feat: add init IAM script

README.md

@@ -149,10 +149,12 @@ TODO
 | global.images.tag | string | `"dev"` |  |
 | global.images.web.repository | string | `"ghcr.io/diracgrid/diracx-web/static"` |  |
 | global.images.web.tag | string | `"latest"` |  |
+| indigoiam.config.initial_client.id | string | `nil` |  |
+| indigoiam.config.initial_client.secret | string | `nil` |  |
 | indigoiam.config.issuer | string | `"http://anything:32003"` |  |
 | indigoiam.enabled | bool | `true` |  |
 | indigoiam.image.repository | string | `"indigoiam/iam-login-service"` |  |
-| indigoiam.image.tag | string | `"v1.8.2"` |  |
+| indigoiam.image.tag | string | `"v1.8.3.rc.20231211"` |  |
 | indigoiam.service.nodePort | int | `32003` |  |
 | indigoiam.service.port | int | `8080` |  |
 | indigoiam.service.type | string | `"NodePort"` |  |

demo/values.tpl.yaml

@@ -19,7 +19,7 @@ init-cs:
     - name: diracAdmin
       IdP:
         idp_url: http://{{ hostname }}:32003
-        idp_client_id: d396912e-2f04-439b-8ae7-d8c585a34790
+        idp_client_id: client
       defaultGroup: admin
       Users:
       - sub: EgVsb2NhbA
@@ -60,3 +60,37 @@ dex:
 indigoiam:
   config:
     issuer: http://{{ hostname }}:32003
+
+    admin_user:
+      username: admin
+      password: password
+    initial_client:
+      name: "Admin client (read-write)"
+      id: admin-client-rw
+      secret: secret
+
+    users:
+      - username: jane_doe
+        given_name: Jane
+        family_name: Doe
+        password: password
+
+    clients:
+      - name: "Test client"
+        id: client
+        secret: secret
+        grant_types:
+          - refresh_token
+          - authorization_code
+          - urn:ietf:params:oauth:grant-type:device_code
+        scope:
+          - offline
+          - openid
+          - profile
+        redirect_uris:
+          - https://{{ hostname }}:8000/api/auth/device/complete
+          - https://{{ hostname }}:8000/api/auth/authorize/complete
+
+    groups:
+      dirac:
+        user: [jane_doe]

diracx/templates/_helpers.tpl

@@ -100,17 +100,6 @@ Return the name template for shared-secrets job.
 {{- default "init-secrets" $sharedSecretValues.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
-{{- define "init-iam.fullname" -}}
-{{- printf "%s-init-iam" .Release.Name -}}
-{{- end -}}
-
-{{- define "init-iam.jobname" -}}
-{{- $name := include "init-iam.fullname" . | trunc 55 | trimSuffix "-" -}}
-{{- $rand := randAlphaNum 3 | lower }}
-{{- printf "%s-%d-%s" $name .Release.Revision $rand | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-
 {{/*
 Create a default fully qualified job name for init-secrets.
 Due to the job only being allowed to run once, we add the chart revision so helm

diracx/templates/tests/indigo-iam/deployment.yaml

@@ -13,7 +13,7 @@ spec:
       labels:
         app: iam
       annotations:
-        checksum/init-iam: {{ include (print $.Template.BasePath "/tests/indigo-iam/init-iam/_init-iam.sh.tpl") . | sha256sum }}
+        checksum/init-iam: {{ include (print $.Template.BasePath "/tests/indigo-iam/init-iam/_init-iam.py.tpl") . | sha256sum }}
     spec:
       volumes:
         - name: iam-secret