From c3fc675039c58a2b58e330bb1adac99bc7c51612 Mon Sep 17 00:00:00 2001
From: Andrew Block
Date: Fri, 29 May 2026 09:10:19 -0500
Subject: [PATCH] Lifecycle management for ExternalSecrets

Signed-off-by: Andrew Block
---
 Chart.yaml | 2 +-
 README.md | 787 +++++++++--------
 templates/_helpers.tpl | 33 +
 ...cs-oidc-client-secret-external-secret.yaml | 4 +-
 .../keycloak-admin-user-external-secret.yaml | 4 +-
 templates/keycloak-users-external-secret.yaml | 20 +-
 .../oidc-client-secret-external-secret.yaml | 4 +-
 templates/postgresql-db-external-secret.yaml | 4 +-
 ...rhtpa-oidc-cli-secret-external-secret.yaml | 4 +-
 values.yaml | 60 +-
 10 files changed, 490 insertions(+), 432 deletions(-)

diff --git a/Chart.yaml b/Chart.yaml
index 0ba6ea0..5e19d94 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -4,7 +4,7 @@ keywords:
 - pattern
 name: rhbk
 type: application
-version: 0.0.10
+version: 0.0.11
 home: https://github.com/validatedpatterns/rhbk-chart
 maintainers:
 - name: Validated Patterns Team
diff --git a/README.md b/README.md
index 4342145..3a2eb06 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
-![Version: 0.0.10](https://img.shields.io/badge/Version-0.0.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.0.11](https://img.shields.io/badge/Version-0.0.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
@@ -28,398 +28,399 @@ This chart is used to serve as the template for Validated Patterns Charts ## Values -| Key | Type | Default | Description | -| ------------------------------------------------------------------------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| defaultDenyNetworkPolicy | object | false | Default-deny NetworkPolicy for the keycloak namespace. When enabled, deploys a namespace-wide NetworkPolicy that blocks all ingress and egress for pods without an explicit allow policy. Patterns that need zero-trust network isolation should enable this and provide per-pod allow rules via networkPolicy. | -| externalSecrets | object | disabled (regular ExternalSecret, no hooks) | One-shot ExternalSecret provisioning for keycloak-users. When oneShot is true, the keycloak-users ExternalSecret becomes an ArgoCD Sync hook with HookSucceeded and creationPolicy: Orphan. Orphan prevents ESO from setting an ownerReference on the Secret, so k8s GC will not cascade-delete the Secret when ArgoCD removes the ExternalSecret hook after sync. A PostSync Job in the wrapper chart (e.g. 
rh-keycloak in layered-zero-trust) then cleans up Secrets labeled secretCleanupLabel=delete. When oneShot is false (default), keycloak-users is a regular ExternalSecret with no hook annotations — the Secret and ExternalSecret persist. | -| global.localClusterDomain | string | `"apps.example.com"` | | -| global.secretStore.kind | string | `"ClusterSecretStore"` | | -| global.secretStore.name | string | `"vault-backend"` | | -| keycloak.adminUser.enabled | bool | `true` | | -| keycloak.adminUser.passwordVaultKey | string | `"secret/data/hub/infra/keycloak/keycloak"` | | -| keycloak.adminUser.secretName | string | `"keycloak-admin-user"` | | -| keycloak.adminUser.username | string | `"admin"` | | -| keycloak.defaultConfig | bool | `true` | | -| keycloak.defaultRealm.clientScopes[0].attributes."display.on.consent.screen" | string | `"false"` | | -| keycloak.defaultRealm.clientScopes[0].attributes."include.in.token.scope" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[0].description | string | `"OpenID Connect built-in scope"` | | -| keycloak.defaultRealm.clientScopes[0].name | string | `"openid"` | | -| keycloak.defaultRealm.clientScopes[0].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[0].protocolMappers[0].config."access.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[0].protocolMappers[0].config."id.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[0].protocolMappers[0].config."introspection.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[0].protocolMappers[0].consentRequired | bool | `false` | | -| keycloak.defaultRealm.clientScopes[0].protocolMappers[0].name | string | `"sub"` | | -| keycloak.defaultRealm.clientScopes[0].protocolMappers[0].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[0].protocolMappers[0].protocolMapper | string | `"oidc-sub-mapper"` | | -| 
keycloak.defaultRealm.clientScopes[1].attributes."display.on.consent.screen" | string | `"false"` | | -| keycloak.defaultRealm.clientScopes[1].attributes."include.in.token.scope" | string | `"false"` | | -| keycloak.defaultRealm.clientScopes[1].description | string | `"OpenID Connect basic scope"` | | -| keycloak.defaultRealm.clientScopes[1].name | string | `"basic"` | | -| keycloak.defaultRealm.clientScopes[1].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[1].protocolMappers[0].config."access.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[1].protocolMappers[0].config."introspection.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[1].protocolMappers[0].consentRequired | bool | `false` | | -| keycloak.defaultRealm.clientScopes[1].protocolMappers[0].name | string | `"sub"` | | -| keycloak.defaultRealm.clientScopes[1].protocolMappers[0].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[1].protocolMappers[0].protocolMapper | string | `"oidc-sub-mapper"` | | -| keycloak.defaultRealm.clientScopes[2].attributes."consent.screen.text" | string | `"${emailScopeConsentText}"` | | -| keycloak.defaultRealm.clientScopes[2].attributes."display.on.consent.screen" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[2].attributes."include.in.token.scope" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[2].description | string | `"OpenID Connect email scope"` | | -| keycloak.defaultRealm.clientScopes[2].name | string | `"email"` | | -| keycloak.defaultRealm.clientScopes[2].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].config."access.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].config."claim.name" | string | `"email"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].config."id.token.claim" | string | `"true"` | | -| 
keycloak.defaultRealm.clientScopes[2].protocolMappers[0].config."jsonType.label" | string | `"String"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].config."user.attribute" | string | `"email"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].config."userinfo.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].consentRequired | bool | `false` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].name | string | `"email"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].protocolMapper | string | `"oidc-usermodel-attribute-mapper"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].config."access.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].config."claim.name" | string | `"email_verified"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].config."id.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].config."jsonType.label" | string | `"boolean"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].config."user.attribute" | string | `"emailVerified"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].config."userinfo.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].consentRequired | bool | `false` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].name | string | `"email verified"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].protocolMapper | string | `"oidc-usermodel-attribute-mapper"` | | -| keycloak.defaultRealm.clientScopes[3].attributes."consent.screen.text" | string | `"${profileScopeConsentText}"` | | -| 
keycloak.defaultRealm.clientScopes[3].attributes."display.on.consent.screen" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[3].attributes."include.in.token.scope" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[3].description | string | `"OpenID Connect profile scope"` | | -| keycloak.defaultRealm.clientScopes[3].name | string | `"profile"` | | -| keycloak.defaultRealm.clientScopes[3].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].config."access.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].config."claim.name" | string | `"preferred_username"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].config."id.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].config."jsonType.label" | string | `"String"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].config."user.attribute" | string | `"username"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].config."userinfo.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].consentRequired | bool | `false` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].name | string | `"username"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].protocolMapper | string | `"oidc-usermodel-attribute-mapper"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[1].config."access.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[1].config."id.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[1].config."userinfo.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[1].consentRequired | bool | `false` | | -| 
keycloak.defaultRealm.clientScopes[3].protocolMappers[1].name | string | `"full name"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[1].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[3].protocolMappers[1].protocolMapper | string | `"oidc-full-name-mapper"` | | -| keycloak.defaultRealm.clientScopes[4].attributes."consent.screen.text" | string | `"${rolesScopeConsentText}"` | | -| keycloak.defaultRealm.clientScopes[4].attributes."display.on.consent.screen" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[4].attributes."include.in.token.scope" | string | `"false"` | | -| keycloak.defaultRealm.clientScopes[4].description | string | `"OpenID Connect roles scope"` | | -| keycloak.defaultRealm.clientScopes[4].name | string | `"roles"` | | -| keycloak.defaultRealm.clientScopes[4].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].config."access.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].config."claim.name" | string | `"realm_access.roles"` | | -| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].config."jsonType.label" | string | `"String"` | | -| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].config."user.attribute" | string | `"foo"` | | -| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].config.multivalued | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].consentRequired | bool | `false` | | -| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].name | string | `"realm roles"` | | -| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].protocolMapper | string | `"oidc-usermodel-realm-role-mapper"` | | -| keycloak.defaultRealm.clientScopes[4].protocolMappers[1].consentRequired | bool | `false` | | -| 
keycloak.defaultRealm.clientScopes[4].protocolMappers[1].name | string | `"audience resolve"` | | -| keycloak.defaultRealm.clientScopes[4].protocolMappers[1].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[4].protocolMappers[1].protocolMapper | string | `"oidc-audience-resolve-mapper"` | | -| keycloak.defaultRealm.clientScopes[5].attributes."display.on.consent.screen" | string | `"false"` | | -| keycloak.defaultRealm.clientScopes[5].attributes."include.in.token.scope" | string | `"false"` | | -| keycloak.defaultRealm.clientScopes[5].description | string | `"OpenID Connect web origins scope"` | | -| keycloak.defaultRealm.clientScopes[5].name | string | `"web-origins"` | | -| keycloak.defaultRealm.clientScopes[5].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[5].protocolMappers[0].config."access.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[5].protocolMappers[0].consentRequired | bool | `false` | | -| keycloak.defaultRealm.clientScopes[5].protocolMappers[0].name | string | `"allowed web origins"` | | -| keycloak.defaultRealm.clientScopes[5].protocolMappers[0].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[5].protocolMappers[0].protocolMapper | string | `"oidc-allowed-origins-mapper"` | | -| keycloak.defaultRealm.clientScopes[6].attributes."display.on.consent.screen" | string | `"false"` | | -| keycloak.defaultRealm.clientScopes[6].attributes."include.in.token.scope" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[6].description | string | `"Permission to create documents"` | | -| keycloak.defaultRealm.clientScopes[6].name | string | `"create:document"` | | -| keycloak.defaultRealm.clientScopes[6].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[7].attributes."display.on.consent.screen" | string | `"false"` | | -| keycloak.defaultRealm.clientScopes[7].attributes."include.in.token.scope" | string 
| `"true"` | | -| keycloak.defaultRealm.clientScopes[7].description | string | `"Permission to read documents"` | | -| keycloak.defaultRealm.clientScopes[7].name | string | `"read:document"` | | -| keycloak.defaultRealm.clientScopes[7].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[8].attributes."display.on.consent.screen" | string | `"false"` | | -| keycloak.defaultRealm.clientScopes[8].attributes."include.in.token.scope" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[8].description | string | `"Permission to update documents"` | | -| keycloak.defaultRealm.clientScopes[8].name | string | `"update:document"` | | -| keycloak.defaultRealm.clientScopes[8].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clientScopes[9].attributes."display.on.consent.screen" | string | `"false"` | | -| keycloak.defaultRealm.clientScopes[9].attributes."include.in.token.scope" | string | `"true"` | | -| keycloak.defaultRealm.clientScopes[9].description | string | `"Permission to delete documents"` | | -| keycloak.defaultRealm.clientScopes[9].name | string | `"delete:document"` | | -| keycloak.defaultRealm.clientScopes[9].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clients[0].attributes."jwt.credential.issuer" | string | `"spiffe"` | | -| keycloak.defaultRealm.clients[0].attributes."jwt.credential.sub" | string | `""` | | -| keycloak.defaultRealm.clients[0].attributes."post.logout.redirect.uris" | string | `"+"` | | -| keycloak.defaultRealm.clients[0].clientAuthenticatorType | string | `"federated-jwt"` | | -| keycloak.defaultRealm.clients[0].clientId | string | `"qtodo-app"` | | -| keycloak.defaultRealm.clients[0].defaultClientScopes[0] | string | `"web-origins"` | | -| keycloak.defaultRealm.clients[0].defaultClientScopes[1] | string | `"roles"` | | -| keycloak.defaultRealm.clients[0].defaultClientScopes[2] | string | `"profile"` | | -| keycloak.defaultRealm.clients[0].defaultClientScopes[3] | 
string | `"basic"` | | -| keycloak.defaultRealm.clients[0].defaultClientScopes[4] | string | `"email"` | | -| keycloak.defaultRealm.clients[0].directAccessGrantsEnabled | bool | `false` | | -| keycloak.defaultRealm.clients[0].enabled | bool | `true` | | -| keycloak.defaultRealm.clients[0].fullScopeAllowed | bool | `true` | | -| keycloak.defaultRealm.clients[0].name | string | `"qtodo"` | | -| keycloak.defaultRealm.clients[0].optionalClientScopes[0] | string | `"offline_access"` | | -| keycloak.defaultRealm.clients[0].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clients[0].publicClient | bool | `false` | | -| keycloak.defaultRealm.clients[0].redirectUris[0] | string | `"*"` | | -| keycloak.defaultRealm.clients[0].serviceAccountsEnabled | bool | `true` | | -| keycloak.defaultRealm.clients[0].standardFlowEnabled | bool | `true` | | -| keycloak.defaultRealm.clients[0].webOrigins[0] | string | `"+"` | | -| keycloak.defaultRealm.clients[1].attributes."oauth2.device.authorization.grant.enabled" | string | `"true"` | | -| keycloak.defaultRealm.clients[1].clientId | string | `"trusted-artifact-signer"` | | -| keycloak.defaultRealm.clients[1].directAccessGrantsEnabled | bool | `true` | | -| keycloak.defaultRealm.clients[1].enabled | bool | `true` | | -| keycloak.defaultRealm.clients[1].implicitFlowEnabled | bool | `false` | | -| keycloak.defaultRealm.clients[1].name | string | `"Red Hat Trusted Artifact Signer Client"` | | -| keycloak.defaultRealm.clients[1].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clients[1].protocolMappers[0].config."access.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clients[1].protocolMappers[0].config."id.token.claim" | string | `"false"` | | -| keycloak.defaultRealm.clients[1].protocolMappers[0].config."included.client.audience" | string | `"trusted-artifact-signer"` | | -| keycloak.defaultRealm.clients[1].protocolMappers[0].name | string | `"audience-mapper"` | | -| 
keycloak.defaultRealm.clients[1].protocolMappers[0].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clients[1].protocolMappers[0].protocolMapper | string | `"oidc-audience-mapper"` | | -| keycloak.defaultRealm.clients[1].protocolMappers[1].config."access.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clients[1].protocolMappers[1].config."claim.name" | string | `"email_verified"` | | -| keycloak.defaultRealm.clients[1].protocolMappers[1].config."claim.value" | string | `"true"` | | -| keycloak.defaultRealm.clients[1].protocolMappers[1].config."id.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clients[1].protocolMappers[1].config."jsonType.label" | string | `"boolean"` | | -| keycloak.defaultRealm.clients[1].protocolMappers[1].config."userinfo.token.claim" | string | `"false"` | | -| keycloak.defaultRealm.clients[1].protocolMappers[1].consentRequired | bool | `false` | | -| keycloak.defaultRealm.clients[1].protocolMappers[1].name | string | `"email-mapper"` | | -| keycloak.defaultRealm.clients[1].protocolMappers[1].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clients[1].protocolMappers[1].protocolMapper | string | `"oidc-hardcoded-claim-mapper"` | | -| keycloak.defaultRealm.clients[1].publicClient | bool | `true` | | -| keycloak.defaultRealm.clients[1].redirectUris[0] | string | `"*"` | | -| keycloak.defaultRealm.clients[1].redirectUris[1] | string | `"urn:ietf:wg:oauth:2.0:oob"` | | -| keycloak.defaultRealm.clients[1].redirectUris[2] | string | `"http://localhost:*/auth/callback"` | | -| keycloak.defaultRealm.clients[1].standardFlowEnabled | bool | `true` | | -| keycloak.defaultRealm.clients[1].webOrigins[0] | string | `"+"` | | -| keycloak.defaultRealm.clients[2].clientId | string | `"acs-central"` | | -| keycloak.defaultRealm.clients[2].defaultClientScopes[0] | string | `"openid"` | | -| keycloak.defaultRealm.clients[2].defaultClientScopes[1] | string | `"basic"` | | -| 
keycloak.defaultRealm.clients[2].defaultClientScopes[2] | string | `"email"` | | -| keycloak.defaultRealm.clients[2].defaultClientScopes[3] | string | `"profile"` | | -| keycloak.defaultRealm.clients[2].defaultClientScopes[4] | string | `"roles"` | | -| keycloak.defaultRealm.clients[2].defaultClientScopes[5] | string | `"web-origins"` | | -| keycloak.defaultRealm.clients[2].directAccessGrantsEnabled | bool | `true` | | -| keycloak.defaultRealm.clients[2].enabled | bool | `true` | | -| keycloak.defaultRealm.clients[2].fullScopeAllowed | bool | `true` | | -| keycloak.defaultRealm.clients[2].implicitFlowEnabled | bool | `false` | | -| keycloak.defaultRealm.clients[2].name | string | `"Red Hat Advanced Cluster Security Central"` | | -| keycloak.defaultRealm.clients[2].optionalClientScopes[0] | string | `"address"` | | -| keycloak.defaultRealm.clients[2].optionalClientScopes[1] | string | `"phone"` | | -| keycloak.defaultRealm.clients[2].optionalClientScopes[2] | string | `"offline_access"` | | -| keycloak.defaultRealm.clients[2].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[0].config."access.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[0].config."claim.name" | string | `"groups"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[0].config."full.path" | string | `"false"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[0].config."id.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[0].config."userinfo.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[0].consentRequired | bool | `false` | | -| keycloak.defaultRealm.clients[2].protocolMappers[0].name | string | `"groups"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[0].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[0].protocolMapper | string | `"oidc-group-membership-mapper"` | | -| 
keycloak.defaultRealm.clients[2].protocolMappers[1].config."access.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[1].config."claim.name" | string | `"roles"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[1].config."id.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[1].config."jsonType.label" | string | `"String"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[1].config."userinfo.token.claim" | string | `"true"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[1].config.multivalued | string | `"true"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[1].consentRequired | bool | `false` | | -| keycloak.defaultRealm.clients[2].protocolMappers[1].name | string | `"roles"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[1].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clients[2].protocolMappers[1].protocolMapper | string | `"oidc-usermodel-realm-role-mapper"` | | -| keycloak.defaultRealm.clients[2].publicClient | bool | `false` | | -| keycloak.defaultRealm.clients[2].redirectUris[0] | string | `"*"` | | -| keycloak.defaultRealm.clients[2].secret | string | `"${ACS_CLIENT_SECRET}"` | | -| keycloak.defaultRealm.clients[2].standardFlowEnabled | bool | `true` | | -| keycloak.defaultRealm.clients[2].webOrigins[0] | string | `"*"` | | -| keycloak.defaultRealm.clients[3].attributes."access.token.lifespan" | string | `"300"` | | -| keycloak.defaultRealm.clients[3].attributes."post.logout.redirect.uris" | string | `"+"` | | -| keycloak.defaultRealm.clients[3].clientId | string | `"rhtpa-cli"` | | -| keycloak.defaultRealm.clients[3].defaultClientScopes[0] | string | `"basic"` | | -| keycloak.defaultRealm.clients[3].defaultClientScopes[1] | string | `"email"` | | -| keycloak.defaultRealm.clients[3].defaultClientScopes[2] | string | `"profile"` | | -| keycloak.defaultRealm.clients[3].defaultClientScopes[3] | string | `"roles"` | | -| 
keycloak.defaultRealm.clients[3].defaultClientScopes[4] | string | `"web-origins"` | | -| keycloak.defaultRealm.clients[3].defaultClientScopes[5] | string | `"create:document"` | | -| keycloak.defaultRealm.clients[3].defaultClientScopes[6] | string | `"read:document"` | | -| keycloak.defaultRealm.clients[3].defaultClientScopes[7] | string | `"update:document"` | | -| keycloak.defaultRealm.clients[3].defaultClientScopes[8] | string | `"delete:document"` | | -| keycloak.defaultRealm.clients[3].directAccessGrantsEnabled | bool | `false` | | -| keycloak.defaultRealm.clients[3].enabled | bool | `true` | | -| keycloak.defaultRealm.clients[3].fullScopeAllowed | bool | `true` | | -| keycloak.defaultRealm.clients[3].implicitFlowEnabled | bool | `false` | | -| keycloak.defaultRealm.clients[3].name | string | `"RHTPA CLI Client"` | | -| keycloak.defaultRealm.clients[3].optionalClientScopes[0] | string | `"address"` | | -| keycloak.defaultRealm.clients[3].optionalClientScopes[1] | string | `"microprofile-jwt"` | | -| keycloak.defaultRealm.clients[3].optionalClientScopes[2] | string | `"offline_access"` | | -| keycloak.defaultRealm.clients[3].optionalClientScopes[3] | string | `"phone"` | | -| keycloak.defaultRealm.clients[3].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clients[3].publicClient | bool | `false` | | -| keycloak.defaultRealm.clients[3].secret | string | `"${RHTPA_CLI_SECRET}"` | | -| keycloak.defaultRealm.clients[3].serviceAccountsEnabled | bool | `true` | | -| keycloak.defaultRealm.clients[3].standardFlowEnabled | bool | `false` | | -| keycloak.defaultRealm.clients[4].attributes."access.token.lifespan" | string | `"300"` | | -| keycloak.defaultRealm.clients[4].attributes."post.logout.redirect.uris" | string | `"+"` | | -| keycloak.defaultRealm.clients[4].clientId | string | `"rhtpa-frontend"` | | -| keycloak.defaultRealm.clients[4].defaultClientScopes[0] | string | `"basic"` | | -| keycloak.defaultRealm.clients[4].defaultClientScopes[1] | 
string | `"email"` | | -| keycloak.defaultRealm.clients[4].defaultClientScopes[2] | string | `"profile"` | | -| keycloak.defaultRealm.clients[4].defaultClientScopes[3] | string | `"roles"` | | -| keycloak.defaultRealm.clients[4].defaultClientScopes[4] | string | `"web-origins"` | | -| keycloak.defaultRealm.clients[4].defaultClientScopes[5] | string | `"create:document"` | | -| keycloak.defaultRealm.clients[4].defaultClientScopes[6] | string | `"read:document"` | | -| keycloak.defaultRealm.clients[4].defaultClientScopes[7] | string | `"update:document"` | | -| keycloak.defaultRealm.clients[4].defaultClientScopes[8] | string | `"delete:document"` | | -| keycloak.defaultRealm.clients[4].directAccessGrantsEnabled | bool | `false` | | -| keycloak.defaultRealm.clients[4].enabled | bool | `true` | | -| keycloak.defaultRealm.clients[4].fullScopeAllowed | bool | `true` | | -| keycloak.defaultRealm.clients[4].implicitFlowEnabled | bool | `true` | | -| keycloak.defaultRealm.clients[4].name | string | `"RHTPA Frontend Client"` | | -| keycloak.defaultRealm.clients[4].optionalClientScopes[0] | string | `"address"` | | -| keycloak.defaultRealm.clients[4].optionalClientScopes[1] | string | `"microprofile-jwt"` | | -| keycloak.defaultRealm.clients[4].optionalClientScopes[2] | string | `"offline_access"` | | -| keycloak.defaultRealm.clients[4].optionalClientScopes[3] | string | `"phone"` | | -| keycloak.defaultRealm.clients[4].protocol | string | `"openid-connect"` | | -| keycloak.defaultRealm.clients[4].publicClient | bool | `true` | | -| keycloak.defaultRealm.clients[4].redirectUris[0] | string | `"*"` | | -| keycloak.defaultRealm.clients[4].serviceAccountsEnabled | bool | `false` | | -| keycloak.defaultRealm.clients[4].standardFlowEnabled | bool | `true` | | -| keycloak.defaultRealm.clients[4].webOrigins[0] | string | `"*"` | | -| keycloak.defaultRealm.defaultDefaultClientScopes[0] | string | `"openid"` | | -| keycloak.defaultRealm.defaultDefaultClientScopes[1] | string | 
`"basic"` | | -| keycloak.defaultRealm.defaultDefaultClientScopes[2] | string | `"email"` | | -| keycloak.defaultRealm.defaultDefaultClientScopes[3] | string | `"profile"` | | -| keycloak.defaultRealm.defaultDefaultClientScopes[4] | string | `"roles"` | | -| keycloak.defaultRealm.defaultDefaultClientScopes[5] | string | `"web-origins"` | | -| keycloak.defaultRealm.displayName | string | `"ZTVP Realm"` | | -| keycloak.defaultRealm.enabled | bool | `true` | | -| keycloak.defaultRealm.realm | string | `"ztvp"` | | -| keycloak.defaultRealm.registrationAllowed | bool | `false` | | -| keycloak.defaultRealm.roles.realm[0].description | string | `"QTodo App Administrator"` | | -| keycloak.defaultRealm.roles.realm[0].name | string | `"qtodo-admin"` | | -| keycloak.defaultRealm.roles.realm[1].description | string | `"Read-only access"` | | -| keycloak.defaultRealm.roles.realm[1].name | string | `"viewer"` | | -| keycloak.defaultRealm.roles.realm[2].description | string | `"RHTPA SBOM Creator"` | | -| keycloak.defaultRealm.roles.realm[2].name | string | `"create:sbom"` | | -| keycloak.defaultRealm.roles.realm[3].description | string | `"RHTPA Document Creator"` | | -| keycloak.defaultRealm.roles.realm[3].name | string | `"create:document"` | | -| keycloak.defaultRealm.roles.realm[4].description | string | `"ACS Administrator"` | | -| keycloak.defaultRealm.roles.realm[4].name | string | `"acs-admin"` | | -| keycloak.defaultRealm.users[0].createdTimestamp | int | `1` | | -| keycloak.defaultRealm.users[0].credentials[0].temporary | bool | `true` | | -| keycloak.defaultRealm.users[0].credentials[0].type | string | `"password"` | | -| keycloak.defaultRealm.users[0].credentials[0].value | string | `"${QTODO_ADMIN_PASSWORD}"` | | -| keycloak.defaultRealm.users[0].email | string | `"qtodo-admin@example.com"` | | -| keycloak.defaultRealm.users[0].emailVerified | bool | `true` | | -| keycloak.defaultRealm.users[0].enabled | bool | `true` | | -| keycloak.defaultRealm.users[0].firstName 
| string | `"QTodo"` | | -| keycloak.defaultRealm.users[0].lastName | string | `"Admin"` | | -| keycloak.defaultRealm.users[0].realmRoles[0] | string | `"qtodo-admin"` | | -| keycloak.defaultRealm.users[0].requiredActions[0] | string | `"UPDATE_PASSWORD"` | | -| keycloak.defaultRealm.users[0].username | string | `"qtodo-admin"` | | -| keycloak.defaultRealm.users[1].createdTimestamp | int | `1` | | -| keycloak.defaultRealm.users[1].credentials[0].temporary | bool | `true` | | -| keycloak.defaultRealm.users[1].credentials[0].type | string | `"password"` | | -| keycloak.defaultRealm.users[1].credentials[0].value | string | `"${QTODO_USER1_PASSWORD}"` | | -| keycloak.defaultRealm.users[1].email | string | `"qtodo-user1@example.com"` | | -| keycloak.defaultRealm.users[1].emailVerified | bool | `true` | | -| keycloak.defaultRealm.users[1].enabled | bool | `true` | | -| keycloak.defaultRealm.users[1].firstName | string | `"QTodo"` | | -| keycloak.defaultRealm.users[1].lastName | string | `"User-1"` | | -| keycloak.defaultRealm.users[1].realmRoles[0] | string | `"viewer"` | | -| keycloak.defaultRealm.users[1].requiredActions[0] | string | `"UPDATE_PASSWORD"` | | -| keycloak.defaultRealm.users[1].username | string | `"qtodo-user1"` | | -| keycloak.defaultRealm.users[2].createdTimestamp | int | `1` | | -| keycloak.defaultRealm.users[2].credentials[0].temporary | bool | `false` | | -| keycloak.defaultRealm.users[2].credentials[0].type | string | `"password"` | | -| keycloak.defaultRealm.users[2].credentials[0].value | string | `"${RHTAS_USER_PASSWORD}"` | | -| keycloak.defaultRealm.users[2].email | string | `"rhtas-user@example.com"` | | -| keycloak.defaultRealm.users[2].emailVerified | bool | `true` | | -| keycloak.defaultRealm.users[2].enabled | bool | `true` | | -| keycloak.defaultRealm.users[2].firstName | string | `"RHTAS"` | | -| keycloak.defaultRealm.users[2].lastName | string | `"Signer"` | | -| keycloak.defaultRealm.users[2].realmRoles[0] | string | `"viewer"` | | -| 
keycloak.defaultRealm.users[2].username | string | `"rhtas-user"` | | -| keycloak.defaultRealm.users[3].createdTimestamp | int | `1` | | -| keycloak.defaultRealm.users[3].credentials[0].temporary | bool | `false` | | -| keycloak.defaultRealm.users[3].credentials[0].type | string | `"password"` | | -| keycloak.defaultRealm.users[3].credentials[0].value | string | `"${RHTPA_USER_PASSWORD}"` | | -| keycloak.defaultRealm.users[3].email | string | `"rhtpa-user@example.com"` | | -| keycloak.defaultRealm.users[3].emailVerified | bool | `true` | | -| keycloak.defaultRealm.users[3].enabled | bool | `true` | | -| keycloak.defaultRealm.users[3].firstName | string | `"RHTPA"` | | -| keycloak.defaultRealm.users[3].lastName | string | `"User"` | | -| keycloak.defaultRealm.users[3].realmRoles[0] | string | `"viewer"` | | -| keycloak.defaultRealm.users[3].realmRoles[1] | string | `"create:sbom"` | | -| keycloak.defaultRealm.users[3].realmRoles[2] | string | `"create:document"` | | -| keycloak.defaultRealm.users[3].username | string | `"rhtpa-user"` | | -| keycloak.defaultRealm.users[4].createdTimestamp | int | `1` | | -| keycloak.defaultRealm.users[4].credentials[0].temporary | bool | `false` | | -| keycloak.defaultRealm.users[4].credentials[0].type | string | `"password"` | | -| keycloak.defaultRealm.users[4].credentials[0].value | string | `"${ACS_ADMIN_PASSWORD}"` | | -| keycloak.defaultRealm.users[4].email | string | `"acs-admin@example.com"` | | -| keycloak.defaultRealm.users[4].emailVerified | bool | `true` | | -| keycloak.defaultRealm.users[4].enabled | bool | `true` | | -| keycloak.defaultRealm.users[4].firstName | string | `"ACS"` | | -| keycloak.defaultRealm.users[4].lastName | string | `"Administrator"` | | -| keycloak.defaultRealm.users[4].realmRoles[0] | string | `"acs-admin"` | | -| keycloak.defaultRealm.users[4].realmRoles[1] | string | `"offline_access"` | | -| keycloak.defaultRealm.users[4].username | string | `"acs-admin"` | | -| keycloak.ingress.enabled | bool | 
`true` | | -| keycloak.ingress.hostname | string | `""` | | -| keycloak.ingress.service | string | `"keycloak-service-trusted"` | | -| keycloak.ingress.termination | string | `"reencrypt"` | | -| keycloak.name | string | `"keycloak"` | | -| keycloak.oidcSecrets.acsClient.vaultPath | string | `"secret/data/hub/infra/acs/acs-central"` | | -| keycloak.oidcSecrets.qtodo.enabled | bool | `false` | | -| keycloak.oidcSecrets.qtodo.vaultPath | string | `"secret/data/apps/qtodo/qtodo-oidc-client"` | | -| keycloak.oidcSecrets.rhtpaCli.vaultPath | string | `"secret/data/hub/infra/rhtpa/rhtpa-oidc-cli"` | | -| keycloak.postgresqlDb.database | string | `"keycloak"` | | -| keycloak.postgresqlDb.passwordVaultKey | string | `"secret/data/hub/infra/keycloak/keycloak"` | | -| keycloak.postgresqlDb.secretName | string | `"postgresql-db"` | | -| keycloak.postgresqlDb.username | string | `"keycloak"` | | -| keycloak.realms | list | `[]` | | -| keycloak.spiffeIdentityProvider.config.alias | string | `"spiffe"` | | -| keycloak.spiffeIdentityProvider.config.config.authorizationUrl | string | `""` | | -| keycloak.spiffeIdentityProvider.config.config.clientId | string | `"keycloak"` | | -| keycloak.spiffeIdentityProvider.config.config.clientSecret | string | `"unused"` | | -| keycloak.spiffeIdentityProvider.config.config.issuer | string | `""` | | -| keycloak.spiffeIdentityProvider.config.config.jwksUrl | string | `""` | | -| keycloak.spiffeIdentityProvider.config.config.supportsClientAssertionReuse | string | `"true"` | | -| keycloak.spiffeIdentityProvider.config.config.supportsClientAssertions | string | `"true"` | | -| keycloak.spiffeIdentityProvider.config.config.syncMode | string | `"LEGACY"` | | -| keycloak.spiffeIdentityProvider.config.config.tokenUrl | string | `""` | | -| keycloak.spiffeIdentityProvider.config.config.useJwksUrl | string | `"true"` | | -| keycloak.spiffeIdentityProvider.config.config.validateSignature | string | `"true"` | | -| 
keycloak.spiffeIdentityProvider.config.displayName | string | `"SPIFFE Workload Identity"` | | -| keycloak.spiffeIdentityProvider.config.enabled | bool | `true` | | -| keycloak.spiffeIdentityProvider.config.hideOnLogin | bool | `true` | | -| keycloak.spiffeIdentityProvider.config.providerId | string | `"oidc"` | | -| keycloak.spiffeIdentityProvider.enabled | bool | `true` | | -| keycloak.tls.secret | string | `"keycloak-tls"` | | -| keycloak.tls.serviceServing | bool | `true` | | -| keycloak.users.passwordVaultKey | string | `"secret/data/hub/infra/users/keycloak-users"` | | -| keycloak.users.secretName | string | `"keycloak-users"` | | -| networkPolicy | object | `{"keycloak":{"egress":[],"enabled":false},"operator":{"egress":[],"enabled":false,"ingress":[]},"postgresql":{"egress":[],"enabled":false,"ingress":[]},"realmImport":{"egress":[],"enabled":false,"podSelector":{"app":"keycloak-realm-import"}}}` | Per-pod NetworkPolicy rules for keycloak, PostgreSQL, and operator pods. Only effective when defaultDenyNetworkPolicy is enabled. The RHBK operator manages its own ingress policy for keycloak pods (keycloak-network-policy) — these templates add egress rules for keycloak and full ingress/egress rules for PostgreSQL and operator pods. 
| +| Key | Type | Default | Description | +| ------------------------------------------------------------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| defaultDenyNetworkPolicy | object | false | Default-deny NetworkPolicy for the keycloak namespace. When enabled, deploys a namespace-wide NetworkPolicy that blocks all ingress and egress for pods without an explicit allow policy. Patterns that need zero-trust network isolation should enable this and provide per-pod allow rules via networkPolicy. 
| +| externalSecrets | object | `{"acs":{"annotations":{},"creationPolicy":"Owner","deletionPolicy":"Retain","labels":{},"refreshPolicy":"Periodic"},"adminUser":{"annotations":{},"creationPolicy":"Owner","deletionPolicy":"Retain","labels":{},"refreshPolicy":"Periodic"},"keycloakUsers":{"annotations":{},"creationPolicy":"Owner","deletionPolicy":"Retain","labels":{},"refreshPolicy":"Periodic"},"oidcClientSecret":{"annotations":{},"creationPolicy":"Owner","deletionPolicy":"Retain","labels":{},"refreshPolicy":"Periodic"},"postgresqlDb":{"annotations":{},"creationPolicy":"Owner","deletionPolicy":"Retain","labels":{},"refreshPolicy":"Periodic"},"rhtpa":{"annotations":{},"creationPolicy":"Owner","deletionPolicy":"Retain","labels":{},"refreshPolicy":"Periodic"}}` | Properties associated with ExternalSecret resources. | +| global.localClusterDomain | string | `"apps.example.com"` | | +| global.refreshInterval | string | `"1h"` | | +| global.secretStore.kind | string | `"ClusterSecretStore"` | | +| global.secretStore.name | string | `"vault-backend"` | | +| keycloak.adminUser.enabled | bool | `true` | | +| keycloak.adminUser.passwordVaultKey | string | `"secret/data/hub/infra/keycloak/keycloak"` | | +| keycloak.adminUser.secretName | string | `"keycloak-admin-user"` | | +| keycloak.adminUser.username | string | `"admin"` | | +| keycloak.defaultConfig | bool | `true` | | +| keycloak.defaultRealm.clientScopes[0].attributes."display.on.consent.screen" | string | `"false"` | | +| keycloak.defaultRealm.clientScopes[0].attributes."include.in.token.scope" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[0].description | string | `"OpenID Connect built-in scope"` | | +| keycloak.defaultRealm.clientScopes[0].name | string | `"openid"` | | +| keycloak.defaultRealm.clientScopes[0].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[0].protocolMappers[0].config."access.token.claim" | string | `"true"` | | +| 
keycloak.defaultRealm.clientScopes[0].protocolMappers[0].config."id.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[0].protocolMappers[0].config."introspection.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[0].protocolMappers[0].consentRequired | bool | `false` | | +| keycloak.defaultRealm.clientScopes[0].protocolMappers[0].name | string | `"sub"` | | +| keycloak.defaultRealm.clientScopes[0].protocolMappers[0].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[0].protocolMappers[0].protocolMapper | string | `"oidc-sub-mapper"` | | +| keycloak.defaultRealm.clientScopes[1].attributes."display.on.consent.screen" | string | `"false"` | | +| keycloak.defaultRealm.clientScopes[1].attributes."include.in.token.scope" | string | `"false"` | | +| keycloak.defaultRealm.clientScopes[1].description | string | `"OpenID Connect basic scope"` | | +| keycloak.defaultRealm.clientScopes[1].name | string | `"basic"` | | +| keycloak.defaultRealm.clientScopes[1].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[1].protocolMappers[0].config."access.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[1].protocolMappers[0].config."introspection.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[1].protocolMappers[0].consentRequired | bool | `false` | | +| keycloak.defaultRealm.clientScopes[1].protocolMappers[0].name | string | `"sub"` | | +| keycloak.defaultRealm.clientScopes[1].protocolMappers[0].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[1].protocolMappers[0].protocolMapper | string | `"oidc-sub-mapper"` | | +| keycloak.defaultRealm.clientScopes[2].attributes."consent.screen.text" | string | `"${emailScopeConsentText}"` | | +| keycloak.defaultRealm.clientScopes[2].attributes."display.on.consent.screen" | string | `"true"` | | +| 
keycloak.defaultRealm.clientScopes[2].attributes."include.in.token.scope" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[2].description | string | `"OpenID Connect email scope"` | | +| keycloak.defaultRealm.clientScopes[2].name | string | `"email"` | | +| keycloak.defaultRealm.clientScopes[2].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].config."access.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].config."claim.name" | string | `"email"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].config."id.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].config."jsonType.label" | string | `"String"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].config."user.attribute" | string | `"email"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].config."userinfo.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].consentRequired | bool | `false` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].name | string | `"email"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[0].protocolMapper | string | `"oidc-usermodel-attribute-mapper"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].config."access.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].config."claim.name" | string | `"email_verified"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].config."id.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].config."jsonType.label" | string | `"boolean"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].config."user.attribute" | string | `"emailVerified"` | | +| 
keycloak.defaultRealm.clientScopes[2].protocolMappers[1].config."userinfo.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].consentRequired | bool | `false` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].name | string | `"email verified"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[2].protocolMappers[1].protocolMapper | string | `"oidc-usermodel-attribute-mapper"` | | +| keycloak.defaultRealm.clientScopes[3].attributes."consent.screen.text" | string | `"${profileScopeConsentText}"` | | +| keycloak.defaultRealm.clientScopes[3].attributes."display.on.consent.screen" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[3].attributes."include.in.token.scope" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[3].description | string | `"OpenID Connect profile scope"` | | +| keycloak.defaultRealm.clientScopes[3].name | string | `"profile"` | | +| keycloak.defaultRealm.clientScopes[3].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].config."access.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].config."claim.name" | string | `"preferred_username"` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].config."id.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].config."jsonType.label" | string | `"String"` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].config."user.attribute" | string | `"username"` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].config."userinfo.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].consentRequired | bool | `false` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].name | string | `"username"` | | +| 
keycloak.defaultRealm.clientScopes[3].protocolMappers[0].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[0].protocolMapper | string | `"oidc-usermodel-attribute-mapper"` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[1].config."access.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[1].config."id.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[1].config."userinfo.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[1].consentRequired | bool | `false` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[1].name | string | `"full name"` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[1].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[3].protocolMappers[1].protocolMapper | string | `"oidc-full-name-mapper"` | | +| keycloak.defaultRealm.clientScopes[4].attributes."consent.screen.text" | string | `"${rolesScopeConsentText}"` | | +| keycloak.defaultRealm.clientScopes[4].attributes."display.on.consent.screen" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[4].attributes."include.in.token.scope" | string | `"false"` | | +| keycloak.defaultRealm.clientScopes[4].description | string | `"OpenID Connect roles scope"` | | +| keycloak.defaultRealm.clientScopes[4].name | string | `"roles"` | | +| keycloak.defaultRealm.clientScopes[4].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].config."access.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].config."claim.name" | string | `"realm_access.roles"` | | +| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].config."jsonType.label" | string | `"String"` | | +| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].config."user.attribute" | string | `"foo"` | | +| 
keycloak.defaultRealm.clientScopes[4].protocolMappers[0].config.multivalued | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].consentRequired | bool | `false` | | +| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].name | string | `"realm roles"` | | +| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[4].protocolMappers[0].protocolMapper | string | `"oidc-usermodel-realm-role-mapper"` | | +| keycloak.defaultRealm.clientScopes[4].protocolMappers[1].consentRequired | bool | `false` | | +| keycloak.defaultRealm.clientScopes[4].protocolMappers[1].name | string | `"audience resolve"` | | +| keycloak.defaultRealm.clientScopes[4].protocolMappers[1].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[4].protocolMappers[1].protocolMapper | string | `"oidc-audience-resolve-mapper"` | | +| keycloak.defaultRealm.clientScopes[5].attributes."display.on.consent.screen" | string | `"false"` | | +| keycloak.defaultRealm.clientScopes[5].attributes."include.in.token.scope" | string | `"false"` | | +| keycloak.defaultRealm.clientScopes[5].description | string | `"OpenID Connect web origins scope"` | | +| keycloak.defaultRealm.clientScopes[5].name | string | `"web-origins"` | | +| keycloak.defaultRealm.clientScopes[5].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[5].protocolMappers[0].config."access.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[5].protocolMappers[0].consentRequired | bool | `false` | | +| keycloak.defaultRealm.clientScopes[5].protocolMappers[0].name | string | `"allowed web origins"` | | +| keycloak.defaultRealm.clientScopes[5].protocolMappers[0].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[5].protocolMappers[0].protocolMapper | string | `"oidc-allowed-origins-mapper"` | | +| 
keycloak.defaultRealm.clientScopes[6].attributes."display.on.consent.screen" | string | `"false"` | | +| keycloak.defaultRealm.clientScopes[6].attributes."include.in.token.scope" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[6].description | string | `"Permission to create documents"` | | +| keycloak.defaultRealm.clientScopes[6].name | string | `"create:document"` | | +| keycloak.defaultRealm.clientScopes[6].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[7].attributes."display.on.consent.screen" | string | `"false"` | | +| keycloak.defaultRealm.clientScopes[7].attributes."include.in.token.scope" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[7].description | string | `"Permission to read documents"` | | +| keycloak.defaultRealm.clientScopes[7].name | string | `"read:document"` | | +| keycloak.defaultRealm.clientScopes[7].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[8].attributes."display.on.consent.screen" | string | `"false"` | | +| keycloak.defaultRealm.clientScopes[8].attributes."include.in.token.scope" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[8].description | string | `"Permission to update documents"` | | +| keycloak.defaultRealm.clientScopes[8].name | string | `"update:document"` | | +| keycloak.defaultRealm.clientScopes[8].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clientScopes[9].attributes."display.on.consent.screen" | string | `"false"` | | +| keycloak.defaultRealm.clientScopes[9].attributes."include.in.token.scope" | string | `"true"` | | +| keycloak.defaultRealm.clientScopes[9].description | string | `"Permission to delete documents"` | | +| keycloak.defaultRealm.clientScopes[9].name | string | `"delete:document"` | | +| keycloak.defaultRealm.clientScopes[9].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clients[0].attributes."jwt.credential.issuer" | string | `"spiffe"` | | +| 
keycloak.defaultRealm.clients[0].attributes."jwt.credential.sub" | string | `""` | | +| keycloak.defaultRealm.clients[0].attributes."post.logout.redirect.uris" | string | `"+"` | | +| keycloak.defaultRealm.clients[0].clientAuthenticatorType | string | `"federated-jwt"` | | +| keycloak.defaultRealm.clients[0].clientId | string | `"qtodo-app"` | | +| keycloak.defaultRealm.clients[0].defaultClientScopes[0] | string | `"web-origins"` | | +| keycloak.defaultRealm.clients[0].defaultClientScopes[1] | string | `"roles"` | | +| keycloak.defaultRealm.clients[0].defaultClientScopes[2] | string | `"profile"` | | +| keycloak.defaultRealm.clients[0].defaultClientScopes[3] | string | `"basic"` | | +| keycloak.defaultRealm.clients[0].defaultClientScopes[4] | string | `"email"` | | +| keycloak.defaultRealm.clients[0].directAccessGrantsEnabled | bool | `false` | | +| keycloak.defaultRealm.clients[0].enabled | bool | `true` | | +| keycloak.defaultRealm.clients[0].fullScopeAllowed | bool | `true` | | +| keycloak.defaultRealm.clients[0].name | string | `"qtodo"` | | +| keycloak.defaultRealm.clients[0].optionalClientScopes[0] | string | `"offline_access"` | | +| keycloak.defaultRealm.clients[0].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clients[0].publicClient | bool | `false` | | +| keycloak.defaultRealm.clients[0].redirectUris[0] | string | `"*"` | | +| keycloak.defaultRealm.clients[0].serviceAccountsEnabled | bool | `true` | | +| keycloak.defaultRealm.clients[0].standardFlowEnabled | bool | `true` | | +| keycloak.defaultRealm.clients[0].webOrigins[0] | string | `"+"` | | +| keycloak.defaultRealm.clients[1].attributes."oauth2.device.authorization.grant.enabled" | string | `"true"` | | +| keycloak.defaultRealm.clients[1].clientId | string | `"trusted-artifact-signer"` | | +| keycloak.defaultRealm.clients[1].directAccessGrantsEnabled | bool | `true` | | +| keycloak.defaultRealm.clients[1].enabled | bool | `true` | | +| 
keycloak.defaultRealm.clients[1].implicitFlowEnabled | bool | `false` | | +| keycloak.defaultRealm.clients[1].name | string | `"Red Hat Trusted Artifact Signer Client"` | | +| keycloak.defaultRealm.clients[1].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[0].config."access.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[0].config."id.token.claim" | string | `"false"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[0].config."included.client.audience" | string | `"trusted-artifact-signer"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[0].name | string | `"audience-mapper"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[0].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[0].protocolMapper | string | `"oidc-audience-mapper"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[1].config."access.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[1].config."claim.name" | string | `"email_verified"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[1].config."claim.value" | string | `"true"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[1].config."id.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[1].config."jsonType.label" | string | `"boolean"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[1].config."userinfo.token.claim" | string | `"false"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[1].consentRequired | bool | `false` | | +| keycloak.defaultRealm.clients[1].protocolMappers[1].name | string | `"email-mapper"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[1].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clients[1].protocolMappers[1].protocolMapper | string | `"oidc-hardcoded-claim-mapper"` | | +| keycloak.defaultRealm.clients[1].publicClient | bool | `true` | 
| +| keycloak.defaultRealm.clients[1].redirectUris[0] | string | `"*"` | | +| keycloak.defaultRealm.clients[1].redirectUris[1] | string | `"urn:ietf:wg:oauth:2.0:oob"` | | +| keycloak.defaultRealm.clients[1].redirectUris[2] | string | `"http://localhost:*/auth/callback"` | | +| keycloak.defaultRealm.clients[1].standardFlowEnabled | bool | `true` | | +| keycloak.defaultRealm.clients[1].webOrigins[0] | string | `"+"` | | +| keycloak.defaultRealm.clients[2].clientId | string | `"acs-central"` | | +| keycloak.defaultRealm.clients[2].defaultClientScopes[0] | string | `"openid"` | | +| keycloak.defaultRealm.clients[2].defaultClientScopes[1] | string | `"basic"` | | +| keycloak.defaultRealm.clients[2].defaultClientScopes[2] | string | `"email"` | | +| keycloak.defaultRealm.clients[2].defaultClientScopes[3] | string | `"profile"` | | +| keycloak.defaultRealm.clients[2].defaultClientScopes[4] | string | `"roles"` | | +| keycloak.defaultRealm.clients[2].defaultClientScopes[5] | string | `"web-origins"` | | +| keycloak.defaultRealm.clients[2].directAccessGrantsEnabled | bool | `true` | | +| keycloak.defaultRealm.clients[2].enabled | bool | `true` | | +| keycloak.defaultRealm.clients[2].fullScopeAllowed | bool | `true` | | +| keycloak.defaultRealm.clients[2].implicitFlowEnabled | bool | `false` | | +| keycloak.defaultRealm.clients[2].name | string | `"Red Hat Advanced Cluster Security Central"` | | +| keycloak.defaultRealm.clients[2].optionalClientScopes[0] | string | `"address"` | | +| keycloak.defaultRealm.clients[2].optionalClientScopes[1] | string | `"phone"` | | +| keycloak.defaultRealm.clients[2].optionalClientScopes[2] | string | `"offline_access"` | | +| keycloak.defaultRealm.clients[2].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[0].config."access.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[0].config."claim.name" | string | `"groups"` | | +| 
keycloak.defaultRealm.clients[2].protocolMappers[0].config."full.path" | string | `"false"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[0].config."id.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[0].config."userinfo.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[0].consentRequired | bool | `false` | | +| keycloak.defaultRealm.clients[2].protocolMappers[0].name | string | `"groups"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[0].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[0].protocolMapper | string | `"oidc-group-membership-mapper"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[1].config."access.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[1].config."claim.name" | string | `"roles"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[1].config."id.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[1].config."jsonType.label" | string | `"String"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[1].config."userinfo.token.claim" | string | `"true"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[1].config.multivalued | string | `"true"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[1].consentRequired | bool | `false` | | +| keycloak.defaultRealm.clients[2].protocolMappers[1].name | string | `"roles"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[1].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clients[2].protocolMappers[1].protocolMapper | string | `"oidc-usermodel-realm-role-mapper"` | | +| keycloak.defaultRealm.clients[2].publicClient | bool | `false` | | +| keycloak.defaultRealm.clients[2].redirectUris[0] | string | `"*"` | | +| keycloak.defaultRealm.clients[2].secret | string | `"${ACS_CLIENT_SECRET}"` | | +| 
keycloak.defaultRealm.clients[2].standardFlowEnabled | bool | `true` | | +| keycloak.defaultRealm.clients[2].webOrigins[0] | string | `"*"` | | +| keycloak.defaultRealm.clients[3].attributes."access.token.lifespan" | string | `"300"` | | +| keycloak.defaultRealm.clients[3].attributes."post.logout.redirect.uris" | string | `"+"` | | +| keycloak.defaultRealm.clients[3].clientId | string | `"rhtpa-cli"` | | +| keycloak.defaultRealm.clients[3].defaultClientScopes[0] | string | `"basic"` | | +| keycloak.defaultRealm.clients[3].defaultClientScopes[1] | string | `"email"` | | +| keycloak.defaultRealm.clients[3].defaultClientScopes[2] | string | `"profile"` | | +| keycloak.defaultRealm.clients[3].defaultClientScopes[3] | string | `"roles"` | | +| keycloak.defaultRealm.clients[3].defaultClientScopes[4] | string | `"web-origins"` | | +| keycloak.defaultRealm.clients[3].defaultClientScopes[5] | string | `"create:document"` | | +| keycloak.defaultRealm.clients[3].defaultClientScopes[6] | string | `"read:document"` | | +| keycloak.defaultRealm.clients[3].defaultClientScopes[7] | string | `"update:document"` | | +| keycloak.defaultRealm.clients[3].defaultClientScopes[8] | string | `"delete:document"` | | +| keycloak.defaultRealm.clients[3].directAccessGrantsEnabled | bool | `false` | | +| keycloak.defaultRealm.clients[3].enabled | bool | `true` | | +| keycloak.defaultRealm.clients[3].fullScopeAllowed | bool | `true` | | +| keycloak.defaultRealm.clients[3].implicitFlowEnabled | bool | `false` | | +| keycloak.defaultRealm.clients[3].name | string | `"RHTPA CLI Client"` | | +| keycloak.defaultRealm.clients[3].optionalClientScopes[0] | string | `"address"` | | +| keycloak.defaultRealm.clients[3].optionalClientScopes[1] | string | `"microprofile-jwt"` | | +| keycloak.defaultRealm.clients[3].optionalClientScopes[2] | string | `"offline_access"` | | +| keycloak.defaultRealm.clients[3].optionalClientScopes[3] | string | `"phone"` | | +| keycloak.defaultRealm.clients[3].protocol | string 
| `"openid-connect"` | | +| keycloak.defaultRealm.clients[3].publicClient | bool | `false` | | +| keycloak.defaultRealm.clients[3].secret | string | `"${RHTPA_CLI_SECRET}"` | | +| keycloak.defaultRealm.clients[3].serviceAccountsEnabled | bool | `true` | | +| keycloak.defaultRealm.clients[3].standardFlowEnabled | bool | `false` | | +| keycloak.defaultRealm.clients[4].attributes."access.token.lifespan" | string | `"300"` | | +| keycloak.defaultRealm.clients[4].attributes."post.logout.redirect.uris" | string | `"+"` | | +| keycloak.defaultRealm.clients[4].clientId | string | `"rhtpa-frontend"` | | +| keycloak.defaultRealm.clients[4].defaultClientScopes[0] | string | `"basic"` | | +| keycloak.defaultRealm.clients[4].defaultClientScopes[1] | string | `"email"` | | +| keycloak.defaultRealm.clients[4].defaultClientScopes[2] | string | `"profile"` | | +| keycloak.defaultRealm.clients[4].defaultClientScopes[3] | string | `"roles"` | | +| keycloak.defaultRealm.clients[4].defaultClientScopes[4] | string | `"web-origins"` | | +| keycloak.defaultRealm.clients[4].defaultClientScopes[5] | string | `"create:document"` | | +| keycloak.defaultRealm.clients[4].defaultClientScopes[6] | string | `"read:document"` | | +| keycloak.defaultRealm.clients[4].defaultClientScopes[7] | string | `"update:document"` | | +| keycloak.defaultRealm.clients[4].defaultClientScopes[8] | string | `"delete:document"` | | +| keycloak.defaultRealm.clients[4].directAccessGrantsEnabled | bool | `false` | | +| keycloak.defaultRealm.clients[4].enabled | bool | `true` | | +| keycloak.defaultRealm.clients[4].fullScopeAllowed | bool | `true` | | +| keycloak.defaultRealm.clients[4].implicitFlowEnabled | bool | `true` | | +| keycloak.defaultRealm.clients[4].name | string | `"RHTPA Frontend Client"` | | +| keycloak.defaultRealm.clients[4].optionalClientScopes[0] | string | `"address"` | | +| keycloak.defaultRealm.clients[4].optionalClientScopes[1] | string | `"microprofile-jwt"` | | +| 
keycloak.defaultRealm.clients[4].optionalClientScopes[2] | string | `"offline_access"` | | +| keycloak.defaultRealm.clients[4].optionalClientScopes[3] | string | `"phone"` | | +| keycloak.defaultRealm.clients[4].protocol | string | `"openid-connect"` | | +| keycloak.defaultRealm.clients[4].publicClient | bool | `true` | | +| keycloak.defaultRealm.clients[4].redirectUris[0] | string | `"*"` | | +| keycloak.defaultRealm.clients[4].serviceAccountsEnabled | bool | `false` | | +| keycloak.defaultRealm.clients[4].standardFlowEnabled | bool | `true` | | +| keycloak.defaultRealm.clients[4].webOrigins[0] | string | `"*"` | | +| keycloak.defaultRealm.defaultDefaultClientScopes[0] | string | `"openid"` | | +| keycloak.defaultRealm.defaultDefaultClientScopes[1] | string | `"basic"` | | +| keycloak.defaultRealm.defaultDefaultClientScopes[2] | string | `"email"` | | +| keycloak.defaultRealm.defaultDefaultClientScopes[3] | string | `"profile"` | | +| keycloak.defaultRealm.defaultDefaultClientScopes[4] | string | `"roles"` | | +| keycloak.defaultRealm.defaultDefaultClientScopes[5] | string | `"web-origins"` | | +| keycloak.defaultRealm.displayName | string | `"ZTVP Realm"` | | +| keycloak.defaultRealm.enabled | bool | `true` | | +| keycloak.defaultRealm.realm | string | `"ztvp"` | | +| keycloak.defaultRealm.registrationAllowed | bool | `false` | | +| keycloak.defaultRealm.roles.realm[0].description | string | `"QTodo App Administrator"` | | +| keycloak.defaultRealm.roles.realm[0].name | string | `"qtodo-admin"` | | +| keycloak.defaultRealm.roles.realm[1].description | string | `"Read-only access"` | | +| keycloak.defaultRealm.roles.realm[1].name | string | `"viewer"` | | +| keycloak.defaultRealm.roles.realm[2].description | string | `"RHTPA SBOM Creator"` | | +| keycloak.defaultRealm.roles.realm[2].name | string | `"create:sbom"` | | +| keycloak.defaultRealm.roles.realm[3].description | string | `"RHTPA Document Creator"` | | +| keycloak.defaultRealm.roles.realm[3].name | string | 
`"create:document"` | | +| keycloak.defaultRealm.roles.realm[4].description | string | `"ACS Administrator"` | | +| keycloak.defaultRealm.roles.realm[4].name | string | `"acs-admin"` | | +| keycloak.defaultRealm.users[0].createdTimestamp | int | `1` | | +| keycloak.defaultRealm.users[0].credentials[0].temporary | bool | `true` | | +| keycloak.defaultRealm.users[0].credentials[0].type | string | `"password"` | | +| keycloak.defaultRealm.users[0].credentials[0].value | string | `"${QTODO_ADMIN_PASSWORD}"` | | +| keycloak.defaultRealm.users[0].email | string | `"qtodo-admin@example.com"` | | +| keycloak.defaultRealm.users[0].emailVerified | bool | `true` | | +| keycloak.defaultRealm.users[0].enabled | bool | `true` | | +| keycloak.defaultRealm.users[0].firstName | string | `"QTodo"` | | +| keycloak.defaultRealm.users[0].lastName | string | `"Admin"` | | +| keycloak.defaultRealm.users[0].realmRoles[0] | string | `"qtodo-admin"` | | +| keycloak.defaultRealm.users[0].requiredActions[0] | string | `"UPDATE_PASSWORD"` | | +| keycloak.defaultRealm.users[0].username | string | `"qtodo-admin"` | | +| keycloak.defaultRealm.users[1].createdTimestamp | int | `1` | | +| keycloak.defaultRealm.users[1].credentials[0].temporary | bool | `true` | | +| keycloak.defaultRealm.users[1].credentials[0].type | string | `"password"` | | +| keycloak.defaultRealm.users[1].credentials[0].value | string | `"${QTODO_USER1_PASSWORD}"` | | +| keycloak.defaultRealm.users[1].email | string | `"qtodo-user1@example.com"` | | +| keycloak.defaultRealm.users[1].emailVerified | bool | `true` | | +| keycloak.defaultRealm.users[1].enabled | bool | `true` | | +| keycloak.defaultRealm.users[1].firstName | string | `"QTodo"` | | +| keycloak.defaultRealm.users[1].lastName | string | `"User-1"` | | +| keycloak.defaultRealm.users[1].realmRoles[0] | string | `"viewer"` | | +| keycloak.defaultRealm.users[1].requiredActions[0] | string | `"UPDATE_PASSWORD"` | | +| keycloak.defaultRealm.users[1].username | string | 
`"qtodo-user1"` | | +| keycloak.defaultRealm.users[2].createdTimestamp | int | `1` | | +| keycloak.defaultRealm.users[2].credentials[0].temporary | bool | `false` | | +| keycloak.defaultRealm.users[2].credentials[0].type | string | `"password"` | | +| keycloak.defaultRealm.users[2].credentials[0].value | string | `"${RHTAS_USER_PASSWORD}"` | | +| keycloak.defaultRealm.users[2].email | string | `"rhtas-user@example.com"` | | +| keycloak.defaultRealm.users[2].emailVerified | bool | `true` | | +| keycloak.defaultRealm.users[2].enabled | bool | `true` | | +| keycloak.defaultRealm.users[2].firstName | string | `"RHTAS"` | | +| keycloak.defaultRealm.users[2].lastName | string | `"Signer"` | | +| keycloak.defaultRealm.users[2].realmRoles[0] | string | `"viewer"` | | +| keycloak.defaultRealm.users[2].username | string | `"rhtas-user"` | | +| keycloak.defaultRealm.users[3].createdTimestamp | int | `1` | | +| keycloak.defaultRealm.users[3].credentials[0].temporary | bool | `false` | | +| keycloak.defaultRealm.users[3].credentials[0].type | string | `"password"` | | +| keycloak.defaultRealm.users[3].credentials[0].value | string | `"${RHTPA_USER_PASSWORD}"` | | +| keycloak.defaultRealm.users[3].email | string | `"rhtpa-user@example.com"` | | +| keycloak.defaultRealm.users[3].emailVerified | bool | `true` | | +| keycloak.defaultRealm.users[3].enabled | bool | `true` | | +| keycloak.defaultRealm.users[3].firstName | string | `"RHTPA"` | | +| keycloak.defaultRealm.users[3].lastName | string | `"User"` | | +| keycloak.defaultRealm.users[3].realmRoles[0] | string | `"viewer"` | | +| keycloak.defaultRealm.users[3].realmRoles[1] | string | `"create:sbom"` | | +| keycloak.defaultRealm.users[3].realmRoles[2] | string | `"create:document"` | | +| keycloak.defaultRealm.users[3].username | string | `"rhtpa-user"` | | +| keycloak.defaultRealm.users[4].createdTimestamp | int | `1` | | +| keycloak.defaultRealm.users[4].credentials[0].temporary | bool | `false` | | +| 
keycloak.defaultRealm.users[4].credentials[0].type | string | `"password"` | | +| keycloak.defaultRealm.users[4].credentials[0].value | string | `"${ACS_ADMIN_PASSWORD}"` | | +| keycloak.defaultRealm.users[4].email | string | `"acs-admin@example.com"` | | +| keycloak.defaultRealm.users[4].emailVerified | bool | `true` | | +| keycloak.defaultRealm.users[4].enabled | bool | `true` | | +| keycloak.defaultRealm.users[4].firstName | string | `"ACS"` | | +| keycloak.defaultRealm.users[4].lastName | string | `"Administrator"` | | +| keycloak.defaultRealm.users[4].realmRoles[0] | string | `"acs-admin"` | | +| keycloak.defaultRealm.users[4].realmRoles[1] | string | `"offline_access"` | | +| keycloak.defaultRealm.users[4].username | string | `"acs-admin"` | | +| keycloak.ingress.enabled | bool | `true` | | +| keycloak.ingress.hostname | string | `""` | | +| keycloak.ingress.service | string | `"keycloak-service-trusted"` | | +| keycloak.ingress.termination | string | `"reencrypt"` | | +| keycloak.name | string | `"keycloak"` | | +| keycloak.oidcSecrets.acsClient.vaultPath | string | `"secret/data/hub/infra/acs/acs-central"` | | +| keycloak.oidcSecrets.qtodo.enabled | bool | `false` | | +| keycloak.oidcSecrets.qtodo.vaultPath | string | `"secret/data/apps/qtodo/qtodo-oidc-client"` | | +| keycloak.oidcSecrets.rhtpaCli.vaultPath | string | `"secret/data/hub/infra/rhtpa/rhtpa-oidc-cli"` | | +| keycloak.postgresqlDb.database | string | `"keycloak"` | | +| keycloak.postgresqlDb.passwordVaultKey | string | `"secret/data/hub/infra/keycloak/keycloak"` | | +| keycloak.postgresqlDb.secretName | string | `"postgresql-db"` | | +| keycloak.postgresqlDb.username | string | `"keycloak"` | | +| keycloak.realms | list | `[]` | | +| keycloak.spiffeIdentityProvider.config.alias | string | `"spiffe"` | | +| keycloak.spiffeIdentityProvider.config.config.authorizationUrl | string | `""` | | +| keycloak.spiffeIdentityProvider.config.config.clientId | string | `"keycloak"` | | +| 
keycloak.spiffeIdentityProvider.config.config.clientSecret | string | `"unused"` | | +| keycloak.spiffeIdentityProvider.config.config.issuer | string | `""` | | +| keycloak.spiffeIdentityProvider.config.config.jwksUrl | string | `""` | | +| keycloak.spiffeIdentityProvider.config.config.supportsClientAssertionReuse | string | `"true"` | | +| keycloak.spiffeIdentityProvider.config.config.supportsClientAssertions | string | `"true"` | | +| keycloak.spiffeIdentityProvider.config.config.syncMode | string | `"LEGACY"` | | +| keycloak.spiffeIdentityProvider.config.config.tokenUrl | string | `""` | | +| keycloak.spiffeIdentityProvider.config.config.useJwksUrl | string | `"true"` | | +| keycloak.spiffeIdentityProvider.config.config.validateSignature | string | `"true"` | | +| keycloak.spiffeIdentityProvider.config.displayName | string | `"SPIFFE Workload Identity"` | | +| keycloak.spiffeIdentityProvider.config.enabled | bool | `true` | | +| keycloak.spiffeIdentityProvider.config.hideOnLogin | bool | `true` | | +| keycloak.spiffeIdentityProvider.config.providerId | string | `"oidc"` | | +| keycloak.spiffeIdentityProvider.enabled | bool | `true` | | +| keycloak.tls.secret | string | `"keycloak-tls"` | | +| keycloak.tls.serviceServing | bool | `true` | | +| keycloak.users.passwordVaultKey | string | `"secret/data/hub/infra/users/keycloak-users"` | | +| keycloak.users.secretName | string | `"keycloak-users"` | | +| networkPolicy | object | `{"keycloak":{"egress":[],"enabled":false},"operator":{"egress":[],"enabled":false,"ingress":[]},"postgresql":{"egress":[],"enabled":false,"ingress":[]},"realmImport":{"egress":[],"enabled":false,"podSelector":{"app":"keycloak-realm-import"}}}` | Per-pod NetworkPolicy rules for keycloak, PostgreSQL, and operator pods. Only effective when defaultDenyNetworkPolicy is enabled. 
The RHBK operator manages its own ingress policy for keycloak pods (keycloak-network-policy) — these templates add egress rules for keycloak and full ingress/egress rules for PostgreSQL and operator pods. |
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 7683ee0..d0b4b44 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -19,4 +19,37 @@ Generate the hostname for the Ingress.
 {{- else }}
 {{- print .Values.keycloak.ingress.hostname }}
 {{- end }}
+{{- end }}
+
+{{/*
+Generate the metadata for the ExternalSecrets resource.
+*/}}
+{{- define "keycloak.externalSecrets.metadata" -}}
+{{- if or .annotations .labels }}
+metadata:
+ {{- if .annotations }}
+ annotations:
+ {{- toYaml .annotations | nindent 4 }}
+ {{- end }}
+ {{- if .labels }}
+ labels:
+ {{- toYaml .labels | nindent 4 }}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Generate the lifecycle for the ExternalSecrets resource.
+*/}}
+{{- define "keycloak.externalSecrets.lifecycle" -}}
+creationPolicy: {{ .creationPolicy }}
+deletionPolicy: {{ .deletionPolicy }}
+refreshPolicy: {{ .refreshPolicy }}
+{{- end }}
+
+{{/*
+Generate the refresh interval for the ExternalSecrets resource.
+*/}}
+{{- define "keycloak.externalSecrets.refreshInterval" -}}
+{{ printf "%s" (.refreshInterval | default .globalRefreshInterval) }}
 {{- end }}
\ No newline at end of file
diff --git a/templates/acs-oidc-client-secret-external-secret.yaml b/templates/acs-oidc-client-secret-external-secret.yaml
index 77f244c..6f4d0f3 100644
--- a/templates/acs-oidc-client-secret-external-secret.yaml
+++ b/templates/acs-oidc-client-secret-external-secret.yaml
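Review bot: `keycloak.externalSecrets.lifecycle` emits `refreshPolicy` together with `creationPolicy` and `deletionPolicy`, but every caller in this patch includes it under `spec.target` (the `nindent 4` after `target.name` in the six `templates/*-external-secret.yaml` hunks), and as far as I know `refreshPolicy` is a `spec`-level field of ExternalSecret while only `creationPolicy` and `deletionPolicy` belong under `target`. Depending on how the manifest is applied, the misplaced field is either pruned silently — so `refreshPolicy: Periodic` never takes effect — or rejected as an unknown field, and on an ESO release that predates `refreshPolicy` the same happens even at `spec` level. I would drop `refreshPolicy: {{ .refreshPolicy }}` from this helper and render it beside `refreshInterval` in each template, e.g. `refreshPolicy: {{ .Values.externalSecrets.acs.refreshPolicy }}`. The helper also dereferences all three keys unconditionally, so a consumer that nulls out one of the `externalSecrets.<name>` maps gets a nil-pointer template error rather than a default; wrapping each line in `{{- with .creationPolicy }}` (or piping through `default`) would make that failure mode explicit.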
@@ -6,13 +6,15 @@ metadata:
 name: acs-oidc-client-secret
 namespace: {{ .Release.Namespace }}
 spec:
- refreshInterval: 15s
+ refreshInterval: {{ template "keycloak.externalSecrets.refreshInterval" (dict "refreshInterval" .Values.externalSecrets.acs.refreshInterval "globalRefreshInterval" .Values.global.refreshInterval) }}
 secretStoreRef:
 name: {{ .Values.global.secretStore.name }}
 kind: {{ .Values.global.secretStore.kind }}
 target:
 name: acs-oidc-client-secret
+ {{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.acs | nindent 4 }}
 template:
+ {{- include "keycloak.externalSecrets.metadata" .Values.externalSecrets.acs | nindent 6 }}
 type: Opaque
 data:
 client-secret: "{{ `{{ .client_secret }}` }}"
diff --git a/templates/keycloak-admin-user-external-secret.yaml b/templates/keycloak-admin-user-external-secret.yaml
index a2775bb..cc9ce22 100644
--- a/templates/keycloak-admin-user-external-secret.yaml
+++ b/templates/keycloak-admin-user-external-secret.yaml
@@ -5,13 +5,15 @@ metadata:
 name: keycloak-admin-user
 namespace: {{ .Release.Namespace }}
 spec:
- refreshInterval: 15s
+ refreshInterval: {{ template "keycloak.externalSecrets.refreshInterval" (dict "refreshInterval" .Values.externalSecrets.adminUser.refreshInterval "globalRefreshInterval" .Values.global.refreshInterval) }}
 secretStoreRef:
 name: {{ .Values.global.secretStore.name }}
 kind: {{ .Values.global.secretStore.kind }}
 target:
 name: {{ .Values.keycloak.adminUser.secretName }}
+ {{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.adminUser | nindent 4 }}
 template:
+ {{- include "keycloak.externalSecrets.metadata" .Values.externalSecrets.adminUser | nindent 6 }}
 type: Opaque
 data:
 username: "{{ .Values.keycloak.adminUser.username }}"
diff --git a/templates/keycloak-users-external-secret.yaml b/templates/keycloak-users-external-secret.yaml
index 77e5f02..1c7d39d 100644
--- a/templates/keycloak-users-external-secret.yaml
+++ b/templates/keycloak-users-external-secret.yaml
@@ -4,30 +4,16 @@ kind: ExternalSecret
 metadata:
 name: keycloak-users
 namespace: {{ .Release.Namespace }}
- {{- if .Values.externalSecrets.oneShot }}
- annotations:
- argocd.argoproj.io/hook: Sync
- argocd.argoproj.io/hook-delete-policy: HookSucceeded
- argocd.argoproj.io/sync-options: PrunePropagationPolicy=orphan
- {{- end }}
 spec:
- refreshInterval: 15s
+ refreshInterval: {{ template "keycloak.externalSecrets.refreshInterval" (dict "refreshInterval" .Values.externalSecrets.keycloakUsers.refreshInterval "globalRefreshInterval" .Values.global.refreshInterval) }}
 secretStoreRef:
 name: {{ .Values.global.secretStore.name }}
 kind: {{ .Values.global.secretStore.kind }}
 target:
 name: keycloak-users
- {{- if .Values.externalSecrets.oneShot }}
- creationPolicy: Orphan
- {{- else }}
- creationPolicy: {{ .Values.externalSecrets.creationPolicy }}
- {{- end }}
+ {{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.keycloakUsers | nindent 4 }}
 template:
- {{- if .Values.externalSecrets.oneShot }}
- metadata:
- labels:
- {{ .Values.externalSecrets.secretCleanupLabel }}: delete
- {{- end }}
+ {{- include "keycloak.externalSecrets.metadata" .Values.externalSecrets.keycloakUsers | nindent 6 }}
 type: Opaque
 data:
 qtodo-admin-password: "{{ `{{ .qtodo_admin_password }}` }}"
diff --git a/templates/oidc-client-secret-external-secret.yaml b/templates/oidc-client-secret-external-secret.yaml
index 0ba01a6..9036ef4 100644
--- a/templates/oidc-client-secret-external-secret.yaml
+++ b/templates/oidc-client-secret-external-secret.yaml
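Review bot: The removed `externalSecrets.oneShot`, `externalSecrets.creationPolicy` and `externalSecrets.secretCleanupLabel` keys are not guarded anywhere in the new template, so a wrapper chart that still sets them gets no error and silently loses the hook, Orphan and cleanup-label behaviour (Helm ignores unknown values unless a values.schema.json rejects them). A one-line guard near the top of this file, above the hunk where `apiVersion`/`kind` sit, such as `{{- if hasKey .Values.externalSecrets "oneShot" }}{{ fail "externalSecrets.oneShot was removed; configure externalSecrets.keycloakUsers instead" }}{{- end }}`, turns the breaking change into a visible upgrade error. It is also worth stating in the chart docs that with the new defaults (`creationPolicy: Owner`, `refreshPolicy: Periodic`) the `keycloak-users` Secret, which carries the realm users' passwords, now persists for the life of the ExternalSecret rather than being removable after sync as the old one-shot mode allowed, so consumers relying on that cleanup need their own replacement.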
@@ -5,13 +5,15 @@ metadata:
 name: oidc-client-secret
 namespace: {{ .Release.Namespace }}
 spec:
- refreshInterval: 15s
+ refreshInterval: {{ template "keycloak.externalSecrets.refreshInterval" (dict "refreshInterval" .Values.externalSecrets.oidcClientSecret.refreshInterval "globalRefreshInterval" .Values.global.refreshInterval) }}
 secretStoreRef:
 name: {{ .Values.global.secretStore.name }}
 kind: {{ .Values.global.secretStore.kind }}
 target:
 name: oidc-client-secret
+ {{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.oidcClientSecret | nindent 4 }}
 template:
+ {{- include "keycloak.externalSecrets.metadata" .Values.externalSecrets.oidcClientSecret | nindent 6 }}
 type: Opaque
 data:
 client-secret: "{{ `{{ .client_secret }}` }}"
diff --git a/templates/postgresql-db-external-secret.yaml b/templates/postgresql-db-external-secret.yaml
index cc81f46..064ad79 100644
--- a/templates/postgresql-db-external-secret.yaml
+++ b/templates/postgresql-db-external-secret.yaml
@@ -4,13 +4,15 @@ metadata:
 name: postgresql-db
 namespace: {{ .Release.Namespace }}
 spec:
- refreshInterval: 15s
+ refreshInterval: {{ template "keycloak.externalSecrets.refreshInterval" (dict "refreshInterval" .Values.externalSecrets.postgresqlDb.refreshInterval "globalRefreshInterval" .Values.global.refreshInterval) }}
 secretStoreRef:
 name: {{ .Values.global.secretStore.name }}
 kind: {{ .Values.global.secretStore.kind }}
 target:
 name: {{ .Values.keycloak.postgresqlDb.secretName }}
+ {{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.postgresqlDb | nindent 4 }}
 template:
+ {{- include "keycloak.externalSecrets.metadata" .Values.externalSecrets.postgresqlDb | nindent 6 }}
 type: Opaque
 data:
 username: {{ .Values.keycloak.postgresqlDb.username }}
diff --git a/templates/rhtpa-oidc-cli-secret-external-secret.yaml b/templates/rhtpa-oidc-cli-secret-external-secret.yaml
index f74fbec..77d0d3c 100644
--- a/templates/rhtpa-oidc-cli-secret-external-secret.yaml
+++ b/templates/rhtpa-oidc-cli-secret-external-secret.yaml
@@ -6,13 +6,15 @@ metadata:
 name: rhtpa-oidc-cli-secret
 namespace: {{ .Release.Namespace }}
 spec:
- refreshInterval: 15s
+ refreshInterval: {{ template "keycloak.externalSecrets.refreshInterval" (dict "refreshInterval" .Values.externalSecrets.rhtpa.refreshInterval "globalRefreshInterval" .Values.global.refreshInterval) }}
 secretStoreRef:
 name: {{ .Values.global.secretStore.name }}
 kind: {{ .Values.global.secretStore.kind }}
 target:
 name: rhtpa-oidc-cli-secret
+ {{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.rhtpa | nindent 4 }}
 template:
+ {{- include "keycloak.externalSecrets.metadata" .Values.externalSecrets.rhtpa | nindent 6 }}
 type: Opaque
 data:
 client-secret: "{{ `{{ .client_secret | trim }}` }}"
diff --git a/values.yaml b/values.yaml
index 0b6cac6..4f71b1b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1,26 +1,54 @@
 global:
 localClusterDomain: apps.example.com
+ refreshInterval: 1h
 secretStore:
 kind: ClusterSecretStore
 name: vault-backend
 
-# -- One-shot ExternalSecret provisioning for keycloak-users.
-# When oneShot is true, the keycloak-users ExternalSecret becomes an
-# ArgoCD Sync hook with HookSucceeded and creationPolicy: Orphan.
-# Orphan prevents ESO from setting an ownerReference on the Secret,
-# so k8s GC will not cascade-delete the Secret when ArgoCD removes
-# the ExternalSecret hook after sync.
-# A PostSync Job in the wrapper chart (e.g. rh-keycloak in
-# layered-zero-trust) then cleans up Secrets labeled
-# secretCleanupLabel=delete.
-# When oneShot is false (default), keycloak-users is a regular
-# ExternalSecret with no hook annotations — the Secret and
-# ExternalSecret persist.
-# @default -- disabled (regular ExternalSecret, no hooks)
+# -- Properties associated with ExternalSecret resources.
 externalSecrets:
- oneShot: false
- creationPolicy: Owner
- secretCleanupLabel: "validatedpatterns.io/cleanup"
+ acs:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ refreshPolicy: Periodic
+ #refreshInterval: 1h
+ annotations: {}
+ labels: {}
+ adminUser:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ refreshPolicy: Periodic
+ #refreshInterval: 1h
+ annotations: {}
+ labels: {}
+ keycloakUsers:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ refreshPolicy: Periodic
+ #refreshInterval: 1h
+ annotations: {}
+ labels: {}
+ oidcClientSecret:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ refreshPolicy: Periodic
+ #refreshInterval: 1h
+ annotations: {}
+ labels: {}
+ postgresqlDb:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ refreshPolicy: Periodic
+ #refreshInterval: 1h
+ annotations: {}
+ labels: {}
+ rhtpa:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ refreshPolicy: Periodic
+ #refreshInterval: 1h
+ annotations: {}
+ labels: {}
 
 # -- Default-deny NetworkPolicy for the keycloak namespace.
 # When enabled, deploys a namespace-wide NetworkPolicy that blocks all ingress and egress
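Review bot: `global.refreshInterval` is a Helm `global` value, so it is propagated to every subchart of a release that sets it, not only to this chart; a wrapper pattern installing several subcharts could have this generic name collide with another chart's `global.refreshInterval`, and a nested name such as `global.externalSecrets.refreshInterval` (or a chart-local `externalSecrets.refreshInterval`) avoids that. The new default also moves refresh from the previous hard-coded `15s` to `1h`, which means a credential rotated in Vault can take up to an hour to reach the Secret — that trade-off belongs in a `# -- ` helm-docs comment on the key so the generated README states it. The six per-secret stanzas are identical and undocumented: `#refreshInterval: 1h` should read `# refreshInterval: 1h` (yamllint `comments`), and `creationPolicy`, `deletionPolicy` and `refreshPolicy` each deserve a `# -- ` line naming the accepted values, since the README table is generated from these comments. Naming is uneven as well — `acs` and `rhtpa` are abbreviated while `oidcClientSecret` and `postgresqlDb` mirror their template files — so `acsOidcClientSecret` and `rhtpaOidcCliSecret` would make the mapping from values key to template obvious.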