip-digitalcard-client - saroles: - - CREATE_SHARE - - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL - - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL - - SUBSCRIBE_IDENTITY_CREATED_GENERAL - - SUBSCRIBE_IDENTITY_UPDATED_GENERAL + - name: mosip-hotlist-client + saroles: + - HOTLIST_ADMIN + - uma_authorization + - offline_access + - PUBLISH_MOSIP_HOTLIST_GENERAL - - name: mosip-hotlist-client - saroles: - - HOTLIST_ADMIN - - uma_authorization - - offline_access - - PUBLISH_MOSIP_HOTLIST_GENERAL + # Used only for initial deployment purposes. Maybe deleted from installation later. + - name: mosip-deployment-client + saroles: + - ID_AUTHENTICATION + - GLOBAL_ADMIN # TODO: do we need this? + - PARTNER_ADMIN + - uma_authorization + - offline_access - # Used only for initial deployment purposes. Maybe deleted from installation later. - - name: mosip-deployment-client - saroles: - - ID_AUTHENTICATION - - GLOBAL_ADMIN # TODO: do we need this? - - PARTNER_ADMIN - - uma_authorization - - offline_access + - name: mosip-testrig-client + saroles: + - ID_AUTHENTICATION + - GLOBAL_ADMIN # TODO: do we need this? 
+ - PARTNER_ADMIN + - REGISTRATION_PROCESSOR + - CREATE_SHARE + - PMS_ADMIN + - PMS_USER + - uma_authorization + - offline_access + sa_client_roles: + - realm-management: ## realm-management client id + - view-users # realm-management client roles + - view-clients + - view-realm + - manage-users - - name: mosip-testrig-client - saroles: - - ID_AUTHENTICATION - - GLOBAL_ADMIN # TODO: do we need this? - - PARTNER_ADMIN - - REGISTRATION_PROCESSOR - - CREATE_SHARE - - PMS_ADMIN - - PMS_USER - - uma_authorization - - offline_access - sa_client_roles: - - realm-management: ## realm-management client id - - view-users # realm-management client roles - - view-clients - - view-realms - - manage-users - users: [] + users: [] +## These will be passed as environments variables to keycloak-init docker. Note the expected naming convention is +## _. If empty secret is passed, it shall be randomly generated +## IMPORTANT: When running import or upgrade: +## - To preserve existing secrets: Update 'secret' field with the current secret value from your Keycloak +## - To generate new random secrets: Leave 'secret' field as empty string ("") +clientSecrets: + - name: mosip_abis_client_secret + secret: "" + - name: mosip_admin_client_secret + secret: "" + - name: mosip_admin_services_client_secret + secret: "" + - name: mosip_auth_client_secret + secret: "" + - name: mosip_crereq_client_secret + secret: "" + - name: mosip_creser_client_secret + secret: "" + - name: mosip_datsha_client_secret + secret: "" + - name: mosip_ida_client_secret + secret: "" + - name: mosip_misp_client_secret + secret: "" + - name: mosip_partner_client_secret + secret: "" + - name: mosip_partnermanager_client_secret + secret: "" + - name: mosip_pms_client_secret + secret: "" + - name: mosip_policymanager_client_secret + secret: "" + - name: mosip_reg_client_secret + secret: "" + - name: mosip_regproc_client_secret + secret: "" + - name: mosip_resident_client_secret + secret: "" + - name: 
mosip_prereg_client_secret + secret: "" + - name: mosip_creser_idpass_client_secret + secret: "" + - name: mosip_syncdata_client_secret + secret: "" + - name: mosip_deployment_client_secret + secret: "" + - name: mpartner_default_auth_secret + secret: "" + - name: mosip_idrepo_client_secret + secret: "" + - name: mpartner_default_print_secret + secret: "" + - name: mosip_hotlist_client_secret + secret: "" + - name: mpartner_default_mobile_secret + secret: "" + - name: mosip_digitalcard_client_secret + secret: "" + - name: mpartner_default_digitalcard_secret + secret: "" + - name: mosip_testrig_client_secret + secret: "" \ No newline at end of file diff --git a/deploy/import-init.sh b/deploy/import-init.sh index 9d5191b..fb327ba 100755 --- a/deploy/import-init.sh +++ b/deploy/import-init.sh @@ -10,14 +10,19 @@ fi function import_init() { NS=keycloak CHART_VERSION=0.0.1-develop + KEYCLOAK_SERVICE_NAME=keycloak helm repo add mosip https://mosip.github.io/mosip-helm helm repo update - IAM_HOST=$(kubectl get cm global -o jsonpath={.data.mosip-iam-external-host}) + IAM_HOST=$(kubectl get cm global -o jsonpath='{.data.mosip-iam-external-host}') echo Initializing keycloak - helm -n $NS install keycloak-import mosip/keycloak-init --set frontend=https://$IAM_HOST/auth -f import-init-values.yaml --version $CHART_VERSION + helm -n $NS install keycloak-import mosip/keycloak-init \ + --set keycloakExternalHost="$IAM_HOST" \ + --set keycloakInternalHost="$KEYCLOAK_SERVICE_NAME.$NS" \ + --set keycloak.realms.mosip.realm_config.attributes.frontendUrl="https://$IAM_HOST/auth" \ + -f import-init-values.yaml --version $CHART_VERSION return 0 } diff --git a/deploy/upgrade-init-values.yaml b/deploy/upgrade-init-values.yaml index 4060693..f721c2f 100644 --- a/deploy/upgrade-init-values.yaml +++ b/deploy/upgrade-init-values.yaml 
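Review bot: The new `clientSecrets` comment instructs operators to "Update 'secret' field with the current secret value from your Keycloak" on import or upgrade, which puts live client secrets into this tracked values file and into any Helm release history that records values. Keep the committed file at `secret: ""` and take real values from a separate, untracked override values file (or an existing Kubernetes Secret, if the chart supports that; the hunk does not show it), and say so next to the block, e.g. `## Never commit real secret values here; pass them via a separate, untracked -f values file.` The sentence "Note the expected naming convention is _." reads as truncated, possibly an extraction artifact, but it is worth confirming the committed text actually names the convention the entries below follow (client name with dashes replaced by underscores, plus `_secret`).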
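Review bot: `IAM_HOST` is used unchecked in the new `--set keycloakExternalHost="$IAM_HOST"` and `--set keycloak.realms.mosip.realm_config.attributes.frontendUrl="https://$IAM_HOST/auth"` lines; if the `global` configmap lacks `mosip-iam-external-host`, the substitution yields an empty string and the realm is imported with `https:///auth` as its frontend URL, which is likely to produce wrong issuer and redirect URLs that are only noticed later. Add a guard right after the lookup: `[ -n "$IAM_HOST" ] || { echo "mosip-iam-external-host not set in configmap global" >&2; return 1; }`. For consistency with the quoting introduced on these lines, `$NS` and `$CHART_VERSION` could also be quoted in the helm invocation, though both are fixed literals here so that is style only.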
@@ -1,350 +1,394 @@ -keycloak: - realms: |- - del_realms: - - preregistration - mosip: # realm - roles: - - Default - - ABIS_PARTNER - - SDK_PARTNER - - AUTH - - AUTH_PARTNER - - BIOMETRIC_READ - - CENTRAL_ADMIN - - CENTRAL_APPROVER - - CREATE_SHARE - - CREDENTIAL_ISSUANCE - - CREDENTIAL_PARTNER - - CREDENTIAL_REQUEST - - DATA_READ - - DEVICE_PROVIDER - - DOCUMENT_READ - - FTM_PROVIDER - - GLOBAL_ADMIN - - ID_AUTHENTICATION - - ID_REPOSITORY - - INDIVIDUAL - - KEY_MAKER - - MASTERDATA_ADMIN - - METADATA_READ - - MISP - - MISP_PARTNER - - offline_access - - ONLINE_VERIFICATION_PARTNER - - PARTNER - - PARTNER_ADMIN - - PARTNERMANAGER - - PMS_ADMIN - - PMS_USER - - POLICYMANAGER - - PREREG - - PRE_REGISTRATION - - PRE_REGISTRATION_ADMIN - - PRINT_PARTNER - - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL - - PUBLISH_ANONYMOUS_PROFILE_GENERAL - - PUBLISH_APIKEY_APPROVED_GENERAL - - PUBLISH_APIKEY_UPDATED_GENERAL - - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL - - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL - - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL - - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL - - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL - - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL - - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL - - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL - - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL - - PUBLISH_MASTERDATA_TITLES_GENERAL - - PUBLISH_MISP_LICENSE_GENERATED_GENERAL - - PUBLISH_MISP_LICENSE_UPDATED_GENERAL - - PUBLISH_MOSIP_HOTLIST_GENERAL - - PUBLISH_PARTNER_UPDATED_GENERAL - - PUBLISH_POLICY_UPDATED_GENERAL - - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL - - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL - - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL - - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL - - REGISTRATION_ADMIN - - REGISTRATION_OFFICER - - REGISTRATION_OPERATOR - - REGISTRATION_PROCESSOR - - REGISTRATION_SUPERVISOR - - RESIDENT - - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL - - 
SUBSCRIBE_APIKEY_APPROVED_GENERAL - - SUBSCRIBE_APIKEY_UPDATED_GENERAL - - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL - - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL - - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL - - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL - - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL - - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL - - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL - - SUBSCRIBE_MASTERDATA_TITLES_GENERAL - - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL - - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL - - SUBSCRIBE_MOSIP_HOTLIST_GENERAL - - SUBSCRIBE_PARTNER_UPDATED_GENERAL - - SUBSCRIBE_POLICY_UPDATED_GENERAL - - SUBSCRIBE_REMOVE_ID_INDIVIDUAL - - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL - - uma_authorization - - ZONAL_ADMIN - - ZONAL_APPROVER - - HOTLIST_ADMIN - - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL - - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL - clients: - - name: mosip-abis-client - mappers: [] - saroles: [] - - name: mosip-admin-client - mappers: [] - saroles: - - MASTERDATA_ADMIN - - GLOBAL_ADMIN - - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL - - offline_access - - PUBLISH_MOSIP_HOTLIST_GENERAL - - uma_authorization - - PUBLISH_MASTERDATA_TITLES_GENERAL - - name: mosip-admin-services-client - mappers: [] - saroles: [] - - name: mosip-auth-client - mappers: [] - saroles: - - AUTH - - name: mosip-crereq-client - mappers: [] - saroles: - - CREDENTIAL_ISSUANCE - - CREDENTIAL_REQUEST - - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL - - offline_access - - uma_authorization +del_realms: + - preregistration +mosip: # realm + roles: + - Default + - ABIS_PARTNER + - SDK_PARTNER + - AUTH + - AUTH_PARTNER + - BIOMETRIC_READ + - CENTRAL_ADMIN + - CENTRAL_APPROVER + - CREATE_SHARE + - CREDENTIAL_ISSUANCE + - CREDENTIAL_PARTNER + - CREDENTIAL_REQUEST + - DATA_READ + - DEVICE_PROVIDER + - DOCUMENT_READ + - FTM_PROVIDER + - GLOBAL_ADMIN + - ID_AUTHENTICATION + - 
ID_REPOSITORY + - INDIVIDUAL + - KEY_MAKER + - MASTERDATA_ADMIN + - METADATA_READ + - MISP + - MISP_PARTNER + - offline_access + - ONLINE_VERIFICATION_PARTNER + - PARTNER + - PARTNER_ADMIN + - PARTNERMANAGER + - PMS_ADMIN + - PMS_USER + - POLICYMANAGER + - PREREG + - PRE_REGISTRATION + - PRE_REGISTRATION_ADMIN + - PRINT_PARTNER + - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL + - PUBLISH_ANONYMOUS_PROFILE_GENERAL + - PUBLISH_APIKEY_APPROVED_GENERAL + - PUBLISH_APIKEY_UPDATED_GENERAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL + - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL + - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL + - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - PUBLISH_MASTERDATA_TITLES_GENERAL + - PUBLISH_MISP_LICENSE_GENERATED_GENERAL + - PUBLISH_MISP_LICENSE_UPDATED_GENERAL + - PUBLISH_MOSIP_HOTLIST_GENERAL + - PUBLISH_PARTNER_UPDATED_GENERAL + - PUBLISH_POLICY_UPDATED_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL + - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL + - REGISTRATION_ADMIN + - REGISTRATION_OFFICER + - REGISTRATION_OPERATOR + - REGISTRATION_PROCESSOR + - REGISTRATION_SUPERVISOR + - RESIDENT + - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_APIKEY_APPROVED_GENERAL + - SUBSCRIBE_APIKEY_UPDATED_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL + - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - SUBSCRIBE_MASTERDATA_TITLES_GENERAL + - 
SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL + - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL + - SUBSCRIBE_MOSIP_HOTLIST_GENERAL + - SUBSCRIBE_PARTNER_UPDATED_GENERAL + - SUBSCRIBE_POLICY_UPDATED_GENERAL + - SUBSCRIBE_REMOVE_ID_INDIVIDUAL + - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL + - uma_authorization + - ZONAL_ADMIN + - ZONAL_APPROVER + - HOTLIST_ADMIN + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + clients: + - name: mosip-abis-client + mappers: [] + saroles: [] + - name: mosip-admin-client + mappers: [] + saroles: + - MASTERDATA_ADMIN + - GLOBAL_ADMIN + - PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - offline_access + - PUBLISH_MOSIP_HOTLIST_GENERAL + - uma_authorization + - PUBLISH_MASTERDATA_TITLES_GENERAL + - name: mosip-admin-services-client + mappers: [] + saroles: [] + - name: mosip-auth-client + mappers: [] + saroles: + - AUTH + - name: mosip-crereq-client + mappers: [] + saroles: + - CREDENTIAL_ISSUANCE + - CREDENTIAL_REQUEST + - SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL + - offline_access + - uma_authorization - - name: mosip-creser-client - mappers: [] - saroles: - - CREDENTIAL_ISSUANCE - - REGISTRATION_PROCESSOR - - POLICYMANAGER - - CREATE_SHARE - - offline_access - - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL - - uma_authorization - - name: mosip-creser-idpass-client - mappers: [] - saroles: - - REGISTRATION_PROCESSOR - - DATA_READ - - DOCUMENT_READ - - BIOMETRIC_READ - - METADATA_READ - - CREATE_SHARE - - CREDENTIAL_REQUEST - - name: mosip-datsha-client - mappers: [] - saroles: - - CREATE_SHARE - - REGISTRATION_PROCESSOR - - POLICYMANAGER + - name: mosip-creser-client + mappers: [] + saroles: + - CREDENTIAL_ISSUANCE + - REGISTRATION_PROCESSOR + - POLICYMANAGER + - CREATE_SHARE + - offline_access + - PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL + - uma_authorization + - name: mosip-creser-idpass-client + mappers: [] + saroles: + - 
REGISTRATION_PROCESSOR + - DATA_READ + - DOCUMENT_READ + - BIOMETRIC_READ + - METADATA_READ + - CREATE_SHARE + - CREDENTIAL_REQUEST + - name: mosip-datsha-client + mappers: [] + saroles: + - CREATE_SHARE + - REGISTRATION_PROCESSOR + - POLICYMANAGER - - name: mosip-ida-client - mappers: [] - saroles: - - CREDENTIAL_REQUEST - - GLOBAL_ADMIN - - ID_AUTHENTICATION - - PARTNERMANAGER # Added only for cert upload using postman during install. Not required otherwise. - - name: mosip-misp-client - mappers: [] - saroles: [] - - name: mosip-partner-client - mappers: - - mapper_name: phoneNumber - mapper_user_attribute: phoneNumber - token_claim_name: phoneNumber - - mapper_name: organizationName - mapper_user_attribute: organizationName - token_claim_name: organizationName - - mapper_name: partnerType - mapper_user_attribute: partnerType - token_claim_name: partnerType - - mapper_name: addressTest - mapper_user_attribute: address - token_claim_name: addressTest - saroles: - - REGISTRATION_PROCESSOR - - CREATE_SHARE - - PMS_USER - - PMS_ADMIN - - PARTNER_ADMIN - - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL - - PUBLISH_MISP_LICENSE_UPDATED_GENERAL - - PUBLISH_PARTNER_UPDATED_GENERAL - - PUBLISH_MISP_LICENSE_GENERATED_GENERAL - - PUBLISH_APIKEY_APPROVED_GENERAL - - PUBLISH_APIKEY_UPDATED_GENERAL - - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL - - PUBLISH_POLICY_UPDATED_GENERAL - - name: mosip-partnermanager-client - mappers: [] - saroles: - - PARTNERMANAGER - - KEY_MAKER - - name: mosip-pms-client - mappers: [] - saroles: - - PARTNER_ADMIN - - name: mosip-policymanager-client - mappers: [] - saroles: [] - - name: mosip-reg-client - mappers: [] - saroles: - - GLOBAL_ADMIN - - REGISTRATION_ADMIN - - REGISTRATION_OFFICER - - REGISTRATION_OPERATOR - - REGISTRATION_SUPERVISOR - - name: mosip-regproc-client - mappers: [] - saroles: - - REGISTRATION_PROCESSOR - - DATA_READ - - DOCUMENT_READ - - BIOMETRIC_READ - - METADATA_READ - - CREATE_SHARE - - CREDENTIAL_REQUEST - - name: 
mpartner-default-mobile - mappers: [] - saroles: - - CREDENTIAL_PARTNER - - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL - - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL - - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL - - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL - - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL - - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL - - name: mosip-resident-client - mappers: [] - saroles: - - RESIDENT - - PARTNER_ADMIN - - CREDENTIAL_REQUEST - - offline_access - - uma_authorization - - name: mosip-prereg-client - mappers: [] - del_saroles: - - INDIVIDUAL - saroles: - - PREREG - - REGISTRATION_PROCESSOR - - PRE_REGISTRATION_ADMIN - - name: mosip-creser-idpass-client - mappers: [] - saroles: - - REGISTRATION_PROCESSOR - - DATA_READ - - DOCUMENT_READ - - BIOMETRIC_READ - - METADATA_READ - - CREATE_SHARE - - CREDENTIAL_REQUEST - - name: mosip-syncdata-client - mappers: [] - saroles: - - REGISTRATION_ADMIN - - GLOBAL_ADMIN - - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL - - REGISTRATION_SUPERVISOR - - REGISTRATION_OFFICER - - name: mpartner-default-auth - mappers: - - mapper_name: langCode - mapper_user_attribute: langCode - token_claim_name: langCode - saroles: - - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL - - SUBSCRIBE_POLICY_UPDATED_GENERAL - - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL - - CREDENTIAL_REQUEST - - SUBSCRIBE_MOSIP_HOTLIST_GENERAL - - PUBLISH_ANONYMOUS_PROFILE_GENERAL - - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL - - SUBSCRIBE_REMOVE_ID_INDIVIDUAL - - SUBSCRIBE_MASTERDATA_TITLES_GENERAL - - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL - - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL - - ID_AUTHENTICATION - - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL - - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL - - SUBSCRIBE_PARTNER_UPDATED_GENERAL - - offline_access - - SUBSCRIBE_APIKEY_APPROVED_GENERAL - - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL - - 
SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL - - uma_authorization - - SUBSCRIBE_APIKEY_UPDATED_GENERAL - - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL - - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL - - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL - - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL - - name: mosip-idrepo-client - mappers: [] - saroles: - - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL - - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL - - ID_REPOSITORY - - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL - - offline_access - - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL - - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL - - uma_authorization - - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL - - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL - - name: mpartner-default-print - mappers: [] - saroles: - - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL - - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL - - CREATE_SHARE - - PRINT_PARTNER - - name: mosip-hotlist-client - saroles: - - HOTLIST_ADMIN - - uma_authorization - - offline_access - - PUBLISH_MOSIP_HOTLIST_GENERAL - # Used only for initial deployment purposes. Maybe deleted from installation later. - - name: mosip-deployment-client - saroles: - - ID_AUTHENTICATION - - GLOBAL_ADMIN # TODO: do we need this? - - PARTNER_ADMIN - - uma_authorization - - offline_access + - name: mosip-ida-client + mappers: [] + saroles: + - CREDENTIAL_REQUEST + - GLOBAL_ADMIN + - ID_AUTHENTICATION + - PARTNERMANAGER # Added only for cert upload using postman during install. Not required otherwise. 
+ - name: mosip-misp-client + mappers: [] + saroles: [] + - name: mosip-partner-client + mappers: + - mapper_name: phoneNumber + mapper_user_attribute: phoneNumber + token_claim_name: phoneNumber + - mapper_name: organizationName + mapper_user_attribute: organizationName + token_claim_name: organizationName + - mapper_name: partnerType + mapper_user_attribute: partnerType + token_claim_name: partnerType + - mapper_name: addressTest + mapper_user_attribute: address + token_claim_name: addressTest + saroles: + - REGISTRATION_PROCESSOR + - CREATE_SHARE + - PMS_USER + - PMS_ADMIN + - PARTNER_ADMIN + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_MISP_LICENSE_UPDATED_GENERAL + - PUBLISH_PARTNER_UPDATED_GENERAL + - PUBLISH_MISP_LICENSE_GENERATED_GENERAL + - PUBLISH_APIKEY_APPROVED_GENERAL + - PUBLISH_APIKEY_UPDATED_GENERAL + - PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_POLICY_UPDATED_GENERAL + - name: mosip-partnermanager-client + mappers: [] + saroles: + - PARTNERMANAGER + - KEY_MAKER + - name: mosip-pms-client + mappers: [] + saroles: + - PARTNER_ADMIN + - name: mosip-policymanager-client + mappers: [] + saroles: [] + - name: mosip-reg-client + mappers: [] + saroles: + - GLOBAL_ADMIN + - REGISTRATION_ADMIN + - REGISTRATION_OFFICER + - REGISTRATION_OPERATOR + - REGISTRATION_SUPERVISOR + - name: mosip-regproc-client + mappers: [] + saroles: + - REGISTRATION_PROCESSOR + - DATA_READ + - DOCUMENT_READ + - BIOMETRIC_READ + - METADATA_READ + - CREATE_SHARE + - CREDENTIAL_REQUEST + - name: mpartner-default-mobile + mappers: [] + saroles: + - CREDENTIAL_PARTNER + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - 
name: mosip-resident-client + mappers: [] + saroles: + - RESIDENT + - PARTNER_ADMIN + - CREDENTIAL_REQUEST + - offline_access + - uma_authorization + - name: mosip-prereg-client + mappers: [] + del_saroles: + - INDIVIDUAL + saroles: + - PREREG + - REGISTRATION_PROCESSOR + - PRE_REGISTRATION_ADMIN + - name: mosip-syncdata-client + mappers: [] + saroles: + - REGISTRATION_ADMIN + - GLOBAL_ADMIN + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - REGISTRATION_SUPERVISOR + - REGISTRATION_OFFICER + - name: mpartner-default-auth + mappers: + - mapper_name: langCode + mapper_user_attribute: langCode + token_claim_name: langCode + saroles: + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL + - SUBSCRIBE_POLICY_UPDATED_GENERAL + - SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL + - CREDENTIAL_REQUEST + - SUBSCRIBE_MOSIP_HOTLIST_GENERAL + - PUBLISH_ANONYMOUS_PROFILE_GENERAL + - SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_REMOVE_ID_INDIVIDUAL + - SUBSCRIBE_MASTERDATA_TITLES_GENERAL + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL + - ID_AUTHENTICATION + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_PARTNER_UPDATED_GENERAL + - offline_access + - SUBSCRIBE_APIKEY_APPROVED_GENERAL + - PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL + - SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL + - uma_authorization + - SUBSCRIBE_APIKEY_UPDATED_GENERAL + - SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL + - SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL + - name: mosip-idrepo-client + mappers: [] + saroles: + - PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL + - SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL + - ID_REPOSITORY + - PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL + - offline_access + - PUBLISH_REMOVE_ID_ALL_INDIVIDUAL + - PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL + - uma_authorization + - PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL + - 
PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL + - name: mpartner-default-print + mappers: [] + saroles: + - SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL + - PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL + - CREATE_SHARE + - PRINT_PARTNER + - name: mosip-hotlist-client + saroles: + - HOTLIST_ADMIN + - uma_authorization + - offline_access + - PUBLISH_MOSIP_HOTLIST_GENERAL + # Used only for initial deployment purposes. Maybe deleted from installation later. + - name: mosip-deployment-client + saroles: + - ID_AUTHENTICATION + - GLOBAL_ADMIN # TODO: do we need this? + - PARTNER_ADMIN + - uma_authorization + - offline_access - - name: mosip-testrig-client - saroles: - - ID_AUTHENTICATION - - GLOBAL_ADMIN # TODO: do we need this? - - PARTNER_ADMIN - - REGISTRATION_PROCESSOR - - CREATE_SHARE - - PMS_ADMIN - - PMS_USER - - uma_authorization - - offline_access - sa_client_roles: - - realm-management: ## realm-management client id - - view-users # realm-management client roles - - view-clients - - view-realms - - manage-users + - name: mosip-testrig-client + saroles: + - ID_AUTHENTICATION + - GLOBAL_ADMIN # TODO: do we need this? + - PARTNER_ADMIN + - REGISTRATION_PROCESSOR + - CREATE_SHARE + - PMS_ADMIN + - PMS_USER + - uma_authorization + - offline_access - users: [] + users: [] +## These will be passed as environments variables to keycloak-init docker. Note the expected naming convention is +## _. 
If empty secret is passed, it shall be randomly generated +## IMPORTANT: When running import or upgrade: +## - To preserve existing secrets: Update 'secret' field with the current secret value from your Keycloak +## - To generate new random secrets: Leave 'secret' field as empty string ("") +clientSecrets: + - name: mosip_abis_client_secret + secret: "" + - name: mosip_admin_client_secret + secret: "" + - name: mosip_admin_services_client_secret + secret: "" + - name: mosip_auth_client_secret + secret: "" + - name: mosip_crereq_client_secret + secret: "" + - name: mosip_creser_client_secret + secret: "" + - name: mosip_datsha_client_secret + secret: "" + - name: mosip_ida_client_secret + secret: "" + - name: mosip_misp_client_secret + secret: "" + - name: mosip_partner_client_secret + secret: "" + - name: mosip_partnermanager_client_secret + secret: "" + - name: mosip_pms_client_secret + secret: "" + - name: mosip_policymanager_client_secret + secret: "" + - name: mosip_reg_client_secret + secret: "" + - name: mosip_regproc_client_secret + secret: "" + - name: mosip_resident_client_secret + secret: "" + - name: mosip_prereg_client_secret + secret: "" + - name: mosip_creser_idpass_client_secret + secret: "" + - name: mosip_syncdata_client_secret + secret: "" + - name: mosip_deployment_client_secret + secret: "" + - name: mpartner_default_auth_secret + secret: "" + - name: mosip_idrepo_client_secret + secret: "" + - name: mpartner_default_print_secret + secret: "" + - name: mosip_hotlist_client_secret + secret: "" + - name: mpartner_default_mobile_secret + secret: "" + - name: mosip_digitalcard_client_secret + secret: "" + - name: mpartner_default_digitalcard_secret + secret: "" + - name: mosip_testrig_client_secret + secret: "" \ No newline at end of file diff --git a/deploy/upgrade-init.sh b/deploy/upgrade-init.sh index 8769ea1..3b1eacc 100755 --- a/deploy/upgrade-init.sh +++ b/deploy/upgrade-init.sh 
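Review bot: On the new side `mosip-testrig-client` loses its `sa_client_roles` entry (the `realm-management` grant of `view-users`/`view-clients`/`view-realm`/`manage-users`), while the reworked import-init-values.yaml in this same commit still carries it, so an upgraded installation and a fresh import no longer produce the same client; if the drop is deliberate it deserves a comment, otherwise the entry should be restored here as well. The `clientSecrets` header tells operators to paste the current Keycloak secret into this tracked values file to preserve it, which puts live credentials under version control; I would reword it to `## - To preserve existing secrets: supply them from an untracked override (-f <local-values-file>) or --set; do not commit them here`. The naming-convention sentence `## _. If empty secret is passed` has lost its placeholder; from the `secret_env_name` construction in keycloak_init.py it should read `## <client name with '-' replaced by '_'>_secret`.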
@@ -10,16 +10,35 @@ fi
function upgrade_init() {
NS=keycloak
CHART_VERSION=0.0.1-develop
+ KEYCLOAK_SERVICE_NAME=keycloak
helm repo add mosip https://mosip.github.io/mosip-helm
helm repo update
- IAM_HOST=$(kubectl get cm global -o jsonpath={.data.mosip-iam-external-host})
+ IAM_HOST=$(kubectl get cm global -o jsonpath='{.data.mosip-iam-external-host}')
- echo Initializing keycloak
- helm -n $NS install keycloak-init mosip/keycloak-init --set frontend=https://$IAM_HOST/auth -f upgrade-init-values.yaml --version $CHART_VERSION
- echo Initializing keycloak
- helm -n $NS install keycloak-init mosip/keycloak-init --set frontend=https://$IAM_HOST/auth -f import-init-values.yaml --version $CHART_VERSION
+ echo Initializing keycloak with upgrade values
+ helm -n $NS upgrade --install keycloak-init-upgrade mosip/keycloak-init \
+ --set keycloakExternalHost="$IAM_HOST" \
+ --set keycloakInternalHost="$KEYCLOAK_SERVICE_NAME.$NS" \
+ --set keycloak.realms.mosip.realm_config.attributes.frontendUrl="https://$IAM_HOST/auth" \
+ -f upgrade-init-values.yaml --version $CHART_VERSION --wait
+
+ echo Waiting for upgrade job to complete...
+ if ! kubectl wait --for=condition=complete --timeout=600s -n $NS job -l app.kubernetes.io/instance=keycloak-init-upgrade; then
+ echo "$(tput setaf 1)ERROR: Keycloak upgrade job failed to complete. Aborting import process.$(tput sgr0)"
+ exit 1
+ fi
+
+ echo Cleaning up upgrade release
+ helm -n $NS uninstall keycloak-init-upgrade
+
+ echo Initializing keycloak with import values
+ helm -n $NS upgrade --install keycloak-init-import mosip/keycloak-init \
+ --set keycloakExternalHost="$IAM_HOST" \
+ --set keycloakInternalHost="$KEYCLOAK_SERVICE_NAME.$NS" \
+ --set keycloak.realms.mosip.realm_config.attributes.frontendUrl="https://$IAM_HOST/auth" \
+ -f import-init-values.yaml --version $CHART_VERSION --wait
return 0
}
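Review bot: The second `helm upgrade --install keycloak-init-import ... --wait` returns before the import Job has finished, because Helm's `--wait` only tracks pods/deployments and needs `--wait-for-jobs` to block on Jobs; the upgrade release gets an explicit `kubectl wait`, the import release gets none, so the script can print success while the realm import is still running or has failed. Add `--wait-for-jobs` to both helm lines, or repeat `kubectl wait --for=condition=complete --timeout=600s -n $NS job -l app.kubernetes.io/instance=keycloak-init-import` with the same `exit 1` branch the upgrade step has. The `app.kubernetes.io/instance` selector presumes the keycloak-init chart stamps the release name onto its Job — worth confirming against the chart templates, since a non-matching selector would make the wait fail for the wrong reason. Stylistically, the three identical `--set` arguments could live in one array (`HELM_SET=(...)`, used as `"${HELM_SET[@]}"`) so the two invocations cannot drift.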
@@ -29,4 +48,4 @@ set -o errexit ## set -e : exit the script if any statement returns a non-true
set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
set -o errtrace # trace ERR through 'time command' and other functions
set -o pipefail # trace ERR through pipes
-import_init # calling function
+upgrade_init # calling function
diff --git a/keycloak-artemis/Dockerfile b/keycloak-artemis/Dockerfile
index d9511a1..e2fdf33 100644
--- a/keycloak-artemis/Dockerfile
+++ b/keycloak-artemis/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/bitnami/keycloak:16.1.1
+FROM docker.io/mosipid/keycloak:16.1.1
USER root
@@ -34,4 +34,4 @@ RUN . /usr/sbin/install_packages acl ca-certificates curl gzip libaio1 libc6 pro
USER 1001
ENTRYPOINT [ "/opt/bitnami/scripts/keycloak/entrypoint.sh" ]
-CMD [ "/opt/bitnami/scripts/keycloak/run.sh" ]
+CMD [ "/opt/bitnami/scripts/keycloak/run.sh" ]
\ No newline at end of file
diff --git a/keycloak-init/keycloak_init.py b/keycloak-init/keycloak_init.py
index 9303d4f..beeefda 100755
--- a/keycloak-init/keycloak_init.py
+++ b/keycloak-init/keycloak_init.py
@@ -725,7 +725,7 @@ def main():
secret_env_name = '%s_secret' % client['name']
secret_env_name = secret_env_name.replace('-', '_') # Compatible with environment variables
secret = os.environ.get(secret_env_name)
- if secret is None: # Env variable not found
+ if not secret or not secret.strip(): # Env variable not found or empty
print('\n\tSecret environment variable %s not found, generating' % secret_env_name)
secret = secrets.token_urlsafe(16)
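Review bot: The new base image `docker.io/mosipid/keycloak:16.1.1` is pinned by mutable tag only, and switching from the `bitnami` namespace to `mosipid` changes who can push that tag, so the build no longer has a verifiable link to the image it was tested against. Pin it by digest, `FROM docker.io/mosipid/keycloak:16.1.1@sha256:<digest-placeholder>`, and add a one-line comment above the FROM saying what the mosipid build changes relative to upstream bitnami, since nothing in this diff records that. The unchanged ENTRYPOINT and CMD still reference `/opt/bitnami/scripts/keycloak/...`, which presumes the mosipid image keeps bitnami's filesystem layout — worth confirming.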