diff --git a/.gcp.env b/.gcp.env
index 1ec2a730..920b01fd 100644
--- a/.gcp.env
+++ b/.gcp.env
@@ -1,4 +1,4 @@
-SENTRIUS_VERSION=1.0.9
+SENTRIUS_VERSION=1.0.15
SENTRIUS_SSH_VERSION=1.0.2
-SENTRIUS_KEYCLOAK_VERSION=1.0.2
-SENTRIUS_AGENT_VERSION=1.0.10
\ No newline at end of file
+SENTRIUS_KEYCLOAK_VERSION=1.0.4
+SENTRIUS_AGENT_VERSION=1.0.11
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 25cbaf1d..f3056b56 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,4 +15,4 @@ RUN apt-get update && apt-get install -y curl
# Command to run the app
-CMD ["java", "-jar", "/app/sentrius.jar", "--spring.config.location=/config/application.properties", "--dynamic.properties.path=/config/dynamic.properties"]
+CMD ["java", "-jar", "/app/sentrius.jar", "--spring.config.location=/config/api-application.properties", "--dynamic.properties.path=/config/dynamic.properties"]
diff --git a/analyagents/pom.xml b/analyagents/pom.xml
index 004f916c..dee6c11c 100644
--- a/analyagents/pom.xml
+++ b/analyagents/pom.xml
@@ -48,6 +48,12 @@
junit-jupiter-params
test
+
+
+ org.springframework.boot
+ spring-boot-starter-actuator
+ ${spring.boot.version}
+
org.postgresql
postgresql
diff --git a/analyagents/src/main/resources/application.properties b/analyagents/src/main/resources/application.properties
index eb3438e2..af5a66b9 100644
--- a/analyagents/src/main/resources/application.properties
+++ b/analyagents/src/main/resources/application.properties
@@ -59,4 +59,6 @@ spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://192.168.1.162:8180/realms/sentrius
spring.security.oauth2.client.provider.keycloak.issuer-uri=http://192.168.1.162:8180/realms/sentrius
# for testing analytics agents
-agents.session-analytics.enabled=true
\ No newline at end of file
+agents.session-analytics.enabled=true
+management.endpoints.web.exposure.include=health
+management.endpoint.health.show-details=always
\ No newline at end of file
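Review bot: `management.endpoint.health.show-details=always` on the last added line returns the per-component breakdown (database, disk space and any other registered indicator) to every caller, and the api/src/main/resources/application.properties and sentrius-gcp-chart/templates/configmap.yaml hunks in this commit add the same pair. Because the SecurityConfig hunk also makes `/actuator/**` anonymous, that detail is reachable without a token; `management.endpoint.health.show-details=when-authorized` keeps the plain UP/DOWN answer for the load-balancer probe and reserves the breakdown for authenticated users. A one-line comment above the pair, `# health is consumed by the ingress probe; keep the exposed set limited to health`, would record why only this endpoint is included.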
diff --git a/api/pom.xml b/api/pom.xml
index 7a3388bf..421e153c 100644
--- a/api/pom.xml
+++ b/api/pom.xml
@@ -63,6 +63,17 @@
${spring.boot.version}
+
+ org.springframework.boot
+ spring-boot-starter-actuator
+ ${spring.boot.version}
+
+
+ org.springframework.boot
+ spring-boot-starter-webflux
+ ${spring.boot.version}
+
+
org.springframework.boot
spring-boot-devtools
diff --git a/api/src/main/java/io/sentrius/sso/config/HttpsRedirectConfig.java b/api/src/main/java/io/sentrius/sso/config/HttpsRedirectConfig.java
new file mode 100644
index 00000000..4ffb391d
--- /dev/null
+++ b/api/src/main/java/io/sentrius/sso/config/HttpsRedirectConfig.java
@@ -0,0 +1,29 @@
+package io.sentrius.sso.config;
+
+import java.net.URI;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.server.WebFilter;
+
+@Configuration
+public class HttpsRedirectConfig {
+
+ @Value("${https.redirect.enabled:true}") // Default is true
+ private boolean httpsRedirectEnabled;
+
+ @Bean
+ public WebFilter httpsRedirectFilter() {
+ return (exchange, chain) -> {
+ if (httpsRedirectEnabled &&
+ exchange.getRequest().getHeaders().containsKey("X-Forwarded-Proto") &&
+ "http".equals(exchange.getRequest().getHeaders().getFirst("X-Forwarded-Proto"))) {
+ URI httpsUri = exchange.getRequest()
+ .getURI()
+ .resolve(exchange.getRequest().getURI().toString().replace("http://", "https://"));
+ return exchange.getResponse().setComplete();
+ }
+ return chain.filter(exchange);
+ };
+ }
+}
\ No newline at end of file
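Review bot: The redirect branch ending in `return exchange.getResponse().setComplete();` never uses the `httpsUri` computed just above it and sets neither a 3xx status nor a `Location` header, so a request arriving with `X-Forwarded-Proto: http` receives an empty response with the default status instead of a redirect; the branch should read `exchange.getResponse().setStatusCode(HttpStatus.PERMANENT_REDIRECT); exchange.getResponse().getHeaders().setLocation(httpsUri); return exchange.getResponse().setComplete();` (with `org.springframework.http.HttpStatus` imported). `WebFilter` is the reactive (WebFlux) filter contract, while the chart's configmap sets `spring.main.web-application-type=servlet`; in a servlet application this bean is presumably never invoked, so the spring-boot-starter-webflux dependency added in api/pom.xml and pom.xml would be carrying a filter that does not run — a servlet `Filter`, or `requiresChannel(...)` in SecurityConfig, is the equivalent for that stack. `String.replace("http://", "https://")` over the whole URI also rewrites any `http://` that appears inside the query string; `UriComponentsBuilder.fromUri(exchange.getRequest().getURI()).scheme("https").build().toUri()` changes only the scheme. A class-level Javadoc stating that the filter trusts `X-Forwarded-Proto` and therefore assumes a proxy in front that sets it would help the next maintainer.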
diff --git a/api/src/main/java/io/sentrius/sso/config/SecurityConfig.java b/api/src/main/java/io/sentrius/sso/config/SecurityConfig.java
index 3a7eaa23..fe6591c9 100644
--- a/api/src/main/java/io/sentrius/sso/config/SecurityConfig.java
+++ b/api/src/main/java/io/sentrius/sso/config/SecurityConfig.java
@@ -42,56 +42,10 @@ public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
- /* http
- .authorizeRequests(authorize -> authorize
- .requestMatchers("/sso/v1/**", "/api/v1/**").authenticated() // Pages that need authentication
- .requestMatchers("/node/**", "/js/**", "/css/**", "/images/**", "/error", "/sso/login", "/api/v1/login/authenticate").permitAll() // Public endpoints
- .anyRequest().authenticated() // Other pages need authentication
- )
- .logout(logout -> logout
- .logoutSuccessUrl("/sso/login?logout") // Redirect after logout
- )
- .sessionManagement(session -> session
- .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
- )
- .oauth2Login(oauth2 -> oauth2 // Enable OAuth2 login
- .loginPage("/oauth2/authorization/keycloak") // Redirect to Keycloak
- )
- .oauth2ResourceServer(oauth2 -> oauth2
- .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverterForKeycloak()))
- )
- .csrf(csrf -> csrf
- .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
- )
-
- .cors(Customizer.withDefaults())
- .exceptionHandling(exception -> exception
- .accessDeniedPage("/error") // Handle access denied with error page
- );*/
- /*
http
- .authorizeRequests(authorize -> authorize
- .requestMatchers("/sso/v1/**", "/api/v1/**").authenticated()
- .requestMatchers("/node/**", "/js/**", "/css/**", "/images/**", "/error", "/sso/login", "/api/v1/login/authenticate").permitAll()
- .anyRequest().authenticated()
- )
- .sessionManagement(session -> session
- .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
- )
- .oauth2Login(oauth2 -> oauth2
- .loginPage("/oauth2/authorization/keycloak")
- )
- .oauth2ResourceServer(oauth2 -> oauth2
- .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverterForKeycloak()))
- )
- .csrf(csrf -> csrf
- .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
- )
- .cors(Customizer.withDefaults())
- .exceptionHandling(exception -> exception
- .accessDeniedPage("/error")
- );*/
- http.authorizeHttpRequests(auth -> auth.requestMatchers("/**").fullyAuthenticated())
+ .authorizeHttpRequests(auth -> auth.
+ requestMatchers("/actuator/**").permitAll() // Public endpoints
+ .requestMatchers("/**").fullyAuthenticated())
.oauth2ResourceServer(oauth2 -> oauth2
.jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverterForKeycloak()))
)
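Review bot: `requestMatchers("/actuator/**").permitAll()` opens every actuator endpoint to anonymous callers, while the intent stated by the properties hunks in this commit is only the health probe; `.requestMatchers("/actuator/health/**").permitAll()` keeps the rule correct even if `management.endpoints.web.exposure.include` is later widened to env, beans or heapdump. The `auth.` left dangling at the end of `auth -> auth.` with the next call on the following line is an unusual split; placing the dot at the start of the continuation, as the sibling `.requestMatchers("/**")` line does, reads more consistently. A comment on the new matcher, `// health probe for the GCE ingress; everything else requires a Keycloak JWT`, would record why the exception exists. The `securityFilterChain` method continues past the end of this hunk.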
@@ -104,12 +58,6 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
return http.build();
}
- /*
- @Bean
- public JwtDecoder jwtDecoder(OAuth2ResourceServerProperties properties) {
- return JwtDecoders.fromIssuerLocation("http://localhost:8180/realms/sentrius");
- }
-*/
@Bean
public JwtAuthenticationConverter jwtAuthenticationConverterForKeycloak() {
JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
diff --git a/api/src/main/java/io/sentrius/sso/controllers/api/RuleApiController.java b/api/src/main/java/io/sentrius/sso/controllers/api/RuleApiController.java
index 08020db5..4015a222 100644
--- a/api/src/main/java/io/sentrius/sso/controllers/api/RuleApiController.java
+++ b/api/src/main/java/io/sentrius/sso/controllers/api/RuleApiController.java
@@ -77,7 +77,7 @@ public ResponseEntity> listRules(HttpServletRequest request
boolean canEditRules = AccessUtil.canAccess(user, RuleAccessEnum.CAN_EDIT_RULES);
boolean canDeleteRules = AccessUtil.canAccess(user, RuleAccessEnum.CAN_MANAGE_RULES);
if (AccessUtil.canAccess(user, ApplicationAccessEnum.CAN_MANAGE_APPLICATION)) {
-
+ log.info("User can manage rules {}", user.getAuthorizationType());
for(ProfileRule rule: ruleService.getAllRules()) {
var dto = new ProfileRuleDTO(rule, rule.getHostGroups().stream().toList(), canViewRules, canEditRules,
canDeleteRules);
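Review bot: The new `log.info("User can manage rules {}", user.getAuthorizationType())` fires on every list request at INFO, and its text does not match the condition above it, which checks `ApplicationAccessEnum.CAN_MANAGE_APPLICATION` rather than a rule permission; the second hunk's `log.info("User can manage own rules")` carries the same per-request INFO cost. Both read as temporary diagnostics and belong at debug level, e.g. `log.debug("Listing all rules: user has CAN_MANAGE_APPLICATION ({})", user.getAuthorizationType());`, and the authorization type is presumably per-user data that a production INFO stream does not need on every call. The `listRules` method starts and ends outside this hunk.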
@@ -85,6 +85,7 @@ public ResponseEntity> listRules(HttpServletRequest request
log.info("Adding {}", dto);
}
} else {
+ log.info("User can manage own rules");
var groups = hostGroupService.getAllHostGroups(user);
for (HostGroup group : groups) {
for(ProfileRule rule : group.getRules()) {
diff --git a/api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java b/api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java
index ce991517..8b68fafd 100644
--- a/api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java
+++ b/api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java
@@ -29,6 +29,7 @@
import io.sentrius.sso.core.model.dto.UserTypeDTO;
import io.sentrius.sso.core.model.hostgroup.HostGroup;
import io.sentrius.sso.core.model.security.UserType;
+import io.sentrius.sso.core.model.security.enums.ApplicationAccessEnum;
import io.sentrius.sso.core.model.security.enums.AutomationAccessEnum;
import io.sentrius.sso.core.model.security.enums.RuleAccessEnum;
import io.sentrius.sso.core.model.security.enums.SSHAccessEnum;
@@ -337,6 +338,10 @@ protected List createUserTypes(List sideEffects, InstallCo
builder.ztAccessTokenAccess(ZeroTrustAccessTokenEnum.of(List.of(type.getZtAccessTokenAccess())));
}
+ if (null != type.getApplicationAccess()){
+ builder.applicationAccess(ApplicationAccessEnum.of(List.of(type.getApplicationAccess())));
+ }
+
UserType newType = builder.userTypeName(type.getUserTypeName()).build();
userTypeRepository.findByUserTypeName(type.getUserTypeName())
.ifPresentOrElse(
diff --git a/api/src/main/resources/application.properties b/api/src/main/resources/application.properties
index bdbf2c96..b90ec691 100644
--- a/api/src/main/resources/application.properties
+++ b/api/src/main/resources/application.properties
@@ -72,4 +72,7 @@ spring.security.oauth2.client.registration.keycloak.redirect-uri=http://192.168.
spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://192.168.1.162:8180/realms/sentrius
-spring.security.oauth2.client.provider.keycloak.issuer-uri=http://192.168.1.162:8180/realms/sentrius
\ No newline at end of file
+spring.security.oauth2.client.provider.keycloak.issuer-uri=http://192.168.1.162:8180/realms/sentrius
+
+management.endpoints.web.exposure.include=health
+management.endpoint.health.show-details=always
\ No newline at end of file
diff --git a/api/src/main/resources/templates/sso/errors/list_errors.html b/api/src/main/resources/templates/sso/errors/list_errors.html
index 34fa7b39..21f593e2 100755
--- a/api/src/main/resources/templates/sso/errors/list_errors.html
+++ b/api/src/main/resources/templates/sso/errors/list_errors.html
@@ -111,7 +111,7 @@
-
+
Errors
diff --git a/core/src/main/java/io/sentrius/sso/core/services/RuleService.java b/core/src/main/java/io/sentrius/sso/core/services/RuleService.java
index 9c5c5f4f..ceb44e74 100644
--- a/core/src/main/java/io/sentrius/sso/core/services/RuleService.java
+++ b/core/src/main/java/io/sentrius/sso/core/services/RuleService.java
@@ -32,7 +32,9 @@ public void deleteRule(ProfileRule rule) {
public ProfileRule saveRule(ProfileRule rule) {
try {
log.info("Saving rule with id: {}", rule.getId());
- return ruleRepository.save(rule);
+ var newRule = ruleRepository.save(rule);
+ log.info("Saving rule with id: {}", newRule.getId());
+ return newRule;
} catch (Exception e) {
log.error("Error while saving Rule", e);
throw new RuntimeException("Failed to save Rule", e);
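Review bot: The added `log.info("Saving rule with id: {}", newRule.getId())` repeats the message logged two lines earlier word for word, so the two entries cannot be told apart in the log and the point of the change — showing the id assigned by `save` for a new rule — is lost. Changing the new line to `log.info("Saved rule with id: {}", newRule.getId());` makes the before/after pair readable. The body of `saveRule` continues past the end of the hunk.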
diff --git a/docker/keycloak/Dockerfile b/docker/keycloak/Dockerfile
index 6d3e1949..11eae5da 100644
--- a/docker/keycloak/Dockerfile
+++ b/docker/keycloak/Dockerfile
@@ -19,5 +19,5 @@ COPY ./realms/sentrius-realm.json /opt/keycloak/data/import/sentrius-realm.json
RUN ls -l /opt/keycloak/data/import/sentrius-realm.json
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
-CMD ["start-dev", "--proxy=passthrough", "--import-realm"]
+CMD ["start-dev", "--proxy=passthrough", "--import-realm", "--health-enabled=true"]
diff --git a/docker/keycloak/realms/sentrius-realm.json b/docker/keycloak/realms/sentrius-realm.json
index b2de8013..32164353 100644
--- a/docker/keycloak/realms/sentrius-realm.json
+++ b/docker/keycloak/realms/sentrius-realm.json
@@ -7,9 +7,9 @@
"enabled": true,
"clientAuthenticatorType": "client-secret",
"secret": "nGkEukexSWTvDzYjSkDmeUlM0FJ5Jhh0",
- "rootUrl": "http://sentrius-keycloak:30080/",
- "baseUrl": "http://sentrius-keycloak:30080/",
- "redirectUris": ["http://sentrius-keycloak:30080/*"],
+ "rootUrl": "${ROOT_URL}",
+ "baseUrl": "${ROOT_URL}",
+ "redirectUris": ["${REDIRECT_URIS}/*"],
"protocol": "openid-connect"
}
],
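Review bot: The hunk parameterizes `rootUrl`, `baseUrl` and `redirectUris` through `${ROOT_URL}` and `${REDIRECT_URIS}` but leaves the client `secret` on the context line above as a fixed literal in the imported realm, so every tenant realm built from this file shares one committed client secret. The same substitution mechanism can carry it — `"secret": "${CLIENT_SECRET}"` — with the value injected from a Kubernetes Secret in keycloak-deployment.yaml next to `ROOT_URL`, and the literal now in the repository history should be rotated on the Keycloak side. `"redirectUris": ["${REDIRECT_URIS}/*"]` accepts any path on the origin; if only the Spring login callback is needed, `"${REDIRECT_URIS}/login/oauth2/code/*"` narrows it to the path the configmap sets as `redirect-uri`.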
diff --git a/docker/sentrius-agent/Dockerfile b/docker/sentrius-agent/Dockerfile
index dd154a91..789755a1 100644
--- a/docker/sentrius-agent/Dockerfile
+++ b/docker/sentrius-agent/Dockerfile
@@ -14,4 +14,4 @@ RUN apt-get update && apt-get install -y curl
# Command to run the app
-CMD ["java", "-jar", "/app/agent.jar", "--spring.config.location=/config/application.properties"]
+CMD ["java", "-jar", "/app/agent.jar", "--spring.config.location=/config/agent-application.properties"]
diff --git a/ops-scripts/gcp/base.sh b/ops-scripts/gcp/base.sh
index e2c7aefc..7d0b5403 100755
--- a/ops-scripts/gcp/base.sh
+++ b/ops-scripts/gcp/base.sh
@@ -1,4 +1,5 @@
#!/bin/bash
NAMESPACE=sentrius
CLUSTER=sentrius-autopilot-cluster-1
-REGION=us-east1
\ No newline at end of file
+REGION=us-east1
+ZONE=sentrius-cloud
\ No newline at end of file
diff --git a/ops-scripts/gcp/create-subdomain.sh b/ops-scripts/gcp/create-subdomain.sh
new file mode 100644
index 00000000..c6cf9d8e
--- /dev/null
+++ b/ops-scripts/gcp/create-subdomain.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+
+
+source ${SCRIPT_DIR}/base.sh
+
+TENANT=$1
+
+gcloud dns record-sets transaction start --zone=${ZONE}
+gcloud dns record-sets transaction add --zone=${ZONE} \
+ --name=${TENANT}.sentrius.cloud. \
+ --type=CNAME \
+ --ttl=300 \
+ app-loadbalancer.region.cloud.goog &&
+gcloud dns record-sets transaction execute --zone=${ZONE}
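Review bot: `TENANT=$1` is used unchecked in `--name=${TENANT}.sentrius.cloud.`, so running the script without an argument starts a transaction and tries to add a record for `.sentrius.cloud.`; unlike deploy-helm.sh there is no empty-argument guard, and `[[ -n "$TENANT" ]] || { echo "usage: $0 <tenant>" 1>&2; exit 1; }` after the assignment closes that. The CNAME target `app-loadbalancer.region.cloud.goog` looks like a placeholder rather than a real hostname, and deploy-helm.sh in this same commit creates A records from the ingress IP instead, so the two scripts presumably disagree on how a tenant name resolves. If `transaction add` fails, the `&&` skips `execute` but leaves the started transaction file behind; a `|| gcloud dns record-sets transaction abort --zone=${ZONE}` fallback cleans up. The file is added with mode 100644 while the sibling scripts are executable.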
diff --git a/ops-scripts/gcp/deploy-helm.sh b/ops-scripts/gcp/deploy-helm.sh
new file mode 100755
index 00000000..e607a107
--- /dev/null
+++ b/ops-scripts/gcp/deploy-helm.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+
+
+source ${SCRIPT_DIR}/base.sh
+source ${SCRIPT_DIR}/../../.gcp.env
+
+TENANT=$1
+
+if [[ -z "$TENANT" ]]; then
+ echo "Must provide single argument for tenant name" 1>&2
+ exit 1
+fi
+
+# Check if namespace exists
+kubectl get namespace ${TENANT} >/dev/null 2>&1
+if [[ $? -ne 0 ]]; then
+ echo "Namespace ${TENANT} does not exist. Creating..."
+ kubectl create namespace ${TENANT} || { echo "Failed to create namespace ${TENANT}"; exit 1; }
+fi
+
+
+
+helm upgrade --install sentrius ./sentrius-gcp-chart --namespace ${TENANT} \
+ --set tenant=${TENANT} \
+ --set subdomain=${TENANT}.sentrius.cloud \
+ --set sentrius.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius \
+ --set sentrius.image.tag=${SENTRIUS_VERSION} \
+ --set ssh.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius-ssh \
+ --set ssh.image.tag=${SENTRIUS_SSH_VERSION} \
+ --set keycloak.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius-keycloak \
+ --set keycloak.image.tag=${SENTRIUS_KEYCLOAK_VERSION} \
+ --set sentriusagent.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius-agent \
+ --set sentriusagent.image.tag=${SENTRIUS_AGENT_VERSION} || { echo "Failed to deploy Sentrius with Helm"; exit 1; }
+
+
+# Wait for LoadBalancer IPs to be ready
+echo "Waiting for LoadBalancer IPs to be assigned..."
+RETRIES=30
+SLEEP_INTERVAL=10
+
+for ((i=1; i<=RETRIES; i++)); do
+ # Retrieve LoadBalancer IP
+ # Retrieve LoadBalancer IP
+ INGRESS_IP=$(kubectl get ingress managed-cert-ingress-${TENANT} -n ${TENANT} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+
+
+ if [[ -n "$INGRESS_IP" ]]; then
+ echo "INGRESS_IP IP: $INGRESS_IP"
+ break
+ fi
+
+ echo "Attempt $i: Waiting for IPs to be assigned..."
+ sleep $SLEEP_INTERVAL
+done
+
+if [[ -z "$INGRESS_IP" ]]; then
+ echo "Failed to retrieve LoadBalancer IPs after $((RETRIES * SLEEP_INTERVAL)) seconds."
+ exit 1
+fi
+
+# Check if subdomain exists
+if gcloud dns record-sets list --zone=${ZONE} --name=${TENANT}.sentrius.cloud. | grep -q ${TENANT}.sentrius.cloud.; then
+ echo "Subdomain ${TENANT}.sentrius.cloud already exists. Skipping creation."
+else
+ echo "Creating subdomain ${TENANT}.sentrius.cloud..."
+ gcloud dns record-sets transaction start --zone=${ZONE}
+
+ gcloud dns record-sets transaction add --zone=${ZONE} \
+ --name=${TENANT}.sentrius.cloud. \
+ --type=A \
+ --ttl=300 \
+ $INGRESS_IP
+
+ gcloud dns record-sets transaction add --zone=${ZONE} \
+ --name=keycloak.${TENANT}.sentrius.cloud. \
+ --type=A \
+ --ttl=300 \
+ $INGRESS_IP
+
+ gcloud dns record-sets transaction execute --zone=${ZONE}
+fi
\ No newline at end of file
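Review bot: `TENANT` flows unvalidated into a namespace name, Helm values, a DNS name and a `grep` pattern (`grep -q ${TENANT}.sentrius.cloud.`) with only the empty check at the top; Kubernetes namespaces and DNS labels are both limited to lowercase letters, digits and hyphens, so `[[ "$TENANT" =~ ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ ]] || { echo "invalid tenant name: $TENANT" 1>&2; exit 1; }` rejects anything the downstream tools would mis-parse. The chart path `./sentrius-gcp-chart` is relative to the caller's working directory while everything else is resolved from `SCRIPT_DIR`, so the deploy fails when invoked from another directory; `${SCRIPT_DIR}/../../sentrius-gcp-chart` matches how `.gcp.env` is located. In the DNS block a failed `transaction add` still reaches `transaction execute` and leaves the transaction file in place; `set -e` at the top, or `|| { gcloud dns record-sets transaction abort --zone=${ZONE}; exit 1; }` on each add, keeps the zone consistent. The duplicated `# Retrieve LoadBalancer IP` comment inside the loop can be dropped.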
diff --git a/ops-scripts/gcp/destroy-tenant.sh b/ops-scripts/gcp/destroy-tenant.sh
new file mode 100755
index 00000000..35e4c07f
--- /dev/null
+++ b/ops-scripts/gcp/destroy-tenant.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+
+source ${SCRIPT_DIR}/base.sh
+source ${SCRIPT_DIR}/../../.gcp.env
+
+TENANT=$1
+
+if [[ -z "$TENANT" ]]; then
+ echo "Must provide single argument for tenant name" 1>&2
+ exit 1
+fi
+
+# Check if namespace exists
+kubectl get namespace ${TENANT} >/dev/null 2>&1
+if [[ $? -ne 0 ]]; then
+ echo "Namespace ${TENANT} does not exist. Nothing to delete."
+else
+ echo "Deleting Kubernetes namespace ${TENANT}..."
+ kubectl delete namespace ${TENANT} --wait || echo "Failed to delete namespace ${TENANT}"
+fi
+
+# Uninstall Helm release
+echo "Uninstalling Helm release for tenant ${TENANT}..."
+helm uninstall sentrius --namespace ${TENANT} || echo "Helm release not found for tenant ${TENANT}"
+
+# Delete DNS records
+echo "Deleting DNS records for tenant ${TENANT}..."
+gcloud dns record-sets transaction start --zone=${ZONE}
+
+# Retrieve DNS record details
+TENANT_RECORD=$(gcloud dns record-sets list --zone=${ZONE} --name=${TENANT}.sentrius.cloud. --format="value(rrdatas[0],ttl,type)")
+KEYCLOAK_RECORD=$(gcloud dns record-sets list --zone=${ZONE} --name=keycloak.${TENANT}.sentrius.cloud. --format="value(rrdatas[0],ttl,type)")
+
+# Delete tenant DNS record
+if [[ -n "$TENANT_RECORD" ]]; then
+ read -r TENANT_RRDATA TENANT_TTL TENANT_TYPE <<< "$TENANT_RECORD"
+ gcloud dns record-sets transaction remove --zone=${ZONE} \
+ --name=${TENANT}.sentrius.cloud. \
+ --type=$TENANT_TYPE \
+ --ttl=$TENANT_TTL \
+ $TENANT_RRDATA || echo "Failed to remove DNS record for ${TENANT}.sentrius.cloud"
+else
+ echo "No DNS record found for ${TENANT}.sentrius.cloud"
+fi
+
+# Delete Keycloak DNS record
+if [[ -n "$KEYCLOAK_RECORD" ]]; then
+ read -r KEYCLOAK_RRDATA KEYCLOAK_TTL KEYCLOAK_TYPE <<< "$KEYCLOAK_RECORD"
+ gcloud dns record-sets transaction remove --zone=${ZONE} \
+ --name=keycloak.${TENANT}.sentrius.cloud. \
+ --type=$KEYCLOAK_TYPE \
+ --ttl=$KEYCLOAK_TTL \
+ $KEYCLOAK_RRDATA || echo "Failed to remove DNS record for keycloak.${TENANT}.sentrius.cloud"
+else
+ echo "No DNS record found for keycloak.${TENANT}.sentrius.cloud"
+fi
+
+# Execute the DNS record transaction
+gcloud dns record-sets transaction execute --zone=${ZONE} || echo "No DNS changes applied."
+
+echo "All resources for tenant ${TENANT} have been deleted."
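Review bot: The namespace is deleted (`kubectl delete namespace ${TENANT} --wait`) before `helm uninstall sentrius --namespace ${TENANT}` runs, and Helm keeps release state inside that namespace, so the uninstall presumably always reports "Helm release not found" once the namespace is gone; reversing the two steps lets Helm perform its own cleanup first. The script is irreversible and takes a bare positional tenant name, so a mistyped argument removes another tenant's namespace and DNS records; a confirmation prompt such as `read -r -p "Delete tenant ${TENANT}? [y/N] " ans; [[ "$ans" == "y" ]] || exit 1`, or an explicit `--yes` flag, is the usual safeguard for a destroy script. `transaction start` is issued before either record lookup, so when neither record exists an empty transaction is executed and the error hidden by `|| echo "No DNS changes applied."`; starting the transaction only once a record is found, and calling `transaction abort` when nothing was queued, gives an honest exit status. `TENANT` also deserves the same character-set check (lowercase letters, digits, hyphens) that the namespace and DNS tooling require.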
diff --git a/ops-scripts/gcp/remove-subdomain.sh b/ops-scripts/gcp/remove-subdomain.sh
new file mode 100644
index 00000000..fa7f4b20
--- /dev/null
+++ b/ops-scripts/gcp/remove-subdomain.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+
+
+source ${SCRIPT_DIR}/base.sh
+
+DOMAIN=$1
+
+gcloud dns record-sets transaction start --zone=${ZONE}
+gcloud dns record-sets transaction remove --zone=${ZONE} \
+ --name=${DOMAIN}.sentrius.cloud --type=A --ttl=300
+gcloud dns record-sets transaction execute --zone=${ZONE}
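Review bot: `gcloud dns record-sets transaction remove` needs the record's data as a positional argument, and the call at `--name=${DOMAIN}.sentrius.cloud --type=A --ttl=300` passes none, so the removal is expected to fail; the record has to be listed first, as destroy-tenant.sh in this commit does with `--format="value(rrdatas[0],ttl,type)"`, and its rrdata (and stored TTL) passed through, since a mismatched TTL also makes the remove fail. The name lacks the trailing dot every other script uses (`${DOMAIN}.sentrius.cloud.`). `DOMAIN=$1` has no empty-argument guard, and the file is added with mode 100644 rather than executable.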
diff --git a/ops-scripts/gcp/depoloy-helm.sh b/ops-scripts/gcp/test-helm.sh
similarity index 61%
rename from ops-scripts/gcp/depoloy-helm.sh
rename to ops-scripts/gcp/test-helm.sh
index 93255033..9b1ba269 100755
--- a/ops-scripts/gcp/depoloy-helm.sh
+++ b/ops-scripts/gcp/test-helm.sh
@@ -6,7 +6,25 @@ SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
source ${SCRIPT_DIR}/base.sh
source ${SCRIPT_DIR}/../../.gcp.env
-helm upgrade --install sentrius ./sentrius-gcp-chart --namespace ${NAMESPACE} \
+TENANT=$1
+
+if [[ -z "$TENANT" ]]; then
+ echo "Must provide single argument for tenant name" 1>&2
+ exit 1
+fi
+
+# Check if namespace exists
+kubectl get namespace ${TENANT} >/dev/null 2>&1
+if [[ $? -ne 0 ]]; then
+ echo "Namespace ${TENANT} does not exist. Creating..."
+ kubectl create namespace ${TENANT} || { echo "Failed to create namespace ${TENANT}"; exit 1; }
+fi
+
+
+
+helm template ${TENANT} ./sentrius-gcp-chart/ --values sentrius-gcp-chart/values.yaml \
+ --set tenant=${TENANT} \
+ --set subdomain=${TENANT}.sentrius.cloud \
--set sentrius.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius \
--set sentrius.image.tag=${SENTRIUS_VERSION} \
--set ssh.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius-ssh \
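Review bot: A script whose purpose is `helm template` — rendering manifests without installing — still creates the tenant namespace as a side effect on `kubectl create namespace ${TENANT}`, which is surprising for a test run and leaves a real namespace behind on the cluster; `helm template` does not need the namespace to exist, so the `kubectl get namespace`/`create` block can be dropped here and left to deploy-helm.sh. The `--set` list continues past the end of the hunk.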
diff --git a/pom.xml b/pom.xml
index 8c8d378a..8792f1ad 100644
--- a/pom.xml
+++ b/pom.xml
@@ -94,10 +94,6 @@
spring-boot-devtools
true
-
- org.springframework.boot
- spring-boot-starter-actuator
-
io.hypersistence
hypersistence-utils-hibernate-60
@@ -163,6 +159,11 @@
spring-boot-starter-actuator
${spring.boot.version}
+
+ org.springframework.boot
+ spring-boot-starter-webflux
+ ${spring.boot.version}
+
org.springframework.boot
spring-boot-starter-security
diff --git a/sentrius-gcp-chart/templates/agent-deployment.yaml b/sentrius-gcp-chart/templates/agent-deployment.yaml
index ee7901d6..c39dd149 100644
--- a/sentrius-gcp-chart/templates/agent-deployment.yaml
+++ b/sentrius-gcp-chart/templates/agent-deployment.yaml
@@ -17,11 +17,7 @@ spec:
initContainers:
- name: wait-for-postgres
image: busybox
- command: [ 'sh', '-c', 'until nc -z {{ .Release.Name }}-postgres.{{ .Release.Namespace }}.svc.cluster.local 5432; do echo waiting for postgres; sleep 2; done;' ]
- - name: wait-for-keycloak
- image: busybox
- command: [ 'sh', '-c', 'until nc -z {{ .Release.Name }}-keycloak.{{ .Release.Namespace }}.svc.cluster.local
- 30081; do echo waiting for postgres; sleep 2; done;' ]
+ command: [ 'sh', '-c', 'until nc -z {{ .Release.Name }}-postgres 5432; do echo waiting for postgres; sleep 2; done;' ]
containers:
- name: sentrius-agent
image: "{{ .Values.sentriusagent.image.repository }}:{{ .Values.sentriusagent.image.tag }}"
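Review bot: Dropping the `wait-for-keycloak` init container means the pod starts as soon as Postgres answers, and the configmap in this commit configures the Keycloak provider with only `issuer-uri`; in that configuration Spring Boot presumably performs OIDC discovery against Keycloak while building the client registration at startup, so the container would crash-loop until Keycloak is reachable. The deployment still converges through restarts, but a readiness-based wait, or a `startupProbe` with a generous `failureThreshold`, would make that intentional rather than accidental. The same init container is removed in sentrius-gcp-chart/templates/deployment.yaml. The shortened `nc -z {{ .Release.Name }}-postgres 5432` relies on the pod's DNS search path, which holds because the service lives in the same namespace.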
diff --git a/sentrius-gcp-chart/templates/configmap.yaml b/sentrius-gcp-chart/templates/configmap.yaml
index a76b1136..5914a85b 100644
--- a/sentrius-gcp-chart/templates/configmap.yaml
+++ b/sentrius-gcp-chart/templates/configmap.yaml
@@ -5,7 +5,130 @@ metadata:
labels:
{{- include "sentrius.labels" . | nindent 4 }}
data:
- application.properties: |
- {{ .Values.sentrius.config.application | nindent 4 }}
+ agent-application.properties: |
+ keystore.file=sso.jceks
+ keystore.password=${KEYSTORE_PASSWORD}
+ keystore.alias=KEYBOX-ENCRYPTION_KEY
+ keystore.algorithm=AES
+ spring.main.web-application-type=servlet
+ spring.thymeleaf.enabled=true
+ spring.freemarker.enabled=false
+ #flyway configuration
+ spring.flyway.enabled=true
+ spring.datasource.url=jdbc:postgresql://sentrius-postgres:5432/sentrius
+ spring.datasource.username=${SPRING_DATASOURCE_USERNAME}
+ spring.datasource.password=${SPRING_DATASOURCE_PASSWORD}
+ spring.datasource.driver-class-name=org.postgresql.Driver
+ # Connection pool settings
+ spring.datasource.hikari.maximum-pool-size=10
+ spring.datasource.hikari.minimum-idle=5
+ spring.datasource.hikari.idle-timeout=30000
+ spring.datasource.hikari.max-lifetime=1800000
+ # Hibernate settings (optional, for JPA)
+ spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
+ # Disable automatic schema generation in production
+ spring.jpa.hibernate.ddl-auto=none
+ # Ensure this path matches your project structure
+ #spring.flyway.locations=classpath:db/migration/
+ spring.flyway.baseline-on-migrate=true
+ # Thymeleaf settings
+ spring.thymeleaf.prefix=classpath:/templates/
+ spring.thymeleaf.suffix=.html
+ #spring.datasource.url=jdbc:h2:mem:testdb
+ logging.level.org.springframework.web=INFO
+ logging.level.org.springframework.security=INFO
+ logging.level.io.sentrius=DEBUG
+ logging.level.org.thymeleaf=INFO
+ spring.thymeleaf.servlet.produce-partial-output-while-processing=false
+ spring.servlet.multipart.enabled=true
+ spring.servlet.multipart.max-file-size=10MB
+ spring.servlet.multipart.max-request-size=10MB
+ server.error.whitelabel.enabled=false
+ dynamic.properties.path=/config/dynamic.properties
+ keycloak.realm=sentrius
+ # Keycloak configuration
+ spring.security.oauth2.client.registration.keycloak.client-id="{{ .Values.sentrius.oauth2.client_id }}"
+ spring.security.oauth2.client.registration.keycloak.client-secret="{{ .Values.sentrius.oauth2.client_secret }}"
+ spring.security.oauth2.client.registration.keycloak.authorization-grant-type="{{ .Values.sentrius.oauth2.authorization_grant_type }}"
+ spring.security.oauth2.client.registration.keycloak.redirect-uri=https://{{ .Values.subdomain }}/login/oauth2/code/keycloak
+ spring.security.oauth2.client.registration.keycloak.scope="{{ .Values.sentrius.oauth2.scope }}"
+ spring.security.oauth2.resourceserver.jwt.issuer-uri=https://keycloak.{{ .Values.subdomain }}/realms/sentrius
+ spring.security.oauth2.client.provider.keycloak.issuer-uri=https://keycloak.{{ .Values.tenant }}.sentrius.cloud/realms/sentrius
+ agents.session-analytics.enabled=true
+ api-application.properties: |
+ keystore.file=sso.jceks
+ keystore.password=${KEYSTORE_PASSWORD}
+ keystore.alias=KEYBOX-ENCRYPTION_KEY
+ keystore.algorithm=AES
+ spring.main.web-application-type=servlet
+ spring.thymeleaf.enabled=true
+ spring.freemarker.enabled=false
+ #flyway configuration
+ spring.flyway.enabled=true
+ spring.datasource.url=jdbc:postgresql://sentrius-postgres:5432/sentrius
+ spring.datasource.username=${SPRING_DATASOURCE_USERNAME}
+ spring.datasource.password=${SPRING_DATASOURCE_PASSWORD}
+ spring.datasource.driver-class-name=org.postgresql.Driver
+ # Connection pool settings
+ spring.datasource.hikari.maximum-pool-size=10
+ spring.datasource.hikari.minimum-idle=5
+ spring.datasource.hikari.idle-timeout=30000
+ spring.datasource.hikari.max-lifetime=1800000
+ # Hibernate settings (optional, for JPA)
+ spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
+ # Disable automatic schema generation in production
+ spring.jpa.hibernate.ddl-auto=none
+ # Ensure this path matches your project structure
+ #spring.flyway.locations=classpath:db/migration/
+ spring.flyway.baseline-on-migrate=true
+ # Thymeleaf settings
+ spring.thymeleaf.prefix=classpath:/templates/
+ spring.thymeleaf.suffix=.html
+ #spring.datasource.url=jdbc:h2:mem:testdb
+ logging.level.org.springframework.web=INFO
+ logging.level.org.springframework.security=INFO
+ logging.level.io.sentrius=DEBUG
+ logging.level.org.thymeleaf=INFO
+ spring.thymeleaf.servlet.produce-partial-output-while-processing=false
+ spring.servlet.multipart.enabled=true
+ spring.servlet.multipart.max-file-size=10MB
+ spring.servlet.multipart.max-request-size=10MB
+ server.error.whitelabel.enabled=false
+ dynamic.properties.path=/config/dynamic.properties
+ keycloak.realm=sentrius
+ management.endpoints.web.exposure.include=health
+ management.endpoint.health.show-details=always
+ # Keycloak configuration
+ spring.security.oauth2.client.registration.keycloak.client-id={{ .Values.sentrius.oauth2.client_id }}
+ spring.security.oauth2.client.registration.keycloak.client-secret={{ .Values.sentrius.oauth2.client_secret }}
+ spring.security.oauth2.client.registration.keycloak.authorization-grant-type={{ .Values.sentrius.oauth2.authorization_grant_type }}
+ spring.security.oauth2.client.registration.keycloak.redirect-uri=https://{{ .Values.subdomain }}/login/oauth2/code/keycloak
+ spring.security.oauth2.client.registration.keycloak.scope={{ .Values.sentrius.oauth2.scope }}
+ spring.security.oauth2.resourceserver.jwt.issuer-uri=https://keycloak.{{ .Values.subdomain }}/realms/sentrius
+ spring.security.oauth2.client.provider.keycloak.issuer-uri=https://keycloak.{{ .Values.tenant }}.sentrius.cloud/realms/sentrius
+ server.forward-headers-strategy=native
+ https.redirect.enabled=true
dynamic.properties: |
- {{ .Values.sentrius.config.dynamic | nindent 4 }}
+ auditorClass=io.sentrius.sso.automation.auditing.AccessTokenAuditor
+ twopartyapproval.option.LOCKING_SYSTEMS=true
+ requireProfileForLogin=true
+ maxJitDurationMs=1440000
+ sshEnabled=true
+ systemLogoName=Sentrius
+ AccessTokenAuditor.rule.4=io.sentrius.sso.automation.auditing.rules.OpenAISessionRule;Malicious AI Monitoring
+ AccessTokenAuditor.rule.5=io.sentrius.sso.automation.auditing.rules.TwoPartyAIMonitor;AI Second Party Monitor
+ allowProxies=true
+ AccessTokenAuditor.rule.2=io.sentrius.sso.automation.auditing.rules.DeletePrevention;Delete Prevention
+ AccessTokenAuditor.rule.3=io.sentrius.sso.automation.auditing.rules.TwoPartySessionRule;Require Second Party Monitoring
+ AccessTokenAuditor.rule.0=io.sentrius.sso.automation.auditing.rules.CommandEvaluator;Restricted Commands
+ terminalsInNewTab=false
+ auditFlushIntervalMs=5000
+ AccessTokenAuditor.rule.1=io.sentrius.sso.automation.auditing.rules.AllowedCommandsRule;Approved Commands
+ knownHostsPath=/home/marc/.ssh/known_hosts
+ systemLogoPathLarge=/images/sentrius_large.jpg
+ maxJitUses=1
+ systemLogoPathSmall=/images/sentrius_small.png
+ enableInternalAudit=true
+ twopartyapproval.require.explanation.LOCKING_SYSTEMS=false
+ canApproveOwnJITs=false
+ yamlConfiguration=/app/exampleInstallWithTypes.yml
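Review bot: In `agent-application.properties` the Keycloak values are wrapped in double quotes (`client-id="{{ .Values.sentrius.oauth2.client_id }}"` and the three lines after it), and in a `.properties` file the quotes are part of the value, so the agent would present a client id and secret containing literal `"` characters; the `api-application.properties` block below writes the same keys unquoted, which is the form that works. `{{ .Values.sentrius.oauth2.client_secret }}` is rendered into a ConfigMap, which is readable by anything with `get configmap` in the namespace and appears in `kubectl describe`; the file already uses `${KEYSTORE_PASSWORD}` and `${SPRING_DATASOURCE_PASSWORD}` placeholders resolved from the environment, and `client-secret=${OAUTH2_CLIENT_SECRET}` fed from a Kubernetes Secret follows that pattern. `spring.datasource.url=jdbc:postgresql://sentrius-postgres:5432/sentrius` hard-codes the release name while the deployments use `{{ .Release.Name }}-postgres`, and `knownHostsPath=/home/marc/.ssh/known_hosts` is a developer home path that will not exist in the container. The `provider.keycloak.issuer-uri` lines build the host from `{{ .Values.tenant }}.sentrius.cloud` while the `resourceserver` lines use `{{ .Values.subdomain }}`; they agree today only because deploy-helm.sh sets both, and using `.Values.subdomain` in all four keeps the issuer consistent.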
diff --git a/sentrius-gcp-chart/templates/deployment.yaml b/sentrius-gcp-chart/templates/deployment.yaml
index c551c946..861c0d41 100644
--- a/sentrius-gcp-chart/templates/deployment.yaml
+++ b/sentrius-gcp-chart/templates/deployment.yaml
@@ -17,11 +17,7 @@ spec:
initContainers:
- name: wait-for-postgres
image: busybox
- command: [ 'sh', '-c', 'until nc -z {{ .Release.Name }}-postgres.{{ .Release.Namespace }}.svc.cluster.local 5432; do echo waiting for postgres; sleep 2; done;' ]
- - name: wait-for-keycloak
- image: busybox
- command: [ 'sh', '-c', 'until nc -z {{ .Release.Name }}-keycloak.{{ .Release.Namespace }}.svc.cluster.local
- 30081; do echo waiting for postgres; sleep 2; done;' ]
+ command: [ 'sh', '-c', 'until nc -z {{ .Release.Name }}-postgres 5432; do echo waiting for postgres; sleep 2; done;' ]
containers:
- name: sentrius
image: "{{ .Values.sentrius.image.repository }}:{{ .Values.sentrius.image.tag }}"
diff --git a/sentrius-gcp-chart/templates/ingress.yaml b/sentrius-gcp-chart/templates/ingress.yaml
new file mode 100644
index 00000000..a89a55f9
--- /dev/null
+++ b/sentrius-gcp-chart/templates/ingress.yaml
@@ -0,0 +1,33 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: managed-cert-ingress-{{ .Values.tenant }}
+ namespace: {{ .Values.tenant }}
+ annotations:
+ kubernetes.io/ingress.class: gce
+ kubernetes.io/ingress.allow-http: "false"
+ ingress.kubernetes.io/force-ssl-redirect: "true"
+ ingress.kubernetes.io/redirect-http-to-https: "true"
+ networking.gke.io/managed-certificates: wildcard-cert
+spec:
+ rules:
+ - host: keycloak.{{ .Values.tenant }}.sentrius.cloud
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ .Release.Name }}-keycloak
+ port:
+ number: 8081
+ - host: {{ .Values.tenant }}.sentrius.cloud
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ .Release.Name }}-sentrius
+ port:
+ number: 8080
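Review bot: With `kubernetes.io/ingress.allow-http: "false"` the GCE ingress creates no HTTP listener, so the `ingress.kubernetes.io/force-ssl-redirect` and `ingress.kubernetes.io/redirect-http-to-https` annotations above it have nothing to act on — and those keys belong to other ingress controllers, so the GCE controller presumably ignores them; on GKE the supported way to redirect is a `FrontendConfig` with `redirectToHttps.enabled: true` referenced from the ingress via the `networking.gke.io/v1beta1.FrontendConfig` annotation, which would also make the in-application `HttpsRedirectConfig` unnecessary. `namespace: {{ .Values.tenant }}` pins the object to a values-derived namespace instead of Helm's `{{ .Release.Namespace }}`, so a release installed anywhere else puts its ingress in the wrong namespace; keycloak-healthcheck.yaml in this commit does the same. `kubernetes.io/ingress.class` is the deprecated annotation form; `spec.ingressClassName: gce` is the current field.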
diff --git a/sentrius-gcp-chart/templates/keycloak-deployment.yaml b/sentrius-gcp-chart/templates/keycloak-deployment.yaml
index 7fdd24f4..d2b76ee9 100644
--- a/sentrius-gcp-chart/templates/keycloak-deployment.yaml
+++ b/sentrius-gcp-chart/templates/keycloak-deployment.yaml
@@ -22,10 +22,10 @@ spec:
image: "{{ .Values.keycloak.image.repository }}:{{ .Values.keycloak.image.tag }}"
imagePullPolicy: "{{ .Values.keycloak.image.pullPolicy }}"
ports:
- - containerPort: 30081
+ - containerPort: 8081
env:
- name: KC_HTTP_PORT
- value: "30081"
+ value: "8081"
- name: KEYCLOAK_ADMIN
value: {{ .Values.keycloak.adminUser }}
- name: KEYCLOAK_ADMIN_PASSWORD
@@ -41,12 +41,22 @@ spec:
- name: KC_DB_PASSWORD
value: {{ .Values.keycloak.db.password }}
- name: KC_HOSTNAME
- value: {{ .Values.keycloak.hostname }}:30081
+ value: keycloak.{{ .Values.subdomain }}
- name: KC_HOSTNAME_STRICT
value: "false"
- name: KEYCLOAK_LOGLEVEL
value: DEBUG
- name: ROOT_LOGLEVEL
value: DEBUG
+ - name: ROOT_URL
+ value: https://{{ .Values.subdomain }}/
+ - name: REDIRECT_URIS
+ value: https://{{ .Values.subdomain }}
+ - name: PROXY_ADDRESS_FORWARDING
+ value: "true"
+ - name: KC_HOSTNAME_STRICT_HTTPS
+ value: "false"
+ - name: KC_HTTP_ENABLED
+ value: "true"
command: [ "/opt/keycloak/bin/kc.sh" ]
- args: [ "start-dev", "--proxy=edge", "--import-realm"]
+ args: [ "start-dev", "--proxy=edge", "--import-realm", "--health-enabled=true"]
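Review bot: Running `start-dev` with `KC_HOSTNAME_STRICT: "false"`, the new `KC_HOSTNAME_STRICT_HTTPS: "false"` and `KC_HTTP_ENABLED: "true"`, plus `DEBUG` root logging, is a development profile, and this hunk keeps it while the same commit puts this Keycloak on a public hostname. `start-dev` disables the production hostname/TLS checks and is documented as not for production; behind a TLS-terminating ingress the usual shape is `start --proxy=edge --http-enabled=true` (or `--proxy-headers=xforwarded` on 24+) with the hostname enforced, e.g. `KC_HOSTNAME: https://keycloak.{{ tpl .Values.subdomain . }}` and `KC_HOSTNAME_STRICT: "true"`, so the advertised issuer can only ever be the https name. Note that `{{ .Values.subdomain }}` is itself a template string in values.yaml and Helm does not render values, so `KC_HOSTNAME` as written becomes the literal `keycloak.{{ .Values.tenant }}.sentrius.cloud` unless it goes through `tpl`. `ROOT_URL`, `REDIRECT_URIS` and `PROXY_ADDRESS_FORWARDING` are not Quarkus-Keycloak server options (the last is a WildFly-era variable superseded by `--proxy`); presumably the first two are substituted into the imported realm JSON — confirm — in which case a `REDIRECT_URIS` value with no path or `/*` only matches an exact redirect to the site root, not `/login/oauth2/code/keycloak`.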
diff --git a/sentrius-gcp-chart/templates/keycloak-healthcheck.yaml b/sentrius-gcp-chart/templates/keycloak-healthcheck.yaml
new file mode 100644
index 00000000..77649f46
--- /dev/null
+++ b/sentrius-gcp-chart/templates/keycloak-healthcheck.yaml
@@ -0,0 +1,13 @@
+apiVersion: cloud.google.com/v1
+kind: BackendConfig
+metadata:
+ name: keycloak-backend-config
+ namespace: {{ .Values.tenant }}
+spec:
+ healthCheck:
+ checkIntervalSec: 10
+ timeoutSec: 5
+ healthyThreshold: 2
+ unhealthyThreshold: 2
+ requestPath: /health/ready
+ port: 8081
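Review bot: `requestPath: /health/ready` on `port: 8081` assumes Keycloak serves health on its HTTP listener, but since Keycloak 25 the health and metrics endpoints live on the management interface (port 9000 by default) and `--health-enabled=true` alone does not put them back on 8081. If the `sentrius-keycloak` image is built on 25 or newer (the tag here does not say), the GCE health check never goes green and the backend stays UNHEALTHY; either point the check at the management port (expose it on the container and Service, not the Ingress — the health checker only needs VPC reachability) or run with `--legacy-observability-interface=true` until the chart catches up. Worth a comment on `port:` recording which Keycloak version this path was verified against.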
diff --git a/sentrius-gcp-chart/templates/keycloak-service.yaml b/sentrius-gcp-chart/templates/keycloak-service.yaml
index f74362e9..04d2e5bc 100644
--- a/sentrius-gcp-chart/templates/keycloak-service.yaml
+++ b/sentrius-gcp-chart/templates/keycloak-service.yaml
@@ -2,14 +2,18 @@ apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-keycloak
+ namespace: {{ .Values.tenant }}
+ annotations:
+ cloud.google.com/backend-config: '{"default": "keycloak-backend-config"}'
labels:
app: keycloak
release: {{ .Release.Name }}
+
spec:
- type: LoadBalancer
+ type: ClusterIP
ports:
- name: http
- port: 80
+ port: {{ .Values.keycloak.port }}
targetPort: {{ .Values.keycloak.port }} # Replace with the internal port Keycloak listens to
selector:
app: keycloak
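Review bot: `namespace: {{ .Values.tenant }}` is now hard-coded in the Service metadata, so the `namespace: default` value at the top of values.yaml and any `--namespace` passed to `helm install` no longer decide where this lands; pick one source (drop the explicit `namespace:` and install with `-n`, or use `{{ .Release.Namespace }}`) so the Service, BackendConfig and Ingress cannot end up in different namespaces. Moving from `LoadBalancer` to `ClusterIP` is right now that the Ingress fronts it, but a ClusterIP backend behind GCE Ingress only works with container-native load balancing; unless the cluster already defaults to NEGs, add `cloud.google.com/neg: '{"ingress": true}'` next to the `backend-config` annotation or the Ingress will reject the backend. The trailing comment on `targetPort` ("Replace with the internal port…") is stale now that both ports come from `.Values.keycloak.port`.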
diff --git a/sentrius-gcp-chart/templates/managed-cert.yaml b/sentrius-gcp-chart/templates/managed-cert.yaml
new file mode 100644
index 00000000..aff201a0
--- /dev/null
+++ b/sentrius-gcp-chart/templates/managed-cert.yaml
@@ -0,0 +1,8 @@
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+ name: wildcard-cert
+spec:
+ domains:
+ - "{{ .Values.tenant }}.sentrius.cloud"
+ - "keycloak.{{ .Values.tenant }}.sentrius.cloud"
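Review bot: This `ManagedCertificate` has no `namespace:`, while the Ingress that references it by name pins `namespace: {{ .Values.tenant }}`; GKE resolves `networking.gke.io/managed-certificates` in the Ingress's own namespace, so unless the release happens to be installed with `-n {{ .Values.tenant }}` the certificate is created elsewhere, the Ingress finds nothing and the HTTPS listener comes up without a cert. Add `namespace: {{ .Values.tenant }}` here, or better make every resource in the chart use `{{ .Release.Namespace }}` consistently. The name `wildcard-cert` is also misleading — GKE managed certificates do not support wildcard names, and this one correctly lists two exact hostnames — so `{{ .Values.tenant }}-cert` would describe it and avoid a collision if two tenants ever share a namespace (the Ingress annotation must be renamed in step).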
diff --git a/sentrius-gcp-chart/templates/sentrius-healthcheck.yaml b/sentrius-gcp-chart/templates/sentrius-healthcheck.yaml
new file mode 100644
index 00000000..745978a7
--- /dev/null
+++ b/sentrius-gcp-chart/templates/sentrius-healthcheck.yaml
@@ -0,0 +1,13 @@
+apiVersion: cloud.google.com/v1
+kind: BackendConfig
+metadata:
+ name: sentrius-backend-config
+ namespace: {{ .Values.tenant }}
+spec:
+ healthCheck:
+ checkIntervalSec: 10
+ timeoutSec: 5
+ healthyThreshold: 2
+ unhealthyThreshold: 2
+ requestPath: /actuator/health
+ port: 8080
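Review bot: `requestPath: /actuator/health` makes the GCE health checker an anonymous client of the actuator through the same backend the public Ingress uses, so the app's security filter chain must permit that path without a session and the response should not include component details for anonymous callers. Confirm `/actuator/health` is permitted in the Spring security config (otherwise the checker receives a redirect to the Keycloak login and marks the backend unhealthy), and if `management.endpoint.health.show-details` is set to `always` anywhere for this service, prefer `when-authorized` so datasource and disk details are not readable from the internet. For a load balancer the probe-specific `/actuator/health/readiness` (with `management.endpoint.health.probes.enabled=true`) is a better `requestPath` than the aggregate health, since it will not flap on non-critical indicators.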
diff --git a/sentrius-gcp-chart/templates/service.yaml b/sentrius-gcp-chart/templates/service.yaml
index 0a76aa23..04a7add3 100644
--- a/sentrius-gcp-chart/templates/service.yaml
+++ b/sentrius-gcp-chart/templates/service.yaml
@@ -2,13 +2,16 @@ apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-sentrius
+ namespace: {{ .Values.tenant }}
+ annotations:
+ cloud.google.com/backend-config: '{"default": "sentrius-backend-config"}'
labels:
app: sentrius
spec:
- type: LoadBalancer
+ type: ClusterIP
ports:
- name: http
- port: 80
+ port: {{ .Values.sentrius.port }}
targetPort: {{ .Values.sentrius.port }} # Port used inside the container
selector:
app: sentrius
\ No newline at end of file
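Review bot: The Service port now follows `{{ .Values.sentrius.port }}`, but the new Ingress backend hard-codes `number: 8080` (and `8081` for Keycloak), so changing either value in values.yaml silently breaks routing with no template error. Use the same value in ingress.yaml (`number: {{ .Values.sentrius.port }}`) or reference the Service by port name (`name: http`) so the coupling is explicit. As with the Keycloak Service, `namespace: {{ .Values.tenant }}` is hard-coded here while values.yaml still declares `namespace: default`, and a ClusterIP backend behind GCE Ingress needs `cloud.google.com/neg: '{"ingress": true}'` unless the cluster already defaults to NEGs.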
diff --git a/sentrius-gcp-chart/values.yaml b/sentrius-gcp-chart/values.yaml
index 31e71459..ffad6ae1 100644
--- a/sentrius-gcp-chart/values.yaml
+++ b/sentrius-gcp-chart/values.yaml
@@ -2,6 +2,10 @@
replicaCount: 1
namespace: default
+
+tenant: sentrius-demo
+subdomain: "{{ .Values.tenant }}.sentrius.cloud"
+
# Sentrius configuration
sentrius:
image:
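Review bot: `subdomain: "{{ .Values.tenant }}.sentrius.cloud"` will not expand — Helm does not render Go templates inside values.yaml, so every template that writes `{{ .Values.subdomain }}` emits the literal text `{{ .Values.tenant }}.sentrius.cloud` into the manifest (KC_HOSTNAME, ROOT_URL, the oauth2 URLs). Either render it with `tpl` at each use (`{{ tpl .Values.subdomain . }}`) or, cleaner, drop the value and define a named template in `_helpers.tpl` such as `{{- define "sentrius.subdomain" -}}{{ .Values.tenant }}.sentrius.cloud{{- end -}}`. The new `tenant:` value also overlaps with the existing `namespace: default` just above it, since the templates in this commit pin `namespace: {{ .Values.tenant }}`; one of the two should go so the chart has a single notion of where it installs.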
@@ -16,80 +20,13 @@ sentrius:
SPRING_DATASOURCE_PASSWORD: password
KEYSTORE_PASSWORD: sentrius
resources: {}
- config:
- application: |
- keystore.file=sso.jceks
- keystore.password=${KEYSTORE_PASSWORD}
- keystore.alias=KEYBOX-ENCRYPTION_KEY
- keystore.algorithm=AES
- spring.main.web-application-type=servlet
- spring.thymeleaf.enabled=true
- spring.freemarker.enabled=false
- #flyway configuration
- spring.flyway.enabled=true
- spring.datasource.url=jdbc:postgresql://sentrius-postgres:5432/sentrius
- spring.datasource.username=${SPRING_DATASOURCE_USERNAME}
- spring.datasource.password=${SPRING_DATASOURCE_PASSWORD}
- spring.datasource.driver-class-name=org.postgresql.Driver
- # Connection pool settings
- spring.datasource.hikari.maximum-pool-size=10
- spring.datasource.hikari.minimum-idle=5
- spring.datasource.hikari.idle-timeout=30000
- spring.datasource.hikari.max-lifetime=1800000
- # Hibernate settings (optional, for JPA)
- spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
- # Disable automatic schema generation in production
- spring.jpa.hibernate.ddl-auto=none
- # Ensure this path matches your project structure
- #spring.flyway.locations=classpath:db/migration/
- spring.flyway.baseline-on-migrate=true
- # Thymeleaf settings
- spring.thymeleaf.prefix=classpath:/templates/
- spring.thymeleaf.suffix=.html
- #spring.datasource.url=jdbc:h2:mem:testdb
- logging.level.org.springframework.web=INFO
- logging.level.org.springframework.security=INFO
- logging.level.io.sentrius=DEBUG
- logging.level.org.thymeleaf=INFO
- spring.thymeleaf.servlet.produce-partial-output-while-processing=false
- spring.servlet.multipart.enabled=true
- spring.servlet.multipart.max-file-size=10MB
- spring.servlet.multipart.max-request-size=10MB
- server.error.whitelabel.enabled=false
- dynamic.properties.path=/config/dynamic.properties
- keycloak.realm=sentrius
- # keycloak configuration
- spring.security.oauth2.client.registration.keycloak.client-id=sentrius-api
- spring.security.oauth2.client.registration.keycloak.client-secret=nGkEukexSWTvDzYjSkDmeUlM0FJ5Jhh0
- spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
- spring.security.oauth2.client.registration.keycloak.redirect-uri=http://sentrius-keycloak:30080/login/oauth2/code/keycloak
- spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email
- spring.security.oauth2.resourceserver.jwt.issuer-uri=http://sentrius-keycloak:30081/realms/sentrius
- spring.security.oauth2.client.provider.keycloak.issuer-uri=http://sentrius-keycloak:30081/realms/sentrius
- dynamic: |
- auditorClass=io.sentrius.sso.automation.auditing.AccessTokenAuditor
- twopartyapproval.option.LOCKING_SYSTEMS=true
- requireProfileForLogin=true
- maxJitDurationMs=1440000
- sshEnabled=true
- systemLogoName=Sentrius
- AccessTokenAuditor.rule.4=io.sentrius.sso.automation.auditing.rules.OpenAISessionRule;Malicious AI Monitoring
- AccessTokenAuditor.rule.5=io.sentrius.sso.automation.auditing.rules.TwoPartyAIMonitor;AI Second Party Monitor
- allowProxies=true
- AccessTokenAuditor.rule.2=io.sentrius.sso.automation.auditing.rules.DeletePrevention;Delete Prevention
- AccessTokenAuditor.rule.3=io.sentrius.sso.automation.auditing.rules.TwoPartySessionRule;Require Second Party Monitoring
- AccessTokenAuditor.rule.0=io.sentrius.sso.automation.auditing.rules.CommandEvaluator;Restricted Commands
- terminalsInNewTab=false
- auditFlushIntervalMs=5000
- AccessTokenAuditor.rule.1=io.sentrius.sso.automation.auditing.rules.AllowedCommandsRule;Approved Commands
- knownHostsPath=/home/marc/.ssh/known_hosts
- systemLogoPathLarge=/images/sentrius_large.jpg
- maxJitUses=1
- systemLogoPathSmall=/images/sentrius_small.png
- enableInternalAudit=true
- twopartyapproval.require.explanation.LOCKING_SYSTEMS=false
- canApproveOwnJITs=false
- yamlConfiguration=/app/exampleInstallWithTypes.yml
+ oauth2:
+ client_id: sentrius-api
+ client_secret: nGkEukexSWTvDzYjSkDmeUlM0FJ5Jhh0
+ authorization_grant_type: authorization_code
+ redirect_uri: http://{{ .Values.subdomain }}/login/oauth2/code/keycloak
+ scope: openid,profile,email
+ issuer_uri: http://keycloak.{{ .Values.subdomain }}/realms/sentrius
sentriusagent:
service:
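Review bot: The new `oauth2.redirect_uri` and `oauth2.issuer_uri` use `http://`, but the Ingress added in this commit sets `kubernetes.io/ingress.allow-http: "false"`, so there is no HTTP listener at either hostname: issuer discovery against `http://keycloak.…/realms/sentrius` cannot connect, and even if it could, tokens minted behind the TLS-terminating proxy carry an `https://` `iss` claim that would fail issuer validation. Both should be `https://`, and `redirect_uri` must match what the realm registers for the client byte-for-byte. `client_secret` remains committed in plain text (it was before, but is now duplicated into two blocks); the chart already has a `secrets:` section with base64 values, so the secret belongs there, injected via a Kubernetes Secret and `valueFrom`, and the value that has been in git should be rotated in the realm.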
@@ -99,6 +36,13 @@ sentriusagent:
repository: sentrius-agent
pullPolicy: IfNotPresent
port: 8080
+ oauth2:
+ client_id: sentrius-api
+ client_secret: nGkEukexSWTvDzYjSkDmeUlM0FJ5Jhh0
+ authorization_grant_type: authorization_code
+ redirect-uri: http://{{ .Values.subdomain }}/login/oauth2/code/keycloak
+ scope: openid,profile,email
+ issuer-uri: http://keycloak.{{ .Values.subdomain }}/realms/sentrius
ssh:
port: 22
env:
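Review bot: The agent's keys are spelled `redirect-uri` / `issuer-uri` while the `sentrius.oauth2` block added in the same commit uses `redirect_uri` / `issuer_uri`; whichever spelling the ConfigMap templates reference, the other block renders an empty string, so normalise both to one form (`redirect_uri`, `issuer_uri`, matching `client_id` / `client_secret`). The agent also reuses the API's client (`client_id: sentrius-api` with the identical `client_secret`), which means one leaked secret authenticates both services and it cannot be rotated for one without the other; register a separate confidential client for the agent in the realm import. The same `http://` versus HTTPS-only-ingress mismatch noted for the `sentrius.oauth2` block applies to these two URLs.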
@@ -108,55 +52,7 @@ sentriusagent:
resources: {}
config:
application: |
- keystore.file=sso.jceks
- keystore.password=${KEYSTORE_PASSWORD}
- keystore.alias=KEYBOX-ENCRYPTION_KEY
- keystore.algorithm=AES
- spring.main.web-application-type=servlet
- spring.thymeleaf.enabled=true
- spring.freemarker.enabled=false
- #flyway configuration
- spring.flyway.enabled=true
- spring.datasource.url=jdbc:postgresql://sentrius-postgres:5432/sentrius
- spring.datasource.username=${SPRING_DATASOURCE_USERNAME}
- spring.datasource.password=${SPRING_DATASOURCE_PASSWORD}
- spring.datasource.driver-class-name=org.postgresql.Driver
- # Connection pool settings
- spring.datasource.hikari.maximum-pool-size=10
- spring.datasource.hikari.minimum-idle=5
- spring.datasource.hikari.idle-timeout=30000
- spring.datasource.hikari.max-lifetime=1800000
- # Hibernate settings (optional, for JPA)
- spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
- # Disable automatic schema generation in production
- spring.jpa.hibernate.ddl-auto=none
- # Ensure this path matches your project structure
- #spring.flyway.locations=classpath:db/migration/
- spring.flyway.baseline-on-migrate=true
- # Thymeleaf settings
- spring.thymeleaf.prefix=classpath:/templates/
- spring.thymeleaf.suffix=.html
- #spring.datasource.url=jdbc:h2:mem:testdb
- logging.level.org.springframework.web=INFO
- logging.level.org.springframework.security=INFO
- logging.level.io.sentrius=DEBUG
- logging.level.org.thymeleaf=INFO
- spring.thymeleaf.servlet.produce-partial-output-while-processing=false
- spring.servlet.multipart.enabled=true
- spring.servlet.multipart.max-file-size=10MB
- spring.servlet.multipart.max-request-size=10MB
- server.error.whitelabel.enabled=false
- dynamic.properties.path=/config/dynamic.properties
- keycloak.realm=sentrius
- # keycloak configuration
- spring.security.oauth2.client.registration.keycloak.client-id=sentrius-api
- spring.security.oauth2.client.registration.keycloak.client-secret=nGkEukexSWTvDzYjSkDmeUlM0FJ5Jhh0
- spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
- spring.security.oauth2.client.registration.keycloak.redirect-uri=http://sentrius-keycloak:30080/login/oauth2/code/keycloak
- spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email
- spring.security.oauth2.resourceserver.jwt.issuer-uri=http://sentrius-keycloak:30081/realms/sentrius
- spring.security.oauth2.client.provider.keycloak.issuer-uri=http://sentrius-keycloak:30081/realms/sentrius
- agents.session-analytics.enabled=true
+
# PostgreSQL configuration
postgres:
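Review bot: After this hunk `sentriusagent.config.application: |` is left with no content (the block scalar is followed only by a blank line), so the value renders as an empty string rather than disappearing. If the agent's ConfigMap template still writes `.Values.sentriusagent.config.application` to `application.properties`, the agent starts with no datasource, keystore or OAuth2 settings — can't confirm from this hunk whether that template was changed as well. Either delete the `config:` / `application:` keys entirely and guard the template with `{{- if .Values.sentriusagent.config.application }}`, or keep the minimal properties the agent still needs, now sourced from the new `sentriusagent.oauth2` values.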
@@ -186,19 +82,6 @@ secrets:
password: cGFzc3dvcmQ= # password
keystorePassword: c2VudHJpdXM= # sentrius
-# Service settings
-service:
- type: NodePort
- nodePort: 30080
-
-
-
-# MetalLB (optional)
-metallb:
- enabled: true
- addressPool:
- - 192.168.122.100-192.168.122.110
-
keycloak:
image:
repository: sentrius-keycloak
@@ -206,12 +89,13 @@ keycloak:
host: keycloak.default.svc.cluster.local
adminUser: admin
adminPassword: admin
- port: 8080
+ port: 8081
db:
image: postgres:15
user: keycloak
password: password
database: keycloak
replicas: 1
- hostname: sentrius-keycloak
+ #hostname: sentrius-keycloak
+