ci: add idportenclient resource and use its secret

tronghn · tronghn · commit 49c4a4ba742b · 2025-01-07T11:50:02.000+01:00
This adds the idportenclient resource to version control so that you can
manage its configuration if needed.

Also refactor to use the secret directly to avoid having to manually copy
keys and values into the `personopplysninger-api-secret` secret.
diff --git a/.env.sample b/.env.sample
@@ -1,8 +1,9 @@
-AUTH_CLIENT_ID=yolo
-AUTH_CLIENT_JWK='{ "p": "yhLPxs0GjVCkeer259nCZSxVBvaxWZVqSFUZq10hIZP5ZWkKrMJoZ5UJhnknvurdxNYI9ffc6UgkqkeiC_kxdGLus3Ty3WbxMLgASNMY2wcoWA3tmTc2jO3XgaqcqlTbJWPI3QQpZFxJ4gzChJmlfuiH_qCNPP3mJh_ghKtEn8E",                        "kty": "RSA",                        "q": "tR6rLBqhdUNfJZxWACf7XuvHJQBsNN8UQPX78_XciiIkkyPEcFXUsSdr7LWdV1eIGlxNXNH9GVIlzqv7GR5aYgx7XpY7IbVk1E6j-WP0VTHg5Qhi5XtZBFoDoE6_xEpHg36RtEG2NS0iaoSD0ZE_uFNQliCMExRxSKb1tuejz-U",                        "d": "FwXw6LzPH-A4bxYesQl-WzLfKRgpH-s_79gVidVrJgqdVkro3eVo-5_cz8bYfRBovXRpKiiNPaypQPAQCIwTI4B9pyvA4d2ZkWmSYg3Age0S7lhSU8ksmTXyxcP8cWKTF9JuApaKvtSXd9Um0v-Y0nTYrDjIv07uDJcnNHLMmhrg7w8bBYnYGYOGSUhYBUcnglnf11pFcYs599TCuKFbY8q7hHPIGvuxF08nPvjmnUFQsLNiD-nGE6Pht62dlf91M9-QpfFoh4z8rGbII2rq4sHgGOy4Mjb69RqipDTKoSZei1B1T09_J894ZQ4Wmvv6IMIFMuLbvxNDAEjsCwCWAQ",                        "e": "AQAB",                        "use": "sig",                        "kid": "vxqPlFK91y63-9CL06i_WR9LEb7TosrnK9RG0FB2Tyw",                        "qi": "TV2U0EXQfFxVK8LJV2TNBOYLPcuQhLXcJyNHXpuUHe9Rr4NM82qH1d2gYPrzOv3nkVbEecRS2d0FZvdbDN035ULxqoJFfiEfPUDoyojsBqEXHPaLg8JZrtTdb2n_fOVHIN6NUuesJ8QJP8fxqW6_hQZm9y_14EacsLTB8_n-RSQ",                        "dp": "FVlfclV-97cpaWgVpfEvxJimcxHlMt3CWNoE2EICmhWUJ86tPgtcFHV-iCKMvHL78yvZzoLdaBgjJ4ph6Hnva6h4J6WXcyTJHqiR_x-uZJWhAYyXKbTXopQOTLjFzIkijhS4yAEEjoHhnGxUsMW64mmW1KQJyAPbKPP9OIcPvQE",                        "alg": "RS256",                        "dq": "UwWo3wGiCxeD0MC150Jshlk7oulrsFylcxWOlYiYvDTkYRIfJIMjiMUSQqIJapT0DWlMCQU0qFuweuj4o833DkS8dGIW3t_ARVV68oFv6XGArlvGwXxmFImSafRPERIfb9YfwenxNLTotrzhk7mp5LtEEF0A-GoBd5UYwuuxekU",                        "n": "jveCOUlMhUvVGSSSrlusenmhG-DP1EA6GIw8AgMg7US6HZk69k3iPQyTRmIZOWl2E27RP3KF8sD01RkzlV9Ru69_Vj2cr5P_ZNYg-rcl4WDma3xBsDvG0C4WHV5QLP7lU-o2vyb84UaLVoM99DjBUsEO61IO2Ne4F8zc6nXpH8TVQLbQq7dIXzk5elzmAjTVpMf1d5Q8tQgz43rIvS-8bXLNZxkPYlxXJbyVJPlTJW8vVurWoM5d7_Z7XdcAmeymJi3hFSyyuhYux8GfK28kbSgpaRivLx7mz2PJN33gn9a6-L4IdltdwLGg2KXyQgzHxSPGNd6gy3Da5l44kHL2pQ"}'
-AUTH_REDIRECT_URI=http://localhost:8080/lagreKontonummer
 AUTH_FRONTEND_URI='http://localhost:3000/person/personopplysninger/#utbetaling'
-IDPORTEN_WELL_KNOWN_URL=http://localhost:9090/default/.well-known/openid-configuration
+AUTH_REDIRECT_URI=http://localhost:8080/lagreKontonummer
 AUTH_ENCRYPTION_KEY=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=
+IDPORTEN_CLIENT_ID=yolo
+# this is a randomly generated key for use with mock-oauth2-server and isn't actually used in any real environments
+IDPORTEN_CLIENT_JWK='{"p":"yhLPxs0GjVCkeer259nCZSxVBvaxWZVqSFUZq10hIZP5ZWkKrMJoZ5UJhnknvurdxNYI9ffc6UgkqkeiC_kxdGLus3Ty3WbxMLgASNMY2wcoWA3tmTc2jO3XgaqcqlTbJWPI3QQpZFxJ4gzChJmlfuiH_qCNPP3mJh_ghKtEn8E","kty":"RSA","q":"tR6rLBqhdUNfJZxWACf7XuvHJQBsNN8UQPX78_XciiIkkyPEcFXUsSdr7LWdV1eIGlxNXNH9GVIlzqv7GR5aYgx7XpY7IbVk1E6j-WP0VTHg5Qhi5XtZBFoDoE6_xEpHg36RtEG2NS0iaoSD0ZE_uFNQliCMExRxSKb1tuejz-U","d":"FwXw6LzPH-A4bxYesQl-WzLfKRgpH-s_79gVidVrJgqdVkro3eVo-5_cz8bYfRBovXRpKiiNPaypQPAQCIwTI4B9pyvA4d2ZkWmSYg3Age0S7lhSU8ksmTXyxcP8cWKTF9JuApaKvtSXd9Um0v-Y0nTYrDjIv07uDJcnNHLMmhrg7w8bBYnYGYOGSUhYBUcnglnf11pFcYs599TCuKFbY8q7hHPIGvuxF08nPvjmnUFQsLNiD-nGE6Pht62dlf91M9-QpfFoh4z8rGbII2rq4sHgGOy4Mjb69RqipDTKoSZei1B1T09_J894ZQ4Wmvv6IMIFMuLbvxNDAEjsCwCWAQ","e":"AQAB","use":"sig","kid":"vxqPlFK91y63-9CL06i_WR9LEb7TosrnK9RG0FB2Tyw","qi":"TV2U0EXQfFxVK8LJV2TNBOYLPcuQhLXcJyNHXpuUHe9Rr4NM82qH1d2gYPrzOv3nkVbEecRS2d0FZvdbDN035ULxqoJFfiEfPUDoyojsBqEXHPaLg8JZrtTdb2n_fOVHIN6NUuesJ8QJP8fxqW6_hQZm9y_14EacsLTB8_n-RSQ","dp":"FVlfclV-97cpaWgVpfEvxJimcxHlMt3CWNoE2EICmhWUJ86tPgtcFHV-iCKMvHL78yvZzoLdaBgjJ4ph6Hnva6h4J6WXcyTJHqiR_x-uZJWhAYyXKbTXopQOTLjFzIkijhS4yAEEjoHhnGxUsMW64mmW1KQJyAPbKPP9OIcPvQE","alg":"RS256","dq":"UwWo3wGiCxeD0MC150Jshlk7oulrsFylcxWOlYiYvDTkYRIfJIMjiMUSQqIJapT0DWlMCQU0qFuweuj4o833DkS8dGIW3t_ARVV68oFv6XGArlvGwXxmFImSafRPERIfb9YfwenxNLTotrzhk7mp5LtEEF0A-GoBd5UYwuuxekU","n":"jveCOUlMhUvVGSSSrlusenmhG-DP1EA6GIw8AgMg7US6HZk69k3iPQyTRmIZOWl2E27RP3KF8sD01RkzlV9Ru69_Vj2cr5P_ZNYg-rcl4WDma3xBsDvG0C4WHV5QLP7lU-o2vyb84UaLVoM99DjBUsEO61IO2Ne4F8zc6nXpH8TVQLbQq7dIXzk5elzmAjTVpMf1d5Q8tQgz43rIvS-8bXLNZxkPYlxXJbyVJPlTJW8vVurWoM5d7_Z7XdcAmeymJi3hFSyyuhYux8GfK28kbSgpaRivLx7mz2PJN33gn9a6-L4IdltdwLGg2KXyQgzHxSPGNd6gy3Da5l44kHL2pQ"}'
+IDPORTEN_WELL_KNOWN_URL=http://localhost:9090/default/.well-known/openid-configuration
 CORS_ALLOWED_ORIGINS=*
 CORS_ALLOWED_SCHEMES=http
diff --git a/nais/dev-gcp/personbruker.json b/nais/dev-gcp/personbruker.json
@@ -11,5 +11,7 @@
   "kontoregister-host": "sokos-kontoregister-person.intern.dev.nav.no",
   "min-replicas": 1,
   "max-replicas": 1,
-  "kafka-pool": "nav-dev"
+  "kafka-pool": "nav-dev",
+  "idporten-client-uri": "https://www.ansatt.dev.nav.no/person/personopplysninger",
+  "idporten-nav-base-uri": "https://login.ekstern.dev.nav.no"
 }
diff --git a/nais/idporten.yaml b/nais/idporten.yaml
@@ -0,0 +1,22 @@
+apiVersion: nais.io/v1
+kind: IDPortenClient
+metadata:
+  labels:
+    team: personbruker
+  name: personopplysninger-api
+  namespace: personbruker
+spec:
+  accessTokenLifetime: 30
+  clientURI: {{idporten-client-uri}}
+  frontchannelLogoutURI: {{idporten-nav-base-uri}}/oauth2/logout/frontchannel
+  integrationType: idporten
+  postLogoutRedirectURIs:
+    - {{idporten-client-uri}}
+  redirectURIs:
+    - {{idporten-client-uri}}
+    - {{idporten-nav-base-uri}}
+  {{#each ingresses}}
+    - "{{this}}/lagreKontonummer"
+  {{/each }}
+  secretName: idporten-personopplysninger-api
+  ssoDisabled: true
diff --git a/nais/nais.yaml b/nais/nais.yaml
@@ -49,6 +49,7 @@ spec:
          {{/each}}
   envFrom:
     - secret: personopplysninger-api-secret
+    - secret: idporten-personopplysninger-api
   secureLogs:
     enabled: true
   resources:
diff --git a/nais/prod-gcp/personbruker.json b/nais/prod-gcp/personbruker.json
@@ -11,5 +11,7 @@
   "kontoregister-host": "sokos-kontoregister-person.intern.nav.no",
   "min-replicas": 2,
   "max-replicas": 4,
-  "kafka-pool": "nav-prod"
-}
+  "kafka-pool": "nav-prod",
+  "idporten-client-uri": "https://www.nav.no/person/personopplysninger",
+  "idporten-nav-base-uri": "https://login.nav.no"
+}
diff --git a/src/main/kotlin/no/nav/personopplysninger/config/Environment.kt b/src/main/kotlin/no/nav/personopplysninger/config/Environment.kt
@@ -12,10 +12,10 @@ data class Environment(
 
     val redirectUri: String = System.getenv("AUTH_REDIRECT_URI"),
     val frontendUri: String = System.getenv("AUTH_FRONTEND_URI"),
-    val wellKnownUrl: String = System.getenv("IDPORTEN_WELL_KNOWN_URL"),
-    val clientId: String = System.getenv("AUTH_CLIENT_ID"),
-    val clientJwk: String = System.getenv("AUTH_CLIENT_JWK"),
     val encryptionKey: String = System.getenv("AUTH_ENCRYPTION_KEY"),
+    val clientId: String = System.getenv("IDPORTEN_CLIENT_ID"),
+    val clientJwk: String = System.getenv("IDPORTEN_CLIENT_JWK"),
+    val wellKnownUrl: String = System.getenv("IDPORTEN_WELL_KNOWN_URL"),
 
     val inst2Url: String = System.getenv("INST2_API_URL"),
     val kodeverkUrl: String = System.getenv("KODEVERK_REST_API_URL"),

Original file line number	Diff line number	Diff line change
`@@ -11,5 +11,7 @@`
`11`	`11`	`"kontoregister-host": "sokos-kontoregister-person.intern.dev.nav.no",`
`12`	`12`	`"min-replicas": 1,`
`13`	`13`	`"max-replicas": 1,`
`14`		`- "kafka-pool": "nav-dev"`
	`14`	`+ "kafka-pool": "nav-dev",`
	`15`	`+ "idporten-client-uri": "https://www.ansatt.dev.nav.no/person/personopplysninger",`
	`16`	`+ "idporten-nav-base-uri": "https://login.ekstern.dev.nav.no"`
`15`	`17`	`}`