idp auto config

Co-authored-by: Copilot <copilot@github.com>
2026-04-30 14:37:13 +02:00
parent 03e60a3512
commit 417185d567
4 changed files with 106 additions and 0 deletions

@@ -1384,6 +1384,46 @@ spec:
- Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`) - Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
- `synchronize: true` — changes to the source Secret are reflected in the clone - `synchronize: true` — changes to the source Secret are reflected in the clone
### Keycloak Microsoft/Entra Identity Provider
**File**: `infra/values/upc-dev/keycloak-values.yaml`
**Namespace**: `keycloak`
**Purpose**: Configures Microsoft Entra (Azure AD) as an external identity provider for the Forte realm, enabling SSO via Microsoft accounts with token storage for downstream API access (e.g., Microsoft Graph).
**Configuration via keycloakConfigCli**:
- IdP alias: `forte-entra`, provider: `microsoft`
- Client secret injected from `microsoft-idp-credentials` Secret via `$(env:MS_IDP_CLIENT_SECRET)` syntax
- `extraEnvVarsSecret: microsoft-idp-credentials` makes the Secret available as env vars to config-cli
**Key Configuration Notes**:
| Field | Location | Notes |
|-------|----------|-------|
| `tenant` | `config.tenant` | **Must be `tenant`, NOT `tenantId`** — wrong key silently falls back to `common` (multi-tenant) |
| `storeToken` | Top-level IdP field | **NOT inside `config`** — enables broker token storage for KC broker API |
| `defaultScope` | `config.defaultScope` | Space-separated: `openid email profile User.Read Mail.Send` |
| `syncMode` | `config.syncMode` | `IMPORT` — imports user on first login |
**Token Storage & Broker Access**:
- `storeToken: true` persists the Entra access token in Keycloak
- Realm role `default-roles-forte` includes composite `broker.read-token` — grants all realm users access to broker token API
- Broker token retrievable via: `GET /realms/forte/broker/forte-entra/token`
**Identity Provider Mappers**:
- `forte-entra-email`: Hardcodes `emailVerified=true` for Entra-authenticated users (Entra guarantees email verification)
**Required Secret** (`microsoft-idp-credentials`):
```yaml
apiVersion: v1
kind: Secret
metadata:
name: microsoft-idp-credentials
namespace: keycloak
stringData:
MS_IDP_CLIENT_SECRET: "<entra-app-client-secret>"
```
### Default Namespace Blocker ### Default Namespace Blocker
**File**: `cluster-resources/policies/default-ns-blocker.yaml` **File**: `cluster-resources/policies/default-ns-blocker.yaml`
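Review bot: The "Required Secret" example documents `microsoft-idp-credentials` as a plain `kind: Secret` with `stringData`, but this commit delivers it as a `SealedSecret`. Say so in this section and describe how the sealed file is regenerated, so that nobody fills in the template and commits the plaintext client secret. The mapper bullet also justifies `emailVerified=true` with "Entra guarantees email verification" without a reference; link the source for that claim or state which account types in this tenant it was checked for.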

@@ -0,0 +1,15 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: microsoft-idp-credentials
namespace: keycloak
spec:
encryptedData:
MS_IDP_CLIENT_SECRET: AgBGeloOR8LVop8yluydjc7qj4JUkb85z7B3h07i3xLPup1ojgSqtx08huv+8gvSaFoPdxOY8g23iuKeAr2b2A70paHv0ILSVRsIpxzjuao4aDRWxMHD/SFzvitvqaXD1eQUcBNRDk/1NOG0o5b9o4ddMWkNmyCYuZcmOyx18DC1kFrcWGUgJkLTr+YRZcLJ2T80obZ+y4zztYc+vNQlu11KSIALz++c9XzK2XYSdOMdFHmzadWxoCjvkJqG4W5C6AQBlYa7NSydyU6K3TnwS4VHF8w1DRNneM/IuHLMNbcL8WZjHlSS8xgXFUMhG4rkejwM6joQLx57OosTQe1/xdCOPBXq4NO8Q76RXXkoI0EYMbzfK33vr4NVh8zmBUYxhaeQySh2jYdYp7t/79UzvP7jtGYUgqIZNEBqbDKkzvXsJ4dHJnss8U8lWVgLev31ZhaTjIr3A8VKDPbJKIRZPO71/4DiCF0WKLYNKfbYJ5tsyTxivFWDY5NPNkKkgXk4QoScZ3r4bYNZjDp1rC5zCRPGf0Lt1C5Zovx1HTUjpGpAFVi7DyNmEc0uXn2sTwPARAuAj8str+RnlRNzBkpPWKdlOoDVPTSA41dSTfUVZMlQlluu4fdDgGj5sEnhEN0iIxZNRwU/2DD2AVSqG+KtdIkfH6/j0jzdFn4D3Ha6vwAsBIURK4Ird/pLuNGGCDB+LrrNGXDTTKAPFydCuRtpyoM9kFOtSZb7T7q6Vfkqa7LfgP8mdG9JGXJx
template:
metadata:
creationTimestamp: null
name: microsoft-idp-credentials
namespace: keycloak
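Review bot: Nothing in this file records which cluster's sealing key produced `encryptedData` or how to reproduce it, so rotating `MS_IDP_CLIENT_SECRET` later means guessing. Add a leading comment naming the target cluster and the sealing procedure. The two `creationTimestamp: null` lines are generator output and can be dropped.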

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ../../base - ../../base
- entra-upc-dev-credentials-sealed.yaml
# No patches needed — base already has "upc-dev" paths # No patches needed — base already has "upc-dev" paths
# upc-dev is the default/base cluster # upc-dev is the default/base cluster
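Review bot: The added resource `entra-upc-dev-credentials-sealed.yaml` does not share a name with the Secret it produces (`microsoft-idp-credentials`) or with anything in the documentation hunk, which makes it hard to find from the `extraEnvVarsSecret` reference. Rename the file after the Secret, or add a comment on this line stating what it contains.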

@@ -1,2 +1,52 @@
ingress: ingress:
hostname: id.forteapps.net hostname: id.forteapps.net
keycloakConfigCli:
extraEnvVarsSecret: microsoft-idp-credentials
configuration:
microsoft-idp.json: |
{
"realm": "forte",
"identityProviders": [
{
"alias": "forte-entra",
"displayName": "Forte Entra",
"providerId": "microsoft",
"enabled": true,
"storeToken": true,
"trustEmail": true,
"firstBrokerLoginFlowAlias": "first broker login",
"config": {
"clientId": "7995d2b5-b798-4caf-8da6-b00b78bb34d7",
"clientSecret": "$(env:MS_IDP_CLIENT_SECRET)",
"defaultScope": "openid email profile User.Read Mail.Send",
"tenant": "063afd9e-5fcb-48d2-a769-ca31b0f5b443",
"syncMode": "IMPORT"
}
}
],
"identityProviderMappers": [
{
"name": "forte-entra-email",
"identityProviderAlias": "forte-entra",
"identityProviderMapper": "hardcoded-attribute-idp-mapper",
"config": {
"syncMode": "INHERIT",
"attribute": "emailVerified",
"attribute.value": "true"
}
}
],
"roles": {
"realm": [
{
"name": "default-roles-forte",
"composites": {
"client": {
"broker": ["read-token"]
}
}
}
]
}
}
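Review bot: Adding `"broker": ["read-token"]` to `default-roles-forte` gives every realm user, not only those who sign in through `forte-entra`, access to the broker token endpoint, and with `"storeToken": true` and a `defaultScope` that includes `Mail.Send` the stored token can send mail as the user. Move `read-token` to a dedicated role assigned only to the accounts or clients that call the broker API, and drop `Mail.Send` from `defaultScope` unless a consumer needs it. It is also worth confirming that declaring `default-roles-forte` with only this composite does not remove the role's existing composites on import. Separately, `"trustEmail": true` together with the `forte-entra-email` mapper means Keycloak never verifies the email itself, so the `first broker login` flow relies entirely on the address Entra supplies.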