fix: update client configuration to be handled correctly by ory hydra

Author: ewelinagr

charts/management-portal/README.md

@@ -88,6 +88,7 @@ A Helm chart for RADAR-Base Management Portal to manage projects and participant
 | startupProbe.failureThreshold | int | `30` | Failure threshold for startupProbe |
 | networkpolicy | object | check `values.yaml` | Network policy defines who can access this application and who this applications has access to |
 | keystore | string | `""` | base 64 encoded binary p12 keystore containing a ECDSA certificate with alias `radarbase-managementportal-ec` and a RSA certificate with alias `selfsigned`. |
+| public_jwks | string | `""` |  |
 | postgres.host | string | `nil` | host name of the postgres db |
 | postgres.port | string | `nil` | post of the postgres db |
 | postgres.database | string | `nil` | database name |
@@ -108,6 +109,7 @@ A Helm chart for RADAR-Base Management Portal to manage projects and participant
 | authserver.server_url | string | `"http://radar-hydra-public:4444"` | The publicly accessible server URL for the authserver; needed when deviating from http(s)://server_name/auth |
 | authserver.server_admin_url | string | `"http://radar-hydra-admin:4445"` | The admin server URL for the authserver used for service-to-service requests. Only needs to be accessible from inside the cluster where the managementportal resides |
 | authserver.login_url | string | `"{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/hydra"` | The publicly accessible login URL for the authserver; needed when deviating from http(s)://server_name/auth/login |
+| authserver.client_secret | string | `"secret"` |  |
 | managementportal.catalogue_server_enable_auto_import | bool | `false` | set to true, if automatic source-type import from catalogue server should be enabled |
 | managementportal.common_privacy_policy_url | string | `"http://info.thehyve.nl/radar-cns-privacy-policy"` | Override with a publicly resolvable url of the privacy-policy url for your set-up. This can be overridden on a project basis as well. |
 | managementportal.oauth_checking_key_aliases_0 | string | `"radarbase-managementportal-ec"` | Keystore alias to sign JWT tokens from Management Portal |

charts/management-portal/templates/deployment.yaml

@@ -82,16 +82,21 @@ spec:
             value: {{ printf "%s://%s" .Values.advertised_protocol .Values.server_name }}
           - name: MANAGEMENTPORTAL_COMMON_MANAGEMENT_PORTAL_BASE_URL
             value: {{ printf "%s://%s/managementportal" .Values.advertised_protocol .Values.server_name }}
+{{/* TODO for now secret with client_id and client_secret replaced with job creating clients with fixed client names*/}}
+{{/*          - name: MANAGEMENTPORTAL_FRONTEND_CLIENTID*/}}
+{{/*            valueFrom:*/}}
+{{/*              secretKeyRef:*/}}
+{{/*                name: managementportalapp-oauth-client*/}}
+{{/*                key: CLIENT_ID*/}}
+{{/*          - name: MANAGEMENTPORTAL_FRONTEND_CLIENT_SECRET*/}}
+{{/*            valueFrom:*/}}
+{{/*              secretKeyRef:*/}}
+{{/*                name: managementportalapp-oauth-client*/}}
+{{/*                key: CLIENT_SECRET*/}}
           - name: MANAGEMENTPORTAL_FRONTEND_CLIENTID
-            valueFrom:
-              secretKeyRef:
-                name: managementportal-oauth-client
-                key: CLIENT_ID
+            value: "ManagementPortalapp"
           - name: MANAGEMENTPORTAL_FRONTEND_CLIENT_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: managementportal-oauth-client
-                key: CLIENT_SECRET
+            value: "{{ .Values.authserver.client_secret }}"
           - name: MANAGEMENTPORTAL_CATALOGUE_SERVER_ENABLE_AUTO_IMPORT
             value: "{{ .Values.managementportal.catalogue_server_enable_auto_import }}"
           - name: MANAGEMENTPORTAL_OAUTH_CLIENTS_FILE

charts/management-portal/values.yaml

@@ -348,6 +348,7 @@ authserver:
   server_admin_url: http://radar-hydra-admin:4445
   # -- The publicly accessible login URL for the authserver; needed when deviating from http(s)://server_name/auth/login
   login_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/hydra'
+  client_secret: secret
 
 managementportal:
   # -- set to true, if automatic source-type import from catalogue server should be enabled

charts/radar-fitbit-connector/README.md

@@ -93,12 +93,12 @@ A Helm chart for RADAR-base fitbit connector. This application collects data fro
 | fitbit_api_url | string | `"https://api.fitbit.com"` | Fitbit API URL. |
 | fitbit_api_client | string | `""` | Fitbit API client id. |
 | fitbit_api_secret | string | `""` | Fitbit API client secret. |
-| oauthClientId | string | `"radar_fitbit_connector"` | OAuth2 client id from Management Portal |
-| oauthClientSecret | string | `"secret"` | OAuth2 client secret from Management Portal |
-| auth_url | string | `"http://management-portal:8080/managementportal/oauth/token"` | OAuth2 Auth URL for connector client to get access tokens |
+| oauthClientId | string | `"radar_fitbit_connector"` | OAuth2 client id from Hydra |
+| oauthClientSecret | string | `"secret"` | OAuth2 client secret from Hydra |
+| auth_url | string | `"http://radar-hydra-public:4444/oauth2/token"` | OAuth2 Auth URL for connector client to get access tokens |
 | managementportal_url | string | `"http://management-portal:8080/managementportal"` | URL of Management Portal. This will be used to create URLs to access Management Portal |
 | includeIntradayData | bool | `true` | Set to true, if intraday access data should be collected by the connector. This will be set in connector.properties. |
-| user_repository_class | string | `"ServiceUserRepositoryLegacy"` | Class of the user repository to use. This should be a class that implements the UserRepository interface. |
+| user_repository_class | string | `"ServiceUserRepository"` | Class of the user repository to use. This should be a class that implements the UserRepository interface. |
 | rest_source_poll_interval_ms | int | `60000` | How often to poll the source URL. Only use to speed up processing times during e2e testing. |
 | fitbit_user_poll_interval | int | `5000` | Polling interval per Fitbit user per request route in seconds. Only use to speed up processing times during e2e testing. |
 | application_loop_interval_ms | int | `300000` | How often to perform the main application loop (only controls how often to poll for new user registrations). Only use to speed up processing times during e2e testing. |

charts/radar-fitbit-connector/values.yaml

@@ -197,6 +197,12 @@ networkpolicy:
       podSelector:
         matchLabels:
           app.kubernetes.io/name: 'management-portal'
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: 'radar-hydra'
   - to:
     - namespaceSelector:
         matchLabels:
@@ -238,19 +244,19 @@ fitbit_api_client: ""
 # -- Fitbit API client secret.
 fitbit_api_secret: ""
 
-# -- OAuth2 client id from Management Portal
+# -- OAuth2 client id from Hydra
 oauthClientId: radar_fitbit_connector
-# -- OAuth2 client secret from Management Portal
+# -- OAuth2 client secret from Hydra
 oauthClientSecret: secret
 # -- OAuth2 Auth URL for connector client to get access tokens
-auth_url: http://management-portal:8080/managementportal/oauth/token
+auth_url: http://radar-hydra-public:4444/oauth2/token
 # -- URL of Management Portal. This will be used to create URLs to access Management Portal
 managementportal_url: http://management-portal:8080/managementportal
 # -- Set to true, if intraday access data should be collected by the connector. This will be set in connector.properties.
 includeIntradayData: true
 
 # -- Class of the user repository to use. This should be a class that implements the UserRepository interface.
-user_repository_class: ServiceUserRepositoryLegacy
+user_repository_class: ServiceUserRepository
 
 # -- How often to poll the source URL.
 # Only use to speed up processing times during e2e testing.