From 779cb607d35afaf7dcc855bf3d0a5b1c74b896ac Mon Sep 17 00:00:00 2001 
From: Radim Kubis Date: Fri, 26 Jan 2024 23:15:39 +0100 Subject: [PATCH] backup of code --- certs/myTrustStore.jks | Bin 0 -> 1270 bytes certs/tls.crt | 41 + certs2/myTrustStore.jks | Bin 0 -> 1286 bytes certs2/tls.crt | 41 + kafka-oauth/manual.txt | 17 + kubefiles/apicurio/oauthkafka_registry.yaml | 63 + .../keycloak/keycloak_oauth_kafka-realm.yaml | 1855 ++++++++++ kubefiles/keycloak/keycloak_oauth_kafka.yaml | 26 + pom.xml | 4 +- run571.sh | 11 + run572.sh | 11 + run575.sh | 11 + run576.sh | 11 + run577.sh | 11 + run578.sh | 11 + run579.sh | 11 + run580.sh | 11 + run_oauth.sh | 11 + scripts/install.yaml | 4 +- .../framework/ApicurioRegistryUtils.java | 19 + .../systemtests/framework/Constants.java | 5 + .../systemtests/framework/DatabaseUtils.java | 12 + .../systemtests/framework/KafkaUtils.java | 8 + .../systemtests/framework/KeycloakUtils.java | 83 + .../systemtests/platform/Kubernetes.java | 12 + .../ApicurioRegistryResourceType.java | 146 + .../resources/DeploymentResourceType.java | 70 +- .../resources/KafkaResourceType.java | 98 + .../resources/RouteResourceType.java | 17 + .../systemtests/registryinfra/resources/x | 27 + .../systemtests/TestBaseOAuthKafka.java | 150 + .../apicurio/registry/systemtests/TestIt.java | 50 + .../oauthkafka/BundleOAuthKafkaTests.java | 25 + .../oauthkafka/OAuthKafkaTests.java | 15 + .../OLMClusterWideOAuthKafkaTests.java | 16 + .../OLMNamespacedOAuthKafkaTests.java | 16 + .../oauthkafka/OLMOAuthKafkaTests.java | 26 + src/test/resources/adminOverrideClaimData.csv | 25 +- src/test/resources/ar.yaml | 22 + src/test/resources/cert.pem | 21 + src/test/resources/cert2.pem | 19 + src/test/resources/deployment.yaml | 101 + src/test/resources/deployment2.yaml | 101 + .../resources/deployment_with_truststore.yaml | 124 + src/test/resources/final_registry.yaml | 125 + src/test/resources/fixed_deployment.yaml | 118 + src/test/resources/generated.yaml | 58 + src/test/resources/kafka-oauth-realm.json | 3068 +++++++++++++++++ 
src/test/resources/kafka.yaml | 60 + src/test/resources/kafka1.yaml | 67 + src/test/resources/keystore.jks | Bin 0 -> 2718 bytes src/test/resources/oauth-kafka.yaml | 25 + src/test/resources/pod.yaml | 166 + src/test/resources/registry-ga.yaml | 63 + src/test/resources/registry.yaml | 53 + src/test/resources/router-certs-default.yaml | 26 + src/test/resources/secret.yaml | 23 + src/test/resources/success_deployment.yaml | 115 + 58 files changed, 7302 insertions(+), 23 deletions(-) create mode 100644 certs/myTrustStore.jks create mode 100644 certs/tls.crt create mode 100644 certs2/myTrustStore.jks create mode 100644 certs2/tls.crt create mode 100644 kafka-oauth/manual.txt create mode 100644 kubefiles/apicurio/oauthkafka_registry.yaml create mode 100644 kubefiles/keycloak/keycloak_oauth_kafka-realm.yaml create mode 100644 kubefiles/keycloak/keycloak_oauth_kafka.yaml create mode 100755 run571.sh create mode 100755 run572.sh create mode 100755 run575.sh create mode 100755 run576.sh create mode 100755 run577.sh create mode 100755 run578.sh create mode 100755 run579.sh create mode 100755 run580.sh create mode 100755 run_oauth.sh create mode 100644 src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/x create mode 100644 src/test/java/io/apicurio/registry/systemtests/TestBaseOAuthKafka.java create mode 100644 src/test/java/io/apicurio/registry/systemtests/TestIt.java create mode 100644 src/test/java/io/apicurio/registry/systemtests/oauthkafka/BundleOAuthKafkaTests.java create mode 100644 src/test/java/io/apicurio/registry/systemtests/oauthkafka/OAuthKafkaTests.java create mode 100644 src/test/java/io/apicurio/registry/systemtests/oauthkafka/OLMClusterWideOAuthKafkaTests.java create mode 100644 src/test/java/io/apicurio/registry/systemtests/oauthkafka/OLMNamespacedOAuthKafkaTests.java create mode 100644 src/test/java/io/apicurio/registry/systemtests/oauthkafka/OLMOAuthKafkaTests.java create mode 100644 src/test/resources/ar.yaml create mode 100644 
src/test/resources/cert.pem create mode 100644 src/test/resources/cert2.pem create mode 100644 src/test/resources/deployment.yaml create mode 100644 src/test/resources/deployment2.yaml create mode 100644 src/test/resources/deployment_with_truststore.yaml create mode 100644 src/test/resources/final_registry.yaml create mode 100644 src/test/resources/fixed_deployment.yaml create mode 100644 src/test/resources/generated.yaml create mode 100644 src/test/resources/kafka-oauth-realm.json create mode 100644 src/test/resources/kafka.yaml create mode 100644 src/test/resources/kafka1.yaml create mode 100644 src/test/resources/keystore.jks create mode 100644 src/test/resources/oauth-kafka.yaml create mode 100644 src/test/resources/pod.yaml create mode 100644 src/test/resources/registry-ga.yaml create mode 100644 src/test/resources/registry.yaml create mode 100644 src/test/resources/router-certs-default.yaml create mode 100644 src/test/resources/secret.yaml create mode 100644 src/test/resources/success_deployment.yaml 
diff --git a/certs/myTrustStore.jks b/certs/myTrustStore.jks new file mode 100644 index 0000000000000000000000000000000000000000..16d63d0f2863898fa6552b552c4fd9dfea89c9ee GIT binary patch literal 1270 zcmV&LNQU+thDZTr0|Wso1Q6p6eE$pWgT~Jf`<~NrqIQ6S1MnC5w(dg!pz196oMag6Rjv)M zEdQa!J&R$==U=%*{aUBdDOgPK)A59pbR_Xr<67>rd@tp0?#9p}Tc3OiHaDnzl40)b z@hjQ-v|D`NITdxxo~V*tuFga}c}jN5*l1N*6%4)SGzo8&6v}eiN!b&tb4&_c*`=I| z;#QpMuwozIdp{Sk(>ewYi zoRVAEH(!RA+;c$T-dWq4!&9*Z=gyvQqS>yJsxt$_t_f<6{2}gtv&kfF$eN=k80L~K z%weV0pa8a-0wrz^(2{a(A##hp75U#N!xvZinDXswF^k_4^G>?07F-B&+xPm-KzZ@^ zVl5g1-kK0{*|~#uvr4B^tDcI!2i{^dzh8-Ua3r(@Mt_vZ1(%2wKc4ymphO^sT z1lIo;2ua1zKk>+tp+ISppV3kqu_ytY+TH1G<;Uz2O8irzUN!>#Ndm>cnv<68j~;O( z<23tTF}6W(4r4!l?_784+j4~`B3<&Sf#;g-*4o{YwM7Jg2ov#`^vS~rUaiomudPtN z?y~EI0HkJDeKidyre_D0Qf{$d3euZ=arI>^Lgze?n7yDoSh|1{$;<&77}@Y_+$bn^ zYDfABE&^i3iU))MU#@NL&j>17W1E~hS%4`;CId~25?oeje}R}82_8y5=8VQ#3C{XG zHxG+9H2px}D{HJ149A4ICiMso!fv=e9D>}`3;1=Z#55zH<$)egQS>%+&CeQ|nd0RyaNE*a7>{|?Vy3b^YK0SqmK^qRt+NVPk~VVWz(x< zhUDlt6qxZ~d~jw$u;mh@A~$ibtJeWjBijE-TIpa~%X}MAFopKySy%9L9{gw;X7~I- zN)j+lFflL<1_@w>NC9O71OfpC00bcJN?b7ATZYeM?we~*uqHF30G3Ur))vSG_AN9j g3K7i&6x%sM=J*+DQoYqVdQyx=_>j?r(*gn~5TX807ytkO literal 0 HcmV?d00001 diff --git a/certs/tls.crt b/certs/tls.crt new file mode 100644 index 000000000..f317e5cd8 --- /dev/null +++ b/certs/tls.crt 
@@ -0,0 +1,41 @@ +-----BEGIN CERTIFICATE----- +MIIDizCCAnOgAwIBAgIIbCgyQe4A1wcwDQYJKoZIhvcNAQELBQAwJjEkMCIGA1UE +AwwbaW5ncmVzcy1vcGVyYXRvckAxNzAxMTY0MjAzMB4XDTIzMTEyODA5MzY0MloX +DTI1MTEyNzA5MzY0M1owNTEzMDEGA1UEAwwqKi5hcHBzLnJrdWI0MTQuYXBpY3Vy +aW8uaW50ZWdyYXRpb24tcWUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA34xMtBnzenONKu3wiyETT3Q9n2ecKaPn4phSvNtspJB36hdWnBGhJ5ML +4jUYqew1NcWTDL0sUAcsrFb0LugFwImZdxTgTgn91c16cFh4KSKMQ6E+1EKRHymB +Xb2PYp0jtgao/KKvBH+GaZbG51gHvWxKHv/mQzsXLFW5WN6GMJY0z5LdHbi31Pm7 +npBepdOedM/EyW57tZVX+8ONtPm2tIuc/zw8iSp0F9Le1dHDl/qyCotympP1j7O4 +JArDVztDhuFUP+R41lX5xgpc98oXygak5VvWst4Wc1V04k5YRmbeZe3/F7OHQnwP +Yvxdhagnoda5bIhSYpIfwv5OxkarIwIDAQABo4GtMIGqMA4GA1UdDwEB/wQEAwIF +oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBS3 +WSHWWFFI5K1tDEtdQ3UjlslUBTAfBgNVHSMEGDAWgBRinspIUYrHpXOuYpZgkUpN +ThiZajA1BgNVHREELjAsgioqLmFwcHMucmt1YjQxNC5hcGljdXJpby5pbnRlZ3Jh +dGlvbi1xZS5jb20wDQYJKoZIhvcNAQELBQADggEBADSTGmYyffVvLqGxoNbxNEG8 +wmCK+82AgsYO5kuOhLHDVyRlVOzRzTHnCeRQ3pg6rz9FNWFNFl30TgLWD60OYJ9U +v84PkuqcXVPvK689/1qp3JFLfh0bQACZfxkYdiOte/BgYanFz1EvG4flP/qA8+aE +wNvhCHPX2jOi+ufqINMwETSAg51Il7GK3NA1ucK3xUwDWSDOIPA/MO4sSmyCqvCy +kOYC53nxEiJrxLRCOw6pUzcTEGN7kA+u7wbjcJL+CWy009G1D5+p34Qx+V8MYWl4 +IJxY6p5dxBjEyOLlpbngel+mj0VOjEUuC5BrPQZGBti+tMznsKvPEM9fwHpFan4= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDDDCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtpbmdy +ZXNzLW9wZXJhdG9yQDE3MDExNjQyMDMwHhcNMjMxMTI4MDkzNjQyWhcNMjUxMTI3 +MDkzNjQzWjAmMSQwIgYDVQQDDBtpbmdyZXNzLW9wZXJhdG9yQDE3MDExNjQyMDMw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpw8/3KqebP9wVJU4gT4rI +aOHfZ4B6kNNEwky+UWHWOIFkgcuhKS+NKdNLCDg2jy/Nga/wWqCUXJ660HaoYcyy +o2UtA+qBeXWePh+nay+cvUu9iw+jDMdoxg4auJBuMMMDZNUFZ75ujSZa9oKBKmfp +I8Kpch5Tse5TsQIrf3dJTcTr2je7sH7pz+GeCMGavo3oycfdduvqG8dQ5oHDLOKc +ojmQstld5UcXw9ZmGLskfYi+b6npYDhEDY/VMKRmSIqKtkMWlN6aaHL7znFPP475 +h/8nmssU9ZAIpZkyri5q3ZXS3yKBEhnImpFwAxVkX/7rs4bffCjwq8MSt7pV6/ul 
+AgMBAAGjRTBDMA4GA1UdDwEB/wQEAwICpDASBgNVHRMBAf8ECDAGAQH/AgEAMB0G +A1UdDgQWBBRinspIUYrHpXOuYpZgkUpNThiZajANBgkqhkiG9w0BAQsFAAOCAQEA +xNG8Gtc1ob/85ZooP2wzEdTpDA0ScjmncfdOmZLTz7ZvJ25ufdpgVmwZ9D3/561G +qR3TjiaJTCgQyr6fMxR7Um75NV7IuQDfu4LlRSpliZ05g9USCu3porNpU/q9NfGz +NJ7mMEqox20UYgDv6zS3QvcVAcoN1XHyp8QXnI0CzFuzb1GzVTdpkd1ii/Pzrfbx +jWk3tqonsTf9Q4C99fL0zcj9FTrCS/vK4rdNN7HdEpg3KD8V1ujPtPIYSJEJNEmK +cbDCYjQJsuyv5qWv2n3Ud4vpVJHMoLU2ftQHYGQgKhRbVUmqSIBYco4GlupeTsd2 +wCAgzum89JOPfnyGmIsJSQ== +-----END CERTIFICATE----- + diff --git a/certs2/myTrustStore.jks b/certs2/myTrustStore.jks new file mode 100644 index 0000000000000000000000000000000000000000..f8b6ab965fba9865586c9976cba33932389d5d54 GIT binary patch literal 1286 zcmV+h1^N0gf&~Hs0Ru3C1gr)LDuzgg_YDCD0ic2eodkjenJ|I`l`w(?kp>AWhDe6@ z4FLxRpn?Q~FoFbr0s#Opf&_O42`Yw2hW8Bt2LUi<1_>&LNQU+thDZTr0|Wso1Q0c5Zirbc?MUY!hwQ|X;K_i31OP7!=J;p>E>r!H*oC-H#d)TQ zk$B@?Tdh7B+PxwIcv=V878aA{Qwl8>T1QSm)Rh5lgH4q^2VYQoX)(L8ct(6wJ9bO^n=ztr9{|7OXo!5~Z&f1#xhZBw1bx2K2ImPz^0^ z8xLHnTu`X=^;fYh1KM*=V0RSDVu<94NCj8WV?pdKQGZxH`e5{gdT1qamR1^tncMzDB2J=Sx z&ErDKX7Bjr-2dtofauh>KP{YH8So1w;~SAnGsI!KLb!&Q?xhw@ZZp&sz?do(q&z|> zO$Fa(h}L-QJx^CIqt-i|o0#85 z&yfYvmlmd;z3(8;7|#XcxU@5}@WFW6__>(J%~Bf) zlj|e4kV$+*mBayoFEa8kIBRfVlnQ2$WqH5js z{80v?2jG{Dz?%UL(2tWvqz*7mFflL<1_@w>NC9O71OfpC00bZ%SqR?)D4)L;ixE)@ w39#yCVab>}u{VC#hihd|K)yc&6b3{y86I@>NcVPsTxrrCJUCaLAp!y?5E4^EH2?qr literal 0 HcmV?d00001 diff --git a/certs2/tls.crt b/certs2/tls.crt new file mode 100644 index 000000000..fa66b5449 --- /dev/null +++ b/certs2/tls.crt 
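Review bot: This fixture is undocumented: the chain appears to be one cluster's wildcard ingress certificate (the SAN decodes to the same `apps.rkub414.apicurio.integration-qe.com` domain the registry manifest in this commit hard-codes) issued by that cluster's self-signed `ingress-operator@…` CA, with a two-year validity, so it is only useful against that environment and will silently stop validating once it expires. The `certs/myTrustStore.jks` added next to it is binary and cannot be reviewed, so a reader has no way to tell what it contains or how it relates to this PEM. A short README next to the files, or a header comment in this one, should state where the chain was taken from (the `router-certs-default` Secret the manual describes), when it expires, and the `keytool` command used to build the JKS so it can be regenerated; better still, build the truststore at test time from the cluster's Secret instead of committing a snapshot. The same applies to the `certs2/` pair.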
@@ -0,0 +1,41 @@ +-----BEGIN CERTIFICATE----- +MIIDjTCCAnWgAwIBAgIIKtJpS/SQwK4wDQYJKoZIhvcNAQELBQAwJjEkMCIGA1UE +AwwbaW5ncmVzcy1vcGVyYXRvckAxNzAyNjMwODYyMB4XDTIzMTIxNTA5MDEwM1oX +DTI1MTIxNDA5MDEwNFowNjE0MDIGA1UEAwwrKi5hcHBzLnJhZGltNDE0LmFwaWN1 +cmlvLmludGVncmF0aW9uLXFlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAK1A+aimtRTmG0RzzSHzKxV0mEI6wyniPf8VpjmZQXMcMbCRDKCThSyh +ul3X7112UNUq4jkn3tq5tj+1t91xs7BvimHMdwttsZ7cq/LQlSoywSBISTV2PNCS +zs+MYQsIA3ZXcL5Y6hdjTc3qF81G4AJjFs2Ams7DORYSslE7IncwEmxNKmNuhQC9 +DtMSkkJRZJDXsrVGWJwnYu6NVT72fNWFcJBvIlHWN4zOLp3a2QO4U7qj/UG7xkkq +6RFCEerUzs5xJB7EiLcqW+krvoFeB0ovdAdUpi0YPeeNfzQYG1Xhbr/2WtL3zUkl +rFvMs2TQtk2xcdJgDT8tGY57BVNiPGECAwEAAaOBrjCBqzAOBgNVHQ8BAf8EBAMC +BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU +avmRss5JxGheVIkcyQ1yCRhpzBMwHwYDVR0jBBgwFoAUXR4y/3XKqeempblbMNNb +8w9OvGIwNgYDVR0RBC8wLYIrKi5hcHBzLnJhZGltNDE0LmFwaWN1cmlvLmludGVn +cmF0aW9uLXFlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAbx1VRD2HvhGHIFLm8oIN +b7QO/CzvOOYWaiJevQzK6RzoYfHZTCb3tmy/+VY5ldLdMmqYzWORvV48mZCQT0TA +59wZvGMLaWIMIFYb5oPXB9SLRsF8um3j01KlkE5bLQx7cUnNfdN0DUIxe3Ka8n4U +n8CpmHhdIDyYVHNFd3QCXfRlFA8fBWrS5yGpzsktcVzMhSstYKLUACf88OljnGDL +uMeeux/a+rhHQduKwpKIv6Md8WVNL2FS3fDQJCOss8bTIDEiQpsbTm9LjkSTQE4L +HmoWoSZCymog2MOMJlJtUMxRB2wq0SDaOLOIaDbwgl7VonaktYlbYJlivkQW9Vkl +9w== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDDDCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtpbmdy +ZXNzLW9wZXJhdG9yQDE3MDI2MzA4NjIwHhcNMjMxMjE1MDkwMTAyWhcNMjUxMjE0 +MDkwMTAzWjAmMSQwIgYDVQQDDBtpbmdyZXNzLW9wZXJhdG9yQDE3MDI2MzA4NjIw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDebrAxUSCwIjdZSztgIlay +CbyyiqmNjNdGff5Apj4Qxb0SZ/JAEvJDt2KfOI8stbgit4wqg0d6Avaznh4nHZT7 +BInZZk6lWwSghcrP9vSUnz7gLvShDiY9NAVnxCfHQJryd8HB/VyBDUOhLHtHwhJE +o+FLUQfWlsvzNoMu894WFTPf3K6IXinnxn0S7DsHgb3j8npkQNN/TZnW24Q6OQUS +4ofTC7b/2Ukn1D+dfhJ9G9vEZhb69yqnS7RcuHv9jpWim8UMTECO5MZCFtk1uyFn +7959PIvPyEXh8XNI1sDfyoqj7dVCPGbCuD2/S2OqAURLsZr2vo0wLrx2yE6FAQCV 
+AgMBAAGjRTBDMA4GA1UdDwEB/wQEAwICpDASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
+A1UdDgQWBBRdHjL/dcqp56aluVsw01vzD068YjANBgkqhkiG9w0BAQsFAAOCAQEA
+FJ5NoeFYcj6FIavNjnG82ywxJUxqtvM/D1IAm99DLCAFpqbN404WxBBxMZPbAxhJ
+NHH1DA+p/r9SC+OzXGO2856szM03i0g4Gp9nk9tRrrD6MPW2zVqIWVxZJse+97SI
+FEQz3LTVdWCjkIwF+Kc1zGCOcdQcuKZoRrwn2rt+EtTZhrY4LXMOK6+ALUno4wx9
+xopUOLJUs2wzEkFJoDjQxLb+UTfB9djZXexXI6pgi81JHUGqRDwTc5Dd6aMr9eoX
+UDoBvXgsfItTHHntpIoqg7JAKnPnp/MV03ktvFdoVVKcCpZiK7cU04i7NsGIAzZ1
+AUQoL1cht//FcVQ89tfqog==
+-----END CERTIFICATE-----
diff --git a/kafka-oauth/manual.txt b/kafka-oauth/manual.txt
new file mode 100644
index 000000000..9e7d0961c
--- /dev/null
+++ b/kafka-oauth/manual.txt
@@ -0,0 +1,17 @@
+How to deploy testing environment
+---------------------------------
+1. Create test namespace
+2. Install operators
+- AMQ Streams
+- Keycloak 23+ (in namespace)
+- Service Registry
+3. Copy secret 'router-certs-default' from 'openshift-ingress' namespace into test namespace
+4. Create Keycloak resources
+- PVC
+- StatefulSet
+- Service
+- Keycloak
+5. Import Keycloak realm
+6. Create Kafka
+7. Create Secret with truststore
+8. Create Registry
\ No newline at end of file
diff --git a/kubefiles/apicurio/oauthkafka_registry.yaml b/kubefiles/apicurio/oauthkafka_registry.yaml
new file mode 100644
index 000000000..5d4742eee
--- /dev/null
+++ b/kubefiles/apicurio/oauthkafka_registry.yaml
@@ -0,0 +1,63 @@ +apiVersion: registry.apicur.io/v1 +kind: ApicurioRegistry +metadata: + name: console-apicurioregistry-ga +spec: + configuration: + env: + - name: JAVA_TOOL_OPTIONS + value: >- + -Djavax.net.ssl.trustStore=/mytruststore/myTrustStore + -Djavax.net.ssl.trustStorePassword=password + - name: QUARKUS_LOG_LEVEL + value: INFO + - name: ENABLE_KAFKA_SASL + value: 'true' + - name: CLIENT_ID + valueFrom: + secretKeyRef: + name: console-ui-secrets + key: REGISTRY_CLIENT_ID + - name: CLIENT_SECRET + valueFrom: + secretKeyRef: + name: console-ui-secrets + key: REGISTRY_CLIENT_SECRET + - name: KAFKA_SECURITY_PROTOCOL + value: SASL_SSL + - name: KAFKA_SSL_TRUSTSTORE_TYPE + value: PKCS12 + - name: KAFKA_SSL_TRUSTSTORE_LOCATION + value: /tmp/cluster-ca-cert/ca.p12 + - name: KAFKA_SSL_TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: kafka1-cluster-ca-cert + key: ca.password + - name: OAUTH_TOKEN_ENDPOINT_URI + value: >- + https://console-keycloak.apps.rkub414.apicurio.integration-qe.com/realms/demo/protocol/openid-connect/token + kafkasql: + bootstrapServers: >- + kafka1-kafka-oauth-bootstrap-kafka-oauth.apps.rkub414.apicurio.integration-qe.com:443 + persistence: kafkasql + deployment: + host: >- + console-apicurioregistry-ga.kafka-oauth.apps.rkub414.apicurio.integration-qe.com + podTemplateSpecPreview: + spec: + containers: + - name: registry + volumeMounts: + - mountPath: /tmp/cluster-ca-cert + name: cluster-ca-cert + - name: mytruststore + mountPath: /mytruststore + volumes: + - name: cluster-ca-cert + secret: + secretName: kafka1-cluster-ca-cert + - name: mytruststore + secret: + secretName: mytruststore-secret + defaultMode: 420 \ No newline at end of file diff --git a/kubefiles/keycloak/keycloak_oauth_kafka-realm.yaml b/kubefiles/keycloak/keycloak_oauth_kafka-realm.yaml new file mode 100644 index 000000000..5c9ca1e05 --- /dev/null +++ b/kubefiles/keycloak/keycloak_oauth_kafka-realm.yaml 
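Review bot: The truststore password is written in plain text inside `JAVA_TOOL_OPTIONS` (`-Djavax.net.ssl.trustStorePassword=password`), while `KAFKA_SSL_TRUSTSTORE_PASSWORD` a few entries below is read through a `secretKeyRef`; a truststore normally holds only CA certificates so the exposure is limited, but the JVM echoes `JAVA_TOOL_OPTIONS` to stderr at startup, so the value also ends up in pod logs. It can be sourced the same way as the Kafka password by defining an env entry from the Secret first and expanding it with `$(…)` (Kubernetes expands earlier env vars in `value`; I assume the operator passes the list through in order, which is worth confirming). The `host`, `bootstrapServers` and `OAUTH_TOKEN_ENDPOINT_URI` values also hard-code one cluster's ingress domain, so the manifest cannot be applied elsewhere without editing; a leading comment naming which fields must be substituted would help. Minor: `ENABLE_KAFKA_SASL` is quoted `'true'` while the other string values are not — quoting env values consistently avoids a boolean being produced if the file is ever round-tripped by a YAML tool.
```yaml
      env:
        - name: TRUSTSTORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mytruststore-secret
              key: password   # constructed: use the key under which the Secret stores the password
        - name: JAVA_TOOL_OPTIONS
          value: >-
            -Djavax.net.ssl.trustStore=/mytruststore/myTrustStore
            -Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)
        # … unchanged: remaining env entries …
```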
@@ -0,0 +1,1855 @@ +apiVersion: k8s.keycloak.org/v2alpha1 +kind: KeycloakRealmImport +metadata: + name: keycloak-sso-realm +spec: + keycloakCRName: registry-sso + realm: + id: demo + realm: demo + displayName: demo + notBefore: 0 + defaultSignatureAlgorithm: RS256 + revokeRefreshToken: false + refreshTokenMaxReuse: 0 + accessTokenLifespan: 300 + accessTokenLifespanForImplicitFlow: 900 + ssoSessionIdleTimeout: 1800 + ssoSessionMaxLifespan: 36000 + ssoSessionIdleTimeoutRememberMe: 0 + ssoSessionMaxLifespanRememberMe: 0 + offlineSessionIdleTimeout: 2592000 + offlineSessionMaxLifespanEnabled: false + offlineSessionMaxLifespan: 5184000 + clientSessionIdleTimeout: 0 + clientSessionMaxLifespan: 0 + clientOfflineSessionIdleTimeout: 0 + clientOfflineSessionMaxLifespan: 0 + accessCodeLifespan: 60 + accessCodeLifespanUserAction: 300 + accessCodeLifespanLogin: 1800 + actionTokenGeneratedByAdminLifespan: 43200 + actionTokenGeneratedByUserLifespan: 300 + oauth2DeviceCodeLifespan: 600 + oauth2DevicePollingInterval: 5 + enabled: true + sslRequired: external + registrationAllowed: false + registrationEmailAsUsername: false + rememberMe: false + verifyEmail: false + loginWithEmailAllowed: true + duplicateEmailsAllowed: false + resetPasswordAllowed: false + editUsernameAllowed: false + bruteForceProtected: false + permanentLockout: false + maxFailureWaitSeconds: 900 + minimumQuickLoginWaitSeconds: 60 + waitIncrementSeconds: 60 + quickLoginCheckMilliSeconds: 1000 + maxDeltaTimeSeconds: 43200 + failureFactor: 30 + roles: + realm: + - id: 702d71f9-b2f5-456a-84d5-0b11c5663b12 + name: uma_authorization + description: ${role_uma_authorization} + composite: false + clientRole: false + containerId: demo + attributes: {} + - id: c2b7bbe1-988b-44dc-81cc-d83b749fe895 + name: offline_access + description: ${role_offline-access} + composite: false + clientRole: false + containerId: demo + attributes: {} + - id: c28cb655-f972-4e88-a138-c2c85319d7fe + name: default-roles-demo + description: 
${role_default-roles} + composite: true + composites: + realm: + - offline_access + - uma_authorization + client: + account: + - manage-account + - view-profile + clientRole: false + containerId: demo + attributes: {} + client: + console-ui: [] + realm-management: + - id: ac469256-066b-4171-b1ad-f940479958d2 + name: manage-realm + description: ${role_manage-realm} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: f5c93fce-b7b3-4176-9619-d901f00cfa0d + name: manage-users + description: ${role_manage-users} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: a1311f32-b570-4417-b828-67dc0fc5b8dc + name: query-groups + description: ${role_query-groups} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: dd5e5f4d-66e9-423a-a47d-bbe6b61f7695 + name: manage-authorization + description: ${role_manage-authorization} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: d49305a4-c0d6-4e03-a80a-915fe020c4fa + name: query-users + description: ${role_query-users} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: a1089b0a-6536-4269-ba24-f71c92c0ed1f + name: create-client + description: ${role_create-client} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: 95cd417a-195f-42e7-b0d1-1244cc5022ac + name: manage-events + description: ${role_manage-events} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: 22267975-9be3-457c-a88a-e7c8e24b973b + name: query-clients + description: ${role_query-clients} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: 
f89439e8-d471-4c45-8625-12a62706d3d6 + name: view-realm + description: ${role_view-realm} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: ba2bb4fc-5aae-4c14-8e69-88aef402eefc + name: manage-clients + description: ${role_manage-clients} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: 61d4e2e5-3d76-4766-b260-ee3ad198fe4a + name: view-authorization + description: ${role_view-authorization} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: d9312847-4fe2-4fc3-9e5e-043200d87e8a + name: manage-identity-providers + description: ${role_manage-identity-providers} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: e1b2b864-1f7f-4a7f-acd7-2a2670f74209 + name: view-users + description: ${role_view-users} + composite: true + composites: + client: + realm-management: + - query-groups + - query-users + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: a80aa9ca-24dd-4c52-819b-715f148dea70 + name: realm-admin + description: ${role_realm-admin} + composite: true + composites: + client: + realm-management: + - manage-realm + - manage-users + - query-groups + - manage-authorization + - query-users + - create-client + - manage-events + - view-realm + - query-clients + - view-authorization + - manage-clients + - view-users + - manage-identity-providers + - view-clients + - query-realms + - view-events + - view-identity-providers + - impersonation + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: e4843b5a-8e42-4388-817c-0a2c35ee6646 + name: query-realms + description: ${role_query-realms} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: b236b6b7-6d97-4652-abd1-b9f27ed6b603 + 
name: view-clients + description: ${role_view-clients} + composite: true + composites: + client: + realm-management: + - query-clients + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: e34ca4f3-a393-477d-9044-096cda2afe22 + name: view-events + description: ${role_view-events} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: 5912960a-a83d-4499-b9fc-fdb76ab9c386 + name: view-identity-providers + description: ${role_view-identity-providers} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + - id: f53156dc-890f-4d4b-8fc3-aab1a90236a7 + name: impersonation + description: ${role_impersonation} + composite: false + clientRole: true + containerId: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + attributes: {} + registry-service: [] + security-admin-console: [] + kafka: [] + admin-cli: [] + account-console: [] + broker: + - id: 0fafdb5e-31f6-46ba-a640-10eeb5800ba4 + name: read-token + description: ${role_read-token} + composite: false + clientRole: true + containerId: acbfaabf-9ab8-4e9f-b4d6-fc049de4b651 + attributes: {} + account: + - id: aebd948a-3ea4-4015-98c9-bfb4689c19e7 + name: view-applications + description: ${role_view-applications} + composite: false + clientRole: true + containerId: 752f6101-92ba-4b02-a766-153484270279 + attributes: {} + - id: 56abdf4b-12c6-448f-893e-ccb1a7142f74 + name: view-consent + description: ${role_view-consent} + composite: false + clientRole: true + containerId: 752f6101-92ba-4b02-a766-153484270279 + attributes: {} + - id: ba0dfdb3-b29f-4809-a6a0-30bc21457297 + name: delete-account + description: ${role_delete-account} + composite: false + clientRole: true + containerId: 752f6101-92ba-4b02-a766-153484270279 + attributes: {} + - id: ce879a32-0924-4026-884f-1eaade0fa621 + name: manage-account + description: ${role_manage-account} + composite: true + composites: + client: + account: 
+ - manage-account-links + clientRole: true + containerId: 752f6101-92ba-4b02-a766-153484270279 + attributes: {} + - id: fe3f7075-bb43-474c-989e-abe507123119 + name: view-groups + description: ${role_view-groups} + composite: false + clientRole: true + containerId: 752f6101-92ba-4b02-a766-153484270279 + attributes: {} + - id: 43c2e3ab-148e-4dfd-abd9-cb0f2e943b7c + name: manage-consent + description: ${role_manage-consent} + composite: true + composites: + client: + account: + - view-consent + clientRole: true + containerId: 752f6101-92ba-4b02-a766-153484270279 + attributes: {} + - id: f8783309-ffab-49b1-9809-a71d3c4e0f41 + name: view-profile + description: ${role_view-profile} + composite: false + clientRole: true + containerId: 752f6101-92ba-4b02-a766-153484270279 + attributes: {} + - id: 7aa44244-8f7d-452f-9843-215f37b35120 + name: manage-account-links + description: ${role_manage-account-links} + composite: false + clientRole: true + containerId: 752f6101-92ba-4b02-a766-153484270279 + attributes: {} + groups: [] + defaultRole: + id: c28cb655-f972-4e88-a138-c2c85319d7fe + name: default-roles-demo + description: ${role_default-roles} + composite: true + clientRole: false + containerId: demo + requiredCredentials: + - password + otpPolicyType: totp + otpPolicyAlgorithm: HmacSHA1 + otpPolicyInitialCounter: 0 + otpPolicyDigits: 6 + otpPolicyLookAheadWindow: 1 + otpPolicyPeriod: 30 + otpPolicyCodeReusable: false + otpSupportedApplications: + - totpAppGoogleName + - totpAppMicrosoftAuthenticatorName + - totpAppFreeOTPName + webAuthnPolicyRpEntityName: keycloak + webAuthnPolicySignatureAlgorithms: + - ES256 + webAuthnPolicyRpId: "" + webAuthnPolicyAttestationConveyancePreference: not specified + webAuthnPolicyAuthenticatorAttachment: not specified + webAuthnPolicyRequireResidentKey: not specified + webAuthnPolicyUserVerificationRequirement: not specified + webAuthnPolicyCreateTimeout: 0 + webAuthnPolicyAvoidSameAuthenticatorRegister: false + 
webAuthnPolicyAcceptableAaguids: [] + webAuthnPolicyPasswordlessRpEntityName: keycloak + webAuthnPolicyPasswordlessSignatureAlgorithms: + - ES256 + webAuthnPolicyPasswordlessRpId: "" + webAuthnPolicyPasswordlessAttestationConveyancePreference: not specified + webAuthnPolicyPasswordlessAuthenticatorAttachment: not specified + webAuthnPolicyPasswordlessRequireResidentKey: not specified + webAuthnPolicyPasswordlessUserVerificationRequirement: not specified + webAuthnPolicyPasswordlessCreateTimeout: 0 + webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister: false + webAuthnPolicyPasswordlessAcceptableAaguids: [] + users: + - id: bf6a5fd6-1388-4d75-ba5e-2c7a3c474f5b + createdTimestamp: 1694718530087 + username: service-account-kafka + enabled: true + totp: false + emailVerified: false + serviceAccountClientId: kafka + disableableCredentialTypes: [] + requiredActions: [] + realmRoles: + - default-roles-demo + notBefore: 0 + groups: [] + - id: 9f29811f-5ff6-4294-b212-6d6d62792542 + createdTimestamp: 1695649143340 + username: service-account-registry-service + enabled: true + totp: false + emailVerified: false + serviceAccountClientId: registry-service + disableableCredentialTypes: [] + requiredActions: [] + realmRoles: + - default-roles-demo + notBefore: 0 + groups: [] + scopeMappings: + - clientScope: offline_access + roles: + - offline_access + clientScopeMappings: + account: + - client: account-console + roles: + - manage-account + - view-groups + clients: + - id: 752f6101-92ba-4b02-a766-153484270279 + clientId: account + name: ${client_account} + rootUrl: ${authBaseUrl} + baseUrl: /realms/demo/account/ + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + redirectUris: + - /realms/demo/account/* + webOrigins: [] + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: false + serviceAccountsEnabled: false + 
publicClient: true + frontchannelLogout: false + protocol: openid-connect + attributes: + post.logout.redirect.uris: + + authenticationFlowBindingOverrides: {} + fullScopeAllowed: false + nodeReRegistrationTimeout: 0 + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt + - id: 863b5336-86f4-4449-870c-21153ba8f9ab + clientId: account-console + name: ${client_account-console} + rootUrl: ${authBaseUrl} + baseUrl: /realms/demo/account/ + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + redirectUris: + - /realms/demo/account/* + webOrigins: [] + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: false + serviceAccountsEnabled: false + publicClient: true + frontchannelLogout: false + protocol: openid-connect + attributes: + post.logout.redirect.uris: + + pkce.code.challenge.method: S256 + authenticationFlowBindingOverrides: {} + fullScopeAllowed: false + nodeReRegistrationTimeout: 0 + protocolMappers: + - id: c1570269-fb57-4a74-95a3-69cce4d902f0 + name: audience resolve + protocol: openid-connect + protocolMapper: oidc-audience-resolve-mapper + consentRequired: false + config: {} + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt + - id: ed90a83c-6591-4da2-9cf1-d887133c32fb + clientId: admin-cli + name: ${client_admin-cli} + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + redirectUris: [] + webOrigins: [] + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: false + implicitFlowEnabled: false + directAccessGrantsEnabled: true + serviceAccountsEnabled: false + publicClient: true + 
frontchannelLogout: false + protocol: openid-connect + attributes: {} + authenticationFlowBindingOverrides: {} + fullScopeAllowed: false + nodeReRegistrationTimeout: 0 + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt + - id: acbfaabf-9ab8-4e9f-b4d6-fc049de4b651 + clientId: broker + name: ${client_broker} + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + redirectUris: [] + webOrigins: [] + notBefore: 0 + bearerOnly: true + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: false + serviceAccountsEnabled: false + publicClient: false + frontchannelLogout: false + protocol: openid-connect + attributes: {} + authenticationFlowBindingOverrides: {} + fullScopeAllowed: false + nodeReRegistrationTimeout: 0 + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt + - id: bb0163c9-19c5-49f1-904a-697cd4139c29 + clientId: console-ui + name: console-ui + description: "" + rootUrl: "" + adminUrl: "" + baseUrl: "" + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + secret: '**********' + redirectUris: + - http://localhost:3000/* + - /* + webOrigins: + - '*' + - /* + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: true + serviceAccountsEnabled: false + publicClient: false + frontchannelLogout: true + protocol: openid-connect + attributes: + oidc.ciba.grant.enabled: "false" + client.secret.creation.time: "1695657470" + backchannel.logout.session.required: "true" + display.on.consent.screen: "false" + oauth2.device.authorization.grant.enabled: "false" + 
backchannel.logout.revoke.offline.tokens: "false" + authenticationFlowBindingOverrides: {} + fullScopeAllowed: true + nodeReRegistrationTimeout: -1 + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt + - id: fef65052-9be3-4abb-8e4d-f79bd8e0bd7e + clientId: kafka + name: kafka + description: 'console-api: kafka client' + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + secret: '**********' + redirectUris: [] + webOrigins: [] + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: false + serviceAccountsEnabled: true + publicClient: false + frontchannelLogout: false + protocol: openid-connect + attributes: + post.logout.redirect.uris: + + authenticationFlowBindingOverrides: {} + fullScopeAllowed: true + nodeReRegistrationTimeout: -1 + protocolMappers: + - id: 8997d6e1-1065-48c7-85dc-46df805db09b + name: Client IP Address + protocol: openid-connect + protocolMapper: oidc-usersessionmodel-note-mapper + consentRequired: false + config: + user.session.note: clientAddress + id.token.claim: "true" + access.token.claim: "true" + claim.name: clientAddress + jsonType.label: String + - id: c89322bc-60ee-4172-ae06-a602e1c2aa56 + name: Client Host + protocol: openid-connect + protocolMapper: oidc-usersessionmodel-note-mapper + consentRequired: false + config: + user.session.note: clientHost + id.token.claim: "true" + access.token.claim: "true" + claim.name: clientHost + jsonType.label: String + - id: b313f56a-d878-4d1c-acc9-779710c22ed4 + name: Client ID + protocol: openid-connect + protocolMapper: oidc-usersessionmodel-note-mapper + consentRequired: false + config: + user.session.note: client_id + id.token.claim: "true" + access.token.claim: "true" + claim.name: client_id + jsonType.label: String + 
defaultClientScopes: + - web-origins + - acr + - profile + - roles + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt + - id: 9c8a3ddb-2a06-4348-9594-72b21d4fa61d + clientId: realm-management + name: ${client_realm-management} + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + redirectUris: [] + webOrigins: [] + notBefore: 0 + bearerOnly: true + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: false + serviceAccountsEnabled: false + publicClient: false + frontchannelLogout: false + protocol: openid-connect + attributes: {} + authenticationFlowBindingOverrides: {} + fullScopeAllowed: false + nodeReRegistrationTimeout: 0 + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt + - id: 0fabadf6-2289-4288-b025-fbdee2c77aac + clientId: registry-service + name: registry-service + description: "" + rootUrl: "" + adminUrl: "" + baseUrl: "" + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + secret: '**********' + redirectUris: + - /* + webOrigins: + - /* + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: false + implicitFlowEnabled: false + directAccessGrantsEnabled: true + serviceAccountsEnabled: true + publicClient: false + frontchannelLogout: true + protocol: openid-connect + attributes: + oidc.ciba.grant.enabled: "false" + oauth2.device.authorization.grant.enabled: "false" + client.secret.creation.time: "1695649143" + backchannel.logout.session.required: "true" + backchannel.logout.revoke.offline.tokens: "false" + authenticationFlowBindingOverrides: {} + fullScopeAllowed: true + nodeReRegistrationTimeout: -1 + protocolMappers: + - id: 0d12cde5-0f09-46c2-a933-8377e480bc51 + name: Client IP 
Address + protocol: openid-connect + protocolMapper: oidc-usersessionmodel-note-mapper + consentRequired: false + config: + user.session.note: clientAddress + id.token.claim: "true" + access.token.claim: "true" + claim.name: clientAddress + jsonType.label: String + - id: 53ce2f0d-1bce-4fe6-adfc-5c91de5e5f06 + name: Client ID + protocol: openid-connect + protocolMapper: oidc-usersessionmodel-note-mapper + consentRequired: false + config: + user.session.note: client_id + id.token.claim: "true" + access.token.claim: "true" + claim.name: client_id + jsonType.label: String + - id: 275a645d-9910-464b-aee4-5c8cc4730ada + name: Client Host + protocol: openid-connect + protocolMapper: oidc-usersessionmodel-note-mapper + consentRequired: false + config: + user.session.note: clientHost + id.token.claim: "true" + access.token.claim: "true" + claim.name: clientHost + jsonType.label: String + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt + - id: 307a7228-421c-4e27-90af-40ea19bb972c + clientId: security-admin-console + name: ${client_security-admin-console} + rootUrl: ${authAdminUrl} + baseUrl: /admin/demo/console/ + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + redirectUris: + - /admin/demo/console/* + webOrigins: + - + + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: false + serviceAccountsEnabled: false + publicClient: true + frontchannelLogout: false + protocol: openid-connect + attributes: + post.logout.redirect.uris: + + pkce.code.challenge.method: S256 + authenticationFlowBindingOverrides: {} + fullScopeAllowed: false + nodeReRegistrationTimeout: 0 + protocolMappers: + - id: 914b0c58-7bcc-40ee-a845-c2950c30d156 + name: locale + protocol: openid-connect + protocolMapper: 
oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: locale + id.token.claim: "true" + access.token.claim: "true" + claim.name: locale + jsonType.label: String + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt + clientScopes: + - id: 8e015c2c-5b15-416f-b27a-29f075329eeb + name: address + description: 'OpenID Connect built-in scope: address' + protocol: openid-connect + attributes: + include.in.token.scope: "true" + display.on.consent.screen: "true" + consent.screen.text: ${addressScopeConsentText} + protocolMappers: + - id: 3d113575-1405-4376-a522-3935653a4f39 + name: address + protocol: openid-connect + protocolMapper: oidc-address-mapper + consentRequired: false + config: + user.attribute.formatted: formatted + user.attribute.country: country + user.attribute.postal_code: postal_code + userinfo.token.claim: "true" + user.attribute.street: street + id.token.claim: "true" + user.attribute.region: region + access.token.claim: "true" + user.attribute.locality: locality + - id: ed733d2e-73b6-4bc0-9580-92b894eeb74f + name: phone + description: 'OpenID Connect built-in scope: phone' + protocol: openid-connect + attributes: + include.in.token.scope: "true" + display.on.consent.screen: "true" + consent.screen.text: ${phoneScopeConsentText} + protocolMappers: + - id: e8c8abee-6fd0-4874-95d3-471653ed5766 + name: phone number verified + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: phoneNumberVerified + id.token.claim: "true" + access.token.claim: "true" + claim.name: phone_number_verified + jsonType.label: boolean + - id: cbfc826f-6339-4330-8f24-3a4f1867a2b8 + name: phone number + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: 
+ userinfo.token.claim: "true" + user.attribute: phoneNumber + id.token.claim: "true" + access.token.claim: "true" + claim.name: phone_number + jsonType.label: String + - id: abbe794c-08d2-4428-8e35-9ca4e7825147 + name: acr + description: OpenID Connect scope for add acr (authentication context class reference) to the token + protocol: openid-connect + attributes: + include.in.token.scope: "false" + display.on.consent.screen: "false" + protocolMappers: + - id: 7733ef99-12a5-4ab9-b8b3-0902c04971cf + name: acr loa level + protocol: openid-connect + protocolMapper: oidc-acr-mapper + consentRequired: false + config: + id.token.claim: "true" + access.token.claim: "true" + - id: 5c9dbf0e-6dba-4b42-8488-9d37cd343081 + name: profile + description: 'OpenID Connect built-in scope: profile' + protocol: openid-connect + attributes: + include.in.token.scope: "true" + display.on.consent.screen: "true" + consent.screen.text: ${profileScopeConsentText} + protocolMappers: + - id: e4f26795-f510-4be1-bfde-be3c222d4562 + name: nickname + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: nickname + id.token.claim: "true" + access.token.claim: "true" + claim.name: nickname + jsonType.label: String + - id: 2074e5f7-add6-4dcb-be9b-878e77d43d70 + name: zoneinfo + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: zoneinfo + id.token.claim: "true" + access.token.claim: "true" + claim.name: zoneinfo + jsonType.label: String + - id: f5e77523-9324-44a6-9c25-f8984e409505 + name: picture + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: picture + id.token.claim: "true" + access.token.claim: "true" + claim.name: picture + jsonType.label: String + - id: 
09e8675f-6bfb-4641-bbc6-0c75b208080b + name: full name + protocol: openid-connect + protocolMapper: oidc-full-name-mapper + consentRequired: false + config: + id.token.claim: "true" + access.token.claim: "true" + userinfo.token.claim: "true" + - id: 0e90fbbf-749b-4997-9e8b-440df8efb8ad + name: birthdate + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: birthdate + id.token.claim: "true" + access.token.claim: "true" + claim.name: birthdate + jsonType.label: String + - id: f466fe41-d6b1-484a-b768-8a17bbc27ec9 + name: middle name + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: middleName + id.token.claim: "true" + access.token.claim: "true" + claim.name: middle_name + jsonType.label: String + - id: ce7c7d3f-220b-4da6-9487-b5a1e76b6ae1 + name: username + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: username + id.token.claim: "true" + access.token.claim: "true" + claim.name: preferred_username + jsonType.label: String + - id: 316be96b-9987-4741-b655-06089cd43000 + name: family name + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: lastName + id.token.claim: "true" + access.token.claim: "true" + claim.name: family_name + jsonType.label: String + - id: 3203252e-bb90-4131-81d5-cd25e06157b9 + name: gender + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: gender + id.token.claim: "true" + access.token.claim: "true" + claim.name: gender + jsonType.label: String + - id: d972115f-9e7c-412e-8214-08c7c0ce58db + name: website + 
protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: website + id.token.claim: "true" + access.token.claim: "true" + claim.name: website + jsonType.label: String + - id: aeafed22-260c-4caa-9c30-955b43724f51 + name: profile + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: profile + id.token.claim: "true" + access.token.claim: "true" + claim.name: profile + jsonType.label: String + - id: d537a98d-7f29-4d8c-a363-b9395e377285 + name: locale + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: locale + id.token.claim: "true" + access.token.claim: "true" + claim.name: locale + jsonType.label: String + - id: d8ca2a90-aeba-4490-ba7e-d7c15b80bb5a + name: given name + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: firstName + id.token.claim: "true" + access.token.claim: "true" + claim.name: given_name + jsonType.label: String + - id: 6522cbb6-268b-4020-8ac6-d455d2677ab4 + name: updated at + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: updatedAt + id.token.claim: "true" + access.token.claim: "true" + claim.name: updated_at + jsonType.label: long + - id: 64ac7a42-492f-4d20-9e13-1ddcd935aeb5 + name: offline_access + description: 'OpenID Connect built-in scope: offline_access' + protocol: openid-connect + attributes: + consent.screen.text: ${offlineAccessScopeConsentText} + display.on.consent.screen: "true" + - id: c2ecede7-82ac-4aea-a723-f994d7795a66 + name: role_list + description: SAML role list + protocol: saml + attributes: + 
consent.screen.text: ${samlRoleListScopeConsentText} + display.on.consent.screen: "true" + protocolMappers: + - id: 73b9e55f-c1af-4aa3-8b24-9c52ab1bc0f4 + name: role list + protocol: saml + protocolMapper: saml-role-list-mapper + consentRequired: false + config: + single: "false" + attribute.nameformat: Basic + attribute.name: Role + - id: 2980ec58-e1d2-4dd1-b5c8-ca6782917f3e + name: email + description: 'OpenID Connect built-in scope: email' + protocol: openid-connect + attributes: + include.in.token.scope: "true" + display.on.consent.screen: "true" + consent.screen.text: ${emailScopeConsentText} + protocolMappers: + - id: ca5c227f-17d0-48a8-8e93-7aa4878eadb9 + name: email verified + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: emailVerified + id.token.claim: "true" + access.token.claim: "true" + claim.name: email_verified + jsonType.label: boolean + - id: 41bff78e-3a95-47df-b3d6-96668c132aa4 + name: email + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: email + id.token.claim: "true" + access.token.claim: "true" + claim.name: email + jsonType.label: String + - id: 813b0911-ab37-4f87-9c0d-580446f62787 + name: roles + description: OpenID Connect scope for add user roles to the access token + protocol: openid-connect + attributes: + include.in.token.scope: "false" + display.on.consent.screen: "true" + consent.screen.text: ${rolesScopeConsentText} + protocolMappers: + - id: 442d338a-648f-4114-9679-432bac57c4c0 + name: realm roles + protocol: openid-connect + protocolMapper: oidc-usermodel-realm-role-mapper + consentRequired: false + config: + user.attribute: foo + access.token.claim: "true" + claim.name: realm_access.roles + jsonType.label: String + multivalued: "true" + - id: 6b423a2b-a332-4361-9fb8-b352ac57705b + name: client roles + protocol: 
openid-connect + protocolMapper: oidc-usermodel-client-role-mapper + consentRequired: false + config: + user.attribute: foo + access.token.claim: "true" + claim.name: resource_access.${client_id}.roles + jsonType.label: String + multivalued: "true" + - id: 2c07a97d-08a0-4909-ad11-be9578e5aff1 + name: audience resolve + protocol: openid-connect + protocolMapper: oidc-audience-resolve-mapper + consentRequired: false + config: {} + - id: 6d902c6b-8662-4eec-819b-8d3f81c65947 + name: web-origins + description: OpenID Connect scope for add allowed web origins to the access token + protocol: openid-connect + attributes: + include.in.token.scope: "false" + display.on.consent.screen: "false" + consent.screen.text: "" + protocolMappers: + - id: 71641c87-bf62-439b-9503-396bf0391b73 + name: allowed web origins + protocol: openid-connect + protocolMapper: oidc-allowed-origins-mapper + consentRequired: false + config: {} + - id: 544d79c5-9fd4-479d-abdb-572fa1fca203 + name: microprofile-jwt + description: Microprofile - JWT built-in scope + protocol: openid-connect + attributes: + include.in.token.scope: "true" + display.on.consent.screen: "false" + protocolMappers: + - id: 5db1c574-6e51-4c83-a132-2dd1ac178454 + name: upn + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: "true" + user.attribute: username + id.token.claim: "true" + access.token.claim: "true" + claim.name: upn + jsonType.label: String + - id: 8a5f1a8e-ee2a-41a0-9564-ab7ca7e7be03 + name: groups + protocol: openid-connect + protocolMapper: oidc-usermodel-realm-role-mapper + consentRequired: false + config: + multivalued: "true" + user.attribute: foo + id.token.claim: "true" + access.token.claim: "true" + claim.name: groups + jsonType.label: String + defaultDefaultClientScopes: + - role_list + - profile + - email + - roles + - web-origins + - acr + defaultOptionalClientScopes: + - offline_access + - address + - phone + - 
microprofile-jwt + browserSecurityHeaders: + contentSecurityPolicyReportOnly: "" + xContentTypeOptions: nosniff + referrerPolicy: no-referrer + xRobotsTag: none + xFrameOptions: SAMEORIGIN + contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + xXSSProtection: 1; mode=block + strictTransportSecurity: max-age=31536000; includeSubDomains + smtpServer: {} + eventsEnabled: false + eventsListeners: + - jboss-logging + enabledEventTypes: [] + adminEventsEnabled: false + adminEventsDetailsEnabled: false + identityProviders: [] + identityProviderMappers: [] + components: + org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy: + - id: 59a5ab35-2be7-4eb2-8dfe-4d783506f83a + name: Allowed Protocol Mapper Types + providerId: allowed-protocol-mappers + subType: authenticated + subComponents: {} + config: + allowed-protocol-mapper-types: + - saml-user-attribute-mapper + - oidc-address-mapper + - oidc-full-name-mapper + - oidc-sha256-pairwise-sub-mapper + - saml-user-property-mapper + - oidc-usermodel-property-mapper + - saml-role-list-mapper + - oidc-usermodel-attribute-mapper + - id: 0c5e80ed-0909-45a7-aeda-55a86b6c93d6 + name: Allowed Client Scopes + providerId: allowed-client-templates + subType: authenticated + subComponents: {} + config: + allow-default-scopes: + - "true" + - id: c56fa45a-6fac-4265-9f9c-3f6e1e1b7161 + name: Consent Required + providerId: consent-required + subType: anonymous + subComponents: {} + config: {} + - id: 919116d0-7ee8-433a-b0a6-77fc2f0d5f9c + name: Full Scope Disabled + providerId: scope + subType: anonymous + subComponents: {} + config: {} + - id: f1addac7-90fa-4ebe-b67d-a9cb4e1823f6 + name: Allowed Protocol Mapper Types + providerId: allowed-protocol-mappers + subType: anonymous + subComponents: {} + config: + allowed-protocol-mapper-types: + - saml-role-list-mapper + - saml-user-property-mapper + - oidc-full-name-mapper + - oidc-sha256-pairwise-sub-mapper + - oidc-usermodel-property-mapper + 
- saml-user-attribute-mapper + - oidc-address-mapper + - oidc-usermodel-attribute-mapper + - id: 5bc74320-5da8-4d0a-8bc7-1e70c5bab8d2 + name: Max Clients Limit + providerId: max-clients + subType: anonymous + subComponents: {} + config: + max-clients: + - "200" + - id: c4fdf4ba-2055-415b-afc3-91466a583072 + name: Allowed Client Scopes + providerId: allowed-client-templates + subType: anonymous + subComponents: {} + config: + allow-default-scopes: + - "true" + - id: 34b1ab24-9729-46eb-9f5e-14d8992322f0 + name: Trusted Hosts + providerId: trusted-hosts + subType: anonymous + subComponents: {} + config: + host-sending-registration-request-must-match: + - "true" + client-uris-must-match: + - "true" + org.keycloak.keys.KeyProvider: + - id: 1ff7ef01-7cfd-4e73-a8b1-fa8d8b619cf3 + name: aes-generated + providerId: aes-generated + subComponents: {} + config: + priority: + - "100" + - id: 0370c602-5cf7-4c40-90ca-5b0f2256aab5 + name: rsa-enc-generated + providerId: rsa-enc-generated + subComponents: {} + config: + priority: + - "100" + algorithm: + - RSA-OAEP + - id: bdeab9b7-b052-4f9d-ab3c-dc4a3f339998 + name: hmac-generated + providerId: hmac-generated + subComponents: {} + config: + priority: + - "100" + algorithm: + - HS256 + - id: 9ea7a7ff-3802-402f-81b0-3ea366ec3aad + name: rsa-generated + providerId: rsa-generated + subComponents: {} + config: + priority: + - "100" + internationalizationEnabled: false + supportedLocales: [] + authenticationFlows: + - id: 11cd1854-5565-40e8-b963-dcc091151c90 + alias: Account verification options + description: Method with which to verity the existing account + providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: idp-email-verification + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: ALTERNATIVE + priority: 20 + autheticatorFlow: true + flowAlias: Verify Existing Account by 
Re-authentication + userSetupAllowed: false + - id: 6e38719a-5aef-4d18-a004-fde33ef031c3 + alias: Browser - Conditional OTP + description: Flow to determine if the OTP is required for the authentication + providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: conditional-user-configured + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: auth-otp-form + authenticatorFlow: false + requirement: REQUIRED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - id: 610c5aa9-2577-4a0c-892a-b4ca9f7cff8f + alias: Direct Grant - Conditional OTP + description: Flow to determine if the OTP is required for the authentication + providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: conditional-user-configured + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: direct-grant-validate-otp + authenticatorFlow: false + requirement: REQUIRED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - id: 4fc69b69-d785-4c97-bce0-4b832086d1f1 + alias: First broker login - Conditional OTP + description: Flow to determine if the OTP is required for the authentication + providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: conditional-user-configured + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: auth-otp-form + authenticatorFlow: false + requirement: REQUIRED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - id: ca95f056-2b3b-4914-a81e-e9274849e64b + alias: Handle Existing Account + description: Handle what to do if there is existing account with same email/username like authenticated identity provider + providerId: basic-flow + topLevel: 
false + builtIn: true + authenticationExecutions: + - authenticator: idp-confirm-link + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: REQUIRED + priority: 20 + autheticatorFlow: true + flowAlias: Account verification options + userSetupAllowed: false + - id: ff7e41cb-5ff7-4129-ba99-0cdbec8883b5 + alias: Reset - Conditional OTP + description: Flow to determine if the OTP should be reset or not. Set to REQUIRED to force. + providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: conditional-user-configured + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: reset-otp + authenticatorFlow: false + requirement: REQUIRED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - id: 6f6c9932-a383-4548-aab5-f8c09e6848f3 + alias: User creation or linking + description: Flow for the existing/non-existing user alternatives + providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticatorConfig: create unique user config + authenticator: idp-create-user-if-unique + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: ALTERNATIVE + priority: 20 + autheticatorFlow: true + flowAlias: Handle Existing Account + userSetupAllowed: false + - id: 239f3a44-4717-47b6-956d-e2116909b6b1 + alias: Verify Existing Account by Re-authentication + description: Reauthentication of existing account + providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: idp-username-password-form + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: CONDITIONAL 
+ priority: 20 + autheticatorFlow: true + flowAlias: First broker login - Conditional OTP + userSetupAllowed: false + - id: e460f200-0c28-4c57-9569-2737488ee058 + alias: browser + description: browser based authentication + providerId: basic-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticator: auth-cookie + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: auth-spnego + authenticatorFlow: false + requirement: DISABLED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: identity-provider-redirector + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 25 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: ALTERNATIVE + priority: 30 + autheticatorFlow: true + flowAlias: forms + userSetupAllowed: false + - id: 4d3b1ad8-df8a-4031-af03-a01ddf2f6446 + alias: clients + description: Base authentication for clients + providerId: client-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticator: client-secret + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: client-jwt + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: client-secret-jwt + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 30 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: client-x509 + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 40 + autheticatorFlow: false + userSetupAllowed: false + - id: bd922a6d-4512-4bec-914a-a600dea3fde0 + alias: direct grant + description: OpenID Connect Resource Owner Grant + providerId: basic-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticator: direct-grant-validate-username + 
authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: direct-grant-validate-password + authenticatorFlow: false + requirement: REQUIRED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: CONDITIONAL + priority: 30 + autheticatorFlow: true + flowAlias: Direct Grant - Conditional OTP + userSetupAllowed: false + - id: efbe7c9c-9baa-465f-8353-54bfdf9272ed + alias: docker auth + description: Used by Docker clients to authenticate against the IDP + providerId: basic-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticator: docker-http-basic-authenticator + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - id: 6473eff0-1fbb-47f5-99a7-3265893edf10 + alias: first broker login + description: Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account + providerId: basic-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticatorConfig: review profile config + authenticator: idp-review-profile + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: REQUIRED + priority: 20 + autheticatorFlow: true + flowAlias: User creation or linking + userSetupAllowed: false + - id: 029db825-e073-47f5-a3b2-0a24722423e6 + alias: forms + description: Username, password, otp and other auth forms. 
+ providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: auth-username-password-form + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: CONDITIONAL + priority: 20 + autheticatorFlow: true + flowAlias: Browser - Conditional OTP + userSetupAllowed: false + - id: 507b5573-14dd-42ba-a975-786034d06d0f + alias: registration + description: registration flow + providerId: basic-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticator: registration-page-form + authenticatorFlow: true + requirement: REQUIRED + priority: 10 + autheticatorFlow: true + flowAlias: registration form + userSetupAllowed: false + - id: aa14d044-eae8-4139-9bdb-821eead92dba + alias: registration form + description: registration form + providerId: form-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: registration-user-creation + authenticatorFlow: false + requirement: REQUIRED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: registration-profile-action + authenticatorFlow: false + requirement: REQUIRED + priority: 40 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: registration-password-action + authenticatorFlow: false + requirement: REQUIRED + priority: 50 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: registration-recaptcha-action + authenticatorFlow: false + requirement: DISABLED + priority: 60 + autheticatorFlow: false + userSetupAllowed: false + - id: 4355c737-f767-4ea2-99a5-2af6c903c69b + alias: reset credentials + description: Reset credentials for a user if they forgot their password or something + providerId: basic-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticator: reset-credentials-choose-user + authenticatorFlow: false + requirement: REQUIRED + priority: 10 
+ autheticatorFlow: false + userSetupAllowed: false + - authenticator: reset-credential-email + authenticatorFlow: false + requirement: REQUIRED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: reset-password + authenticatorFlow: false + requirement: REQUIRED + priority: 30 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: CONDITIONAL + priority: 40 + autheticatorFlow: true + flowAlias: Reset - Conditional OTP + userSetupAllowed: false + - id: 5ba8e664-7e0a-408e-9081-b802ff3c964d + alias: saml ecp + description: SAML ECP Profile Authentication Flow + providerId: basic-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticator: http-basic-authenticator + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + authenticatorConfig: + - id: 7cfa83f2-aec2-41fa-91e7-fa6e86369c26 + alias: create unique user config + config: + require.password.update.after.registration: "false" + - id: ab259169-ec8b-464c-b1b4-d8ccdc71a092 + alias: review profile config + config: + update.profile.on.first.login: missing + requiredActions: + - alias: CONFIGURE_TOTP + name: Configure OTP + providerId: CONFIGURE_TOTP + enabled: true + defaultAction: false + priority: 10 + config: {} + - alias: TERMS_AND_CONDITIONS + name: Terms and Conditions + providerId: TERMS_AND_CONDITIONS + enabled: false + defaultAction: false + priority: 20 + config: {} + - alias: UPDATE_PASSWORD + name: Update Password + providerId: UPDATE_PASSWORD + enabled: true + defaultAction: false + priority: 30 + config: {} + - alias: UPDATE_PROFILE + name: Update Profile + providerId: UPDATE_PROFILE + enabled: true + defaultAction: false + priority: 40 + config: {} + - alias: VERIFY_EMAIL + name: Verify Email + providerId: VERIFY_EMAIL + enabled: true + defaultAction: false + priority: 50 + config: {} + - alias: delete_account + name: Delete Account + 
providerId: delete_account + enabled: false + defaultAction: false + priority: 60 + config: {} + - alias: webauthn-register + name: Webauthn Register + providerId: webauthn-register + enabled: true + defaultAction: false + priority: 70 + config: {} + - alias: webauthn-register-passwordless + name: Webauthn Register Passwordless + providerId: webauthn-register-passwordless + enabled: true + defaultAction: false + priority: 80 + config: {} + - alias: update_user_locale + name: Update User Locale + providerId: update_user_locale + enabled: true + defaultAction: false + priority: 1000 + config: {} + browserFlow: browser + registrationFlow: registration + directGrantFlow: direct grant + resetCredentialsFlow: reset credentials + clientAuthenticationFlow: clients + dockerAuthenticationFlow: docker auth + attributes: + cibaBackchannelTokenDeliveryMode: poll + cibaExpiresIn: "120" + cibaAuthRequestedUserHint: login_hint + oauth2DeviceCodeLifespan: "600" + oauth2DevicePollingInterval: "5" + parRequestUriLifespan: "60" + cibaInterval: "5" + realmReusableOtpCode: "false" + keycloakVersion: 22.0.3 + userManagedAccessAllowed: false + clientProfiles: + profiles: [] + clientPolicies: + policies: [] \ No newline at end of file diff --git a/kubefiles/keycloak/keycloak_oauth_kafka.yaml b/kubefiles/keycloak/keycloak_oauth_kafka.yaml new file mode 100644 index 000000000..c89a11841 --- /dev/null +++ b/kubefiles/keycloak/keycloak_oauth_kafka.yaml @@ -0,0 +1,26 @@ +apiVersion: k8s.keycloak.org/v2alpha1 +kind: Keycloak +metadata: + name: registry-sso + labels: + app: sso +spec: + additionalOptions: + - name: proxy + value: edge + db: + host: keycloak-db + passwordSecret: + key: password + name: keycloak-db-secret + usernameSecret: + key: username + name: keycloak-db-secret + vendor: postgres + hostname: + hostname: registry-sso.apps.rkubis414.apicurio.integration-qe.com + ingress: + className: openshift-default + http: + httpEnabled: true + instances: 1 \ No newline at end of file 
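Review bot: `spec.http.httpEnabled: true` combined with the `proxy: edge` option means Keycloak serves plain HTTP and trusts the forwarded scheme/host headers of whatever reaches the pod, so this CR silently assumes the TLS-terminating ingress is the only path to the service; a NetworkPolicy restricting ingress to the router, or at least a comment stating that assumption next to `httpEnabled`, would make it explicit. `spec.hostname.hostname` hard-codes one developer cluster (`registry-sso.apps.rkubis414…`), and because the hostname also becomes the issuer Keycloak writes into tokens, it should be templated or marked as a value to replace rather than committed as-is. The file also ends without a newline and has no `---` document start.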
diff --git a/pom.xml b/pom.xml index 46e3f2826..796d8a17a 100644 --- a/pom.xml +++ b/pom.xml @@ -18,7 +18,7 @@ 2.16.2 0.103.1 1.18.30 - 1.0.0-v2.0.0.final + 1.1.0-v2.4.12.final 2.2 2.0.12 0.39.0 @@ -261,7 +261,7 @@ wget - https://raw.githubusercontent.com/Apicurio/apicurio-registry-operator/${version.operator}/packagemanifests/${version.operator}/registry.apicur.io_apicurioregistries.yaml + https://raw.githubusercontent.com/Apicurio/apicurio-registry-operator/v${version.operator}/bundle/${version.operator}/manifests/registry.apicur.io_apicurioregistries.yaml registry.apicur.io_apicurioregistries.yaml ${project.build.directory} true diff --git a/run571.sh b/run571.sh new file mode 100755 index 000000000..4e92267c8 --- /dev/null +++ b/run571.sh @@ -0,0 +1,11 @@ +oc login -u admin -p admin https://api.rk413.apicurio.integration-qe.com:6443/ + +FORCE_NAMESPACE=rkubis-namespace \ + REGISTRY_PACKAGE=service-registry-operator \ + REGISTRY_BUNDLE=./scripts/install.yaml \ + KAFKA_PACKAGE=amq-streams \ + KAFKA_DEPLOYMENT=amq-streams-cluster-operator \ + CATALOG=redhat-operators \ + mvn test -Dtest=BundleAuthTests#testRegistrySqlKeycloakAnonymousReadAccess,BundleAPITests#testRegistryKafkasqlTLSKeycloakCreateReadUpdateDelete + +oc logout diff --git a/run572.sh b/run572.sh new file mode 100755 index 000000000..825673bbd --- /dev/null +++ b/run572.sh @@ -0,0 +1,11 @@ +oc login -u admin -p admin https://api.rk14.apicurio.integration-qe.com:6443/ + +FORCE_NAMESPACE=rkubis-namespace \ + REGISTRY_PACKAGE=service-registry-operator \ + REGISTRY_BUNDLE=./scripts/install.yaml \ + KAFKA_PACKAGE=amq-streams \ + KAFKA_DEPLOYMENT=amq-streams-cluster-operator \ + CATALOG=redhat-operators \ + mvn test -Dtest=BundleAuthTests#testRegistryKafkasqlSCRAMKeycloakBasicAuthentication + +oc logout diff --git a/run575.sh b/run575.sh new file mode 100755 index 000000000..e76ca4be1 --- /dev/null +++ b/run575.sh 
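Review bot: The new CRD URL is pinned only to the `v${version.operator}` tag on raw.githubusercontent.com, and a tag can be moved, so the manifest the build installs is fetched without any integrity check; if this is download-maven-plugin's `wget` goal, as the `wget` element suggests, adding its `sha256` parameter with the expected digest of `registry.apicur.io_apicurioregistries.yaml` would pin the file. The path change from `packagemanifests/…` to `bundle/…/manifests/…` also makes the download depend on the operator repo having a `v`-prefixed tag for the property value changed in the first hunk; a comment on that property stating this expectation would save the next person a broken build. The XML tags were lost in this rendering, so the exact element names are inferred.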
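Review bot: `oc login -u admin -p admin https://api.rk413…` commits an admin username, its password and the cluster address into the repository, and the same line recurs in run572.sh here and in run575.sh–run578.sh below. The login should take its credentials from the environment or a token, e.g. `oc login --token="$OC_TOKEN" "$OC_SERVER"`, and if these remain personal run helpers they belong in .gitignore rather than in the commit. There is also no shebang and no `set -e`, so a failed login still runs `mvn test` against whatever context the current kubeconfig holds; `#!/usr/bin/env bash` followed by `set -euo pipefail` would stop that.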
@@ -0,0 +1,11 @@ +oc login -u admin -p admin https://api.rk11.apicurio.integration-qe.com:6443/ + +FORCE_NAMESPACE=rkubis-namespace \ + REGISTRY_PACKAGE=service-registry-operator \ + REGISTRY_BUNDLE=./scripts/install.yaml \ + KAFKA_PACKAGE=amq-streams \ + KAFKA_DEPLOYMENT=amq-streams-cluster-operator \ + CATALOG=redhat-operators \ + mvn test -Dtest=BundleAuthTests#testRegistrySqlKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistryKafkasqlNoAuthNoIAMAnonymousReadAccess,BundleAuthTests#testRegistryKafkasqlSCRAMKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistryKafkasqlSCRAMKeycloakArtifactOwnerOnlyAuthorization + +oc logout diff --git a/run576.sh b/run576.sh new file mode 100755 index 000000000..269c0036b --- /dev/null +++ b/run576.sh @@ -0,0 +1,11 @@ +oc login -u admin -p admin https://api.rk12.apicurio.integration-qe.com:6443/ + +FORCE_NAMESPACE=rkubis-namespace \ + REGISTRY_PACKAGE=service-registry-operator \ + REGISTRY_BUNDLE=./scripts/install.yaml \ + KAFKA_PACKAGE=amq-streams \ + KAFKA_DEPLOYMENT=amq-streams-cluster-operator \ + CATALOG=redhat-operators \ + mvn test -Dtest=BundleAuthTests#testRegistrySqlKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistryKafkasqlSCRAMKeycloakAuthenticatedReads,BundleAuthTests#testRegistryKafkasqlSCRAMKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistrySqlKeycloakRoleBasedAuthorizationToken,BundleAuthTests#testRegistryKafkasqlTLSKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistryKafkasqlTLSKeycloakArtifactGroupOwnerOnlyAuthorization + +oc logout diff --git a/run577.sh b/run577.sh new file mode 100755 index 000000000..da40d3c0c --- /dev/null +++ b/run577.sh 
@@ -0,0 +1,11 @@ +oc login -u admin -p admin https://api.rk13.apicurio.integration-qe.com:6443 + +FORCE_NAMESPACE=rkubis-namespace \ + REGISTRY_PACKAGE=service-registry-operator \ + REGISTRY_BUNDLE=./scripts/install.yaml \ + KAFKA_PACKAGE=amq-streams \ + KAFKA_DEPLOYMENT=amq-streams-cluster-operator \ + CATALOG=redhat-operators \ + mvn test -Dtest=BundleAuthTests#testRegistrySqlKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistryKafkasqlSCRAMKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistryKafkasqlTLSKeycloakRoleBasedAuthorizationRoleNames,BundleAuthTests#testRegistrySqlKeycloakRoleBasedAuthorizationAdminOverrideRole,BundleAuthTests#testRegistryKafkasqlNoAuthKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistryKafkasqlTLSKeycloakArtifactOwnerOnlyAuthorization,BundleAuthTests#testRegistryKafkasqlNoAuthKeycloakRoleBasedAuthorizationAdminOverrideRole,BundleAuthTests#testRegistryKafkasqlSCRAMKeycloakRoleBasedAuthorizationToken,BundleAuthTests#testRegistryKafkasqlTLSKeycloakRoleBasedAuthorizationToken,BundleAuthTests#testRegistryKafkasqlTLSKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistryKafkasqlTLSKeycloakArtifactGroupOwnerOnlyAuthorization + +oc logout diff --git a/run578.sh b/run578.sh new file mode 100755 index 000000000..51000a7cd --- /dev/null +++ b/run578.sh @@ -0,0 +1,11 @@ +oc login -u admin -p admin https://api.rk14.apicurio.integration-qe.com:6443/ + +FORCE_NAMESPACE=rkubis-namespace \ + REGISTRY_PACKAGE=service-registry-operator \ + REGISTRY_BUNDLE=./scripts/install.yaml \ + KAFKA_PACKAGE=amq-streams \ + KAFKA_DEPLOYMENT=amq-streams-cluster-operator \ + CATALOG=redhat-operators \ + mvn test -Dtest=BundleAuthTests#testRegistryKafkasqlSCRAMKeycloakArtifactGroupOwnerOnlyAuthorization,BundleAuthTests#testRegistryKafkasqlTLSKeycloakRoleBasedAuthorizationAdminOverrideClaim + +oc logout 
diff --git a/run579.sh b/run579.sh new file mode 100755 index 000000000..ce42d7fef --- /dev/null +++ b/run579.sh @@ -0,0 +1,11 @@ +oc login -u admin -p admin https://api.rk15.apicurio.integration-qe.com:6443 + +FORCE_NAMESPACE=rkubis-namespace \ + REGISTRY_PACKAGE=service-registry-operator \ + REGISTRY_BUNDLE=./scripts/install.yaml \ + KAFKA_PACKAGE=amq-streams \ + KAFKA_DEPLOYMENT=amq-streams-cluster-operator \ + CATALOG=redhat-operators \ + mvn test -Dtest=BundleAuthTests#testRegistrySqlKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistrySqlKeycloakRoleBasedAuthorizationApplication,BundleAuthTests#testRegistryKafkasqlSCRAMKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistryKafkasqlTLSKeycloakRoleBasedAuthorizationRoleNames,BundleAuthTests#testRegistryKafkasqlNoAuthKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistryKafkasqlNoAuthKeycloakRoleBasedAuthorizationRoleNames,BundleAuthTests#testRegistrySqlKeycloakAnonymousReadAccess,BundleAuthTests#testRegistryKafkasqlTLSKeycloakAuthenticatedReads,BundleAuthTests#testRegistrySqlKeycloakAuthenticatedReads,BundleAuthTests#testRegistryKafkasqlNoAuthKeycloakAuthenticatedReads,BundleAuthTests#testRegistryKafkasqlTLSKeycloakRoleBasedAuthorizationAdminOverrideClaim + +oc logout diff --git a/run580.sh b/run580.sh new file mode 100755 index 000000000..f1b696b8e --- /dev/null +++ b/run580.sh 
@@ -0,0 +1,11 @@ +oc login -u admin -p admin https://api.apicur.eastus.aroapp.io:6443 + +FORCE_NAMESPACE=rkubis-namespace \ + REGISTRY_PACKAGE=service-registry-operator \ + REGISTRY_BUNDLE=./scripts/install.yaml \ + KAFKA_PACKAGE=amq-streams \ + KAFKA_DEPLOYMENT=amq-streams-cluster-operator \ + CATALOG=redhat-operators \ + mvn test -Dtest=BundleAuthTests#testRegistrySqlKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistryKafkasqlSCRAMKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistryKafkasqlSCRAMKeycloakRoleBasedAuthorizationRoleNames,BundleAuthTests#testRegistryKafkasqlNoAuthKeycloakRoleBasedAuthorizationAdminOverrideClaim,BundleAuthTests#testRegistryKafkasqlNoAuthKeycloakArtifactGroupOwnerOnlyAuthorization + +oc logout diff --git a/run_oauth.sh b/run_oauth.sh new file mode 100755 index 000000000..16a5c58e7 --- /dev/null +++ b/run_oauth.sh @@ -0,0 +1,11 @@ +oc login -u admin -p admin https://api.rkubis414.apicurio.integration-qe.com:6443 + +FORCE_NAMESPACE=rkubis-namespace \ + REGISTRY_PACKAGE=service-registry-operator \ + REGISTRY_BUNDLE=./scripts/install.yaml \ + KAFKA_PACKAGE=amq-streams \ + KAFKA_DEPLOYMENT=amq-streams-cluster-operator \ + CATALOG=redhat-operators \ + mvn test -Dtest=BundleOAuthKafkaTests#testRegistryOAuthKafka + +oc logout diff --git a/scripts/install.yaml b/scripts/install.yaml index 4ff251d14..4b846cba6 100644 --- a/scripts/install.yaml +++ b/scripts/install.yaml 
@@ -4760,9 +4760,9 @@ spec: - name: REGISTRY_VERSION value: 2.5.5.Final-redhat-00001 - name: RELATED_IMAGE_REGISTRY_IMAGE_KAFKASQL - value: registry.redhat.io/integration/service-registry-kafkasql-rhel8:2.5.5 + value: brew.registry.redhat.io/rh-osbs/integration-service-registry-kafkasql-rhel8:2.5.5-1.1705575906 - name: RELATED_IMAGE_REGISTRY_IMAGE_SQL - value: registry.redhat.io/integration/service-registry-sql-rhel8:2.5.5 + value: brew.registry.redhat.io/rh-osbs/integration-service-registry-sql-rhel8:2.5.5-1.1705575905 - name: WATCH_NAMESPACE valueFrom: fieldRef: diff --git a/src/main/java/io/apicurio/registry/systemtests/framework/ApicurioRegistryUtils.java b/src/main/java/io/apicurio/registry/systemtests/framework/ApicurioRegistryUtils.java index 20b6a1309..921feee47 100644 --- a/src/main/java/io/apicurio/registry/systemtests/framework/ApicurioRegistryUtils.java +++ b/src/main/java/io/apicurio/registry/systemtests/framework/ApicurioRegistryUtils.java @@ -230,4 +230,23 @@ public static boolean waitApicurioRegistryReady(ApicurioRegistry apicurioRegistr return registryResourceType.isReady(apicurioRegistry); } + + public static ApicurioRegistry deployDefaultApicurioRegistryOAuthKafka(Kafka kafka) throws InterruptedException { + // Get Apicurio Registry + ApicurioRegistry apicurioRegistryOAuthKafka = ApicurioRegistryResourceType.getDefaultOAuthKafka( + Constants.REGISTRY, + Environment.NAMESPACE + ); + + CertificateUtils.createTruststore( + kafka.getMetadata().getNamespace(), + kafka.getMetadata().getName() + "-cluster-ca-cert", + Constants.OAUTH_KAFKA_TRUSTSTORE_SECRET_NAME + ); + + // Create Apicurio Registry + ResourceManager.getInstance().createResource(true, apicurioRegistryOAuthKafka); + + return apicurioRegistryOAuthKafka; + } } diff --git a/src/main/java/io/apicurio/registry/systemtests/framework/Constants.java b/src/main/java/io/apicurio/registry/systemtests/framework/Constants.java index 6d63fe320..e3cddd234 100644 
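Review bot: `RELATED_IMAGE_REGISTRY_IMAGE_KAFKASQL` and `RELATED_IMAGE_REGISTRY_IMAGE_SQL` are switched from the released `registry.redhat.io/integration/...` images to `brew.registry.redhat.io/rh-osbs/...`, an internal build registry that presumably needs internal pull credentials and is not reachable from a shared CI, so this edits the committed install bundle for one person's environment. The new references are mutable tags (`2.5.5-1.1705575906`); if pre-release builds must be tested, pin them by `@sha256:` digest and inject them through an overlay or an environment variable rather than editing `scripts/install.yaml`. Given the "backup of code" subject, this hunk looks like it should not land at all.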
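Review bot: `deployDefaultApicurioRegistryOAuthKafka` derives the CA secret from the `Kafka` it is given (`kafka.getMetadata().getName() + "-cluster-ca-cert"`), but the registry it creates via `getDefaultOAuthKafka` mounts a literal `kafka1-cluster-ca-cert` and bootstraps against `Constants.KAFKA`, so the method only works when all three names coincide. Pass the Kafka name (or the `Kafka` object) into `ApicurioRegistryResourceType.getDefaultOAuthKafka` and build the secret name and bootstrap host from it there, e.g. `getDefaultOAuthKafka(Constants.REGISTRY, Environment.NAMESPACE, kafka.getMetadata().getName())`. A one-line Javadoc stating that the truststore secret is created in the Kafka's namespace and must exist before the registry pod starts would also help the next reader.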
--- a/src/main/java/io/apicurio/registry/systemtests/framework/Constants.java +++ b/src/main/java/io/apicurio/registry/systemtests/framework/Constants.java @@ -26,6 +26,11 @@ public class Constants { public static final String SSO_USER_PASSWORD = "changeme"; // Defined in kubefiles/keycloak-realm.yaml public static final String TESTSUITE_NAMESPACE = "testsuite-namespace"; + public static final String SSO_DB_SECRET_NAME = "keycloak-db-secret"; + public static final String DB_PASSWORD = "password"; + public static final String DB_USERNAME = "username"; + public static final String OAUTH_KAFKA_TRUSTSTORE_SECRET_NAME = "mytruststore-secret"; + // TODO: Move other constants here too? // PostgreSQL port // PostgreSQL username diff --git a/src/main/java/io/apicurio/registry/systemtests/framework/DatabaseUtils.java b/src/main/java/io/apicurio/registry/systemtests/framework/DatabaseUtils.java index d6630d3df..843f93f6d 100644 --- a/src/main/java/io/apicurio/registry/systemtests/framework/DatabaseUtils.java +++ b/src/main/java/io/apicurio/registry/systemtests/framework/DatabaseUtils.java @@ -30,4 +30,16 @@ public static void deployPostgresqlDatabase(String name, String namespace) { e.printStackTrace(); } } + + public static void deployPostgresqlDatabase(String name, String namespace, String databaseName) { + Deployment deployment = DeploymentResourceType.getDefaultPostgresql(name, namespace, databaseName); + Service service = ServiceResourceType.getDefaultPostgresql(name, namespace); + + try { + ResourceManager.getInstance().createResource(true, deployment); + ResourceManager.getInstance().createResource(false, service); + } catch (Exception e) { + e.printStackTrace(); + } + } } diff --git a/src/main/java/io/apicurio/registry/systemtests/framework/KafkaUtils.java b/src/main/java/io/apicurio/registry/systemtests/framework/KafkaUtils.java index d579c7951..a44e2d45a 100644 --- a/src/main/java/io/apicurio/registry/systemtests/framework/KafkaUtils.java 
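Review bot: `DB_PASSWORD = "password"` and `DB_USERNAME = "username"` read like the Secret key names the Keycloak CR consumes (`key: password`, `key: username` under `keycloak-db-secret`), yet DeploymentResourceType uses the same constants as the actual `POSTGRES_USER`/`POSTGRES_PASSWORD` values, so the database is created with the literal password `password`. Separate the two meanings: `SSO_DB_SECRET_USERNAME_KEY = "username"` / `SSO_DB_SECRET_PASSWORD_KEY = "password"` for the keys, and a clearly named credential such as `SSO_DB_PASSWORD` (ideally generated per run) for the value. This is test infrastructure, but one constant serving as both key and value is exactly how a placeholder password ends up in a real deployment.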
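Review bot: the new `deployPostgresqlDatabase(name, namespace, databaseName)` copies the two-argument overload including `catch (Exception e) { e.printStackTrace(); }`, so a failed Deployment or Service create is printed and the caller carries on to deploy Keycloak against a database that does not exist; the error then resurfaces as an unrelated Keycloak readiness timeout. Let the exception propagate (or wrap it in an unchecked exception with the database name), and make the existing two-argument method — outside this hunk — delegate with `deployPostgresqlDatabase(name, namespace, "postgresdb");` instead of keeping two bodies.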
+++ b/src/main/java/io/apicurio/registry/systemtests/framework/KafkaUtils.java @@ -85,4 +85,12 @@ public static Kafka deployDefaultKafkaTls() throws InterruptedException { public static Kafka deployDefaultKafkaScram() throws InterruptedException { return deployDefaultKafkaByKind(KafkaKind.SCRAM); } + + public static Kafka deployDefaultOAuthKafka() throws InterruptedException { + Kafka kafka = KafkaResourceType.getDefaultOAuth(); + + ResourceManager.getInstance().createResource(true, kafka); + + return kafka; + } } diff --git a/src/main/java/io/apicurio/registry/systemtests/framework/KeycloakUtils.java b/src/main/java/io/apicurio/registry/systemtests/framework/KeycloakUtils.java index 7a367a072..ee29814fc 100644 --- a/src/main/java/io/apicurio/registry/systemtests/framework/KeycloakUtils.java +++ b/src/main/java/io/apicurio/registry/systemtests/framework/KeycloakUtils.java @@ -10,6 +10,7 @@ import io.apicurio.registry.systemtests.registryinfra.resources.RouteResourceType; import io.apicurio.registry.systemtests.registryinfra.resources.ServiceResourceType; import io.fabric8.kubernetes.api.model.Secret; +import io.fabric8.openshift.api.model.Route; import org.apache.hc.core5.http.HttpStatus; import org.junit.jupiter.api.Assertions; import org.slf4j.Logger; @@ -39,6 +40,10 @@ public static void deployKeycloak() throws InterruptedException, IOException { deployKeycloak(Environment.NAMESPACE); } + public static void deployOAuthKafkaKeycloak() throws IOException, InterruptedException { + deployOAuthKafkaKeycloak(Environment.NAMESPACE); + } + private static void deployKeycloakPostgres(String namespace) throws URISyntaxException { URL dtb = KeycloakUtils.class.getClassLoader().getResource("postgres.yaml"); 
@@ -104,6 +109,38 @@ public static void deployKeycloak(String namespace) throws InterruptedException, LOGGER.info("Keycloak should be deployed."); } + public static void deployOAuthKafkaKeycloak(String namespace) throws InterruptedException, IOException { + LOGGER.info("Deploying OAuth Kafka Keycloak..."); + ResourceManager manager = ResourceManager.getInstance(); + // Deploy Keycloak server + Exec.executeAndCheck("oc", "apply", "-n", namespace, "-f", getKeycloakFilePath("keycloak_oauth_kafka.yaml")); + + // Wait for Keycloak server to be ready + Assertions.assertTrue(ResourceUtils.waitStatefulSetReady(namespace, "registry-sso")); + + // Create Keycloak HTTP Service and wait for its readiness + // manager.createSharedResource( true, ServiceResourceType.getDefaultKeycloakHttp(namespace)); + + // Create Keycloak Route and wait for its readiness + // manager.createSharedResource( true, RouteResourceType.getDefaultOAuthKafkaKeycloak(namespace)); + + // Log Keycloak URL + // LOGGER.info("Keycloak URL: {}", getDefaultKeycloakURL(namespace)); + + // TODO: Wait for Keycloak Realm readiness, but API model not available + // Create Keycloak Realm + Exec.executeAndCheck( + "oc", + "apply", + "-n", namespace, + "-f", getKeycloakFilePath("keycloak_oauth_kafka-realm.yaml") + ); + + Thread.sleep(Duration.ofMinutes(1).toMillis()); + + LOGGER.info("Keycloak should be deployed."); + } + public static void removeKeycloakRealm(String namespace) { LOGGER.info("Removing keycloak realm"); 
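Review bot: after `oc apply` of `keycloak_oauth_kafka-realm.yaml` the method only does `Thread.sleep(Duration.ofMinutes(1))` and never checks that the realm exists, so `KafkaResourceType.getDefaultOAuth` can build `validIssuerUri`/`jwksEndpointUri` for a realm that is not imported yet, and a broken realm file only shows up later as an opaque broker authentication error. Replace the sleep with a poll of `https://<route-host>/realms/demo/.well-known/openid-configuration` until it answers 200 within a timeout (same shape as the `waitStatefulSetReady` call above it), and assert that the returned `issuer` equals `KeycloakUtils.getDefaultOAuthKafkaValidIssuerUri()`. `ResourceManager manager` is assigned but unused now that the Service and Route creation are commented out; remove it together with the dead lines or restore them.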
@@ -115,6 +152,17 @@ public static void removeKeycloakRealm(String namespace) { ); } + public static void removeOAuthKafkaKeycloakRealm(String namespace) { + LOGGER.info("Removing OAuth Kafka keycloak realm"); + + Exec.executeAndCheck( + "oc", + "delete", + "-n", namespace, + "-f", getKeycloakFilePath("keycloak_oauth_kafka-realm.yaml") + ); + } + public static void removeKeycloak(String namespace) throws InterruptedException { removeKeycloakRealm(namespace); Thread.sleep(Duration.ofMinutes(2).toMillis()); @@ -129,6 +177,20 @@ public static void removeKeycloak(String namespace) throws InterruptedException LOGGER.info("Keycloak should be removed."); } + public static void removeOAuthKafkaKeycloak(String namespace) throws InterruptedException { + removeOAuthKafkaKeycloakRealm(namespace); + Thread.sleep(Duration.ofMinutes(2).toMillis()); + LOGGER.info("Removing OAuth Kafka Keycloak..."); + Exec.executeAndCheck( + "oc", + "delete", + "-n", namespace, + "-f", getKeycloakFilePath("keycloak_oauth_kafka.yaml") + ); + + LOGGER.info("OAuth Kafka Keycloak should be removed."); + } + public static String getKeycloakURL(String namespace, String name, boolean secured) { String scheme = secured ? "https://" : "http://"; 
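Review bot: `removeOAuthKafkaKeycloak` runs the realm delete through `Exec.executeAndCheck`, which by its name fails on a non-zero exit, so if the realm was never created or was already removed the cleanup aborts before `keycloak_oauth_kafka.yaml` is deleted and the SSO instance plus `keycloak-db-secret` stay behind in the namespace. Add `"--ignore-not-found=true"` to both `oc delete` invocations, and replace the fixed two-minute `Thread.sleep` with a wait for the realm and Keycloak resources to actually disappear so teardown is neither slow nor racy.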
@@ -151,6 +213,27 @@ public static String getDefaultKeycloakAdminURL(String namespace) { return getKeycloakURL(namespace, "keycloak", true); } + public static String getDefaultOAuthKafkaTokenEndpointUri() { + Route route = Kubernetes.getRouteByPrefix(Environment.NAMESPACE, Constants.SSO_NAME + "-ingress"); + + return "https://" + Kubernetes.getRouteHost(Environment.NAMESPACE, route.getMetadata().getName()) + + "/realms/demo/protocol/openid-connect/token"; + } + + public static String getDefaultOAuthKafkaJwksEndpointUri() { + Route route = Kubernetes.getRouteByPrefix(Environment.NAMESPACE, Constants.SSO_NAME + "-ingress"); + + return "https://" + Kubernetes.getRouteHost(Environment.NAMESPACE, route.getMetadata().getName()) + + "/realms/demo/protocol/openid-connect/certs"; + } + + public static String getDefaultOAuthKafkaValidIssuerUri() { + Route route = Kubernetes.getRouteByPrefix(Environment.NAMESPACE, Constants.SSO_NAME + "-ingress"); + + return "https://" + Kubernetes.getRouteHost(Environment.NAMESPACE, route.getMetadata().getName()) + + "/realms/demo"; + } + private static HttpRequest.BodyPublisher ofFormData(Map data) { StringBuilder stringBuilder = new StringBuilder(); diff --git a/src/main/java/io/apicurio/registry/systemtests/platform/Kubernetes.java b/src/main/java/io/apicurio/registry/systemtests/platform/Kubernetes.java index 3fa95c6a4..363dd0724 100644 --- a/src/main/java/io/apicurio/registry/systemtests/platform/Kubernetes.java +++ b/src/main/java/io/apicurio/registry/systemtests/platform/Kubernetes.java 
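Review bot: all three getters dereference the result of `Kubernetes.getRouteByPrefix(...)` without a null check, so a missing `registry-sso-ingress` route surfaces as a bare NullPointerException in `route.getMetadata()` with no mention of what was not found; the `demo` realm name and the `https://` + host construction are also repeated three times. Factor the realm base URI into one private helper that fails with a descriptive message and let the three public methods append their paths, as below.

```java
    private static final String OAUTH_KAFKA_REALM = "demo";

    /** Base URI of the OAuth Kafka realm, taken from the Keycloak operator's ingress Route; fails loudly if absent. */
    private static String getDefaultOAuthKafkaRealmUri() {
        String prefix = Constants.SSO_NAME + "-ingress";
        Route route = Kubernetes.getRouteByPrefix(Environment.NAMESPACE, prefix);
        if (route == null) {
            throw new IllegalStateException(
                    "No Route with prefix '" + prefix + "' in namespace " + Environment.NAMESPACE);
        }
        String host = Kubernetes.getRouteHost(Environment.NAMESPACE, route.getMetadata().getName());
        return "https://" + host + "/realms/" + OAUTH_KAFKA_REALM;
    }

    public static String getDefaultOAuthKafkaTokenEndpointUri() {
        return getDefaultOAuthKafkaRealmUri() + "/protocol/openid-connect/token";
    }

    public static String getDefaultOAuthKafkaJwksEndpointUri() {
        return getDefaultOAuthKafkaRealmUri() + "/protocol/openid-connect/certs";
    }

    public static String getDefaultOAuthKafkaValidIssuerUri() {
        return getDefaultOAuthKafkaRealmUri();
    }
```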
@@ -242,6 +242,18 @@ public static Route getRoute(ApicurioRegistry apicurioRegistry) { .orElse(null); } + public static Route getRouteByPrefix(String namespace, String prefix) { + return ((OpenShiftClient) Kubernetes.getClient()) + .routes() + .inNamespace(namespace) + .list() + .getItems() + .stream() + .filter(r -> r.getMetadata().getName().startsWith(prefix)) + .findFirst() + .orElse(null); + } + public static void createRoute(String namespace, Route route) { ((OpenShiftClient) getClient()) .routes() diff --git a/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/ApicurioRegistryResourceType.java b/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/ApicurioRegistryResourceType.java index 1dd6ecb02..af934421d 100644 --- a/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/ApicurioRegistryResourceType.java +++ b/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/ApicurioRegistryResourceType.java 
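Review bot: `getRouteByPrefix` returns whichever Route happens to be listed first whose name starts with `prefix`, and its callers in KeycloakUtils use that host as the issuer and JWKS endpoint the Kafka brokers trust, so a second route with the same prefix in the namespace (another Keycloak instance, a leftover `registry-sso-ingress-old`) would silently point token validation at a different host. Prefer an exact name or a label/owner selector, and if more than one route matches throw instead of `findFirst()`; returning `null` for "none" just moves the NullPointerException to the caller, so `Optional<Route>` or an exception with the prefix in its message would be clearer. Add a Javadoc line stating that the match is on the name prefix only.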
@@ -2,7 +2,14 @@ import io.apicur.registry.v1.ApicurioRegistry; import io.apicur.registry.v1.ApicurioRegistryBuilder; +import io.apicur.registry.v1.apicurioregistryspec.configuration.Env; +import io.apicur.registry.v1.apicurioregistryspec.configuration.env.ValueFrom; +import io.apicur.registry.v1.apicurioregistryspec.configuration.env.valuefrom.SecretKeyRef; import io.apicur.registry.v1.apicurioregistryspec.configuration.kafkasql.SecurityBuilder; +import io.apicur.registry.v1.apicurioregistryspec.deployment.podtemplatespecpreview.spec.Containers; +import io.apicur.registry.v1.apicurioregistryspec.deployment.podtemplatespecpreview.spec.Volumes; +import io.apicur.registry.v1.apicurioregistryspec.deployment.podtemplatespecpreview.spec.containers.VolumeMounts; +import io.apicur.registry.v1.apicurioregistryspec.deployment.podtemplatespecpreview.spec.volumes.Secret; import io.apicurio.registry.systemtests.framework.Constants; import io.apicurio.registry.systemtests.framework.Environment; import io.apicurio.registry.systemtests.framework.KeycloakUtils; @@ -11,9 +18,15 @@ import io.fabric8.kubernetes.client.dsl.MixedOperation; import io.fabric8.kubernetes.client.dsl.Resource; +import java.nio.file.Paths; import java.time.Duration; +import java.util.ArrayList; public class ApicurioRegistryResourceType implements ResourceType { + private static String getApicurioRegistryFilePath(String filename) { + return Paths.get(Environment.TESTSUITE_PATH, "kubefiles", "apicurio", filename).toString(); + } + @Override public Duration getTimeout() { return Duration.ofMinutes(10); 
@@ -173,6 +186,139 @@ public static ApicurioRegistry getDefaultKafkasql(String name) { return getDefaultKafkasql(name, Environment.NAMESPACE); } + public static ArrayList getDefaultOAuthKafkaEnv1() { + return new ArrayList<>() {{ + add(new Env() {{ + setName("JAVA_TOOL_OPTIONS"); + setValue("-Djavax.net.ssl.trustStore=/mytruststore/myTrustStore " + + "-Djavax.net.ssl.trustStorePassword=password"); }}); + add(new Env() {{ + setName("QUARKUS_LOG_LEVEL"); setValue("INFO"); }}); + add(new Env() {{ + setName("ENABLE_KAFKA_SASL"); setValue("true"); }}); + add(new Env() {{ + setName("CLIENT_ID"); + setValueFrom(new ValueFrom() {{ + setSecretKeyRef(new SecretKeyRef() {{ + setName("console-ui-secrets"); setKey("REGISTRY_CLIENT_ID"); + }}); + }}); + }}); + add(new Env() {{ + setName("CLIENT_SECRET"); + setValueFrom(new ValueFrom() {{ + setSecretKeyRef(new SecretKeyRef() {{ + setName("console-ui-secrets"); setKey("REGISTRY_CLIENT_SECRET"); + }}); + }}); + }}); + }}; + } + + public static ArrayList getDefaultOAuthKafkaEnv2() { + return new ArrayList<>() {{ + add(new Env() {{ + setName("KAFKA_SECURITY_PROTOCOL"); + setValue("SASL_SSL"); + }}); + add(new Env() {{ + setName("KAFKA_SSL_TRUSTSTORE_TYPE"); + setValue("PKCS12"); + }}); + add(new Env() {{ + setName("KAFKA_SSL_TRUSTSTORE_LOCATION"); + setValue("/tmp/cluster-ca-cert/ca.p12"); + }}); + add(new Env() {{ + setName("KAFKA_SSL_TRUSTSTORE_PASSWORD"); + setValueFrom(new ValueFrom() {{ + setSecretKeyRef(new SecretKeyRef() {{ + setName("kafka1-cluster-ca-cert"); + setKey("ca.password"); + }}); + }}); + }}); + add(new Env() {{ + setName("OAUTH_TOKEN_ENDPOINT_URI"); + // TODO: Use real URL + setValue("https://console-keycloak.apps.rkub414.apicurio.integration-qe.com/" + + "realms/demo/protocol/openid-connect/token"); + }}); + }}; + } + + public static ArrayList getDefaultOAuthKafkaEnv() { + ArrayList fullList = getDefaultOAuthKafkaEnv1(); + + fullList.addAll(getDefaultOAuthKafkaEnv2()); + + return fullList; + } + + public static 
Containers getDefaultOAuthKafkaContainers() { + return new Containers() {{ + setName("registry"); + setVolumeMounts(new ArrayList<>() {{ + add(new VolumeMounts() {{ + setName("cluster-ca-cert"); + setMountPath("/tmp/cluster-ca-cert"); + }}); + add(new VolumeMounts() {{ + setName("mytruststore"); + setMountPath("/mytruststore"); + }}); + }}); + }}; + } + + public static ArrayList getDefaultOAuthKafkaVolumes() { + return new ArrayList<>() {{ + add(new Volumes() {{ + setName("cluster-ca-cert"); + setSecret(new Secret() {{ + setSecretName("kafka1-cluster-ca-cert"); + }}); + }}); + add(new Volumes() {{ + setName("mytruststore"); + setSecret(new Secret() {{ + setSecretName(Constants.OAUTH_KAFKA_TRUSTSTORE_SECRET_NAME); + setDefaultMode(420); + }}); + }}); + }}; + } + + public static ApicurioRegistry getDefaultOAuthKafka(String name, String namespace) { + return new ApicurioRegistryBuilder() + .withNewMetadata() + .withName(name) + .withNamespace(namespace) + .endMetadata() + .withNewSpec() + .withNewConfiguration() + .withEnv(getDefaultOAuthKafkaEnv()) + .withPersistence("kafkasql") + .withNewKafkasql() + .withBootstrapServers( + // TODO: Use "public" URL with 443 port + Constants.KAFKA + "-kafka-bootstrap." + Environment.NAMESPACE + + "svc.cluster.local:9092" + ) + .endKafkasql() + .endConfiguration() + .withNewDeployment() + .withNewPodTemplateSpecPreview() + .withNewSpec() + .withContainers(getDefaultOAuthKafkaContainers()) + .withVolumes(getDefaultOAuthKafkaVolumes()) + .endSpec() + .endPodTemplateSpecPreview() + .endDeployment() + .endSpec() + .build(); + } + public static ApicurioRegistry getDefaultMem() { return getDefaultMem(Constants.REGISTRY); } diff --git a/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/DeploymentResourceType.java b/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/DeploymentResourceType.java index 2bb2888b7..f12a65e32 100644 
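Review bot: the bootstrap address built in `getDefaultOAuthKafka` is missing the dot before `svc.cluster.local` (`Environment.NAMESPACE + "svc.cluster.local:9092"` yields `<namespace>svc.cluster.local`), and port 9092 is the `secure` listener that `KafkaResourceType.getDefaultOAuthKafkaSecureListener` defines with TLS but no authentication, while the registry is configured for `SASL_SSL` and the OAuth listener is on 9093 — so the test either cannot resolve the host or never exercises OAuth. `OAUTH_TOKEN_ENDPOINT_URI` is still the hard-coded `console-keycloak.apps.rkub414...` host flagged by the TODO even though `KeycloakUtils.getDefaultOAuthKafkaTokenEndpointUri()` is added in this commit, and the CA secret `kafka1-cluster-ca-cert` is spelled literally in both the env and the volume while the bootstrap uses `Constants.KAFKA`. `-Djavax.net.ssl.trustStorePassword=password` in `JAVA_TOOL_OPTIONS` deserves a second look too: the JVM echoes `Picked up JAVA_TOOL_OPTIONS: ...` to stderr at startup, so the password lands in the pod log; feed it from a Secret-backed env var with `$(VAR)` expansion instead. Both listeners are of type `route`, so the advertised brokers are the route hosts and the in-cluster `svc` address may need to give way to the external bootstrap route on 443, as the other TODO already notes.

```java
// … unchanged: getDefaultOAuthKafkaEnv1, truststore and security-protocol entries …
                add(new Env() {{
                    setName("OAUTH_TOKEN_ENDPOINT_URI");
                    setValue(KeycloakUtils.getDefaultOAuthKafkaTokenEndpointUri());
                }});
// … unchanged: containers, volumes, builder prefix …
                        .withBootstrapServers(
                                Constants.KAFKA + "-kafka-bootstrap." + Environment.NAMESPACE
                                        + ".svc.cluster.local:9093"  // OAuth listener, not the unauthenticated 9092
                        )
```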
--- a/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/DeploymentResourceType.java +++ b/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/DeploymentResourceType.java @@ -1,5 +1,6 @@ package io.apicurio.registry.systemtests.registryinfra.resources; +import io.apicurio.registry.systemtests.framework.Constants; import io.apicurio.registry.systemtests.framework.Environment; import io.apicurio.registry.systemtests.platform.Kubernetes; import io.fabric8.kubernetes.api.model.Container; @@ -70,18 +71,22 @@ public void refreshResource(Deployment existing, Deployment newResource) { /** Get default instances **/ - private static List getDefaultPostgresqlEnvVars() { + private static List getDefaultPostgresqlEnvVars(String databaseName) { List envVars = new ArrayList<>(); envVars.add(new EnvVar("POSTGRES_ADMIN_PASSWORD", "adminpassword", null)); - envVars.add(new EnvVar("POSTGRES_DB", "postgresdb", null)); - envVars.add(new EnvVar("POSTGRES_USER", "postgresuser", null)); - envVars.add(new EnvVar("POSTGRES_PASSWORD", "postgrespassword", null)); + envVars.add(new EnvVar("POSTGRES_DB", databaseName, null)); + envVars.add(new EnvVar("POSTGRES_USER", Constants.DB_USERNAME, null)); + envVars.add(new EnvVar("POSTGRES_PASSWORD", Constants.DB_PASSWORD, null)); envVars.add(new EnvVar("PGDATA", "/postgresql/data", null)); return envVars; } + private static List getDefaultPostgresqlEnvVars() { + return getDefaultPostgresqlEnvVars("postgresdb"); + } + private static Container getDefaultPostgresqlContainer(String name) { return new ContainerBuilder() .withEnv(getDefaultPostgresqlEnvVars()) 
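Review bot: `getDefaultPostgresqlEnvVars` is the shared default, so replacing `postgresuser`/`postgrespassword` with `Constants.DB_USERNAME`/`Constants.DB_PASSWORD` (`"username"`/`"password"`) changes the credentials of every PostgreSQL deployment produced by `getDefaultPostgresql`, not only the new Keycloak one; any fixture that still connects with the old literals — the registry SQL datasource tests, presumably — will stop authenticating. Keep the previous values on the existing path and pass credentials explicitly for the Keycloak database, e.g. `getDefaultPostgresqlEnvVars(String databaseName, String user, String password)`. `POSTGRES_ADMIN_PASSWORD` remains the literal `adminpassword`; if credentials are being centralised in Constants, move that one as well.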
@@ -110,6 +115,34 @@ private static Container getDefaultPostgresqlContainer(String name) { .build(); } + private static Container getDefaultPostgresqlContainer(String name, String databaseName) { + return new ContainerBuilder() + .withEnv(getDefaultPostgresqlEnvVars(databaseName)) + .withImage("postgres:" + Environment.POSTGRESQL_VERSION) + .withImagePullPolicy("IfNotPresent") + .withName(name) + .addNewPort() + .withContainerPort(5432) + .withName("postgresql") + .withProtocol("TCP") + .endPort() + .withNewReadinessProbe() + .withNewTcpSocket() + .withNewPort(5432) + .endTcpSocket() + .endReadinessProbe() + .withNewLivenessProbe() + .withNewTcpSocket() + .withNewPort(5432) + .endTcpSocket() + .endLivenessProbe() + .withVolumeMounts(new VolumeMount() {{ + setMountPath("/postgresql"); + setName(name); + }}) + .build(); + } + public static Deployment getDefaultPostgresql(String name, String namespace) { return new DeploymentBuilder() .withNewMetadata() @@ -139,6 +172,35 @@ public static Deployment getDefaultPostgresql(String name, String namespace) { .build(); } + public static Deployment getDefaultPostgresql(String name, String namespace, String databaseName) { + return new DeploymentBuilder() + .withNewMetadata() + .addToLabels("app", name) + .withName(name) + .withNamespace(namespace) + .endMetadata() + .withNewSpec() + .withReplicas(1) + .withNewSelector() + .addToMatchLabels("app", name) + .endSelector() + .withNewTemplate() + .withNewMetadata() + .addToLabels("app", name) + .endMetadata() + .withNewSpec() + .withContainers(getDefaultPostgresqlContainer(name, databaseName)) + .withVolumes(new Volume() {{ + setName(name); + setEmptyDir(new EmptyDirVolumeSource()); + }}) + .withRestartPolicy("Always") + .endSpec() + .endTemplate() + .endSpec() + .build(); + } + public static Deployment getDefaultPostgresql() { return getDefaultPostgresql("postgresql", "postgresql"); } 
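Review bot: `getDefaultPostgresqlContainer(name, databaseName)` and `getDefaultPostgresql(name, namespace, databaseName)` duplicate the one- and two-argument versions line for line, differing only in the env-var call, so the probe, port and volume setup now exist twice and will drift. Turn the existing methods (outside this hunk) into one-liners — `return getDefaultPostgresqlContainer(name, "postgresdb");` and `return getDefaultPostgresql(name, namespace, "postgresdb");` — and keep only the parameterised bodies. A comment on `setEmptyDir(new EmptyDirVolumeSource())` such as `// ephemeral: database contents are lost on pod restart` would make the test-only nature of this storage explicit.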
diff --git a/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/KafkaResourceType.java b/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/KafkaResourceType.java index 282c64c68..8e41dce52 100644 --- a/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/KafkaResourceType.java +++ b/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/KafkaResourceType.java @@ -2,13 +2,17 @@ import io.apicurio.registry.systemtests.framework.Constants; import io.apicurio.registry.systemtests.framework.Environment; +import io.apicurio.registry.systemtests.framework.KeycloakUtils; import io.apicurio.registry.systemtests.platform.Kubernetes; import io.fabric8.kubernetes.api.model.KubernetesResourceList; import io.fabric8.kubernetes.client.dsl.MixedOperation; import io.fabric8.kubernetes.client.dsl.Resource; +import io.strimzi.api.kafka.model.CertSecretSource; import io.strimzi.api.kafka.model.EntityOperatorSpec; import io.strimzi.api.kafka.model.EntityOperatorSpecBuilder; import io.strimzi.api.kafka.model.Kafka; +import io.strimzi.api.kafka.model.KafkaAuthorizationKeycloak; +import io.strimzi.api.kafka.model.KafkaAuthorizationKeycloakBuilder; import io.strimzi.api.kafka.model.KafkaBuilder; import io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationScramSha512; import io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationTls; @@ -17,6 +21,8 @@ import io.strimzi.api.kafka.model.listener.arraylistener.KafkaListenerType; import io.strimzi.api.kafka.model.storage.EphemeralStorage; import io.strimzi.api.kafka.model.storage.EphemeralStorageBuilder; +import io.strimzi.api.kafka.model.storage.PersistentClaimStorage; +import io.strimzi.api.kafka.model.storage.PersistentClaimStorageBuilder; import java.time.Duration; import java.util.HashMap; 
@@ -239,4 +245,96 @@ public static Kafka getDefaultByKind(KafkaKind kind) { throw new IllegalStateException("Unexpected value: " + kind); } } + + public static CertSecretSource getDefaultOAuthKafkaTlsTrustedCertificates() { + return new CertSecretSource() {{ + setCertificate("tls.crt"); + setSecretName("router-certs-default"); + }}; + } + + public static HashMap getDefaultOAuthKafkaConfig() { + return new HashMap<>() {{ + put("allow.everyone.if.no.acl.found", true); + put("default.replication.factor", 3); + put("inter.broker.protocol.version", "3.5"); + put("min.insync.replicas", 2); + put("offsets.topic.replication.factor", 3); + put("transaction.state.log.min.isr", 2); + put("transaction.state.log.replication.factor", 3); + }}; + } + + public static GenericKafkaListener getDefaultOAuthKafkaSecureListener() { + return new GenericKafkaListenerBuilder() + .withName("secure") + .withPort(9092) + .withTls(true) + .withType(KafkaListenerType.ROUTE) + .build(); + } + + public static GenericKafkaListener getDefaultOAuthKafkaOAuthListener() { + return new GenericKafkaListenerBuilder() + .withName("oauth") + .withPort(9093) + .withTls(true) + .withType(KafkaListenerType.ROUTE) + .withNewKafkaListenerAuthenticationOAuth() + .withUserNameClaim("preferred_username") + .withTlsTrustedCertificates(getDefaultOAuthKafkaTlsTrustedCertificates()) + .withValidIssuerUri(KeycloakUtils.getDefaultOAuthKafkaValidIssuerUri()) + .withJwksEndpointUri(KeycloakUtils.getDefaultOAuthKafkaJwksEndpointUri()) + .endKafkaListenerAuthenticationOAuth() + .build(); + } + + public static KafkaAuthorizationKeycloak getDefaultOAuthKafkaAuthorization() { + return new KafkaAuthorizationKeycloakBuilder() + .withClientId("kafka") + .withDelegateToKafkaAcls(false) + .withTokenEndpointUri(KeycloakUtils.getDefaultOAuthKafkaTokenEndpointUri()) + .withSuperUsers("service-account-kafka") + .withTlsTrustedCertificates(getDefaultOAuthKafkaTlsTrustedCertificates()) + .build(); + } + + public static 
PersistentClaimStorage getDefaultOAuthKafkaPersistentClaimStorage() { + return new PersistentClaimStorageBuilder() + .withId(0) + .withSize("10Gi") + .withDeleteClaim(false) + .build(); + } + + public static Kafka getDefaultOAuth() { + return new KafkaBuilder() + .withNewMetadata() + .withName("kafka1") + .withNamespace(Environment.NAMESPACE) + .endMetadata() + .withNewSpec() + .withEntityOperator(getDefaultEntityOperator()) + .withNewZookeeper() + .withReplicas(3) + .withNewPersistentClaimStorage() + .withDeleteClaim(false) + .withSize("10Gi") + .endPersistentClaimStorage() + .endZookeeper() + .withNewKafka() + .withReplicas(3) + .withAuthorization(getDefaultOAuthKafkaAuthorization()) + .withNewJbodStorage() + .withVolumes(getDefaultOAuthKafkaPersistentClaimStorage()) + .endJbodStorage() + .withVersion("3.5.0") + .withConfig(getDefaultOAuthKafkaConfig()) + .withListeners( + getDefaultOAuthKafkaSecureListener(), getDefaultOAuthKafkaOAuthListener() + ) + .endKafka() + .endSpec() + .build(); + } } diff --git a/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/RouteResourceType.java b/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/RouteResourceType.java index a38cb7397..2614b3ea2 100644 --- a/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/RouteResourceType.java +++ b/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/RouteResourceType.java 
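Review bot: the `secure` listener on 9092 is exposed as an OpenShift Route with `tls: true` but no `authentication`, so anyone who can reach the route gets an anonymous TLS session that the Keycloak authorizer then has to deny request by request (with `delegateToKafkaAcls(false)` a non-OAuth principal has no ACL path at all); if the registry is meant to use OAuth only, drop that listener or give it TLS client authentication. `allow.everyone.if.no.acl.found: true` is a setting of the Kafka ACL authorizer and appears to be dead config under `KafkaAuthorizationKeycloak`, yet it reads as "open access" — remove it or comment why it is there. `getDefaultOAuthKafkaTlsTrustedCertificates` trusts `tls.crt` from a `router-certs-default` secret in the test namespace, which normally lives in `openshift-ingress`; document where it is copied from, since this is the certificate the brokers use to validate the issuer and JWKS host. The cluster is named the literal `kafka1` while `ApicurioRegistryResourceType.getDefaultOAuthKafka` bootstraps against `Constants.KAFKA`; use one source for the name.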
@@ -80,6 +80,23 @@ public static Route getDefaultKeycloak(String namespace) { .build(); } + public static Route getDefaultOAuthKafkaKeycloak(String namespace) { + return new RouteBuilder() + .withNewMetadata() + .withName(Constants.SSO_HTTP_SERVICE) + .withNamespace(namespace) + .endMetadata() + .withNewSpec() + .withPath("/") + .withTo(new RouteTargetReference() {{ + setKind("Service"); + setName(Constants.SSO_NAME + "-service"); + setWeight(100); + }}) + .endSpec() + .build(); + } + public static Route getDefaultSelenium(String name, String namespace) { return new RouteBuilder() .withNewMetadata() diff --git a/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/x b/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/x new file mode 100644 index 000000000..4808f8cf2 --- /dev/null +++ b/src/main/java/io/apicurio/registry/systemtests/registryinfra/resources/x @@ -0,0 +1,27 @@ +apiVersion: k8s.keycloak.org/v2alpha1 +kind: Keycloak +metadata: + name: console-keycloak + namespace: rhsso-operator + labels: + ingress-controller: amq-streams-ui +spec: + additionalOptions: + - name: proxy + value: edge + db: + host: postgresql-db + passwordSecret: + name: keycloak-db-secret + key: password + usernameSecret: + name: keycloak-db-secret + key: username + vendor: postgres + ingress: + className: openshift-default + hostname: + hostname: REPLACED + http: + httpEnabled: true + instances: 1 \ No newline at end of file diff --git a/src/test/java/io/apicurio/registry/systemtests/TestBaseOAuthKafka.java b/src/test/java/io/apicurio/registry/systemtests/TestBaseOAuthKafka.java new file mode 100644 index 000000000..bcc24f98d --- /dev/null +++ b/src/test/java/io/apicurio/registry/systemtests/TestBaseOAuthKafka.java 
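Review bot: `getDefaultOAuthKafkaKeycloak` builds a Route with no `tls` stanza, i.e. plain HTTP, while the Keycloak CR it fronts runs with `proxy: edge` and the token/JWKS URIs in KeycloakUtils are `https://`, so this route would never serve them and would carry realm credentials in clear text if it were used. Add edge termination with a redirect, `.withNewTls().withTermination("edge").withInsecureEdgeTerminationPolicy("Redirect").endTls()`. Its only call site in `deployOAuthKafkaKeycloak` is commented out; if the operator-managed `*-ingress` route is the one actually used, delete this method rather than leave an unused HTTP variant behind.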
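Review bot: `src/main/java/.../registryinfra/resources/x` is a Keycloak CR for namespace `rhsso-operator` with `hostname: REPLACED`, committed without an extension under the Java source tree; nothing in this diff reads it and it looks like a scratch copy of `kubefiles/keycloak/keycloak_oauth_kafka.yaml`. Remove it, or move it to `kubefiles/keycloak/` with a `.yaml` name plus a header comment explaining the `REPLACED` placeholder and which step substitutes it.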
@@ -0,0 +1,150 @@ +package io.apicurio.registry.systemtests; + +import io.apicur.registry.v1.ApicurioRegistry; +import io.apicurio.registry.systemtests.framework.ApicurioRegistryUtils; +import io.apicurio.registry.systemtests.framework.Base64Utils; +import io.apicurio.registry.systemtests.framework.Constants; +import io.apicurio.registry.systemtests.framework.DatabaseUtils; +import io.apicurio.registry.systemtests.framework.Environment; +import io.apicurio.registry.systemtests.framework.KafkaUtils; +import io.apicurio.registry.systemtests.framework.KeycloakUtils; +import io.apicurio.registry.systemtests.framework.LoggerUtils; +import io.apicurio.registry.systemtests.framework.TestNameGenerator; +import io.apicurio.registry.systemtests.operator.OperatorManager; +import io.apicurio.registry.systemtests.operator.types.KeycloakOLMOperatorType; +import io.apicurio.registry.systemtests.operator.types.StrimziClusterOLMOperatorType; +import io.apicurio.registry.systemtests.platform.Kubernetes; +import io.apicurio.registry.systemtests.registryinfra.ResourceManager; +import io.apicurio.registry.systemtests.resolver.ExtensionContextParameterResolver; +import io.fabric8.kubernetes.api.model.ObjectMeta; +import io.fabric8.kubernetes.api.model.Secret; +import io.strimzi.api.kafka.model.Kafka; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.DisplayNameGeneration; +import org.junit.jupiter.api.extension.ExtendWith; +import org.junit.jupiter.api.extension.ExtensionContext; +import org.slf4j.Logger; + +import java.io.IOException; +import java.time.Duration; +import java.util.HashMap; + +@DisplayNameGeneration(TestNameGenerator.class) +@ExtendWith(ExtensionContextParameterResolver.class) +public abstract class TestBaseOAuthKafka { + protected static Logger LOGGER = LoggerUtils.getLogger(); + protected final ResourceManager resourceManager = 
ResourceManager.getInstance(); + protected final OperatorManager operatorManager = OperatorManager.getInstance(); + + /* Function to set all necessary variables for test subclasses */ + + public abstract void setupTestClass(); + + /* Constructor for all test subclasses */ + + public TestBaseOAuthKafka() { + setupTestClass(); + } + + @BeforeAll + protected void beforeAllTests() throws InterruptedException, IOException { + // Install Keycloak operator + LoggerUtils.logDelimiter("#"); + LOGGER.info("Deploying shared keycloak operator and instance!"); + LoggerUtils.logDelimiter("#"); + + Secret dbSecret = new Secret(); + dbSecret.setMetadata(new ObjectMeta() {{ + setName(Constants.SSO_DB_SECRET_NAME); + setNamespace(Environment.NAMESPACE); + }}); + dbSecret.setType("Opaque"); + dbSecret.setData(new HashMap<>() {{ + put("password", Base64Utils.encode(Constants.DB_PASSWORD)); + put("username", Base64Utils.encode(Constants.DB_USERNAME)); + }}); + + resourceManager.createResource(true, dbSecret); + + DatabaseUtils.deployPostgresqlDatabase("keycloak-db", Environment.NAMESPACE, "keycloak"); + + KeycloakOLMOperatorType keycloakOLMOperator = new KeycloakOLMOperatorType("fast"); + operatorManager.installOperatorShared(keycloakOLMOperator); + KeycloakUtils.deployOAuthKafkaKeycloak(); + Thread.sleep(Duration.ofMinutes(2).toMillis()); + LoggerUtils.logDelimiter("#"); + LOGGER.info("Deploying shared strimzi operator"); + LoggerUtils.logDelimiter("#"); + + StrimziClusterOLMOperatorType strimziOperator = new StrimziClusterOLMOperatorType(); + operatorManager.installOperatorShared(strimziOperator); + + LoggerUtils.logDelimiter("#"); + LOGGER.info("Deployment of shared resources is done!"); + LoggerUtils.logDelimiter("#"); + } + + @AfterAll + protected void afterAllTests() throws InterruptedException { + LoggerUtils.logDelimiter("#"); + LOGGER.info("Cleaning shared resources!"); + LoggerUtils.logDelimiter("#"); + resourceManager.deleteKafka(); + 
KeycloakUtils.removeOAuthKafkaKeycloak(Environment.NAMESPACE); + Thread.sleep(Duration.ofMinutes(2).toMillis()); + operatorManager.uninstallSharedOperators(); + resourceManager.deleteSharedResources(); + LoggerUtils.logDelimiter("#"); + LOGGER.info("Cleaning done!"); + LoggerUtils.logDelimiter("#"); + } + + @BeforeEach + protected void beforeEachTest(ExtensionContext testContext) { + LoggerUtils.logDelimiter("#"); + LOGGER.info( + "[TEST-START] {}.{}-STARTED", + testContext.getTestClass().get().getName(), + testContext.getTestMethod().get().getName() + ); + LoggerUtils.logDelimiter("#"); + LOGGER.info(""); + } + + @AfterEach + protected void afterEachTest(ExtensionContext testContext) { + resourceManager.deleteResources(); + + operatorManager.uninstallOperators(); + + LOGGER.info(""); + LoggerUtils.logDelimiter("#"); + LOGGER.info( + "[TEST-END] {}.{}-FINISHED", + testContext.getTestClass().get().getName(), + testContext.getTestMethod().get().getName() + ); + LoggerUtils.logDelimiter("#"); + } + + protected ApicurioRegistry deployOAuthKafkaTestRegistry() throws InterruptedException { + Secret routerCertsDefaultSecret = Kubernetes.getSecret("openshift-ingress", "router-certs-default"); + Secret newSecret = new Secret(); + + newSecret.setMetadata(new ObjectMeta() {{ + setName(routerCertsDefaultSecret.getMetadata().getName()); + setNamespace(Environment.NAMESPACE); + }}); + newSecret.setType("kubernetes.io/tls"); + newSecret.setData(routerCertsDefaultSecret.getData()); + + resourceManager.createResource(true, newSecret); + + Kafka kafka = KafkaUtils.deployDefaultOAuthKafka(); + + return ApicurioRegistryUtils.deployDefaultApicurioRegistryOAuthKafka(kafka); + } +} diff --git a/src/test/java/io/apicurio/registry/systemtests/TestIt.java b/src/test/java/io/apicurio/registry/systemtests/TestIt.java new file mode 100644 index 000000000..42b5a5ff8 --- /dev/null +++ b/src/test/java/io/apicurio/registry/systemtests/TestIt.java 
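Review bot: `deployOAuthKafkaTestRegistry` copies the whole `router-certs-default` secret from `openshift-ingress` with `newSecret.setData(routerCertsDefaultSecret.getData())`, so the cluster ingress wildcard private key (`tls.key`) is replicated into the test namespace that the suite creates and tears down. If the registry only needs to trust the router certificate, copy just `tls.crt` into an `Opaque` secret: `newSecret.setType("Opaque"); newSecret.setData(Map.of("tls.crt", routerCertsDefaultSecret.getData().get("tls.crt")));` (a `kubernetes.io/tls` secret requires both keys, so the type has to change as well; `java.util.Map` needs importing). Separately, `beforeAllTests` seeds the Keycloak DB secret from the fixed `Constants.DB_PASSWORD`, which leaves a known credential on any shared cluster the tests run against; a per-run random value would avoid that.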
@@ -0,0 +1,50 @@ +package io.apicurio.registry.systemtests; + +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.dataformat.yaml.YAMLFactory; +import io.apicurio.registry.systemtests.framework.Environment; +import io.apicurio.registry.systemtests.platform.Kubernetes; +import io.apicurio.registry.systemtests.registryinfra.ResourceManager; +import io.fabric8.kubernetes.api.model.ObjectMeta; +import io.fabric8.kubernetes.api.model.Secret; +import io.fabric8.openshift.client.OpenShiftClient; +import org.junit.jupiter.api.Test; + +import java.net.URL; +import java.util.regex.Pattern; + +public class TestIt { + public static final ObjectMapper MAPPER = new ObjectMapper(new YAMLFactory()); + + protected final ResourceManager resourceManager = ResourceManager.getInstance(); + + @Test + public void test1() throws JsonProcessingException, InterruptedException { + Secret routerCertsDefaultSecret = Kubernetes.getSecret("openshift-ingress", "router-certs-default"); + Secret newSecret = new Secret(); + + newSecret.setMetadata(new ObjectMeta() {{ + setName(routerCertsDefaultSecret.getMetadata().getName()); + setNamespace(Environment.NAMESPACE); + }}); + + newSecret.setType("kubernetes.io/tls"); + newSecret.setData(routerCertsDefaultSecret.getData()); + + System.out.println(MAPPER.writeValueAsString(newSecret)); + + resourceManager.createResource(true, newSecret); + + Kubernetes.getClient().getMasterUrl(); + } + + @Test + public void test2() { + System.out.println(Kubernetes.getClient().getMasterUrl().getHost().split(Pattern.quote("."), 2)[1]); + } + + public void test3() { + ((OpenShiftClient) Kubernetes.getClient()).routes().inNamespace(Environment.NAMESPACE).list().getItems().stream().filter(r -> r.getMetadata().getName().startsWith("registry-sso-ingress")); + } +} 
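Review bot: `test1` prints the copied `router-certs-default` secret with `System.out.println(MAPPER.writeValueAsString(newSecret))`, which writes the base64 `tls.key` of the cluster ingress certificate into test output and CI logs. Print only the metadata, e.g. `System.out.println(newSecret.getMetadata().getName());`, or remove the line. `test3` has no `@Test` annotation and its stream has no terminal operation, so it never executes anything, and `test2` only prints the API host; the class reads as a scratch file and probably should not be committed at all.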
diff --git a/src/test/java/io/apicurio/registry/systemtests/oauthkafka/BundleOAuthKafkaTests.java b/src/test/java/io/apicurio/registry/systemtests/oauthkafka/BundleOAuthKafkaTests.java new file mode 100644 index 000000000..68568aafc --- /dev/null +++ b/src/test/java/io/apicurio/registry/systemtests/oauthkafka/BundleOAuthKafkaTests.java @@ -0,0 +1,25 @@ +package io.apicurio.registry.systemtests.oauthkafka; + +import io.apicurio.registry.systemtests.framework.LoggerUtils; +import io.apicurio.registry.systemtests.operator.types.ApicurioRegistryBundleOperatorType; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Tag; +import org.junit.jupiter.api.extension.ExtensionContext; + +@Tag("bundle") +@Tag("bundle-oauthkafka") +public class BundleOAuthKafkaTests extends OAuthKafkaTests { + @Override + public void setupTestClass() { + LOGGER = LoggerUtils.getLogger(); + } + + @BeforeEach + public void testBeforeEach(ExtensionContext testContext) throws InterruptedException { + LOGGER.info("BeforeEach: " + testContext.getTestMethod().get().getName()); + + ApicurioRegistryBundleOperatorType registryBundleOperator = new ApicurioRegistryBundleOperatorType(); + + operatorManager.installOperator(registryBundleOperator); + } +} diff --git a/src/test/java/io/apicurio/registry/systemtests/oauthkafka/OAuthKafkaTests.java b/src/test/java/io/apicurio/registry/systemtests/oauthkafka/OAuthKafkaTests.java new file mode 100644 index 000000000..9dbc545ac --- /dev/null +++ b/src/test/java/io/apicurio/registry/systemtests/oauthkafka/OAuthKafkaTests.java 
@@ -0,0 +1,15 @@ +package io.apicurio.registry.systemtests.oauthkafka; + +import io.apicurio.registry.systemtests.TestBaseOAuthKafka; +import org.junit.jupiter.api.Tag; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.TestInstance; + +@TestInstance(TestInstance.Lifecycle.PER_CLASS) +public abstract class OAuthKafkaTests extends TestBaseOAuthKafka { + @Test + @Tag("oauthkafka") + public void testRegistryOAuthKafka() throws InterruptedException { + deployOAuthKafkaTestRegistry(); + } +} diff --git a/src/test/java/io/apicurio/registry/systemtests/oauthkafka/OLMClusterWideOAuthKafkaTests.java b/src/test/java/io/apicurio/registry/systemtests/oauthkafka/OLMClusterWideOAuthKafkaTests.java new file mode 100644 index 000000000..f78302fb0 --- /dev/null +++ b/src/test/java/io/apicurio/registry/systemtests/oauthkafka/OLMClusterWideOAuthKafkaTests.java @@ -0,0 +1,16 @@ +package io.apicurio.registry.systemtests.oauthkafka; + +import io.apicurio.registry.systemtests.framework.LoggerUtils; +import org.junit.jupiter.api.Tag; + +@Tag("olm") +@Tag("olm-clusterwide") +@Tag("olm-clusterwide-oauthkafka") +public class OLMClusterWideOAuthKafkaTests extends OLMOAuthKafkaTests { + @Override + public void setupTestClass() { + LOGGER = LoggerUtils.getLogger(); + + setClusterWide(true); + } +} diff --git a/src/test/java/io/apicurio/registry/systemtests/oauthkafka/OLMNamespacedOAuthKafkaTests.java b/src/test/java/io/apicurio/registry/systemtests/oauthkafka/OLMNamespacedOAuthKafkaTests.java new file mode 100644 index 000000000..eda43defd --- /dev/null +++ b/src/test/java/io/apicurio/registry/systemtests/oauthkafka/OLMNamespacedOAuthKafkaTests.java 
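Review bot: `testRegistryOAuthKafka` only calls `deployOAuthKafkaTestRegistry()` and asserts nothing, so it passes whenever deployment does not throw, even if the registry never authenticates to Kafka over OAUTHBEARER. Keep the returned object and check it, e.g. `ApicurioRegistry registry = deployOAuthKafkaTestRegistry(); Assertions.assertNotNull(registry);`, followed by whatever readiness or API probe the framework offers. Whether `deployDefaultApicurioRegistryOAuthKafka` already blocks on readiness is not visible here, so the assertion is what makes the OAuth path actually observable.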
@@ -0,0 +1,16 @@ +package io.apicurio.registry.systemtests.oauthkafka; + +import io.apicurio.registry.systemtests.framework.LoggerUtils; +import org.junit.jupiter.api.Tag; + +@Tag("olm") +@Tag("olm-namespace") +@Tag("olm-namespace-oauthkafka") +public class OLMNamespacedOAuthKafkaTests extends OLMOAuthKafkaTests { + @Override + public void setupTestClass() { + LOGGER = LoggerUtils.getLogger(); + + setClusterWide(false); + } +} diff --git a/src/test/java/io/apicurio/registry/systemtests/oauthkafka/OLMOAuthKafkaTests.java b/src/test/java/io/apicurio/registry/systemtests/oauthkafka/OLMOAuthKafkaTests.java new file mode 100644 index 000000000..b3bf5ac8e --- /dev/null +++ b/src/test/java/io/apicurio/registry/systemtests/oauthkafka/OLMOAuthKafkaTests.java @@ -0,0 +1,26 @@ +package io.apicurio.registry.systemtests.oauthkafka; + +import io.apicurio.registry.systemtests.operator.types.ApicurioRegistryOLMOperatorType; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.extension.ExtensionContext; + +public abstract class OLMOAuthKafkaTests extends OAuthKafkaTests { + private boolean clusterWide; + + public boolean getClusterWide() { + return clusterWide; + } + + public void setClusterWide(boolean clusterWide) { + this.clusterWide = clusterWide; + } + + @BeforeEach + public void testBeforeEach(ExtensionContext testContext) throws InterruptedException { + LOGGER.info("BeforeEach: " + testContext.getTestMethod().get().getName()); + + ApicurioRegistryOLMOperatorType registryOLMOperator = new ApicurioRegistryOLMOperatorType(clusterWide); + + operatorManager.installOperator(registryOLMOperator); + } +} diff --git a/src/test/resources/adminOverrideClaimData.csv b/src/test/resources/adminOverrideClaimData.csv index 2f5d173df..c87ea131c 100644 --- a/src/test/resources/adminOverrideClaimData.csv +++ b/src/test/resources/adminOverrideClaimData.csv 
@@ -1,16 +1,11 @@ CLAIM,CLAIM_VALUE,ADMIN_SUFFIX,IS_ADMIN_ALLOWED -default,default,"",false -default,default,"-org-admin-true",true -default,true,"-org-admin-true",true -default,yes,"-org-admin-yes",true -default,yes,"-org-admin-true",false -org-admin,default,"-org-admin-true",true -org-admin,true,"-org-admin-true",true -org-admin,yes,"-org-admin-yes",true -org-admin,yes,"-org-admin-true",false -admin-role,default,"-admin-role-true",true -admin-role,default,"-org-admin-true",false -admin-role,true,"-admin-role-true",true -admin-role,true,"-org-admin-true",false -admin-role,admin,"-admin-role-admin",true -admin-role,admin,"-org-admin-true",false \ No newline at end of file + default,default,"",false + default,true,"-org-admin-true",true + default,yes,"-org-admin-yes",true + default,yes,"-org-admin-true",false + org-admin,true,"-org-admin-true",true + org-admin,yes,"-org-admin-yes",true + admin-role,default,"-org-admin-true",false + admin-role,true,"-admin-role-true",true + admin-role,true,"-org-admin-true",false + admin-role,admin,"-org-admin-true",false \ No newline at end of file diff --git a/src/test/resources/ar.yaml b/src/test/resources/ar.yaml new file mode 100644 index 000000000..a3fdf3c9d --- /dev/null +++ b/src/test/resources/ar.yaml 
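Review bot: Every remaining data row now begins with a space (` default,default,"",false`), while the header does not, so a CSV reader that does not trim fields will produce `CLAIM` values such as `" default"` and `" admin-role"` and the admin-override test will compare the wrong claim names. Remove the leading space from each row so they align with the header at column 0. The hunk also drops the positive cases `org-admin,default,"-org-admin-true",true` and `admin-role,admin,"-admin-role-admin",true`; if these were removed because expected behavior changed, that deserves a sentence in the commit message, since they covered the paths that actually grant admin.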
@@ -0,0 +1,22 @@ +apiVersion: registry.apicur.io/v1 +kind: ApicurioRegistry +metadata: + name: rkubis + namespace: kafka-oauth +spec: + configuration: + env: + - name: JAVA_OPTIONS + value: >- + -Dregistry.kafka.common.security.protocol=SASL_PLAINTEXT + -Dregistry.kafka.common.sasl.mechanism=OAUTHBEARER + -Dregistry.kafka.common.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule + -Dregistry.kafka.common.oauth.client.id="team-a-client" + -Dregistry.kafka.common.oauth.client.secret="team-a-client-secret" + -Dregistry.kafka.common.oauth.token.endpoint.uri="https://keycloak-kafka-oauth.apps.jsenko413.apicurio.integration-qe.com/auth/realms/kafka-authz/protocol/openid-connect/token" + -Dregistry.kafka.common.sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler + - name: QUARKUS_OIDC_TLS_VERIFICATION + value: none + kafkasql: + bootstrapServers: 'my-cluster-kafka-bootstrap.kafka-oauth.svc:9092' + persistence: kafkasql \ No newline at end of file diff --git a/src/test/resources/cert.pem b/src/test/resources/cert.pem new file mode 100644 index 000000000..e13520c8a --- /dev/null +++ b/src/test/resources/cert.pem 
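Review bot: `ar.yaml` sets `QUARKUS_OIDC_TLS_VERIFICATION: none`, which disables certificate checking for the registry's OIDC client, and pastes the client credential into `JAVA_OPTIONS` as `-Dregistry.kafka.common.oauth.client.secret="team-a-client-secret"` while the broker connection uses `SASL_PLAINTEXT`, so the bearer token is sent to Kafka without transport protection. Even for a test fixture, prefer trusting the router CA through a mounted truststore (as `deployment_with_truststore.yaml` in this commit does) over `none`, and keep the secret out of the CR: `- name: REGISTRY_KAFKA_COMMON_OAUTH_CLIENT_SECRET` with `valueFrom: {secretKeyRef: {name: team-a-client, key: secret}}`, which should map to the same property under the usual env-var naming, provided the operator's `configuration.env` accepts `valueFrom`. The token endpoint host is also bound to one specific cluster, so the file will not work anywhere else as-is.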
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDizCCAnOgAwIBAgIIbCgyQe4A1wcwDQYJKoZIhvcNAQELBQAwJjEkMCIGA1UE +AwwbaW5ncmVzcy1vcGVyYXRvckAxNzAxMTY0MjAzMB4XDTIzMTEyODA5MzY0MloX +DTI1MTEyNzA5MzY0M1owNTEzMDEGA1UEAwwqKi5hcHBzLnJrdWI0MTQuYXBpY3Vy +aW8uaW50ZWdyYXRpb24tcWUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA34xMtBnzenONKu3wiyETT3Q9n2ecKaPn4phSvNtspJB36hdWnBGhJ5ML +4jUYqew1NcWTDL0sUAcsrFb0LugFwImZdxTgTgn91c16cFh4KSKMQ6E+1EKRHymB +Xb2PYp0jtgao/KKvBH+GaZbG51gHvWxKHv/mQzsXLFW5WN6GMJY0z5LdHbi31Pm7 +npBepdOedM/EyW57tZVX+8ONtPm2tIuc/zw8iSp0F9Le1dHDl/qyCotympP1j7O4 +JArDVztDhuFUP+R41lX5xgpc98oXygak5VvWst4Wc1V04k5YRmbeZe3/F7OHQnwP +Yvxdhagnoda5bIhSYpIfwv5OxkarIwIDAQABo4GtMIGqMA4GA1UdDwEB/wQEAwIF +oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBS3 +WSHWWFFI5K1tDEtdQ3UjlslUBTAfBgNVHSMEGDAWgBRinspIUYrHpXOuYpZgkUpN +ThiZajA1BgNVHREELjAsgioqLmFwcHMucmt1YjQxNC5hcGljdXJpby5pbnRlZ3Jh +dGlvbi1xZS5jb20wDQYJKoZIhvcNAQELBQADggEBADSTGmYyffVvLqGxoNbxNEG8 +wmCK+82AgsYO5kuOhLHDVyRlVOzRzTHnCeRQ3pg6rz9FNWFNFl30TgLWD60OYJ9U +v84PkuqcXVPvK689/1qp3JFLfh0bQACZfxkYdiOte/BgYanFz1EvG4flP/qA8+aE +wNvhCHPX2jOi+ufqINMwETSAg51Il7GK3NA1ucK3xUwDWSDOIPA/MO4sSmyCqvCy +kOYC53nxEiJrxLRCOw6pUzcTEGN7kA+u7wbjcJL+CWy009G1D5+p34Qx+V8MYWl4 +IJxY6p5dxBjEyOLlpbngel+mj0VOjEUuC5BrPQZGBti+tMznsKvPEM9fwHpFan4= +-----END CERTIFICATE----- diff --git a/src/test/resources/cert2.pem b/src/test/resources/cert2.pem new file mode 100644 index 000000000..10c926b27 --- /dev/null +++ b/src/test/resources/cert2.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDDCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtpbmdy +ZXNzLW9wZXJhdG9yQDE3MDExNjQyMDMwHhcNMjMxMTI4MDkzNjQyWhcNMjUxMTI3 +MDkzNjQzWjAmMSQwIgYDVQQDDBtpbmdyZXNzLW9wZXJhdG9yQDE3MDExNjQyMDMw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpw8/3KqebP9wVJU4gT4rI +aOHfZ4B6kNNEwky+UWHWOIFkgcuhKS+NKdNLCDg2jy/Nga/wWqCUXJ660HaoYcyy +o2UtA+qBeXWePh+nay+cvUu9iw+jDMdoxg4auJBuMMMDZNUFZ75ujSZa9oKBKmfp +I8Kpch5Tse5TsQIrf3dJTcTr2je7sH7pz+GeCMGavo3oycfdduvqG8dQ5oHDLOKc +ojmQstld5UcXw9ZmGLskfYi+b6npYDhEDY/VMKRmSIqKtkMWlN6aaHL7znFPP475 +h/8nmssU9ZAIpZkyri5q3ZXS3yKBEhnImpFwAxVkX/7rs4bffCjwq8MSt7pV6/ul +AgMBAAGjRTBDMA4GA1UdDwEB/wQEAwICpDASBgNVHRMBAf8ECDAGAQH/AgEAMB0G +A1UdDgQWBBRinspIUYrHpXOuYpZgkUpNThiZajANBgkqhkiG9w0BAQsFAAOCAQEA +xNG8Gtc1ob/85ZooP2wzEdTpDA0ScjmncfdOmZLTz7ZvJ25ufdpgVmwZ9D3/561G +qR3TjiaJTCgQyr6fMxR7Um75NV7IuQDfu4LlRSpliZ05g9USCu3porNpU/q9NfGz +NJ7mMEqox20UYgDv6zS3QvcVAcoN1XHyp8QXnI0CzFuzb1GzVTdpkd1ii/Pzrfbx +jWk3tqonsTf9Q4C99fL0zcj9FTrCS/vK4rdNN7HdEpg3KD8V1ujPtPIYSJEJNEmK +cbDCYjQJsuyv5qWv2n3Ud4vpVJHMoLU2ftQHYGQgKhRbVUmqSIBYco4GlupeTsd2 +wCAgzum89JOPfnyGmIsJSQ== +-----END CERTIFICATE----- diff --git a/src/test/resources/deployment.yaml b/src/test/resources/deployment.yaml new file mode 100644 index 000000000..7cb395126 --- /dev/null +++ b/src/test/resources/deployment.yaml 
@@ -0,0 +1,101 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: example-apicurioregistry-kafkasql-rkubis + namespace: kafka-oauth +spec: + replicas: 1 + selector: + matchLabels: + app: example-apicurioregistry-kafkasql-rkubis + template: + metadata: + creationTimestamp: null + labels: + app: example-apicurioregistry-kafkasql-rkubis + spec: + volumes: + - name: tmp + emptyDir: {} + - name: mytruststore + secret: + secretName: mytruststore-secret + defaultMode: 420 + containers: + - resources: + limits: + cpu: '1' + memory: 1300Mi + requests: + cpu: 500m + memory: 512Mi + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + terminationMessagePath: /dev/termination-log + name: registry + livenessProbe: + httpGet: + path: /health/live + port: 8080 + scheme: HTTP + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + env: + - name: JAVA_OPTIONS + value: >- + -Dregistry.kafka.common.security.protocol=SASL_PLAINTEXT + -Dregistry.kafka.common.sasl.mechanism=OAUTHBEARER + -Dregistry.kafka.common.oauth.client.id=team-a-client + -Dregistry.kafka.common.oauth.client.secret=team-a-client-secret + -Dregistry.kafka.common.oauth.token.endpoint.uri=https://keycloak-kafka-oauth.apps.jsenko413.apicurio.integration-qe.com/auth/realms/kafka-authz/protocol/openid-connect/token + -Doauth.client.id=team-a-client + -Doauth.client.secret=team-a-client-secret + -Doauth.token.endpoint.uri=https://keycloak-kafka-oauth.apps.jsenko413.apicurio.integration-qe.com/auth/realms/kafka-authz/protocol/openid-connect/token + -Dregistry.kafka.common.sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler + -Djavax.net.ssl.trustStore=/mytruststore/myTrustStore + -Djavax.net.ssl.trustStorePassword=password + - name: KAFKA_BOOTSTRAP_SERVERS + value: 
'my-cluster-kafka-bootstrap.kafka-oauth.svc:9092' + - name: QUARKUS_PROFILE + value: prod + - name: REGISTRY_KAFKA_COMMON_SASL_JAAS_CONFIG + value: >- + org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule + required; + - name: CORS_ALLOWED_ORIGINS + value: >- + http://example-apicurioregistry-kafkasql.kafka-oauth.router-default.apps.jsenko413.apicurio.integration-qe.com,https://example-apicurioregistry-kafkasql.kafka-oauth.router-default.apps.jsenko413.apicurio.integration-qe.com + ports: + - containerPort: 8080 + protocol: TCP + imagePullPolicy: IfNotPresent + volumeMounts: + - name: tmp + mountPath: /tmp + - name: mytruststore + mountPath: /mytruststore + terminationMessagePolicy: File + image: 'brew.registry.redhat.io/rh-osbs/integration-service-registry-kafkasql-rhel8:2.5.5-1' + restartPolicy: Always + terminationGracePeriodSeconds: 30 + dnsPolicy: ClusterFirst + securityContext: {} + schedulerName: default-scheduler + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + revisionHistoryLimit: 10 + progressDeadlineSeconds: 600 \ No newline at end of file diff --git a/src/test/resources/deployment2.yaml b/src/test/resources/deployment2.yaml new file mode 100644 index 000000000..b1b7038c0 --- /dev/null +++ b/src/test/resources/deployment2.yaml 
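Review bot: `JAVA_OPTIONS` carries `-Doauth.client.secret=team-a-client-secret` and `-Djavax.net.ssl.trustStorePassword=password` as plain values in the pod spec, so they are readable by anyone who can view the Deployment or run `ps` in the container, whereas `deployment_with_truststore.yaml` in the same commit already shows the better pattern (`CLIENT_SECRET` from a `secretKeyRef`). The `mytruststore` volume only protects the HTTPS call to the Keycloak token endpoint; with `security.protocol=SASL_PLAINTEXT` the resulting token still travels to the broker in clear. Move the credential and truststore password to `valueFrom.secretKeyRef` entries and point the client at the broker's TLS listener with `SASL_SSL`. The `CORS_ALLOWED_ORIGINS` list also admits an `http://` origin, which is unnecessary once the route is TLS-only.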
@@ -0,0 +1,101 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: rkubis-deployment + namespace: kafka-oauth +spec: + replicas: 1 + selector: + matchLabels: + app: rkubis-deployment + template: + metadata: + creationTimestamp: null + labels: + app: rkubis-deployment + spec: + volumes: + - name: tmp + emptyDir: {} + - name: mytruststore + secret: + secretName: mytruststore-secret + defaultMode: 420 + containers: + - resources: + limits: + cpu: '1' + memory: 1300Mi + requests: + cpu: 500m + memory: 512Mi + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + terminationMessagePath: /dev/termination-log + name: registry + livenessProbe: + httpGet: + path: /health/live + port: 8080 + scheme: HTTP + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + env: + - name: JAVA_OPTIONS + value: >- + -Dregistry.kafka.common.security.protocol=SASL_PLAINTEXT + -Dregistry.kafka.common.sasl.mechanism=OAUTHBEARER + -Dregistry.kafka.common.oauth.client.id=team-a-client + -Dregistry.kafka.common.oauth.client.secret=team-a-client-secret + -Dregistry.kafka.common.oauth.token.endpoint.uri=https://keycloak-kafka-oauth.apps.jsenko413.apicurio.integration-qe.com/auth/realms/kafka-authz/protocol/openid-connect/token + -Doauth.client.id=team-a-client + -Doauth.client.secret=team-a-client-secret + -Doauth.token.endpoint.uri=https://keycloak-kafka-oauth.apps.jsenko413.apicurio.integration-qe.com/auth/realms/kafka-authz/protocol/openid-connect/token + -Dregistry.kafka.common.sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler + -Djavax.net.ssl.trustStore=/mytruststore/myTrustStore + -Djavax.net.ssl.trustStorePassword=password + - name: KAFKA_BOOTSTRAP_SERVERS + value: 'my-cluster-kafka-bootstrap.kafka-oauth.svc:9092' + - name: QUARKUS_PROFILE + 
value: prod + - name: REGISTRY_KAFKA_COMMON_SASL_JAAS_CONFIG + value: >- + org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule + required; + - name: CORS_ALLOWED_ORIGINS + value: >- + http://example-apicurioregistry-kafkasql.kafka-oauth.router-default.apps.jsenko413.apicurio.integration-qe.com,https://example-apicurioregistry-kafkasql.kafka-oauth.router-default.apps.jsenko413.apicurio.integration-qe.com + ports: + - containerPort: 8080 + protocol: TCP + imagePullPolicy: IfNotPresent + volumeMounts: + - name: tmp + mountPath: /tmp + - name: mytruststore + mountPath: /mytruststore + terminationMessagePolicy: File + image: 'brew.registry.redhat.io/rh-osbs/integration-service-registry-kafkasql-rhel8:2.5.4-1' + restartPolicy: Always + terminationGracePeriodSeconds: 30 + dnsPolicy: ClusterFirst + securityContext: {} + schedulerName: default-scheduler + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + revisionHistoryLimit: 10 + progressDeadlineSeconds: 600 \ No newline at end of file diff --git a/src/test/resources/deployment_with_truststore.yaml b/src/test/resources/deployment_with_truststore.yaml new file mode 100644 index 000000000..e1f7788b0 --- /dev/null +++ b/src/test/resources/deployment_with_truststore.yaml 
@@ -0,0 +1,124 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: console-apicurioregistry-deployment-ssl + namespace: kafka-oauth + labels: + app: console-apicurioregistry-ssl +spec: + replicas: 1 + selector: + matchLabels: + app: console-apicurioregistry-ssl + template: + metadata: + labels: + app: console-apicurioregistry-ssl + spec: + volumes: + - name: cluster-ca-cert + secret: + secretName: kafka1-cluster-ca-cert + defaultMode: 420 + - name: tmp + emptyDir: {} + - name: mytruststore + secret: + secretName: mytruststore-secret + defaultMode: 420 + containers: + - resources: + limits: + cpu: '1' + memory: 1300Mi + requests: + cpu: 500m + memory: 512Mi + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + terminationMessagePath: /dev/termination-log + name: registry + livenessProbe: + httpGet: + path: /health/live + port: 8080 + scheme: HTTP + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + env: + - name: JAVA_TOOL_OPTIONS + value: >- + -Djavax.net.ssl.trustStore=/mytruststore/myTrustStore + - name: QUARKUS_LOG_LEVEL + value: INFO + - name: ENABLE_KAFKA_SASL + value: 'true' + - name: CLIENT_ID + valueFrom: + secretKeyRef: + name: console-ui-secrets + key: REGISTRY_CLIENT_ID + - name: CLIENT_SECRET + valueFrom: + secretKeyRef: + name: console-ui-secrets + key: REGISTRY_CLIENT_SECRET + - name: KAFKA_SECURITY_PROTOCOL + value: SASL_SSL + - name: KAFKA_SSL_TRUSTSTORE_TYPE + value: PKCS12 + - name: KAFKA_SSL_TRUSTSTORE_LOCATION + value: /tmp/cluster-ca-cert/ca.p12 + - name: KAFKA_SSL_TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: kafka1-cluster-ca-cert + key: ca.password + - name: OAUTH_TOKEN_ENDPOINT_URI + value: >- + https://console-keycloak.apps.rkub414.apicurio.integration-qe.com/realms/demo/protocol/openid-connect/token + - name: 
KAFKA_BOOTSTRAP_SERVERS + value: >- + kafka1-kafka-oauth-bootstrap-kafka-oauth.apps.rkub414.apicurio.integration-qe.com:443 + - name: QUARKUS_PROFILE + value: prod + - name: CORS_ALLOWED_ORIGINS + value: >- + http://console-apicurioregistry.kafka-oauth.apps.rkub414.apicurio.integration-qe.com.router-default.apps.rkub414.apicurio.integration-qe.com,https://console-apicurioregistry.kafka-oauth.apps.rkub414.apicurio.integration-qe.com.router-default.apps.rkub414.apicurio.integration-qe.com + ports: + - containerPort: 8080 + protocol: TCP + imagePullPolicy: IfNotPresent + volumeMounts: + - name: cluster-ca-cert + mountPath: /tmp/cluster-ca-cert + - name: tmp + mountPath: /tmp + - name: mytruststore + mountPath: /mytruststore + terminationMessagePolicy: File + image: >- + registry.redhat.io/integration/service-registry-kafkasql-rhel8:2.4.4 + restartPolicy: Always + terminationGracePeriodSeconds: 30 + dnsPolicy: ClusterFirst + securityContext: {} + schedulerName: default-scheduler + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + revisionHistoryLimit: 10 + progressDeadlineSeconds: 600 \ No newline at end of file diff --git a/src/test/resources/final_registry.yaml b/src/test/resources/final_registry.yaml new file mode 100644 index 000000000..9e6169e1c --- /dev/null +++ b/src/test/resources/final_registry.yaml 
@@ -0,0 +1,125 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: console-apicurioregistry-deployment-final + namespace: kafka-oauth + labels: + app: console-apicurioregistry-final +spec: + replicas: 1 + selector: + matchLabels: + app: console-apicurioregistry-final + template: + metadata: + labels: + app: console-apicurioregistry-final + spec: + volumes: + - name: cluster-ca-cert + secret: + secretName: kafka1-cluster-ca-cert + defaultMode: 420 + - name: tmp + emptyDir: {} + - name: mytruststore + secret: + secretName: mytruststore-secret + defaultMode: 420 + containers: + - resources: + limits: + cpu: '1' + memory: 1300Mi + requests: + cpu: 500m + memory: 512Mi + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + terminationMessagePath: /dev/termination-log + name: registry + livenessProbe: + httpGet: + path: /health/live + port: 8080 + scheme: HTTP + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + env: + - name: JAVA_TOOL_OPTIONS + value: >- + -Djavax.net.ssl.trustStore=/mytruststore/myTrustStore + -Djavax.net.ssl.trustStorePassword=password + - name: QUARKUS_LOG_LEVEL + value: INFO + - name: ENABLE_KAFKA_SASL + value: 'true' + - name: CLIENT_ID + valueFrom: + secretKeyRef: + name: console-ui-secrets + key: REGISTRY_CLIENT_ID + - name: CLIENT_SECRET + valueFrom: + secretKeyRef: + name: console-ui-secrets + key: REGISTRY_CLIENT_SECRET + - name: KAFKA_SECURITY_PROTOCOL + value: SASL_SSL + - name: KAFKA_SSL_TRUSTSTORE_TYPE + value: PKCS12 + - name: KAFKA_SSL_TRUSTSTORE_LOCATION + value: /tmp/cluster-ca-cert/ca.p12 + - name: KAFKA_SSL_TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: kafka1-cluster-ca-cert + key: ca.password + - name: OAUTH_TOKEN_ENDPOINT_URI + value: >- + 
https://console-keycloak.apps.rkub414.apicurio.integration-qe.com/realms/demo/protocol/openid-connect/token + - name: KAFKA_BOOTSTRAP_SERVERS + value: >- + kafka1-kafka-oauth-bootstrap-kafka-oauth.apps.rkub414.apicurio.integration-qe.com:443 + - name: QUARKUS_PROFILE + value: prod + - name: CORS_ALLOWED_ORIGINS + value: >- + https://console-apicurioregistry-deployment-final.kafka-oauth.apps.rkub414.apicurio.integration-qe.com.router-default.apps.rkub414.apicurio.integration-qe.com,https://console-apicurioregistry-deployment-final.kafka-oauth.apps.rkub414.apicurio.integration-qe.com.router-default.apps.rkub414.apicurio.integration-qe.com + ports: + - containerPort: 8080 + protocol: TCP + imagePullPolicy: IfNotPresent + volumeMounts: + - name: cluster-ca-cert + mountPath: /tmp/cluster-ca-cert + - name: tmp + mountPath: /tmp + - name: mytruststore + mountPath: /mytruststore + terminationMessagePolicy: File + image: >- + registry.redhat.io/integration/service-registry-kafkasql-rhel8:2.4.4 + restartPolicy: Always + terminationGracePeriodSeconds: 30 + dnsPolicy: ClusterFirst + securityContext: {} + schedulerName: default-scheduler + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + revisionHistoryLimit: 10 + progressDeadlineSeconds: 600 \ No newline at end of file diff --git a/src/test/resources/fixed_deployment.yaml b/src/test/resources/fixed_deployment.yaml new file mode 100644 index 000000000..b211bac14 --- /dev/null +++ b/src/test/resources/fixed_deployment.yaml 
@@ -0,0 +1,118 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: rkubis-deployment-2
+ namespace: kafka-oauth
+ labels:
+ app: rkubis-2
+ rht.comp_ver: '2.5'
+ rht.prod_name: Red_Hat_Integration
+ app.kubernetes.io/instance: rkubis
+ app.kubernetes.io/version: 2.5.5.Final-redhat-00001
+ rht.prod_ver: '2.5'
+ apicur.io/name: rkubis
+ com.company: Red_Hat
+ app.kubernetes.io/managed-by: apicurio-registry-operator
+ rht.comp_t: infrastructure
+ apicur.io/version: 2.5.5.Final-redhat-00001
+ app.kubernetes.io/name: apicurio-registry
+ apicur.io/type: apicurio-registry
+ rht.comp: Service_Registry
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: rkubis-2
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: rkubis-2
+ rht.comp_ver: '2.5'
+ rht.prod_name: Red_Hat_Integration
+ app.kubernetes.io/instance: rkubis
+ app.kubernetes.io/version: 2.5.5.Final-redhat-00001
+ rht.prod_ver: '2.5'
+ apicur.io/name: rkubis
+ com.company: Red_Hat
+ app.kubernetes.io/managed-by: apicurio-registry-operator
+ rht.comp_t: infrastructure
+ apicur.io/version: 2.5.5.Final-redhat-00001
+ app.kubernetes.io/name: apicurio-registry
+ apicur.io/type: apicurio-registry
+ rht.comp: Service_Registry
+ spec:
+ volumes:
+ - name: tmp
+ emptyDir: {}
+ containers:
+ - resources:
+ limits:
+ cpu: '1'
+ memory: 1300Mi
+ requests:
+ cpu: 500m
+ memory: 512Mi
+ readinessProbe:
+ httpGet:
+ path: /health/ready
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 3
+ terminationMessagePath: /dev/termination-log
+ name: registry
+ livenessProbe:
+ httpGet:
+ path: /health/live
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 3
+ env:
+ - name: JAVA_OPTIONS
+ value: >-
+ -Dregistry.kafka.common.security.protocol=SASL_PLAINTEXT
+ -Dregistry.kafka.common.sasl.mechanism=OAUTHBEARER
+ -Dregistry.kafka.common.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule
+ -Dregistry.kafka.common.oauth.client.id="team-a-client"
+ -Dregistry.kafka.common.oauth.client.secret="team-a-client-secret"
+ -Dregistry.kafka.common.oauth.token.endpoint.uri="https://keycloak-kafka-oauth.apps.jsenko413.apicurio.integration-qe.com/auth/realms/kafka-authz/protocol/openid-connect/token"
+ -Dregistry.kafka.common.sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
+ - name: QUARKUS_OIDC_TLS_VERIFICATION
+ value: none
+ - name: KAFKA_BOOTSTRAP_SERVERS
+ value: 'my-cluster-kafka-bootstrap.kafka-oauth.svc:9092'
+ - name: QUARKUS_PROFILE
+ value: prod
+ - name: CORS_ALLOWED_ORIGINS
+ value: >-
+ http://rkubis.kafka-oauth.router-default.apps.jsenko413.apicurio.integration-qe.com,https://rkubis.kafka-oauth.router-default.apps.jsenko413.apicurio.integration-qe.com
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ terminationMessagePolicy: File
+ image: >-
+ brew.registry.redhat.io/rh-osbs/integration-service-registry-kafkasql-rhel8:2.5.5-1
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 30
+ dnsPolicy: ClusterFirst
+ securityContext: {}
+ schedulerName: default-scheduler
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+ maxSurge: 1
+ revisionHistoryLimit: 10
+ progressDeadlineSeconds: 600
\ No newline at end of file
diff --git a/src/test/resources/generated.yaml b/src/test/resources/generated.yaml
new file mode 100644
index 000000000..96dba292a
--- /dev/null
+++ b/src/test/resources/generated.yaml
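Review bot: `QUARKUS_OIDC_TLS_VERIFICATION: none` disables server-certificate validation on the registry's OIDC connection, and `-Dregistry.kafka.common.security.protocol=SASL_PLAINTEXT` sends the OAUTHBEARER token to the broker without transport encryption, yet nothing in the file marks either as a test-only setting. Add above the `JAVA_OPTIONS` entry: `# test-only: SASL_PLAINTEXT and disabled OIDC TLS verification; do not reuse outside the kafka-oauth test namespace`. The double quotes in `-Dregistry.kafka.common.oauth.client.id="team-a-client"` and its two sibling properties may survive as literal characters in the property values if the image launcher expands `JAVA_OPTIONS` by plain word splitting rather than `eval`; the unquoted form used for `JAVA_TOOL_OPTIONS` in final_registry.yaml avoids the question. The client secret embedded in this value is covered by the note on final_registry.yaml.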
@@ -0,0 +1,58 @@
+apiVersion: "registry.apicur.io/v1"
+kind: "ApicurioRegistry"
+metadata:
+ name: "registry"
+ namespace: "testsuite-namespace"
+spec:
+ configuration:
+ env:
+ - name: "JAVA_TOOL_OPTIONS"
+ value: "-Djavax.net.ssl.trustStore=/mytruststore/myTrustStore -Djavax.net.ssl.trustStorePassword=password"
+ - name: "QUARKUS_LOG_LEVEL"
+ value: "INFO"
+ - name: "ENABLE_KAFKA_SASL"
+ value: "true"
+ - name: "CLIENT_ID"
+ valueFrom:
+ secretKeyRef:
+ key: "REGISTRY_CLIENT_ID"
+ name: "console-ui-secrets"
+ - name: "CLIENT_SECRET"
+ valueFrom:
+ secretKeyRef:
+ key: "REGISTRY_CLIENT_SECRET"
+ name: "console-ui-secrets"
+ - name: "KAFKA_SECURITY_PROTOCOL"
+ value: "SASL_SSL"
+ - name: "KAFKA_SSL_TRUSTSTORE_TYPE"
+ value: "PKCS12"
+ - name: "KAFKA_SSL_TRUSTSTORE_LOCATION"
+ value: "/tmp/cluster-ca-cert/ca.p12"
+ - name: "KAFKA_SSL_TRUSTSTORE_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ key: "ca.password"
+ name: "kafka1-cluster-ca-cert"
+ - name: "OAUTH_TOKEN_ENDPOINT_URI"
+ value: "https://console-keycloak.apps.rkub414.apicurio.integration-qe.com/realms/demo/protocol/openid-connect/token"
+ kafkasql:
+ bootstrapServers: "kafka-for-registry-kafka-bootstrap.testsuite-namespacesvc.cluster.local:9092"
+ persistence: "kafkasql"
+ deployment:
+ podTemplateSpecPreview:
+ spec:
+ containers:
+ - name: "registry"
+ volumeMounts:
+ - mountPath: "/tmp/cluster-ca-cert"
+ name: "cluster-ca-cert"
+ - mountPath: "/mytruststore"
+ name: "mytruststore"
+ volumes:
+ - name: "cluster-ca-cert"
+ secret:
+ secretName: "kafka1-cluster-ca-cert"
+ - name: "mytruststore"
+ secret:
+ defaultMode: 420
+ secretName: "mytruststore-secret"
\ No newline at end of file
diff --git a/src/test/resources/kafka-oauth-realm.json b/src/test/resources/kafka-oauth-realm.json
new file mode 100644
index 000000000..22d46ae1e
--- /dev/null
+++ b/src/test/resources/kafka-oauth-realm.json
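Review bot: `bootstrapServers` is missing the dot between the namespace and `svc` (`…testsuite-namespacesvc.cluster.local:9092`); in-cluster service DNS is `<service>.<namespace>.svc.cluster.local`, so the registry cannot resolve the broker and the line should read `bootstrapServers: "kafka-for-registry-kafka-bootstrap.testsuite-namespace.svc.cluster.local:9092"`. The file name suggests this manifest is emitted by the test framework, in which case the concatenation that builds this string probably needs the same fix. The `cluster-ca-cert` volume sets no `defaultMode` while `mytruststore` uses `420`; the two secret volumes should agree, ideally on a read-only-for-owner mode. The plaintext truststore password in `JAVA_TOOL_OPTIONS` is the issue raised on final_registry.yaml.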
@@ -0,0 +1,3068 @@ +{ + "id": "kafka-oauth", + "realm": "kafka-oauth", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 120, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 864000, + "ssoSessionMaxLifespan": 864000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "d858c503-efbe-48ef-b2dc-bb37823435f2", + "name": "default-roles-kafka-oauth", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access" + ], + "client": { + "account": [ + "manage-account", + "view-profile" + ] + } + }, + "clientRole": false, + "containerId": "kafka-oauth", + "attributes": {} + }, + { + "id": "128394ea-f11f-405d-b3e8-6ce6ce5f7cca", + "name": "Dev Team A", + "description": 
"Developer on Dev Team A", + "composite": false, + "clientRole": false, + "containerId": "kafka-oauth", + "attributes": {} + }, + { + "id": "d0c73c99-9713-45cc-b897-b0c7e6454d65", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "kafka-oauth", + "attributes": {} + }, + { + "id": "c417299c-c938-4553-8e83-0eaf85a9e001", + "name": "Ops Team", + "description": "Operations team member", + "composite": false, + "clientRole": false, + "containerId": "kafka-oauth", + "attributes": {} + }, + { + "id": "c6329fd9-0ec4-49d9-ac33-62943baa0b6a", + "name": "Dev Team B", + "description": "Developer on Dev Team B", + "composite": false, + "clientRole": false, + "containerId": "kafka-oauth", + "attributes": {} + }, + { + "id": "8cb15888-52ee-4335-a5b4-6a4ed4cbcc03", + "name": "uma_authorization", + "composite": false, + "clientRole": false, + "containerId": "kafka-oauth", + "attributes": {} + } + ], + "client": { + "team-a-client": [], + "kafka-cli": [], + "realm-management": [ + { + "id": "0cfd3cde-5343-41d9-bc39-44bc0247cab8", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "d96a5bb3-9765-4d41-98ed-470947b694f0", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "dacf058c-c17c-4c12-8a51-98e643f78c18", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-users", + "query-groups" + ] + } + }, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "c9e50593-8f99-48f1-ae3b-6523988c0dad", + "name": "realm-admin", + "description": 
"${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "manage-clients", + "view-users", + "query-users", + "view-realm", + "view-events", + "view-clients", + "manage-realm", + "manage-authorization", + "create-client", + "manage-events", + "manage-identity-providers", + "view-identity-providers", + "view-authorization", + "query-clients", + "query-groups", + "impersonation", + "query-realms", + "manage-users" + ] + } + }, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "e38de266-4233-450f-a521-12312d6c3960", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "d09d45a9-f8f3-4bc9-9542-c902251a6de6", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "cd4a1776-6ac8-43e0-a768-31172916df62", + "name": "view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "22cafb61-95e1-4a2f-a0a6-2f6198623c2f", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "16cc765f-9c7d-4bff-be2c-49f885cc9eca", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "2d4acd42-2dde-48f7-9825-0f164d9e6a64", + "name": "create-client", + "description": 
"${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "5409e188-8358-4341-9f0a-bac2b1b5d1b7", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "bb4d1e89-7262-4781-b88e-e9b7f03ebc83", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "3fda1a95-75e2-4192-b409-1b5f2ae5ab8c", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "54e87742-6754-4f78-a841-6f40c210cde9", + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "453aa269-ce1e-4f30-8052-029e8f3ba7e8", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "534ca72c-514c-454c-b156-a4335796a965", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "b9a9b579-f223-47cd-beff-f0a6c865e19e", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "129c0308-bddf-462c-b55a-8496f7c605d1", + "name": 
"query-realms", + "description": "${role_query-realms}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + }, + { + "id": "55a9731c-6da6-406b-9219-f78bfaf6797b", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "attributes": {} + } + ], + "security-admin-console": [], + "kafka": [ + { + "id": "bc85efd7-dc04-49cb-9bdd-06f0073a452a", + "name": "uma_protection", + "composite": false, + "clientRole": true, + "containerId": "fb2d1da8-a83a-4b1a-bef9-29d2089697e6", + "attributes": {} + } + ], + "admin-cli": [], + "account-console": [], + "broker": [ + { + "id": "a1d058a9-766e-42b4-82a8-979ceea86ce6", + "name": "read-token", + "description": "${role_read-token}", + "composite": false, + "clientRole": true, + "containerId": "0f8e2b87-4c04-4403-a0af-a64d0e32ad4c", + "attributes": {} + } + ], + "account": [ + { + "id": "76cfad95-9815-4d12-a45b-ceed2ea74c35", + "name": "manage-account", + "description": "${role_manage-account}", + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account-links" + ] + } + }, + "clientRole": true, + "containerId": "5e5e2682-f509-40f4-aa82-224c8877c2ec", + "attributes": {} + }, + { + "id": "5c075653-8732-444d-91ba-e2f9fecc402a", + "name": "manage-consent", + "description": "${role_manage-consent}", + "composite": true, + "composites": { + "client": { + "account": [ + "view-consent" + ] + } + }, + "clientRole": true, + "containerId": "5e5e2682-f509-40f4-aa82-224c8877c2ec", + "attributes": {} + }, + { + "id": "66cd58a6-c936-44de-84a2-2425c2e33c3c", + "name": "view-profile", + "description": "${role_view-profile}", + "composite": false, + "clientRole": true, + "containerId": "5e5e2682-f509-40f4-aa82-224c8877c2ec", + "attributes": {} + }, + { + "id": "41fcfc99-a029-4c93-8b2f-251b3435db97", + "name": "view-consent", + "description": 
"${role_view-consent}", + "composite": false, + "clientRole": true, + "containerId": "5e5e2682-f509-40f4-aa82-224c8877c2ec", + "attributes": {} + }, + { + "id": "2c50d58a-4cb6-44e6-a88c-531d5e8fcfec", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "5e5e2682-f509-40f4-aa82-224c8877c2ec", + "attributes": {} + }, + { + "id": "b84cc2cc-dc83-413b-be61-29b7b4e9b06b", + "name": "manage-account-links", + "description": "${role_manage-account-links}", + "composite": false, + "clientRole": true, + "containerId": "5e5e2682-f509-40f4-aa82-224c8877c2ec", + "attributes": {} + }, + { + "id": "ffc91634-40bb-4926-a296-3e91d1cb4cd4", + "name": "view-applications", + "description": "${role_view-applications}", + "composite": false, + "clientRole": true, + "containerId": "5e5e2682-f509-40f4-aa82-224c8877c2ec", + "attributes": {} + } + ], + "team-b-client": [] + } + }, + "groups": [ + { + "id": "06b1992e-ecb6-43a1-87ba-5edc64b030f2", + "name": "ClusterManager Group", + "path": "/ClusterManager Group", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + }, + { + "id": "80ba5c0a-8f6b-43b9-93f5-8e55757c8cbb", + "name": "ClusterManager-my-cluster Group", + "path": "/ClusterManager-my-cluster Group", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + }, + { + "id": "0940af3a-e7c6-404f-af32-f781ad57b521", + "name": "Ops Team Group", + "path": "/Ops Team Group", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + } + ], + "defaultRole": { + "id": "d858c503-efbe-48ef-b2dc-bb37823435f2", + "name": "default-roles-kafka-oauth", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "kafka-oauth" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + 
"otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "FreeOTP", + "Google Authenticator" + ], + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "users": [ + { + "id": "711c3266-7884-4d93-865a-5e7a02687c9c", + "createdTimestamp": 1702032553278, + "username": "service-account-kafka", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "kafka", + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-kafka-oauth" + ], + "clientRoles": { + "kafka": [ + "uma_protection" + ] + }, + "notBefore": 0, + "groups": [] + }, + { + "id": "1411e4a3-5f15-4550-abc5-e860b5e8abdb", + "username": "service-account-team-a-client", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "team-a-client", + "disableableCredentialTypes": [], + 
"requiredActions": [], + "realmRoles": [ + "Dev Team A", + "offline_access" + ], + "clientRoles": { + "account": [ + "manage-account", + "view-profile" + ] + }, + "notBefore": 0, + "groups": [] + }, + { + "id": "5a0b535a-6246-4f49-9837-ee5d9446954f", + "username": "service-account-team-b-client", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "team-b-client", + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "offline_access", + "Dev Team B" + ], + "clientRoles": { + "account": [ + "manage-account", + "view-profile" + ] + }, + "notBefore": 0, + "groups": [] + } + ], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account" + ] + } + ] + }, + "clients": [ + { + "id": "5e5e2682-f509-40f4-aa82-224c8877c2ec", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/kafka-oauth/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/kafka-oauth/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "ec77c891-9173-4b47-a5a3-a91ea569b997", + "clientId": "account-console", + "name": 
"${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/kafka-oauth/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/kafka-oauth/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "6b8ea997-3eac-4e5b-ade3-535869715bce", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "28a48879-f553-40cb-942e-3f22d54f428e", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + 
"email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "0f8e2b87-4c04-4403-a0af-a64d0e32ad4c", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "fb2d1da8-a83a-4b1a-bef9-29d2089697e6", + "clientId": "kafka", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "bbc70982-4887-45fe-b28f-4620727cdfdc", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": 
"clientHost", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + }, + { + "id": "85d975db-c598-4730-896b-2ff4e7a9749b", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "d49e83c2-a9a8-4187-b718-67bcadbf18da", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientId", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientId", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ], + "authorizationSettings": { + "allowRemoteResourceManagement": true, + "policyEnforcementMode": "ENFORCING", + "resources": [ + { + "name": "Cluster:*", + "type": "Cluster", + "ownerManagedAccess": false, + "attributes": {}, + "_id": "d84ebd5e-f0a5-4b11-ad13-b369d06bbcbf", + "uris": [], + "scopes": [ + { + "name": "IdempotentWrite" + }, + { + "name": "DescribeConfigs" + }, + { + "name": "AlterConfigs" + }, + { + "name": "ClusterAction" + } + ] + }, + { + "name": "kafka-cluster:my-cluster,Topic:*", + "type": "Topic", + "ownerManagedAccess": false, + "displayName": "Any topic on my-cluster", + "attributes": {}, + "_id": "beab73b4-cb71-4dbe-a1d5-66ed9db34038", + "uris": [], + "scopes": [ + { + "name": "Write" + }, + { + "name": "Create" + }, + { + "name": "Describe" + }, + { + "name": "Delete" + }, + { + "name": "IdempotentWrite" + }, + { + "name": "Read" + }, + { + "name": "Alter" + }, + { + "name": 
"DescribeConfigs" + }, + { + "name": "AlterConfigs" + } + ] + }, + { + "name": "kafka-cluster:my-cluster,Group:*", + "type": "Group", + "ownerManagedAccess": false, + "displayName": "Any group on my-cluster", + "attributes": {}, + "_id": "85c02adf-b1d6-4c5a-96a0-f06bbeda3640", + "uris": [], + "scopes": [ + { + "name": "Describe" + }, + { + "name": "Delete" + }, + { + "name": "Read" + }, + { + "name": "DescribeConfigs" + }, + { + "name": "AlterConfigs" + } + ] + }, + { + "name": "kafka-cluster:my-cluster,Cluster:*", + "type": "Cluster", + "ownerManagedAccess": false, + "displayName": "Cluster scope on my-cluster", + "attributes": {}, + "_id": "4ed1e9fc-58fa-4908-9b9d-1e45e8ead4c9", + "uris": [], + "scopes": [ + { + "name": "IdempotentWrite" + }, + { + "name": "DescribeConfigs" + }, + { + "name": "AlterConfigs" + }, + { + "name": "ClusterAction" + } + ] + }, + { + "name": "kafka-cluster:my-cluster,Topic:b_*", + "type": "Topic", + "ownerManagedAccess": false, + "attributes": {}, + "_id": "b8e08687-c141-4a4c-a4c4-6828aa70491b", + "uris": [], + "scopes": [ + { + "name": "Write" + }, + { + "name": "Create" + }, + { + "name": "Describe" + }, + { + "name": "Delete" + }, + { + "name": "Read" + }, + { + "name": "Alter" + }, + { + "name": "DescribeConfigs" + }, + { + "name": "AlterConfigs" + } + ] + }, + { + "name": "Topic:*", + "type": "Topic", + "ownerManagedAccess": false, + "displayName": "Any topic", + "attributes": {}, + "_id": "93f7ddda-23c5-4d8c-8c54-a9e4722e0ec3", + "uris": [], + "scopes": [ + { + "name": "Write" + }, + { + "name": "Create" + }, + { + "name": "Describe" + }, + { + "name": "Delete" + }, + { + "name": "Read" + }, + { + "name": "Alter" + }, + { + "name": "DescribeConfigs" + }, + { + "name": "AlterConfigs" + } + ] + }, + { + "name": "Group:*", + "type": "Group", + "ownerManagedAccess": false, + "displayName": "Any group", + "attributes": {}, + "_id": "72bc56fd-1b97-452c-979f-5d57a482f0cf", + "uris": [], + "scopes": [ + { + "name": "Describe" + }, + { + 
"name": "Read" + }, + { + "name": "DescribeConfigs" + }, + { + "name": "AlterConfigs" + } + ] + }, + { + "name": "Group:a_*", + "type": "Group", + "ownerManagedAccess": false, + "displayName": "Groups that start with a_", + "attributes": {}, + "_id": "426dba83-fdbd-4b6a-ae7a-73df54479f3a", + "uris": [], + "scopes": [ + { + "name": "Describe" + }, + { + "name": "Read" + } + ] + }, + { + "name": "Topic:x_*", + "type": "Topic", + "ownerManagedAccess": false, + "displayName": "Topics that start with x_", + "attributes": {}, + "_id": "c392ce94-1897-43ff-8830-08848230eb11", + "uris": [], + "scopes": [ + { + "name": "Write" + }, + { + "name": "Create" + }, + { + "name": "Describe" + }, + { + "name": "Delete" + }, + { + "name": "Read" + }, + { + "name": "Alter" + }, + { + "name": "DescribeConfigs" + }, + { + "name": "AlterConfigs" + } + ] + }, + { + "name": "Group:x_*", + "type": "Group", + "ownerManagedAccess": false, + "displayName": "Consumer groups that start with x_", + "attributes": {}, + "_id": "48f8c446-8dce-4b3a-810c-7ecc77a5ac31", + "uris": [], + "scopes": [ + { + "name": "Describe" + }, + { + "name": "Delete" + }, + { + "name": "Read" + } + ] + }, + { + "name": "Topic:a_*", + "type": "Topic", + "ownerManagedAccess": false, + "displayName": "Topics that start with a_", + "attributes": {}, + "_id": "09517f54-35ab-40cf-94aa-73b82303a584", + "uris": [], + "scopes": [ + { + "name": "Write" + }, + { + "name": "Create" + }, + { + "name": "Describe" + }, + { + "name": "Delete" + }, + { + "name": "Read" + }, + { + "name": "Alter" + }, + { + "name": "DescribeConfigs" + }, + { + "name": "AlterConfigs" + } + ] + } + ], + "policies": [ + { + "id": "c3976d8e-d61f-4f99-a966-351faa2f737d", + "name": "ClusterManager of my-cluster Group", + "type": "group", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "groups": "[{\"path\":\"/ClusterManager-my-cluster Group\",\"extendChildren\":false}]" + } + }, + { + "id": "c84c99c2-d49f-4bd5-8d77-62d22bc952e1", + 
"name": "ClusterManager Group", + "type": "group", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "groups": "[{\"path\":\"/ClusterManager Group\",\"extendChildren\":false}]" + } + }, + { + "id": "70d3e36b-9686-45db-b5cf-9a3c61646fd0", + "name": "Ops Team", + "type": "role", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "roles": "[{\"id\":\"Ops Team\",\"required\":true}]" + } + }, + { + "id": "84a71f54-34d5-4909-b57b-8e1484811a8f", + "name": "Dev Team B", + "type": "role", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "roles": "[{\"id\":\"Dev Team B\",\"required\":true}]" + } + }, + { + "id": "e779e62d-4439-4bbd-870f-5b03e8818d6b", + "name": "Dev Team A", + "type": "role", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "roles": "[{\"id\":\"Dev Team A\",\"required\":true}]" + } + }, + { + "id": "3fbb005e-2b14-41db-881f-b73cee487c5d", + "name": "ClusterManager Group has full access to cluster config", + "type": "resource", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"Cluster:*\"]", + "applyPolicies": "[\"ClusterManager Group\"]" + } + }, + { + "id": "909d468e-30de-4518-ae87-849d25b1383c", + "name": "ClusterManager Group has full access to manage and affect topics", + "type": "resource", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"Topic:*\"]", + "applyPolicies": "[\"ClusterManager Group\"]" + } + }, + { + "id": "791a8300-2e12-4e88-a2b5-2a6c3d5436ac", + "name": "ClusterManager Group has full access to manage and affect groups", + "type": "resource", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"Group:*\"]", + "applyPolicies": "[\"ClusterManager Group\"]" + } + }, + { + "id": "d6171fa3-0533-432e-b2f5-d0fdc3f20e10", + "name": "ClusterManager of my-cluster Group has full access to cluster config on my-cluster", + "type": 
"resource", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"kafka-cluster:my-cluster,Cluster:*\"]", + "applyPolicies": "[\"ClusterManager of my-cluster Group\"]" + } + }, + { + "id": "6a4ebf18-bfd3-40df-aec0-1417ad0f66c6", + "name": "ClusterManager of my-cluster Group has full access to consumer groups on my-cluster", + "type": "resource", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"kafka-cluster:my-cluster,Group:*\"]", + "applyPolicies": "[\"ClusterManager of my-cluster Group\"]" + } + }, + { + "id": "03e2901c-833a-4c5c-be90-d84fb046c6f2", + "name": "ClusterManager of my-cluster Group has full access to topics on my-cluster", + "type": "resource", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"kafka-cluster:my-cluster,Topic:*\"]", + "applyPolicies": "[\"ClusterManager of my-cluster Group\"]" + } + }, + { + "id": "eccb8dbc-ec91-4993-8a4f-bd170900b54f", + "name": "Dev Team A can use consumer groups that start with a_ on any cluster", + "type": "resource", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"Group:a_*\"]", + "applyPolicies": "[\"Dev Team A\"]" + } + }, + { + "id": "032248c4-ee09-48f8-be12-9b441c17076d", + "name": "Dev Team B can do IdempotentWrites on cluster my-cluster", + "type": "scope", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"kafka-cluster:my-cluster,Cluster:*\"]", + "scopes": "[\"IdempotentWrite\"]", + "applyPolicies": "[\"Dev Team B\"]" + } + }, + { + "id": "236b346b-adb8-469e-8de5-08a67d9a488f", + "name": "Dev Team B can update consumer group offsets that start with x_ on any cluster", + "type": "scope", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"Group:x_*\"]", + "scopes": "[\"Read\",\"Describe\"]", + "applyPolicies": "[\"Dev Team B\"]" + } + }, + { + "id": 
"e6c622d4-96dc-4c0a-8540-232dd5ab1ad1", + "name": "Dev Team B can read from topics that start with x_ on any cluster", + "type": "scope", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"Topic:x_*\"]", + "scopes": "[\"Read\",\"Describe\"]", + "applyPolicies": "[\"Dev Team B\"]" + } + }, + { + "id": "02dac176-7e0b-4017-875f-1bfb3a7082f9", + "name": "Dev Team B owns topics that start with b_ on cluster my-cluster", + "type": "resource", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"kafka-cluster:my-cluster,Topic:b_*\"]", + "applyPolicies": "[\"Dev Team B\"]" + } + }, + { + "id": "66a2350b-20ca-4eff-a78a-8bf51dc5aa2b", + "name": "Dev Team A can do IdempotentWrites on cluster my-cluster", + "type": "scope", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"kafka-cluster:my-cluster,Cluster:*\"]", + "scopes": "[\"IdempotentWrite\"]", + "applyPolicies": "[\"Dev Team A\"]" + } + }, + { + "id": "42c289a0-3770-49c1-9210-8580584ddd40", + "name": "Dev Team A can write to topics that start with x_ on any cluster", + "type": "scope", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"Topic:x_*\"]", + "scopes": "[\"Write\",\"Describe\"]", + "applyPolicies": "[\"Dev Team A\"]" + } + }, + { + "id": "1949be66-d274-49ba-b205-9048b9e130ae", + "name": "Dev Team A owns topics that start with a_ on any cluster", + "type": "resource", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"Topic:a_*\"]", + "applyPolicies": "[\"Dev Team A\"]" + } + } + ], + "scopes": [ + { + "id": "e3c0b013-0a16-4d0e-9441-9c2da373c8e4", + "name": "IdempotentWrite" + }, + { + "id": "2f2a7a20-15a8-4789-8877-151dfd6fe025", + "name": "AlterConfigs" + }, + { + "id": "8785246b-dffc-45c7-bcaa-aa59726975f6", + "name": "DescribeConfigs" + }, + { + "id": "e2ad859d-5ef4-4d29-aad0-16eae344b6d1", + "name": 
"ClusterAction" + }, + { + "id": "47509cd2-7acf-45ec-9e3d-06da2dcd1a7f", + "name": "Describe" + }, + { + "id": "01c1fefc-1ef1-42fd-a6a4-39d9ebf1e51e", + "name": "Alter" + }, + { + "id": "cab15ad7-a62c-43b7-b222-d1b205f497af", + "name": "Delete" + }, + { + "id": "16d68914-4a7b-434a-ba9d-893ab8ce7f3e", + "name": "Write" + }, + { + "id": "08d81ab1-f944-465d-ab7c-fe7b996cb38a", + "name": "Read" + }, + { + "id": "56c74bd0-049a-40a8-85dc-01bfa390fb1b", + "name": "Create" + } + ], + "decisionStrategy": "AFFIRMATIVE" + } + }, + { + "id": "479e42d7-18b0-4296-9e02-9652446b1286", + "clientId": "kafka-cli", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "26fdcda0-f050-40fe-8dcf-8b133a77c6dc", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": 
"openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "b36bdb5c-23e7-42bf-b425-5891dcd23612", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/kafka-oauth/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/kafka-oauth/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "18b351c7-8bf5-41fe-8c42-66ac45db90a4", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "a45e483c-70fb-4c7f-8b7d-a83bfda095eb", + "clientId": "team-a-client", + "surrogateAuthRequired": false, + "enabled": true, + 
"alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "edacf46a-2fd9-496c-a024-370793050148", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + }, + { + "id": "46ff5945-c1e7-4ebf-adb7-0df1af70fcc3", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "8cfc5cd7-5af3-4532-a24b-ca0e58d93a27", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientId", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientId", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "98666c23-564e-4469-a42f-9bf607c3c804", + "clientId": "team-b-client", + 
"surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "8ea07b8f-c868-4a0f-b499-63edf7eb6dc6", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "9f8599f9-80e2-49b0-94b3-f29d0c6c2c59", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "e432b1b4-66f9-4f5c-a187-a68a40a97f3b", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "a881f477-18e7-4273-aab8-2e29066ba3f8", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": 
"oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "long" + } + }, + { + "id": "b26f0ca2-dafd-4e94-9d3b-51d8973ed22b", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "90b32ae5-3789-4d30-b0d0-ae753027a657", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "b073a43d-293e-4a24-ace8-0ed8e2390ea8", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "eee5a5be-b3a6-4cf3-9db7-ac633b67b12b", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "9d45dec1-db54-4c8a-bab5-edc086023ba1", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": 
"oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "1508c272-726e-4d51-a48e-ef11b1741297", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "83d37562-3070-4008-b8c9-2ddd15a3b156", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "7995112a-62f4-4dfc-9b03-d717b39bbaf6", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "12749b42-0474-4d0e-96fe-b66d8aa8de33", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "7f5669c0-c4e1-4eba-9c60-d16bba5afeff", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": 
"oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "id": "8dce120b-cf6f-4457-84f3-359027bbc5c0", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "c3242ce0-e985-4a43-8747-44aa6d2cc049", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "87ae906f-c613-4700-9356-20c8516cab9a", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + }, + { + "id": "e14c84bc-11e7-4f48-9d9b-32ee5608eae3", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "50305b49-825f-42b9-9035-b0595f3f7ab0", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": 
"${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "9d94b77a-4953-426f-b461-af089e7536f7", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "86505c0e-c45d-444d-9d57-a7880dee40fb", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "d834e48f-6def-4ad0-8200-60b23621d6ef", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + }, + { + "id": "a98b38c4-cb6a-471b-917d-28ce403373ca", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "cc084584-7f89-4e17-98b1-9fcfa0c68ca3", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "79555cce-f858-4742-a876-d17466782470", + "name": "address", + "protocol": 
"openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "c7e12529-37bf-434e-b8b1-8b4cea94a232", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "eb40cb82-9c3b-4f2e-b5a2-d8b853173da1", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "90ac2dba-610d-47c3-883d-43616efa9ac8", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "2b5d8a31-88ca-4a17-b990-e85c2fca5263", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "f2a169b6-0b60-473c-9e45-2c5b4123db14", + "name": "allowed web origins", + "protocol": "openid-connect", + 
"protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "6f11435a-7c93-4d71-abe8-f857e6cebd9f", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "26df65fe-5e09-4ec3-b99e-e565607d764d", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "231a4fa1-a2e0-4f53-bc3c-26f0a4f27599", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "27ab85a6-6937-4bc0-a324-dbe198f77945", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "398f6a84-96e3-4b85-986d-d12bc42adb83", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "8ceef5d7-e0c6-4e05-bfde-b6a44244e184", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + 
"access.token.claim": "true" + } + } + ] + }, + { + "id": "735f3a9d-3827-4833-bb56-4ba9dc885c0a", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins", + "acr" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "address", + "phone", + "microprofile-jwt" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "69b3102f-af79-4286-9f82-6c7580348376", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "3f0a1488-1975-4d67-b7ef-ee6b9a0c404e", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "6c131b9f-b4c9-4048-bb2e-702772bf35e4", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "c94aa780-8e50-419b-802f-d6a8f0947caf", + "name": 
"Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-address-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-role-list-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-usermodel-property-mapper", + "saml-user-attribute-mapper", + "saml-user-property-mapper", + "oidc-full-name-mapper" + ] + } + }, + { + "id": "1a8fcb3e-b1ac-4674-b0d4-9668b3b95df3", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "c99cec80-de5c-4be0-85da-d0770a070681", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "56166eba-a9be-4b50-988f-d65b2358f0d4", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "6bed45fb-6427-4155-9f04-7cf70b2aab41", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-attribute-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-address-mapper", + "oidc-full-name-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-usermodel-property-mapper", + "saml-role-list-mapper", + "saml-user-property-mapper" + ] + } + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "a23e67b8-e53b-406b-94a6-958864ca3237", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + }, + { + "id": "16f70057-6d9a-41fb-9576-9cc5fc4ac32a", + "name": 
"rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "21d7cc4a-88d1-4793-b3ce-a2064c3ebe5d", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "767fe0b9-99c1-4b28-9304-6020fdf6a241", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "7a1414ab-fe8e-46ed-8c1c-5b89280b377f", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": "75e84ed5-ff20-4dc1-8f7c-81350674da74", + "alias": "Authentication Options", + "description": "Authentication options.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "basic-auth", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "basic-auth-otp", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + 
"priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "de458cee-1bcc-49fe-b7b6-972573e7d4b1", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "5b80efe6-3364-4321-bd99-cdb59dadf678", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "3e7a3e06-8517-4d47-992f-33132bceb09a", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", 
+ "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "9a474547-f3d1-4a5c-aca6-2e7c4fc04614", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "981cc54a-d355-466a-9657-e1fcfc952ff8", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "c267730f-00ea-43d2-876c-86a651e98814", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": 
true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "0f44a61e-02f1-4b37-b69e-c0e9e4b1d068", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "61375792-3258-49c9-89c2-d2d9650d5c40", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "26bee321-4f0a-4d28-9bcc-2c0c60eda079", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + 
"authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "5039d365-7081-4fac-bbce-0d35066ddfcc", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "bf8847cf-94b0-4415-8a28-c15bf8590f1c", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + 
"autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "5da2badf-a5b8-45a4-b612-eb03b8e12557", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "e863a43c-addc-437f-94f8-d00cdf16be62", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "3bb0b730-841d-4e70-bfb8-83bbdb908d26", + "alias": "http challenge", + "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "no-cookie-redirect", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + 
"autheticatorFlow": true, + "flowAlias": "Authentication Options", + "userSetupAllowed": false + } + ] + }, + { + "id": "c68bdcc1-7207-4335-9836-1bee4cf51062", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "30c8db5b-35dd-45f5-88f5-6933beae7b31", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-profile-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "8a9588c3-3dc2-4ee3-978e-0976d7939020", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, 
+ "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "c0248037-608a-4309-a40e-f13661fda9c8", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "14765923-d4f8-4aa6-ad7b-cf954620658e", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "bf30ad68-5fdd-4f66-99cd-eb68c077fd03", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "terms_and_conditions", + "name": "Terms and Conditions", + "providerId": "terms_and_conditions", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", 
+ "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "oauth2DeviceCodeLifespan": "600", + "oauth2DevicePollingInterval": "5", + "parRequestUriLifespan": "60", + "cibaInterval": "5", + "realmReusableOtpCode": "false" + }, + "keycloakVersion": "18.0.11.redhat-00001", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } +} \ No newline at end of file diff --git a/src/test/resources/kafka.yaml b/src/test/resources/kafka.yaml new file mode 100644 index 000000000..351da55f7 --- /dev/null +++ b/src/test/resources/kafka.yaml 
@@ -0,0 +1,60 @@
+apiVersion: kafka.strimzi.io/v1beta2
+kind: Kafka
+metadata:
+ name: my-cluster
+ namespace: kafka-oauth
+spec:
+ entityOperator:
+ topicOperator: {}
+ userOperator: {}
+ kafka:
+ authorization:
+ clientId: kafka
+ delegateToKafkaAcls: true
+ superUsers:
+ - service-account-kafka
+ tlsTrustedCertificates:
+ - certificate: tls.crt
+ secretName: router-certs-default
+ tokenEndpointUri: >-
+ https://registry-sso-kafka-oauth.apps.rkub414.apicurio.integration-qe.com/auth/realms/kafka-oauth/protocol/openid-connect/token
+ type: keycloak
+ config:
+ default.replication.factor: 1
+ inter.broker.protocol.version: '3.6'
+ min.insync.replicas: 1
+ offsets.topic.replication.factor: 1
+ transaction.state.log.min.isr: 1
+ transaction.state.log.replication.factor: 1
+ listeners:
+ - authentication:
+ checkAccessTokenType: false
+ customClaimCheck: '@.typ && @.typ == ''Bearer'''
+ jwksEndpointUri: >-
+ https://registry-sso-kafka-oauth.apps.rkub414.apicurio.integration-qe.com/auth/realms/kafka-oauth/protocol/openid-connect/certs
+ maxSecondsWithoutReauthentication: 3600
+ tlsTrustedCertificates:
+ - certificate: tls.crt
+ secretName: router-certs-default
+ type: oauth
+ userNameClaim: preferred_username
+ validIssuerUri: >-
+ https://registry-sso-kafka-oauth.apps.rkub414.apicurio.integration-qe.com/auth/realms/kafka-oauth
+ name: plain
+ port: 9092
+ tls: false
+ type: internal
+ logging:
+ loggers:
+ log4j.logger.io.strimzi: TRACE
+ log4j.logger.kafka: DEBUG
+ log4j.logger.org.apache.kafka: DEBUG
+ type: inline
+ replicas: 1
+ storage:
+ type: ephemeral
+ version: 3.6.0
+ zookeeper:
+ replicas: 1
+ storage:
+ type: ephemeral
\ No newline at end of file
diff --git a/src/test/resources/kafka1.yaml b/src/test/resources/kafka1.yaml
new file mode 100644
index 000000000..d36d48789
--- /dev/null
+++ b/src/test/resources/kafka1.yaml
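Review bot: The `plain` listener (`port: 9092`, `tls: false`) authenticates with OAUTHBEARER, so every client's access token crosses the cluster network in clear text and can be captured and replayed until it expires, within the 3600 s `maxSecondsWithoutReauthentication` window. For an OAuth listener set `tls: true` so Strimzi serves it with the cluster CA certificate that the registry manifests in this commit already trust via `KAFKA_SSL_TRUSTSTORE_LOCATION`. Two further settings look like debugging leftovers and deserve a comment if they are deliberate: `checkAccessTokenType: false` paired with the hand-written `customClaimCheck`, and `log4j.logger.io.strimzi: TRACE`, which may write token material into broker logs — verify before this manifest is reused beyond a throwaway test cluster.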
@@ -0,0 +1,67 @@
+apiVersion: kafka.strimzi.io/v1beta2
+kind: Kafka
+metadata:
+ name: kafka1
+ namespace: kafka-oauth
+spec:
+ entityOperator:
+ topicOperator: {}
+ userOperator: {}
+ kafka:
+ authorization:
+ clientId: kafka
+ delegateToKafkaAcls: false
+ tokenEndpointUri: >-
+ https://console-keycloak.apps.rkub414.apicurio.integration-qe.com/realms/demo/protocol/openid-connect/token
+ type: keycloak
+ superUsers:
+ - service-account-kafka
+ tlsTrustedCertificates:
+ - certificate: tls.crt
+ secretName: router-certs-default
+ config:
+ allow.everyone.if.no.acl.found: 'true'
+ default.replication.factor: 3
+ inter.broker.protocol.version: '3.5'
+ min.insync.replicas: 2
+ offsets.topic.replication.factor: 3
+ transaction.state.log.min.isr: 2
+ transaction.state.log.replication.factor: 3
+ listeners:
+ - name: secure
+ port: 9092
+ tls: true
+ type: route
+ - authentication:
+ jwksEndpointUri: >-
+ https://console-keycloak.apps.rkub414.apicurio.integration-qe.com/realms/demo/protocol/openid-connect/certs
+ type: oauth
+ userNameClaim: preferred_username
+ tlsTrustedCertificates:
+ - certificate: tls.crt
+ secretName: router-certs-default
+ validIssuerUri: >-
+ https://console-keycloak.apps.rkub414.apicurio.integration-qe.com/realms/demo
+ name: oauth
+ port: 9093
+ tls: true
+ type: route
+ configuration:
+ bootstrap:
+ annotations:
+ eyefloaters.github.com/console-listener: 'true'
+ replicas: 3
+ storage:
+ type: jbod
+ volumes:
+ - id: 0
+ type: persistent-claim
+ size: 10Gi
+ deleteClaim: false
+ version: 3.5.0
+ zookeeper:
+ replicas: 3
+ storage:
+ deleteClaim: false
+ size: 10Gi
+ type: persistent-claim
\ No newline at end of file
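Review bot: The `secure` listener (`port: 9092`, `type: route`, `tls: true`) has no `authentication:` block, so it publishes the broker outside the cluster as a TLS endpoint that accepts anonymous connections, while only the `oauth` listener on 9093 is protected. If the extra route exists for the console, give it `authentication: type: oauth` (or `type: tls` with client certificates), or add a comment explaining why an unauthenticated external listener is acceptable in this fixture. The `allow.everyone.if.no.acl.found: 'true'` entry under `config` is a permissive default that should not travel in a template either; with `delegateToKafkaAcls: false` it presumably never takes effect, but a reader cannot tell whether anonymous access is being relied on — confirm and drop it.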
diff --git a/src/test/resources/keystore.jks b/src/test/resources/keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..35ef8a844846bb564394c631076e1eb97d0016fd GIT binary patch literal 2718 zcmai#cQo9I7RP6X8KOpXl8g}1f}a^BMDIi|PhBEobuC_A8CS(ynLBg$P|H?@dbH0|GX2)R9|q|4=IFhM0Mx$ z@oAis|c{ngp?YuOhzLX={=DNeJ0@wzzwJKGNkET zr)jq7ucN_1nK8}!S2tL$2I5v$fT}iX%`*MbgfR=!`w=B7-HTHe@ z+alp%;~C^$Jx@EKN}!?!Qrj&=_}IXO3R0bghbNqC(PqRJl5-NGrO*~$6#AUZIQf+{M7j+-z>ws{WH*J0TBeGmEGs#)L-6bA3-(o?fO>!jeas?c~u z1V`dq_iWQ0TU<7@TF7hYh_RGFJX=3pm2&F^&X`>iLH_tN` ze*M}st$XN3?E+P}Z@W2}>x7f0F~{^i7tiu6B8`K?h+A;{ju0jms=O6M7RQqG&91Ar zeA6$%s-%>GV@|k)vE%Z$@4C_G7xImBt{xsvY0ZW#QwnbC`H9SrjjEG&2Z-qb7R3I! zC$zi62{yZCzu;>%zftoROEy=>U z_?vh6XN(=ujW&mAriM{Zc+Wh`kI=jeH_G$-Sb^4eCK@g8iR@l-Z=)V@wfZf|Q$gU2 zYIKn@+P4ftJK)=A#BehEpMC00*Lq;W;heImk~5B`OLX&XaYHT%dwi!=%PWCqAud@_ z74pYVX6VNZ)|Ur5rs-3OUzD#_>V=!D^T;^j>Y_it`ROxBDFmxtr0lb{w6I3J$vH48 z5INZOK`SQD$~-n&fm{fa-5qUy>+N&6(9e4uX+oo}2N66=&3WlH!HLtB+{3Mj@;hGw zR`9jIAf^4Ts|P(#^rYM_s=-#;jxXYVAxP9NsSqCSB1IJKMLdayK%MzOZq%Vf_B7fx zfps>sBS(&#tB8a*e)HbQD3|^-UMA#PA>|EaeuF0JHl%@wKUL2Y(&BZVfd;PTJk8-d zEz9W|f#rR_Dt_lu37-s$upPFkP^g9G<(OfJm*!74bltYoN3JYzUsCv0=sd)Z#5PjD zvuQo)yJDJZ$+d4npMvh|O6esh>xEA&k=~Si9UP56XuYUYN;?R*!(1S20sb&(Qu~g^+WwJ`% zOD||f=@kzYbm~<4y?$)*DBVj@c;I|w_kc{C${-Lf6_cHZrsb9r<& z;QjW?j~={yoe371fQ9Iw5vk+nuusbVn-9w2tGE5F0>}i*MehCh|@blco0)=tv9{k|w^y*U1ja@Z4zDKR5lswxwOOUj_ zV~;Z_u;F;_rHnt7Uz4^9e#$4PdsqYY^~RW!aV$*{n}P>BnvsW$clqmRL_KpB0(cHr z9ru~o_8W^zDX*Q9zG^qS8YN9?o&(rtgWhb7&k`yy5-NDA2>M!)mD7 zHsiAZPk-XeNV(*a=u##R5f1*O)4I^Tp6V4lamKJ$Y(;xlmU>=G*O1%2W=lVi8cnHx zby`_UeU$gnmKc&ER0W|<)UWxhU*P+RRYpVr)#Qw2#psY$mb1=Su3}wv4QC%f(8bhm z=EO2TXw$X5Zb9f;aH!iDn>Gl@bCw3_su7o5U!hhg^_Bf~0^&@q;r%T#&i6;Zv!N2B zS^6`CG++ns^@gW2BHK0DrKoZ~Wx2C{dN!kI~(*bJML3h5&Nrso3?P RF^O?HYz}q$UXT0~{tkd1)0qGO literal 0 HcmV?d00001 diff --git a/src/test/resources/oauth-kafka.yaml b/src/test/resources/oauth-kafka.yaml new file mode 100644 index 000000000..1b8107b91 --- /dev/null 
+++ b/src/test/resources/oauth-kafka.yaml
@@ -0,0 +1,25 @@
+apiVersion: registry.apicur.io/v1
+kind: ApicurioRegistry
+metadata:
+ name: example-apicurioregistry-kafkasql
+ namespace: kafka-oauth
+spec:
+ configuration:
+ env:
+ - name: JAVA_OPTIONS
+ value: >-
+ -Dregistry.kafka.common.security.protocol=SASL_PLAINTEXT
+ -Dregistry.kafka.common.sasl.mechanism=OAUTHBEARER
+ -Dregistry.kafka.common.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule
+ -Dregistry.kafka.common.oauth.client.id="team-a-client"
+ -Dregistry.kafka.common.oauth.client.secret="team-a-client-secret"
+ -Dregistry.kafka.common.oauth.token.endpoint.uri="https://registry-sso-kafka-oauth.apps.rkub414.apicurio.integration-qe.com/auth/realms/kafka-oauth/protocol/openid-connect/token"
+ -Dregistry.kafka.common.sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
+ - name: QUARKUS_OIDC_TLS_VERIFICATION
+ value: none
+ kafkasql:
+ bootstrapServers: 'my-cluster-kafka-bootstrap.kafka-oauth.svc:9092'
+ persistence: kafkasql
+ deployment:
+ host: >-
+ example-apicurioregistry-kafkasql.kafka-oauth.router-default.apps.rkub414.apicurio.integration-qe.com
diff --git a/src/test/resources/pod.yaml b/src/test/resources/pod.yaml
new file mode 100644
index 000000000..101f635b1
--- /dev/null
+++ b/src/test/resources/pod.yaml
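Review bot: The Kafka client secret is embedded in clear text in the `JAVA_OPTIONS` value (`-Dregistry.kafka.common.oauth.client.secret="team-a-client-secret"`), so anyone who can read the ApicurioRegistry CR, the generated Deployment, or the JVM command line gets the credential. Move it into a Secret and inject it with `valueFrom.secretKeyRef`, as registry.yaml and registry-ga.yaml in this same commit already do for `CLIENT_SECRET`; an `OAUTH_CLIENT_SECRET` environment variable is read by the Strimzi login callback handler as a fallback, but verify that against the handler version the image ships. Two more settings turn the transport into something trivially interceptable and should be commented if they are intentional test shortcuts: `security.protocol=SASL_PLAINTEXT` sends the bearer token to Kafka unencrypted, and `QUARKUS_OIDC_TLS_VERIFICATION: none` disables certificate validation for the registry's own OIDC calls, so the Keycloak endpoint can be spoofed.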
@@ -0,0 +1,166 @@
+kind: Pod
+apiVersion: v1
+metadata:
+ annotations:
+ k8s.v1.cni.cncf.io/network-status: |-
+ [{
+ "name": "openshift-sdn",
+ "interface": "eth0",
+ "ips": [
+ "10.129.2.45"
+ ],
+ "default": true,
+ "dns": {}
+ }]
+ openshift.io/scc: restricted-v2
+ seccomp.security.alpha.kubernetes.io/pod: runtime/default
+ name: example-apicurioregistry-kafkasql-deployment-rkubis
+ namespace: kafka-oauth
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: ReplicaSet
+ name: example-apicurioregistry-kafkasql-deployment-6d4bb8648
+ uid: d1dbb9b5-3e08-4134-819b-dc305051c9a8
+ controller: true
+ blockOwnerDeletion: true
+ labels:
+ app: example-apicurioregistry-kafkasql
+ rht.comp_ver: '2.5'
+ rht.prod_name: Red_Hat_Integration
+ app.kubernetes.io/instance: example-apicurioregistry-kafkasql
+ app.kubernetes.io/version: 2.5.4.Final-redhat-00001
+ rht.prod_ver: '2.5'
+ apicur.io/name: example-apicurioregistry-kafkasql
+ com.company: Red_Hat
+ app.kubernetes.io/managed-by: apicurio-registry-operator
+ rht.comp_t: infrastructure
+ apicur.io/version: 2.5.5.Final-redhat-00001
+ app.kubernetes.io/name: apicurio-registry
+ pod-template-hash: 6d4bb8648
+ apicur.io/type: apicurio-registry
+ rht.comp: Service_Registry
+spec:
+ restartPolicy: Always
+ serviceAccountName: default
+ imagePullSecrets:
+ - name: default-dockercfg-z5mr4
+ priority: 0
+ schedulerName: default-scheduler
+ enableServiceLinks: true
+ terminationGracePeriodSeconds: 30
+ preemptionPolicy: PreemptLowerPriority
+ securityContext:
+ seLinuxOptions:
+ level: 's0:c26,c20'
+ fsGroup: 1000690000
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - resources:
+ limits:
+ cpu: '1'
+ memory: 1300Mi
+ requests:
+ cpu: 500m
+ memory: 512Mi
+ readinessProbe:
+ httpGet:
+ path: /health/ready
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 3
+ terminationMessagePath: /dev/termination-log
+ name: registry
+ livenessProbe:
+ httpGet:
+ path: /health/live
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 3
+ env:
+ - name: JAVA_OPTIONS
+ value: >-
+ -Dregistry.kafka.common.security.protocol=SASL_PLAINTEXT
+ -Dregistry.kafka.common.sasl.mechanism=OAUTHBEARER
+ -Dregistry.kafka.common.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule
+ -Dregistry.kafka.common.oauth.client.id="team-a-client"
+ -Dregistry.kafka.common.oauth.client.secret="team-a-client-secret"
+ -Dregistry.kafka.common.oauth.token.endpoint.uri="https://keycloak-kafka-oauth.apps.jsenko413.apicurio.integration-qe.com/auth/realms/kafka-authz/protocol/openid-connect/token"
+ -Dregistry.kafka.common.sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
+ - name: QUARKUS_OIDC_TLS_VERIFICATION
+ value: none
+ - name: KAFKA_BOOTSTRAP_SERVERS
+ value: 'my-cluster-kafka-bootstrap.kafka-oauth.svc:9092'
+ - name: QUARKUS_PROFILE
+ value: prod
+ - name: CORS_ALLOWED_ORIGINS
+ value: >-
+ http://example-apicurioregistry-kafkasql.kafka-oauth.router-default.apps.jsenko413.apicurio.integration-qe.com,https://example-apicurioregistry-kafkasql.kafka-oauth.router-default.apps.jsenko413.apicurio.integration-qe.com
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: 1000690000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: kube-api-access-vw94c
+ readOnly: true
+ mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ terminationMessagePolicy: File
+ image: >-
+ brew.registry.redhat.io/rh-osbs/integration-service-registry-kafkasql-rhel8:2.5.5-1
+ serviceAccount: default
+ volumes:
+ - name: tmp
+ emptyDir: {}
+ - name: kube-api-access-vw94c
+ projected:
+ sources:
+ - serviceAccountToken:
+ expirationSeconds: 3607
+ path: token
+ - configMap:
+ name: kube-root-ca.crt
+ items:
+ - key: ca.crt
+ path: ca.crt
+ - downwardAPI:
+ items:
+ - path: namespace
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - configMap:
+ name: openshift-service-ca.crt
+ items:
+ - key: service-ca.crt
+ path: service-ca.crt
+ defaultMode: 420
+ dnsPolicy: ClusterFirst
+ tolerations:
+ - key: node.kubernetes.io/not-ready
+ operator: Exists
+ effect: NoExecute
+ tolerationSeconds: 300
+ - key: node.kubernetes.io/unreachable
+ operator: Exists
+ effect: NoExecute
+ tolerationSeconds: 300
+ - key: node.kubernetes.io/memory-pressure
+ operator: Exists
+ effect: NoSchedule
diff --git a/src/test/resources/registry-ga.yaml b/src/test/resources/registry-ga.yaml
new file mode 100644
index 000000000..5d4742eee
--- /dev/null
+++ b/src/test/resources/registry-ga.yaml
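Review bot: This file is a captured runtime object rather than an applicable manifest — it carries `ownerReferences` with a cluster-specific `uid`, a `pod-template-hash` label, `imagePullSecrets: default-dockercfg-z5mr4` and the SDN `network-status` annotation — and it repeats the clear-text `-Dregistry.kafka.common.oauth.client.secret="team-a-client-secret"` and `QUARKUS_OIDC_TLS_VERIFICATION: none` settings from oauth-kafka.yaml. If it is kept as a record of what the operator renders, say so in a leading comment such as `# Snapshot of an operator-generated pod; not meant to be applied` and strip the server-populated metadata, so the hard-coded secret and the disabled TLS verification are not copied forward into a real fixture. Note that the operator-rendered `securityContext` here (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `drop: [ALL]`) is the baseline the hand-written deployment in this commit lacks.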
@@ -0,0 +1,63 @@
+apiVersion: registry.apicur.io/v1
+kind: ApicurioRegistry
+metadata:
+ name: console-apicurioregistry-ga
+spec:
+ configuration:
+ env:
+ - name: JAVA_TOOL_OPTIONS
+ value: >-
+ -Djavax.net.ssl.trustStore=/mytruststore/myTrustStore
+ -Djavax.net.ssl.trustStorePassword=password
+ - name: QUARKUS_LOG_LEVEL
+ value: INFO
+ - name: ENABLE_KAFKA_SASL
+ value: 'true'
+ - name: CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: console-ui-secrets
+ key: REGISTRY_CLIENT_ID
+ - name: CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: console-ui-secrets
+ key: REGISTRY_CLIENT_SECRET
+ - name: KAFKA_SECURITY_PROTOCOL
+ value: SASL_SSL
+ - name: KAFKA_SSL_TRUSTSTORE_TYPE
+ value: PKCS12
+ - name: KAFKA_SSL_TRUSTSTORE_LOCATION
+ value: /tmp/cluster-ca-cert/ca.p12
+ - name: KAFKA_SSL_TRUSTSTORE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: kafka1-cluster-ca-cert
+ key: ca.password
+ - name: OAUTH_TOKEN_ENDPOINT_URI
+ value: >-
+ https://console-keycloak.apps.rkub414.apicurio.integration-qe.com/realms/demo/protocol/openid-connect/token
+ kafkasql:
+ bootstrapServers: >-
+ kafka1-kafka-oauth-bootstrap-kafka-oauth.apps.rkub414.apicurio.integration-qe.com:443
+ persistence: kafkasql
+ deployment:
+ host: >-
+ console-apicurioregistry-ga.kafka-oauth.apps.rkub414.apicurio.integration-qe.com
+ podTemplateSpecPreview:
+ spec:
+ containers:
+ - name: registry
+ volumeMounts:
+ - mountPath: /tmp/cluster-ca-cert
+ name: cluster-ca-cert
+ - name: mytruststore
+ mountPath: /mytruststore
+ volumes:
+ - name: cluster-ca-cert
+ secret:
+ secretName: kafka1-cluster-ca-cert
+ - name: mytruststore
+ secret:
+ secretName: mytruststore-secret
+ defaultMode: 420
\ No newline at end of file
diff --git a/src/test/resources/registry.yaml b/src/test/resources/registry.yaml
new file mode 100644
index 000000000..1e0e94788
--- /dev/null
+++ b/src/test/resources/registry.yaml
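Review bot: `JAVA_TOOL_OPTIONS` swaps out the JVM-wide trust store (`-Djavax.net.ssl.trustStore=/mytruststore/myTrustStore`) and carries its password in clear text (`-Djavax.net.ssl.trustStorePassword=password`). Replacing the default store means every outbound TLS connection from the registry, not just the Keycloak token call, is validated only against whatever CAs `myTrustStore` holds, and HotSpot echoes `JAVA_TOOL_OPTIONS` to stderr at startup, so the password also lands in pod logs. A trust-store password only protects integrity, but it should still come from a `secretKeyRef`, mirroring `KAFKA_SSL_TRUSTSTORE_PASSWORD` below, and a comment should state which certificate the store contains and why the Kafka-side `ca.p12` is not sufficient; the `mytruststore` volumeMount should also be marked `readOnly: true`.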
@@ -0,0 +1,53 @@
+apiVersion: registry.apicur.io/v1
+kind: ApicurioRegistry
+metadata:
+ name: console-apicurioregistry
+spec:
+ configuration:
+ env:
+ - name: QUARKUS_LOG_LEVEL
+ value: INFO
+ - name: ENABLE_KAFKA_SASL
+ value: 'true'
+ - name: CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: console-ui-secrets
+ key: REGISTRY_CLIENT_ID
+ - name: CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: console-ui-secrets
+ key: REGISTRY_CLIENT_SECRET
+ - name: KAFKA_SECURITY_PROTOCOL
+ value: SASL_SSL
+ - name: KAFKA_SSL_TRUSTSTORE_TYPE
+ value: PKCS12
+ - name: KAFKA_SSL_TRUSTSTORE_LOCATION
+ value: /tmp/cluster-ca-cert/ca.p12
+ - name: KAFKA_SSL_TRUSTSTORE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: kafka1-cluster-ca-cert
+ key: ca.password
+ - name: OAUTH_TOKEN_ENDPOINT_URI
+ value: >-
+ https://console-keycloak.apps.rkub414.apicurio.integration-qe.com/realms/demo/protocol/openid-connect/token
+ kafkasql:
+ bootstrapServers: >-
+ kafka1-kafka-oauth-bootstrap-kafka-oauth.apps.rkub414.apicurio.integration-qe.com:443
+ persistence: kafkasql
+ deployment:
+ host: >-
+ console-apicurioregistry.kafka-oauth.apps.rkub414.apicurio.integration-qe.com
+ podTemplateSpecPreview:
+ spec:
+ containers:
+ - name: registry
+ volumeMounts:
+ - mountPath: /tmp/cluster-ca-cert
+ name: cluster-ca-cert
+ volumes:
+ - name: cluster-ca-cert
+ secret:
+ secretName: kafka1-cluster-ca-cert
\ No newline at end of file
diff --git a/src/test/resources/router-certs-default.yaml b/src/test/resources/router-certs-default.yaml
new file mode 100644
index 000000000..c30e0e03d
--- /dev/null
+++ b/src/test/resources/router-certs-default.yaml
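Review bot: The `cluster-ca-cert` Secret is mounted under `/tmp/cluster-ca-cert`, inside the container's scratch directory, and the mount is not marked `readOnly: true`; Kubernetes projects Secret volumes read-only anyway, but placing trust material under `/tmp` invites the nested-mount layout seen elsewhere in this commit and hides the intent. Prefer a dedicated path, e.g. `mountPath: /etc/registry/cluster-ca` with `readOnly: true`, and point `KAFKA_SSL_TRUSTSTORE_LOCATION` at it. The credential handling here — `CLIENT_SECRET` and the truststore password both via `secretKeyRef`, an `https://` token endpoint — is the pattern the other registry manifests in this commit should be brought in line with, so a one-line header comment naming this file as the reference variant would help.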
@@ -0,0 +1,26 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: router-certs-default
+ namespace: kafka-oauth
+ uid: c69afa8c-7bf5-4bb7-9c79-7477a5968aae
+ resourceVersion: '19702069'
+ creationTimestamp: '2023-12-08T11:11:43Z'
+ managedFields:
+ - manager: Mozilla
+ operation: Update
+ apiVersion: v1
+ time: '2023-12-08T11:11:43Z'
+ fieldsType: FieldsV1
+ fieldsV1:
+ 'f:data':
+ .: {}
+ 'f:tls.crt': {}
+ 'f:tls.key': {}
+ 'f:type': {}
+data:
+ tls.crt: >-
+ 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
+ tls.key: >-
+ 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
+type: kubernetes.io/tls
diff --git a/src/test/resources/secret.yaml b/src/test/resources/secret.yaml
new file mode 100644
index 000000000..cebe22b50
--- /dev/null
+++ b/src/test/resources/secret.yaml
@@ -0,0 +1,23 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: mytruststore-secret
+ namespace: kafka-oauth
+ uid: 82760fa0-0c92-474d-afd8-01a6755d44a5
+ resourceVersion: '19740388'
+ creationTimestamp: '2023-12-08T12:46:57Z'
+ managedFields:
+ - manager: kubectl-create
+ operation: Update
+ apiVersion: v1
+ time: '2023-12-08T12:46:57Z'
+ fieldsType: FieldsV1
+ fieldsV1:
+ 'f:data':
+ .: {}
+ 'f:myTrustStore': {}
+ 'f:type': {}
+data:
+ myTrustStore: >-
+ 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
+type: Opaque
diff --git a/src/test/resources/success_deployment.yaml b/src/test/resources/success_deployment.yaml
new file mode 100644
index 000000000..e8e0e3392
--- /dev/null
+++ b/src/test/resources/success_deployment.yaml
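Review bot: This manifest is a dump of the OpenShift ingress router's default certificate Secret (`type: kubernetes.io/tls`) and it carries `tls.key` next to `tls.crt`; the data values are not visible in this listing, but if they were real when committed, the wildcard private key for the `*.apps.…` domain is now in git history and any service behind that router can be impersonated. The only consumers in this commit — the `tlsTrustedCertificates` entries in kafka.yaml and kafka1.yaml — need `tls.crt` alone, so build the test Secret from the public certificate, e.g. `kubectl create secret generic router-certs-default --from-file=tls.crt`, drop the `tls.key` entry, and rotate the router certificate if the key was ever pushed. The `uid`, `resourceVersion` and `managedFields` blocks are server-populated and can make `kubectl create`/`apply` fail; strip them as well.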
@@ -0,0 +1,115 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: console-apicurioregistry-deployment-2
+ namespace: kafka-oauth
+ labels:
+ app: console-apicurioregistry-2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: console-apicurioregistry-2
+ template:
+ metadata:
+ labels:
+ app: console-apicurioregistry-2
+ spec:
+ volumes:
+ - name: cluster-ca-cert
+ secret:
+ secretName: kafka1-cluster-ca-cert
+ defaultMode: 420
+ - name: tmp
+ emptyDir: {}
+ containers:
+ - resources:
+ limits:
+ cpu: '1'
+ memory: 1300Mi
+ requests:
+ cpu: 500m
+ memory: 512Mi
+ readinessProbe:
+ httpGet:
+ path: /health/ready
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 3
+ terminationMessagePath: /dev/termination-log
+ name: registry
+ livenessProbe:
+ httpGet:
+ path: /health/live
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 3
+ env:
+ - name: QUARKUS_LOG_LEVEL
+ value: INFO
+ - name: ENABLE_KAFKA_SASL
+ value: 'true'
+ - name: CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: console-ui-secrets
+ key: REGISTRY_CLIENT_ID
+ - name: CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: console-ui-secrets
+ key: REGISTRY_CLIENT_SECRET
+ - name: KAFKA_SECURITY_PROTOCOL
+ value: SASL_SSL
+ - name: KAFKA_SSL_TRUSTSTORE_TYPE
+ value: PKCS12
+ - name: KAFKA_SSL_TRUSTSTORE_LOCATION
+ value: /tmp/cluster-ca-cert/ca.p12
+ - name: KAFKA_SSL_TRUSTSTORE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: kafka1-cluster-ca-cert
+ key: ca.password
+ - name: OAUTH_TOKEN_ENDPOINT_URI
+ value: >-
+ http://keycloak-http-kafka-oauth.apps.rkub414.apicurio.integration-qe.com/realms/demo/protocol/openid-connect/token
+ - name: KAFKA_BOOTSTRAP_SERVERS
+ value: >-
+ kafka1-kafka-oauth-bootstrap-kafka-oauth.apps.rkub414.apicurio.integration-qe.com:443
+ - name: QUARKUS_PROFILE
+ value: prod
+ - name: CORS_ALLOWED_ORIGINS
+ value: >-
+ http://console-apicurioregistry.kafka-oauth.apps.rkub414.apicurio.integration-qe.com.router-default.apps.rkub414.apicurio.integration-qe.com,https://console-apicurioregistry.kafka-oauth.apps.rkub414.apicurio.integration-qe.com.router-default.apps.rkub414.apicurio.integration-qe.com
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: cluster-ca-cert
+ mountPath: /tmp/cluster-ca-cert
+ - name: tmp
+ mountPath: /tmp
+ terminationMessagePolicy: File
+ image: >-
+ registry.redhat.io/integration/service-registry-kafkasql-rhel8:2.5.4-1
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 30
+ dnsPolicy: ClusterFirst
+ securityContext: {}
+ schedulerName: default-scheduler
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+ maxSurge: 1
+ revisionHistoryLimit: 10
+ progressDeadlineSeconds: 600
\ No newline at end of file
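Review bot: `OAUTH_TOKEN_ENDPOINT_URI` points at a plain-HTTP route (`http://keycloak-http-kafka-oauth.apps.…/realms/demo/protocol/openid-connect/token`), so the client-credentials request carries `CLIENT_ID`/`CLIENT_SECRET` and the returned access token across the ingress unencrypted, which undoes the care taken to pull the secret from `console-ui-secrets`. Use the `https://console-keycloak…` endpoint that registry.yaml and registry-ga.yaml in this commit use, or at minimum add a comment explaining why plain HTTP is tolerated in this "success" fixture. Two smaller points: the pod-level `securityContext: {}` sets no `runAsNonRoot`/`seccompProfile` (the operator-rendered pod in pod.yaml has both plus `drop: [ALL]` on the container), and each `CORS_ALLOWED_ORIGINS` entry repeats the cluster domain (`…integration-qe.com.router-default.apps.rkub414…`), which looks like a copy-paste error that will never match a real browser origin.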