diff --git a/components/camel-oauth/README.md b/components/camel-oauth/README.md index 73e5b09951c1d..690c1b4f5dac7 100644 --- a/components/camel-oauth/README.md +++ b/components/camel-oauth/README.md 
@@ -21,33 +21,49 @@ Respective jbang projects live [here|https://github.com/tdiesler/camel-cloud-exa For Kafka we use strimzi kafka-oauth-client directly, which is documented [here|https://github.com/tdiesler/camel-cloud-examples/blob/main/camel-main/kafka-oauth/kafka-oauth-route.yaml]. -## Keycloak as the Identity Provider +## Ingress with Traefik + +An Identity Provider should only be accessed with transport layer security (TLS) in place. This is in the nature +of communicating privacy/security sensitive data over any communication channel. + +Therefore, we place Keycloak behind an TLS terminating proxy (Traefik). It has the advantage that any traffic +(i.e. not only for Keycloak) can be secured at ingress level. + +https://doc.traefik.io/traefik/ -Currently, we use Keycloak as OIDC Provider - Hashicorp Vault is underway. +``` +helm repo add traefik https://traefik.github.io/charts +helm repo update +helm install traefik traefik/traefik +``` -### Keycloak Certificate +## Ingress TLS Certificate ``` # Generate TLS Certificate -openssl req -x509 -newkey rsa:4096 -keyout ./helm/etc/keycloak.key -out ./helm/etc/keycloak.crt -days 365 -nodes -config ./helm/etc/san.cnf +openssl req -x509 -newkey rsa:4096 -keyout ./helm/etc/cluster.key -out ./helm/etc/cluster.crt -days 365 -nodes -config ./helm/etc/san.cnf # Import TLS Certificate to Java Keystore (i.e. 
trust the certificate) -sudo keytool -import -alias keycloak -file ./helm/etc/keycloak.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit +sudo keytool -import -alias keycloak -file ./helm/etc/cluster.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit # Remove TLS Certificate from Java Keystore sudo keytool -delete -alias keycloak -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit ``` -### Keycloak on Kubernetes +### Verify with TLS access -Deploy Keycloak as Identity Provider +``` +helm upgrade --install traefik-secret ./helm -f ./helm/values-traefik-secret.yaml +helm upgrade --install whoami ./helm -f ./helm/values-whoami.yaml +``` -Admin: admin/admin -User: alice/alice +https://cluster.local/who + +## Keycloak as the Identity Provider -https://keycloak.local:30443/ +Currently, we use Keycloak as OIDC Provider - Hashicorp Vault is underway. -Host 'keycloak.local' should be mapped (/etc/hosts) to your local k8s IP +Keycloak can be configured/deployed via Helm like this... ``` kubectl config use-context docker-desktop \ @@ -58,12 +74,17 @@ kubectl config use-context docker-desktop \ helm uninstall keycloak ``` +https://keycloak.local/kc + +Admin: admin/admin +User: alice/alice + ### Keycloak Admin Tasks -Run this when realm 'camel' if not already imported +Create realm 'camel' if not already imported ``` -kcadm config credentials --server https://keycloak.local:30443 --realm master --user admin --password admin +kcadm config credentials --server https://keycloak.local/kc --realm master --user admin --password admin kcadm create realms -s realm=camel -s enabled=true 
@@ -92,10 +113,35 @@ kcadm set-password -r camel --userid=${userid} --new-password alice kcadm delete realms/camel -r master ``` -Show client/user configuration +Show realm, client, user configuration ``` +kcadm get realms | jq -r '.[] | select(.realm=="camel")' + kcadm get clients -r camel | jq -r '.[] | select(.clientId=="camel-client")' kcadm get users -r camel | jq -r '.[] | select(.username=="alice")' ``` + +## Kafka on Kubernetes + +### Extract the Keycloak cert + +In this configuration, Keycloak is deployed behind Traefik, which is our TLS terminating proxy. +The domain `keycloak.local` is mapped to an actual IP in `/etc/hosts`. + +``` +echo -n | openssl s_client -connect keycloak.local:443 -servername keycloak.local | openssl x509 > keycloak.crt +cat keycloak.crt | openssl x509 -noout -text +``` + +Deploy a single node Kafka cluster + +``` +kubectl config use-context docker-desktop \ + && helm upgrade --install kafka ./helm -f ./helm/values-kafka.yaml \ + && kubectl wait --for=condition=Ready pod -l app.kubernetes.io/name=kafka --timeout=20s \ + && kubectl logs --tail 400 -f -l app.kubernetes.io/name=kafka + +helm uninstall kafka +``` diff --git a/components/camel-oauth/helm/Chart.yaml b/components/camel-oauth/helm/Chart.yaml index e455139ac6962..db75b24655d95 100644 --- a/components/camel-oauth/helm/Chart.yaml +++ b/components/camel-oauth/helm/Chart.yaml @@ -16,6 +16,6 @@ # apiVersion: v2 -name: platform-http-chart +name: camel-oauth-infra description: A Helm chart to deploy Keycloak version: 0.1.0 \ No newline at end of file diff --git a/components/camel-oauth/helm/etc/camel-realm.json b/components/camel-oauth/helm/etc/camel-realm.json index 899d037f6769c..ef300a59d291e 100644 --- a/components/camel-oauth/helm/etc/camel-realm.json +++ b/components/camel-oauth/helm/etc/camel-realm.json 
@@ -1,2139 +1,241 @@ { - "accessCodeLifespan": 60, - "accessCodeLifespanLogin": 1800, - "accessCodeLifespanUserAction": 300, + "realm": "camel", "accessTokenLifespan": 300, - "accessTokenLifespanForImplicitFlow": 900, - "actionTokenGeneratedByAdminLifespan": 43200, - "actionTokenGeneratedByUserLifespan": 300, - "adminEventsDetailsEnabled": false, - "adminEventsEnabled": false, - "adminPermissionsEnabled": false, - "attributes": { - "cibaAuthRequestedUserHint": "login_hint", - "cibaBackchannelTokenDeliveryMode": "poll", - "cibaExpiresIn": "120", - "cibaInterval": "5", - "oauth2DeviceCodeLifespan": "600", - "oauth2DevicePollingInterval": "5", - "parRequestUriLifespan": "60", - "realmReusableOtpCode": "false" - }, - "authenticationFlows": [ - { - "alias": "Account verification options", - "authenticationExecutions": [ - { - "authenticator": "idp-email-verification", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "ALTERNATIVE", - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "autheticatorFlow": true, - "flowAlias": "Verify Existing Account by Re-authentication", - "priority": 20, - "requirement": "ALTERNATIVE", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Method with which to verity the existing account", - "id": "cae070ea-ddce-46fb-be70-795d59869217", - "providerId": "basic-flow", - "topLevel": false - }, - { - "alias": "Browser - Conditional OTP", - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticator": "auth-otp-form", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 20, - "requirement": "REQUIRED", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Flow to determine if the OTP is required for the authentication", - "id": 
"87907cb4-8369-4f18-9daa-6c834726644b", - "providerId": "basic-flow", - "topLevel": false - }, - { - "alias": "Browser - Conditional Organization", - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticator": "organization", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 20, - "requirement": "ALTERNATIVE", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Flow to determine if the organization identity-first login is to be used", - "id": "37d88d49-79c8-4d3c-8546-bfe103085117", - "providerId": "basic-flow", - "topLevel": false - }, - { - "alias": "Direct Grant - Conditional OTP", - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticator": "direct-grant-validate-otp", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 20, - "requirement": "REQUIRED", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Flow to determine if the OTP is required for the authentication", - "id": "767b935b-6e00-4884-a9f0-90281cf54634", - "providerId": "basic-flow", - "topLevel": false - }, - { - "alias": "First Broker Login - Conditional Organization", - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticator": "idp-add-organization-member", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 20, - "requirement": "REQUIRED", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Flow to determine if the 
authenticator that adds organization members is to be used", - "id": "a1182ccd-bda9-40ac-a28f-da1b53c62191", - "providerId": "basic-flow", - "topLevel": false - }, - { - "alias": "First broker login - Conditional OTP", - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticator": "auth-otp-form", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 20, - "requirement": "REQUIRED", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Flow to determine if the OTP is required for the authentication", - "id": "39020d63-f50b-4bab-824a-732d274324a6", - "providerId": "basic-flow", - "topLevel": false - }, - { - "alias": "Handle Existing Account", - "authenticationExecutions": [ - { - "authenticator": "idp-confirm-link", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "autheticatorFlow": true, - "flowAlias": "Account verification options", - "priority": 20, - "requirement": "REQUIRED", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", - "id": "1be565ad-e41c-412e-86ff-aa5fff4183c5", - "providerId": "basic-flow", - "topLevel": false - }, - { - "alias": "Organization", - "authenticationExecutions": [ - { - "authenticatorFlow": true, - "autheticatorFlow": true, - "flowAlias": "Browser - Conditional Organization", - "priority": 10, - "requirement": "CONDITIONAL", - "userSetupAllowed": false - } - ], - "builtIn": true, - "id": "a4b5f3f3-cbae-4b14-99a0-d9b3b667543a", - "providerId": "basic-flow", - "topLevel": false - }, - { - "alias": "Reset - Conditional OTP", - "authenticationExecutions": [ - { - 
"authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticator": "reset-otp", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 20, - "requirement": "REQUIRED", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", - "id": "b49293c6-ded0-4edc-9a5f-d2c1ae5a3d56", - "providerId": "basic-flow", - "topLevel": false - }, - { - "alias": "User creation or linking", - "authenticationExecutions": [ - { - "authenticator": "idp-create-user-if-unique", - "authenticatorConfig": "create unique user config", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "ALTERNATIVE", - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "autheticatorFlow": true, - "flowAlias": "Handle Existing Account", - "priority": 20, - "requirement": "ALTERNATIVE", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Flow for the existing/non-existing user alternatives", - "id": "1cb7464a-d7c0-459e-b09c-2847984109da", - "providerId": "basic-flow", - "topLevel": false - }, - { - "alias": "Verify Existing Account by Re-authentication", - "authenticationExecutions": [ - { - "authenticator": "idp-username-password-form", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "autheticatorFlow": true, - "flowAlias": "First broker login - Conditional OTP", - "priority": 20, - "requirement": "CONDITIONAL", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Reauthentication of existing account", - "id": "6c7a7a86-da4f-4bea-a59b-6ab3f4e5af66", - "providerId": "basic-flow", - "topLevel": false - }, - { - "alias": "browser", - 
"authenticationExecutions": [ - { - "authenticator": "auth-cookie", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "ALTERNATIVE", - "userSetupAllowed": false - }, - { - "authenticator": "auth-spnego", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 20, - "requirement": "DISABLED", - "userSetupAllowed": false - }, - { - "authenticator": "identity-provider-redirector", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 25, - "requirement": "ALTERNATIVE", - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "autheticatorFlow": true, - "flowAlias": "Organization", - "priority": 26, - "requirement": "ALTERNATIVE", - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "autheticatorFlow": true, - "flowAlias": "forms", - "priority": 30, - "requirement": "ALTERNATIVE", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Browser based authentication", - "id": "d52b496a-d02f-4f43-bea1-db5bb3fd935e", - "providerId": "basic-flow", - "topLevel": true - }, - { - "alias": "clients", - "authenticationExecutions": [ - { - "authenticator": "client-secret", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "ALTERNATIVE", - "userSetupAllowed": false - }, - { - "authenticator": "client-jwt", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 20, - "requirement": "ALTERNATIVE", - "userSetupAllowed": false - }, - { - "authenticator": "client-secret-jwt", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 30, - "requirement": "ALTERNATIVE", - "userSetupAllowed": false - }, - { - "authenticator": "client-x509", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 40, - "requirement": "ALTERNATIVE", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Base authentication for clients", - "id": 
"e10bdc41-0c9c-4e66-b7e1-53bedaee3bc2", - "providerId": "client-flow", - "topLevel": true - }, - { - "alias": "direct grant", - "authenticationExecutions": [ - { - "authenticator": "direct-grant-validate-username", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticator": "direct-grant-validate-password", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 20, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "autheticatorFlow": true, - "flowAlias": "Direct Grant - Conditional OTP", - "priority": 30, - "requirement": "CONDITIONAL", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "OpenID Connect Resource Owner Grant", - "id": "584d7f63-e86d-44e9-ba87-41bc2303f14a", - "providerId": "basic-flow", - "topLevel": true - }, - { - "alias": "docker auth", - "authenticationExecutions": [ - { - "authenticator": "docker-http-basic-authenticator", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Used by Docker clients to authenticate against the IDP", - "id": "993a5f27-ecff-4c87-a6fe-89e557484dac", - "providerId": "basic-flow", - "topLevel": true - }, - { - "alias": "first broker login", - "authenticationExecutions": [ - { - "authenticator": "idp-review-profile", - "authenticatorConfig": "review profile config", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "autheticatorFlow": true, - "flowAlias": "User creation or linking", - "priority": 20, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "autheticatorFlow": true, - "flowAlias": "First Broker Login - Conditional Organization", - 
"priority": 50, - "requirement": "CONDITIONAL", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", - "id": "e5c203ab-87bd-4b3a-ac4c-ffe02d0807fb", - "providerId": "basic-flow", - "topLevel": true - }, - { - "alias": "forms", - "authenticationExecutions": [ - { - "authenticator": "auth-username-password-form", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "autheticatorFlow": true, - "flowAlias": "Browser - Conditional OTP", - "priority": 20, - "requirement": "CONDITIONAL", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Username, password, otp and other auth forms.", - "id": "dc505ff6-a644-4c67-99a7-f80109adc7bb", - "providerId": "basic-flow", - "topLevel": false - }, - { - "alias": "registration", - "authenticationExecutions": [ - { - "authenticator": "registration-page-form", - "authenticatorFlow": true, - "autheticatorFlow": true, - "flowAlias": "registration form", - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Registration flow", - "id": "e0eace41-ef5e-4039-804d-78be3279f900", - "providerId": "basic-flow", - "topLevel": true - }, - { - "alias": "registration form", - "authenticationExecutions": [ - { - "authenticator": "registration-user-creation", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 20, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticator": "registration-password-action", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 50, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticator": "registration-recaptcha-action", - "authenticatorFlow": false, - "autheticatorFlow": false, - 
"priority": 60, - "requirement": "DISABLED", - "userSetupAllowed": false - }, - { - "authenticator": "registration-terms-and-conditions", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 70, - "requirement": "DISABLED", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Registration form", - "id": "da98451c-b801-4d74-bd38-af81169e1fa9", - "providerId": "form-flow", - "topLevel": false - }, - { - "alias": "reset credentials", - "authenticationExecutions": [ - { - "authenticator": "reset-credentials-choose-user", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticator": "reset-credential-email", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 20, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticator": "reset-password", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 30, - "requirement": "REQUIRED", - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "autheticatorFlow": true, - "flowAlias": "Reset - Conditional OTP", - "priority": 40, - "requirement": "CONDITIONAL", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "Reset credentials for a user if they forgot their password or something", - "id": "baf2e059-e2ed-4511-8cb9-9bae87ed2079", - "providerId": "basic-flow", - "topLevel": true - }, - { - "alias": "saml ecp", - "authenticationExecutions": [ - { - "authenticator": "http-basic-authenticator", - "authenticatorFlow": false, - "autheticatorFlow": false, - "priority": 10, - "requirement": "REQUIRED", - "userSetupAllowed": false - } - ], - "builtIn": true, - "description": "SAML ECP Profile Authentication Flow", - "id": "40a31665-a2cd-48cc-b3fb-572e045b9fc5", - "providerId": "basic-flow", - "topLevel": true - } - ], - "authenticatorConfig": [ - { - "alias": "create unique user config", - "config": { - 
"require.password.update.after.registration": "false" - }, - "id": "3ab5456f-5c1c-445d-a772-a986b59b36a9" - }, - { - "alias": "review profile config", - "config": { - "update.profile.on.first.login": "missing" - }, - "id": "50608b3e-9f44-41f0-b535-5ef3979167e6" - } - ], - "browserFlow": "browser", - "browserSecurityHeaders": { - "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", - "contentSecurityPolicyReportOnly": "", - "referrerPolicy": "no-referrer", - "strictTransportSecurity": "max-age=31536000; includeSubDomains", - "xContentTypeOptions": "nosniff", - "xFrameOptions": "SAMEORIGIN", - "xRobotsTag": "none", - "xXSSProtection": "1; mode=block" - }, - "bruteForceProtected": false, - "bruteForceStrategy": "MULTIPLE", - "clientAuthenticationFlow": "clients", - "clientOfflineSessionIdleTimeout": 0, - "clientOfflineSessionMaxLifespan": 0, - "clientPolicies": { - "policies": [] - }, - "clientProfiles": { - "profiles": [] - }, - "clientScopeMappings": { - "account": [ - { - "client": "account-console", - "roles": [ - "manage-account", - "view-groups" - ] - } - ] - }, - "clientScopes": [ - { - "attributes": { - "display.on.consent.screen": "false", - "include.in.token.scope": "true" - }, - "description": "Microprofile - JWT built-in scope", - "id": "7aaaf3c4-868f-41d2-868d-35eb057cd205", - "name": "microprofile-jwt", - "protocol": "openid-connect", - "protocolMappers": [ - { - "config": { - "access.token.claim": "true", - "claim.name": "upn", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "username", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "21cff289-9683-4e5b-a2e1-a6b83c24975a", - "name": "upn", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "groups", - "id.token.claim": "true", - "introspection.token.claim": "true", - 
"jsonType.label": "String", - "multivalued": "true", - "user.attribute": "foo" - }, - "consentRequired": false, - "id": "52c78de5-cfd1-4b44-96d2-522bd0d0f338", - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper" - } - ] - }, - { - "attributes": { - "consent.screen.text": "${addressScopeConsentText}", - "display.on.consent.screen": "true", - "include.in.token.scope": "true" - }, - "description": "OpenID Connect built-in scope: address", - "id": "344e25fa-1a59-439a-87a3-9b67b3b939a4", - "name": "address", - "protocol": "openid-connect", - "protocolMappers": [ - { - "config": { - "access.token.claim": "true", - "id.token.claim": "true", - "introspection.token.claim": "true", - "user.attribute.country": "country", - "user.attribute.formatted": "formatted", - "user.attribute.locality": "locality", - "user.attribute.postal_code": "postal_code", - "user.attribute.region": "region", - "user.attribute.street": "street", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "d651d31e-11c1-428f-b07a-4e60ed0a9af5", - "name": "address", - "protocol": "openid-connect", - "protocolMapper": "oidc-address-mapper" - } - ] - }, - { - "attributes": { - "consent.screen.text": "${phoneScopeConsentText}", - "display.on.consent.screen": "true", - "include.in.token.scope": "true" - }, - "description": "OpenID Connect built-in scope: phone", - "id": "f7e20abd-09bf-4d24-825a-58780fb6b29b", - "name": "phone", - "protocol": "openid-connect", - "protocolMappers": [ - { - "config": { - "access.token.claim": "true", - "claim.name": "phone_number", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "phoneNumber", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "425fcb87-d8f4-4021-a198-71af50f6b5ed", - "name": "phone number", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - }, - { - "config": { - 
"access.token.claim": "true", - "claim.name": "phone_number_verified", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "boolean", - "user.attribute": "phoneNumberVerified", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "54b3ff41-3bde-4b31-aeb9-f17f1a831b4f", - "name": "phone number verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - } - ] - }, - { - "attributes": { - "display.on.consent.screen": "false", - "include.in.token.scope": "false" - }, - "description": "Specific scope for a client enabled for service accounts", - "id": "4435f35a-8bd4-48b2-81a6-28b938a175da", - "name": "service_account", - "protocol": "openid-connect", - "protocolMappers": [ - { - "config": { - "access.token.claim": "true", - "claim.name": "clientAddress", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.session.note": "clientAddress" - }, - "consentRequired": false, - "id": "4f2bd9a5-6885-47ae-8bb5-957e6c95eca8", - "name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "client_id", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.session.note": "client_id" - }, - "consentRequired": false, - "id": "4d23d59a-16c1-46b0-9ee0-afbcfeaea959", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "clientHost", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.session.note": "clientHost" - }, - "consentRequired": false, - "id": "91802fe0-be3b-4960-99d3-c3c52dc0c885", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": 
"oidc-usersessionmodel-note-mapper" - } - ] - }, - { - "attributes": { - "consent.screen.text": "${profileScopeConsentText}", - "display.on.consent.screen": "true", - "include.in.token.scope": "true" - }, - "description": "OpenID Connect built-in scope: profile", - "id": "54fa7985-ca72-45b9-aeab-c31fc11a3455", - "name": "profile", - "protocol": "openid-connect", - "protocolMappers": [ - { - "config": { - "access.token.claim": "true", - "claim.name": "profile", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "profile", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "f2d2e2dd-8f19-4730-82fe-d4359f7f6f1b", - "name": "profile", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "picture", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "picture", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "ebe75f43-8f40-4ca8-b62f-345d36f61a8c", - "name": "picture", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "gender", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "gender", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "846a582e-86cc-4c9c-9f65-269fed23f6a2", - "name": "gender", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "zoneinfo", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "zoneinfo", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "04d178f2-c8fa-45d6-b0be-c8acd2e16b3c", 
- "name": "zoneinfo", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "locale", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "locale", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "e8b997dc-4684-4758-9846-480b6e4e9ca4", - "name": "locale", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "updated_at", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "long", - "user.attribute": "updatedAt", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "4940a100-c258-49a6-a0fe-7c946b1c4ce3", - "name": "updated at", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "preferred_username", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "username", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "d4a5f0ca-7ffd-4706-ae4b-d8ca928ee599", - "name": "username", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - }, - { - "config": { - "access.token.claim": "true", - "id.token.claim": "true", - "introspection.token.claim": "true", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "7936f5b4-b5e5-4400-b6e0-ed0f23eb43d3", - "name": "full name", - "protocol": "openid-connect", - "protocolMapper": "oidc-full-name-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "family_name", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "lastName", - "userinfo.token.claim": "true" 
- }, - "consentRequired": false, - "id": "f91eeb97-47d3-4b4a-a03e-9610dea8ad26", - "name": "family name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "birthdate", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "birthdate", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "388281ea-5d95-4670-b2a3-5230104511a6", - "name": "birthdate", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "middle_name", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "middleName", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "57d612d3-698d-47fd-bf7d-9663276c3088", - "name": "middle name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "given_name", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "firstName", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "253ed51c-994f-4b64-8c24-bc423925a845", - "name": "given name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "website", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "website", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "1c152cff-f9c3-4fcd-9394-1c09c4a77e75", - "name": "website", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - }, - { - "config": { - "access.token.claim": "true", - 
"claim.name": "nickname", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "nickname", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "5c172e81-a500-46fe-be77-6fb6e4e3aedc", - "name": "nickname", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - } - ] - }, - { - "attributes": { - "consent.screen.text": "${emailScopeConsentText}", - "display.on.consent.screen": "true", - "include.in.token.scope": "true" - }, - "description": "OpenID Connect built-in scope: email", - "id": "ea20e4dc-8701-4dc5-b4d4-a2a075419685", - "name": "email", - "protocol": "openid-connect", - "protocolMappers": [ - { - "config": { - "access.token.claim": "true", - "claim.name": "email_verified", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "boolean", - "user.attribute": "emailVerified", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "57060a43-fe4f-4ed6-80d2-8f500a2ac6a9", - "name": "email verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "email", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "email", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "e37af486-8e38-4df8-863d-72f954e109f6", - "name": "email", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - } - ] - }, - { - "attributes": { - "display.on.consent.screen": "false", - "include.in.token.scope": "false" - }, - "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", - "id": "eade01bc-3b70-451e-a3e9-a2d2d98d6015", - "name": "acr", - "protocol": "openid-connect", - "protocolMappers": [ - { - "config": { - "access.token.claim": "true", - 
"id.token.claim": "true", - "introspection.token.claim": "true" - }, - "consentRequired": false, - "id": "35cda456-a597-4f96-85e7-991993784768", - "name": "acr loa level", - "protocol": "openid-connect", - "protocolMapper": "oidc-acr-mapper" - } - ] - }, - { - "attributes": { - "display.on.consent.screen": "false" - }, - "description": "Organization Membership", - "id": "4a8b5d37-212e-49dc-8f4a-a611af9ea0e0", - "name": "saml_organization", - "protocol": "saml", - "protocolMappers": [ - { - "config": {}, - "consentRequired": false, - "id": "ffdc0525-b40e-4f9b-98d9-92c67845176d", - "name": "organization", - "protocol": "saml", - "protocolMapper": "saml-organization-membership-mapper" - } - ] - }, - { - "attributes": { - "consent.screen.text": "${samlRoleListScopeConsentText}", - "display.on.consent.screen": "true" - }, - "description": "SAML role list", - "id": "8ca5dd23-6618-4e3d-aaa2-53c4075f3807", - "name": "role_list", - "protocol": "saml", - "protocolMappers": [ - { - "config": { - "attribute.name": "Role", - "attribute.nameformat": "Basic", - "single": "false" - }, - "consentRequired": false, - "id": "8ffb7639-1cb1-4d69-9a31-7804b8e483ea", - "name": "role list", - "protocol": "saml", - "protocolMapper": "saml-role-list-mapper" - } - ] - }, - { - "attributes": { - "consent.screen.text": "${organizationScopeConsentText}", - "display.on.consent.screen": "true", - "include.in.token.scope": "true" - }, - "description": "Additional claims about the organization a subject belongs to", - "id": "20664e6a-1dd1-4bac-9680-dbae402cf691", - "name": "organization", - "protocol": "openid-connect", - "protocolMappers": [ - { - "config": { - "access.token.claim": "true", - "claim.name": "organization", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "multivalued": "true" - }, - "consentRequired": false, - "id": "6c462bdf-90c5-44f5-94d2-0002cc167b46", - "name": "organization", - "protocol": "openid-connect", - "protocolMapper": 
"oidc-organization-membership-mapper" - } - ] - }, - { - "attributes": { - "consent.screen.text": "${offlineAccessScopeConsentText}", - "display.on.consent.screen": "true" - }, - "description": "OpenID Connect built-in scope: offline_access", - "id": "ed38bfbc-8f29-4f64-935b-5cf06d2215f7", - "name": "offline_access", - "protocol": "openid-connect" - }, - { - "attributes": { - "consent.screen.text": "${rolesScopeConsentText}", - "display.on.consent.screen": "true", - "include.in.token.scope": "false" - }, - "description": "OpenID Connect scope for add user roles to the access token", - "id": "fb84a8f0-1a0b-4fa6-887f-8c2800c6fbd9", - "name": "roles", - "protocol": "openid-connect", - "protocolMappers": [ - { - "config": { - "access.token.claim": "true", - "claim.name": "realm_access.roles", - "introspection.token.claim": "true", - "jsonType.label": "String", - "multivalued": "true", - "user.attribute": "foo" - }, - "consentRequired": false, - "id": "03ad1d22-79ae-4432-b175-2c1191529b09", - "name": "realm roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "resource_access.${client_id}.roles", - "introspection.token.claim": "true", - "jsonType.label": "String", - "multivalued": "true", - "user.attribute": "foo" - }, - "consentRequired": false, - "id": "d48fa36e-fd7d-41aa-9c89-14a2b3cfc5b1", - "name": "client roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper" - }, - { - "config": { - "access.token.claim": "true", - "introspection.token.claim": "true" - }, - "consentRequired": false, - "id": "fdb7d9ca-93db-40cd-a189-299e2dcc4483", - "name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper" - } - ] - }, - { - "attributes": { - "consent.screen.text": "", - "display.on.consent.screen": "false", - "include.in.token.scope": "false" - }, - "description": "OpenID 
Connect scope for add allowed web origins to the access token", - "id": "3ee41590-b580-4114-a4f9-ae7311699adb", - "name": "web-origins", - "protocol": "openid-connect", - "protocolMappers": [ - { - "config": { - "access.token.claim": "true", - "introspection.token.claim": "true" - }, - "consentRequired": false, - "id": "ee56b7f1-a844-48c3-a55e-374b57fe6ca5", - "name": "allowed web origins", - "protocol": "openid-connect", - "protocolMapper": "oidc-allowed-origins-mapper" - } - ] - }, - { - "attributes": { - "display.on.consent.screen": "false", - "include.in.token.scope": "false" - }, - "description": "OpenID Connect scope for add all basic claims to the token", - "id": "7eacd797-dd65-412a-9fa5-8ba3d4824e64", - "name": "basic", - "protocol": "openid-connect", - "protocolMappers": [ - { - "config": { - "access.token.claim": "true", - "introspection.token.claim": "true" - }, - "consentRequired": false, - "id": "260dd52c-632b-46ef-8210-a3d8351d8523", - "name": "sub", - "protocol": "openid-connect", - "protocolMapper": "oidc-sub-mapper" - }, - { - "config": { - "access.token.claim": "true", - "claim.name": "auth_time", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "long", - "user.session.note": "AUTH_TIME" - }, - "consentRequired": false, - "id": "8e1d4215-9034-46c1-ab66-2c756840452e", - "name": "auth_time", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper" - } - ] - } - ], - "clientSessionIdleTimeout": 0, - "clientSessionMaxLifespan": 0, - "clients": [ - { - "alwaysDisplayInConsole": false, - "attributes": { - "post.logout.redirect.uris": "+", - "realm_client": "false" - }, - "authenticationFlowBindingOverrides": {}, - "baseUrl": "/realms/camel/account/", - "bearerOnly": false, - "clientAuthenticatorType": "client-secret", - "clientId": "account", - "consentRequired": false, - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "basic", - "email" - ], - 
"directAccessGrantsEnabled": false, - "enabled": true, - "frontchannelLogout": false, - "fullScopeAllowed": false, - "id": "f5aaf582-f7c0-4c6c-bcf2-390660090115", - "implicitFlowEnabled": false, - "name": "${client_account}", - "nodeReRegistrationTimeout": 0, - "notBefore": 0, - "optionalClientScopes": [ - "address", - "phone", - "organization", - "offline_access", - "microprofile-jwt" - ], - "protocol": "openid-connect", - "publicClient": true, - "redirectUris": [ - "/realms/camel/account/*" - ], - "rootUrl": "${authBaseUrl}", - "serviceAccountsEnabled": false, - "standardFlowEnabled": true, - "surrogateAuthRequired": false, - "webOrigins": [] - }, + "ssoSessionMaxLifespan": 32140800, + "ssoSessionIdleTimeout": 32140800, + "enabled": true, + "sslRequired": "external", + "users": [ { - "alwaysDisplayInConsole": false, - "attributes": { - "pkce.code.challenge.method": "S256", - "post.logout.redirect.uris": "+", - "realm_client": "false" - }, - "authenticationFlowBindingOverrides": {}, - "baseUrl": "/realms/camel/account/", - "bearerOnly": false, - "clientAuthenticatorType": "client-secret", - "clientId": "account-console", - "consentRequired": false, - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "basic", - "email" - ], - "directAccessGrantsEnabled": false, + "username": "alice", "enabled": true, - "frontchannelLogout": false, - "fullScopeAllowed": false, - "id": "ece35b24-8c9e-4970-9c05-a4dc38d382a7", - "implicitFlowEnabled": false, - "name": "${client_account-console}", - "nodeReRegistrationTimeout": 0, - "notBefore": 0, - "optionalClientScopes": [ - "address", - "phone", - "organization", - "offline_access", - "microprofile-jwt" - ], - "protocol": "openid-connect", - "protocolMappers": [ + "firstName": "Alice", + "lastName": "Brown", + "email": "alice@example.com", + "credentials": [ { - "config": {}, - "consentRequired": false, - "id": "5acc723e-c018-490d-8b7a-e31c23e673db", - "name": "audience resolve", - "protocol": 
"openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper" + "type": "password", + "value": "alice" } ], - "publicClient": true, - "redirectUris": [ - "/realms/camel/account/*" + "realmRoles": [ + "user" ], - "rootUrl": "${authBaseUrl}", - "serviceAccountsEnabled": false, - "standardFlowEnabled": true, - "surrogateAuthRequired": false, - "webOrigins": [] + "clientRoles": { + "kafka": [ + "kafka-topic:superapp_*:owner" + ] + } }, { - "alwaysDisplayInConsole": false, - "attributes": { - "client.use.lightweight.access.token.enabled": "true", - "realm_client": "false" - }, - "authenticationFlowBindingOverrides": {}, - "bearerOnly": false, - "clientAuthenticatorType": "client-secret", - "clientId": "admin-cli", - "consentRequired": false, - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "basic", - "email" - ], - "directAccessGrantsEnabled": true, + "username": "admin", "enabled": true, - "frontchannelLogout": false, - "fullScopeAllowed": true, - "id": "b172229f-58b9-4e19-9f9d-ee91d65fd67e", - "implicitFlowEnabled": false, - "name": "${client_admin-cli}", - "nodeReRegistrationTimeout": 0, - "notBefore": 0, - "optionalClientScopes": [ - "address", - "phone", - "organization", - "offline_access", - "microprofile-jwt" - ], - "protocol": "openid-connect", - "publicClient": true, - "redirectUris": [], - "serviceAccountsEnabled": false, - "standardFlowEnabled": false, - "surrogateAuthRequired": false, - "webOrigins": [] - }, - { - "alwaysDisplayInConsole": false, - "attributes": { - "realm_client": "true" - }, - "authenticationFlowBindingOverrides": {}, - "bearerOnly": true, - "clientAuthenticatorType": "client-secret", - "clientId": "broker", - "consentRequired": false, - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "basic", - "email" + "email": "admin@example.com", + "credentials": [ + { + "type": "password", + "value": "admin-password" + } ], - "directAccessGrantsEnabled": false, - "enabled": true, - 
"frontchannelLogout": false, - "fullScopeAllowed": false, - "id": "62567bd0-4265-4ae3-a802-6cc2d944a5b7", - "implicitFlowEnabled": false, - "name": "${client_broker}", - "nodeReRegistrationTimeout": 0, - "notBefore": 0, - "optionalClientScopes": [ - "address", - "phone", - "organization", - "offline_access", - "microprofile-jwt" + "realmRoles": [ + "admin" ], - "protocol": "openid-connect", - "publicClient": false, - "redirectUris": [], - "serviceAccountsEnabled": false, - "standardFlowEnabled": true, - "surrogateAuthRequired": false, - "webOrigins": [] + "clientRoles": { + "realm-management": [ + "realm-admin" + ], + "kafka": [ + "kafka-admin" + ] + } }, { - "alwaysDisplayInConsole": false, - "attributes": { - "client.secret.creation.time": "1739866545", - "post.logout.redirect.uris": "http://127.0.0.1:8080/", - "realm_client": "false" - }, - "authenticationFlowBindingOverrides": {}, - "bearerOnly": false, - "clientAuthenticatorType": "client-secret", - "clientId": "camel-client", - "consentRequired": false, - "defaultClientScopes": [ - "service_account", - "web-origins", - "acr", - "roles", - "profile", - "basic", - "email" - ], - "directAccessGrantsEnabled": false, + "username": "service-account-kafka-broker", "enabled": true, - "frontchannelLogout": false, - "fullScopeAllowed": true, - "id": "528c7a81-f7e2-40d9-9745-5af73e16e2d6", - "implicitFlowEnabled": false, - "nodeReRegistrationTimeout": -1, - "notBefore": 0, - "optionalClientScopes": [ - "address", - "phone", - "organization", - "offline_access", - "microprofile-jwt" - ], - "protocol": "openid-connect", - "publicClient": false, - "redirectUris": [ - "http://127.0.0.1:8080/auth" - ], - "secret": "camel-client-secret", - "serviceAccountsEnabled": true, - "standardFlowEnabled": true, - "surrogateAuthRequired": false, - "webOrigins": [ - "http://127.0.0.1:8080" - ] + "email": "service-account-kafka-broker@placeholder.org", + "serviceAccountClientId": "kafka-broker", + "clientRoles": { + "kafka" : 
["kafka-admin"] + } }, { - "alwaysDisplayInConsole": false, - "attributes": { - "realm_client": "true" - }, - "authenticationFlowBindingOverrides": {}, - "bearerOnly": true, - "clientAuthenticatorType": "client-secret", - "clientId": "realm-management", - "consentRequired": false, - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "basic", - "email" - ], - "directAccessGrantsEnabled": false, + "username": "service-account-kafka-producer-client", "enabled": true, - "frontchannelLogout": false, - "fullScopeAllowed": false, - "id": "b517865c-a141-4ff2-8462-d7b55e040dab", - "implicitFlowEnabled": false, - "name": "${client_realm-management}", - "nodeReRegistrationTimeout": 0, - "notBefore": 0, - "optionalClientScopes": [ - "address", - "phone", - "organization", - "offline_access", - "microprofile-jwt" - ], - "protocol": "openid-connect", - "publicClient": false, - "redirectUris": [], - "serviceAccountsEnabled": false, - "standardFlowEnabled": true, - "surrogateAuthRequired": false, - "webOrigins": [] + "email": "service-account-kafka-producer-client@placeholder.org", + "serviceAccountClientId": "kafka-producer-client" }, { - "alwaysDisplayInConsole": false, - "attributes": { - "client.use.lightweight.access.token.enabled": "true", - "pkce.code.challenge.method": "S256", - "post.logout.redirect.uris": "+", - "realm_client": "false" - }, - "authenticationFlowBindingOverrides": {}, - "baseUrl": "/admin/camel/console/", - "bearerOnly": false, - "clientAuthenticatorType": "client-secret", - "clientId": "security-admin-console", - "consentRequired": false, - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "basic", - "email" - ], - "directAccessGrantsEnabled": false, + "username": "service-account-kafka-consumer-client", "enabled": true, - "frontchannelLogout": false, - "fullScopeAllowed": true, - "id": "e92f2b26-aa13-46fe-84e8-3d0e86bed8d4", - "implicitFlowEnabled": false, - "name": "${client_security-admin-console}", 
- "nodeReRegistrationTimeout": 0, - "notBefore": 0, - "optionalClientScopes": [ - "address", - "phone", - "organization", - "offline_access", - "microprofile-jwt" - ], - "protocol": "openid-connect", - "protocolMappers": [ - { - "config": { - "access.token.claim": "true", - "claim.name": "locale", - "id.token.claim": "true", - "introspection.token.claim": "true", - "jsonType.label": "String", - "user.attribute": "locale", - "userinfo.token.claim": "true" - }, - "consentRequired": false, - "id": "17841641-7b03-43c8-8307-596bd2572ffc", - "name": "locale", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper" - } - ], - "publicClient": true, - "redirectUris": [ - "/admin/camel/console/*" - ], - "rootUrl": "${authAdminUrl}", - "serviceAccountsEnabled": false, - "standardFlowEnabled": true, - "surrogateAuthRequired": false, - "webOrigins": [ - "+" - ] + "email": "service-account-kafka-consumer-client@placeholder.org", + "serviceAccountClientId": "kafka-consumer-client", + "clientRoles": { + "kafka" : ["kafka-topic:superapp_*:consumer"] + } } ], - "components": { - "org.keycloak.keys.KeyProvider": [ - { - "config": { - "priority": [ - "100" - ] - }, - "id": "0ebda9b5-8bc8-4d8e-897f-b1dbb6b37a92", - "name": "rsa-generated", - "providerId": "rsa-generated", - "subComponents": {} - }, - { - "config": { - "active": [ - "true" - ], - "algorithm": [ - "RSA-OAEP" - ], - "enabled": [ - "false" - ], - "keySize": [ - "2048" - ], - "priority": [ - "100" - ] - }, - "id": "f52a4515-1e39-4cb4-b51f-4430568e2b90", - "name": "rsa-enc-generated", - "providerId": "rsa-enc-generated", - "subComponents": {} - }, + "roles": { + "realm": [ { - "config": { - "priority": [ - "100" - ] - }, - "id": "2163323c-747b-4ad6-85a2-4e6307fb30fd", - "name": "aes-generated", - "providerId": "aes-generated", - "subComponents": {} + "name": "user", + "description": "User privileges" }, { - "config": { - "algorithm": [ - "HS512" - ], - "priority": [ - "100" - ] - }, - "id": 
"bec37f80-4e3f-4469-81c6-08f27ee41f28", - "name": "hmac-generated-hs512", - "providerId": "hmac-generated", - "subComponents": {} + "name": "admin", + "description": "Administrator privileges" } ], - "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ - { - "config": { - "max-clients": [ - "200" - ] - }, - "id": "7774d67c-b440-4477-9ee7-8d1d5239fd80", - "name": "Max Clients Limit", - "providerId": "max-clients", - "subComponents": {}, - "subType": "anonymous" - }, - { - "config": { - "client-uris-must-match": [ - "true" - ], - "host-sending-registration-request-must-match": [ - "true" - ] - }, - "id": "d78cce55-836a-4c91-8e7c-6233b70b4ed0", - "name": "Trusted Hosts", - "providerId": "trusted-hosts", - "subComponents": {}, - "subType": "anonymous" - }, - { - "config": {}, - "id": "bb69f779-b16f-40fc-925b-3c670233a29b", - "name": "Full Scope Disabled", - "providerId": "scope", - "subComponents": {}, - "subType": "anonymous" - }, - { - "config": { - "allow-default-scopes": [ - "true" - ] - }, - "id": "32e6dcdd-874f-4c9d-b31c-2fd869900b6c", - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subComponents": {}, - "subType": "authenticated" - }, - { - "config": {}, - "id": "ab34db59-db6f-4037-b896-c98ad1b6a87a", - "name": "Consent Required", - "providerId": "consent-required", - "subComponents": {}, - "subType": "anonymous" - }, - { - "config": { - "allowed-protocol-mapper-types": [ - "saml-user-property-mapper", - "saml-role-list-mapper", - "oidc-usermodel-attribute-mapper", - "oidc-address-mapper", - "saml-user-attribute-mapper", - "oidc-usermodel-property-mapper", - "oidc-full-name-mapper", - "oidc-sha256-pairwise-sub-mapper" - ] - }, - "id": "d7fa36e0-89ac-4b1a-8b1f-4cb32af415d8", - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subComponents": {}, - "subType": "authenticated" - }, - { - "config": { - "allow-default-scopes": [ - "true" - ] + "client": { + "kafka": [ + { 
+ "name": "kafka-admin", + "description": "Kafka administrator - can perform any action on any Kafka resource", + "clientRole": true }, - "id": "a12a2c6c-531c-4c3b-9254-43fba109cab3", - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subComponents": {}, - "subType": "anonymous" - }, - { - "config": { - "allowed-protocol-mapper-types": [ - "saml-user-property-mapper", - "oidc-full-name-mapper", - "oidc-address-mapper", - "oidc-usermodel-property-mapper", - "oidc-sha256-pairwise-sub-mapper", - "saml-role-list-mapper", - "saml-user-attribute-mapper", - "oidc-usermodel-attribute-mapper" - ] + { + "name": "kafka-topic:superapp_*:owner", + "description": "Owner of topics that begin with 'superapp_' prefix. Can perform any operation on these topics.", + "clientRole": true }, - "id": "03d3362c-0f3c-4d47-a983-1a14cd383bb0", - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subComponents": {}, - "subType": "anonymous" - } - ] - }, - "defaultDefaultClientScopes": [ - "role_list", - "saml_organization", - "profile", - "email", - "roles", - "web-origins", - "acr", - "basic" - ], - "defaultOptionalClientScopes": [ - "offline_access", - "address", - "phone", - "microprofile-jwt", - "organization" - ], - "defaultRole": { - "clientRole": false, - "composite": true, - "containerId": "2f6145a3-ea79-4b1e-bf79-ee52fd535391", - "description": "${role_default-roles}", - "id": "ffe65c82-b0e5-4f42-b2cc-3f887563c6a8", - "name": "default-roles-camel" + { + "name": "kafka-topic:superapp_*:consumer", + "description": "Consumer of topics that begin with 'superapp_' prefix. 
Can perform READ, and DESCRIBE on these topics.", + "clientRole": true + } + ] + } }, - "defaultSignatureAlgorithm": "RS256", - "directGrantFlow": "direct grant", - "dockerAuthenticationFlow": "docker auth", - "duplicateEmailsAllowed": false, - "editUsernameAllowed": false, - "enabled": true, - "enabledEventTypes": [], - "eventsEnabled": false, - "eventsListeners": [ - "jboss-logging" - ], - "failureFactor": 30, - "firstBrokerLoginFlow": "first broker login", - "id": "2f6145a3-ea79-4b1e-bf79-ee52fd535391", - "identityProviderMappers": [], - "identityProviders": [], - "internationalizationEnabled": false, - "keycloakVersion": "26.1.2", - "localizationTexts": {}, - "loginWithEmailAllowed": true, - "maxDeltaTimeSeconds": 43200, - "maxFailureWaitSeconds": 900, - "maxTemporaryLockouts": 0, - "minimumQuickLoginWaitSeconds": 60, - "notBefore": 0, - "oauth2DeviceCodeLifespan": 600, - "oauth2DevicePollingInterval": 5, - "offlineSessionIdleTimeout": 2592000, - "offlineSessionMaxLifespan": 5184000, - "offlineSessionMaxLifespanEnabled": false, - "organizationsEnabled": false, - "otpPolicyAlgorithm": "HmacSHA1", - "otpPolicyCodeReusable": false, - "otpPolicyDigits": 6, - "otpPolicyInitialCounter": 0, - "otpPolicyLookAheadWindow": 1, - "otpPolicyPeriod": 30, - "otpPolicyType": "totp", - "otpSupportedApplications": [ - "totpAppFreeOTPName", - "totpAppGoogleName", - "totpAppMicrosoftAuthenticatorName" - ], - "permanentLockout": false, - "quickLoginCheckMilliSeconds": 1000, - "realm": "camel", - "refreshTokenMaxReuse": 0, - "registrationAllowed": false, - "registrationEmailAsUsername": false, - "registrationFlow": "registration", - "rememberMe": false, - "requiredActions": [ - { - "alias": "CONFIGURE_TOTP", - "config": {}, - "defaultAction": false, - "enabled": true, - "name": "Configure OTP", - "priority": 10, - "providerId": "CONFIGURE_TOTP" - }, - { - "alias": "TERMS_AND_CONDITIONS", - "config": {}, - "defaultAction": false, - "enabled": false, - "name": "Terms and Conditions", 
- "priority": 20, - "providerId": "TERMS_AND_CONDITIONS" - }, - { - "alias": "UPDATE_PASSWORD", - "config": {}, - "defaultAction": false, - "enabled": true, - "name": "Update Password", - "priority": 30, - "providerId": "UPDATE_PASSWORD" - }, + "scopeMappings": [ { - "alias": "UPDATE_PROFILE", - "config": {}, - "defaultAction": false, - "enabled": true, - "name": "Update Profile", - "priority": 40, - "providerId": "UPDATE_PROFILE" + "client": "kafka-broker", + "roles": [ + "offline_access" + ] }, { - "alias": "VERIFY_EMAIL", - "config": {}, - "defaultAction": false, - "enabled": true, - "name": "Verify Email", - "priority": 50, - "providerId": "VERIFY_EMAIL" + "client": "kafka-producer-client", + "roles": [ + "offline_access" + ] }, { - "alias": "delete_account", - "config": {}, - "defaultAction": false, - "enabled": false, - "name": "Delete Account", - "priority": 60, - "providerId": "delete_account" + "client": "kafka-consumer-client", + "roles": [ + "offline_access" + ] }, { - "alias": "webauthn-register", - "config": {}, - "defaultAction": false, - "enabled": true, - "name": "Webauthn Register", - "priority": 70, - "providerId": "webauthn-register" - }, + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clientScopeMappings": { + "kafka": [ + { + "client": "kafka-broker", + "roles": [ + "kafka-admin" + ] + }, + { + "client": "kafka-consumer-client", + "roles": [ + "kafka-topic:superapp_*:consumer" + ] + }, + { + "client": "kafka-producer-client", + "roles": [ + "kafka-topic:superapp_*:owner" + ] + } + ] + }, + "clients": [ { - "alias": "webauthn-register-passwordless", - "config": {}, - "defaultAction": false, + "clientId": "camel-client", "enabled": true, - "name": "Webauthn Register Passwordless", - "priority": 80, - "providerId": "webauthn-register-passwordless" + "clientAuthenticatorType": "client-secret", + "secret": "camel-client-secret", + "publicClient": false, + "bearerOnly": false, + "standardFlowEnabled": true, + 
"implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "consentRequired" : false, + "fullScopeAllowed" : false, + "redirectUris": [ + "http://127.0.0.1:8080/auth" + ], + "attributes": { + "post.logout.redirect.uris": "http://127.0.0.1:8080/" + } }, { - "alias": "VERIFY_PROFILE", - "config": {}, - "defaultAction": false, + "clientId": "kafka", "enabled": true, - "name": "Verify Profile", - "priority": 90, - "providerId": "VERIFY_PROFILE" + "publicClient": true, + "bearerOnly": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "consentRequired" : false, + "fullScopeAllowed" : false }, { - "alias": "delete_credential", - "config": {}, - "defaultAction": false, + "clientId": "kafka-broker", "enabled": true, - "name": "Delete Credential", - "priority": 100, - "providerId": "delete_credential" + "clientAuthenticatorType": "client-secret", + "secret": "kafka-broker-secret", + "publicClient": false, + "bearerOnly": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "consentRequired" : false, + "fullScopeAllowed" : false, + "attributes": { + "access.token.lifespan": "32140800" + } }, { - "alias": "update_user_locale", - "config": {}, - "defaultAction": false, - "enabled": true, - "name": "Update User Locale", - "priority": 1000, - "providerId": "update_user_locale" - } - ], - "requiredCredentials": [ - "password" - ], - "resetCredentialsFlow": "reset credentials", - "resetPasswordAllowed": false, - "revokeRefreshToken": false, - "scopeMappings": [ - { - "clientScope": "offline_access", - "roles": [ - "offline_access" - ] - } - ], - "smtpServer": {}, - "sslRequired": "external", - "ssoSessionIdleTimeout": 1800, - "ssoSessionIdleTimeoutRememberMe": 0, - "ssoSessionMaxLifespan": 36000, - "ssoSessionMaxLifespanRememberMe": 0, - 
"supportedLocales": [], - "userManagedAccessAllowed": false, - "users": [ - { - "createdTimestamp": 1739866545416, - "disableableCredentialTypes": [], - "emailVerified": false, + "clientId": "kafka-producer-client", "enabled": true, - "id": "b69d3c34-dda3-47b6-9ce9-0010f756cde4", - "notBefore": 0, - "requiredActions": [], - "serviceAccountClientId": "camel-client", - "totp": false, - "username": "service-account-camel-client" + "clientAuthenticatorType": "client-secret", + "secret": "kafka-producer-client-secret", + "publicClient": false, + "bearerOnly": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "consentRequired" : false, + "fullScopeAllowed" : false, + "attributes": { + "access.token.lifespan": "36000" + } }, { - "username": "alice", + "clientId": "kafka-consumer-client", "enabled": true, - "email": "alice@example.com", - "emailVerified": true, - "firstName": "Alice", - "lastName": "Brown", - "credentials": [ - { - "type": "password", - "value": "alice" - } - ] + "clientAuthenticatorType": "client-secret", + "secret": "kafka-consumer-client-secret", + "publicClient": false, + "bearerOnly": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "consentRequired" : false, + "fullScopeAllowed" : false, + "attributes": { + "access.token.lifespan": "32140800" + } } - ], - "verifiableCredentialsEnabled": false, - "verifyEmail": false, - "waitIncrementSeconds": 60, - "webAuthnPolicyAcceptableAaguids": [], - "webAuthnPolicyAttestationConveyancePreference": "not specified", - "webAuthnPolicyAuthenticatorAttachment": "not specified", - "webAuthnPolicyAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyCreateTimeout": 0, - "webAuthnPolicyExtraOrigins": [], - "webAuthnPolicyPasswordlessAcceptableAaguids": [], - "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not 
specified", - "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", - "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyPasswordlessCreateTimeout": 0, - "webAuthnPolicyPasswordlessExtraOrigins": [], - "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", - "webAuthnPolicyPasswordlessRpEntityName": "keycloak", - "webAuthnPolicyPasswordlessRpId": "", - "webAuthnPolicyPasswordlessSignatureAlgorithms": [ - "ES256", - "RS256" - ], - "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", - "webAuthnPolicyRequireResidentKey": "not specified", - "webAuthnPolicyRpEntityName": "keycloak", - "webAuthnPolicyRpId": "", - "webAuthnPolicySignatureAlgorithms": [ - "ES256", - "RS256" - ], - "webAuthnPolicyUserVerificationRequirement": "not specified" + ] } diff --git a/components/camel-oauth/helm/etc/cluster.crt b/components/camel-oauth/helm/etc/cluster.crt new file mode 100644 index 0000000000000..df065655ad63a --- /dev/null +++ b/components/camel-oauth/helm/etc/cluster.crt 
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF1DCCA7ygAwIBAgIUG1nj2lY4cjhn275nh3491iZZ2eUwDQYJKoZIhvcNAQEL +BQAwaDELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5 +MRUwEwYDVQQKDAxPcmdhbml6YXRpb24xDTALBgNVBAsMBFVuaXQxFDASBgNVBAMM +C0NhbWVsIE9BdXRoMB4XDTI1MDMxMDExNDYyMloXDTI2MDMxMDExNDYyMlowaDEL +MAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRUwEwYD +VQQKDAxPcmdhbml6YXRpb24xDTALBgNVBAsMBFVuaXQxFDASBgNVBAMMC0NhbWVs +IE9BdXRoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3PDEVJ9z9S9o +99a6wmgf+LdWoRUGM3rsNWXsVEpHavwRlOU4khwNcNUBfdg3ACnzTxIBeUix8VRS +kDEpLRAuK1IVhoLi+vXbDzl58WqZvK4JSb97TzSlt14Ka4twmli9+A85dDcmxhWm +VAL7qloC5oW1p3eB00mIm3XZAoGqudRzLxaE7aNrZ8Alk6/3PFZZpkf36/iA2XsL +C7qvCPlJ5wi/gh18pLcirabNkbLMtkKERmSUL1verUxQdpR9cMl4m5XaWBRWgoQK +r5hAL1GDebwRlHj+0w2WlWbryHGQK0udakB0i4QHirn/Nttm9mOpZv55FFGbRtbh +GpTYVLRfyNreQ1+n76KwDutoRff8NpWv7jr96GX9PrvqI8xgL5Yd3VHsy6ZbZuuF +K6HM5ELXVlietF/1KGhCephC3hVAHDMeCrF8++Graj8Dzu8DS7I61lpvaT6Qbxjv +8Q48A1VgsTXsEoDiloRJt6cAQSXsv+2/xOsjW8lbmWyWslv4Ib+Qzm6EZ/DGVJ2U +Qdpu3iXf+On+ep10fPTCmS/WrX4lNY866pqwnol9ln0kZQG1577l/e3tjjyIOyAE +ua/B0pXwg72zc97cW0ydA9ABsa6zI2CjzOaK+PFLsvJesQD4yklwUL9BnMViHJfS +2Z8f7IIfbcaMJU8D1oj5C7L9B7kScgUCAwEAAaN2MHQwDgYDVR0PAQH/BAQDAgWg +MBMGA1UdJQQMMAoGCCsGAQUFBwMBMC4GA1UdEQQnMCWCDWNsdXN0ZXIubG9jYWyC +DmtleWNsb2FrLmxvY2FshwR/AAABMB0GA1UdDgQWBBSgrQRoOUiJOt+dN8D7Yd+a +PUD72DANBgkqhkiG9w0BAQsFAAOCAgEAAmjrTVBrI9DUyQvVN6VHwv6lgJZvJvTy +7TWgZUqQULo0Ay1B6m8Dp87i5EasjhYljZ5nm4MS92LcTW+ar3K7JAq43MRN8uVy +4TMeNfZGFAWdcaxFZv5s//mnECE72WTDMUDCEAth7pnLFn43nHLYPyMfkmUJ7Yxy ++sSSD+uwFB8hzxx4T65sBuI1MoUSnDOWssHnNlJZN3/Y/ZMyMsomfjvPDqpv2MO8 +kn2wzT/eXQnmhRe0LktlpyU/dLa59+Md31RAP6YWqUGQftnzT6J2a438NxuqKu8v +PdwlNQ2BFI6gHgYlNwB4ayQlbYMgrKSVcEsF2rgoMT4mSOu+LNwL4tks643npC1p +gg7lCoJywjDz8owKGrY1lhz7ZdgnpdgUcefldw7zCXDPSgUnmgpdMXtvwgVa6G13 +pI/lGlb5UTdbR9HtHnEvfz1FWRBZbaupsM1cQ14rJCyn9EEm8jgU0VsS0P9kJxbQ +HUKwLnN7gGtWvtyW6iIkJmN0OUtgaQxJzWYNBguwEGgGDXBbwYoulgvSbqsnUl3V 
+JhGZ+RIa78r+iaQ4cx2giMtbIH+HmBua7jCNn3ZJtS745kRBb6Sf95HjdSrzEig6 +PkmSt/1wM/s/+BTiZR/XnAz9Lg+DgwqrdcA350PKF5D/RNQSxc2x54jkp9nrUT/M +ztaJIfsNLiY= +-----END CERTIFICATE----- diff --git a/components/camel-oauth/helm/etc/cluster.key b/components/camel-oauth/helm/etc/cluster.key new file mode 100644 index 0000000000000..01a889dc67097 --- /dev/null +++ b/components/camel-oauth/helm/etc/cluster.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDc8MRUn3P1L2j3 +1rrCaB/4t1ahFQYzeuw1ZexUSkdq/BGU5TiSHA1w1QF92DcAKfNPEgF5SLHxVFKQ +MSktEC4rUhWGguL69dsPOXnxapm8rglJv3tPNKW3Xgpri3CaWL34Dzl0NybGFaZU +AvuqWgLmhbWnd4HTSYibddkCgaq51HMvFoTto2tnwCWTr/c8VlmmR/fr+IDZewsL +uq8I+UnnCL+CHXyktyKtps2Rssy2QoRGZJQvW96tTFB2lH1wyXibldpYFFaChAqv +mEAvUYN5vBGUeP7TDZaVZuvIcZArS51qQHSLhAeKuf8222b2Y6lm/nkUUZtG1uEa +lNhUtF/I2t5DX6fvorAO62hF9/w2la/uOv3oZf0+u+ojzGAvlh3dUezLpltm64Ur +oczkQtdWWJ60X/UoaEJ6mELeFUAcMx4KsXz74atqPwPO7wNLsjrWWm9pPpBvGO/x +DjwDVWCxNewSgOKWhEm3pwBBJey/7b/E6yNbyVuZbJayW/ghv5DOboRn8MZUnZRB +2m7eJd/46f56nXR89MKZL9atfiU1jzrqmrCeiX2WfSRlAbXnvuX97e2OPIg7IAS5 +r8HSlfCDvbNz3txbTJ0D0AGxrrMjYKPM5or48Uuy8l6xAPjKSXBQv0GcxWIcl9LZ +nx/sgh9txowlTwPWiPkLsv0HuRJyBQIDAQABAoICABt44KC5Fv0UwROYIq7LrbYK +bf4nlBbQoRBetQ0iE1FNOI5wFiGs1UsDYWUZfnVJwhRB4+cF0AJ2/rEpO7p7uZHv +affIzJpx+aQh/HS1UZpxdXwzEA0gOb7cNaV7uCuo/y4aDoXR2cNlq8HkgRCEkrnB +RH4nUQBJs2/JLouuPeFPdmcTgMHfwRosfT+o8LAS+KDBcCVqR/NC5nO16c/O146f +uthd/EKq9ufqxsLoHaZIDRSHqxlcbgrUY2jrO9HLa3DFKFotZThjXMTKxKhdlWCM +rw7sIJtzpBa9rnHFFS0dANzWWOeEKj/ossBKdboLWGQTHlEVeJ5NV74rZd7actJW +otvI8V9pitXNFBdpM9moad3/R4WzgbmdzO1EAlXEBcVVlUTpCxblzbOKnA87u7Fn +NzBjQl3TVj2exTNkQRZWinhk9jJlNyUVVx6q9B7lary2qqdzAOjtPNozjGhBQOaB +z9gaVZpZgCSIojfkfVXiO2NU3GxMkvpiiZ5XR/+yxxTN4A0EzQpPZgJTkOQ4PNqy +lvjpa8cZM7a+jrvFfcDe69Tq2v4Ng2Dwjk8v9xXf8fdDgf54OrrPl0D+ATUYBznb +DGJVKZ12ceij+jbP62KKfa1R+FEw4avsi7hhaTm99jf9J/ghGvgcL+mXlM3i777f +nX8KQDUSscx2Ja7/iqBBAoIBAQDz9f9BlzKdIjQj3T8Jj8AlQKod5tMy3NJuaYPh +lL44l3uUNODAUXm6OBnSKtwR5NSmad+PslG1R694RpqxjcKMAcPbtRUzANZLxJ0z +GF5LEwrqLGpJ8pB15qApmKmS+Qzffx1r8h/ziy266Xg/gkmN63SdqBihUPbE1crc +lC++1tMKBnainOyByFkdyXbw2y2pE05LVWnryhhsLFotgY0W0I+Ovgz6QqfE79KU +WWMFuFFpchKoe9bKmucfQXnDjWaU++3GRXSSx2nRQfjaRZBAL+z3vJcUXuikwMVd +tEUrq0dj95lCu7RRqRXESWfQu280YoX5ANKGY/j6uLFZtU0RAoIBAQDn1/LSadHi +RHVoA4TtYPgckmABZbcEViN/d2sEOM4fTnvF3gotkgyUVVouZI7XivV2f9zPa6zl 
+LbfmD9xts/cVolN7UZzgMM3tRYoyM5A1oCwm/ZjGDGu/eUvaqRMGEVJCb0jkITqf +XkBC5WpZs42agPvR90B8eeB2rvBUDwAFWfW1M44yK1HKS9bYAGs5YhEbOyvOSGZp +K0VpvaqsOohPzip1KKr9W3bPmgTM2qd/qal0lAzFXRBqFRQGZSuDnrYsIjJjvEv5 +aA4br8UT0S1ImBIVBKF4z1xQFBL/GxQ0i/UNASdSLHq1r3E/4yHmtpcUNWnwSFaS +Tzufqh35x6W1AoIBAQDL0kC6qfntckAhnp0l/eXIuefnJ4xYOEnPWXSHqV/rpBPp +VOxZgTi0Ll7USl6mzIolptrTEWZWkFe3ozVnFkrt8iOSkg3uGMrxbojvwXI2Quih +kQ4UTgYHmvFBD3zNgCoTJ/6KyzWKokNIn/qJBO8zFP7PITvCuwQQm5XrCBuD07Np +8tB3N6gZHivmSQWIYXYahjipk+j0yFnzNnL5Bf28i+8EkSACjmHglYVXz/59LutF +r7qK7Twc9aIXaPq0OJT18C1Ns4Wbg+OSow2oPuov1lqi9/s5V7oCu9OpYA1SWL1C +dgCj0nLqrtuyrKmBqLdWCuJnkRpSkX/Y6SmzC1ghAoIBAQCXxu/YgB4/GsIhzev/ +2zOSwODJCWW/GQU0NWGB6g5GwIKXDr1rB+nkUdwv8vTwdrArW5ma0MrnXf6+RjPw +PZjMOPCeEte4jTrC0nueUdNex/UfsXWKcic3upjGFVm25zAK/f+iGX7fRjybjsUI +5FsXgslYs50r4D3qdKww24EP/8yzS4UTovhwjyWfUubfMiwwv5P1/7/LqeBPUTOi +fM8wL6/r8yu9oVsunY327k4pbVDaWPHjYwGT8Sii5yiNiiGI0vpaALNcG5rg1TkX +uCEFHUj5KYbsKBQu+HVXPMsFe3p5gP/U8/mBZ9GkGXXgLDjLqgwombLTJbvK0vu8 +wc7hAoIBAQCiUUl9oQhyHJ+Ixu02s+Ym6h5LMAH/I/S7m76LV8x3NSZMepU6jZjd +LnULDsN7ZdbFGCLnjqr6c0xG00bR1ptL4V5yba8xqhCOLXazXUamP2uJISHPSauy +2DT0paNr/2ksBL/pEkv8okA6jpbmCj/y4m48AkE8dWo3HR2kRiv6UXTtzlPrIYBl +2gEBsZOqvuvzsAjzGnL0dZDoqP7/HK6plUHwTlvg15lPJmnbNj0jmtn+3OAVKOws +myUTdDO7p4XkRRGPHedip9SXiVoBVJxmcopHhmYihyyJc1Dk/yxE7KDq5Hnla5XT +nrJv2Z4xG1KIkEOjCOn+klnstOI9tboD +-----END PRIVATE KEY----- diff --git a/components/camel-oauth/helm/etc/keycloak.crt b/components/camel-oauth/helm/etc/keycloak.crt deleted file mode 100644 index 09b59c8d3e351..0000000000000 --- a/components/camel-oauth/helm/etc/keycloak.crt +++ /dev/null 
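Review bot: A TLS private key is committed in clear text here, and the matching cluster.crt in the same change is what this chart turns into the ingress TLS secret, so anyone who can read this repository can impersonate `keycloak.local` and `cluster.local` toward every developer or tooling that has been taught to trust that certificate. Treat the key as compromised regardless of its dev-only intent: generate it locally at setup time, add `helm/etc/*.key` to `.gitignore`, and make the chart fail loudly when the file is absent instead of shipping one shared key. A short comment next to the generation step saying the key must never be committed would help the next contributor.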
@@ -1,33 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFyzCCA7OgAwIBAgIUFVvwaM91yqF60c5zGcXkBfmTRKEwDQYJKoZIhvcNAQEL -BQAwazELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5 -MRUwEwYDVQQKDAxPcmdhbml6YXRpb24xDTALBgNVBAsMBFVuaXQxFzAVBgNVBAMM -DmtleWNsb2FrLmxvY2FsMB4XDTI1MDIxNzEwNDkxMFoXDTI2MDIxNzEwNDkxMFow -azELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRUw -EwYDVQQKDAxPcmdhbml6YXRpb24xDTALBgNVBAsMBFVuaXQxFzAVBgNVBAMMDmtl -eWNsb2FrLmxvY2FsMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqr5n -fYTJJ+4O7naJ59FPxAlz4vshjpUgLlizDQ3VgL20lS/XDtX/sId50LFTYJiXeh0p -TDPSzVYJr6s5mMfOgLxdgLlp6d2kbj2FVhlDKLdkUnELdro/yLuUbLcwI/brNiTO -JWo5UbneL8RWuwsOCSI0YHiKX3T+xq3S6fZ2Sp7pZeiNoMXsDKh6t9TQRtvOwTPz -z6DWSpeEEfNpx4HsSp0DMkL+sEnxbX0eDBGsQbCr3NEvxFttZoASpXkvTEmbPs9n -Ebm7LYRjthIbGUfRP1DMPBR1RcFhqNpwERGAzhTe+2FLlSFNjsKo3JNyo+hhCUhW -Z773qacai3lZO3oNt514Ic/NzsHuG1+Ge4VXWjyVUqjBkxXzrwvWO6AuVAwJOnWo -w9ys3r3M622/KB6SWtdC1WkRlRc9dt9G8WceRv4LAUv5qt7dmS8+pq0UTBoLn5DS -2TJBwlSkpi5vWEIUeKRl/qUfKzRr/sDLMjC/qrlsWPkFS9+ooFsWBtuGNz29T0b7 -gXGplA05hy5QM/biLxWLK0SgqpQ/znIOAT93i4f/cM1EfleF8yFqELd+LzfHlJka -2CQfOY0cwsKKUPdbLlMt/VddvNILN84RrtbbwwJ55poRiBSfx1lkODw5sm4lTPF8 -f8XOo8wwlmoVkn9rJlqkq5xZBlAsIW+8dwt8vA8CAwEAAaNnMGUwDgYDVR0PAQH/ -BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBaCDmtleWNsb2Fr -LmxvY2FshwR/AAABMB0GA1UdDgQWBBQ6xZaBawT/6XxXK5bMcJNqyE7OgjANBgkq -hkiG9w0BAQsFAAOCAgEAXGk3i4C8tmcqgR48ziU6WIE/lFcOfcd8ITahdCvrgMLv -yUYO/POS24fi+djWmMvBYojiOPuvY8EyKyg2+CSAfmMRxcZIQHHz8EG8awzZwzVf -IamGKo2rVdB/p3wgut9EreGkHQ9jpPM0TFwT/ei4GULjYIrhcqjDNyOCtGaIn5Qt -Mm3IghOLfrEj7WYwNSBhpC++hd6Q7FXKwa41Dgar6GKjDn2QHEgPGks225MX+WPl -ZbCdJO9+Heez3UejDJ484ZuxgxpbMgG2Uq1knaE+K5yIbk2h/GlX0nceMb0r7Wbb -53IennDQEZETG2k3tMSF4ez2WLHOP993T7zZVs5Wfl7hpQZ7yA4LteOPFCE0KcfC -zj0Svz+w5Iu5GSbVUpG6qSxl5S/xEVsUYwZJvlKfz4reentd8Z717fhaxtaUZxKm -SoCkMVbAwiolBVgeOkvpasXd1q+rrwCEJYjUK9T5hThTXtQThKii0FgE3n91JAnC -Is/dCvLDea8SYlpiyVpaC6sxFtZr99GDE+Vj9radPAJWQl2XO5o5uiCdvqVugXvy 
-p2N3HJAQdklSEkUcl7xE73sGjfI1Wpdi/KYiFsiLmm/+hymug7S0Ll9X6mHbakvk -nEZlZVWg0HXYhpI+LsUPCca+qEOxOEwqNKtL0CKjfcyYhOn18pRHCQr7AFJeZYs= ------END CERTIFICATE----- diff --git a/components/camel-oauth/helm/etc/keycloak.key b/components/camel-oauth/helm/etc/keycloak.key deleted file mode 100644 index 154101357fbda..0000000000000 --- a/components/camel-oauth/helm/etc/keycloak.key +++ /dev/null 
@@ -1,52 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCqvmd9hMkn7g7u -donn0U/ECXPi+yGOlSAuWLMNDdWAvbSVL9cO1f+wh3nQsVNgmJd6HSlMM9LNVgmv -qzmYx86AvF2AuWnp3aRuPYVWGUMot2RScQt2uj/Iu5RstzAj9us2JM4lajlRud4v -xFa7Cw4JIjRgeIpfdP7GrdLp9nZKnull6I2gxewMqHq31NBG287BM/PPoNZKl4QR -82nHgexKnQMyQv6wSfFtfR4MEaxBsKvc0S/EW21mgBKleS9MSZs+z2cRubsthGO2 -EhsZR9E/UMw8FHVFwWGo2nAREYDOFN77YUuVIU2Owqjck3Kj6GEJSFZnvveppxqL -eVk7eg23nXghz83Owe4bX4Z7hVdaPJVSqMGTFfOvC9Y7oC5UDAk6dajD3Kzevczr -bb8oHpJa10LVaRGVFz1230bxZx5G/gsBS/mq3t2ZLz6mrRRMGgufkNLZMkHCVKSm -Lm9YQhR4pGX+pR8rNGv+wMsyML+quWxY+QVL36igWxYG24Y3Pb1PRvuBcamUDTmH -LlAz9uIvFYsrRKCqlD/Ocg4BP3eLh/9wzUR+V4XzIWoQt34vN8eUmRrYJB85jRzC -wopQ91suUy39V1280gs3zhGu1tvDAnnmmhGIFJ/HWWQ4PDmybiVM8Xx/xc6jzDCW -ahWSf2smWqSrnFkGUCwhb7x3C3y8DwIDAQABAoICAD5z+b+4J6nS0iRYOHYSIhaH -DJvsFqikFErPh+KQ+lSmTxy4jHWxQd6slxqGGgS9m75/VyE33XXc8BsQyrb+8qI1 -BBB3AW4Y87GdEB3fjKiid/ANyE8rrfP65L3lPZcSFJPP35Vg5sllbodTThQJZZ9i -ovzcamSjEyPR5dFNJJSDzsRHTTKO4pn4sDZ4gZxBfz09BwOdhXRwOk8klT7z312l -U8t5JNaPnV7agniQqEy41gwlec7dUEVLOEbNbkb9r2rIix85K+VoxN4Ofln/YmLB -54pcQ075/oI4MACWQeJfUPZq7q4EKe27du+DgU3BzGiMTIqTF9y2sidtAf4W1VgH -1Pi4dIhcy4wKTVY7vu1dHjJfLgScecHUc09OXqBz1ChCJ+N4Wm1Ft0GawWIP8W23 -BuoWZXuCJYvN7QUPhypNQe+v2tlI0E0VxWMU25SPB7zs4ugXZxhqagDOEuUIb61T -zSGQTCdJuapFQr+wm1UEdBYTnSKezIM3vToQ/tAviRgGv8r0nYSMBgaO/A3OIHWW -RiPVlPvTDf+A3f97atuEKnr84gs8ONEISneN+tDdWIgZKscnhIO/77IAyBO913rT -ZInnUUwizpIbg3D30hWnr+QF6R3/wZ49OcA6P4TS4KjFexuaMxnQsr/Rpxr85vXn -SFx+hYXaOPyuDpOQRJXBAoIBAQDoXAC7rODhRCX6vgEVFhwFJYGIS5dTV5kcsfAx -QXBads8m7W+XmNHBLE5qqs1Lrta1gWzM0beZeuN5+NX+zT4f/ey6TSVFy78jA033 -xYZCD64tq04aTwAIVSzl6GbGESFH7NbuIOiCYvK1YYgEeJb+ShVXq/JES17b0v6P -bfN0CJIqBgaXXNv6k+niJeyYgoXKkBLyM4C1yUq2yG0CPnoFfJjA9VXqtmioDwae -uSM330Dgjeu0/X2Ie7NvkPHIuyF15P/tlqIw/4JBSVG1JR58hsmzS62lMuargIki -ufiY3PXZOmaAEt0BUL/rIBS/chTIrO9nKCpXZYHUkLMGbEnPAoIBAQC8HZIDdfco -58L/2/e7qlT9Yhlxfdnb0dj8Ibfb2vzGSekqaON7j2P5U8GHqevGxIy38XFwWI6P 
-Df/KmcEeUSHwH5PbwZR+bz0HTxa//ZxU9h4ovt1WVcTnXAOqXSSoBTktIHbvW0K+ -q2UBHMCqSzFQqN3KNLkC9TerX5zH0PpsIstJSnKsX5kwDpzoWXOjURTquFkRiQmj -aHW+NsS2r6sp/XJRbPUWKctyMJXY5zuuY0jIeuS1tFZyg89NOk6tlZJwDYeKmpqK -NKu1QGT/5DIYsbBf7FkSg4M4ebPfj5LDi1tcEscTVISLl9vfwIUn68DpbGS37WC4 -Az7uTTZOdjnBAoIBAQDWBbBTLaixNUE6VPrQPl4uy14leWL4TC5mxOs1o03mtZqX -A4qO+x7xLGtKSurv9ComYwEhI2ZWg1+1wGLz4H6BnzUGYPqc8E+s42VUfGbuwFyy -CiDVkMC57CJ/3fGULMEX6+oIytz/BD8EnMJZQ+3oabqA14s+JqJIHm+FE0R0M1TW -SliV4N1qUAXU3ROxYj/z1YLt/kxmpPMhqzjlIUDpftuAmDm8CKobakOxvVvYIdYz -P+XE/tw6853SfJKITv1CB11IrT/Vm/ORSQRusrMDBnAQqvtVt63KeIlYKC34N0Zo -ASfafgV9KbCs1Q7nTCAiu0+EF/XwLDpK3cFYgDP3AoIBAQCCrewcGVvcf7v38AAV -z0sBRp+0NqAcU5fv9yB5S5Rjzz555ql40XC66JM9wi33Q90Zf1G1oN9Pw4LZZJxC -ikwQOm+FruGQP4hexnNgZjau0ta6qXSrICQMMOCe/duUGSTSE4Zr2rLwL7KX5jh1 -VIzqopSIfr2zr1O/6kjIioUcj8M2o9ArrLGHL++SfWmWn6HvOKcvRkp6yPtaa0OW -QUyfe+Bpbk6H2frp1ZSTPHc6OuB53N162M9g9+4PkRzM+2XiD5QEFkibD+HkpNpE -5WpjuzRyPobWFKQYnHr3KA7lZq7NtIG1DPaS3qiwtFYMGHtH7LO/Ddktm5uhAeRi -90BBAoIBADc3wftpVYj2shAmU+0SSxYRHSXPb3Kgha/vrihNHLvp2ZwBp//6jXuk -5ZpNgwe8T3Z6VAfvD1RXgvmb1GQviHCmtzsKVjgJnsxj8sOvpMBAvzupg6fxjG5R -nJX9Vpks4TEunhnIWWGibEvbu7KKQXl/Wy9XDQdEsX9sjwnW5e0uAstWngHRFJOY -u1KF4yfH/XhbKFLqku4s/xtNd/rAijfxs/k0BA5r+JVdoJ6ZykEe3hBRTp1DJ725 -hfg4yNcELG25uwcvaTeKnph1TqdFRwC37Kb+QNNG7GYpB+g7QsH4fLFAuZRVYHxo -NllR/NTnsleE+4jwx8GMlvFvto+9/aw= ------END PRIVATE KEY----- diff --git a/components/camel-oauth/helm/etc/san.cnf b/components/camel-oauth/helm/etc/san.cnf index 110a13cd86df8..9a04e08acf395 100644 --- a/components/camel-oauth/helm/etc/san.cnf +++ b/components/camel-oauth/helm/etc/san.cnf @@ -10,7 +10,7 @@ ST = State L = City O = Organization OU = Unit -CN = keycloak.local +CN = Camel OAuth [ v3_req ] keyUsage = critical, digitalSignature, keyEncipherment @@ -18,5 +18,6 @@ extendedKeyUsage = serverAuth subjectAltName = @alt_names [ alt_names ] -DNS.1 = keycloak.local +DNS.1 = cluster.local +DNS.2 = keycloak.local IP.1 = 127.0.0.1 
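Review bot: `DNS.1 = cluster.local` picks a hostname that is also the default Kubernetes cluster DNS domain, so inside the cluster (unless the cluster domain was changed) CoreDNS is authoritative for that name and will never resolve it to the ingress, while on the host it relies on an `/etc/hosts` entry; the two views of the same name will disagree. Prefer a name outside the cluster domain for the ingress certificate, e.g. `DNS.1 = camel.local`, and keep `keycloak.local` as the second SAN. The CN change to `Camel OAuth` is fine since modern clients match on SANs only.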
diff --git a/components/camel-oauth/helm/scripts/functions.sh b/components/camel-oauth/helm/scripts/functions.sh
new file mode 100644
index 0000000000000..a8568d41c993a
--- /dev/null
+++ b/components/camel-oauth/helm/scripts/functions.sh
@@ -0,0 +1,34 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+wait_for_url() {
+ URL=$1
+ MSG=$2
+
+ if [[ $URL == https* ]]; then
+ CMD="curl -k -sL -o /dev/null -w %{http_code} $URL"
+ else
+ CMD="curl -sL -o /dev/null -w %{http_code} $URL"
+ fi
+
+ until [ "200" == "`$CMD`" ]
+ do
+ echo "$MSG ($URL)"
+ sleep 2
+ done
+}
diff --git a/components/camel-oauth/helm/scripts/simple_kafka_config.sh b/components/camel-oauth/helm/scripts/simple_kafka_config.sh
new file mode 100644
index 0000000000000..c724e62694a7e
--- /dev/null
+++ b/components/camel-oauth/helm/scripts/simple_kafka_config.sh
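Review bot: The https branch of `wait_for_url` uses `curl -k`, which disables certificate verification entirely, so the wait reports ready for anything that answers TLS on that name, including a spoofed endpoint. Since this chart ships the certificate that fronts these URLs, verify against it instead: `CMD="curl --cacert ${CA_CERT:?} -sL -o /dev/null -w %{http_code} $URL"` (for a self-signed leaf, pointing `--cacert` at cluster.crt should suffice; worth confirming). The loop also has no upper bound, so a permanently failing URL hangs the caller forever; a retry counter with a non-zero exit would make failures visible. As far as this change shows, the helper is not sourced anywhere yet (the `source` line in start.sh is commented out), so it may be dead code.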
@@ -0,0 +1,120 @@ +#!/bin/bash +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + + +declare -A props + +to_property_name() { + key=$1 + echo ${key:6} | tr _ . | tr [:upper:] [:lower:] +} + +pop_value() { + key=$1 + fallback=$2 + + if [ -z ${props[$key]+x} ] ; then + echo $fallback + else + echo ${props[$key]} + fi + unset props[$key] +} + +# +# This function allows you to encode as KAFKA_* env vars property names that contain characters invalid for env var names +# You can use: +# KAFKA_LISTENER_NAME_CLIENT_SCRAM__2DSHA__2D256_SASL_JAAS_CONFIG=something +# +# Which will first be converted to: +# KAFKA_LISTENER_NAME_CLIENT_SCRAM%2DSHA%2D256_SASL_JAAS_CONFIG=something +# +# And then to: +# KAFKA_LISTENER_NAME_CLIENT_SCRAM-SHA-256_SASL_JAAS_CONFIG=something +# +unescape() { + if [[ "$1" != "" ]]; then + echo "$1" | sed -e "s@__@\%@g" -e "s@+@ @g;s@%@\\\\x@g" | xargs -0 printf "%b" + fi +} + +unset IFS +for var in $(compgen -e); do + if [[ $var == KAFKA_* ]]; then + + case $var in + KAFKA_DEBUG|KAFKA_OPTS|KAFKA_VERSION|KAFKA_HOME|KAFKA_CHECKSUM|KAFKA_LOG4J_OPTS|KAFKA_HEAP_OPTS|KAFKA_JVM_PERFORMANCE_OPTS|KAFKA_GC_LOG_OPTS|KAFKA_JMX_OPTS) ;; + *) + props[$(to_property_name $(unescape $var))]=${!var} + ;; + esac + fi +done + +# +# Generate 
output +# + +if [[ "$1" == "--kraft" ]]; then + # + # Output kraft version of server.properties + # + echo "#" + echo "# strimzi.properties (kraft)" + echo "#" + + echo process.roles=`pop_value process.roles broker,controller` + echo node.id=`pop_value node.id 1` + echo log.dirs=`pop_value log.dirs /tmp/kraft-combined-logs` + +elif [[ "$1" == "" ]]; then + echo "#" + echo "# strimzi.properties" + echo "#" + + echo broker.id=`pop_value broker.id 0` + echo log.dirs=`pop_value log.dirs /tmp/kafka-logs` + echo group.initial.rebalance.delay.ms=`pop_value group.initial.rebalance.delay.ms 0` +else + echo "Unsupported argument: $1" + exit 1 +fi + +echo num.network.threads=`pop_value num.network.threads 3` +echo num.io.threads=`pop_value num.io.threads 8` +echo socket.send.buffer.bytes=`pop_value socket.send.buffer.bytes 102400` +echo socket.receive.buffer.bytes=`pop_value socket.receive.buffer.bytes 102400` +echo socket.request.max.bytes=`pop_value socket.request.max.bytes 104857600` +echo num.partitions=`pop_value num.partitions 1` +echo num.recovery.threads.per.data.dir=`pop_value num.recovery.threads.per.data.dir 1` +echo offsets.topic.replication.factor=`pop_value offsets.topic.replication.factor 1` +echo transaction.state.log.replication.factor=`pop_value transaction.state.log.replication.factor 1` +echo transaction.state.log.min.isr=`pop_value transaction.state.log.min.isr 1` +echo log.retention.hours=`pop_value log.retention.hours 168` +echo log.segment.bytes=`pop_value log.segment.bytes 1073741824` +echo log.retention.check.interval.ms=`pop_value log.retention.check.interval.ms 300000` + +# +# Add what remains of KAFKA_* env vars +# +for K in "${!props[@]}" +do + echo $K=`pop_value $K` +done + +echo diff --git a/components/camel-oauth/helm/scripts/start.sh b/components/camel-oauth/helm/scripts/start.sh new file mode 100644 index 0000000000000..7995bd1184977 --- /dev/null +++ b/components/camel-oauth/helm/scripts/start.sh 
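Review bot: `pop_value` and the final `echo $K=\`pop_value $K\`` expand the property values unquoted, so a value containing `*` or `?` is subject to glob expansion against the working directory and every run of whitespace is collapsed; the multi-line JAAS values passed in via `|-` env vars in kafka.yaml only become valid single-line properties because of that accidental collapse. Make the dependence explicit and remove the glob hazard with `set -f` near the top of the script and a comment such as `# values are deliberately expanded unquoted: newlines in multi-line env vars must fold to one properties line`. The lowercase conversion in `to_property_name` is correct for Kafka's `listener.name.<name>.` prefix but is worth a comment too, since listener names in the env vars are upper-case.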
@@ -0,0 +1,42 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -e
+
+# Get the directory where the start.sh script is located
+SCRIPT_DIR=$(dirname "$(realpath "$0")")
+
+# source ${SCRIPT_DIR}/functions.sh
+
+if [ "$SERVER_PROPERTIES_FILE" == "" ]; then
+ echo "Generating a new strimzi.properties file using ENV vars"
+ ${SCRIPT_DIR}/simple_kafka_config.sh $1 | tee /tmp/strimzi.properties
+else
+ echo "Using provided server.properties file: $SERVER_PROPERTIES_FILE"
+ cp $SERVER_PROPERTIES_FILE /tmp/strimzi.properties
+fi
+
+if [[ "$1" == "--kraft" ]]; then
+ KAFKA_CLUSTER_ID="$(/opt/kafka/bin/kafka-storage.sh random-uuid)"
+ /opt/kafka/bin/kafka-storage.sh format -t $KAFKA_CLUSTER_ID -c /tmp/strimzi.properties
+fi
+
+# add Strimzi kafka-oauth-* jars and their dependencies to classpath
+# export CLASSPATH="/opt/kafka/libs/strimzi/*:$CLASSPATH"
+
+exec /opt/kafka/bin/kafka-server-start.sh /tmp/strimzi.properties
diff --git a/components/camel-oauth/helm/templates/kafka.yaml b/components/camel-oauth/helm/templates/kafka.yaml
new file mode 100644
index 0000000000000..1da36e56fdcc8
--- /dev/null
+++ b/components/camel-oauth/helm/templates/kafka.yaml
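Review bot: `set -e` does not catch a failure of simple_kafka_config.sh because the pipeline's status is that of `tee`, so the script's `Unsupported argument` exit 1 path leaves a truncated /tmp/strimzi.properties and the broker starts anyway; use `set -eo pipefail`. The `tee` also copies the whole generated configuration to stdout, i.e. into the pod log: the JAAS values in this chart carry no secret, but any `oauth.client.secret` or password later supplied through a `KAFKA_*` env var would be logged, so drop the `tee` or redirect it to a file only. `cp $SERVER_PROPERTIES_FILE` should be quoted, `cp "$SERVER_PROPERTIES_FILE" ...`, as should `$1` and `$KAFKA_CLUSTER_ID`.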
@@ -0,0 +1,176 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+{{- with .Values.deployments.kafka }}
+---
+
+# Kafka Scripts ConfigMap
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kafka-scripts
+data:
+ functions.sh: |-
+ {{- $.Files.Get "scripts/functions.sh" | nindent 4 }}
+ simple_kafka_config.sh: |-
+ {{- $.Files.Get "scripts/simple_kafka_config.sh" | nindent 4 }}
+ start.sh: |-
+ {{- $.Files.Get "scripts/start.sh" | nindent 4 }}
+
+# Kafka Deployment
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kafka
+ labels:
+ app.kubernetes.io/name: kafka
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kafka
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: kafka
+ spec:
+ initContainers:
+ - name: kafka-init
+ image: busybox
+ command: ["sh", "-c", "cp /tmp/kafka/scripts/* /opt/kafka/scripts/ && chmod +x /opt/kafka/scripts/*.sh"]
+ volumeMounts:
+ - name: kafka-scripts-configmap
+ mountPath: /tmp/kafka/scripts
+ - name: kafka-scripts
+ mountPath: /opt/kafka/scripts
+ containers:
+ - name: kafka
+ image: quay.io/strimzi/kafka:latest-kafka-3.9.0
+ command: [ "/opt/kafka/scripts/start.sh", "--kraft" ]
+ ports:
+ - containerPort: 9091
+ - containerPort: 9092
+ - containerPort: 9093
+ - containerPort: 9094
+ env:
+ # KRaft settings
+ - name: KAFKA_NODE_ID
+ value: "0"
+ - name: KAFKA_PROCESS_ROLES
+ value: "broker,controller"
+ - name: KAFKA_CONTROLLER_QUORUM_VOTERS
+ value: "0@kafka:9091"
+
+ # Listeners & Security
+ - name: KAFKA_LISTENERS
+ value: "CONTROLLER://:9091,INTERNPLAIN://:9092,INTERNSECURE://:9093,EXTERNSECURE://:9194"
+ - name: KAFKA_ADVERTISED_LISTENERS
+ value: "INTERNPLAIN://:9092,INTERNSECURE://kafka:9093,EXTERNSECURE://127.0.0.1:{{ $.Values.kafkaNodePort }}"
+ - name: KAFKA_LISTENER_SECURITY_PROTOCOL_MAP
+ value: "CONTROLLER:PLAINTEXT,INTERNPLAIN:PLAINTEXT,INTERNSECURE:SASL_PLAINTEXT,EXTERNSECURE:SASL_PLAINTEXT"
+ - name: KAFKA_CONTROLLER_LISTENER_NAMES
+ value: "CONTROLLER"
+ - name: KAFKA_INTER_BROKER_LISTENER_NAME
+ value: "INTERNPLAIN"
+
+ - name: KAFKA_LISTENER_NAME_INTERNSECURE_SASL_ENABLED_MECHANISMS
+ value: "OAUTHBEARER"
+ - name: KAFKA_LISTENER_NAME_EXTERNSECURE_SASL_ENABLED_MECHANISMS
+ value: "OAUTHBEARER"
+
+ - name: KAFKA_LISTENER_NAME_INTERNSECURE_OAUTHBEARER_SASL_JAAS_CONFIG
+ value: |-
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
+ oauth.jwks.endpoint.uri="http://keycloak.local/kc/realms/camel/protocol/openid-connect/certs"
+ oauth.token.endpoint.uri="http://keycloak.local/kc/realms/camel/protocol/openid-connect/token"
+ oauth.check.issuer=false
+ unsecuredLoginStringClaim_sub="unused";
+ - name: KAFKA_LISTENER_NAME_EXTERNSECURE_OAUTHBEARER_SASL_JAAS_CONFIG
+ value: |-
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
+ oauth.jwks.endpoint.uri="http://keycloak.local/kc/realms/camel/protocol/openid-connect/certs"
+ oauth.token.endpoint.uri="http://keycloak.local/kc/realms/camel/protocol/openid-connect/token"
+ oauth.check.issuer=false
+ unsecuredLoginStringClaim_sub="unused";
+
+ - name: KAFKA_LISTENER_NAME_INTERNSECURE_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS
+ value: "io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler"
+ - name: KAFKA_LISTENER_NAME_EXTERNSECURE_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS
+ value: "io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler"
+
+ - name: KAFKA_PRINCIPAL_BUILDER_CLASS
+ value: "io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder"
+
+ volumeMounts:
+ - name: kafka-logs
+ mountPath: /opt/kafka/logs
+ - name: kafka-scripts
+ mountPath: /opt/kafka/scripts
+ securityContext:
+ runAsUser: 1001 # The UID of the kafka user
+ runAsGroup: 0 # The GID of the root group (since kafka is in root group)
+ volumes:
+ - name: kafka-scripts-configmap
+ configMap:
+ name: kafka-scripts
+ - name: kafka-logs
+ emptyDir: {}
+ - name: kafka-scripts
+ emptyDir: {}
+
+# Kafka Internal Services
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kafka
+ labels:
+ app.kubernetes.io/name: kafka
+spec:
+ ports:
+ - name: ctrl
+ port: 9091
+ targetPort: 9091
+ - name: plain
+ port: 9092
+ targetPort: 9092
+ - name: secure
+ port: 9093
+ targetPort: 9093
+ selector:
+ app.kubernetes.io/name: kafka
+
+# Kafka External Services
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kafka-extern
+ labels:
+ app.kubernetes.io/name: kafka-extern
+spec:
+ type: NodePort
+ ports:
+ - port: 9094
+ targetPort: 9094
+ nodePort: {{ $.Values.kafkaNodePort }}
+ selector:
+ app.kubernetes.io/name: kafka
+---
+{{- end }}
diff --git a/components/camel-oauth/helm/templates/keycloak.yaml b/components/camel-oauth/helm/templates/keycloak.yaml
index 94ffd0c57c418..3dbcc32a6e7a3 100644
--- a/components/camel-oauth/helm/templates/keycloak.yaml
+++ b/components/camel-oauth/helm/templates/keycloak.yaml
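Review bot: `KAFKA_LISTENERS` binds EXTERNSECURE to port 9194 while the container exposes and the kafka-extern Service targets 9094, so the external listener is unreachable as written; it should read `EXTERNSECURE://:9094`. Both OAUTHBEARER JAAS configs fetch the JWKS and token endpoints over plain `http://keycloak.local/kc/...` and set `oauth.check.issuer=false`, so whoever can answer for that name or sit on the path can serve a JWKS of their choosing and have arbitrary tokens accepted by the broker. Point them at the TLS ingress (or, if plaintext inside the cluster is acceptable, at the `keycloak:8080` Service) and set `oauth.valid.issuer.uri` instead of disabling the check; the Keycloak IngressRoute in this change serves only `websecure`, so the http URLs may not be routed at all. The EXTERNSECURE listener is additionally mapped to SASL_PLAINTEXT, which sends bearer tokens in clear across the NodePort, and `busybox` and `latest-kafka-3.9.0` are mutable image tags that should be pinned.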
@@ -29,25 +29,9 @@ metadata: app.kubernetes.io/release: {{ $.Release.Name }} app.kubernetes.io/revision: '{{ $.Release.Revision }}' data: - demo-realm.json: |- + camel-realm.json: |- {{- $.Files.Get "etc/camel-realm.json" | nindent 4 }} -# Keycloak TLS Secret ---- -apiVersion: v1 -kind: Secret -metadata: - name: keycloak-tls - labels: - app.kubernetes.io/name: keycloak - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/release: {{ $.Release.Name }} - app.kubernetes.io/revision: '{{ $.Release.Revision }}' -type: kubernetes.io/tls -data: - tls.crt: {{ $.Files.Get "etc/keycloak.crt" | b64enc }} - tls.key: {{ $.Files.Get "etc/keycloak.key" | b64enc }} - # Keycloak Deployment --- apiVersion: apps/v1 @@ -77,10 +61,11 @@ spec: image: quay.io/keycloak/keycloak:{{ .version }} args: - "start-dev" - - "--https-port=8443" - - "--https-certificate-file=/etc/x509/https/tls.crt" - - "--https-certificate-key-file=/etc/x509/https/tls.key" - "--import-realm" + - "--http-enabled=true" + - "--http-relative-path=/kc" + - "--proxy-headers=xforwarded" + - "--proxy-protocol-enabled=false" env: - name: KC_BOOTSTRAP_ADMIN_USERNAME value: admin @@ -88,18 +73,11 @@ spec: value: admin ports: - containerPort: 8080 - - containerPort: 8443 volumeMounts: - - name: keycloak-tls - mountPath: /etc/x509/https - readOnly: true - name: keycloak-realm-config mountPath: /opt/keycloak/data/import readOnly: true volumes: - - name: keycloak-tls - secret: - secretName: keycloak-tls - name: keycloak-realm-config configMap: name: keycloak-realm-config 
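Review bot: `--proxy-headers=xforwarded` makes Keycloak trust X-Forwarded-For/Proto/Host from any client that reaches port 8080 directly, and the Service is reachable from every pod in the cluster (the Kafka JAAS config in this change addresses it over plain http), so an in-cluster client can present a forged `X-Forwarded-Proto: https` and have a plaintext connection treated as secure. If the deployed Keycloak version supports it, add `--proxy-trusted-addresses=<traefik pod address or CIDR>`; otherwise a NetworkPolicy admitting only Traefik to port 8080 gives the same guarantee. Removing the pod-level certificate also makes the Traefik-to-Keycloak hop plaintext, which is acceptable on a single-node dev cluster but deserves a one-line comment next to `--http-enabled=true` so nobody copies this into a multi-node setup unchanged.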
@@ -113,15 +91,48 @@ metadata: labels: app.kubernetes.io/name: keycloak spec: - type: NodePort ports: - name: http port: 8080 - nodePort: {{ .nodePortHttp }} - - name: https - port: 8443 - nodePort: {{ .nodePortHttps }} selector: app.kubernetes.io/name: keycloak + +# Keycloak Ingress Http +#--- +#apiVersion: traefik.io/v1alpha1 +#kind: IngressRoute +#metadata: +# name: keycloak-http +# labels: +# app.kubernetes.io/name: keycloak-http +#spec: +# entryPoints: +# - web +# routes: +# - match: PathPrefix(`/kc`) +# kind: Rule +# services: +# - name: keycloak +# port: 8080 + +# Keycloak Ingress Https +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: keycloak-https + labels: + app.kubernetes.io/name: keycloak-https +spec: + entryPoints: + - websecure + routes: + - match: PathPrefix(`/kc`) + kind: Rule + services: + - name: keycloak + port: 8080 + tls: + secretName: traefik-tls --- {{- end }} diff --git a/components/camel-oauth/helm/templates/traefik-secret.yaml b/components/camel-oauth/helm/templates/traefik-secret.yaml new file mode 100644 index 0000000000000..9763ed228ae70 --- /dev/null +++ b/components/camel-oauth/helm/templates/traefik-secret.yaml 
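Review bot: The `keycloak-https` route matches on PathPrefix alone, so the ingress serves Keycloak, including the admin console with the bootstrap `admin` account this deployment is started with, for any Host header presented on `websecure`, not only the `keycloak.local` name the certificate covers; tighten it to `match: Host("keycloak.local") && PathPrefix("/kc")`. With `start-dev` and a static bootstrap password nothing else protects `/kc/admin`, so consider a separate route for that prefix behind an `ipAllowList` middleware. The commented-out `web` route should probably be deleted rather than kept, since the whole point of the ingress is that the identity provider is never served over plain http.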
@@ -0,0 +1,37 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+{{- with .Values.deployments.traefik }}
+
+# Traefik TLS Secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: traefik-tls
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/release: {{ $.Release.Name }}
+ app.kubernetes.io/revision: '{{ $.Release.Revision }}'
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ $.Files.Get "etc/cluster.crt" | b64enc }}
+ tls.key: {{ $.Files.Get "etc/cluster.key" | b64enc }}
+
+---
+{{- end }}
diff --git a/components/camel-oauth/helm/templates/whoami.yaml b/components/camel-oauth/helm/templates/whoami.yaml
new file mode 100644
index 0000000000000..c4a49b0f14e8e
--- /dev/null
+++ b/components/camel-oauth/helm/templates/whoami.yaml
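Review bot: `$.Files.Get` returns an empty string when the file is absent, so a checkout without `etc/cluster.key` (which is where the private key should be, outside of git) renders a Secret with an empty `tls.key` and Traefik fails later with an opaque TLS error; guard both entries with `required`, e.g. `tls.crt: {{ required "etc/cluster.crt is missing" ($.Files.Get "etc/cluster.crt") | b64enc }}` and `tls.key: {{ required "etc/cluster.key is missing" ($.Files.Get "etc/cluster.key") | b64enc }}`. Reading the key through the chart's files also means it ends up in `helm get manifest` output and release history; letting users supply it with `--set-file` into a value would keep the chart directory free of key material.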
@@ -0,0 +1,93 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +{{- with .Values.deployments.whoami }} + +# Whoami Deployment +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: whoami + labels: + app.kubernetes.io/name: whoami +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: whoami + template: + metadata: + labels: + app.kubernetes.io/name: whoami + spec: + containers: + - name: whoami + image: traefik/whoami + ports: + - containerPort: 80 + +# Whoami Service +--- +apiVersion: v1 +kind: Service +metadata: + name: whoami +spec: + ports: + - name: web + port: 80 + targetPort: 80 + selector: + app.kubernetes.io/name: whoami + +# Whoami IngressRoute +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: whoami + labels: + app.kubernetes.io/name: whoami +spec: + entryPoints: + - web + - websecure + routes: + - match: PathPrefix(`/who`) + kind: Rule + services: + - name: whoami + port: 80 + middlewares: + - name: strip-prefix-who + tls: + secretName: traefik-tls + +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: strip-prefix-who + labels: + app.kubernetes.io/name: whoami +spec: + stripPrefix: + prefixes: + - /who +--- +{{- end }} 
diff --git a/components/camel-oauth/helm/values-kafka.yaml b/components/camel-oauth/helm/values-kafka.yaml new file mode 100644 index 0000000000000..eba9e046dfc3c --- /dev/null +++ b/components/camel-oauth/helm/values-kafka.yaml @@ -0,0 +1,23 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + + +kafkaNodePort: 30094 + +deployments: + kafka: + name: "kafka" diff --git a/components/camel-oauth/helm/values-traefik-secret.yaml b/components/camel-oauth/helm/values-traefik-secret.yaml new file mode 100644 index 0000000000000..456168bbbdadc --- /dev/null +++ b/components/camel-oauth/helm/values-traefik-secret.yaml 
@@ -0,0 +1,21 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +deployments: + + traefik: + name: "traefik-secret" diff --git a/components/camel-oauth/helm/values-whoami.yaml b/components/camel-oauth/helm/values-whoami.yaml new file mode 100644 index 0000000000000..ea21c35fbd4a9 --- /dev/null +++ b/components/camel-oauth/helm/values-whoami.yaml @@ -0,0 +1,22 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +deployments: + + whoami: + name: "whoami" +