diff --git a/charts/management-portal/Chart.yaml b/charts/management-portal/Chart.yaml index 18505687..12889b99 100644 --- a/charts/management-portal/Chart.yaml +++ b/charts/management-portal/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: "2.1.13" description: A Helm chart for RADAR-Base Management Portal to manage projects and participants throughout RADAR-base. name: management-portal -version: 1.6.3 +version: 1.7.0 icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png" sources: - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/management-portal diff --git a/charts/management-portal/README.md b/charts/management-portal/README.md index 597003e8..ecce7f92 100644 --- a/charts/management-portal/README.md +++ b/charts/management-portal/README.md @@ -3,7 +3,7 @@ # management-portal [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/management-portal)](https://artifacthub.io/packages/helm/radar-base/management-portal) -![Version: 1.6.3](https://img.shields.io/badge/Version-1.6.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.1.13](https://img.shields.io/badge/AppVersion-2.1.13-informational?style=flat-square) +![Version: 1.7.0](https://img.shields.io/badge/Version-1.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.1.13](https://img.shields.io/badge/AppVersion-2.1.13-informational?style=flat-square) A Helm chart for RADAR-Base Management Portal to manage projects and participants throughout RADAR-base. 
@@ -91,23 +91,27 @@ A Helm chart for RADAR-Base Management Portal to manage projects and participant | postgres.host | string | `nil` | host name of the postgres db | | postgres.port | string | `nil` | post of the postgres db | | postgres.database | string | `nil` | database name | -| postgres.urlSecret | object | `{"key":"jdbc-uri","name":"radar-cloudnative-postgresql-managementportal"}` | Kubernetes secret containing the database JDBC Connection url (disables use of 'host', 'port' and 'database' values). | +| postgres.urlSecret | object | `{"key":"jdbc-uri","name":null}` | Kubernetes secret containing the database JDBC Connection url (disables use of 'host', 'port' and 'database' values). Set to empty/null to use chart's own secret created from postgres.url value Otherwise e.g. name: radar-cloudnative-postgresql-managementportal | | postgres.user | string | `nil` | database user | -| postgres.userSecret | object | `{"key":"username","name":"radar-cloudnative-postgresql-managementportal"}` | Kubernetes secret containing the database username (disables use of 'user' value). | +| postgres.userSecret | object | `{"key":"username","name":null}` | Kubernetes secret containing the database username (disables use of 'user' value). Set to empty/null to use chart's own secret created from postgres.user value Otherwise e.g. name: radar-cloudnative-postgresql-managementportal | | postgres.password | string | `nil` | password of the database user | -| postgres.passwordSecret | object | `{"key":"password","name":"radar-cloudnative-postgresql-managementportal"}` | Kubernetes secret containing the database password (disables use of 'password' value). | +| postgres.passwordSecret | object | `{"key":"password","name":null}` | Kubernetes secret containing the database password (disables use of 'password' value). Set to empty/null to use chart's own secret created from postgres.password value Otherwise e.g. 
name: radar-cloudnative-postgresql-managementportal | | postgres.connection_parameters | string | `""` | Additional JDBC connection parameters e.g. sslmode=verify-full. Ignored when using 'urlSecret'. | | postgres.ssl.enabled | bool | `false` | set to true if the connecting to postgres using SSL | | postgres.ssl.keystore | string | `""` | base64 encoded certificate needed to connect to the PostgreSQL With helmfile, this can be set in a production.yaml.gotmpl file by setting keystore: {{ readFile "certificate.pem" | b64enc | quote }} or with SOPS keystore: {{ exec "sops" (list "-d" "certificate.pem") | b64enc | quote }} | | server_name | string | `"localhost"` | domain name of the server | | catalogue_server | string | `"catalog-server"` | Hostname of the catalogue-server | +| identity_server.internal | bool | `true` | Whether the IDP is the MP's internal IDP | +| identity_server.public_url | string | `"http://radar-kratos-public"` | The publicly accessible server URL for the IDP; needed when deviating from http(s)://server_name/kratos | +| identity_server.admin_url | string | `"http://radar-kratos-admin"` | The admin server URL for the IDP used for service-to-service requests. Only needs to be accessible from inside the cluster where the managementportal resides | +| identity_server.user_activation_flow_type | string | `"verification"` | The user activation flow type to use for Management Portal (e.g., recovery, verification) | +| identity_server.user_activation_method | string | `"link"` | The user activation method to use for Management Portal (e.g., link, code) | | identity_server.admin_email | string | `"admin@example.com"` | The admin email to link to the admin service account. 
This account should only be used to set up admin-users | -| identity_server.server_url | string | `nil` | The publicly accessible server URL for the IDP; needed when deviating from http(s)://server_name/kratos | -| identity_server.server_admin_url | string | `"http://radar-kratos-admin"` | The admin server URL for the IDP used for service-to-service requests. Only needs to be accessible from inside the cluster where the managementportal resides | -| identity_server.login_url | string | `nil` | The publicly accessible login URL for the IDP; needed when deviating from http(s)://server_name/kratos-ui | -| authserver.server_url | string | `"http://radar-hydra:4444"` | The publicly accessible server URL for the authserver; needed when deviating from http(s)://server_name/auth | -| authserver.server_admin_url | string | `"http://radar-hydra:4445"` | The admin server URL for the authserver used for service-to-service requests. Only needs to be accessible from inside the cluster where the managementportal resides | -| authserver.login_url | string | `"http://localhost:4444"` | The publicly accessible login URL for the authserver; needed when deviating from http(s)://server_name/auth/login | +| authserver.internal | bool | `true` | Whether the authserver is the MP's internal authserver | +| authserver.token_url | string | `"http://radar-hydra-public:4444/oauth2/token"` | The publicly accessible server URL for the authserver; needed when deviating from http(s)://server_name/auth | +| authserver.admin_url | string | `"http://radar-hydra-admin:4445"` | The admin server URL for the authserver used for service-to-service requests. 
Only needs to be accessible from inside the cluster where the managementportal resides | +| authserver.auth_url | string | `"{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/hydra/oauth2/auth"` | The publicly accessible login URL for the authserver; needed when deviating from http(s)://server_name/auth/login | +| authserver.jwks_url | string | `"http://radar-hydra-admin:4445/admin/keys/hydra.jwt.access-token"` | The JWKS URL for the authserver; needed when deviating from http(s)://server_name/auth/jwks | | managementportal.catalogue_server_enable_auto_import | bool | `false` | set to true, if automatic source-type import from catalogue server should be enabled | | managementportal.common_privacy_policy_url | string | `"http://info.thehyve.nl/radar-cns-privacy-policy"` | Override with a publicly resolvable url of the privacy-policy url for your set-up. This can be overridden on a project basis as well. | | managementportal.oauth_checking_key_aliases_0 | string | `"radarbase-managementportal-ec"` | Keystore alias to sign JWT tokens from Management Portal | 
@@ -115,6 +119,8 @@ A Helm chart for RADAR-Base Management Portal to manage projects and participant | managementportal.oauth_require_aal2 | bool | `true` | Whether or not to require AAL2 level authentication (i.e. MFA) | | managementportal.frontend_client_secret | string | `"xxx"` | OAuth2 Client secret of the Management Portal frontend application | | managementportal.common_admin_password | string | `"xxx"` | Admin password of the default admin user created by the system | +| managementportal.oauth_clients_file | string | `"/secrets/oauth_client_details.csv"` | The file where the OAuth2 client details are stored | +| managementportal.base_url | string | `""` | Base URL managementportal calls from inside the application container | | smtp.enabled | bool | `false` | set to true, if SMTP server should be enabled. Required to be true for production setup | | smtp.host | string | `"smtp"` | Hostname of the SMTP server | | smtp.port | int | `25` | Port of the SMTP server | diff --git a/charts/management-portal/templates/deployment.yaml b/charts/management-portal/templates/deployment.yaml index 8a7da231..7293ff1f 100644 --- a/charts/management-portal/templates/deployment.yaml +++ b/charts/management-portal/templates/deployment.yaml 
@@ -58,18 +58,33 @@ spec: - name: SPRING_DATASOURCE_URL valueFrom: secretKeyRef: - name: {{ .Values.postgres.urlSecret.name | default $secretName }} - key: {{ .Values.postgres.urlSecret.key | default "databaseUrl" }} +{{- if .Values.postgres.urlSecret.name }} + name: {{ .Values.postgres.urlSecret.name }} + key: {{ .Values.postgres.urlSecret.key | default "jdbc-uri" }} +{{- else }} + name: {{ $secretName }} + key: postgres_url +{{- end }} - name: SPRING_DATASOURCE_USERNAME valueFrom: secretKeyRef: - name: {{ .Values.postgres.userSecret.name | default $secretName }} - key: {{ .Values.postgres.userSecret.key | default "databaseUser" }} +{{- if .Values.postgres.userSecret.name }} + name: {{ .Values.postgres.userSecret.name }} + key: {{ .Values.postgres.userSecret.key | default "username" }} +{{- else }} + name: {{ $secretName }} + key: postgresql_user +{{- end }} - name: SPRING_DATASOURCE_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.postgres.passwordSecret.name | default $secretName }} - key: {{ .Values.postgres.passwordSecret.key | default "databasePassword" }} +{{- if .Values.postgres.passwordSecret.name }} + name: {{ .Values.postgres.passwordSecret.name }} + key: {{ .Values.postgres.passwordSecret.key | default "password" }} +{{- else }} + name: {{ $secretName }} + key: postgresql_password +{{- end }} - name: SPRING_DATASOURCE_HIKARI_CONNECTION_TIMEOUT value: "15000" - name: SPRING_DATASOURCE_HIKARI_VALIDATION_TIMEOUT 
@@ -81,34 +96,48 @@ spec: - name: MANAGEMENTPORTAL_COMMON_BASEURL value: {{ printf "%s://%s" .Values.advertised_protocol .Values.server_name }} - name: MANAGEMENTPORTAL_COMMON_MANAGEMENT_PORTAL_BASE_URL + {{- if .Values.managementportal.base_url }} + value: {{ .Values.managementportal.base_url }} + {{- else }} value: {{ printf "%s://%s/managementportal" .Values.advertised_protocol .Values.server_name }} + {{- end }} + - name: MANAGEMENTPORTAL_FRONTEND_CLIENTID + value: "ManagementPortalapp" - name: MANAGEMENTPORTAL_FRONTEND_CLIENT_SECRET valueFrom: secretKeyRef: name: {{ $secretName }} key: managementportal_frontend_client_secret - - name: MANAGEMENTPORTAL_OAUTH_CLIENTS_FILE - value: /secrets/oauth_client_details.csv - name: MANAGEMENTPORTAL_CATALOGUE_SERVER_ENABLE_AUTO_IMPORT value: "{{ .Values.managementportal.catalogue_server_enable_auto_import }}" + - name: MANAGEMENTPORTAL_OAUTH_CLIENTS_FILE + value: "{{ .Values.managementportal.oauth_clients_file }}" - name: MANAGEMENTPORTAL_OAUTH_REQUIRE_AAL2 value: "{{ .Values.managementportal.oauth_require_aal2 }}" - name: MANAGEMENTPORTAL_CATALOGUE_SERVER_SERVER_URL value: http://{{ .Values.catalogue_server }}:9010/source-types - - name: MANAGEMENTPORTAL_IDENTITY_SERVER_ADMIN_EMAIL + - name: MANAGEMENTPORTAL_IDENTITYSERVER_ADMINEMAIL value: {{ .Values.identity_server.admin_email }} - - name: MANAGEMENTPORTAL_IDENTITY_SERVER_SERVER_URL - value: {{ $idpServerUrl }} - - name: MANAGEMENTPORTAL_IDENTITY_SERVER_LOGIN_URL - value: {{ $idpLoginUrl }} - - name: MANAGEMENTPORTAL_IDENTITY_SERVER_SERVER_ADMIN_URL - value: {{ .Values.identity_server.server_admin_url }} - - name: MANAGEMENTPORTAL_AUTHSERVER_SERVERURL - value: {{ $idpServerUrl }} - - name: MANAGEMENTPORTAL_AUTHSERVER_LOGINURL - value: {{ $idpLoginUrl }} - - name: MANAGEMENTPORTAL_AUTHSERVER_SERVERADMINURL - value: {{ .Values.authserver.server_admin_url | quote }} + - name: MANAGEMENTPORTAL_IDENTITYSERVER_PUBLICURL + value: {{ tpl .Values.identity_server.public_url . 
}} + - name: MANAGEMENTPORTAL_IDENTITYSERVER_ADMINURL + value: {{ tpl .Values.identity_server.admin_url . }} + - name: MANAGEMENTPORTAL_IDENTITYSERVER_INTERNAL + value: {{ .Values.identity_server.internal | quote }} + - name: MANAGEMENTPORTAL_IDENTITYSERVER_USER_ACTIVATION_FLOW_TYPE + value: {{ .Values.identity_server.user_activation_flow_type | quote }} + - name: MANAGEMENTPORTAL_IDENTITYSERVER_USER_ACTIVATION_METHOD + value: {{ .Values.identity_server.user_activation_method | quote }} + - name: MANAGEMENTPORTAL_AUTHSERVER_TOKENURL + value: {{ tpl .Values.authserver.token_url . }} + - name: MANAGEMENTPORTAL_AUTHSERVER_AUTHURL + value: {{ tpl .Values.authserver.auth_url . }} + - name: MANAGEMENTPORTAL_AUTHSERVER_INTERNAL + value: {{ .Values.authserver.internal | quote }} + - name: MANAGEMENTPORTAL_AUTHSERVER_ADMINURL + value: {{ tpl .Values.authserver.admin_url . }} + - name: MANAGEMENTPORTAL_AUTHSERVER_JWKSURL + value: {{ tpl .Values.authserver.jwks_url . }} - name: MANAGEMENTPORTAL_COMMON_ADMIN_PASSWORD valueFrom: secretKeyRef: @@ -138,14 +167,12 @@ spec: secretKeyRef: name: {{ $secretName }} key: smtpPassword - {{ end }} - - name: SPRING_MAIL_FROM - value: {{ .Values.smtp.from | quote }} + {{- end }} - name: SPRING_MAIL_PROPERTIES_MAIL_SMTP_AUTH value: "{{ .Values.smtp.auth }}" - name: SPRING_MAIL_PROPERTIES_MAIL_SMTP_STARTTLS_ENABLE value: {{ .Values.smtp.starttls | quote }} - {{ end }} + {{- end }} {{- with .Values.extraEnvVars }} {{- toYaml . | nindent 10 }} {{- end }} 
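Review bot: `MANAGEMENTPORTAL_AUTHSERVER_JWKSURL` defaults, via `authserver.jwks_url`, to the Hydra admin key-set route `http://radar-hydra-admin:4445/admin/keys/hydra.jwt.access-token`, whereas radar-gateway in this same commit verifies tokens against the public `http://radar-hydra-public:4444/.well-known/jwks.json`. As I read the Hydra admin API, `/admin/keys/{set}` returns the stored set including the private key, so the portal would be pulling signing material when it only needs the public half; defaulting to the public JWKS endpoint keeps verification read-only and removes one consumer of the admin API. Separately, the new `tpl` values in this hunk are emitted unquoted, so an empty override renders `value:` as null and the Deployment is rejected — `value: {{ tpl .Values.authserver.jwks_url . | quote }}` (and the same for the other URL vars) avoids that. The container spec these env entries belong to starts and ends outside the hunk.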
@@ -200,21 +227,26 @@ spec: volumeMounts: - name: config mountPath: /config/ + {{- if .Values.authserver.internal }} - name: secrets-config mountPath: /secrets/ + # Otherwise: Unable to read header from OAuth clients file: java.nio.file.NoSuchFileException: /mp-includes/config/oauth_client_details.csv + {{- end }} - name: keystore mountPath: /mp-includes/config/ {{- if .Values.postgres.ssl.enabled }} - name: postgres-root-cert mountPath: /root/.postgresql/ - {{ end }} + {{- end }} volumes: - name: config configMap: name: {{ include "management-portal.fullname" . }} + {{- if .Values.authserver.internal }} - name: secrets-config secret: secretName: {{ include "management-portal.fullname" . }}-config + {{- end }} - name: keystore secret: secretName: {{ include "management-portal.fullname" . }}-keystore @@ -222,7 +254,7 @@ spec: - name: postgres-root-cert secret: secretName: {{ include "management-portal.fullname" . }}-root-cert - {{ end }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/management-portal/templates/ingress.yaml b/charts/management-portal/templates/ingress.yaml index e470f935..1a8a3239 100644 --- a/charts/management-portal/templates/ingress.yaml +++ b/charts/management-portal/templates/ingress.yaml @@ -24,13 +24,13 @@ spec: tls: - hosts: {{- range $hosts }} - - {{ . | quote }} + - {{ ( tpl . $ ) | quote }} {{- end }} secretName: {{ .Values.ingress.tls.secretName }} {{- end }} rules: {{- range .Values.ingress.hosts }} - - host: {{ . | quote }} + - host: {{ ( tpl . $ ) | quote }} http: paths: - path: {{ $path | quote }} diff --git a/charts/management-portal/templates/secrets-config.yaml b/charts/management-portal/templates/secrets-config.yaml index 57e13947..6fe0e379 100644 --- a/charts/management-portal/templates/secrets-config.yaml +++ b/charts/management-portal/templates/secrets-config.yaml 
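Review bot: The `secrets-config` volume and mount are now only rendered when `authserver.internal` is true, but the env hunk earlier in this file still sets `MANAGEMENTPORTAL_OAUTH_CLIENTS_FILE` to `/secrets/oauth_client_details.csv` unconditionally, so with an external authserver the application is pointed at a path that no longer exists in the container. Either wrap that env entry in the same `{{- if .Values.authserver.internal }}` guard or state in values.yaml that `managementportal.oauth_clients_file` must be overridden when `internal: false`. The inline `# Otherwise: Unable to read header ...` comment records an error message rather than the intent; `# The OAuth client CSV secret is only rendered for the built-in authserver (see secrets-config.yaml)` tells the next reader why the guard exists. The volumeMounts and volumes lists continue outside the hunk.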
@@ -13,9 +13,9 @@ client_id;resource_ids;client_secret;scope;authorized_grant_types;redirect_uri;a {{- range $index, $redirect_uri := $client.redirect_uri -}} {{- if gt $index 0 -}},{{- end -}} {{- if regexMatch "^/" $redirect_uri -}} - https://{{ $.Values.server_name }}{{ $redirect_uri }} + {{ $.Values.advertised_protocol }}://{{ $.Values.server_name }}{{ $redirect_uri }} {{- else -}} - {{ $redirect_uri }} + {{ tpl $redirect_uri $ }} {{- end -}} {{- end -}}; {{- $client.authorities | default "" }}; @@ -26,7 +26,8 @@ client_id;resource_ids;client_secret;scope;authorized_grant_types;redirect_uri;a {{- end -}} {{- end -}} {{- end -}} -{{- end}} +{{- end }} +{{- if .Values.authserver.internal }} apiVersion: v1 kind: Secret metadata: @@ -38,3 +39,4 @@ metadata: {{- end }} data: oauth_client_details.csv: {{ include "oauth-clients-details.csv" . | b64enc | quote }} +{{- end }} diff --git a/charts/management-portal/templates/secrets.yaml b/charts/management-portal/templates/secrets.yaml index 766c19a9..878528ad 100644 --- a/charts/management-portal/templates/secrets.yaml +++ b/charts/management-portal/templates/secrets.yaml 
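Review bot: Redirect URIs are now passed through `tpl` and joined into a `;`-delimited CSV row (the header is visible at the hunk start), but nothing rejects a value containing `;` or `,`, so a templated or mistyped URI would shift the remaining columns of that client's row (`authorities` and the fields after it). A guard inside the range, `{{- if or (contains ";" $redirect_uri) (contains "," $redirect_uri) }}{{ fail (printf "redirect_uri %q contains a CSV delimiter" $redirect_uri) }}{{- end }}`, turns that into a render-time error instead of a mis-registered client. Switching the relative-URI prefix from a fixed `https://` to `advertised_protocol` also means a deployment with `advertised_protocol: http` now registers plain-HTTP redirect URIs, which deserves a one-line caveat next to `advertised_protocol` in values.yaml. The `oauth-clients-details.csv` define begins before this hunk.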
@@ -9,17 +9,24 @@ metadata: {{- end }} type: Opaque data: - {{- if and .Values.postgres.url (not .Values.postgres.urlSecret) }} + {{- if and .Values.postgres.url (not .Values.postgres.urlSecret.name) }} {{- if .Values.postgres.connection_parameters }} postgres_url: {{ printf "%s?%s" .Values.postgres.url .Values.postgres.connection_parameters | b64enc | quote }} - {{- else -}} + {{- else }} postgres_url: {{ .Values.postgres.url | b64enc | quote }} {{- end }} + {{- else if and .Values.postgres.host .Values.postgres.port .Values.postgres.database (not .Values.postgres.urlSecret.name) }} + {{- $baseUrl := printf "jdbc:postgresql://%s:%v/%s" .Values.postgres.host .Values.postgres.port .Values.postgres.database }} + {{- if .Values.postgres.connection_parameters }} + postgres_url: {{ printf "%s?%s" $baseUrl .Values.postgres.connection_parameters | b64enc | quote }} + {{- else }} + postgres_url: {{ $baseUrl | b64enc | quote }} + {{- end }} {{- end }} - {{- if and .Values.postgres.user (not .Values.postgres.userSecret) }} + {{- if and .Values.postgres.user (not .Values.postgres.userSecret.name) }} postgresql_user: {{ .Values.postgres.user | b64enc | quote }} {{- end }} - {{- if and .Values.postgres.password (not .Values.postgres.passwordSecret) }} + {{- if and .Values.postgres.password (not .Values.postgres.passwordSecret.name) }} postgresql_password: {{ .Values.postgres.password | b64enc | quote }} {{- end }} managementportal_frontend_client_secret: {{ .Values.managementportal.frontend_client_secret | b64enc | quote }} diff --git a/charts/management-portal/values.yaml b/charts/management-portal/values.yaml index 1b662e6e..c8812b32 100644 --- a/charts/management-portal/values.yaml +++ b/charts/management-portal/values.yaml 
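Review bot: When none of `postgres.url`, `postgres.host`/`port`/`database`, or `postgres.urlSecret.name` is set, this template renders no `postgres_url` key while deployment.yaml still references `$secretName`/`postgres_url`, so the misconfiguration only surfaces as a CreateContainerConfigError at pod start rather than at `helm install`. Adding a terminal branch before the closing `{{- end }}`, `{{- else if not .Values.postgres.urlSecret.name }}{{ fail "postgres: set url, host/port/database, or urlSecret.name" }}`, makes it a clear render-time error; the same pattern applies to `postgresql_user` and `postgresql_password`. Note the new host/port/database path still takes the password from plain values (commonly a committed values file), so the comment above these keys should steer production setups to `passwordSecret.name`. The Secret's `data:` map starts in this hunk and continues past it.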
@@ -244,6 +244,18 @@ networkpolicy: podSelector: matchLabels: app.kubernetes.io/name: '{{ .Values.postgres.host | default "radar-cloudnative-postgresql-cluster" | trunc 63 | trimSuffix "-" }}' + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: hydra + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: kratos - to: - namespaceSelector: matchLabels: @@ -275,22 +287,28 @@ postgres: database: # -- Kubernetes secret containing the database JDBC Connection url # (disables use of 'host', 'port' and 'database' values). + # Set to empty/null to use chart's own secret created from postgres.url value + # Otherwise e.g. name: radar-cloudnative-postgresql-managementportal urlSecret: - name: radar-cloudnative-postgresql-managementportal + name: key: jdbc-uri # -- database user user: # -- Kubernetes secret containing the database username # (disables use of 'user' value). + # Set to empty/null to use chart's own secret created from postgres.user value + # Otherwise e.g. name: radar-cloudnative-postgresql-managementportal userSecret: - name: radar-cloudnative-postgresql-managementportal + name: key: username # -- password of the database user password: # -- Kubernetes secret containing the database password # (disables use of 'password' value). + # Set to empty/null to use chart's own secret created from postgres.password value + # Otherwise e.g. name: radar-cloudnative-postgresql-managementportal passwordSecret: - name: radar-cloudnative-postgresql-managementportal + name: key: password # -- Additional JDBC connection parameters e.g. sslmode=verify-full. 
@@ -314,22 +332,36 @@ catalogue_server: catalog-server # Settings pertaining to the identity provider (IDP) identity_server: - # -- The admin email to link to the admin service account. This account should only be used to set up admin-users - admin_email: admin@example.com + # -- Whether the IDP is the MP's internal IDP + internal: true + + # Set the following values if the IDP is external to the cluster (i.e. Ory Kratos) + # -- The publicly accessible server URL for the IDP; needed when deviating from http(s)://server_name/kratos - server_url: + public_url: http://radar-kratos-public # -- The admin server URL for the IDP used for service-to-service requests. Only needs to be accessible from inside the cluster where the managementportal resides - server_admin_url: http://radar-kratos-admin - # -- The publicly accessible login URL for the IDP; needed when deviating from http(s)://server_name/kratos-ui - login_url: + admin_url: http://radar-kratos-admin + # -- The user activation flow type to use for Management Portal (e.g., recovery, verification) + user_activation_flow_type: "verification" + # -- The user activation method to use for Management Portal (e.g., link, code) + user_activation_method: "link" + # -- The admin email to link to the admin service account. This account should only be used to set up admin-users + admin_email: admin@example.com authserver: + # -- Whether the authserver is the MP's internal authserver + internal: true + + # Set the following values if the authserver is external to the cluster (i.e. Ory Hydra) + # -- The publicly accessible server URL for the authserver; needed when deviating from http(s)://server_name/auth - server_url: http://radar-hydra:4444 + token_url: http://radar-hydra-public:4444/oauth2/token # -- The admin server URL for the authserver used for service-to-service requests. 
Only needs to be accessible from inside the cluster where the managementportal resides - server_admin_url: http://radar-hydra:4445 + admin_url: http://radar-hydra-admin:4445 # -- The publicly accessible login URL for the authserver; needed when deviating from http(s)://server_name/auth/login - login_url: http://localhost:4444 + auth_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/hydra/oauth2/auth' + # -- The JWKS URL for the authserver; needed when deviating from http(s)://server_name/auth/jwks + jwks_url: http://radar-hydra-admin:4445/admin/keys/hydra.jwt.access-token managementportal: # -- set to true, if automatic source-type import from catalogue server should be enabled @@ -346,6 +378,10 @@ managementportal: frontend_client_secret: xxx # -- Admin password of the default admin user created by the system common_admin_password: xxx + # -- The file where the OAuth2 client details are stored + oauth_clients_file: /secrets/oauth_client_details.csv + # -- Base URL managementportal calls from inside the application container + base_url: '' # Configurations of the SMTP server to send activation emails from Management Portal smtp: @@ -608,7 +644,7 @@ oauth_clients: access_token_validity: 900 refresh_token_validity: 78000 redirect_uri: - - http://dashboard.localhost/login/generic_oauth + - '{{ .Values.advertised_protocol }}://dashboard.{{ .Values.server_name }}/login/generic_oauth' autoapprove: - USER.READ diff --git a/charts/radar-fitbit-connector/README.md b/charts/radar-fitbit-connector/README.md index 940a8a34..f4a0e520 100644 --- a/charts/radar-fitbit-connector/README.md +++ b/charts/radar-fitbit-connector/README.md 
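Review bot: The comments on `identity_server.public_url` and `authserver.token_url` still say "publicly accessible", but the new defaults (`http://radar-kratos-public`, `http://radar-hydra-public:4444/oauth2/token`) are cluster-internal Service names over plain HTTP, and "Set the following values if the IDP is external to the cluster (i.e. Ory Kratos)" reads as the opposite of `internal: true` meaning the portal's built-in IDP. Suggested wording: `# -- URL the portal uses to reach the IDP public API; defaults to the in-cluster service, override with the external URL when the IDP is not deployed alongside it` and `# Set the following values when using an external IDP such as Ory Kratos instead of the built-in one`. The `jwks_url` comment "needed when deviating from http(s)://server_name/auth/jwks" likewise no longer describes the admin-API default it sits on. The `identity_server` and `authserver` mappings are complete within the hunk; the surrounding values.yaml is not.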
@@ -96,9 +96,9 @@ A Helm chart for RADAR-base fitbit connector. This application collects data fro | fitbit_api_url | string | `"https://api.fitbit.com"` | Fitbit API URL. | | fitbit_api_client | string | `""` | Fitbit API client id. | | fitbit_api_secret | string | `""` | Fitbit API client secret. | -| oauthClientId | string | `"radar_fitbit_connector"` | OAuth2 client id from Management Portal | -| oauthClientSecret | string | `"secret"` | OAuth2 client secret from Management Portal | -| auth_url | string | `"http://management-portal:8080/managementportal/oauth/token"` | OAuth2 Auth URL for connector client to get access tokens | +| oauthClientId | string | `"radar_fitbit_connector"` | OAuth2 client id from Hydra | +| oauthClientSecret | string | `"secret"` | OAuth2 client secret from Hydra | +| auth_url | string | `"http://radar-hydra-public:4444/oauth2/token"` | OAuth2 Auth URL for connector client to get access tokens | | managementportal_url | string | `"http://management-portal:8080/managementportal"` | URL of Management Portal. This will be used to create URLs to access Management Portal | | includeIntradayData | bool | `true` | Set to true, if intraday access data should be collected by the connector. This will be set in connector.properties. | | user_repository_class | string | `"ServiceUserRepository"` | Class of the user repository to use. This should be a class that implements the UserRepository interface. | diff --git a/charts/radar-fitbit-connector/values.yaml b/charts/radar-fitbit-connector/values.yaml index f541c9d0..a1fe135e 100644 --- a/charts/radar-fitbit-connector/values.yaml +++ b/charts/radar-fitbit-connector/values.yaml @@ -204,6 +204,12 @@ networkpolicy: podSelector: matchLabels: app.kubernetes.io/name: 'management-portal' + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: 'radar-hydra' - to: - namespaceSelector: matchLabels: 
@@ -247,12 +253,12 @@ fitbit_api_client: "" # -- Fitbit API client secret. fitbit_api_secret: "" -# -- OAuth2 client id from Management Portal +# -- OAuth2 client id from Hydra oauthClientId: radar_fitbit_connector -# -- OAuth2 client secret from Management Portal +# -- OAuth2 client secret from Hydra oauthClientSecret: secret # -- OAuth2 Auth URL for connector client to get access tokens -auth_url: http://management-portal:8080/managementportal/oauth/token +auth_url: http://radar-hydra-public:4444/oauth2/token # -- URL of Management Portal. This will be used to create URLs to access Management Portal managementportal_url: http://management-portal:8080/managementportal # -- Set to true, if intraday access data should be collected by the connector. This will be set in connector.properties. diff --git a/charts/radar-gateway/README.md b/charts/radar-gateway/README.md index f56b1276..d92d587c 100644 --- a/charts/radar-gateway/README.md +++ b/charts/radar-gateway/README.md 
@@ -118,8 +118,7 @@ A Helm chart for RADAR-base gateway. REST Gateway to Kafka, for incoming partici | cc.apiSecret | string | `"ccApiSecret"` | Confluent Cloud cluster API secret | | cc.schemaRegistryApiKey | string | `"srApiKey"` | Confluent Cloud schema registry API key | | cc.schemaRegistryApiSecret | string | `"srApiSecret"` | Confluent Cloud schema registry API secret | -| public_key_endpoints_enabled | bool | `false` | Enables config of public key endpoints for token verification This config option is implemented to fix a compatibility issue with radar-gateway. It can be removed when the publicKeyUrls config option is merged to master. | -| public_key_endpoints | list | `[]` | List of public key endpoints for token verification | +| public_key_endpoints | list | `["http://radar-hydra-public:4444/.well-known/jwks.json"]` | List of public key endpoints for token verification | | serverName | string | `"localhost"` | Resolvable server name, needed to find the advertised URL and callback URL | | sentry.dsn | string | `nil` | DSN (Data Source Name) of the sentry server | | sentry.level | string | `"ERROR"` | Log level for sentry (TRACE, DEBUG, INFO, WARN, or ERROR) | diff --git a/charts/radar-gateway/templates/configmap.yaml b/charts/radar-gateway/templates/configmap.yaml index 43dc0008..18df9fe7 100644 --- a/charts/radar-gateway/templates/configmap.yaml +++ b/charts/radar-gateway/templates/configmap.yaml @@ -61,7 +61,6 @@ data: checkSourceId: {{ .Values.checkSourceId }} {{- if or .Values.public_key_endpoints_enabled .Values.public_key_endpoints }} publicKeyUrls: - - {{ printf "%s://%s/managementportal/oauth/token_key" .Values.advertised_protocol .Values.serverName | quote }} {{- range .Values.public_key_endpoints }} - {{ . | quote }} {{ end -}} diff --git a/charts/radar-gateway/values.yaml b/charts/radar-gateway/values.yaml index bb5bfe95..96aaae24 100644 --- a/charts/radar-gateway/values.yaml +++ b/charts/radar-gateway/values.yaml 
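Review bot: The guard `{{- if or .Values.public_key_endpoints_enabled .Values.public_key_endpoints }}` still references `public_key_endpoints_enabled`, which the values.yaml hunk in this commit removes, so the condition now works only because the missing key evaluates as nil, and a user carrying the old flag with an empty list gets a bare `publicKeyUrls:` (null). Simplify to `{{- if .Values.public_key_endpoints }}`. With the management-portal `token_key` entry gone, every token the gateway accepts is verified solely against the listed endpoints, and an override of `public_key_endpoints: []` drops the `publicKeyUrls` block entirely; what the gateway does without it is not visible here, so confirm it refuses tokens rather than skipping verification, or `fail` at render time when the list is empty. The configmap `data:` block continues outside the hunk.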
@@ -311,11 +311,8 @@ cc: schemaRegistryApiSecret: srApiSecret # -- Enables config of public key endpoints for token verification -# This config option is implemented to fix a compatibility issue with radar-gateway. -# It can be removed when the publicKeyUrls config option is merged to master. -public_key_endpoints_enabled: false # -- List of public key endpoints for token verification -public_key_endpoints: [] +public_key_endpoints: ["http://radar-hydra-public:4444/.well-known/jwks.json"] # -- Resolvable server name, needed to find the advertised URL and callback URL serverName: localhost diff --git a/charts/radar-home/Chart.yaml b/charts/radar-home/Chart.yaml index 9f10c03d..b5b0000d 100644 --- a/charts/radar-home/Chart.yaml +++ b/charts/radar-home/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: "0.1.7" description: RADAR-base home page. name: radar-home -version: 0.5.4 +version: 0.6.0 icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png" sources: - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/radar-home diff --git a/charts/radar-home/README.md b/charts/radar-home/README.md index 0b05f110..f0f17ad6 100644 --- a/charts/radar-home/README.md +++ b/charts/radar-home/README.md 
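Review bot: The helm-docs marker `# -- Enables config of public key endpoints for token verification` is now an orphan left from the removed `public_key_endpoints_enabled`, sitting directly above a second `# --` comment with no key of its own; delete it so the generated README describes `public_key_endpoints` once. The new default JWKS URL is a plain-HTTP in-cluster address, which is reasonable for the co-deployed service but easy to copy for an external issuer; a comment `# Plain HTTP is acceptable only for the in-cluster Hydra service; use https for any external issuer` on the line above would make that boundary explicit.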
@@ -3,7 +3,7 @@ # radar-home [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/radar-home)](https://artifacthub.io/packages/helm/radar-base/radar-home) -![Version: 0.5.4](https://img.shields.io/badge/Version-0.5.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.7](https://img.shields.io/badge/AppVersion-0.1.7-informational?style=flat-square) +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.7](https://img.shields.io/badge/AppVersion-0.1.7-informational?style=flat-square) RADAR-base home page. 
@@ -48,12 +48,14 @@ RADAR-base home page. | service.type | string | `"ClusterIP"` | Kubernetes Service type | | service.port | int | `8080` | Port | | disable_tls | bool | `false` | Reconfigure Ingress to not force TLS | +| server_name | string | `"localhost"` | Hostname for the home service | +| advertised_protocol | string | `"https"` | The protocol in advertised URIs (https, http) | | ingress.enabled | bool | `true` | Enable ingress controller resource | | ingress.annotations | object | check values.yaml | Annotations that define default ingress class, certificate issuer | | ingress.path | string | `"/"` | Path within the url structure | | ingress.pathType | string | `"ImplementationSpecific"` | Ingress Path type | | ingress.ingressClassName | string | `"nginx"` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | -| ingress.hosts | list | `["localhost"]` | Hosts to accept requests from | +| ingress.hosts | list | `["{{ .Values.server_name }}"]` | Hosts to accept requests from | | ingress.tls.secretName | string | `"radar-base-tls"` | TLS Secret Name | | resources.limits | object | `{"cpu":"200m"}` | CPU/Memory resource limits | | resources.requests | object | `{"cpu":"10m","memory":"5Mi"}` | CPU/Memory resource requests | 
@@ -84,16 +86,16 @@ RADAR-base home page. | startupProbe.failureThreshold | int | `30` | Failure threshold for startupProbe | | networkpolicy | object | check `values.yaml` | Network policy defines who can access this application and who this applications has access to | | s3.enabled | bool | `false` | Enable link to S3 | -| s3.url | string | `nil` | URL to S3 | +| s3.url | string | `"{{ .Values.advertised_protocol }}://s3.{{ .Values.server_name }}/login"` | URL to S3 | | dashboard.enabled | bool | `false` | Enable link to dashboard | -| dashboard.url | string | `nil` | URL to dashboard | +| dashboard.url | string | `"{{ .Values.advertised_protocol }}://dashboard.{{ .Values.server_name }}"` | URL to dashboard | | appConfig.enabled | bool | `false` | Enable link to app-config service | | uploadPortal.enabled | bool | `false` | Enable link to upload portal | | restAuthorizer.enabled | bool | `false` | Enable link to rest source authorizer | | monitoring.enabled | bool | `false` | Enable link to the monitoring stack, usually Prometheus | -| monitoring.url | string | `nil` | URL to the monitoring stack, usually Prometheus | +| monitoring.url | string | `"{{ .Values.advertised_protocol }}://grafana.{{ .Values.server_name }}/login"` | URL to the monitoring stack, usually Prometheus | | logging.enabled | bool | `false` | Enable link to the logging stack, usually Graylog | -| logging.url | string | `nil` | URL to the monitoring stack, usually Graylog | +| logging.url | string | `"{{ .Values.advertised_protocol }}://graylog.{{ .Values.server_name }}"` | URL to the monitoring stack, usually Graylog | | podDisruptionBudget.enabled | bool | `true` | Enable Pod Disruption Budget | | podDisruptionBudget.minAvailable | int | `1` | Minimum number of pods that must be available during disruptions | | podDisruptionBudget.maxUnavailable | string | `nil` | Maximum number of pods that can be unavailable during disruptions | 
diff --git a/charts/radar-home/templates/deployment.yaml b/charts/radar-home/templates/deployment.yaml index fd102333..8ce82e81 100644 --- a/charts/radar-home/templates/deployment.yaml +++ b/charts/radar-home/templates/deployment.yaml @@ -51,7 +51,7 @@ spec: - name: S3_ENABLED value: "true" - name: S3_URL - value: {{ .Values.s3.url | quote }} + value: {{ tpl .Values.s3.url . | quote }} {{- end }} {{- if .Values.restAuthorizer.enabled }} - name: REST_AUTHORIZER_ENABLED @@ -61,7 +61,7 @@ spec: - name: DASHBOARD_ENABLED value: "true" - name: DASHBOARD_URL - value: {{ .Values.dashboard.url | quote }} + value: {{ tpl .Values.dashboard.url . | quote }} {{- end }} {{- if .Values.uploadPortal.enabled }} - name: UPLOAD_PORTAL_ENABLED @@ -77,7 +77,7 @@ spec: {{- end }} {{- if .Values.logging.url }} - name: GRAYLOG_URL - value: {{ .Values.logging.url | quote }} + value: {{ tpl .Values.logging.url . | quote }} {{- end }} {{- if .Values.monitoring.enabled }} - name: MONITOR_ENABLED @@ -85,7 +85,7 @@ spec: {{- end }} {{- if .Values.monitoring.url }} - name: MONITOR_URL - value: {{ .Values.monitoring.url | quote }} + value: {{ tpl .Values.monitoring.url . | quote }} {{- end }} {{- with .Values.extraEnvVars }} {{- toYaml . | nindent 10 }} diff --git a/charts/radar-home/templates/ingress.yaml b/charts/radar-home/templates/ingress.yaml index 460be382..7048b90e 100644 --- a/charts/radar-home/templates/ingress.yaml +++ b/charts/radar-home/templates/ingress.yaml @@ -25,13 +25,13 @@ spec: tls: - hosts: {{- range $hosts }} - - {{ . | quote }} + - {{ tpl . $ | quote }} {{- end }} secretName: {{ .Values.ingress.tls.secretName }} {{- end }} rules: {{- range .Values.ingress.hosts }} - - host: {{ . | quote }} + - host: {{ tpl . $ | quote }} http: paths: - path: {{ $path | quote }} diff --git a/charts/radar-home/values.yaml b/charts/radar-home/values.yaml index 44a86d10..725318bc 100644 --- a/charts/radar-home/values.yaml +++ b/charts/radar-home/values.yaml 
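Review bot: The guards `{{- if .Values.logging.url }}` and `{{- if .Values.monitoring.url }}` in the third and fourth hunks now always pass, because the same commit gives `logging.url` and `monitoring.url` non-empty templated defaults in values.yaml, so GRAYLOG_URL and MONITOR_URL are injected into the container even when `logging.enabled` / `monitoring.enabled` is false (the MONITOR_ENABLED block visibly closes with `{{- end }}` before the URL block begins; the logging block appears to have the same shape). Gate the URL on the feature flag as well, e.g. `{{- if and .Values.monitoring.enabled .Values.monitoring.url }}`, and likewise for logging. The switch to `tpl` also means a literal `{{` in an operator-supplied URL now breaks rendering, which deserves a note next to these values; the enclosing Deployment spec starts and ends outside the hunks.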
@@ -41,6 +41,10 @@ service: # -- Reconfigure Ingress to not force TLS disable_tls: false +# -- Hostname for the home service +server_name: localhost +# -- The protocol in advertised URIs (https, http) +advertised_protocol: https ingress: # -- Enable ingress controller resource @@ -57,7 +61,7 @@ ingress: ingressClassName: nginx # -- Hosts to accept requests from hosts: - - localhost + - '{{ .Values.server_name }}' tls: # -- TLS Secret Name secretName: radar-base-tls @@ -173,13 +177,13 @@ s3: # -- Enable link to S3 enabled: false # -- URL to S3 - url: + url: '{{ .Values.advertised_protocol }}://s3.{{ .Values.server_name }}/login' dashboard: # -- Enable link to dashboard enabled: false # -- URL to dashboard - url: + url: '{{ .Values.advertised_protocol }}://dashboard.{{ .Values.server_name }}' appConfig: # -- Enable link to app-config service @@ -197,13 +201,13 @@ monitoring: # -- Enable link to the monitoring stack, usually Prometheus enabled: false # -- URL to the monitoring stack, usually Prometheus - url: + url: '{{ .Values.advertised_protocol }}://grafana.{{ .Values.server_name }}/login' logging: # -- Enable link to the logging stack, usually Graylog enabled: false # -- URL to the monitoring stack, usually Graylog - url: + url: '{{ .Values.advertised_protocol }}://graylog.{{ .Values.server_name }}' # Pod Disruption Budget configuration podDisruptionBudget: diff --git a/charts/radar-hydra/Chart.yaml b/charts/radar-hydra/Chart.yaml index 50a12fce..9d14c4a5 100644 --- a/charts/radar-hydra/Chart.yaml +++ b/charts/radar-hydra/Chart.yaml @@ -6,7 +6,7 @@ home: https://radar-base.org icon: http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png sources: - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/radar-hydra -version: 0.2.2 +version: 0.3.0 maintainers: - email: pim@thehyve.nl name: Pim van Nierop diff --git a/charts/radar-hydra/README.md b/charts/radar-hydra/README.md index 8278ed56..fe236b8c 100644 
--- a/charts/radar-hydra/README.md +++ b/charts/radar-hydra/README.md @@ -3,7 +3,7 @@ # radar-hydra [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/radar-hydra)](https://artifacthub.io/packages/helm/radar-base/radar-hydra) -![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.2.0](https://img.shields.io/badge/AppVersion-v2.2.0-informational?style=flat-square) +![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.2.0](https://img.shields.io/badge/AppVersion-v2.2.0-informational?style=flat-square) A ORY Hydra Helm chart for RADAR-base. ORY Hydra is a cloud native Identity and User Management system. 
@@ -43,3 +43,235 @@ Consult the [documentation](https://artifacthub.io/packages/helm/ory/hydra) of t | hydra | object | check `values.yaml` | Ory Hydra configuration | | hydra.server_name | string | `"localhost"` | Hostname for the Kratos service | | hydra.advertised_protocol | string | `"https"` | Protocol for the Kratos service (allowed values: http, https) | +| hydra_server_url | string | `"http://radar-hydra-public:4444"` | | +| hydra_admin_url | string | `"http://radar-hydra-admin:4445/admin"` | | +| oauth_clients.ManagementPortalapp.enable | bool | `true` | | +| oauth_clients.ManagementPortalapp.redirectUris[0] | string | `"{{ .Values.hydra.advertised_protocol }}://{{ .Values.hydra.server_name }}/managementportal/api/redirect/login"` | | +| oauth_clients.ManagementPortalapp.grantTypes[0] | string | `"authorization_code"` | | +| oauth_clients.ManagementPortalapp.grantTypes[1] | string | `"refresh_token"` | | +| oauth_clients.ManagementPortalapp.responseTypes[0] | string | `"code"` | | +| oauth_clients.ManagementPortalapp.responseTypes[1] | string | `"id_token"` | | +| oauth_clients.ManagementPortalapp.client_secret | string | `""` | | +| oauth_clients.ManagementPortalapp.scope | string | `"SOURCEDATA.CREATE SOURCETYPE.UPDATE SOURCETYPE.DELETE AUTHORITY.UPDATE MEASUREMENT.DELETE PROJECT.READ AUDIT.CREATE USER.DELETE AUTHORITY.DELETE SUBJECT.DELETE MEASUREMENT.UPDATE SOURCEDATA.UPDATE SUBJECT.READ USER.UPDATE SOURCETYPE.CREATE AUTHORITY.READ USER.CREATE SOURCE.CREATE SOURCE.READ SUBJECT.CREATE ROLE.UPDATE ROLE.READ MEASUREMENT.READ PROJECT.UPDATE PROJECT.DELETE ROLE.DELETE SOURCE.DELETE SOURCETYPE.READ ROLE.CREATE SOURCEDATA.DELETE SUBJECT.UPDATE SOURCE.UPDATE PROJECT.CREATE AUDIT.READ MEASUREMENT.CREATE AUDIT.DELETE AUDIT.UPDATE AUTHORITY.CREATE USER.READ SOURCEDATA.READ ORGANIZATION.READ ORGANIZATION.CREATE ORGANIZATION.UPDATE OAUTHCLIENTS.READ OAUTHCLIENTS.CREATE OAUTHCLIENTS.UPDATE"` | | +| oauth_clients.ManagementPortalapp.audience[0] | string | 
`"res_ManagementPortal"` | | +| oauth_clients.ManagementPortalapp.allowed_cors_origins[0] | string | `"http://localhost:3000"` | | +| oauth_clients.ManagementPortalapp.skip_consent | bool | `true` | | +| oauth_clients.ManagementPortalapp.skip_logout_consent | bool | `false` | | +| oauth_clients.pRMT.enable | bool | `false` | | +| oauth_clients.pRMT.audience[0] | string | `"res_gateway"` | | +| oauth_clients.pRMT.audience[1] | string | `"res_ManagementPortal"` | | +| oauth_clients.pRMT.audience[2] | string | `"res_appconfig"` | | +| oauth_clients.pRMT.client_secret | string | `""` | | +| oauth_clients.pRMT.scope[0] | string | `"MEASUREMENT.CREATE"` | | +| oauth_clients.pRMT.scope[1] | string | `"PROJECT.READ"` | | +| oauth_clients.pRMT.scope[2] | string | `"ROLE.READ"` | | +| oauth_clients.pRMT.scope[3] | string | `"SOURCE.READ"` | | +| oauth_clients.pRMT.scope[4] | string | `"SOURCEDATA.READ"` | | +| oauth_clients.pRMT.scope[5] | string | `"SOURCETYPE.READ"` | | +| oauth_clients.pRMT.scope[6] | string | `"SUBJECT.READ"` | | +| oauth_clients.pRMT.scope[7] | string | `"SUBJECT.UPDATE"` | | +| oauth_clients.pRMT.scope[8] | string | `"USER.READ"` | | +| oauth_clients.pRMT.grantTypes[0] | string | `"refresh_token"` | | +| oauth_clients.pRMT.grantTypes[1] | string | `"authorization_code"` | | +| oauth_clients.pRMT.access_token_validity | int | `43200` | | +| oauth_clients.pRMT.refresh_token_validity | int | `7948800` | | +| oauth_clients.pRMT.additional_information | string | `"{\"dynamic_registration\": true}"` | | +| oauth_clients.pRMT.tokenEndpointAuthMethod | string | `"client_secret_post"` | | +| oauth_clients.aRMT.enable | bool | `false` | | +| oauth_clients.aRMT.audience[0] | string | `"res_gateway"` | | +| oauth_clients.aRMT.audience[1] | string | `"res_ManagementPortal"` | | +| oauth_clients.aRMT.audience[2] | string | `"res_appconfig"` | | +| oauth_clients.aRMT.audience[3] | string | `"res_AppServer"` | | +| oauth_clients.aRMT.audience[4] | string | 
`"res_DataDashboardAPI"` | | +| oauth_clients.aRMT.client_secret | string | `""` | | +| oauth_clients.aRMT.scope[0] | string | `"MEASUREMENT.READ"` | | +| oauth_clients.aRMT.scope[1] | string | `"MEASUREMENT.CREATE"` | | +| oauth_clients.aRMT.scope[2] | string | `"PROJECT.READ"` | | +| oauth_clients.aRMT.scope[3] | string | `"ROLE.READ"` | | +| oauth_clients.aRMT.scope[4] | string | `"SOURCE.READ"` | | +| oauth_clients.aRMT.scope[5] | string | `"SOURCEDATA.READ"` | | +| oauth_clients.aRMT.scope[6] | string | `"SOURCETYPE.READ"` | | +| oauth_clients.aRMT.scope[7] | string | `"SUBJECT.READ"` | | +| oauth_clients.aRMT.scope[8] | string | `"SUBJECT.UPDATE"` | | +| oauth_clients.aRMT.scope[9] | string | `"USER.READ"` | | +| oauth_clients.aRMT.grantTypes[0] | string | `"refresh_token"` | | +| oauth_clients.aRMT.grantTypes[1] | string | `"authorization_code"` | | +| oauth_clients.aRMT.access_token_validity | int | `43200` | | +| oauth_clients.aRMT.refresh_token_validity | int | `7948800` | | +| oauth_clients.aRMT.additional_information | string | `"{\"dynamic_registration\": true}"` | | +| oauth_clients.aRMT.tokenEndpointAuthMethod | string | `"client_secret_post"` | | +| oauth_clients.aRMT.redirectUris[0] | string | `"{{ .Values.hydra.advertised_protocol }}://{{ .Values.hydra.server_name }}/managementportal/api/redirect/login"` | | +| oauth_clients.SEP.enable | bool | `false` | | +| oauth_clients.SEP.audience[0] | string | `"res_gateway"` | | +| oauth_clients.SEP.audience[1] | string | `"res_ManagementPortal"` | | +| oauth_clients.SEP.audience[2] | string | `"res_appconfig"` | | +| oauth_clients.SEP.audience[3] | string | `"res_AppServer"` | | +| oauth_clients.SEP.audience[4] | string | `"res_DataDashboardAPI"` | | +| oauth_clients.SEP.audience[5] | string | `"res_restAuthorizer"` | | +| oauth_clients.SEP.client_secret | string | `""` | | +| oauth_clients.SEP.scope[0] | string | `"PROJECT.READ"` | | +| oauth_clients.SEP.scope[1] | string | `"SOURCETYPE.READ"` | | +| 
oauth_clients.SEP.scope[2] | string | `"SUBJECT.READ"` | | +| oauth_clients.SEP.scope[3] | string | `"SUBJECT.UPDATE"` | | +| oauth_clients.SEP.scope[4] | string | `"SUBJECT.CREATE"` | | +| oauth_clients.SEP.scope[5] | string | `"USER.READ"` | | +| oauth_clients.SEP.grantTypes[0] | string | `"refresh_token"` | | +| oauth_clients.SEP.grantTypes[1] | string | `"authorization_code"` | | +| oauth_clients.SEP.grantTypes[2] | string | `"client_credentials"` | | +| oauth_clients.SEP.access_token_validity | int | `43200` | | +| oauth_clients.SEP.refresh_token_validity | int | `7948800` | | +| oauth_clients.SEP.additional_information | string | `"{\"dynamic_registration\": true}"` | | +| oauth_clients.SEP.redirectUris[0] | string | `"{{ .Values.hydra.advertised_protocol }}://{{ .Values.hydra.server_name }}/managementportal/api/redirect/login"` | | +| oauth_clients.THINC-IT.enable | bool | `false` | | +| oauth_clients.THINC-IT.audience[0] | string | `"res_gateway"` | | +| oauth_clients.THINC-IT.audience[1] | string | `"res_ManagementPortal"` | | +| oauth_clients.THINC-IT.audience[2] | string | `"res_appconfig"` | | +| oauth_clients.THINC-IT.client_secret | string | `""` | | +| oauth_clients.THINC-IT.scope[0] | string | `"MEASUREMENT.CREATE"` | | +| oauth_clients.THINC-IT.scope[1] | string | `"PROJECT.READ"` | | +| oauth_clients.THINC-IT.scope[2] | string | `"ROLE.READ"` | | +| oauth_clients.THINC-IT.scope[3] | string | `"SOURCE.READ"` | | +| oauth_clients.THINC-IT.scope[4] | string | `"SOURCEDATA.READ"` | | +| oauth_clients.THINC-IT.scope[5] | string | `"SOURCETYPE.READ"` | | +| oauth_clients.THINC-IT.scope[6] | string | `"SUBJECT.READ"` | | +| oauth_clients.THINC-IT.scope[7] | string | `"SUBJECT.UPDATE"` | | +| oauth_clients.THINC-IT.scope[8] | string | `"USER.READ"` | | +| oauth_clients.THINC-IT.grantTypes[0] | string | `"refresh_token"` | | +| oauth_clients.THINC-IT.grantTypes[1] | string | `"authorization_code"` | | +| oauth_clients.THINC-IT.access_token_validity | int | 
`43200` | | +| oauth_clients.THINC-IT.refresh_token_validity | int | `7948800` | | +| oauth_clients.THINC-IT.additional_information | string | `"{\"dynamic_registration\": true}"` | | +| oauth_clients.radar_redcap_integrator.enable | bool | `false` | | +| oauth_clients.radar_redcap_integrator.audience[0] | string | `"res_ManagementPortal"` | | +| oauth_clients.radar_redcap_integrator.client_secret | string | `""` | | +| oauth_clients.radar_redcap_integrator.scope[0] | string | `"PROJECT.READ"` | | +| oauth_clients.radar_redcap_integrator.scope[1] | string | `"SUBJECT.CREATE"` | | +| oauth_clients.radar_redcap_integrator.scope[2] | string | `"SUBJECT.READ"` | | +| oauth_clients.radar_redcap_integrator.scope[3] | string | `"SUBJECT.UPDATE"` | | +| oauth_clients.radar_redcap_integrator.grantTypes[0] | string | `"client_credentials"` | | +| oauth_clients.radar_redcap_integrator.access_token_validity | int | `900` | | +| oauth_clients.radar_upload_backend.enable | bool | `false` | | +| oauth_clients.radar_upload_backend.audience[0] | string | `"res_ManagementPortal"` | | +| oauth_clients.radar_upload_backend.client_secret | string | `""` | | +| oauth_clients.radar_upload_backend.scope[0] | string | `"PROJECT.READ"` | | +| oauth_clients.radar_upload_backend.scope[1] | string | `"SUBJECT.READ"` | | +| oauth_clients.radar_upload_backend.grantTypes[0] | string | `"client_credentials"` | | +| oauth_clients.radar_upload_backend.access_token_validity | int | `900` | | +| oauth_clients.radar_upload_backend.additional_information | string | `"{\"dynamic_registration\": true}"` | | +| oauth_clients.radar_upload_connect.enable | bool | `false` | | +| oauth_clients.radar_upload_connect.audience[0] | string | `"res_ManagementPortal"` | | +| oauth_clients.radar_upload_connect.audience[1] | string | `"res_upload"` | | +| oauth_clients.radar_upload_connect.client_secret | string | `""` | | +| oauth_clients.radar_upload_connect.scope[0] | string | `"MEASUREMENT.CREATE"` | | +| 
oauth_clients.radar_upload_connect.scope[1] | string | `"PROJECT.READ"` | | +| oauth_clients.radar_upload_connect.scope[2] | string | `"SOURCE.READ"` | | +| oauth_clients.radar_upload_connect.scope[3] | string | `"SOURCETYPE.READ"` | | +| oauth_clients.radar_upload_connect.scope[4] | string | `"SUBJECT.READ"` | | +| oauth_clients.radar_upload_connect.scope[5] | string | `"SUBJECT.UPDATE"` | | +| oauth_clients.radar_upload_connect.grantTypes[0] | string | `"client_credentials"` | | +| oauth_clients.radar_upload_connect.access_token_validity | int | `900` | | +| oauth_clients.radar_upload_frontend.enable | bool | `false` | | +| oauth_clients.radar_upload_frontend.audience[0] | string | `"res_ManagementPortal"` | | +| oauth_clients.radar_upload_frontend.audience[1] | string | `"res_upload"` | | +| oauth_clients.radar_upload_frontend.client_secret | string | `""` | | +| oauth_clients.radar_upload_frontend.scope[0] | string | `"MEASUREMENT.CREATE"` | | +| oauth_clients.radar_upload_frontend.scope[1] | string | `"PROJECT.READ"` | | +| oauth_clients.radar_upload_frontend.scope[2] | string | `"SOURCETYPE.READ"` | | +| oauth_clients.radar_upload_frontend.scope[3] | string | `"SUBJECT.READ"` | | +| oauth_clients.radar_upload_frontend.grantTypes[0] | string | `"authorization_code"` | | +| oauth_clients.radar_upload_frontend.access_token_validity | int | `900` | | +| oauth_clients.radar_upload_frontend.redirectUris[0] | string | `"{{ .Values.hydra.advertised_protocol }}://{{ .Values.hydra.server_name }}/upload/login"` | | +| oauth_clients.radar_upload_frontend.redirectUris[1] | string | `"/upload/login"` | | +| oauth_clients.radar_rest_sources_auth_backend.enable | bool | `false` | | +| oauth_clients.radar_rest_sources_auth_backend.audience[0] | string | `"res_ManagementPortal"` | | +| oauth_clients.radar_rest_sources_auth_backend.audience[1] | string | `"res_upload"` | | +| oauth_clients.radar_rest_sources_auth_backend.client_secret | string | `""` | | +| 
oauth_clients.radar_rest_sources_auth_backend.scope[0] | string | `"PROJECT.READ"` | | +| oauth_clients.radar_rest_sources_auth_backend.scope[1] | string | `"SUBJECT.READ"` | | +| oauth_clients.radar_rest_sources_auth_backend.grantTypes[0] | string | `"client_credentials"` | | +| oauth_clients.radar_rest_sources_auth_backend.access_token_validity | int | `900` | | +| oauth_clients.radar_rest_sources_auth_backend.tokenEndpointAuthMethod | string | `"client_secret_post"` | | +| oauth_clients.radar_rest_sources_authorizer.enable | bool | `false` | | +| oauth_clients.radar_rest_sources_authorizer.audience[0] | string | `"res_restAuthorizer"` | | +| oauth_clients.radar_rest_sources_authorizer.client_secret | string | `""` | | +| oauth_clients.radar_rest_sources_authorizer.scope[0] | string | `"PROJECT.READ"` | | +| oauth_clients.radar_rest_sources_authorizer.scope[1] | string | `"SOURCETYPE.READ"` | | +| oauth_clients.radar_rest_sources_authorizer.scope[2] | string | `"SUBJECT.READ"` | | +| oauth_clients.radar_rest_sources_authorizer.scope[3] | string | `"SUBJECT.UPDATE"` | | +| oauth_clients.radar_rest_sources_authorizer.scope[4] | string | `"SUBJECT.CREATE"` | | +| oauth_clients.radar_rest_sources_authorizer.grantTypes[0] | string | `"authorization_code"` | | +| oauth_clients.radar_rest_sources_authorizer.access_token_validity | int | `900` | | +| oauth_clients.radar_rest_sources_authorizer.redirectUris[0] | string | `"{{ .Values.hydra.advertised_protocol }}://{{ .Values.hydra.server_name }}/rest-sources/authorizer/login"` | | +| oauth_clients.radar_rest_sources_authorizer.tokenEndpointAuthMethod | string | `"client_secret_post"` | | +| oauth_clients.radar_fitbit_connector.enable | bool | `false` | | +| oauth_clients.radar_fitbit_connector.audience[0] | string | `"res_restAuthorizer"` | | +| oauth_clients.radar_fitbit_connector.client_secret | string | `""` | | +| oauth_clients.radar_fitbit_connector.scope[0] | string | `"SUBJECT.READ"` | | +| 
oauth_clients.radar_fitbit_connector.scope[1] | string | `"MEASUREMENT.CREATE"` | | +| oauth_clients.radar_fitbit_connector.grantTypes[0] | string | `"client_credentials"` | | +| oauth_clients.radar_fitbit_connector.access_token_validity | int | `900` | | +| oauth_clients.radar_fitbit_connector.tokenEndpointAuthMethod | string | `"client_secret_post"` | | +| oauth_clients.radar_appconfig.enable | bool | `false` | | +| oauth_clients.radar_appconfig.audience[0] | string | `"res_ManagementPortal"` | | +| oauth_clients.radar_appconfig.audience[1] | string | `"res_appconfig"` | | +| oauth_clients.radar_appconfig.client_secret | string | `""` | | +| oauth_clients.radar_appconfig.scope[0] | string | `"MEASUREMENT.CREATE"` | | +| oauth_clients.radar_appconfig.scope[1] | string | `"OAUTHCLIENTS.READ"` | | +| oauth_clients.radar_appconfig.scope[2] | string | `"PROJECT.READ"` | | +| oauth_clients.radar_appconfig.scope[3] | string | `"SOURCETYPE.READ"` | | +| oauth_clients.radar_appconfig.scope[4] | string | `"SUBJECT.READ"` | | +| oauth_clients.radar_appconfig.grantTypes[0] | string | `"client_credentials"` | | +| oauth_clients.radar_appconfig.access_token_validity | int | `900` | | +| oauth_clients.appconfig_frontend.enable | bool | `false` | | +| oauth_clients.appconfig_frontend.audience[0] | string | `"res_appconfig"` | | +| oauth_clients.appconfig_frontend.client_secret | string | `""` | | +| oauth_clients.appconfig_frontend.scope[0] | string | `"MEASUREMENT.CREATE"` | | +| oauth_clients.appconfig_frontend.scope[1] | string | `"OAUTHCLIENTS.READ"` | | +| oauth_clients.appconfig_frontend.scope[2] | string | `"PROJECT.CREATE"` | | +| oauth_clients.appconfig_frontend.scope[3] | string | `"PROJECT.READ"` | | +| oauth_clients.appconfig_frontend.scope[4] | string | `"PROJECT.UPDATE"` | | +| oauth_clients.appconfig_frontend.scope[5] | string | `"SOURCETYPE.READ"` | | +| oauth_clients.appconfig_frontend.scope[6] | string | `"SUBJECT.READ"` | | +| 
oauth_clients.appconfig_frontend.scope[7] | string | `"SUBJECT.UPDATE"` | | +| oauth_clients.appconfig_frontend.grantTypes[0] | string | `"authorization_code"` | | +| oauth_clients.appconfig_frontend.grantTypes[1] | string | `"refresh_token"` | | +| oauth_clients.appconfig_frontend.access_token_validity | int | `900` | | +| oauth_clients.appconfig_frontend.refresh_token_validity | int | `78000` | | +| oauth_clients.appconfig_frontend.redirectUris[0] | string | `"/appconfig/login"` | | +| oauth_clients.appconfig_frontend.autoapprove[0] | string | `"MEASUREMENT.CREATE"` | | +| oauth_clients.appconfig_frontend.autoapprove[1] | string | `"OAUTHCLIENTS.READ"` | | +| oauth_clients.appconfig_frontend.autoapprove[2] | string | `"PROJECT.CREATE"` | | +| oauth_clients.appconfig_frontend.autoapprove[3] | string | `"PROJECT.READ"` | | +| oauth_clients.appconfig_frontend.autoapprove[4] | string | `"PROJECT.UPDATE"` | | +| oauth_clients.appconfig_frontend.autoapprove[5] | string | `"SOURCETYPE.READ"` | | +| oauth_clients.appconfig_frontend.autoapprove[6] | string | `"SUBJECT.READ"` | | +| oauth_clients.appconfig_frontend.autoapprove[7] | string | `"SUBJECT.UPDATE"` | | +| oauth_clients.grafana_dashboard.enable | bool | `false` | | +| oauth_clients.grafana_dashboard.audience[0] | string | `"res_ManagementPortal"` | | +| oauth_clients.grafana_dashboard.client_secret | string | `""` | | +| oauth_clients.grafana_dashboard.scope[0] | string | `"USER.READ"` | | +| oauth_clients.grafana_dashboard.grantTypes[0] | string | `"authorization_code"` | | +| oauth_clients.grafana_dashboard.grantTypes[1] | string | `"refresh_token"` | | +| oauth_clients.grafana_dashboard.access_token_validity | int | `900` | | +| oauth_clients.grafana_dashboard.refresh_token_validity | int | `78000` | | +| oauth_clients.grafana_dashboard.redirectUris[0] | string | `"{{ .Values.hydra.advertised_protocol }}://dashboard.{{ .Values.hydra.server_name }}/login/generic_oauth"` | | +| 
oauth_clients.grafana_dashboard.autoapprove[0] | string | `"USER.READ"` | | +| oauth_clients.radar_push_endpoint.enable | bool | `false` | | +| oauth_clients.radar_push_endpoint.audience[0] | string | `"res_restAuthorizer"` | | +| oauth_clients.radar_push_endpoint.client_secret | string | `""` | | +| oauth_clients.radar_push_endpoint.scope[0] | string | `"SOURCETYPE.READ"` | | +| oauth_clients.radar_push_endpoint.scope[1] | string | `"SUBJECT.UPDATE"` | | +| oauth_clients.radar_push_endpoint.scope[2] | string | `"MEASUREMENT.READ"` | | +| oauth_clients.radar_push_endpoint.scope[3] | string | `"MEASUREMENT.CREATE"` | | +| oauth_clients.radar_push_endpoint.scope[4] | string | `"PROJECT.READ"` | | +| oauth_clients.radar_push_endpoint.scope[5] | string | `"SUBJECT.READ"` | | +| oauth_clients.radar_push_endpoint.grantTypes[0] | string | `"client_credentials"` | | +| oauth_clients.radar_push_endpoint.access_token_validity | int | `900` | | +| oauth_clients.radar_data_dashboard_backend.enable | bool | `false` | | +| oauth_clients.radar_data_dashboard_backend.audience[0] | string | `"res_ManagementPortal"` | | +| oauth_clients.radar_data_dashboard_backend.client_secret | string | `""` | | +| oauth_clients.radar_data_dashboard_backend.scope[0] | string | `"PROJECT.READ"` | | +| oauth_clients.radar_data_dashboard_backend.scope[1] | string | `"SUBJECT.READ"` | | +| oauth_clients.radar_data_dashboard_backend.scope[2] | string | `"MEASUREMENT.READ"` | | +| oauth_clients.radar_data_dashboard_backend.grantTypes[0] | string | `"client_credentials"` | | +| oauth_clients.radar_data_dashboard_backend.access_token_validity | int | `900` | | diff --git a/charts/radar-hydra/charts/hydra-0.53.0.tgz b/charts/radar-hydra/charts/hydra-0.53.0.tgz index 61e4e291..6b99fc2d 100644 Binary files a/charts/radar-hydra/charts/hydra-0.53.0.tgz and b/charts/radar-hydra/charts/hydra-0.53.0.tgz differ 
diff --git a/charts/radar-hydra/templates/hydra-clients-job-rbac.yaml b/charts/radar-hydra/templates/hydra-clients-job-rbac.yaml
new file mode 100644
index 00000000..48f8b04d
--- /dev/null
+++ b/charts/radar-hydra/templates/hydra-clients-job-rbac.yaml
@@ -0,0 +1,59 @@
+# ServiceAccount for hydra-clients-job
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-hydra-clients-job-sa
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: radar-hydra
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: hydra-clients-job
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation
+automountServiceAccountToken: true
+
+---
+# Role for hydra-clients-job
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-hydra-clients-job-role
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: radar-hydra
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: hydra-clients-job
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+
+---
+# RoleBinding for hydra-clients-job
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Release.Name }}-hydra-clients-job-rolebinding
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: radar-hydra
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: hydra-clients-job
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}-hydra-clients-job-sa
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: {{ .Release.Name }}-hydra-clients-job-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/radar-hydra/templates/hydra-clients-job.yaml b/charts/radar-hydra/templates/hydra-clients-job.yaml
new file mode 100644
index 00000000..dab9e5f8
--- /dev/null
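Review bot: The Role grants `get`/`list` on every `secrets` object in the namespace and the ServiceAccount sets `automountServiceAccountToken: true`, yet the job that runs under this account (hydra-clients-job.yaml in the same commit) only calls the Hydra HTTP APIs with curl and never touches the Kubernetes API, so the grant and the mounted token are unused privilege handed to a third-party image. Until the job actually reads a Secret, drop the Role and RoleBinding and set `automountServiceAccountToken: false`; if a lookup is planned, scope the rule with `resourceNames` to the specific Secret and drop `list`. A one-line comment above `rules:` naming which Secret the job is expected to read would make the intent reviewable.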
+++ b/charts/radar-hydra/templates/hydra-clients-job.yaml 
@@ -0,0 +1,75 @@
+{{/*Using a container that runs a client setup script after Hydra is ready, allowing setting fixed client ID, as an alternative to init containers looking up dynamic client uuid created when using Hydra client template (as init containers may not be possible in all cases.*/}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ .Release.Name }}-hydra-clients-setup
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "0"
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ template:
+ spec:
+ serviceAccountName: {{ .Release.Name }}-hydra-clients-job-sa
+ restartPolicy: OnFailure
+ containers:
+ - name: hydra-client-manager
+ # Official, minimal curl image that includes /bin/sh
+ image: curlimages/curl:8.15.0
+ command: ["sh","-eu","-c"]
+ args:
+ - |
+ echo "Waiting for Hydra Admin API to be available..."
+ until curl -s -f -o /dev/null "{{ .Values.hydra_server_url }}/health/ready"; do
+ echo "Hydra not ready yet, waiting 5 seconds..."
+ sleep 5
+ done
+ echo "Hydra is ready! Proceeding to create/update clients."
+
+ {{- range $name, $client := .Values.oauth_clients }}
+ {{- if (default false $client.enable) }}
+
+ echo "Processing client: {{ $name }}"
+ CLIENT_ID="{{ $name }}"
+
+ # Build the JSON payload (remove any comments; JSON can't contain '# ...')
+ JSON_PAYLOAD=$(cat <<'EOF'
+ {
+ "client_id": "{{ $name }}",
+ "client_name": "{{ $name }}",
+ "client_secret": "{{ $client.client_secret | default "secret" }}"
+ {{- if $client.grantTypes }}, "grant_types": {{ $client.grantTypes | toJson }}{{- end }}
+ {{- if $client.responseTypes }}, "response_types": {{ $client.responseTypes | toJson }}{{- end }}
+ {{- if kindIs "string" $client.scope }}, "scope": "{{ $client.scope }}"{{ else if $client.scope }}, "scope": "{{ join " " $client.scope }}"{{ end }}
+ {{- if $client.audience }}, "audience": {{ $client.audience | toJson }}{{- else if $client.resource_ids }}, "audience": {{ $client.resource_ids | toJson }}{{- end }}
+ {{- if $client.redirectUris }}, "redirect_uris": [{{- range $e := $client.redirectUris }}{{- tpl $e $ | toJson }}{{- end }}]
+ {{- end }}
+ {{- if $client.allowed_cors_origins }}, "allowed_cors_origins": {{ $client.allowed_cors_origins | toJson }}{{- end }}
+ {{- if hasKey $client "skip_consent" }}, "skip_consent": {{ $client.skip_consent | default false }}{{- end }}
+ {{- if hasKey $client "skip_logout_consent" }}, "skip_logout_consent": {{ $client.skip_logout_consent | default false }}{{- end }}
+ , "token_endpoint_auth_method": "{{ default "client_secret_basic" $client.tokenEndpointAuthMethod }}"
+ }
+ EOF
+ )
+
+ HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" "{{ $.Values.hydra_admin_url }}/clients/${CLIENT_ID}")
+
+ if [ "$HTTP_STATUS" = "200" ]; then
+ echo "Client '${CLIENT_ID}' exists, updating it..."
+ METHOD="PUT"
+ URL="{{ $.Values.hydra_admin_url }}/clients/${CLIENT_ID}"
+ else
+ echo "Client '${CLIENT_ID}' does not exist, creating it..."
+ METHOD="POST"
+ URL="{{ $.Values.hydra_admin_url }}/clients"
+ fi
+
+ printf '%s' "$JSON_PAYLOAD" | curl -sS -X "${METHOD}" --fail -H "Content-Type: application/json" -d @- "${URL}"
+ echo "Successfully processed client '{{ $name }}'."
+ echo "---"
+
+ {{- end }}
+ {{- end }}
+
+ echo "All clients processed successfully."
diff --git a/charts/radar-hydra/values.yaml b/charts/radar-hydra/values.yaml
index f1988fa0..9b59c230 100644
--- a/charts/radar-hydra/values.yaml
+++ b/charts/radar-hydra/values.yaml
@@ -9,7 +9,7 @@ hydra:
 ingress: admin: - enabled: true + enabled: false className: "nginx" annotations: cert-manager.io/cluster-issuer: letsencrypt-prod
@@ -44,16 +44,22 @@ hydra:
 config: # Leave empty to use the DSN environmental variable. dsn: + secrets: + system: + cookie: urls: self: + admin: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/admin/hydra/' issuer: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/hydra/' - login: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/login' - consent: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/hydra-ui/consent' + public: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/hydra/' + login: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/study/auth/oauth-login' + consent: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/study/auth/consent' + logout: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/study/auth/logout' log: level: debug format: text - leak_sensitive_values: false + leak_sensitive_values: true strategies: access_token: jwt
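Review bot: `"client_secret": "{{ $client.client_secret | default "secret" }}"` in the JSON payload turns the `""` that values.yaml ships for every client into the literal secret `secret`, so any client an operator enables without overriding it (ManagementPortalapp is `enable: true` by default) is registered with a guessable credential, and because the secret is rendered into the Job's `args` it is also readable from the pod spec and the Helm release record. Fail the render instead of defaulting, e.g. `"client_secret": {{ required (printf "oauth_clients.%s.client_secret must be set" $name) $client.client_secret | toJson }}`, and consider passing it to the script through an env var sourced from a Kubernetes Secret, which is what the `secrets` get/list grant in hydra-clients-job-rbac.yaml suggests was intended. Separately, the `redirect_uris` array is built by `range` with no separator between elements, so a client with more than one entry (radar_upload_frontend has two in the README hunk) produces `["a""b"]`, which is invalid JSON and makes the final `curl --fail` abort the job; collect the URIs first with `{{- $uris := list }}{{- range $e := $client.redirectUris }}{{- $uris = append $uris (tpl $e $) }}{{- end }}` and emit `, "redirect_uris": {{ $uris | toJson }}`. The same `| toJson` treatment is due for `"scope": "{{ $client.scope }}"`, which is spliced in unescaped.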
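Review bot: `leak_sensitive_values: true` in the `log:` block is a chart default, so every deployment that does not override it tells Hydra to include sensitive values (tokens, secrets, cookie material) in its logs, and it sits under the existing `level: debug`; the default should stay `leak_sensitive_values: false` and be flipped per environment while debugging. The new `secrets:` / `system:` / `cookie:` keys are bare, which YAML parses as null; presumably Hydra then generates a random secret at each start, in which case sessions and tokens would not survive a pod restart — worth confirming and documenting above the keys, e.g. `# -- Set from a Secret in production; a null value is regenerated on every restart`.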
@@ -61,10 +67,14 @@ hydra: scope_claim: both oauth2: - allowed_top_level_claims: [scope, roles, authorities, sources, user_name] + allowed_top_level_claims: [scope, roles, authorities, sources, user_name, email] mirror_top_level_claims: false client_credentials: default_grant_allowed_scope: true + grant: + refresh_token: + # Set grace period. Omit the line below to disable. + rotation_grace_period: 300s serve: public: 
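Review bot: `rotation_grace_period: 300s` gives every rotated refresh token a five-minute window in which the superseded token is still accepted, which weakens the replay detection that refresh-token rotation exists to provide; the comment above it only says how to disable it, not why 300s was chosen or which client needs it. Suggest `# Window in which a rotated refresh token is still accepted (covers client retries / concurrent refreshes). Omit to disable; keep as short as the clients tolerate.` Adding `email` to `allowed_top_level_claims` also places an address into every JWT access token that any resource server can read, so a one-line comment naming the consumer that needs it would help the next reviewer.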
@@ -82,3 +92,336 @@ hydra: secretKeyRef: name: radar-cloudnative-postgresql-hydra key: uri + + maester: + enabled: false + +hydra_server_url: "http://radar-hydra-public:4444" +hydra_admin_url: "http://radar-hydra-admin:4445/admin" + +oauth_clients: + ManagementPortalapp: + enable: true + redirectUris: + - '{{ .Values.hydra.advertised_protocol }}://{{ .Values.hydra.server_name }}/managementportal/api/redirect/login' + grantTypes: + - authorization_code + - refresh_token + responseTypes: + - code + - id_token + client_secret: "" + scope: SOURCEDATA.CREATE SOURCETYPE.UPDATE SOURCETYPE.DELETE AUTHORITY.UPDATE MEASUREMENT.DELETE PROJECT.READ AUDIT.CREATE USER.DELETE AUTHORITY.DELETE SUBJECT.DELETE MEASUREMENT.UPDATE SOURCEDATA.UPDATE SUBJECT.READ USER.UPDATE SOURCETYPE.CREATE AUTHORITY.READ USER.CREATE SOURCE.CREATE SOURCE.READ SUBJECT.CREATE ROLE.UPDATE ROLE.READ MEASUREMENT.READ PROJECT.UPDATE PROJECT.DELETE ROLE.DELETE SOURCE.DELETE SOURCETYPE.READ ROLE.CREATE SOURCEDATA.DELETE SUBJECT.UPDATE SOURCE.UPDATE PROJECT.CREATE AUDIT.READ MEASUREMENT.CREATE AUDIT.DELETE AUDIT.UPDATE AUTHORITY.CREATE USER.READ SOURCEDATA.READ ORGANIZATION.READ ORGANIZATION.CREATE ORGANIZATION.UPDATE OAUTHCLIENTS.READ OAUTHCLIENTS.CREATE OAUTHCLIENTS.UPDATE + audience: + - res_ManagementPortal + allowed_cors_origins: + - http://localhost:3000 + skip_consent: true + skip_logout_consent: false + + pRMT: + enable: false + audience: + - res_gateway + - res_ManagementPortal + - res_appconfig + client_secret: "" + scope: + - MEASUREMENT.CREATE + - PROJECT.READ + - ROLE.READ + - SOURCE.READ + - SOURCEDATA.READ + - SOURCETYPE.READ + - SUBJECT.READ + - SUBJECT.UPDATE + - USER.READ + grantTypes: + - refresh_token + - authorization_code + access_token_validity: 43200 + refresh_token_validity: 7948800 + additional_information: '{"dynamic_registration": true}' + tokenEndpointAuthMethod: client_secret_post + + aRMT: + enable: false + audience: + - res_gateway + - res_ManagementPortal + - res_appconfig + - 
res_AppServer + - res_DataDashboardAPI + client_secret: "" + scope: + - MEASUREMENT.READ + - MEASUREMENT.CREATE + - PROJECT.READ + - ROLE.READ + - SOURCE.READ + - SOURCEDATA.READ + - SOURCETYPE.READ + - SUBJECT.READ + - SUBJECT.UPDATE + - USER.READ + grantTypes: + - refresh_token + - authorization_code + access_token_validity: 43200 + refresh_token_validity: 7948800 + additional_information: '{"dynamic_registration": true}' + tokenEndpointAuthMethod: client_secret_post + redirectUris: + - '{{ .Values.hydra.advertised_protocol }}://{{ .Values.hydra.server_name }}/managementportal/api/redirect/login' + + SEP: + enable: false + audience: + - res_gateway + - res_ManagementPortal + - res_appconfig + - res_AppServer + - res_DataDashboardAPI + - res_restAuthorizer + client_secret: "" + scope: + - PROJECT.READ + - SOURCETYPE.READ + - SUBJECT.READ + - SUBJECT.UPDATE + - SUBJECT.CREATE + - USER.READ + grantTypes: + - refresh_token + - authorization_code + - client_credentials + access_token_validity: 43200 + refresh_token_validity: 7948800 + additional_information: '{"dynamic_registration": true}' + redirectUris: + - '{{ .Values.hydra.advertised_protocol }}://{{ .Values.hydra.server_name }}/managementportal/api/redirect/login' + + THINC-IT: + enable: false + audience: + - res_gateway + - res_ManagementPortal + - res_appconfig + client_secret: "" + scope: + - MEASUREMENT.CREATE + - PROJECT.READ + - ROLE.READ + - SOURCE.READ + - SOURCEDATA.READ + - SOURCETYPE.READ + - SUBJECT.READ + - SUBJECT.UPDATE + - USER.READ + grantTypes: + - refresh_token + - authorization_code + access_token_validity: 43200 + refresh_token_validity: 7948800 + additional_information: '{"dynamic_registration": true}' + + radar_redcap_integrator: + enable: false + audience: + - res_ManagementPortal + client_secret: "" + scope: + - PROJECT.READ + - SUBJECT.CREATE + - SUBJECT.READ + - SUBJECT.UPDATE + grantTypes: + - client_credentials + access_token_validity: 900 + + radar_upload_backend: + enable: false + 
audience: + - res_ManagementPortal + client_secret: "" + scope: + - PROJECT.READ + - SUBJECT.READ + grantTypes: + - client_credentials + access_token_validity: 900 + additional_information: '{"dynamic_registration": true}' + + radar_upload_connect: + enable: false + audience: + - res_ManagementPortal + - res_upload + client_secret: "" + scope: + - MEASUREMENT.CREATE + - PROJECT.READ + - SOURCE.READ + - SOURCETYPE.READ + - SUBJECT.READ + - SUBJECT.UPDATE + grantTypes: + - client_credentials + access_token_validity: 900 + + radar_upload_frontend: + enable: false + audience: + - res_ManagementPortal + - res_upload + client_secret: "" + scope: + - MEASUREMENT.CREATE + - PROJECT.READ + - SOURCETYPE.READ + - SUBJECT.READ + grantTypes: + - authorization_code + access_token_validity: 900 + redirectUris: + - '{{ .Values.hydra.advertised_protocol }}://{{ .Values.hydra.server_name }}/upload/login' + - /upload/login + + radar_rest_sources_auth_backend: + enable: false + audience: + - res_ManagementPortal + - res_upload + client_secret: "" + scope: + - PROJECT.READ + - SUBJECT.READ + grantTypes: + - client_credentials + access_token_validity: 900 + # This is considered less secure, better to send client secret in Auth header, which requires changing code on the auth backend side + tokenEndpointAuthMethod: client_secret_post + + radar_rest_sources_authorizer: + enable: false + audience: + - res_restAuthorizer + client_secret: "" + scope: + - PROJECT.READ + - SOURCETYPE.READ + - SUBJECT.READ + - SUBJECT.UPDATE + - SUBJECT.CREATE + grantTypes: + - authorization_code + access_token_validity: 900 + redirectUris: + - '{{ .Values.hydra.advertised_protocol }}://{{ .Values.hydra.server_name }}/rest-sources/authorizer/login' + tokenEndpointAuthMethod: client_secret_post + + radar_fitbit_connector: + enable: false + audience: + - res_restAuthorizer + client_secret: "" + scope: + - SUBJECT.READ + - MEASUREMENT.CREATE + grantTypes: + - client_credentials + access_token_validity: 900 + 
tokenEndpointAuthMethod: client_secret_post + + radar_appconfig: + enable: false + audience: + - res_ManagementPortal + - res_appconfig + client_secret: "" + scope: + - MEASUREMENT.CREATE + - OAUTHCLIENTS.READ + - PROJECT.READ + - SOURCETYPE.READ + - SUBJECT.READ + grantTypes: + - client_credentials + access_token_validity: 900 + + appconfig_frontend: + enable: false + audience: + - res_appconfig + client_secret: "" + scope: + - MEASUREMENT.CREATE + - OAUTHCLIENTS.READ + - PROJECT.CREATE + - PROJECT.READ + - PROJECT.UPDATE + - SOURCETYPE.READ + - SUBJECT.READ + - SUBJECT.UPDATE + grantTypes: + - authorization_code + - refresh_token + access_token_validity: 900 + refresh_token_validity: 78000 + redirectUris: + - /appconfig/login + autoapprove: + - MEASUREMENT.CREATE + - OAUTHCLIENTS.READ + - PROJECT.CREATE + - PROJECT.READ + - PROJECT.UPDATE + - SOURCETYPE.READ + - SUBJECT.READ + - SUBJECT.UPDATE + + grafana_dashboard: + enable: false + audience: + - res_ManagementPortal + client_secret: "" + scope: + - USER.READ + grantTypes: + - authorization_code + - refresh_token + access_token_validity: 900 + refresh_token_validity: 78000 + redirectUris: + - '{{ .Values.hydra.advertised_protocol }}://dashboard.{{ .Values.hydra.server_name }}/login/generic_oauth' + autoapprove: + - USER.READ + + radar_push_endpoint: + enable: false + audience: + - res_restAuthorizer + client_secret: "" + scope: + - SOURCETYPE.READ + - SUBJECT.UPDATE + - MEASUREMENT.READ + - MEASUREMENT.CREATE + - PROJECT.READ + - SUBJECT.READ + grantTypes: + - client_credentials + access_token_validity: 900 + + radar_data_dashboard_backend: + enable: false + audience: + - res_ManagementPortal + client_secret: "" + scope: + - PROJECT.READ + - SUBJECT.READ + - MEASUREMENT.READ + grantTypes: + - client_credentials + access_token_validity: 900 diff --git a/charts/radar-kafka/templates/kafka.yaml b/charts/radar-kafka/templates/kafka.yaml index e251014f..62a4a78d 100644 --- a/charts/radar-kafka/templates/kafka.yaml 
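Review bot: every entry in the new `oauth_clients` map ships `client_secret: ""`, and the bootstrap template at the top of this diff renders `"client_secret": "{{ $client.client_secret | default "secret" }}"`; an empty string is falsy to Sprig's `default`, so the enabled `ManagementPortalapp` client — and any client an operator flips to `enable: true` — is registered in Hydra with the literal secret `secret`. Failing the render is safer than a fallback, e.g. `"client_secret": "{{ required (printf "oauth_clients.%s.client_secret must be set" $name) $client.client_secret }}"` (that line lives in the template hunk, which starts before this chunk). `access_token_validity`, `refresh_token_validity`, `additional_information` and `autoapprove` are not read anywhere in the visible template, so those values are silently ignored and should either be dropped or marked inert with a comment. `allowed_cors_origins: - http://localhost:3000` and `skip_consent: true` on the one enabled client are development settings and deserve the same treatment as the other dev-only defaults in this commit.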
+++ b/charts/radar-kafka/templates/kafka.yaml @@ -78,11 +78,13 @@ spec: - mode: remove-brokers template: name: {{ template "common.names.fullname" . }}-rebalance-template - {{- with .Values.kafka.cruiseControl.javaOptions }} - jvmOptions: {{ toYaml . | nindent 6 | trim }} + {{- if .Values.kafka.cruiseControl.javaOptions }} + javaOptions: + {{- toYaml .Values.kafka.cruiseControl.javaOptions | nindent 6 }} {{- end }} - {{- with .Values.kafka.cruiseControl.resources }} - resources: {{ toYaml . | nindent 6 | trim }} + {{- if .Values.kafka.cruiseControl.resources }} + resources: + {{ toYaml .Values.kafka.cruiseControl.resources | nindent 6 }} {{- end }} {{- end }} {{ if .Values.metrics.enabled }} diff --git a/charts/radar-kratos/Chart.yaml b/charts/radar-kratos/Chart.yaml index 06593b24..ef06b3c0 100644 --- a/charts/radar-kratos/Chart.yaml +++ b/charts/radar-kratos/Chart.yaml @@ -6,7 +6,7 @@ home: https://radar-base.org icon: http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png sources: - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/radar-kratos -version: 0.1.2 +version: 0.1.3 maintainers: - email: pim@thehyve.nl name: Pim van Nierop diff --git a/charts/radar-kratos/README.md b/charts/radar-kratos/README.md index 52d30a99..355d2c77 100644 --- a/charts/radar-kratos/README.md +++ b/charts/radar-kratos/README.md 
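Review bot: the `resources:` branch emits `{{ toYaml .Values.kafka.cruiseControl.resources | nindent 6 }}` without the `{{-` left-trim that the `javaOptions` branch two lines above uses, so the rendered manifest carries a whitespace-only line between the key and its block; harmless to the YAML parser but inconsistent, and `{{- toYaml .Values.kafka.cruiseControl.resources | nindent 6 }}` makes the two branches identical in shape. The rename from `jvmOptions` to `javaOptions` is the part to double-check: if this template renders a Strimzi `Kafka` resource, the field for Cruise Control JVM settings is `jvmOptions`, and an unknown key is either rejected by the API server or pruned without effect — please confirm the CRD schema accepts `javaOptions`. The enclosing `spec:` block starts and ends outside this hunk.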
@@ -3,7 +3,7 @@ # radar-kratos [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/radar-kratos)](https://artifacthub.io/packages/helm/radar-base/radar-kratos) -![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.3.0](https://img.shields.io/badge/AppVersion-v1.3.0-informational?style=flat-square) +![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.3.0](https://img.shields.io/badge/AppVersion-v1.3.0-informational?style=flat-square) A ORY Kratos Helm chart for RADAR-base. ORY Kratos is a cloud native Identity and User Management system. 
@@ -44,4 +44,4 @@ Consult the [documentation](https://artifacthub.io/packages/helm/ory/kratos) of | kratos.server_name | string | `"localhost"` | Hostname for the Kratos service | | kratos.advertised_protocol | string | `"https"` | Protocol for the Kratos service (allowed values: http, https) | | kratos.kratos.automigration | object | `{"enabled":true}` | Enables database migration | -| kratos.kratos.identitySchemas | object | `{"identity.default.schema.json":"{\n \"$schema\": \"http://json-schema.org/draft-07/schema#\",\n \"$id\": \"default\",\n \"title\": \"user\",\n \"type\": \"object\",\n \"properties\": {\n \"traits\": {\n \"type\": \"object\",\n \"properties\": {\n \"email\": {\n \"type\": \"string\",\n \"format\": \"email\",\n \"title\": \"E-Mail\",\n \"minLength\": 5,\n \"ory.sh/kratos\": {\n \"credentials\": {\n \"password\": {\n \"identifier\": true\n },\n \"totp\": {\n \"account_name\": true\n }\n },\n \"verification\": {\n \"via\": \"email\"\n },\n \"recovery\": {\n \"via\": \"email\"\n }\n }\n }\n },\n \"required\": [ \"email\" ]\n }\n },\n \"additionalProperties\": false\n}\n","identity.user.schema.json":"{\n \"$schema\": \"http://json-schema.org/draft-07/schema#\",\n \"$id\": \"user\",\n \"title\": \"user\",\n \"type\": \"object\",\n \"properties\": {\n \"traits\": {\n \"type\": \"object\",\n \"properties\": {\n \"email\": {\n \"type\": \"string\",\n \"format\": \"email\",\n \"title\": \"E-Mail\",\n \"minLength\": 5,\n \"ory.sh/kratos\": {\n \"credentials\": {\n \"password\": {\n \"identifier\": true\n },\n \"totp\": {\n \"account_name\": true\n }\n },\n \"verification\": {\n \"via\": \"email\"\n },\n \"recovery\": {\n \"via\": \"email\"\n }\n }\n }\n },\n \"required\": [ \"email\" ]\n }\n },\n \"additionalProperties\": false\n}\n"}` | You can add multiple identity schemas here. You can pass JSON schema using `--set-file` Helm CLI argument. 
| +| kratos.kratos.identitySchemas | object | `{"identity.schema.admin.json":"{\n \"$schema\": \"http://json-schema.org/draft-07/schema#\",\n \"$id\": \"admin\",\n \"title\": \"admin\",\n \"type\": \"object\",\n \"properties\": {\n \"traits\": {\n \"type\": \"object\",\n \"properties\": {\n \"email\": {\n \"type\": \"string\",\n \"format\": \"email\",\n \"title\": \"E-Mail\",\n \"minLength\": 5,\n \"ory.sh/kratos\": {\n \"credentials\": {\n \"password\": {\n \"identifier\": true\n },\n \"totp\": {\n \"account_name\": true\n }\n },\n \"verification\": {\n \"via\": \"email\"\n },\n \"recovery\": {\n \"via\": \"email\"\n }\n }\n }\n },\n \"required\": [\"email\"]\n }\n },\n \"additionalProperties\": false\n}\n","identity.schema.researcher.json":"{\n \"$schema\": \"http://json-schema.org/draft-07/schema#\",\n \"$id\": \"researcher\",\n \"title\": \"researcher\",\n \"type\": \"object\",\n \"properties\": {\n \"traits\": {\n \"type\": \"object\",\n \"properties\": {\n \"email\": {\n \"type\": \"string\",\n \"format\": \"email\",\n \"title\": \"E-Mail\",\n \"minLength\": 5,\n \"ory.sh/kratos\": {\n \"credentials\": {\n \"password\": {\n \"identifier\": true\n },\n \"totp\": {\n \"account_name\": true\n }\n },\n \"verification\": {\n \"via\": \"email\"\n },\n \"recovery\": {\n \"via\": \"email\"\n }\n }\n }\n },\n \"required\": [\"email\"]\n }\n },\n \"additionalProperties\": false\n}\n","identity.schema.subject.json":"{\n \"$schema\": \"http://json-schema.org/draft-07/schema#\",\n \"$id\": \"subject\",\n \"title\": \"subject\",\n \"type\": \"object\",\n \"properties\": {\n \"traits\": {\n \"type\": \"object\",\n \"properties\": {\n \"email\": {\n \"type\": \"string\",\n \"format\": \"email\",\n \"title\": \"E-Mail\",\n \"minLength\": 5,\n \"ory.sh/kratos\": {\n \"credentials\": {\n \"password\": {\n \"identifier\": true\n },\n \"totp\": {\n \"account_name\": true\n }\n },\n \"verification\": {\n \"via\": \"email\"\n },\n \"recovery\": {\n \"via\": \"email\"\n }\n }\n }\n 
},\n \"required\": [\"email\"]\n }\n },\n \"additionalProperties\": false\n}\n"}` | You can add multiple identity schemas here. You can pass JSON schema using `--set-file` Helm CLI argument. | diff --git a/charts/radar-kratos/charts/kratos-0.52.1.tgz b/charts/radar-kratos/charts/kratos-0.52.1.tgz index 251e288a..f1775a39 100644 Binary files a/charts/radar-kratos/charts/kratos-0.52.1.tgz and b/charts/radar-kratos/charts/kratos-0.52.1.tgz differ diff --git a/charts/radar-kratos/values.yaml b/charts/radar-kratos/values.yaml index 96dede41..f45c3bf9 100644 --- a/charts/radar-kratos/values.yaml +++ b/charts/radar-kratos/values.yaml @@ -13,16 +13,16 @@ kratos: className: "nginx" annotations: cert-manager.io/cluster-issuer: letsencrypt-prod + nginx.ingress.kubernetes.io/rewrite-target: /admin/$2 hosts: - host: '{{ .Values.server_name }}' paths: - - path: "/admin/kratos/?(.*)" + - path: "/admin/kratos(/|$)(.*)" pathType: ImplementationSpecific tls: - - hosts: + - secretName: radar-base-tls + hosts: - '{{ .Values.server_name }}' - secretName: radar-base-tls - public: enabled: true className: "nginx" @@ -35,9 +35,9 @@ kratos: - path: "/kratos/?(.*)" pathType: ImplementationSpecific tls: - - hosts: + - secretName: kratos-public-tls + hosts: - '{{ .Values.server_name }}' - secretName: kratos-public-tls kratos: # -- Enables database migration @@ -46,11 +46,11 @@ kratos: # -- You can add multiple identity schemas here. You can pass JSON schema using `--set-file` Helm CLI argument. identitySchemas: - "identity.user.schema.json": | + "identity.schema.admin.json": | { "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "user", - "title": "user", + "$id": "admin", + "title": "admin", "type": "object", "properties": { "traits": { 
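Review bot: in the `@@ -13,16 +13,16 @@` hunk of charts/radar-kratos/values.yaml the admin ingress now rewrites `/admin/kratos(/|$)(.*)` to `/admin/$2`, which makes the Kratos admin API — an API with no authentication of its own — reachable on the public hostname with only TLS in front. The radar-hydra chart in this same commit turns its admin ingress off (`enabled: false`), so the two charts now disagree on whether admin APIs are exposed. Unless an authentication layer is applied elsewhere (for example an auth annotation not shown in this hunk), suggest defaulting `admin.enabled: false` here too, or adding `# Exposes the unauthenticated Kratos admin API; keep behind an auth proxy or network policy` next to the annotation so the exposure is a deliberate choice. The `tls:` key reorder is cosmetic.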
@@ -79,16 +79,16 @@ kratos: } } }, - "required": [ "email" ] + "required": ["email"] } }, "additionalProperties": false } - "identity.default.schema.json": | + "identity.schema.researcher.json": | { "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "default", - "title": "user", + "$id": "researcher", + "title": "researcher", "type": "object", "properties": { "traits": { @@ -117,7 +117,45 @@ kratos: } } }, - "required": [ "email" ] + "required": ["email"] + } + }, + "additionalProperties": false + } + "identity.schema.subject.json": | + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "subject", + "title": "subject", + "type": "object", + "properties": { + "traits": { + "type": "object", + "properties": { + "email": { + "type": "string", + "format": "email", + "title": "E-Mail", + "minLength": 5, + "ory.sh/kratos": { + "credentials": { + "password": { + "identifier": true + }, + "totp": { + "account_name": true + } + }, + "verification": { + "via": "email" + }, + "recovery": { + "via": "email" + } + } + } + }, + "required": ["email"] } }, "additionalProperties": false @@ -133,18 +171,39 @@ kratos: cookie: ## -- If false, cookie is removed when the browser is closed --## persistent: false - courier: smtp: from_address: radar@thehyve.nl - + templates: + verification_code: + valid: + email: + body: + html: base64://SGksPGJyPjxicj5QbGVhc2XCoHZlcmlmecKgeW91csKgYWNjb3VudMKgYnnCoGVudGVyaW5nwqB0aGXCoGZvbGxvd2luZ8KgY29kZTo8YnI+PGgyPnt7IC5WZXJpZmljYXRpb25Db2RlIH19PC9oMj48YnI+PGEgaHJlZj17eyAuVmVyaWZpY2F0aW9uVVJMIH19Pnt7IC5WZXJpZmljYXRpb25VUkwgfX08L2E+ + plaintext: base64://SGksIFBsZWFzZcKgdmVyaWZ5wqB5b3VywqBhY2NvdW50wqBiecKgZW50ZXJpbmfCoHRoZcKgZm9sbG93aW5nwqBjb2RlOiB7eyAuVmVyaWZpY2F0aW9uQ29kZSB9fSB7eyAuVmVyaWZpY2F0aW9uVVJMIH19 + recovery: + valid: + email: + body: + # HTML Body: "Hi,

Please click the link below to set your password:

Set Password" + html: base64://SGksPGJyPjxicj5QbGVhc2UgY2xpY2sgdGhlIGxpbmsgYmVsb3cgdG8gc2V0IHlvdXIgcGFzc3dvcmQ6PGJyPjxicj48YSBocmVmPSJ7eyAuUmVjb3ZlcnlVUkwgfX0iPlNldCBQYXNzd29yZDwvYT4= + # Plain Text Body: "Hi, Please click the following link to set your password: {{ .RecoveryURL }}" + plaintext: base64://SGksLCBQbGVhc2UgY2xpY2sgdGhlIGZvbGxvd2luZyBsaW5rIHRvIHNldCB5b3VyIHBhc3N3b3JkOiB7eyAuUmVjb3ZlcnlVUkwgfX0= + recovery_code: + valid: + email: + body: + # HTML Body: "Hi,

Please click the link below to set your password:

Set Password" + html: base64://SGksPGJyPjxicj5QbGVhc2UgY2xpY2sgdGhlIGxpbmsgYmVsb3cgdG8gc2V0IHlvdXIgcGFzc3dvcmQ6PGJyPjxicj48YSBocmVmPSJ7eyAuUmVjb3ZlcnlVUkwgfX0iPlNldCBQYXNzd29yZDwvYT4= + # Plain Text Body: "Hi, Please click the following link to set your password: {{ .RecoveryURL }}" + plaintext: base64://SGksLCBQbGVhc2UgY2xpY2sgdGhlIGZvbGxvd2luZyBsaW5rIHRvIHNldCB5b3VyIHBhc3N3b3JkOiB7eyAuUmVjb3ZlcnlVUkwgfX0= serve: public: base_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/kratos/' cors: enabled: true allowed_origins: - - '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/kratos-ui/' + - '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/study/' allowed_methods: - POST - GET 
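Review bot: the new `allowed_origins` entry `'{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/study/'` includes a path, but a CORS origin is scheme, host and optional port only, so it cannot equal a browser's `Origin` header and the allow-list is effectively empty for the self-enrolment UI (the replaced `/kratos-ui/` value had the same problem); suggest `- '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}'`. The base64-encoded courier bodies are opaque to review: the recovery `plaintext` decodes to a body beginning `Hi,, Please` (double comma) although the comment above it reads `Hi, Please`, and the `verification_code` bodies contain non-breaking spaces (U+00A0) between words, which look like a paste artefact. Keeping the source text in a comment (as the recovery entries already do) or in a file referenced via `--set-file`, and re-encoding from it, would make these mismatches visible in the diff.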
@@ -184,86 +243,121 @@ kratos: issuer: Radar enabled: true link: + config: + lifespan: 1h + enabled: true + code: + config: + lifespan: 1h enabled: true flows: error: - ui_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/kratos-ui/error' + ui_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/study/error' settings: - ui_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/kratos-ui/settings' + ui_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/study/account/settings' required_aal: highest_available recovery: enabled: true - ui_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/kratos-ui/recovery' - use: link + ui_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/study/recovery' + use: code verification: # our current flow necessitates that users reset their password after they activate an account in managementportal, # this works as verification - ui_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/kratos-ui/verification' - enabled: false - use: link + ui_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/study/auth/verification' + enabled: true + use: code after: - default_browser_return_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/kratos-ui' + default_browser_return_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/study/auth/login' + hooks: + - hook: web_hook + config: + method: POST + url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/managementportal/api/webhook/kratos/subjects/activate' + body: base64://ZnVuY3Rpb24oY3R4KSB7CiAgICBpZGVudGl0eTogaWYgc3RkLm9iamVjdEhhcyhjdHgsICJpZGVudGl0eSIpIHRoZW4gY3R4LmlkZW50aXR5IGVsc2UgbnVsbCwKICAgIHBheWxvYWQ6IGlmIHN0ZC5vYmplY3RIYXMoY3R4LCAiZmxvdyIpICYmIHN0ZC5vYmplY3RIYXMoY3R4LmZsb3csICJ0cmFuc2llbnRfcGF5bG9hZCIpIHRoZW4gY3R4LmZsb3cudHJhbnNpZW50X3BheWxvYWQgZWxzZSBudWxsLAogICAgY29va2llczogY3R4LnJlcXVlc3RfY29va2llcwp9Cg== + response: + 
ignore: true logout: after: - default_browser_return_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/kratos-ui/login' + default_browser_return_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/study/auth/login' login: - ui_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/kratos-ui/login' + ui_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/study/auth/login' registration: - ui_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/kratos-ui/registration' + ui_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/study/auth/registration' after: password: hooks: + - hook: web_hook + config: + method: POST + url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/managementportal/api/webhook/kratos/subjects' + body: base64://ZnVuY3Rpb24oY3R4KSB7CiAgICBpZGVudGl0eTogaWYgc3RkLm9iamVjdEhhcyhjdHgsICJpZGVudGl0eSIpIHRoZW4gY3R4LmlkZW50aXR5IGVsc2UgbnVsbCwKICAgIHBheWxvYWQ6IGlmIHN0ZC5vYmplY3RIYXMoY3R4LCAiZmxvdyIpICYmIHN0ZC5vYmplY3RIYXMoY3R4LmZsb3csICJ0cmFuc2llbnRfcGF5bG9hZCIpIHRoZW4gY3R4LmZsb3cudHJhbnNpZW50X3BheWxvYWQgZWxzZSBudWxsLAogICAgY29va2llczogY3R4LnJlcXVlc3RfY29va2llcwp9Cg== + response: + ignore: true - hook: session oidc: hooks: - hook: session identity: - default_schema_id: user + default_schema_id: subject schemas: - # identitySchemas: - - id: user - url: file:///etc/config/identity.user.schema.json + - id: subject + url: file:///etc/config/identity.schema.subject.json + - id: researcher + url: file:///etc/config/identity.schema.researcher.json + - id: admin + url: file:///etc/config/identity.schema.admin.json log: level: debug format: text leak_sensitive_values: true + oauth2_provider: + url: http://radar-hydra-admin + # Register cloudnativepg secret to be used by Kratos. 
deployment: extraEnv: - - name: DSN + - name: POSTGRES_URI valueFrom: secretKeyRef: name: radar-cloudnative-postgresql-kratos key: uri + - name: DSN + value: "$(POSTGRES_URI)?sslmode=disable&max_conns=20&max_idle_conns=4" statefulSet: extraEnv: - - name: DSN + - name: POSTGRES_URI valueFrom: secretKeyRef: name: radar-cloudnative-postgresql-kratos key: uri + - name: DSN + value: "$(POSTGRES_URI)?sslmode=disable&max_conns=20&max_idle_conns=4" job: extraEnv: - - name: DSN + - name: POSTGRES_URI valueFrom: secretKeyRef: name: radar-cloudnative-postgresql-kratos key: uri + - name: DSN + value: "$(POSTGRES_URI)?sslmode=disable&max_conns=20&max_idle_conns=4" cronjob: cleanup: extraEnv: - - name: DSN + - name: POSTGRES_URI valueFrom: secretKeyRef: name: radar-cloudnative-postgresql-kratos key: uri + - name: DSN + value: "$(POSTGRES_URI)?sslmode=disable&max_conns=20&max_idle_conns=4" diff --git a/charts/radar-rest-sources-authorizer/Chart.yaml b/charts/radar-rest-sources-authorizer/Chart.yaml index be7c8397..79352550 100644 --- a/charts/radar-rest-sources-authorizer/Chart.yaml +++ b/charts/radar-rest-sources-authorizer/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: "4.4.11" +appVersion: "4.4.13" description: A Helm chart for the front-end application of RADAR-base Rest Sources Authorizer which is a portal to authorize the Fitbit connector to read data from Fitbit accounts. name: radar-rest-sources-authorizer version: 2.3.1 diff --git a/charts/radar-rest-sources-authorizer/README.md b/charts/radar-rest-sources-authorizer/README.md index c7adb261..50b6bb6b 100644 --- a/charts/radar-rest-sources-authorizer/README.md +++ b/charts/radar-rest-sources-authorizer/README.md 
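Review bot: the composed `DSN` value `"$(POSTGRES_URI)?sslmode=disable&max_conns=20&max_idle_conns=4"`, repeated under `deployment`, `statefulSet`, `job` and `cronjob.cleanup`, hard-codes TLS off for the Kratos database connection in the chart defaults. It also assumes the `uri` key of `radar-cloudnative-postgresql-kratos` carries no query string of its own; if it does, appending a second `?` produces a malformed DSN — worth confirming against the secret's actual format. Suggest `sslmode=require` (or `verify-full` with a mounted CA) as the default and a comment such as `# Pool and TLS parameters appended to the CNPG-provided URI; override sslmode only for local development`. The registration and verification web hooks set `response: ignore: true`, so a failure to create or activate the subject in Management Portal is dropped while Kratos still completes the flow, and the jsonnet body forwards `ctx.request_cookies` (which includes the user's Kratos session cookie) to that endpoint; both are defensible but should carry a comment stating they are intended.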
@@ -3,7 +3,7 @@ # radar-rest-sources-authorizer [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/radar-rest-sources-authorizer)](https://artifacthub.io/packages/helm/radar-base/radar-rest-sources-authorizer) -![Version: 2.3.1](https://img.shields.io/badge/Version-2.3.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.4.11](https://img.shields.io/badge/AppVersion-4.4.11-informational?style=flat-square) +![Version: 2.3.1](https://img.shields.io/badge/Version-2.3.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.4.13](https://img.shields.io/badge/AppVersion-4.4.13-informational?style=flat-square) A Helm chart for the front-end application of RADAR-base Rest Sources Authorizer which is a portal to authorize the Fitbit connector to read data from Fitbit accounts. diff --git a/charts/radar-rest-sources-backend/Chart.yaml b/charts/radar-rest-sources-backend/Chart.yaml index 7d206a11..2ec46f17 100644 --- a/charts/radar-rest-sources-backend/Chart.yaml +++ b/charts/radar-rest-sources-backend/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: "4.4.13" description: A Helm chart for the backend application of RADAR-base Rest Sources Authorizer name: radar-rest-sources-backend -version: 1.5.8 +version: 1.6.0 icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png" sources: - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/radar-rest-sources-backend diff --git a/charts/radar-rest-sources-backend/README.md b/charts/radar-rest-sources-backend/README.md index d53a9e98..1467325c 100644 --- a/charts/radar-rest-sources-backend/README.md +++ b/charts/radar-rest-sources-backend/README.md 
@@ -3,7 +3,7 @@ # radar-rest-sources-backend [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/radar-rest-sources-backend)](https://artifacthub.io/packages/helm/radar-base/radar-rest-sources-backend) -![Version: 1.5.8](https://img.shields.io/badge/Version-1.5.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.4.13](https://img.shields.io/badge/AppVersion-4.4.13-informational?style=flat-square) +![Version: 1.6.0](https://img.shields.io/badge/Version-1.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.4.13](https://img.shields.io/badge/AppVersion-4.4.13-informational?style=flat-square) A Helm chart for the backend application of RADAR-base Rest Sources Authorizer @@ -100,7 +100,6 @@ A Helm chart for the backend application of RADAR-base Rest Sources Authorizer | postgres.ssl.keystorepassword | string | `"keystorepassword"` | | | redis.uri | string | `"redis://radar-redis-replication-master:6379"` | URI of the redis database | | serverName | string | `"localhost"` | Resolvable server name, needed to find the advertised URL and callback URL | -| managementportal_url | string | `"http://management-portal:8080/managementportal"` | URL of the Management Portal | | client_secret | string | `"secret"` | OAuth2 client secret of the radar-rest-sources-backend client from Management Portal | | public_key_endpoints | list | `["http://radar-hydra-public:4444/.well-known/jwks.json"]` | List of public key endpoints for token verification | | auth_url | string | `"http://radar-hydra-public:4444/oauth2/token"` | Auth url for MP client | diff --git a/charts/radar-rest-sources-backend/templates/configmap.yaml b/charts/radar-rest-sources-backend/templates/configmap.yaml index a5e4a52b..0a5a925b 100644 
--- a/charts/radar-rest-sources-backend/templates/configmap.yaml +++ b/charts/radar-rest-sources-backend/templates/configmap.yaml @@ -21,9 +21,7 @@ data: {{- end }} auth: - # Management Portal URL - managementPortalUrl: {{ .Values.managementportal_url }} - # OAuth2 Auth URL for MP Client + # OAuth2 Auth URL authUrl: {{ .Values.auth_url }} # OAuth2 Client id of rest sources authorizer backend clientId: radar_rest_sources_auth_backend diff --git a/charts/radar-rest-sources-backend/values.yaml b/charts/radar-rest-sources-backend/values.yaml index 8ef76aa2..b003f0af 100644 --- a/charts/radar-rest-sources-backend/values.yaml +++ b/charts/radar-rest-sources-backend/values.yaml @@ -281,16 +281,13 @@ redis: # -- Resolvable server name, needed to find the advertised URL and callback URL serverName: localhost -# -- URL of the Management Portal -managementportal_url: http://management-portal:8080/managementportal - # -- OAuth2 client secret of the radar-rest-sources-backend client from Management Portal client_secret: secret # -- List of public key endpoints for token verification public_key_endpoints: - http://radar-hydra-public:4444/.well-known/jwks.json - # - https://localhost/managementportal/oauth/token_key +# - http://management-portal:8080/managementportal/oauth/token_key # -- Auth url for MP client auth_url: http://radar-hydra-public:4444/oauth2/token diff --git a/charts/radar-self-enrolment-ui/Chart.yaml b/charts/radar-self-enrolment-ui/Chart.yaml index 8bd318cb..c09705db 100644 --- a/charts/radar-self-enrolment-ui/Chart.yaml +++ b/charts/radar-self-enrolment-ui/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "0.0.1" +appVersion: "0.1.0" description: A Helm chart for RADAR-base Self Enrolment UI name: radar-self-enrolment-ui -version: 0.3.1 +version: 0.4.0 icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png" sources: - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/radar-self-enrolment-ui 
diff --git a/charts/radar-self-enrolment-ui/README.md b/charts/radar-self-enrolment-ui/README.md index 0bf8fecf..6ca56f07 100644 --- a/charts/radar-self-enrolment-ui/README.md +++ b/charts/radar-self-enrolment-ui/README.md @@ -2,7 +2,7 @@ # radar-self-enrolment-ui -![Version: 0.3.1](https://img.shields.io/badge/Version-0.3.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square) +![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square) A Helm chart for RADAR-base Self Enrolment UI @@ -55,7 +55,7 @@ A Helm chart for RADAR-base Self Enrolment UI | advertised_protocol | string | `"https"` | The protocol in URIs (https, http) | | ingress.enabled | bool | `true` | Enable ingress controller resource | | ingress.annotations | object | check values.yaml | Annotations that define default ingress class, certificate issuer | -| ingress.path | string | `"/kratos-ui(/|$)(.*)"` | Path within the url structure | +| ingress.path | string | `"/study(/|$)(.*)"` | Path within the url structure | | ingress.pathType | string | `"ImplementationSpecific"` | Ingress Path type | | ingress.ingressClassName | string | `"nginx"` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | | ingress.hosts | list | `["{{ .Values.server_name }}"]` | Hosts to accept requests from | 
@@ -76,7 +76,7 @@ A Helm chart for RADAR-base Self Enrolment UI | podSecurityContext.runAsGroup | int | `10000` | | | podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | deployment.resources | object | `{}` | | -| deployment.extraEnv | list | `[{"name":"HYDRA_ADMIN_URL","value":"http://radar-hydra-admin"}]` | Array of extra envs to be passed to the deployment. Kubernetes format is expected - name: FOO value: BAR | +| deployment.extraEnv | string | `nil` | Array of extra envs to be passed to the deployment. Kubernetes format is expected - name: FOO value: BAR | | deployment.extraVolumes | list | `[]` | If you want to mount external volume For example, mount a secret containing Certificate root CA to verify database TLS connection. | | deployment.extraVolumeMounts | list | `[]` | | | deployment.nodeSelector | object | `{}` | Node labels for pod assignment. | 
@@ -103,26 +103,35 @@ A Helm chart for RADAR-base Self Enrolment UI | readinessProbe.successThreshold | int | `1` | Success threshold for readinessProbe | | readinessProbe.failureThreshold | int | `3` | Failure threshold for readinessProbe | | customStartupProbe | object | `{}` | Custom startupProbe that overrides the default one | -| startupProbe.enabled | bool | `true` | Enable startupProbe | +| startupProbe.enabled | bool | `false` | Enable startupProbe | | startupProbe.initialDelaySeconds | int | `5` | Initial delay seconds for startupProbe | | startupProbe.periodSeconds | int | `10` | Period seconds for startupProbe | | startupProbe.timeoutSeconds | int | `10` | Timeout seconds for startupProbe | | startupProbe.successThreshold | int | `1` | Success threshold for startupProbe | | startupProbe.failureThreshold | int | `30` | Failure threshold for startupProbe | | networkpolicy | object | check `values.yaml` | Network policy defines who can access this application and who this applications has access to | -| kratosAdminUrl | string | `"http://kratos-admin:80/admin"` | Set this to ORY Kratos's Admin URL | -| kratosPublicUrl | string | `"https://localhost/kratos"` | Set this to ORY Kratos's public URL | -| kratosBrowserUrl | string | `"https://localhost/kratos"` | Set this to ORY Kratos's public URL accessible from the outside world. 
| -| hydraAdminUrl | string | `"http://radar-hydra-admin"` | Set this to ORY Hydra's Admin URL | -| hydraPublicUrl | string | `"http://radar-hydra-public:4444"` | Set this to ORY Hydra's public URL | -| restSourceBackendUrl | string | `"http://radar-rest-sources-backend:8080/rest-sources/backend"` | Set this to the REST source backend service URL | -| gatewayUrl | string | `"http://radar-gateway:8080"` | Set this to the RADAR Gateway service URL | -| armtClientId | string | `"aRMT"` | Client ID for ARMT authentication | -| armtClientSecret | string | `""` | Client secret for ARMT authentication | -| sepClientId | string | `"SEP"` | Client ID for SEP authentication | -| sepClientSecret | string | `""` | Client secret for SEP authentication | -| githubAuthToken | string | `""` | GitHub authentication token for API access (leave empty if not used) | -| basePath | string | `"/kratos-ui"` | The basePath | +| basePath | string | `"study"` | | +| auth.armt.clientId | string | `"aRMT"` | | +| auth.armt.clientSecret | string | `""` | | +| auth.armt.redirectUri | string | `"{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/{{ .Values.basePath }}/connect/armt"` | | +| auth.prmt.clientId | string | `"pRMT"` | | +| auth.prmt.clientSecret | string | `""` | | +| auth.prmt.redirectUri | string | `"{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/{{ .Values.basePath }}/connect/prmt"` | | +| auth.sep.clientId | string | `"SEP"` | | +| auth.sep.clientSecret | string | `""` | | +| auth.sep.redirectUri | string | `"{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/{{ .Values.basePath }}/connect/sep"` | | +| kratos.internalUrl | string | `"http://radar-kratos-public:80"` | | +| kratos.adminUrl | string | `"http://radar-kratos-admin/admin"` | | +| hydra.internalUrl | string | `"http://radar-hydra-public:4444"` | | +| hydra.adminUrl | string | `"http://radar-hydra-admin:4445/admin"` | | +| hydra.browserUrl | string | `"{{ .Values.advertised_protocol 
}}://{{ .Values.server_name }}/hydra"` | | +| rest_sources_auth.backendUrl | string | `"http://radar-rest-sources-backend:8080/rest-sources/backend"` | | +| rest_sources_auth.frontendUrl | string | `"{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/rest-sources/authorizer/"` | | +| github.authToken | string | `""` | | +| github.repository | string | `"radar-self-enrolment-definitions"` | | +| gatewayUrl | string | `"http://radar-gateway:8080"` | | +| studyDefinitionRepository | string | `"LOCAL"` | | +| managementportal_url | string | `"http://management-portal:8080/managementportal"` | | | test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository | ---------------------------------------------- diff --git a/charts/radar-self-enrolment-ui/templates/deployment.yaml b/charts/radar-self-enrolment-ui/templates/deployment.yaml index a153f22f..559cf2d8 100644 --- a/charts/radar-self-enrolment-ui/templates/deployment.yaml +++ b/charts/radar-self-enrolment-ui/templates/deployment.yaml 
@@ -38,36 +38,61 @@ spec: image: {{ template "radar-self-enrolment-ui.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} env: + # Kratos configuration - name: KRATOS_INTERNAL_URL - value: {{ .Values.kratosPublicUrl | quote }} + value: {{ .Values.kratos.internalUrl | quote }} - name: KRATOS_ADMIN_URL - value: {{ .Values.kratosAdminUrl | quote }} + value: {{ .Values.kratos.adminUrl | quote }} + + # Hydra configuration - name: HYDRA_ADMIN_URL - value: {{ .Values.hydraAdminUrl | quote }} + value: {{ .Values.hydra.adminUrl | quote }} - name: HYDRA_PUBLIC_URL - value: {{ .Values.hydraPublicUrl | quote }} + value: {{ .Values.hydra.internalUrl | quote }} + - name: NEXT_PUBLIC_HYDRA_PUBLIC_URL + value: {{ tpl .Values.hydra.browserUrl . | quote }} + + # REST source authorizer - name: RSA_BACKEND_URL - value: {{ .Values.restSourceBackendUrl | quote }} - - name: BASE_PATH + value: {{ .Values.rest_sources_auth.backendUrl | quote }} + - name: RSA_FRONTEND_URL + value: {{ tpl .Values.rest_sources_auth.frontendUrl . 
| quote }} + + # Base path configuration + - name: BASEPATH value: {{ .Values.basePath | quote }} - - name: SECURITY_MODE - value: {{ .Values.securityMode | quote }} + + # Authentication clients (ARMT, PRMT, SEP) - name: ARMT_CLIENT_ID - value: {{ .Values.armtClientId | quote }} + value: {{ .Values.auth.armt.clientId | quote }} - name: ARMT_CLIENT_SECRET - value: {{ .Values.armtClientSecret | quote }} + value: {{ .Values.auth.armt.clientSecret | quote }} + - name: PRMT_CLIENT_ID + value: {{ .Values.auth.prmt.clientId | quote }} + - name: PRMT_CLIENT_SECRET + value: {{ .Values.auth.prmt.clientSecret | quote }} - name: SEP_CLIENT_ID - value: {{ .Values.sepClientId | quote }} + value: {{ .Values.auth.sep.clientId | quote }} - name: SEP_CLIENT_SECRET - value: {{ .Values.sepClientSecret | quote }} + value: {{ .Values.auth.sep.clientSecret | quote }} + + # Public redirect URIs - name: NEXT_PUBLIC_ARMT_REDIRECT_URI - value: {{ .Values.advertised_protocol }}://{{ .Values.server_name }}/{{ .Values.basePath }}/connect/armt + value: {{ tpl .Values.auth.armt.redirectUri . | quote }} + - name: NEXT_PUBLIC_PRMT_REDIRECT_URI + value: {{ tpl .Values.auth.prmt.redirectUri . | quote }} - name: NEXT_PUBLIC_SEP_REDIRECT_URI - value: {{ .Values.advertised_protocol }}://{{ .Values.server_name }}/{{ .Values.basePath }}/connect/sep + value: {{ tpl .Values.auth.sep.redirectUri . | quote }} + + # GitHub and backend configuration - name: GITHUB_AUTH_TOKEN - value: {{ .Values.githubAuthToken | quote }} + value: {{ .Values.github.authToken | quote }} - name: GATEWAY_URL value: {{ .Values.gatewayUrl | quote }} + - name: STUDY_DEFINITION_REPOSITORY + value: {{ .Values.studyDefinitionRepository | quote }} + - name: MP_CONFIG_BASE_URL + value: {{ .Values.managementportal_url | quote }} - name: COOKIE_SECRET valueFrom: secretKeyRef: diff --git a/charts/radar-self-enrolment-ui/values.yaml b/charts/radar-self-enrolment-ui/values.yaml index 661ed691..c265eab2 100644 
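Review bot: The new `PRMT_CLIENT_SECRET` entry, like the retained `ARMT_CLIENT_SECRET`, `SEP_CLIENT_SECRET` and `GITHUB_AUTH_TOKEN`, injects a credential as a plain `value:` taken from `.Values`, so it lands in the rendered manifest, the Helm release history and `kubectl describe pod` output, while `COOKIE_SECRET` a few lines below already uses `valueFrom.secretKeyRef`. Since this block is being reshuffled anyway, the secret-bearing entries would be better sourced from a Secret the same way, together with a Secret template populated from the existing `clientSecret` / `authToken` values (not part of this diff); the Secret's name is not visible in the hunk, so the sketch below uses labelled placeholders. The env list continues past the end of the hunk.
```yaml
          # Authentication clients (ARMT, PRMT, SEP)
          - name: ARMT_CLIENT_ID
            value: {{ .Values.auth.armt.clientId | quote }}
          - name: ARMT_CLIENT_SECRET
            valueFrom:
              secretKeyRef:
                name: <chart-secret-name>   # placeholder: the Secret COOKIE_SECRET reads from
                key: armt-client-secret     # constructed key name
          # … unchanged: PRMT_CLIENT_ID …
          - name: PRMT_CLIENT_SECRET
            valueFrom:
              secretKeyRef:
                name: <chart-secret-name>
                key: prmt-client-secret     # constructed key name
          # … unchanged: SEP_CLIENT_ID …
          - name: SEP_CLIENT_SECRET
            valueFrom:
              secretKeyRef:
                name: <chart-secret-name>
                key: sep-client-secret      # constructed key name
          # … unchanged: public redirect URIs …
          - name: GITHUB_AUTH_TOKEN
            valueFrom:
              secretKeyRef:
                name: <chart-secret-name>
                key: github-auth-token      # constructed key name
```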
--- a/charts/radar-self-enrolment-ui/values.yaml +++ b/charts/radar-self-enrolment-ui/values.yaml @@ -81,7 +81,7 @@ ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod # -- Path within the url structure - path: "/kratos-ui(/|$)(.*)" + path: "/study(/|$)(.*)" # -- Ingress Path type pathType: ImplementationSpecific # -- IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) @@ -137,8 +137,6 @@ deployment: # - name: FOO # value: BAR extraEnv: - - name: HYDRA_ADMIN_URL - value: http://radar-hydra-admin # -- If you want to mount external volume # For example, mount a secret containing Certificate root CA to verify database # TLS connection. @@ -231,7 +229,7 @@ customStartupProbe: {} startupProbe: # -- Enable startupProbe - enabled: true + enabled: false # -- Initial delay seconds for startupProbe initialDelaySeconds: 5 # -- Period seconds for startupProbe @@ -264,13 +262,31 @@ networkpolicy: kubernetes.io/metadata.name: '{{ .Release.Namespace }}' podSelector: matchLabels: - app.kubernetes.io/name: kratos-admin + app.kubernetes.io/name: kratos - namespaceSelector: matchLabels: kubernetes.io/metadata.name: '{{ .Release.Namespace }}' podSelector: matchLabels: app.kubernetes.io/name: hydra + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: management-portal + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: radar-rest-sources-backend + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: radar-gateway - to: - namespaceSelector: matchLabels: 
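Review bot: Removing the only default item in the `@@ -137,8 +137,6 @@` hunk leaves `extraEnv:` with no value, which YAML reads as `null` rather than an empty list — the regenerated README row in the `@@ -76,7 +76,7 @@` hunk above already shows the type flipping from `list` to `string` / `nil`. Whether the deployment template tolerates a null here depends on how it consumes the value (`with`/`if` is fine, `toYaml`/`range` may not be), which is not visible in this diff; `extraEnv: []` keeps the documented list type either way.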
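Review bot: The new egress rules in the `@@ -264,13 +262,31 @@` hunk cover management-portal, radar-rest-sources-backend and radar-gateway, matching the URLs introduced in values.yaml, but `studyDefinitionRepository` also accepts `GITHUB` and `github.repository` / `github.authToken` are added in the same file, while from what is visible the policy only permits in-namespace pod selectors plus DNS on port 53. If the part of the policy outside this hunk does not already allow external HTTPS, switching the repository mode to GITHUB would be blocked; either add an egress rule for that mode or document the limitation next to the value, e.g. `# -- Study definition repository (GITHUB, LOCAL); GITHUB requires egress to github.com in networkpolicy`. The selector change from `kratos-admin` to `kratos` presumably relies on both the public and admin kratos pods carrying that `app.kubernetes.io/name` label — confirm against the kratos chart.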
@@ -284,44 +300,57 @@ networkpolicy: - port: 53 protocol: TCP -# -- Set this to ORY Kratos's Admin URL -kratosAdminUrl: "http://kratos-admin:80/admin" - -# -- Set this to ORY Kratos's public URL -kratosPublicUrl: "https://localhost/kratos" - -# -- Set this to ORY Kratos's public URL accessible from the outside world. -kratosBrowserUrl: "https://localhost/kratos" - -# -- Set this to ORY Hydra's Admin URL -hydraAdminUrl: "http://radar-hydra-admin" - -# -- Set this to ORY Hydra's public URL -hydraPublicUrl: "http://radar-hydra-public:4444" - -# -- Set this to the REST source backend service URL -restSourceBackendUrl: "http://radar-rest-sources-backend:8080/rest-sources/backend" - -# -- Set this to the RADAR Gateway service URL +# Application specific configuration + +# Base path for the application +basePath: "study" + +auth: + armt: + # Client credentials for ARMT authentication + clientId: "aRMT" + clientSecret: "" + redirectUri: "{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/{{ .Values.basePath }}/connect/armt" + prmt: + # Client credentials for PRMT authentication + clientId: "pRMT" + clientSecret: "" + redirectUri: "{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/{{ .Values.basePath }}/connect/prmt" + sep: + # Client credentials for SEP frontend authentication + clientId: "SEP" + clientSecret: "" + redirectUri: "{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/{{ .Values.basePath }}/connect/sep" + +kratos: + # Kratos urls + internalUrl: "http://radar-kratos-public:80" + adminUrl: "http://radar-kratos-admin/admin" + +hydra: + # Hydra urls + internalUrl: "http://radar-hydra-public:4444" + adminUrl: "http://radar-hydra-admin:4445/admin" + browserUrl: "{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/hydra" + +rest_sources_auth: + # Rest source auth urls + backendUrl: "http://radar-rest-sources-backend:8080/rest-sources/backend" + frontendUrl: "{{ .Values.advertised_protocol }}://{{ .Values.server_name 
}}/rest-sources/authorizer/" + +github: + # Github authentication token + authToken: "" + # Github repository name + repository: "radar-self-enrolment-definitions" + +# Gateway url gatewayUrl: "http://radar-gateway:8080" -# -- Client ID for ARMT authentication -armtClientId: "aRMT" - -# -- Client secret for ARMT authentication -armtClientSecret: "" - -# -- Client ID for SEP authentication -sepClientId: "SEP" - -# -- Client secret for SEP authentication -sepClientSecret: "" - -# -- GitHub authentication token for API access (leave empty if not used) -githubAuthToken: "" +# Study definition repository (GITHUB, LOCAL) +studyDefinitionRepository: "LOCAL" -# -- The basePath -basePath: "/kratos-ui" +managementportal_url: http://management-portal:8080/managementportal test: # -- use a busybox image from another repository
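Review bot: The new values drop the helm-docs `# --` marker (`# Base path for the application`, `# Kratos urls`, `# Hydra urls`, `# Gateway url` and so on), so the regenerated README table in this same commit shows an empty description for every one of them, including security-relevant ones such as `auth.*.clientSecret` and `github.authToken`; restoring the `# --` prefix on the line directly above each key (e.g. `# -- OAuth2 client secret for the ARMT client; prefer supplying it via a Kubernetes Secret` above `clientSecret:`) fixes that. `basePath` also changed from `"/kratos-ui"` to `"study"` without a leading slash while `ingress.path` is `"/study(/|$)(.*)"` — the redirectUri templates insert their own `/` so they render correctly, but whether the application's `BASEPATH` env expects the slash cannot be told from here. Finally, `managementportal_url` is the one new value left unquoted and uncommented; `managementportal_url: "http://management-portal:8080/managementportal"` would match the rest of the block.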