drop external keycloak in favor of generic oidc issuer

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

Author: butonic

charts/opencloud/README.md

@@ -224,6 +224,8 @@ This will prepend `my-registry.com/` to all image references in the chart. For e
 | `global.domain.wopi` | Domain for WOPI server | `wopiserver.opencloud.test` |
 | `global.tls.enabled` | Enable TLS (set to false when using gateway TLS termination externally) | `false` |
 | `global.tls.secretName` | secretName for TLS certificate | `""` |
+| `global.oidc.issuer` | OpenID Connect Issuer URL | `""` generated to use the internal keycloak|
+| `global.oidc.clientId` | OpenID Connect Client ID used by OpenCloud | `"web"` |
 | `global.storage.storageClass` | Storage class for persistent volumes | `""` |
 | `global.image.registry` | Global registry override for all images (e.g., `my-registry.com`) | `""` |
 | `global.image.pullPolicy` | Global pull policy override for all images (`Always`, `IfNotPresent`, `Never`) | `""` |
@@ -275,7 +277,7 @@ This will prepend `my-registry.com/` to all image references in the chart. For e
 
 ### Keycloak Settings
 
-Keycloak configuration follows the standardized internal/external pattern (see issue #64).
+By default the chart deploys an internal keycloak. It can be disabled and replaced with an external IdP.
 
 #### Internal Keycloak
 
@@ -295,29 +297,20 @@ Keycloak configuration follows the standardized internal/external pattern (see i
 
 > **Note**: When using internal Keycloak with multiple OpenCloud replicas (`opencloud.replicas > 1`), you must use an external shared database or LDAP. The embedded IDM does not support replication. See [issue #53](https://github.com/opencloud-eu/helm/issues/53) for details.
 
-#### External Keycloak
-
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `keycloak.external.enabled` | Enable external Keycloak | `false` |
-| `keycloak.external.url` | External Keycloak URL (without /realms/...) | `""` |
-| `keycloak.external.realm` | External Keycloak realm | `openCloud` |
-| `keycloak.external.clientId` | External Keycloak client ID | `web` |
-
-#### Example: Using External Keycloak
+#### Example: Using External IDP
 
 ```yaml
+global:
+  oidc:
+    issuer: "https://idp.example.com/realms/openCloud"
+    clientId: "opencloud-web"
+
 keycloak:
   internal:
     enabled: false
-  external:
-    enabled: true
-    url: "https://keycloak.example.com"
-    realm: "my-realm"
-    clientId: "opencloud-web"
 ```
 
-**Note**: Only one of `keycloak.internal.enabled` or `keycloak.external.enabled` should be set to `true`.
+**Note**: If `keycloak.internal.enabled` is `true`, the `global.oidc.issuer` should be left empty to not override the generated issuer URL.
 
 ### PostgreSQL Settings
 

charts/opencloud/templates/gateway/keycloak-https-httproute.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.httpRoute.enabled .Values.keycloak.enabled (not .Values.keycloak.external.enabled) }}
+{{- if and .Values.httpRoute.enabled .Values.keycloak.internal.enabled }}
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: HTTPRoute
 metadata:

charts/opencloud/templates/opencloud/deployment.yaml

@@ -200,26 +200,25 @@ spec:
             - name: NOTIFICATIONS_SMTP_ENCRYPTION
               value: "{{ .Values.opencloud.smtp.encryption }}"
             {{- end }}
-            {{- if or .Values.keycloak.internal.enabled .Values.keycloak.external.enabled }}
-            # Keycloak IDP specific configuration
+            {{- if or .Values.keycloak.internal.enabled .Values.global.oidc.issuer }}
+            # IDP specific configuration
             - name: PROXY_AUTOPROVISION_ACCOUNTS
               value: "true"
+            # user properties are edited in the idp, so we hate to make them readonly
+            - name: FRONTEND_READONLY_USER_ATTRIBUTES
+              value: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
             - name: PROXY_ROLE_ASSIGNMENT_DRIVER
               value: "oidc"
             - name: OC_OIDC_ISSUER
-              {{- if .Values.keycloak.external.enabled }}
-              value: "{{ .Values.keycloak.external.url }}/realms/{{ .Values.keycloak.external.realm }}"
+              {{- if .Values.global.oidc.issuer }}
+              value: {{ .Values.global.oidc.issuer | quote }}
               {{- else }}
-              value: "https://{{ include "opencloud.keycloak.domain" . }}/realms/{{ .Values.keycloak.internal.realm }}"
+              value: {{ printf "https://%s/realms/%s" (include "opencloud.keycloak.domain" .) .Values.keycloak.internal.realm | quote }}
               {{- end }}
             - name: PROXY_OIDC_REWRITE_WELLKNOWN
               value: "true"
             - name: WEB_OIDC_CLIENT_ID
-              {{- if .Values.keycloak.external.enabled }}
-              value: "{{ .Values.keycloak.external.clientId }}"
-              {{- else }}
-              value: "web"
-              {{- end }}
+              value: {{ .Values.global.oidc.clientId | quote}}
             - name: PROXY_USER_OIDC_CLAIM
               value: "preferred_username"
             - name: PROXY_USER_CS3_CLAIM
@@ -230,16 +229,15 @@ spec:
               value: "false"
             - name: GRAPH_USERNAME_MATCH
               value: "none"
-            # Additional OIDC settings from docker-compose
             - name: PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM
               value: "roles"
             - name: PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD
               value: "jwt"
             - name: WEB_OIDC_METADATA_URL
-              {{- if .Values.keycloak.external.enabled }}
-              value: "{{ .Values.keycloak.external.url }}/realms/{{ .Values.keycloak.external.realm }}/.well-known/openid-configuration"
+              {{- if .Values.global.oidc.issuer }}
+              value: {{ printf "%s/.well-known/openid-configuration" .Values.global.oidc.issuer | quote }}
               {{- else }}
-              value: "https://{{ include "opencloud.keycloak.domain" . }}/realms/{{ .Values.keycloak.internal.realm }}/.well-known/openid-configuration"
+              value: {{ printf "https://%s/realms/%s/.well-known/openid-configuration" (include "opencloud.keycloak.domain" .) .Values.keycloak.internal.realm | quote }}
               {{- end }}
             - name: WEB_OIDC_SCOPE
               value: "openid profile email groups roles"

charts/opencloud/values.yaml

@@ -47,11 +47,19 @@ global:
     # secretName for TLS certificate
     secretName: ""
 
+  oidc:
+    # OpenID Connect issuer URL. If set, overrides the default Keycloak internal issuer URL.
+    # This is useful for external OIDC providers or custom Keycloak configurations.
+    # Example: https://keycloak.opencloud.test/realms/openCloud
+    issuer: ""
+    # OIDC client ID for OpenCloud
+    clientId: "web"
+
   # Global storage settings
   storage:
     # Storage class for persistent volumes
     storageClass: ""
-  
+
   # Global image settings
   image:
     # Global registry override - if set, it will override all image registries
@@ -126,17 +134,6 @@ keycloak:
       maxAge: "3600"
     # Resources
     resources: {}
-  
-  # External Keycloak connection
-  external:
-    # Enable external Keycloak
-    enabled: false
-    # External Keycloak URL (without /realms/...)
-    url: ""
-    # External Keycloak realm
-    realm: "openCloud"
-    # External Keycloak client ID
-    clientId: "web"
 
 # PostgreSQL settings for Keycloak
 postgres: