fix: identity config things

defenseunicorns · Dec 9, 2024 · f1b3cb8 · f1b3cb8
1 parent 777387b
commit f1b3cb8
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 16 deletions.
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
@@ -28,7 +28,7 @@ spec:
         {{- end }}
        {{- if not .Values.devMode }}
       annotations:
-        postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }}        
+        postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }}
       {{- end }}
     spec:
       securityContext:
@@ -52,13 +52,16 @@ spec:
               mountPath: /opt/keycloak/themes
             - name: conf
               mountPath: /opt/keycloak/conf
+          envFrom:
+            - secretRef:
+                name: {{ include "keycloak.fullname" . }}-realm-env
       containers:
         - name: keycloak
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-          command: 
+          command:
             - "/opt/keycloak/bin/kc.sh"
           args:
             {{- if .Values.devMode }}
@@ -128,14 +131,13 @@ spec:
             - name: KC_CACHE_STACK
               value: kubernetes
             - name: KC_SPI_STICKY_SESSION_ENCODER_INFINISPAN_SHOULD_ATTACH_ROUTE
-              value: "false"               
+              value: "false"
             # java opts for jgroups required for infinispan distributed cache when using the kubernetes stack.
             # https://www.keycloak.org/server/caching
             - name: JAVA_OPTS_APPEND
               value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless.keycloak.svc.cluster.local
-
             # Postgres database configuration
-            - name: KC_DB 
+            - name: KC_DB
               value: postgres
             - name: KC_DB_URL_HOST
               valueFrom:

diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
@@ -27,17 +27,26 @@ realm: uds
 # UDS Identity Config Realm Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values
 realmInitEnv:
   GOOGLE_IDP_ENABLED: false
-#   GOOGLE_IDP_ID: ""
-#   GOOGLE_IDP_SIGNING_CERT: ""
-#   GOOGLE_IDP_NAME_ID_FORMAT: ""
-#   GOOGLE_IDP_CORE_ENTITY_ID: ""
-#   GOOGLE_IDP_ADMIN_GROUP: ""
-#   GOOGLE_IDP_AUDITOR_GROUP: ""
-#   PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)"
-#   EMAIL_VERIFICATION_ENABLED: true
-#   OTP_ENABLED: true
-#   TERMS_AND_CONDITIONS_ENABLED: true
-#   REALM_X509_OCSP_FAIL_OPEN: true
+  # GOOGLE_IDP_ID: ""
+  # GOOGLE_IDP_SIGNING_CERT: ""
+  # GOOGLE_IDP_NAME_ID_FORMAT: ""
+  # GOOGLE_IDP_CORE_ENTITY_ID: ""
+  # GOOGLE_IDP_ADMIN_GROUP: ""
+  # GOOGLE_IDP_AUDITOR_GROUP: ""
+  # PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)"
+  # EMAIL_VERIFICATION_ENABLED: true
+  # OTP_ENABLED: true
+  # TERMS_AND_CONDITIONS_ENABLED: true
+  # X509_OCSP_FAIL_OPEN: true
+  # ENABLE_SOCIAL_LOGIN: false
+  # ENABLE_X509_LOGIN: false
+  # ENABLE_USERNAME_PASSWORD_AUTH: false
+  # ENABLE_REGISTER_BUTTON: false
+  # ENABLE_REGISTRATION_FIELDS: false
+  # deny_username_password: "DISABLED"
+  # reset_credential_flow: "REQUIRED"
+  # registration_form: "REQUIRED"
+  # otp_enabled: true
 
 # Generates an initial password for first admin user - only use if install is headless
 # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login