Add flow-0.10.18 and update documentation

2026-04-09 10:30:54 +00:00
parent 5be6fe300f
commit ceeb9d58e9
3 changed files with 195 additions and 48 deletions
--- a/examples/values.yaml
+++ b/examples/values.yaml
@@ -68,6 +68,18 @@ global:
  # When both keycloak.enabled and azureAd.enabled are true, the system runs in
  # dual-auth mode — accepting JWTs from either provider during the migration period.
  #
+  # AUTHENTICATION MODES:
+  #   1. Entra-only:    azureAd.enabled=true,  keycloak.enabled=false
+  #   2. Keycloak-only: azureAd.enabled=false, keycloak.enabled=true
+  #   3. Dual-auth:     azureAd.enabled=true,  keycloak.enabled=true
+  #   4. Disabled:      azureAd.enabled=false,  keycloak.enabled=false
+  #
+  # USING ENTRA LOGIN THROUGH KEYCLOAK (recommended for new deployments):
+  #   Set azureAd.enabled=false and keycloak.enabled=true, then configure
+  #   keycloak.entraIdBroker (see keycloak section below) with your Entra
+  #   app registration. Users will see "Sign in with Microsoft Entra ID"
+  #   on the Keycloak login page. All tokens are issued by Keycloak.
+  #
  # DATABASE:
  #   Internal PostgreSQL (default): The chart automatically creates a "keycloak"
  #   database and user in the shared PostgreSQL instance. No manual setup needed.
@@ -1215,6 +1227,93 @@ keycloak:
  # -- Extra environment variables for Keycloak
  extraEnv: []

+  # ==========================================================================
+  # Realm configuration
+  # ==========================================================================
+  # These values are injected into the realm import JSON at deploy time.
+  # The realm is auto-imported on first Keycloak boot. To re-import after
+  # changes, delete the Keycloak pod (the realm is re-imported on startup).
+  realm:
+    # -- Additional redirect URIs for the frontend client (production URLs)
+    # The realm always includes localhost URIs for development.
+    # Add your production domain(s) here, e.g.:
+    #   frontendRedirectUris:
+    #     - "https://flow.your-domain.com/*"
+    frontendRedirectUris: []
+
+    # -- Additional web origins for CORS (production domains)
+    # Must match the redirect URI domains without path/wildcard, e.g.:
+    #   frontendWebOrigins:
+    #     - "https://flow.your-domain.com"
+    frontendWebOrigins: []
+
+  # ==========================================================================
+  # Entra ID (Azure AD) Identity Broker
+  # ==========================================================================
+  # When using Keycloak as the sole identity provider (global.azureAd.enabled=false,
+  # global.keycloak.enabled=true), users can still sign in with their existing
+  # Microsoft Entra ID / Azure AD accounts through Keycloak's identity brokering.
+  #
+  # HOW IT WORKS:
+  #   Keycloak is configured as a "broker" — it delegates authentication to Entra ID
+  #   via OIDC, then creates/links a local Keycloak user automatically. From the
+  #   backend services' perspective, all tokens come from Keycloak.
+  #
+  # ENTRA APP REGISTRATION SETUP:
+  #   1. Create (or reuse) an App Registration in Azure Entra ID
+  #   2. Under "Authentication", add a redirect URI:
+  #        https://<keycloak-host>/realms/flow/broker/microsoft/endpoint
+  #      (e.g. https://auth.flow.your-domain.com/realms/flow/broker/microsoft/endpoint)
+  #   3. Under "Certificates & secrets", create a client secret
+  #   4. Copy the Application (client) ID → keycloak.entraIdBroker.clientId
+  #   5. Copy the Directory (tenant) ID → keycloak.entraIdBroker.tenantId
+  #   6. Copy the client secret value → keycloak.entraIdBroker.clientSecret
+  #
+  # SCENARIOS:
+  #   ┌──────────────────────────────┬───────────────────┬──────────────────────┐
+  #   │ Scenario                     │ global.azureAd    │ entraIdBroker        │
+  #   ├──────────────────────────────┼───────────────────┼──────────────────────┤
+  #   │ Keycloak-only, local users   │ enabled: false    │ enabled: false       │
+  #   │ Keycloak + Entra login       │ enabled: false    │ enabled: true        │
+  #   │ Dual-auth (migration)        │ enabled: true     │ enabled: false       │
+  #   │ Full Keycloak with Entra IdP │ enabled: false    │ enabled: true        │
+  #   └──────────────────────────────┴───────────────────┴──────────────────────┘
+  #
+  #   - "Keycloak + Entra login": Keycloak is the only token issuer. Users click
+  #     "Sign in with Microsoft" on the Keycloak login page. Backend services only
+  #     need to validate Keycloak tokens.
+  #   - "Dual-auth (migration)": Both Entra and Keycloak tokens are accepted
+  #     directly by backend services. Use this during migration only.
+  entraIdBroker:
+    # -- Enable Microsoft Entra ID as an identity provider in Keycloak
+    enabled: false
+
+    # -- Display name shown on the Keycloak login page button
+    displayName: "Microsoft Entra ID"
+
+    # -- Azure AD Tenant ID (Directory ID from Azure portal)
+    tenantId: ""
+
+    # -- Azure AD Application (client) ID from the App Registration
+    clientId: ""
+
+    # -- Azure AD client secret from the App Registration
+    # For production, use --set or an external secret instead of storing in values
+    clientSecret: ""
+
+    # -- Trust email addresses from Entra ID without requiring verification
+    # Safe to enable since Entra verifies emails itself
+    trustEmail: true
+
+    # -- First login flow — what happens when an Entra user logs in for the first time
+    # "first broker login": Keycloak's default flow (link or create account)
+    firstLoginFlow: "first broker login"
+
+    # -- Attribute sync mode: INHERIT, IMPORT, LEGACY, or FORCE
+    # IMPORT: Sync attributes on first login only
+    # FORCE: Sync on every login (keeps Keycloak in sync with Entra changes)
+    syncMode: "FORCE"
+
  # -- Resource requests and limits
  resources:
    limits: