From c286ddd2183d7cfac81bc21d729ec297fd9bd359 Mon Sep 17 00:00:00 2001
From: Michael Stingl
Date: Tue, 22 Jul 2025 09:29:27 +0200
Subject: [PATCH 1/3] feat: make Keycloak demo users configurable via createDemoUsers setting
- Demo users (alan, dennis, lynn, margaret, mary) are now only created when opencloud.createDemoUsers=true
- This aligns with the OpenCloud createDemoUsers setting for consistency
- Updated README to clarify that the setting affects both OpenCloud and Keycloak users
- Default is false, so demo users are not created by default
---
 charts/opencloud/README.md | 2 +-
 .../opencloud/files/keycloak/opencloud-realm.json.gotmpl | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/charts/opencloud/README.md b/charts/opencloud/README.md
index 7c3cd563..1882a09c 100644
--- a/charts/opencloud/README.md
+++ b/charts/opencloud/README.md
@@ -252,7 +252,7 @@ This will prepend `my-registry.com/` to all image references in the chart. For e
 | `opencloud.insecure` | Insecure mode (for self-signed certificates) | `true` |
 | `opencloud.existingSecret` | Name of the existing secret | `` |
 | `opencloud.adminPassword` | Admin password | `admin` |
-| `opencloud.createDemoUsers` | Create demo users | `false` |
+| `opencloud.createDemoUsers` | Create demo users in OpenCloud and Keycloak (alan, dennis, lynn, margaret, mary) | `false` |
 | `opencloud.resources` | CPU/Memory resource requests/limits | `{}` |
 | `opencloud.persistence.enabled` | Enable persistence | `true` |
 | `opencloud.persistence.size` | Size of the persistent volume | `10Gi` |
diff --git a/charts/opencloud/files/keycloak/opencloud-realm.json.gotmpl b/charts/opencloud/files/keycloak/opencloud-realm.json.gotmpl
index 2aecf121..6a995b2b 100644
--- a/charts/opencloud/files/keycloak/opencloud-realm.json.gotmpl
+++ b/charts/opencloud/files/keycloak/opencloud-realm.json.gotmpl
@@ -485,7 +485,9 @@
 "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false,
 "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ],
 "webAuthnPolicyPasswordlessExtraOrigins" : [ ],
- "users" : [ {
+ "users" : [
+{{- if .Values.opencloud.createDemoUsers }}
+ {
 "id" : "0ab77e6d-23b4-4ba3-9843-a3b3efdcfc53",
 "username" : "admin",
 "firstName" : "Admin",
@@ -622,7 +624,9 @@
 "realmRoles" : [ "default-roles-opencloud", "opencloudUser" ],
 "notBefore" : 0,
 "groups" : [ "/bible-readers", "/users" ]
- } ],
+ }
+{{- end }}
+ ],
 "scopeMappings" : [ {
 "clientScope" : "offline_access",
 "roles" : [ "offline_access" ]
From c8d73491979b94a1b35cb0a89e71d552cbcbb6af Mon Sep 17 00:00:00 2001
From: Michael Stingl
Date: Tue, 22 Jul 2025 09:48:03 +0200
Subject: [PATCH 2/3] docs: add user management section and security warnings
- Added detailed instructions for creating production users in Keycloak
- Listed available OpenCloud roles and their purposes
- Added security warning about demo users with hardcoded passwords
- Clarified that demo users should never be used in production
---
 charts/opencloud/README.md | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/charts/opencloud/README.md b/charts/opencloud/README.md
index 1882a09c..2670c8fd 100644
--- a/charts/opencloud/README.md
+++ b/charts/opencloud/README.md
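Review bot: The `{{- if .Values.opencloud.createDemoUsers }}` guard opens directly after `"users" : [`, and the first object inside it is `"username" : "admin"` (id 0ab77e6d-…), so with the default `false` the realm is rendered with no users at all, including that admin account, while the commit message and the README row only name alan, dennis, lynn, margaret and mary as demo users. The `{{- end }}` in the second hunk at line 624 suggests every user object sits inside the guard; the objects in between are outside this hunk, so I cannot confirm whether more non-demo accounts are affected. If the admin entry is meant to exist in a production realm, the guard should open after the admin object and the separating comma move inside it; if admin is deliberately treated as a demo account with a fixed credential, say so in the README row and the commit message. In either case a template comment above the guard would save the next reader the same question, e.g. `{{- /* Users below are demo accounts with fixed passwords; rendered only when opencloud.createDemoUsers is true */ -}}`.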
@@ -252,7 +252,7 @@ This will prepend `my-registry.com/` to all image references in the chart. For e
 | `opencloud.insecure` | Insecure mode (for self-signed certificates) | `true` |
 | `opencloud.existingSecret` | Name of the existing secret | `` |
 | `opencloud.adminPassword` | Admin password | `admin` |
-| `opencloud.createDemoUsers` | Create demo users in OpenCloud and Keycloak (alan, dennis, lynn, margaret, mary) | `false` |
+| `opencloud.createDemoUsers` | Create demo users in OpenCloud and Keycloak (alan, dennis, lynn, margaret, mary). **WARNING**: Demo users have hardcoded passwords and should never be used in production! | `false` |
 | `opencloud.resources` | CPU/Memory resource requests/limits | `{}` |
 | `opencloud.persistence.enabled` | Enable persistence | `true` |
 | `opencloud.persistence.size` | Size of the persistent volume | `10Gi` |
@@ -347,6 +347,29 @@ keycloak:
 **Note**: If `keycloak.internal.enabled` is `true`, the `global.oidc.issuer` should be left empty to not override the generated issuer URL.
+#### User Management
+
+When `opencloud.createDemoUsers` is set to `false` (default for production), you need to manually create users in Keycloak:
+
+1. **Access Keycloak Admin Console**:
+ - URL: `https://[your-keycloak-domain]/admin/`
+ - Login with Keycloak admin credentials (from `keycloak.internal.adminUser/adminPassword`)
+
+2. **Create Users in the openCloud Realm**:
+ - Switch to the "openCloud" realm (dropdown in top-left corner)
+ - Navigate to Users → Add User
+ - Create users and set passwords in the Credentials tab
+
+3. **Assign Roles**:
+ - Available roles in the openCloud realm:
+ - `opencloudAdmin` - Full administrative access
+ - `opencloudSpaceAdmin` - Space administration capabilities
+ - `opencloudUser` - Regular user access
+ - `opencloudGuest` - Guest access
+ - Assign roles in the Role Mappings tab for each user
+
+**WARNING**: The demo users (when `createDemoUsers: true`) have hardcoded passwords and should NEVER be used in production environments. They are intended for development and testing only.
+
 ### PostgreSQL Settings
 | Parameter | Description | Default |
From 3f4ad224bcf476e96bc0b9ca821804a559ea1c45 Mon Sep 17 00:00:00 2001
From: Michael Stingl
Date: Wed, 23 Jul 2025 13:08:13 +0200
Subject: [PATCH 3/3] refactor: rename createDemoUsers to demoUsers.enabled for consistency
- Changed opencloud.createDemoUsers to opencloud.demoUsers.enabled
- Follows consistent pattern with other enable/disable settings
- Updates all references in templates, values.yaml, and documentation
- Breaking change acceptable as we're in 0.x.x version
---
 charts/opencloud/README.md | 6 +++---
 charts/opencloud/files/keycloak/opencloud-realm.json.gotmpl | 2 +-
 charts/opencloud/templates/opencloud/deployment.yaml | 2 +-
 charts/opencloud/values.yaml | 5 ++++-
 4 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/charts/opencloud/README.md b/charts/opencloud/README.md
index 2670c8fd..40fe8764 100644
--- a/charts/opencloud/README.md
+++ b/charts/opencloud/README.md
@@ -252,7 +252,7 @@ This will prepend `my-registry.com/` to all image references in the chart. For e
 | `opencloud.insecure` | Insecure mode (for self-signed certificates) | `true` |
 | `opencloud.existingSecret` | Name of the existing secret | `` |
 | `opencloud.adminPassword` | Admin password | `admin` |
-| `opencloud.createDemoUsers` | Create demo users in OpenCloud and Keycloak (alan, dennis, lynn, margaret, mary). **WARNING**: Demo users have hardcoded passwords and should never be used in production! | `false` |
+| `opencloud.demoUsers.enabled` | Create demo users in OpenCloud and Keycloak (alan, dennis, lynn, margaret, mary). **WARNING**: Demo users have hardcoded passwords and should never be used in production! | `false` |
 | `opencloud.resources` | CPU/Memory resource requests/limits | `{}` |
 | `opencloud.persistence.enabled` | Enable persistence | `true` |
 | `opencloud.persistence.size` | Size of the persistent volume | `10Gi` |
@@ -349,7 +349,7 @@ keycloak:
 #### User Management
-When `opencloud.createDemoUsers` is set to `false` (default for production), you need to manually create users in Keycloak:
+When `opencloud.demoUsers.enabled` is set to `false` (default for production), you need to manually create users in Keycloak:
 1. **Access Keycloak Admin Console**:
 - URL: `https://[your-keycloak-domain]/admin/`
@@ -368,7 +368,7 @@ When `opencloud.createDemoUsers` is set to `false` (default for production), you
 - `opencloudGuest` - Guest access
 - Assign roles in the Role Mappings tab for each user
-**WARNING**: The demo users (when `createDemoUsers: true`) have hardcoded passwords and should NEVER be used in production environments. They are intended for development and testing only.
+**WARNING**: The demo users (when `demoUsers.enabled: true`) have hardcoded passwords and should NEVER be used in production environments. They are intended for development and testing only.
 ### PostgreSQL Settings
diff --git a/charts/opencloud/files/keycloak/opencloud-realm.json.gotmpl b/charts/opencloud/files/keycloak/opencloud-realm.json.gotmpl
index 6a995b2b..50c11c00 100644
--- a/charts/opencloud/files/keycloak/opencloud-realm.json.gotmpl
+++ b/charts/opencloud/files/keycloak/opencloud-realm.json.gotmpl
@@ -486,7 +486,7 @@
 "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ],
 "webAuthnPolicyPasswordlessExtraOrigins" : [ ],
 "users" : [
-{{- if .Values.opencloud.createDemoUsers }}
+{{- if .Values.opencloud.demoUsers.enabled }}
 {
 "id" : "0ab77e6d-23b4-4ba3-9843-a3b3efdcfc53",
 "username" : "admin",
diff --git a/charts/opencloud/templates/opencloud/deployment.yaml b/charts/opencloud/templates/opencloud/deployment.yaml
index 85823a36..0341a1e1 100644
--- a/charts/opencloud/templates/opencloud/deployment.yaml
+++ b/charts/opencloud/templates/opencloud/deployment.yaml
@@ -278,7 +278,7 @@ spec:
 key: adminPassword
 # Demo users
 - name: IDM_CREATE_DEMO_USERS
- value: {{ .Values.opencloud.createDemoUsers | quote }}
+ value: {{ .Values.opencloud.demoUsers.enabled | quote }}
 {{- if .Values.opencloud.nats.external.enabled }}
 # Use the external nats as the service registry
 - name: MICRO_REGISTRY_ADDRESS
diff --git a/charts/opencloud/values.yaml b/charts/opencloud/values.yaml
index 643cd12a..1f2c0497 100644
--- a/charts/opencloud/values.yaml
+++ b/charts/opencloud/values.yaml
@@ -435,7 +435,10 @@ opencloud:
 adminPassword: admin
 # Create demo users
- createDemoUsers: false
+ # Demo users configuration
+ demoUsers:
+ # Enable demo users (WARNING: Only for development/testing, NOT for production!)
+ enabled: false
 # Additional services to start
 additionalServices: []
 # Services to exclude from starting
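Review bot: After the rename at `value: {{ .Values.opencloud.demoUsers.enabled | quote }}` (and the matching `{{- if .Values.opencloud.demoUsers.enabled }}` in the realm template above), a values file that still sets the old `opencloud.createDemoUsers` key is accepted without complaint: the new key resolves to nil, so the `IDM_CREATE_DEMO_USERS` value renders empty and the realm users are dropped, and as far as I can tell nothing reports the stale key. Since the commit itself calls this a breaking change, it should fail loudly rather than silently change what gets deployed, e.g. at the top of deployment.yaml `{{- if hasKey .Values.opencloud "createDemoUsers" }}{{ fail "opencloud.createDemoUsers was renamed to opencloud.demoUsers.enabled" }}{{- end }}`, or a `values.schema.json` that rejects unknown keys under `opencloud`. The values.yaml hunk is the right place to mention the old name too; a comment such as `# (renamed from createDemoUsers)` next to `demoUsers:` would help anyone diffing their overrides against the chart. The surrounding `env:` list in deployment.yaml continues outside the hunk.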