RADAR-base · pvannierop · May 15, 2025 · May 15, 2025 · May 16, 2025 · May 16, 2025
diff --git a/charts/management-portal/Chart.yaml b/charts/management-portal/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2.1.8"
 description: A Helm chart for RADAR-Base Management Portal to manage projects and participants throughout RADAR-base.
 name: management-portal
-version: 1.6.0
+version: 1.7.0
 icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png"
 sources:
 - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/management-portal

diff --git a/charts/management-portal/README.md b/charts/management-portal/README.md
@@ -3,7 +3,7 @@
 # management-portal
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/management-portal)](https://artifacthub.io/packages/helm/radar-base/management-portal)
 
-![Version: 1.6.0](https://img.shields.io/badge/Version-1.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.1.8](https://img.shields.io/badge/AppVersion-2.1.8-informational?style=flat-square)
+![Version: 1.7.0](https://img.shields.io/badge/Version-1.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.1.8](https://img.shields.io/badge/AppVersion-2.1.8-informational?style=flat-square)
 
 A Helm chart for RADAR-Base Management Portal to manage projects and participants throughout RADAR-base.
 
@@ -88,6 +88,7 @@ A Helm chart for RADAR-Base Management Portal to manage projects and participant
 | startupProbe.failureThreshold | int | `30` | Failure threshold for startupProbe |
 | networkpolicy | object | check `values.yaml` | Network policy defines who can access this application and who this applications has access to |
 | keystore | string | `""` | base 64 encoded binary p12 keystore containing a ECDSA certificate with alias `radarbase-managementportal-ec` and a RSA certificate with alias `selfsigned`. |
+| public_jwks | string | `""` |  |
 | postgres.host | string | `nil` | host name of the postgres db |
 | postgres.port | string | `nil` | post of the postgres db |
 | postgres.database | string | `nil` | database name |
@@ -102,19 +103,24 @@ A Helm chart for RADAR-Base Management Portal to manage projects and participant
 | server_name | string | `"localhost"` | domain name of the server |
 | catalogue_server | string | `"catalog-server"` | Hostname of the catalogue-server |
 | identity_server.admin_email | string | `"admin@example.com"` | The admin email to link to the admin service account. This account should only be used to set up admin-users |
-| identity_server.server_url | string | `nil` | The publicly accessible server URL for the IDP; needed when deviating from http(s)://server_name/kratos |
-| identity_server.server_admin_url | string | `"http://kratos-admin"` | The admin server URL for the IDP used for service-to-service requests. Only needs to be accessible from inside the cluster where the managementportal resides |
-| identity_server.login_url | string | `nil` | The publicly accessible login URL for the IDP; needed when deviating from http(s)://server_name/kratos-ui |
-| authserver.server_url | string | `"http://hydra:4444"` | The publicly accessible server URL for the authserver; needed when deviating from http(s)://server_name/auth |
-| authserver.server_admin_url | string | `"http://hydra:4445"` | The admin server URL for the authserver used for service-to-service requests. Only needs to be accessible from inside the cluster where the managementportal resides |
-| authserver.login_url | string | `"http://localhost:4444"` | The publicly accessible login URL for the authserver; needed when deviating from http(s)://server_name/auth/login |
+| identity_server.server_url | string | `"http://radar-kratos-public"` | The publicly accessible server URL for the IDP; needed when deviating from http(s)://server_name/kratos |
+| identity_server.server_admin_url | string | `"http://radar-kratos-admin"` | The admin server URL for the IDP used for service-to-service requests. Only needs to be accessible from inside the cluster where the managementportal resides |
+| identity_server.login_url | string | `"{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/kratos-ui"` | The publicly accessible login URL for the IDP; needed when deviating from http(s)://server_name/kratos-ui |
+| identity_server.user_activation_flow_type | string | `"recovery"` | The user activation flow type to use for Management Portal (e.g., recovery, verification) |
+| identity_server.user_activation_method | string | `"link"` | The user activation method to use for Management Portal (e.g., link, code) |
+| authserver.server_url | string | `"http://radar-hydra-public:4444"` | The publicly accessible server URL for the authserver; needed when deviating from http(s)://server_name/auth |
+| authserver.server_admin_url | string | `"http://radar-hydra-admin:4445"` | The admin server URL for the authserver used for service-to-service requests. Only needs to be accessible from inside the cluster where the managementportal resides |
+| authserver.login_url | string | `"{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/hydra"` | The publicly accessible login URL for the authserver; needed when deviating from http(s)://server_name/auth/login |
+| authserver.client_secret | string | `""` |  |
 | managementportal.catalogue_server_enable_auto_import | bool | `false` | set to true, if automatic source-type import from catalogue server should be enabled |
 | managementportal.common_privacy_policy_url | string | `"http://info.thehyve.nl/radar-cns-privacy-policy"` | Override with a publicly resolvable url of the privacy-policy url for your set-up. This can be overridden on a project basis as well. |
 | managementportal.oauth_checking_key_aliases_0 | string | `"radarbase-managementportal-ec"` | Keystore alias to sign JWT tokens from Management Portal |
 | managementportal.oauth_checking_key_aliases_1 | string | `"selfsigned"` | Keystore alias to sign JWT tokens from Management Portal |
 | managementportal.oauth_require_aal2 | bool | `true` | Whether or not to require AAL2 level authentication (i.e. MFA) |
 | managementportal.frontend_client_secret | string | `"xxx"` | OAuth2 Client secret of the Management Portal frontend application |
 | managementportal.common_admin_password | string | `"xxx"` | Admin password of the default admin user created by the system |
+| managementportal.oauth_clients_file | string | `"/secrets/oauth_client_details.csv"` | The file where the OAuth2 client details are stored |
+| managementportal.base_url | string | `"http://localhost/managementportal"` | Base URL managementportal calls from inside the application container |
 | smtp.enabled | bool | `false` | set to true, if SMTP server should be enabled. Required to be true for production setup |
 | smtp.host | string | `"smtp"` | Hostname of the SMTP server |
 | smtp.port | int | `25` | Port of the SMTP server |

diff --git a/charts/management-portal/templates/deployment.yaml b/charts/management-portal/templates/deployment.yaml
@@ -81,34 +81,52 @@ spec:
           - name: MANAGEMENTPORTAL_COMMON_BASEURL
             value: {{ printf "%s://%s" .Values.advertised_protocol .Values.server_name }}
           - name: MANAGEMENTPORTAL_COMMON_MANAGEMENT_PORTAL_BASE_URL
-            value: {{ printf "%s://%s/managementportal" .Values.advertised_protocol .Values.server_name }}
+            value: {{ .Values.managementportal.base_url }}
+{{/* TODO for now secret with client_id and client_secret replaced with job creating clients with fixed client names*/}}
+{{/*          - name: MANAGEMENTPORTAL_FRONTEND_CLIENTID*/}}
+{{/*            valueFrom:*/}}
+{{/*              secretKeyRef:*/}}
+{{/*                name: managementportalapp-oauth-client*/}}
+{{/*                key: CLIENT_ID*/}}
+{{/*          - name: MANAGEMENTPORTAL_FRONTEND_CLIENT_SECRET*/}}
+{{/*            valueFrom:*/}}
+{{/*              secretKeyRef:*/}}
+{{/*                name: managementportalapp-oauth-client*/}}
+{{/*                key: CLIENT_SECRET*/}}
+          - name: MANAGEMENTPORTAL_FRONTEND_CLIENTID
+            value: "ManagementPortalapp"
           - name: MANAGEMENTPORTAL_FRONTEND_CLIENT_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: {{ $secretName }}
-                key: managementportal_frontend_client_secret
-          - name: MANAGEMENTPORTAL_OAUTH_CLIENTS_FILE
-            value: /secrets/oauth_client_details.csv
+            value: "{{ .Values.authserver.client_secret }}"
           - name: MANAGEMENTPORTAL_CATALOGUE_SERVER_ENABLE_AUTO_IMPORT
             value: "{{ .Values.managementportal.catalogue_server_enable_auto_import }}"
+          - name: MANAGEMENTPORTAL_OAUTH_CLIENTS_FILE
+            value: "{{ .Values.managementportal.oauth_clients_file }}"
           - name: MANAGEMENTPORTAL_OAUTH_REQUIRE_AAL2
             value: "{{ .Values.managementportal.oauth_require_aal2 }}"
           - name: MANAGEMENTPORTAL_CATALOGUE_SERVER_SERVER_URL
             value: http://{{ .Values.catalogue_server }}:9010/source-types
           - name: MANAGEMENTPORTAL_IDENTITY_SERVER_ADMIN_EMAIL
             value: {{ .Values.identity_server.admin_email }}
           - name: MANAGEMENTPORTAL_IDENTITY_SERVER_SERVER_URL
-            value: {{ $idpServerUrl }}
+            value: {{ tpl .Values.identity_server.server_url . }}
           - name: MANAGEMENTPORTAL_IDENTITY_SERVER_LOGIN_URL
-            value: {{ $idpLoginUrl }}
+            value: {{ tpl .Values.identity_server.login_url . }}
           - name: MANAGEMENTPORTAL_IDENTITY_SERVER_SERVER_ADMIN_URL
-            value: {{ .Values.identity_server.server_admin_url }}
+            value: {{ tpl .Values.identity_server.server_admin_url . }}
+          - name: MANAGEMENTPORTAL_IDENTITY_SERVER_INTERNAL
+            value: "false"
+          - name: MANAGEMENTPORTAL_IDENTITY_SERVER_USER_ACTIVATION_FLOW_TYPE
+            value: {{ .Values.identity_server.user_activation_flow_type | quote }}
+          - name: MANAGEMENTPORTAL_IDENTITY_SERVER_USER_ACTIVATION_METHOD
+            value: {{ .Values.identity_server.user_activation_method | quote }}
           - name: MANAGEMENTPORTAL_AUTHSERVER_SERVERURL
-            value:  {{ $idpServerUrl }}
+            value:  {{ tpl .Values.authserver.server_url . }}
           - name: MANAGEMENTPORTAL_AUTHSERVER_LOGINURL
-            value: {{ $idpLoginUrl }}
+            value: {{ tpl .Values.authserver.login_url . }}
+          - name: MANAGEMENTPORTAL_AUTHSERVER_INTERNAL
+            value: "false"
           - name: MANAGEMENTPORTAL_AUTHSERVER_SERVERADMINURL
-            value: {{ .Values.authserver.server_admin_url | quote }}
+            value: {{ tpl .Values.authserver.server_admin_url . }}
           - name: MANAGEMENTPORTAL_COMMON_ADMIN_PASSWORD
             valueFrom:
               secretKeyRef:
@@ -202,6 +220,7 @@ spec:
               mountPath: /config/
             - name: secrets-config
               mountPath: /secrets/
+              # Otherwise: Unable to read header from OAuth clients file: java.nio.file.NoSuchFileException: /mp-includes/config/oauth_client_details.csv
             - name: keystore
               mountPath: /mp-includes/config/
             {{- if .Values.postgres.ssl.enabled }}

diff --git a/charts/management-portal/templates/ingress.yaml b/charts/management-portal/templates/ingress.yaml
@@ -24,13 +24,13 @@ spec:
   tls:
     - hosts:
       {{- range $hosts }}
-        - {{ . | quote }}
+        - {{ ( tpl . $ ) | quote }}
       {{- end }}
       secretName: {{ .Values.ingress.tls.secretName }}
 {{- end }}
   rules:
   {{- range .Values.ingress.hosts }}
-    - host: {{ . | quote }}
+    - host: {{ ( tpl . $ ) | quote }}
       http:
         paths:
           - path: {{ $path | quote }}

diff --git a/charts/management-portal/templates/secrets-config.yaml b/charts/management-portal/templates/secrets-config.yaml
@@ -13,9 +13,9 @@ client_id;resource_ids;client_secret;scope;authorized_grant_types;redirect_uri;a
 {{- range $index, $redirect_uri := $client.redirect_uri -}}
   {{- if gt $index 0 -}},{{- end -}}
   {{- if regexMatch "^/" $redirect_uri -}}
-    https://{{ $.Values.server_name }}{{ $redirect_uri }}
+  {{ .Values.advertised_protocol }}://{{ $.Values.server_name }}{{ $redirect_uri }}
   {{- else -}}
-    {{ $redirect_uri }}
+    {{ tpl $redirect_uri $ }}
 {{- end -}}
 {{- end -}};
 {{- $client.authorities | default "" }};

diff --git a/charts/management-portal/templates/secrets-keystore.yaml b/charts/management-portal/templates/secrets-keystore.yaml
@@ -10,3 +10,4 @@ metadata:
 type: Opaque
 data:
   keystore.p12: {{ .Values.keystore }}
+  public-jwks.json: {{ .Values.public_jwks }}
diff --git a/charts/management-portal/values.yaml b/charts/management-portal/values.yaml
@@ -244,6 +244,18 @@ networkpolicy:
       podSelector:
         matchLabels:
           app.kubernetes.io/name: '{{ .Values.postgres.host | default "radar-cloudnative-postgresql-cluster" | trunc 63 | trimSuffix "-" }}'
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: hydra
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: kratos
   - to:
     - namespaceSelector:
         matchLabels:
@@ -265,6 +277,12 @@ keystore: ""
 # or with SOPS
 #   keystore: {{ exec "sops" (list "-d" "keystore.p12") | b64enc | quote }}
 
+# The public keys used for JWT signing in radar-kratos
+public_jwks: ""
+# With helmfile, this can be set in a production.yaml.gotmpl
+# file by setting
+#  public_jwks: {{ readFile "../etc/management-portal/public-jwks.json" | b64enc | quote }}
+
 # Configuration of the Postgres database to store data from Management Portal
 postgres:
   # -- host name of the postgres db
@@ -317,19 +335,24 @@ identity_server:
   # -- The admin email to link to the admin service account. This account should only be used to set up admin-users
   admin_email: admin@example.com
   # -- The publicly accessible server URL for the IDP; needed when deviating from http(s)://server_name/kratos
-  server_url:
+  server_url: http://radar-kratos-public
   # -- The admin server URL for the IDP used for service-to-service requests. Only needs to be accessible from inside the cluster where the managementportal resides
-  server_admin_url: http://kratos-admin
+  server_admin_url: http://radar-kratos-admin
   # -- The publicly accessible login URL for the IDP; needed when deviating from http(s)://server_name/kratos-ui
-  login_url:
+  login_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/kratos-ui'
+  # -- The user activation flow type to use for Management Portal (e.g., recovery, verification)
+  user_activation_flow_type: "recovery"
+  # -- The user activation method to use for Management Portal (e.g., link, code)
+  user_activation_method: "link"
 
 authserver:
   # -- The publicly accessible server URL for the authserver; needed when deviating from http(s)://server_name/auth
-  server_url: http://hydra:4444
+  server_url: http://radar-hydra-public:4444
   # -- The admin server URL for the authserver used for service-to-service requests. Only needs to be accessible from inside the cluster where the managementportal resides
-  server_admin_url: http://hydra:4445
+  server_admin_url: http://radar-hydra-admin:4445
   # -- The publicly accessible login URL for the authserver; needed when deviating from http(s)://server_name/auth/login
-  login_url: http://localhost:4444
+  login_url: '{{ .Values.advertised_protocol }}://{{ .Values.server_name }}/hydra'
+  client_secret: ""
 
 managementportal:
   # -- set to true, if automatic source-type import from catalogue server should be enabled
@@ -346,6 +369,10 @@ managementportal:
   frontend_client_secret: xxx
   # -- Admin password of the default admin user created by the system
   common_admin_password: xxx
+   # -- The file where the OAuth2 client details are stored
+  oauth_clients_file: /secrets/oauth_client_details.csv
+  # -- Base URL managementportal calls from inside the application container
+  base_url: http://localhost/managementportal
 
 # Configurations of the SMTP server to send activation emails from Management Portal
 smtp:
@@ -608,7 +635,7 @@ oauth_clients:
     access_token_validity: 900
     refresh_token_validity: 78000
     redirect_uri:
-      - http://dashboard.localhost/login/generic_oauth
+      - '{{ .Values.advertised_protocol }}://dashboard.{{ .Values.server_name }}/login/generic_oauth'
     autoapprove:
       - USER.READ
 

diff --git a/charts/radar-fitbit-connector/README.md b/charts/radar-fitbit-connector/README.md
@@ -93,12 +93,12 @@ A Helm chart for RADAR-base fitbit connector. This application collects data fro
 | fitbit_api_url | string | `"https://api.fitbit.com"` | Fitbit API URL. |
 | fitbit_api_client | string | `""` | Fitbit API client id. |
 | fitbit_api_secret | string | `""` | Fitbit API client secret. |
-| oauthClientId | string | `"radar_fitbit_connector"` | OAuth2 client id from Management Portal |
-| oauthClientSecret | string | `"secret"` | OAuth2 client secret from Management Portal |
-| auth_url | string | `"http://management-portal:8080/managementportal/oauth/token"` | OAuth2 Auth URL for connector client to get access tokens |
+| oauthClientId | string | `"radar_fitbit_connector"` | OAuth2 client id from Hydra |
+| oauthClientSecret | string | `"secret"` | OAuth2 client secret from Hydra |
+| auth_url | string | `"http://radar-hydra-public:4444/oauth2/token"` | OAuth2 Auth URL for connector client to get access tokens |
 | managementportal_url | string | `"http://management-portal:8080/managementportal"` | URL of Management Portal. This will be used to create URLs to access Management Portal |
 | includeIntradayData | bool | `true` | Set to true, if intraday access data should be collected by the connector. This will be set in connector.properties. |
-| user_repository_class | string | `"ServiceUserRepositoryLegacy"` | Class of the user repository to use. This should be a class that implements the UserRepository interface. |
+| user_repository_class | string | `"ServiceUserRepository"` | Class of the user repository to use. This should be a class that implements the UserRepository interface. |
 | rest_source_poll_interval_ms | int | `60000` | How often to poll the source URL. Only use to speed up processing times during e2e testing. |
 | fitbit_user_poll_interval | int | `5000` | Polling interval per Fitbit user per request route in seconds. Only use to speed up processing times during e2e testing. |
 | application_loop_interval_ms | int | `300000` | How often to perform the main application loop (only controls how often to poll for new user registrations). Only use to speed up processing times during e2e testing. |

diff --git a/charts/radar-fitbit-connector/values.yaml b/charts/radar-fitbit-connector/values.yaml
@@ -197,6 +197,12 @@ networkpolicy:
       podSelector:
         matchLabels:
           app.kubernetes.io/name: 'management-portal'
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: 'radar-hydra'
   - to:
     - namespaceSelector:
         matchLabels:
@@ -238,19 +244,19 @@ fitbit_api_client: ""
 # -- Fitbit API client secret.
 fitbit_api_secret: ""
 
-# -- OAuth2 client id from Management Portal
+# -- OAuth2 client id from Hydra
 oauthClientId: radar_fitbit_connector
-# -- OAuth2 client secret from Management Portal
+# -- OAuth2 client secret from Hydra
 oauthClientSecret: secret
 # -- OAuth2 Auth URL for connector client to get access tokens
-auth_url: http://management-portal:8080/managementportal/oauth/token
+auth_url: http://radar-hydra-public:4444/oauth2/token
 # -- URL of Management Portal. This will be used to create URLs to access Management Portal
 managementportal_url: http://management-portal:8080/managementportal
 # -- Set to true, if intraday access data should be collected by the connector. This will be set in connector.properties.
 includeIntradayData: true
 
 # -- Class of the user repository to use. This should be a class that implements the UserRepository interface.
-user_repository_class: ServiceUserRepositoryLegacy
+user_repository_class: ServiceUserRepository
 
 # -- How often to poll the source URL.
 # Only use to speed up processing times during e2e testing.