diff --git a/glasskube/README.md b/glasskube/README.md
new file mode 100644
index 0000000000..dbacd26add
--- /dev/null
+++ b/glasskube/README.md
@@ -0,0 +1,78 @@
+# Trieve Glasskube Kubernetes installation
+
+
+## 1. Start a new minikube cluster
+
+[Minikube](https://minikube.sigs.k8s.io/docs/start/) can be installed via Homebrew or binary downloads.
+
+```shell
+minikube start -p trieve
+```
+
+## 2. Bootstrap glasskube
+
+[Glasskube](https://glasskube.dev/docs/getting-started/install/) can also be installed via Homebrew or binary downloads.
+
+```shell
+glasskube bootstrap
+```
+
+## 3. Install trieve dependencies
+
+Make sure you cloned the repository and navigated into the `glasskube/` folder.
+
+```shell
+kubectl apply -k dependencies
+```
+
+Depending on your API Server, you might need to execute the command multiple times to install all dependencies.
+
+## 4. Install trieve
+
+Feel free to modify the kustomize based configurations as desired.
+
+```shell
+kubectl apply -k trieve
+```
+
+
+## 5. Configure local DNS
+
+
+Receive the IP address of your minikube cluster
+
+```shell
+minikube ip -p trieve
+```
+
+and make sure to add following entries into your `/etc/hosts` file (make sure you edit this file as root).
+
+```txt
+192.168.xxx.x analytics.localtrieve.com
+192.168.xxx.x chat.localtrieve.com
+192.168.xxx.x api.localtrieve.com
+192.168.xxx.x dashboard.localtrieve.com
+192.168.xxx.x search.localtrieve.com
+127.0.0.1 trieve-keycloak-service
+```
+
+
+## 6. Port-forward Keycloak
+
+```shell
+kubectl port-forward svc/trieve-keycloak-service 8080:8080
+```
+
+
+### 7. Open trieve
+
+Open [dashboard.localtrieve.com](http://dashboard.localtrieve.com) in your browser.
+
+## Optional commands
+
+Scale down all embedding servers:
+
+```shell
+kubectl scale deployment trieve-embedding-bgem3 trieve-embedding-jina trieve-embedding-reranker trieve-embedding-splade-doc trieve-embedding-splade-query --replicas 0
+
+```
\ No newline at end of file
diff --git a/glasskube/dependencies/clickhouse-operator.yaml b/glasskube/dependencies/clickhouse-operator.yaml
new file mode 100644
index 0000000000..eb10880898
--- /dev/null
+++ b/glasskube/dependencies/clickhouse-operator.yaml
@@ -0,0 +1,9 @@
+apiVersion: packages.glasskube.dev/v1alpha1
+kind: ClusterPackage
+metadata:
+ name: clickhouse-operator
+spec:
+ packageInfo:
+ name: clickhouse-operator
+ version: v0.23.7+2
+ repositoryName: glasskube
\ No newline at end of file
diff --git a/glasskube/dependencies/cloudnative-pg.yaml b/glasskube/dependencies/cloudnative-pg.yaml
new file mode 100644
index 0000000000..a71ee851d1
--- /dev/null
+++ b/glasskube/dependencies/cloudnative-pg.yaml
@@ -0,0 +1,9 @@
+apiVersion: packages.glasskube.dev/v1alpha1
+kind: ClusterPackage
+metadata:
+ name: cloudnative-pg
+spec:
+ packageInfo:
+ name: cloudnative-pg
+ version: v1.24.0+1
+ repositoryName: glasskube
\ No newline at end of file
diff --git a/glasskube/dependencies/keycloak-operator.yaml b/glasskube/dependencies/keycloak-operator.yaml
new file mode 100644
index 0000000000..f8a3436c44
--- /dev/null
+++ b/glasskube/dependencies/keycloak-operator.yaml
@@ -0,0 +1,9 @@
+apiVersion: packages.glasskube.dev/v1alpha1
+kind: Package
+metadata:
+ name: trieve-keycloak-operator
+spec:
+ packageInfo:
+ name: keycloak-operator
+ version: v25.0.2+1
+ repositoryName: glasskube
diff --git a/glasskube/dependencies/kustomization.yaml b/glasskube/dependencies/kustomization.yaml
new file mode 100644
index 0000000000..c136da1272
--- /dev/null
+++ b/glasskube/dependencies/kustomization.yaml
@@ -0,0 +1,9 @@
+namespace: default
+resources:
+ - cloudnative-pg.yaml
+ - clickhouse-operator.yaml
+ - keycloak-operator.yaml
+ - qdrant.yaml
+ - redis.yaml
+ - tika.yaml
+
diff --git a/glasskube/dependencies/qdrant.yaml b/glasskube/dependencies/qdrant.yaml
new file mode 100644
index 0000000000..f4506b8343
--- /dev/null
+++ b/glasskube/dependencies/qdrant.yaml
@@ -0,0 +1,9 @@
+apiVersion: packages.glasskube.dev/v1alpha1
+kind: Package
+metadata:
+ name: trieve-qdrant
+spec:
+ packageInfo:
+ name: qdrant
+ repositoryName: glasskube
+ version: v1.11.1+1
\ No newline at end of file
diff --git a/glasskube/dependencies/redis.yaml b/glasskube/dependencies/redis.yaml
new file mode 100644
index 0000000000..3594ca05b0
--- /dev/null
+++ b/glasskube/dependencies/redis.yaml
@@ -0,0 +1,9 @@
+apiVersion: packages.glasskube.dev/v1alpha1
+kind: Package
+metadata:
+ name: trieve-redis
+spec:
+ packageInfo:
+ name: redis
+ repositoryName: glasskube
+ version: v7.4.0+1
\ No newline at end of file
diff --git a/glasskube/dependencies/tika.yaml b/glasskube/dependencies/tika.yaml
new file mode 100644
index 0000000000..6c36f2586e
--- /dev/null
+++ b/glasskube/dependencies/tika.yaml
@@ -0,0 +1,9 @@
+apiVersion: packages.glasskube.dev/v1alpha1
+kind: Package
+metadata:
+ name: trieve-tika
+spec:
+ packageInfo:
+ name: tika
+ repositoryName: glasskube
+ version: v2.9.2+1
\ No newline at end of file
diff --git a/glasskube/trieve/clickhouse.yaml b/glasskube/trieve/clickhouse.yaml
new file mode 100644
index 0000000000..eb5957c508
--- /dev/null
+++ b/glasskube/trieve/clickhouse.yaml
@@ -0,0 +1,52 @@
+apiVersion: clickhouse.altinity.com/v1
+kind: ClickHouseInstallation
+metadata:
+ name: trieve-clickhouse
+spec:
+ configuration:
+ users:
+ default/password: "password" # todo
+ # to allow access outside from kubernetes
+ default/networks/ip:
+ - 0.0.0.0/0
+ clusters:
+ - name: cluster1
+ templates:
+ podTemplate: clickhouse-pod-template
+ layout:
+ shardsCount: 1
+ replicasCount: 1
+ templates:
+ podTemplates:
+ - name: clickhouse-pod-template
+ spec:
+ containers:
+ - name: clickhouse
+ image: trieve/clickhouse:latest
+ digest: sha256:324f541975c43e96b5df6ede74632102d89172b703960bbf01f1842ccf48d240
+ volumeMounts:
+ - name: trieve-clickhouse-data
+ mountPath: /var/lib/clickhouse
+ - name: trieve-clickhouse-logs
+ mountPath: /var/log/clickhouse-server
+ env:
+ - name: EMBEDDING_SERVER_URL
+ value: "" # todo
+ - name: CLICKHOUSE_ADMIN_PASSWORD
+ value: "password" # todo
+
+ volumeClaimTemplates:
+ - name: trieve-clickhouse-data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
+ - name: trieve-clickhouse-logs
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
diff --git a/glasskube/trieve/configmap.yaml b/glasskube/trieve/configmap.yaml
new file mode 100644
index 0000000000..24c96caaba
--- /dev/null
+++ b/glasskube/trieve/configmap.yaml
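Review bot: `digest:` is not a field of a Kubernetes container spec, so the sha256 written under `image: trieve/clickhouse:latest` pins nothing — the pod keeps pulling the mutable `latest` tag, and depending on the ClickHouseInstallation CRD schema the unknown field may be pruned or rejected on apply. Put the digest in the image reference instead: `image: trieve/clickhouse@sha256:324f541975c43e96b5df6ede74632102d89172b703960bbf01f1842ccf48d240`. The `default/password: "password"` and `CLICKHOUSE_ADMIN_PASSWORD` literals (both marked `# todo`) together with `default/networks/ip: 0.0.0.0/0` leave the default user reachable from any address with a known password; source both values from a Secret and, unless the outside-cluster access the comment mentions is really needed, restrict `networks/ip` to the cluster's pod and service CIDRs.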
@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: trieve-server-config
+data:
+ SENTRY_URL: "https://********************************@sentry.trieve.ai/6"
+ ADMIN_API_KEY: "admin" #generate
+ BASE_SERVER_URL: "http://api.localtrieve.com"
+ REDIS_URL: "redis://redis:6379"
+ QDRANT_URL: "http://trieve-qdrant-qdrant:6334"
+ QUANTIZE_VECTORS: "false"
+ REPLICATION_FACTOR: "2"
+ VECTOR_SIZES: "384,512,768,1024,1536,3072"
+ SMTP_RELAY: "smtp.fastmail.com"
+ SMTP_USERNAME: "noreply@trieve.ai"
+ SMTP_PASSWORD: "FROM SECRET"
+ SMTP_EMAIL_ADDRESS: "noreply@trieve.ai"
+ OPENAI_API_KEY: "sk-************************************************"
+ LLM_API_KEY: "sk-************************************************"
+ SECRET_KEY: "01234012340123401234012340123401234012340123401234012340123401234012340123401234" #generate
+ SALT: "" # OPTIOANL
+ S3_ENDPOINT: ""
+ S3_ACCESS_KEY: ""
+ S3_SECRET_KEY: ""
+ S3_BUCKET: ""
+ COOKIE_SECURE: "false"
+ TIKA_URL: "http://tika:9998"
+ OPENAI_BASE_URL: "https://api.openai.com/v1"
+ STRIPE_SECRET: "" #load from secret
+ STRIPE_WEBHOOK_SECRET: "" # load from secret
+ ADMIN_DASHBOARD_URL: "http://localhost:5173" #load
+ OIDC_CLIENT_SECRET: "YllmLDTy67MbsUBrUAWvQ7z9aMq0QcKx"
+ OIDC_CLIENT_ID: "trieve"
+ OIDC_AUTH_REDIRECT_URL: "http://trieve-keycloak-service:8080/realms/trieve/protocol/openid-connect/auth"
+ OIDC_ISSUER_URL: "http://trieve-keycloak-service:8080/realms/trieve"
+ GPU_SERVER_ORIGIN: "http://localhost:7070"
+ SPARSE_SERVER_QUERY_ORIGIN: "http://trieve-embedding-splade-query"
+ SPARSE_SERVER_DOC_ORIGIN: "http://trieve-embedding-splade-doc"
+ EMBEDDING_SERVER_ORIGIN: "http://trieve-embedding-bgem3"
+ EMBEDDING_SERVER_ORIGIN_BGEM3: "http://trieve-embedding-bgem3"
+ EMBEDDING_SERVER_ORIGIN_JINA_CODE: "http://trieve-embedding-jina"
+ RERANKER_SERVER_ORIGIN: "http://trieve-embedding-reranker"
+ UNLIMITED: "true"
+ REDIS_CONNECTIONS: "2"
+ USE_ANALYTICS: "true"
+ CLICKHOUSE_URL: "http://clickhouse-trieve-clickhouse:8123"
+ CLICKHOUSE_DB: "default"
+ CLICKHOUSE_USER: "default"
+ CLICKHOUSE_PASSWORD: "password"
+ JINA_CODE_API_KEY: ""
+ RUST_LOG: "INFO"
+ BM25_ACTIVE: "true"
+ CREATE_QDRANT_COLLECTIONS: "true"
\ No newline at end of file
diff --git a/glasskube/trieve/embeddings/base/deployment.yaml b/glasskube/trieve/embeddings/base/deployment.yaml
new file mode 100644
index 0000000000..62fdfa4d0f
--- /dev/null
+++ b/glasskube/trieve/embeddings/base/deployment.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: trieve-embedding
+spec:
+ selector: {}
+ template:
+ spec:
+ containers:
+ - name: embedding
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: 80
+ image: ghcr.io/huggingface/text-embeddings-inference
+ ports:
+ - containerPort: 80
diff --git a/glasskube/trieve/embeddings/base/kustomization.yaml b/glasskube/trieve/embeddings/base/kustomization.yaml
new file mode 100644
index 0000000000..706be98a60
--- /dev/null
+++ b/glasskube/trieve/embeddings/base/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+ - deployment.yaml
+ - service.yaml
+
+
diff --git a/glasskube/trieve/embeddings/base/service.yaml b/glasskube/trieve/embeddings/base/service.yaml
new file mode 100644
index 0000000000..dd744b127c
--- /dev/null
+++ b/glasskube/trieve/embeddings/base/service.yaml
@@ -0,0 +1,11 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: trieve-embedding
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ name: svc
diff --git a/glasskube/trieve/embeddings/bgem3/deployment-patch.yaml b/glasskube/trieve/embeddings/bgem3/deployment-patch.yaml
new file mode 100644
index 0000000000..91110356c7
--- /dev/null
+++ b/glasskube/trieve/embeddings/bgem3/deployment-patch.yaml
@@ -0,0 +1,13 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: trieve-embedding
+spec:
+ selector: {}
+ template:
+ spec:
+ containers:
+ - name: embedding
+ args:
+ - --model-id
+ - BAAI/bge-m3
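Review bot: This ConfigMap carries credentials — `SECRET_KEY`, `OIDC_CLIENT_SECRET` (a concrete value, now in git history), `SMTP_PASSWORD`, `ADMIN_API_KEY: "admin"`, `CLICKHOUSE_PASSWORD` and the OpenAI/LLM/Stripe key slots — and a ConfigMap is readable by anyone with `get configmaps` in the namespace and is outside Secret encryption at rest, unlike the `secretKeyRef`s the ingest deployment already uses for `DATABASE_URL` and `QDRANT_API_KEY`. Move those keys into a `Secret` loaded through a second `envFrom` entry (e.g. `- secretRef: {name: trieve-server-secrets}`), and rotate the committed `OIDC_CLIENT_SECRET` in the Keycloak realm. `COOKIE_SECURE: "false"` and the plain `http://` OIDC URLs fit the minikube flow in the README but deserve a `# local-only` comment so they are not copied into a production overlay. `REDIS_URL` and `TIKA_URL` point at services named `redis` and `tika` while the Qdrant URL uses the package-prefixed `trieve-qdrant-qdrant`; worth confirming the Redis and Tika packages actually expose services under those short names. Minor: `# OPTIOANL` on `SALT` is a typo.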
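Review bot: The bgem3 patch pulls `BAAI/bge-m3` from the Hugging Face Hub with no `--revision`, so the weights resolve to whatever the model repository's default branch holds at pod start; the jina, reranker, splade-doc and splade-query patches pass `--revision main`, which is just as mutable. Pinning each to a commit (`--revision <MODEL-COMMIT-SHA>`) makes the deployed model reproducible and keeps an upstream repository change from silently altering the produced vectors — and with them Qdrant collection compatibility — across pod restarts.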
diff --git a/glasskube/trieve/embeddings/bgem3/kustomization.yaml b/glasskube/trieve/embeddings/bgem3/kustomization.yaml
new file mode 100644
index 0000000000..1bd02e5cba
--- /dev/null
+++ b/glasskube/trieve/embeddings/bgem3/kustomization.yaml
@@ -0,0 +1,7 @@
+commonLabels:
+ app.kubernetes.io/component: embedding-bgem3
+nameSuffix: -bgem3
+resources:
+ - ../base
+patches:
+ - path: deployment-patch.yaml
diff --git a/glasskube/trieve/embeddings/components/cpu/kustomization.yaml b/glasskube/trieve/embeddings/components/cpu/kustomization.yaml
new file mode 100644
index 0000000000..d4ff2a15ce
--- /dev/null
+++ b/glasskube/trieve/embeddings/components/cpu/kustomization.yaml
@@ -0,0 +1,4 @@
+kind: Component
+images:
+ - name: ghcr.io/huggingface/text-embeddings-inference
+ newTag: cpu-1.4
diff --git a/glasskube/trieve/embeddings/components/gpu/deployment-patch.yaml b/glasskube/trieve/embeddings/components/gpu/deployment-patch.yaml
new file mode 100644
index 0000000000..a2d19a1954
--- /dev/null
+++ b/glasskube/trieve/embeddings/components/gpu/deployment-patch.yaml
@@ -0,0 +1,13 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: trieve-embedding
+spec:
+ selector: {}
+ template:
+ spec:
+ containers:
+ - name: embedding
+ resources:
+ limits:
+ nvidia.com/gpu: "1"
diff --git a/glasskube/trieve/embeddings/components/gpu/kustomization.yaml b/glasskube/trieve/embeddings/components/gpu/kustomization.yaml
new file mode 100644
index 0000000000..47ecc7c3f5
--- /dev/null
+++ b/glasskube/trieve/embeddings/components/gpu/kustomization.yaml
@@ -0,0 +1,6 @@
+kind: Component
+images:
+ - name: ghcr.io/huggingface/text-embeddings-inference
+ newTag: 89-1.2
+patches:
+ - path: deployment-patch.yaml
diff --git a/glasskube/trieve/embeddings/jina/deployment-patch.yaml b/glasskube/trieve/embeddings/jina/deployment-patch.yaml
new file mode 100644
index 0000000000..62b1361eb1
--- /dev/null
+++ b/glasskube/trieve/embeddings/jina/deployment-patch.yaml
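Review bot: The cpu and gpu components pin different text-embeddings-inference releases (`newTag: cpu-1.4` in components/cpu versus `newTag: 89-1.2` here), so swapping the component in embeddings/kustomization.yaml silently changes the server version as well as the hardware target, and both are mutable tags whereas the ClickHouse image in this commit is at least meant to be digest-pinned. Either align the two tags and leave a comment on whichever must differ, or replace `newTag` with `digest: sha256:<IMAGE-DIGEST-PLACEHOLDER>` in each `images:` entry so the rollout is reproducible.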
@@ -0,0 +1,15 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: trieve-embedding
+spec:
+ selector: {}
+ template:
+ spec:
+ containers:
+ - name: embedding
+ args:
+ - --model-id
+ - jinaai/jina-embeddings-v2-base-en
+ - --revision
+ - main
diff --git a/glasskube/trieve/embeddings/jina/kustomization.yaml b/glasskube/trieve/embeddings/jina/kustomization.yaml
new file mode 100644
index 0000000000..072ac928bc
--- /dev/null
+++ b/glasskube/trieve/embeddings/jina/kustomization.yaml
@@ -0,0 +1,7 @@
+commonLabels:
+ app.kubernetes.io/component: embedding-jina
+nameSuffix: -jina
+resources:
+ - ../base
+patches:
+ - path: deployment-patch.yaml
diff --git a/glasskube/trieve/embeddings/kustomization.yaml b/glasskube/trieve/embeddings/kustomization.yaml
new file mode 100644
index 0000000000..1ae80377fd
--- /dev/null
+++ b/glasskube/trieve/embeddings/kustomization.yaml
@@ -0,0 +1,8 @@
+resources:
+ - bgem3
+ - jina
+ - reranker
+ - splade-doc
+ - splade-query
+components:
+ - components/cpu
diff --git a/glasskube/trieve/embeddings/reranker/deployment-patch.yaml b/glasskube/trieve/embeddings/reranker/deployment-patch.yaml
new file mode 100644
index 0000000000..1f0333a03d
--- /dev/null
+++ b/glasskube/trieve/embeddings/reranker/deployment-patch.yaml
@@ -0,0 +1,15 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: trieve-embedding
+spec:
+ selector: {}
+ template:
+ spec:
+ containers:
+ - name: embedding
+ args:
+ - --model-id
+ - BAAI/bge-reranker-base
+ - --revision
+ - main
diff --git a/glasskube/trieve/embeddings/reranker/kustomization.yaml b/glasskube/trieve/embeddings/reranker/kustomization.yaml
new file mode 100644
index 0000000000..cdce182fa0
--- /dev/null
+++ b/glasskube/trieve/embeddings/reranker/kustomization.yaml
@@ -0,0 +1,7 @@
+commonLabels:
+ app.kubernetes.io/component: embedding-reranker
+nameSuffix: -reranker
+resources:
+ - ../base
+patches:
+ - path: deployment-patch.yaml
diff --git a/glasskube/trieve/embeddings/splade-doc/deployment-patch.yaml b/glasskube/trieve/embeddings/splade-doc/deployment-patch.yaml
new file mode 100644
index 0000000000..f17c3ccd3a
--- /dev/null
+++ b/glasskube/trieve/embeddings/splade-doc/deployment-patch.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: trieve-embedding
+spec:
+ selector: {}
+ template:
+ spec:
+ containers:
+ - name: embedding
+ args:
+ - --model-id
+ - naver/efficient-splade-VI-BT-large-doc
+ - --revision
+ - main
+ - --pooling
+ - splade
diff --git a/glasskube/trieve/embeddings/splade-doc/kustomization.yaml b/glasskube/trieve/embeddings/splade-doc/kustomization.yaml
new file mode 100644
index 0000000000..e05e4ba042
--- /dev/null
+++ b/glasskube/trieve/embeddings/splade-doc/kustomization.yaml
@@ -0,0 +1,7 @@
+commonLabels:
+ app.kubernetes.io/component: embedding-splade-doc
+nameSuffix: -splade-doc
+resources:
+ - ../base
+patches:
+ - path: deployment-patch.yaml
diff --git a/glasskube/trieve/embeddings/splade-query/deployment-patch.yaml b/glasskube/trieve/embeddings/splade-query/deployment-patch.yaml
new file mode 100644
index 0000000000..3e88f00484
--- /dev/null
+++ b/glasskube/trieve/embeddings/splade-query/deployment-patch.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: trieve-embedding
+spec:
+ selector: {}
+ template:
+ spec:
+ containers:
+ - name: embedding
+ args:
+ - --model-id
+ - naver/efficient-splade-VI-BT-large-query
+ - --revision
+ - main
+ - --pooling
+ - splade
diff --git a/glasskube/trieve/embeddings/splade-query/kustomization.yaml b/glasskube/trieve/embeddings/splade-query/kustomization.yaml
new file mode 100644
index 0000000000..0ba04029bf
--- /dev/null
+++ b/glasskube/trieve/embeddings/splade-query/kustomization.yaml
@@ -0,0 +1,7 @@
+commonLabels:
+ app.kubernetes.io/component: embedding-splade-query
+nameSuffix: -splade-query
+resources:
+ - ../base
+patches:
+ - path: deployment-patch.yaml
diff --git a/glasskube/trieve/ingest/deployment.yaml b/glasskube/trieve/ingest/deployment.yaml
new file mode 100644
index 0000000000..2d4dfcb89c
--- /dev/null
+++ b/glasskube/trieve/ingest/deployment.yaml
@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: trieve-ingest
+spec:
+ selector: {}
+ template:
+ spec:
+ containers:
+ - name: ingest
+ image: trieve/ingest
+ env:
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: trieve-postgresql-server-app
+ key: uri
+ - name: QDRANT_API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: trieve-qdrant-qdrant-apikey
+ key: api-key
+ envFrom:
+ - configMapRef:
+ name: trieve-server-config
+ resources:
+ limits:
+ cpu: "1"
+ memory: 100Mi
diff --git a/glasskube/trieve/ingest/kustomization.yaml b/glasskube/trieve/ingest/kustomization.yaml
new file mode 100644
index 0000000000..e06a289ae1
--- /dev/null
+++ b/glasskube/trieve/ingest/kustomization.yaml
@@ -0,0 +1,4 @@
+commonLabels:
+ app.kubernetes.io/component: ingest
+resources:
+ - deployment.yaml
\ No newline at end of file
diff --git a/glasskube/trieve/keycloak/keycloak.yaml b/glasskube/trieve/keycloak/keycloak.yaml
new file mode 100644
index 0000000000..22fa45f3f3
--- /dev/null
+++ b/glasskube/trieve/keycloak/keycloak.yaml
@@ -0,0 +1,22 @@
+apiVersion: k8s.keycloak.org/v2alpha1
+kind: Keycloak
+metadata:
+ name: trieve-keycloak
+spec:
+ instances: 1
+ db:
+ vendor: postgres
+ host: trieve-keycloak-db-rw
+ usernameSecret:
+ name: trieve-keycloak-db-app
+ key: username
+ passwordSecret:
+ name: trieve-keycloak-db-app
+ key: password
+ http:
+ httpEnabled: true
+ hostname:
+ strict: false
+ hostname: http://trieve-keycloak-service:8080
+ proxy:
+ headers: xforwarded # double check your reverse proxy sets and overwrites the X-Forwarded-* headers
\ No newline at end of file
diff --git a/glasskube/trieve/keycloak/kustomization.yaml b/glasskube/trieve/keycloak/kustomization.yaml
new file mode 100644
index 0000000000..c1bf7151e3
--- /dev/null
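Review bot: `image: trieve/ingest` carries neither a tag nor a digest, so every pod start pulls whatever `latest` currently is, and the container declares no `securityContext` at all, so it runs with whatever the image's default user and full privilege-escalation capability allow. A pinned image reference plus a restrictive security context is a small addition; `readOnlyRootFilesystem` assumes the ingest binary writes no scratch files, which I cannot confirm from this hunk, so drop that line if it does. `resources.limits` without `requests` means the API server copies the limits into requests (1 CPU, 100Mi), which may be tight for an ingest worker but is at least explicit.
```yaml
      containers:
        - name: ingest
          image: trieve/ingest:<PINNED-TAG-OR-DIGEST-PLACEHOLDER>
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: env, envFrom, resources …
```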
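Review bot: `hostname.strict: false` combined with `proxy.headers: xforwarded` lets Keycloak build issuer and redirect URLs from whatever `Host`/`X-Forwarded-*` headers a request carries, and the README's `kubectl port-forward svc/trieve-keycloak-service 8080:8080` path appears to have no reverse proxy in front to overwrite them, so the precondition in the inline comment is not met in the documented flow. Since `hostname.hostname` is already fixed to `http://trieve-keycloak-service:8080`, `strict: true` is the safer default here, with `proxy.headers` moved to an overlay that is known to sit behind a proxy setting those headers. `httpEnabled: true` is appropriate for minikube but deserves a `# local-only: plain HTTP` comment so it is not carried into a production overlay unchanged.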
+++ b/glasskube/trieve/keycloak/kustomization.yaml
@@ -0,0 +1,7 @@
+commonLabels:
+ app.kubernetes.io/component: keycloak
+resources:
+ - postgres.yaml
+ - keycloak.yaml
+ - realm-import.yaml
+
\ No newline at end of file
diff --git a/glasskube/trieve/keycloak/postgres.yaml b/glasskube/trieve/keycloak/postgres.yaml
new file mode 100644
index 0000000000..3863f0fce4
--- /dev/null
+++ b/glasskube/trieve/keycloak/postgres.yaml
@@ -0,0 +1,15 @@
+kind: Cluster
+apiVersion: postgresql.cnpg.io/v1
+metadata:
+ name: trieve-keycloak-db
+spec:
+ enableSuperuserAccess: false
+ instances: 1 # TODO: increase to 3 for prod
+ bootstrap:
+ initdb:
+ database: keycloak
+ owner: keycloak
+ storage:
+ size: 2Gi
+ monitoring:
+ enablePodMonitor: true
\ No newline at end of file
diff --git a/glasskube/trieve/keycloak/realm-import.yaml b/glasskube/trieve/keycloak/realm-import.yaml
new file mode 100644
index 0000000000..3d59475379
--- /dev/null
+++ b/glasskube/trieve/keycloak/realm-import.yaml
@@ -0,0 +1,1819 @@ +apiVersion: k8s.keycloak.org/v2alpha1 +kind: KeycloakRealmImport +metadata: + name: trieve-realm +spec: + keycloakCRName: trieve-keycloak + realm: + id: 531033cd-c690-4255-9641-4eb0aca669f7 + realm: trieve + notBefore: 0 + defaultSignatureAlgorithm: RS256 + revokeRefreshToken: false + refreshTokenMaxReuse: 0 + accessTokenLifespan: 300 + accessTokenLifespanForImplicitFlow: 900 + ssoSessionIdleTimeout: 1800 + ssoSessionMaxLifespan: 36000 + ssoSessionIdleTimeoutRememberMe: 0 + ssoSessionMaxLifespanRememberMe: 0 + offlineSessionIdleTimeout: 2592000 + offlineSessionMaxLifespanEnabled: false + offlineSessionMaxLifespan: 5184000 + clientSessionIdleTimeout: 0 + clientSessionMaxLifespan: 0 + clientOfflineSessionIdleTimeout: 0 + clientOfflineSessionMaxLifespan: 0 + accessCodeLifespan: 60 + accessCodeLifespanUserAction: 300 + accessCodeLifespanLogin: 1800 + actionTokenGeneratedByAdminLifespan: 43200 + actionTokenGeneratedByUserLifespan: 300 + oauth2DeviceCodeLifespan: 600 + oauth2DevicePollingInterval: 5 + enabled: true + sslRequired: external + registrationAllowed: true + registrationEmailAsUsername: true + rememberMe: true + verifyEmail: false + loginWithEmailAllowed: true + duplicateEmailsAllowed: false + resetPasswordAllowed: false + editUsernameAllowed: false + bruteForceProtected: false + permanentLockout: false + maxTemporaryLockouts: 0 + maxFailureWaitSeconds: 900 + minimumQuickLoginWaitSeconds: 60 + waitIncrementSeconds: 60 + quickLoginCheckMilliSeconds: 1000 + maxDeltaTimeSeconds: 43200 + failureFactor: 30 + roles: + realm: + - id: e4b1f494-b23c-4193-a616-7f3896ed1739 + name: uma_authorization + description: "${role_uma_authorization}" + composite: false + clientRole: false + containerId: 531033cd-c690-4255-9641-4eb0aca669f7 + attributes: {} + - id: 1b1bd16f-0b5a-408b-98c5-af9a0da03d47 + name: default-roles-trieve + description: "${role_default-roles}" + composite: true + composites: + realm: + - offline_access + - uma_authorization + client: + 
account: + - manage-account + - view-profile + clientRole: false + containerId: 531033cd-c690-4255-9641-4eb0aca669f7 + attributes: {} + - id: 95e8dc66-13f2-4d07-acf2-191d0f16eae9 + name: offline_access + description: "${role_offline-access}" + composite: false + clientRole: false + containerId: 531033cd-c690-4255-9641-4eb0aca669f7 + attributes: {} + client: + trieve: [] + realm-management: + - id: a5988596-2dff-4f10-bcbe-191b7a750d33 + name: manage-clients + description: "${role_manage-clients}" + composite: false + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: '08e3babd-fc58-4c19-8ccb-1171da72bc6d' + name: query-users + description: "${role_query-users}" + composite: false + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: 444adf15-2aca-43d1-bf2b-f6200119e079 + name: realm-admin + description: "${role_realm-admin}" + composite: true + composites: + client: + realm-management: + - query-users + - manage-clients + - query-clients + - view-realm + - manage-events + - view-authorization + - query-realms + - manage-identity-providers + - manage-authorization + - create-client + - view-events + - manage-users + - view-clients + - impersonation + - view-users + - view-identity-providers + - query-groups + - manage-realm + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: 26aded60-83bc-46b8-8831-ad12ccabdab1 + name: query-clients + description: "${role_query-clients}" + composite: false + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: 540e2999-709d-4084-ada5-38dec9dab9b1 + name: manage-events + description: "${role_manage-events}" + composite: false + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: 536c17b0-a24d-4394-bdaa-5c1667959061 + name: view-realm + description: "${role_view-realm}" + composite: false + clientRole: true + containerId: 
4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: b245b142-0387-40ae-ba64-9b664d448091 + name: view-authorization + description: "${role_view-authorization}" + composite: false + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: 397e56ed-8ea1-4ba0-84aa-1e37ade7d9d3 + name: query-realms + description: "${role_query-realms}" + composite: false + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: 76d5e94b-5d33-4094-b1d2-54b3ddd05d7c + name: manage-authorization + description: "${role_manage-authorization}" + composite: false + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: 0d3f7392-14e8-4d43-bc8b-6d23af210139 + name: manage-identity-providers + description: "${role_manage-identity-providers}" + composite: false + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: e6b7da8d-7425-43b7-a563-16dcdc9e6394 + name: create-client + description: "${role_create-client}" + composite: false + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: 5ef48e8a-e949-4ece-a928-745e1d16b6d6 + name: view-events + description: "${role_view-events}" + composite: false + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: 7ad86194-ab30-4d6c-aed6-db5d15b9ee2c + name: manage-users + description: "${role_manage-users}" + composite: false + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: 7edab984-ed9c-4974-805c-45f553b2c5e9 + name: view-clients + description: "${role_view-clients}" + composite: true + composites: + client: + realm-management: + - query-clients + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: 89a35f45-4e94-4882-b848-d886bea342ed + name: impersonation + description: "${role_impersonation}" + composite: false + clientRole: 
true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: a81b5827-ab7b-40ca-b1b6-c02595eeffb3 + name: view-users + description: "${role_view-users}" + composite: true + composites: + client: + realm-management: + - query-users + - query-groups + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: fa419d9e-494f-422a-8bb5-3c87dd4316d2 + name: view-identity-providers + description: "${role_view-identity-providers}" + composite: false + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: 4f790b62-f9ea-432b-bb65-c4e4c30bc6b6 + name: query-groups + description: "${role_query-groups}" + composite: false + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + - id: def34bce-5250-4f83-90d4-d8a41a6f7042 + name: manage-realm + description: "${role_manage-realm}" + composite: false + clientRole: true + containerId: 4a393392-46f5-469d-add8-0ff115e2d5fe + attributes: {} + security-admin-console: [] + admin-cli: [] + account-console: [] + broker: + - id: 5aeefc4a-a89d-431c-a48f-63d5dd3ae37c + name: read-token + description: "${role_read-token}" + composite: false + clientRole: true + containerId: 52a7a498-5f2e-43fc-a27c-268e9e439113 + attributes: {} + account: + - id: 3bdcff89-e132-455c-bce1-2ce62ce528cc + name: manage-account + description: "${role_manage-account}" + composite: true + composites: + client: + account: + - manage-account-links + clientRole: true + containerId: 9b276326-3e28-474e-ba58-7d1b6ca1801c + attributes: {} + - id: 1259017c-20fd-46d5-aa72-9a8b08f12ce1 + name: view-groups + description: "${role_view-groups}" + composite: false + clientRole: true + containerId: 9b276326-3e28-474e-ba58-7d1b6ca1801c + attributes: {} + - id: 33ac9e6b-32eb-4422-8024-b08575f7af93 + name: manage-consent + description: "${role_manage-consent}" + composite: true + composites: + client: + account: + - view-consent + clientRole: true + 
containerId: 9b276326-3e28-474e-ba58-7d1b6ca1801c + attributes: {} + - id: c4600a95-643a-479e-adc6-213dc51ab0c6 + name: view-applications + description: "${role_view-applications}" + composite: false + clientRole: true + containerId: 9b276326-3e28-474e-ba58-7d1b6ca1801c + attributes: {} + - id: c24ae6bf-cd5d-4018-a6f4-3c4f838da241 + name: delete-account + description: "${role_delete-account}" + composite: false + clientRole: true + containerId: 9b276326-3e28-474e-ba58-7d1b6ca1801c + attributes: {} + - id: ed17f784-a5ae-4e36-8ded-ffed116c95a0 + name: view-profile + description: "${role_view-profile}" + composite: false + clientRole: true + containerId: 9b276326-3e28-474e-ba58-7d1b6ca1801c + attributes: {} + - id: 8a3d6f57-b3f5-4089-b470-968ff481cb5c + name: manage-account-links + description: "${role_manage-account-links}" + composite: false + clientRole: true + containerId: 9b276326-3e28-474e-ba58-7d1b6ca1801c + attributes: {} + - id: 38455d21-f159-482d-b779-541c715c0961 + name: view-consent + description: "${role_view-consent}" + composite: false + clientRole: true + containerId: 9b276326-3e28-474e-ba58-7d1b6ca1801c + attributes: {} + groups: [] + defaultRole: + id: 1b1bd16f-0b5a-408b-98c5-af9a0da03d47 + name: default-roles-trieve + description: "${role_default-roles}" + composite: true + clientRole: false + containerId: 531033cd-c690-4255-9641-4eb0aca669f7 + requiredCredentials: + - password + otpPolicyType: totp + otpPolicyAlgorithm: HmacSHA1 + otpPolicyInitialCounter: 0 + otpPolicyDigits: 6 + otpPolicyLookAheadWindow: 1 + otpPolicyPeriod: 30 + otpPolicyCodeReusable: false + otpSupportedApplications: + - totpAppFreeOTPName + - totpAppGoogleName + - totpAppMicrosoftAuthenticatorName + localizationTexts: {} + webAuthnPolicyRpEntityName: keycloak + webAuthnPolicySignatureAlgorithms: + - ES256 + webAuthnPolicyRpId: '' + webAuthnPolicyAttestationConveyancePreference: not specified + webAuthnPolicyAuthenticatorAttachment: not specified + 
webAuthnPolicyRequireResidentKey: not specified + webAuthnPolicyUserVerificationRequirement: not specified + webAuthnPolicyCreateTimeout: 0 + webAuthnPolicyAvoidSameAuthenticatorRegister: false + webAuthnPolicyAcceptableAaguids: [] + webAuthnPolicyExtraOrigins: [] + webAuthnPolicyPasswordlessRpEntityName: keycloak + webAuthnPolicyPasswordlessSignatureAlgorithms: + - ES256 + webAuthnPolicyPasswordlessRpId: '' + webAuthnPolicyPasswordlessAttestationConveyancePreference: not specified + webAuthnPolicyPasswordlessAuthenticatorAttachment: not specified + webAuthnPolicyPasswordlessRequireResidentKey: not specified + webAuthnPolicyPasswordlessUserVerificationRequirement: not specified + webAuthnPolicyPasswordlessCreateTimeout: 0 + webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister: false + webAuthnPolicyPasswordlessAcceptableAaguids: [] + webAuthnPolicyPasswordlessExtraOrigins: [] + scopeMappings: + - clientScope: offline_access + roles: + - offline_access + clientScopeMappings: + account: + - client: account-console + roles: + - manage-account + - view-groups + clients: + - id: 9b276326-3e28-474e-ba58-7d1b6ca1801c + clientId: account + name: "${client_account}" + rootUrl: "${authBaseUrl}" + baseUrl: "/realms/trieve/account/" + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + redirectUris: + - "/realms/trieve/account/*" + webOrigins: [] + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: false + serviceAccountsEnabled: false + publicClient: true + frontchannelLogout: false + protocol: openid-connect + attributes: + post.logout.redirect.uris: "+" + authenticationFlowBindingOverrides: {} + fullScopeAllowed: false + nodeReRegistrationTimeout: 0 + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - basic + - email + optionalClientScopes: + - address + - phone + - offline_access + - 
microprofile-jwt + - id: 5d951454-ddd7-47c9-b003-c7c20f04407e + clientId: account-console + name: "${client_account-console}" + rootUrl: "${authBaseUrl}" + baseUrl: "/realms/trieve/account/" + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + redirectUris: + - "/realms/trieve/account/*" + webOrigins: [] + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: false + serviceAccountsEnabled: false + publicClient: true + frontchannelLogout: false + protocol: openid-connect + attributes: + post.logout.redirect.uris: "+" + pkce.code.challenge.method: S256 + authenticationFlowBindingOverrides: {} + fullScopeAllowed: false + nodeReRegistrationTimeout: 0 + protocolMappers: + - id: 02e8c346-df53-4e16-9507-46089b62270e + name: audience resolve + protocol: openid-connect + protocolMapper: oidc-audience-resolve-mapper + consentRequired: false + config: {} + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - basic + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt + - id: f2368491-bb33-4c88-909c-1bb8e25a2955 + clientId: admin-cli + name: "${client_admin-cli}" + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + redirectUris: [] + webOrigins: [] + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: false + implicitFlowEnabled: false + directAccessGrantsEnabled: true + serviceAccountsEnabled: false + publicClient: true + frontchannelLogout: false + protocol: openid-connect + attributes: + post.logout.redirect.uris: "+" + authenticationFlowBindingOverrides: {} + fullScopeAllowed: false + nodeReRegistrationTimeout: 0 + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - basic + - email + optionalClientScopes: + - address + - phone + - 
offline_access + - microprofile-jwt + - id: 52a7a498-5f2e-43fc-a27c-268e9e439113 + clientId: broker + name: "${client_broker}" + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + redirectUris: [] + webOrigins: [] + notBefore: 0 + bearerOnly: true + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: false + serviceAccountsEnabled: false + publicClient: false + frontchannelLogout: false + protocol: openid-connect + attributes: + post.logout.redirect.uris: "+" + authenticationFlowBindingOverrides: {} + fullScopeAllowed: false + nodeReRegistrationTimeout: 0 + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt + - id: 4a393392-46f5-469d-add8-0ff115e2d5fe + clientId: realm-management + name: "${client_realm-management}" + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + redirectUris: [] + webOrigins: [] + notBefore: 0 + bearerOnly: true + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: false + serviceAccountsEnabled: false + publicClient: false + frontchannelLogout: false + protocol: openid-connect + attributes: + post.logout.redirect.uris: "+" + authenticationFlowBindingOverrides: {} + fullScopeAllowed: false + nodeReRegistrationTimeout: 0 + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt + - id: 5f6124c4-e746-4712-9d8a-13768ea2a2a4 + clientId: security-admin-console + name: "${client_security-admin-console}" + rootUrl: "${authAdminUrl}" + baseUrl: "/admin/trieve/console/" + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + 
redirectUris: + - "/admin/trieve/console/*" + webOrigins: + - "+" + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: false + serviceAccountsEnabled: false + publicClient: true + frontchannelLogout: false + protocol: openid-connect + attributes: + post.logout.redirect.uris: "+" + pkce.code.challenge.method: S256 + authenticationFlowBindingOverrides: {} + fullScopeAllowed: false + nodeReRegistrationTimeout: 0 + protocolMappers: + - id: d5b8b81b-81e7-4ea1-acb9-b148b27a1b8d + name: locale + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: locale + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: locale + jsonType.label: String + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - basic + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt + - id: cd16f176-0417-4449-a5b5-31da6056b634 + clientId: trieve + name: '' + description: '' + rootUrl: '' + adminUrl: '' + baseUrl: '' + surrogateAuthRequired: false + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: client-secret + secret: YllmLDTy67MbsUBrUAWvQ7z9aMq0QcKx + redirectUris: + - http://api.localtrieve.com/* + - http://dashboard.localtrieve.com/* + - http://chat.localtrieve.com/* + - http://search.localtrieve.com/* + - http://analytics.localtrieve.com/* + webOrigins: + - http://analytics.localtrieve.com + - http://chat.localtrieve.com + - http://api.localtrieve.com + - http://search.localtrieve.com + - http://dashboard.localtrieve.com + notBefore: 0 + bearerOnly: false + consentRequired: false + standardFlowEnabled: true + implicitFlowEnabled: false + directAccessGrantsEnabled: true + serviceAccountsEnabled: false + publicClient: false + frontchannelLogout: true + protocol: 
openid-connect + attributes: + oidc.ciba.grant.enabled: 'false' + client.secret.creation.time: '1702168106' + backchannel.logout.session.required: 'true' + post.logout.redirect.uris: "+" + oauth2.device.authorization.grant.enabled: 'false' + backchannel.logout.revoke.offline.tokens: 'false' + authenticationFlowBindingOverrides: {} + fullScopeAllowed: true + nodeReRegistrationTimeout: -1 + defaultClientScopes: + - web-origins + - acr + - profile + - roles + - basic + - email + optionalClientScopes: + - address + - phone + - offline_access + - microprofile-jwt + clientScopes: + - id: f535ab0e-5a4c-4fc0-a55b-ef9ae24b9012 + name: profile + description: 'OpenID Connect built-in scope: profile' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + consent.screen.text: "${profileScopeConsentText}" + display.on.consent.screen: 'true' + protocolMappers: + - id: 39447277-2a62-4103-82d3-c5f84718ae8d + name: gender + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: gender + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: gender + jsonType.label: String + - id: 1b41e747-f660-4d27-a87d-f22779cd6a1e + name: profile + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: profile + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: profile + jsonType.label: String + - id: a51f74df-4c3f-44e1-a819-2e8dba88f313 + name: picture + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: picture + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: picture + jsonType.label: String + - id: 
79f40696-70b8-44fe-80bb-96b697fdff5c + name: middle name + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: middleName + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: middle_name + jsonType.label: String + - id: c5fbf16e-974e-4700-aad5-e0ad5d82c3fa + name: locale + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: locale + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: locale + jsonType.label: String + - id: df88a306-9b73-4b46-b655-fc80edddaa3f + name: family name + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: lastName + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: family_name + jsonType.label: String + - id: 7f41a45f-0548-4750-823e-b7ab66661e8b + name: nickname + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: nickname + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: nickname + jsonType.label: String + - id: a346cecc-864c-4089-ba72-35d2ae2e8119 + name: website + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: website + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: website + jsonType.label: String + - id: 19e87518-5f15-49ea-9921-2228db644054 + name: updated at + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + 
consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: updatedAt + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: updated_at + jsonType.label: long + - id: 91774c94-3d79-4d12-8b1b-b39929bbe9ee + name: full name + protocol: openid-connect + protocolMapper: oidc-full-name-mapper + consentRequired: false + config: + id.token.claim: 'true' + introspection.token.claim: 'true' + access.token.claim: 'true' + userinfo.token.claim: 'true' + - id: a7efee9f-657f-46be-8cc6-0e8c1b0e154c + name: birthdate + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: birthdate + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: birthdate + jsonType.label: String + - id: d56be991-b3ba-497a-ae3a-6acfb9b6f579 + name: given name + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: firstName + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: given_name + jsonType.label: String + - id: fe814e86-ee34-4826-be9d-ad99b78c10aa + name: zoneinfo + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: zoneinfo + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: zoneinfo + jsonType.label: String + - id: 259e5eae-f9a9-4a78-8b1b-78c959afd6bf + name: username + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: username + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: preferred_username + 
jsonType.label: String + - id: e065a209-bc32-4cb0-98f7-bcdc605e1843 + name: microprofile-jwt + description: Microprofile - JWT built-in scope + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'false' + protocolMappers: + - id: a5515c2b-8769-42b2-9a7d-acde9555c14f + name: groups + protocol: openid-connect + protocolMapper: oidc-usermodel-realm-role-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + multivalued: 'true' + userinfo.token.claim: 'true' + user.attribute: foo + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: groups + jsonType.label: String + - id: 4815d634-ae9c-4482-869d-520792447b47 + name: upn + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: username + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: upn + jsonType.label: String + - id: 5a4a2195-6ecc-4c13-9f10-ea0dc397d7d6 + name: role_list + description: SAML role list + protocol: saml + attributes: + consent.screen.text: "${samlRoleListScopeConsentText}" + display.on.consent.screen: 'true' + protocolMappers: + - id: 8f29ec81-b65c-438d-bb6b-04855803e6e4 + name: role list + protocol: saml + protocolMapper: saml-role-list-mapper + consentRequired: false + config: + single: 'false' + attribute.nameformat: Basic + attribute.name: Role + - id: 3f208658-8178-44c6-93e8-fb2c30ea472e + name: roles + description: OpenID Connect scope for add user roles to the access token + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + consent.screen.text: "${rolesScopeConsentText}" + display.on.consent.screen: 'true' + protocolMappers: + - id: e7d69eec-0d9c-40b4-ac2c-15086f6799d1 + name: client roles + protocol: openid-connect + protocolMapper: oidc-usermodel-client-role-mapper + consentRequired: false + config: + user.attribute: foo + 
introspection.token.claim: 'true' + access.token.claim: 'true' + claim.name: resource_access.${client_id}.roles + jsonType.label: String + multivalued: 'true' + - id: 7f9bf6e8-1baf-4ba1-b7f2-626299032fa0 + name: audience resolve + protocol: openid-connect + protocolMapper: oidc-audience-resolve-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + access.token.claim: 'true' + - id: 2757b094-8fd2-4bed-a194-ed8360e7b219 + name: realm roles + protocol: openid-connect + protocolMapper: oidc-usermodel-realm-role-mapper + consentRequired: false + config: + user.attribute: foo + introspection.token.claim: 'true' + access.token.claim: 'true' + claim.name: realm_access.roles + jsonType.label: String + multivalued: 'true' + - id: 57ebdd9c-a22c-47c3-bc52-d61730c36a1b + name: acr + description: OpenID Connect scope for add acr (authentication context class reference) + to the token + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + display.on.consent.screen: 'false' + protocolMappers: + - id: 6f5352b0-3d85-4ae2-8184-4954864815b0 + name: acr loa level + protocol: openid-connect + protocolMapper: oidc-acr-mapper + consentRequired: false + config: + id.token.claim: 'true' + introspection.token.claim: 'true' + access.token.claim: 'true' + userinfo.token.claim: 'true' + - id: 0f7bca97-2ced-4c2d-9c0d-2e9e4f926c21 + name: email + description: 'OpenID Connect built-in scope: email' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + consent.screen.text: "${emailScopeConsentText}" + display.on.consent.screen: 'true' + protocolMappers: + - id: 8bf84a78-f63e-4208-974a-55400c52c285 + name: email + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: email + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: email + jsonType.label: String + - id: 
db6e78cf-c2e2-4c1a-8c04-19396d8aa7f8 + name: email verified + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: emailVerified + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: email_verified + jsonType.label: boolean + - id: bcfac10f-0dbe-424c-8fbc-a2429475dd20 + name: address + description: 'OpenID Connect built-in scope: address' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + consent.screen.text: "${addressScopeConsentText}" + display.on.consent.screen: 'true' + protocolMappers: + - id: f99d03a1-52d1-430e-9036-5f6579b96e27 + name: address + protocol: openid-connect + protocolMapper: oidc-address-mapper + consentRequired: false + config: + user.attribute.formatted: formatted + user.attribute.country: country + introspection.token.claim: 'true' + user.attribute.postal_code: postal_code + userinfo.token.claim: 'true' + user.attribute.street: street + id.token.claim: 'true' + user.attribute.region: region + access.token.claim: 'true' + user.attribute.locality: locality + - id: 318c6124-31a2-4d82-9237-38c53540c21e + name: offline_access + description: 'OpenID Connect built-in scope: offline_access' + protocol: openid-connect + attributes: + consent.screen.text: "${offlineAccessScopeConsentText}" + display.on.consent.screen: 'true' + - id: d4c2944a-02fa-4bec-8f84-ae2fd54eea97 + name: phone + description: 'OpenID Connect built-in scope: phone' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + consent.screen.text: "${phoneScopeConsentText}" + display.on.consent.screen: 'true' + protocolMappers: + - id: 1aeec4b1-fd57-41fb-b090-37cc58b5fe97 + name: phone number + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: 
phoneNumber + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: phone_number + jsonType.label: String + - id: a42e1546-2164-44d5-a218-5502b90db043 + name: phone number verified + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + userinfo.token.claim: 'true' + user.attribute: phoneNumberVerified + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: phone_number_verified + jsonType.label: boolean + - id: ee557e57-b7db-42cb-baa7-d691ec26670e + name: basic + description: OpenID Connect scope for add all basic claims to the token + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + display.on.consent.screen: 'false' + protocolMappers: + - id: 50356505-1ab0-4ca9-a14f-beae86302f46 + name: auth_time + protocol: openid-connect + protocolMapper: oidc-usersessionmodel-note-mapper + consentRequired: false + config: + user.session.note: AUTH_TIME + id.token.claim: 'true' + introspection.token.claim: 'true' + access.token.claim: 'true' + claim.name: auth_time + jsonType.label: long + - id: 2acf69ec-1105-4fae-95b6-528fab4f7a12 + name: sub + protocol: openid-connect + protocolMapper: oidc-sub-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + access.token.claim: 'true' + - id: 72d15810-c693-4d4a-824a-ab03404021d2 + name: web-origins + description: OpenID Connect scope for add allowed web origins to the access token + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + consent.screen.text: '' + display.on.consent.screen: 'false' + protocolMappers: + - id: cd1ea28b-d696-41b5-b1c6-c4af74632fc9 + name: allowed web origins + protocol: openid-connect + protocolMapper: oidc-allowed-origins-mapper + consentRequired: false + config: + introspection.token.claim: 'true' + access.token.claim: 'true' + defaultDefaultClientScopes: + - role_list + - profile + - email + - roles + - web-origins + 
- acr + - basic + defaultOptionalClientScopes: + - offline_access + - address + - phone + - microprofile-jwt + browserSecurityHeaders: + contentSecurityPolicyReportOnly: '' + xContentTypeOptions: nosniff + referrerPolicy: no-referrer + xRobotsTag: none + xFrameOptions: SAMEORIGIN + contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + xXSSProtection: 1; mode=block + strictTransportSecurity: max-age=31536000; includeSubDomains + smtpServer: {} + eventsEnabled: false + eventsListeners: + - jboss-logging + enabledEventTypes: [] + adminEventsEnabled: false + adminEventsDetailsEnabled: false + identityProviders: + - alias: google + internalId: 3666ee7a-9543-4e7e-80e5-c7c05da9e29d + providerId: google + enabled: true + updateProfileFirstLoginMode: 'on' + trustEmail: true + storeToken: false + addReadTokenRoleOnCreate: false + authenticateByDefault: false + linkOnly: false + firstBrokerLoginFlowAlias: first broker login + config: + hideOnLoginPage: 'false' + clientId: '45112953303-vl3ek5l6oaea945c9qts5hd2i3i55nsr.apps.googleusercontent.com ' + acceptsPromptNoneForwardFromClient: 'false' + disableUserInfo: 'false' + filteredByClaim: 'false' + syncMode: IMPORT + clientSecret: "**********" + guiOrder: '0' + - alias: github + internalId: c46c3eeb-d255-4efd-bd46-f919f68b9609 + providerId: github + enabled: true + updateProfileFirstLoginMode: 'on' + trustEmail: true + storeToken: false + addReadTokenRoleOnCreate: false + authenticateByDefault: false + linkOnly: false + firstBrokerLoginFlowAlias: first broker login + config: + hideOnLoginPage: 'false' + clientId: 2974442c1f1f2b364090 + acceptsPromptNoneForwardFromClient: 'false' + disableUserInfo: 'false' + filteredByClaim: 'false' + syncMode: IMPORT + clientSecret: "**********" + identityProviderMappers: [] + components: + org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy: + - id: d3fe4159-71fe-48ba-a4b0-93d95ac3feb7 + name: Full Scope Disabled + providerId: scope + 
subType: anonymous + subComponents: {} + config: {} + - id: 529fdd4d-93f7-40a4-a2bc-4bc61bf5765c + name: Trusted Hosts + providerId: trusted-hosts + subType: anonymous + subComponents: {} + config: + host-sending-registration-request-must-match: + - 'true' + client-uris-must-match: + - 'true' + - id: 9ff3d6e1-3051-4eb8-a745-780f9de2b79f + name: Allowed Client Scopes + providerId: allowed-client-templates + subType: anonymous + subComponents: {} + config: + allow-default-scopes: + - 'true' + - id: 67f11ec2-e17d-44e2-a842-7e427812ee60 + name: Max Clients Limit + providerId: max-clients + subType: anonymous + subComponents: {} + config: + max-clients: + - '200' + - id: 7410c0a1-3dd6-4b86-8abc-7e387dbc6303 + name: Consent Required + providerId: consent-required + subType: anonymous + subComponents: {} + config: {} + - id: 4410d5c8-1957-4375-a2c3-d775868c11bb + name: Allowed Protocol Mapper Types + providerId: allowed-protocol-mappers + subType: authenticated + subComponents: {} + config: + allowed-protocol-mapper-types: + - oidc-usermodel-attribute-mapper + - oidc-address-mapper + - saml-user-property-mapper + - saml-user-attribute-mapper + - oidc-usermodel-property-mapper + - saml-role-list-mapper + - oidc-full-name-mapper + - oidc-sha256-pairwise-sub-mapper + - id: 7796ed68-9a88-4c20-ae1c-5d050b71764b + name: Allowed Protocol Mapper Types + providerId: allowed-protocol-mappers + subType: anonymous + subComponents: {} + config: + allowed-protocol-mapper-types: + - saml-role-list-mapper + - oidc-address-mapper + - saml-user-attribute-mapper + - oidc-sha256-pairwise-sub-mapper + - saml-user-property-mapper + - oidc-full-name-mapper + - oidc-usermodel-attribute-mapper + - oidc-usermodel-property-mapper + - id: 35eef69e-de14-41d9-85e7-1a2cd7d5e276 + name: Allowed Client Scopes + providerId: allowed-client-templates + subType: authenticated + subComponents: {} + config: + allow-default-scopes: + - 'true' + org.keycloak.userprofile.UserProfileProvider: + - id: 
3331a0c4-082d-476f-bde3-1d209dd3f6a5 + providerId: declarative-user-profile + subComponents: {} + config: + kc.user.profile.config: + - '{"attributes":[{"name":"username","displayName":"${username}","validations":{"length":{"min":3,"max":255},"username-prohibited-characters":{},"up-username-not-idn-homograph":{}},"permissions":{"view":["admin","user"],"edit":["admin","user"]},"multivalued":false},{"name":"email","displayName":"${email}","validations":{"email":{},"length":{"max":255}},"required":{"roles":["user"]},"permissions":{"view":["admin","user"],"edit":["admin","user"]},"multivalued":false},{"name":"firstName","displayName":"${firstName}","validations":{"length":{"max":255},"person-name-prohibited-characters":{}},"required":{"roles":["user"]},"permissions":{"view":["admin","user"],"edit":["admin","user"]},"multivalued":false},{"name":"lastName","displayName":"${lastName}","validations":{"length":{"max":255},"person-name-prohibited-characters":{}},"required":{"roles":["user"]},"permissions":{"view":["admin","user"],"edit":["admin","user"]},"multivalued":false}],"groups":[{"name":"user-metadata","displayHeader":"User + metadata","displayDescription":"Attributes, which refer to user metadata"}],"unmanagedAttributePolicy":"ENABLED"}' + org.keycloak.keys.KeyProvider: + - id: 9e361714-2e57-459e-b5cd-8c2e2f6b237d + name: aes-generated + providerId: aes-generated + subComponents: {} + config: + priority: + - '100' + - id: 4ced0c28-2000-4b79-a0ae-d55eb5e03e19 + name: rsa-enc-generated + providerId: rsa-enc-generated + subComponents: {} + config: + priority: + - '100' + algorithm: + - RSA-OAEP + - id: d3c9dfd9-70a8-4e34-a044-84335b73be12 + name: rsa-generated + providerId: rsa-generated + subComponents: {} + config: + priority: + - '100' + - id: 8f408cd4-27a6-4988-9b2e-5f5179280cc7 + name: hmac-generated + providerId: hmac-generated + subComponents: {} + config: + priority: + - '100' + algorithm: + - HS256 + - id: 1a443a09-d75e-46c2-b4cf-f34e13073182 + name: 
hmac-generated-hs512 + providerId: hmac-generated + subComponents: {} + config: + priority: + - '100' + algorithm: + - HS512 + internationalizationEnabled: false + supportedLocales: [] + authenticationFlows: + - id: de2f487f-2550-4592-8d88-173d31b66ae7 + alias: Account verification options + description: Method with which to verity the existing account + providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: idp-email-verification + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: ALTERNATIVE + priority: 20 + autheticatorFlow: true + flowAlias: Verify Existing Account by Re-authentication + userSetupAllowed: false + - id: 438c4ac3-ecbe-45dc-8ef8-1025627241fd + alias: Browser - Conditional OTP + description: Flow to determine if the OTP is required for the authentication + providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: conditional-user-configured + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: auth-otp-form + authenticatorFlow: false + requirement: REQUIRED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - id: 395923eb-81b0-41a7-ac4f-2e0a57dd9cea + alias: Direct Grant - Conditional OTP + description: Flow to determine if the OTP is required for the authentication + providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: conditional-user-configured + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: direct-grant-validate-otp + authenticatorFlow: false + requirement: REQUIRED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - id: 35ee01b8-25ba-40b9-9666-5d00065b78f2 + alias: First broker login - 
Conditional OTP + description: Flow to determine if the OTP is required for the authentication + providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: conditional-user-configured + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: auth-otp-form + authenticatorFlow: false + requirement: REQUIRED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - id: d8b8c15c-d317-475d-8c05-496dcf9054a6 + alias: Handle Existing Account + description: Handle what to do if there is existing account with same email/username + like authenticated identity provider + providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: idp-confirm-link + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: REQUIRED + priority: 20 + autheticatorFlow: true + flowAlias: Account verification options + userSetupAllowed: false + - id: 96b56190-bbd3-4679-8f5a-cb2b8c391c43 + alias: Reset - Conditional OTP + description: Flow to determine if the OTP should be reset or not. Set to REQUIRED + to force. 
+ providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: conditional-user-configured + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: reset-otp + authenticatorFlow: false + requirement: REQUIRED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - id: 1ae4f391-128c-4c0e-b872-ecadedb21bef + alias: User creation or linking + description: Flow for the existing/non-existing user alternatives + providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticatorConfig: create unique user config + authenticator: idp-create-user-if-unique + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: ALTERNATIVE + priority: 20 + autheticatorFlow: true + flowAlias: Handle Existing Account + userSetupAllowed: false + - id: 4bd8c972-0e6d-4e89-82c6-ce8f52ce2bfb + alias: Verify Existing Account by Re-authentication + description: Reauthentication of existing account + providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: idp-username-password-form + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: CONDITIONAL + priority: 20 + autheticatorFlow: true + flowAlias: First broker login - Conditional OTP + userSetupAllowed: false + - id: 87ea120d-0e86-40da-b667-51fe07f9a898 + alias: browser + description: browser based authentication + providerId: basic-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticator: auth-cookie + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: auth-spnego + authenticatorFlow: false + requirement: 
DISABLED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: identity-provider-redirector + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 25 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: ALTERNATIVE + priority: 30 + autheticatorFlow: true + flowAlias: forms + userSetupAllowed: false + - id: 7495c5b3-856e-4afa-bc7f-7670fba47538 + alias: clients + description: Base authentication for clients + providerId: client-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticator: client-secret + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: client-jwt + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: client-secret-jwt + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 30 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: client-x509 + authenticatorFlow: false + requirement: ALTERNATIVE + priority: 40 + autheticatorFlow: false + userSetupAllowed: false + - id: bb66c8a4-5bdc-4aaf-9a3c-92cbc1e611e5 + alias: direct grant + description: OpenID Connect Resource Owner Grant + providerId: basic-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticator: direct-grant-validate-username + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: direct-grant-validate-password + authenticatorFlow: false + requirement: REQUIRED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: CONDITIONAL + priority: 30 + autheticatorFlow: true + flowAlias: Direct Grant - Conditional OTP + userSetupAllowed: false + - id: 7d9767b7-2410-42bd-9d22-0da964fd05b0 + alias: docker auth + description: Used by Docker 
clients to authenticate against the IDP + providerId: basic-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticator: docker-http-basic-authenticator + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - id: e6d09572-c4e2-4540-a292-830a0683a741 + alias: first broker login + description: Actions taken after first broker login with identity provider account, + which is not yet linked to any Keycloak account + providerId: basic-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticatorConfig: review profile config + authenticator: idp-review-profile + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: REQUIRED + priority: 20 + autheticatorFlow: true + flowAlias: User creation or linking + userSetupAllowed: false + - id: 40f3b564-90f7-4914-bd05-18e42162cb9f + alias: forms + description: Username, password, otp and other auth forms. 
+ providerId: basic-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: auth-username-password-form + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: CONDITIONAL + priority: 20 + autheticatorFlow: true + flowAlias: Browser - Conditional OTP + userSetupAllowed: false + - id: 6ed3f0b7-fcde-48be-ad7c-5d68bb028e35 + alias: registration + description: registration flow + providerId: basic-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticator: registration-page-form + authenticatorFlow: true + requirement: REQUIRED + priority: 10 + autheticatorFlow: true + flowAlias: registration form + userSetupAllowed: false + - id: 3eddb01d-1dd2-473c-8ed3-861846430d42 + alias: registration form + description: registration form + providerId: form-flow + topLevel: false + builtIn: true + authenticationExecutions: + - authenticator: registration-user-creation + authenticatorFlow: false + requirement: REQUIRED + priority: 20 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: registration-password-action + authenticatorFlow: false + requirement: REQUIRED + priority: 50 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: registration-recaptcha-action + authenticatorFlow: false + requirement: DISABLED + priority: 60 + autheticatorFlow: false + userSetupAllowed: false + - id: 9a6ca2a8-a533-478e-aa47-93274b91ca16 + alias: reset credentials + description: Reset credentials for a user if they forgot their password or something + providerId: basic-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticator: reset-credentials-choose-user + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + - authenticator: reset-credential-email + authenticatorFlow: false + requirement: REQUIRED + priority: 20 + 
autheticatorFlow: false + userSetupAllowed: false + - authenticator: reset-password + authenticatorFlow: false + requirement: REQUIRED + priority: 30 + autheticatorFlow: false + userSetupAllowed: false + - authenticatorFlow: true + requirement: CONDITIONAL + priority: 40 + autheticatorFlow: true + flowAlias: Reset - Conditional OTP + userSetupAllowed: false + - id: b794d7ec-d301-4816-8d43-47ae824af4e8 + alias: saml ecp + description: SAML ECP Profile Authentication Flow + providerId: basic-flow + topLevel: true + builtIn: true + authenticationExecutions: + - authenticator: http-basic-authenticator + authenticatorFlow: false + requirement: REQUIRED + priority: 10 + autheticatorFlow: false + userSetupAllowed: false + authenticatorConfig: + - id: 0c5e4a1c-ce11-45ca-bf9b-81ef6a15e6fc + alias: create unique user config + config: + require.password.update.after.registration: 'false' + - id: 5cb1f47e-96d2-4d9b-94f3-1805f55ceaf6 + alias: review profile config + config: + update.profile.on.first.login: missing + requiredActions: + - alias: CONFIGURE_TOTP + name: Configure OTP + providerId: CONFIGURE_TOTP + enabled: true + defaultAction: false + priority: 10 + config: {} + - alias: TERMS_AND_CONDITIONS + name: Terms and Conditions + providerId: TERMS_AND_CONDITIONS + enabled: false + defaultAction: false + priority: 20 + config: {} + - alias: UPDATE_PASSWORD + name: Update Password + providerId: UPDATE_PASSWORD + enabled: true + defaultAction: false + priority: 30 + config: {} + - alias: UPDATE_PROFILE + name: Update Profile + providerId: UPDATE_PROFILE + enabled: true + defaultAction: false + priority: 40 + config: {} + - alias: VERIFY_EMAIL + name: Verify Email + providerId: VERIFY_EMAIL + enabled: true + defaultAction: false + priority: 50 + config: {} + - alias: delete_account + name: Delete Account + providerId: delete_account + enabled: false + defaultAction: false + priority: 60 + config: {} + - alias: webauthn-register + name: Webauthn Register + providerId: 
webauthn-register + enabled: true + defaultAction: false + priority: 70 + config: {} + - alias: webauthn-register-passwordless + name: Webauthn Register Passwordless + providerId: webauthn-register-passwordless + enabled: true + defaultAction: false + priority: 80 + config: {} + - alias: delete_credential + name: Delete Credential + providerId: delete_credential + enabled: true + defaultAction: false + priority: 100 + config: {} + - alias: update_user_locale + name: Update User Locale + providerId: update_user_locale + enabled: true + defaultAction: false + priority: 1000 + config: {} + browserFlow: browser + registrationFlow: registration + directGrantFlow: direct grant + resetCredentialsFlow: reset credentials + clientAuthenticationFlow: clients + dockerAuthenticationFlow: docker auth + firstBrokerLoginFlow: first broker login + attributes: + cibaBackchannelTokenDeliveryMode: poll + cibaExpiresIn: '120' + cibaAuthRequestedUserHint: login_hint + oauth2DeviceCodeLifespan: '600' + clientOfflineSessionMaxLifespan: '0' + oauth2DevicePollingInterval: '5' + clientSessionIdleTimeout: '0' + parRequestUriLifespan: '60' + clientSessionMaxLifespan: '0' + clientOfflineSessionIdleTimeout: '0' + cibaInterval: '5' + realmReusableOtpCode: 'false' + keycloakVersion: 25.0.2 + userManagedAccessAllowed: false + organizationsEnabled: false + clientProfiles: + profiles: [] + clientPolicies: + policies: [] diff --git a/glasskube/trieve/kustomization.yaml b/glasskube/trieve/kustomization.yaml new file mode 100644 index 0000000000..50a09d4f55 --- /dev/null +++ b/glasskube/trieve/kustomization.yaml 
@@ -0,0 +1,41 @@ +namespace: default +commonLabels: + app.kubernetes.io/name: trieve + app.kubernetes.io/part-of: trieve + app.kubernetes.io/instance: trieve +resources: + - configmap.yaml + - clickhouse.yaml + - keycloak + - server + - ui + - worker + - ingest + - embeddings + +images: + - name: ghcr.io/huggingface/text-embeddings-inference + newTag: cpu-1.4 + - name: trieve/ingest + newTag: sha-d8b18ca + - name: trieve/sync_qdrant + newTag: sha-d8b18ca + - name: trieve/server + newTag: sha-d8b18ca + - name: trieve/analytics-site + newTag: sha-ed22f21 + - name: trieve/chat + newTag: sha-ed22f21 + - name: trieve/dashboard + newTag: sha-ed22f21 + - name: trieve/search + newTag: sha-ed22f21 + - name: trieve/delete-worker + newName: trieve/delete_worker + newTag: sha-d8b18ca + - name: trieve/file-worker + newName: trieve/file_worker + newTag: sha-d8b18ca + - name: trieve/group-worker + newName: trieve/group_worker + newTag: sha-d8b18ca diff --git a/glasskube/trieve/server/deployment.yaml b/glasskube/trieve/server/deployment.yaml new file mode 100644 index 0000000000..4af588d3e9 --- /dev/null +++ b/glasskube/trieve/server/deployment.yaml @@ -0,0 +1,29 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: trieve-server +spec: + template: + spec: + containers: + - name: server + resources: + requests: + cpu: "1" + image: trieve/server + ports: + - containerPort: 8090 + env: + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: trieve-postgresql-server-app + key: uri + - name: QDRANT_API_KEY + valueFrom: + secretKeyRef: + name: trieve-qdrant-qdrant-apikey + key: api-key + envFrom: + - configMapRef: + name: trieve-server-config diff --git a/glasskube/trieve/server/ingress.yaml b/glasskube/trieve/server/ingress.yaml new file mode 100644 index 0000000000..532a7b6525 --- /dev/null +++ b/glasskube/trieve/server/ingress.yaml 
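Review bot: Every image in the `images:` list is pinned only by a mutable tag (`sha-d8b18ca`, `sha-ed22f21`, `cpu-1.4`), so what actually runs can change upstream without any change to this manifest. For a reproducible, supply-chain-auditable install, add kustomize's `digest:` field next to the tag, e.g. `- name: trieve/server` / `newTag: sha-d8b18ca` / `digest: sha256:<image digest>`, at least for the trieve images whose digests the release pipeline already knows. Separately, the `trieve/group-worker` → `trieve/group_worker` mapping has no consumer in the visible overlays, since `worker/group/kustomization.yaml` renames to `trieve/file-worker`; once that overlay is fixed this entry becomes live, so it is worth keeping.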
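Review bot: The `server` container in `trieve-server` runs with no `securityContext` and no memory limit, while holding the Postgres connection URI and the Qdrant API key in its environment, so a compromise of the process runs with whatever privileges the image defaults to. I would add a restrictive pod/container security context and a memory limit alongside the existing `cpu: "1"` request; if the `trieve/server` image runs as root by default, `runAsNonRoot: true` will need a matching `runAsUser`, and `readOnlyRootFilesystem` should be confirmed against whether the binary writes to disk.
```yaml
      containers:
        - name: server
          image: trieve/server
          # … unchanged: resources, ports, env, envFrom …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true   # verify the image does not write to its rootfs
            capabilities:
              drop: ["ALL"]
```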
@@ -0,0 +1,16 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: trieve-server +spec: + rules: + - host: api.localtrieve.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: trieve-server + port: + name: server diff --git a/glasskube/trieve/server/kustomization.yaml b/glasskube/trieve/server/kustomization.yaml new file mode 100644 index 0000000000..92afaaaf23 --- /dev/null +++ b/glasskube/trieve/server/kustomization.yaml @@ -0,0 +1,7 @@ +commonLabels: + app.kubernetes.io/component: trieve-server +resources: + - deployment.yaml + - service.yaml + - postgres.yaml + - ingress.yaml diff --git a/glasskube/trieve/server/postgres.yaml b/glasskube/trieve/server/postgres.yaml new file mode 100644 index 0000000000..29f6616edc --- /dev/null +++ b/glasskube/trieve/server/postgres.yaml @@ -0,0 +1,15 @@ +kind: Cluster +apiVersion: postgresql.cnpg.io/v1 +metadata: + name: trieve-postgresql-server +spec: + enableSuperuserAccess: false + instances: 2 + bootstrap: + initdb: + database: trieve + owner: trieve + storage: + size: 2Gi + monitoring: + enablePodMonitor: true \ No newline at end of file diff --git a/glasskube/trieve/server/service.yaml b/glasskube/trieve/server/service.yaml new file mode 100644 index 0000000000..00394a418e --- /dev/null +++ b/glasskube/trieve/server/service.yaml @@ -0,0 +1,9 @@ +kind: Service +apiVersion: v1 +metadata: + name: trieve-server +spec: + type: ClusterIP + ports: + - port: 8090 + name: server diff --git a/glasskube/trieve/ui/analytics/kustomization.yaml b/glasskube/trieve/ui/analytics/kustomization.yaml new file mode 100644 index 0000000000..bb19d35739 --- /dev/null +++ b/glasskube/trieve/ui/analytics/kustomization.yaml 
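Review bot: The `trieve-server` Ingress exposes `api.localtrieve.com` with no `tls:` section and no `ingressClassName`, so the API (and the bearer/API keys the UIs send to it) travels in clear text and the resource is only picked up by whatever controller happens to be the cluster default. That is acceptable for the minikube flow the README describes, but the manifest should say so rather than leave the next user to copy it to a real cluster; I would add `# Local minikube install only: plain HTTP, no ingressClassName. Add spec.tls and an ingressClassName before exposing this beyond a dev cluster.` above `spec:`.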
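Review bot: The `trieve-postgresql-server` CNPG Cluster defines two instances and 2Gi of storage but no `backup:` and no `resources:`, so there is no recovery path for the `trieve` database and the instances can consume unbounded memory on the node. `enableSuperuserAccess: false` is the right choice and should stay. `monitoring.enablePodMonitor: true` presumes the Prometheus Operator CRDs exist in the cluster; nothing in the visible dependencies installs them, so either document that or gate it, e.g. `# requires monitoring.coreos.com PodMonitor CRD; set to false if Prometheus Operator is not installed`.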
@@ -0,0 +1,16 @@ +commonLabels: + app.kubernetes.io/component: trieve-ui-analytics +nameSuffix: -analytics +resources: + - ../base +patches: + - target: + kind: Ingress + name: trieve-ui + patch: |- + - op: add + path: /spec/rules/0/host + value: analytics.localtrieve.com +images: + - name: ui + newName: trieve/analytics-site diff --git a/glasskube/trieve/ui/base/deployment.yaml b/glasskube/trieve/ui/base/deployment.yaml new file mode 100644 index 0000000000..bdf8242a82 --- /dev/null +++ b/glasskube/trieve/ui/base/deployment.yaml @@ -0,0 +1,17 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: trieve-ui +spec: + selector: {} + template: + spec: + containers: + - name: ui + image: ui + ports: + - containerPort: 80 + envFrom: + - configMapRef: + name: trieve-ui-config + resources: {} diff --git a/glasskube/trieve/ui/base/ingress.yaml b/glasskube/trieve/ui/base/ingress.yaml new file mode 100644 index 0000000000..f0e3185d16 --- /dev/null +++ b/glasskube/trieve/ui/base/ingress.yaml @@ -0,0 +1,15 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: trieve-ui +spec: + rules: + - http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: trieve-ui + port: + name: http diff --git a/glasskube/trieve/ui/base/kustomization.yaml b/glasskube/trieve/ui/base/kustomization.yaml new file mode 100644 index 0000000000..f6f370e41e --- /dev/null +++ b/glasskube/trieve/ui/base/kustomization.yaml @@ -0,0 +1,4 @@ +resources: + - deployment.yaml + - service.yaml + - ingress.yaml diff --git a/glasskube/trieve/ui/base/service.yaml b/glasskube/trieve/ui/base/service.yaml new file mode 100644 index 0000000000..3af9348e03 --- /dev/null +++ b/glasskube/trieve/ui/base/service.yaml @@ -0,0 +1,9 @@ +kind: Service +apiVersion: v1 +metadata: + name: trieve-ui +spec: + type: ClusterIP + ports: + - port: 80 + name: http 
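Review bot: The shared `trieve-ui` base Deployment ships with `resources: {}` and no `securityContext`, and this base is instantiated four times (analytics, chat, dashboard, search), so every UI pod is unbounded and runs with the image's default privileges. Since the container listens on `containerPort: 80`, binding that port normally requires root or `NET_BIND_SERVICE`, so check what user the UI images run as before adding `runAsNonRoot: true`. At minimum I would replace `resources: {}` with explicit requests/limits and add `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}` (plus `add: ["NET_BIND_SERVICE"]` only if port 80 needs it).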
diff --git a/glasskube/trieve/ui/chat/kustomization.yaml b/glasskube/trieve/ui/chat/kustomization.yaml new file mode 100644 index 0000000000..923bc9c372 --- /dev/null +++ b/glasskube/trieve/ui/chat/kustomization.yaml @@ -0,0 +1,16 @@ +commonLabels: + app.kubernetes.io/component: trieve-ui-chat +nameSuffix: -chat +resources: + - ../base +patches: + - target: + kind: Ingress + name: trieve-ui + patch: |- + - op: add + path: /spec/rules/0/host + value: chat.localtrieve.com +images: + - name: ui + newName: trieve/chat diff --git a/glasskube/trieve/ui/configmap.yaml b/glasskube/trieve/ui/configmap.yaml new file mode 100644 index 0000000000..ef870083b1 --- /dev/null +++ b/glasskube/trieve/ui/configmap.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: trieve-ui-config +data: + VITE_API_HOST: "http://api.localtrieve.com/api" + VITE_SEARCH_UI_URL: "http://search.localtrieve.com" + VITE_DASHBOARD_URL: "http://dashboard.localtrieve.com" + VITE_CHAT_UI_URL: "http://chat.localtrieve.com" + VITE_ANALYTICS_UI_URL: "http://analytics.localtrieve.com" diff --git a/glasskube/trieve/ui/dashboard/configmap.yaml b/glasskube/trieve/ui/dashboard/configmap.yaml new file mode 100644 index 0000000000..707bda3b2b --- /dev/null +++ b/glasskube/trieve/ui/dashboard/configmap.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: trieve-ui-dashboard-config +data: + VITE_DASHBOARD_URL: "http://dashboard.localtrieve.com" diff --git a/glasskube/trieve/ui/dashboard/kustomization.yaml b/glasskube/trieve/ui/dashboard/kustomization.yaml new file mode 100644 index 0000000000..e9db323f0e --- /dev/null +++ b/glasskube/trieve/ui/dashboard/kustomization.yaml 
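Review bot: The `VITE_*` keys in `trieve-ui-config` are, by Vite's convention, resolved at build time and inlined into the bundle, so passing them through `envFrom` at runtime only works if the `trieve/*` UI images perform their own startup substitution; nothing visible here confirms that, and if they do not, the URLs baked into the images will be used instead of these. Please either confirm the images support runtime env injection or note it in the ConfigMap, e.g. `# These VITE_* values only take effect if the UI image substitutes them at container start; Vite inlines them at build time otherwise.`. All five URLs are also plain `http://`, consistent with the TLS-less Ingresses, so the same "local dev only" caveat applies here.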
@@ -0,0 +1,16 @@ +commonLabels: + app.kubernetes.io/component: trieve-ui-dashboard +nameSuffix: -dashboard +resources: + - ../base +patches: + - target: + kind: Ingress + name: trieve-ui + patch: |- + - op: add + path: /spec/rules/0/host + value: dashboard.localtrieve.com +images: + - name: ui + newName: trieve/dashboard diff --git a/glasskube/trieve/ui/kustomization.yaml b/glasskube/trieve/ui/kustomization.yaml new file mode 100644 index 0000000000..a50fb025ee --- /dev/null +++ b/glasskube/trieve/ui/kustomization.yaml @@ -0,0 +1,6 @@ +resources: + - configmap.yaml + - analytics + - chat + - dashboard + - search diff --git a/glasskube/trieve/ui/search/configmap.yaml b/glasskube/trieve/ui/search/configmap.yaml new file mode 100644 index 0000000000..fca4fa7166 --- /dev/null +++ b/glasskube/trieve/ui/search/configmap.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: trieve-ui-search-config +data: + VITE_DASHBOARD_URL: "http://search.localtrieve.com" diff --git a/glasskube/trieve/ui/search/kustomization.yaml b/glasskube/trieve/ui/search/kustomization.yaml new file mode 100644 index 0000000000..cfd4b2fadc --- /dev/null +++ b/glasskube/trieve/ui/search/kustomization.yaml @@ -0,0 +1,16 @@ +commonLabels: + app.kubernetes.io/component: trieve-ui-search +nameSuffix: -search +resources: + - ../base +patches: + - target: + kind: Ingress + name: trieve-ui + patch: |- + - op: add + path: /spec/rules/0/host + value: search.localtrieve.com +images: + - name: ui + newName: trieve/search diff --git a/glasskube/trieve/worker/base/deployment.yaml b/glasskube/trieve/worker/base/deployment.yaml new file mode 100644 index 0000000000..87571e4bb3 --- /dev/null +++ b/glasskube/trieve/worker/base/deployment.yaml 
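Review bot: The dashboard overlay's `resources:` lists only `../base`, so the sibling `dashboard/configmap.yaml` (`trieve-ui-dashboard-config`) is never rendered and the base Deployment keeps pointing at the shared `trieve-ui-config`; the same is true of the search overlay and `trieve-ui-search-config`. Either add `- configmap.yaml` to the overlay resources and change the base `configMapRef` to a name that the `nameSuffix` rewrites, or delete the two orphaned ConfigMap files so nobody edits them expecting an effect. As written, the per-app ConfigMaps are dead configuration.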
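Review bot: `trieve-ui-search-config` sets `VITE_DASHBOARD_URL: "http://search.localtrieve.com"`, which points the dashboard link at the search UI and looks like a copy of `dashboard/configmap.yaml` with only the value changed; the shared config already defines `VITE_SEARCH_UI_URL` for the search host. If this ConfigMap is meant to override anything it should probably be `VITE_SEARCH_UI_URL: "http://search.localtrieve.com"`, and it also needs to be listed in `search/kustomization.yaml`, since no visible kustomization references this file.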
@@ -0,0 +1,31 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: trieve-worker +spec: + selector: {} + template: + spec: + containers: + - name: worker + image: worker + ports: + - containerPort: 80 + env: + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: trieve-postgresql-server-app + key: uri + - name: QDRANT_API_KEY + valueFrom: + secretKeyRef: + name: trieve-qdrant-qdrant-apikey + key: api-key + envFrom: + - configMapRef: + name: trieve-server-config + resources: + limits: + cpu: "1" + memory: 200Mi diff --git a/glasskube/trieve/worker/base/kustomization.yaml b/glasskube/trieve/worker/base/kustomization.yaml new file mode 100644 index 0000000000..9519a26d6d --- /dev/null +++ b/glasskube/trieve/worker/base/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - deployment.yaml diff --git a/glasskube/trieve/worker/delete/kustomization.yaml b/glasskube/trieve/worker/delete/kustomization.yaml new file mode 100644 index 0000000000..64ee8cb0d7 --- /dev/null +++ b/glasskube/trieve/worker/delete/kustomization.yaml @@ -0,0 +1,8 @@ +commonLabels: + app.kubernetes.io/component: worker-delete +nameSuffix: -delete +resources: + - ../base +images: + - name: worker + newName: trieve/delete-worker diff --git a/glasskube/trieve/worker/file/kustomization.yaml b/glasskube/trieve/worker/file/kustomization.yaml new file mode 100644 index 0000000000..d0b3479c94 --- /dev/null +++ b/glasskube/trieve/worker/file/kustomization.yaml @@ -0,0 +1,8 @@ +commonLabels: + app.kubernetes.io/component: worker-file +nameSuffix: -file +resources: + - ../base +images: + - name: worker + newName: trieve/file-worker diff --git a/glasskube/trieve/worker/group/kustomization.yaml b/glasskube/trieve/worker/group/kustomization.yaml new file mode 100644 index 0000000000..a72a049d5e --- /dev/null +++ b/glasskube/trieve/worker/group/kustomization.yaml 
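Review bot: The shared `trieve-worker` base Deployment declares `containerPort: 80` although no Service targets the workers, and it has no `securityContext` while carrying the same `DATABASE_URL` and `QDRANT_API_KEY` secrets as the API server. I would drop the unused `ports:` block (or confirm the worker images actually listen), and add `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}`, checking first what user the `trieve/*_worker` images run as. Note that with only `limits:` set, Kubernetes derives requests from them, so each worker is scheduled as guaranteed 1 CPU / 200Mi; if 200Mi is too small for the file worker that is an OOMKill loop rather than a slow pod.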
@@ -0,0 +1,8 @@ +commonLabels: + app.kubernetes.io/component: worker-file +nameSuffix: -group +resources: + - ../base +images: + - name: worker + newName: trieve/file-worker diff --git a/glasskube/trieve/worker/kustomization.yaml b/glasskube/trieve/worker/kustomization.yaml new file mode 100644 index 0000000000..86b43a1fa3 --- /dev/null +++ b/glasskube/trieve/worker/kustomization.yaml @@ -0,0 +1,5 @@ +resources: + - delete + - file + - group + - sync-qdrant diff --git a/glasskube/trieve/worker/sync-qdrant/kustomization.yaml b/glasskube/trieve/worker/sync-qdrant/kustomization.yaml new file mode 100644 index 0000000000..67e27b023b --- /dev/null +++ b/glasskube/trieve/worker/sync-qdrant/kustomization.yaml @@ -0,0 +1,16 @@ +commonLabels: + app.kubernetes.io/component: worker-sync-qdrant +nameSuffix: -sync-qdrant +resources: + - ../base +images: + - name: worker + newName: trieve/sync_qdrant +patches: + - target: + kind: Deployment + name: trieve-worker + patch: |- + - op: add + path: /spec/replicas + value: 0 # this deployment functions more like a "Job" \ No newline at end of file
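Review bot: The group overlay labels its Deployment `app.kubernetes.io/component: worker-file` and rewrites the image to `trieve/file-worker`, so `trieve-worker-group` runs a second copy of the file worker instead of the group worker, and the `trieve/group-worker` mapping in the root kustomization is never used. Because the base uses `selector: {}` and lets `commonLabels` populate it, the file and group Deployments also end up with identical pod selectors, which Kubernetes documents as undefined behaviour for controllers sharing pods. The fix is the two lines `app.kubernetes.io/component: worker-group` and `newName: trieve/group-worker`.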
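Review bot: Patching `trieve-worker-sync-qdrant` to `replicas: 0` leaves a permanently dormant Deployment whose only purpose is to be scaled up by hand, which the inline comment itself admits "functions more like a Job". A `batch/v1` Job (or CronJob if it needs to recur) with `restartPolicy: OnFailure` would express that intent directly, run to completion, and not present an always-zero Deployment in `kubectl get deploy`. If a Deployment is kept for now, move the comment out of the JSON patch value, e.g. `# sync-qdrant is a one-shot task; scale to 1 to run it, or convert to a Job` above `patches:`, so it is not embedded in the patch payload.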