2gis · mprudnikov3 · Jan 24, 2025 · Jan 10, 2025 · Jan 10, 2025 · Jan 24, 2025
diff --git a/Breaking-Changes.md b/Breaking-Changes.md
@@ -1,9 +1,15 @@
 # 2GIS On-Premise Breaking-Changes
 
+## [1.34.0]
+
+### keys
+- A temporary flag, `--migrate-data`, has been added for this release. This flag triggers the data migration required for the Routing API data in the service.
+- Ensure that `keys` service is upgraded prior to upgrading any of the `navi` services.
+
 ## [1.33.0]
 
 ### pro-api
-- permissions.settings.enabled was removed, permissions api is now always mandatory 
+- permissions.settings.enabled was removed, permissions api is now always mandatory
 - postgres.connectionString, postgres.connectionStringReadonly, postgres.password were changed to postgres.api.rw / postgres.api.ro settings
 
 

diff --git a/charts/keys/Chart.yaml b/charts/keys/Chart.yaml
@@ -4,7 +4,7 @@ type: application
 description: A Helm chart for Kubernetes to deploy API Keys service
 
 version: 1.33.1
-appVersion: 1.105.0
+appVersion: 1.108.2
 
 maintainers:
 - name: 2gis

diff --git a/charts/keys/README.md b/charts/keys/README.md
@@ -31,7 +31,7 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about
 | `imagePullSecrets`         | Kubernetes image pull secrets.    | `[]`                           |
 | `imagePullPolicy`          | Pull policy.                      | `IfNotPresent`                 |
 | `backend.image.repository` | Backend service image repository. | `2gis-on-premise/keys-backend` |
-| `backend.image.tag`        | Backend service image tag.        | `1.105.0`                      |
+| `backend.image.tag`        | Backend service image tag.        | `1.108.2`                      |
 | `admin.image.repository`   | Admin service image repository.   | `2gis-on-premise/keys-ui`      |
 | `admin.image.tag`          | Admin service image tag.          | `0.10.3`                       |
 | `redis.image.repository`   | Redis image repository.           | `2gis-on-premise/keys-redis`   |
@@ -88,6 +88,15 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about
 | `api.adminSessionTTL`                       | TTL of the admin users sessions. Duration string is a sequence of decimal numbers with optional fraction and unit suffix, like `100ms`, `2.3h` or `4h35m`. Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. | `336h`          |
 | `api.logLevel`                              | Log level for the service. Can be: `trace`, `debug`, `info`, `warning`, `error`, `fatal`.                                                                                                                                  | `warning`       |
 | `api.signPrivateKey`                        | RSA-PSS 2048 private key (in PKCS#1 format) for signing responses in Public API.                                                                                                                                           | `""`            |
+| `api.oidc.enable`                           | If OIDC authentication is enabled.                                                                                                                                                                                         | `false`         |
+| `api.oidc.enableSignlePartnerMode`          | Enable single partner mode: all users are binded to the preconfigured partner (needed when external OIDC provider is used).                                                                                                | `false`         |
+| `api.oidc.url`                              | URL of the OIDC provider.                                                                                                                                                                                                  | `""`            |
+| `api.oidc.retryCount`                       | Maximum number of retries for requests to OIDC provider.                                                                                                                                                                   | `3`             |
+| `api.oidc.timeout`                          | Timeout for requests to OIDC provider.                                                                                                                                                                                     | `3s`            |
+| `api.oidc.defaultPartner`                   | **Settings for single partner mode feature. Info specified here will be returned in responses from Auth API**                                                                                                              |                 |
+| `api.oidc.defaultPartner.id`                | Default partner's Id.                                                                                                                                                                                                      | `""`            |
+| `api.oidc.defaultPartner.name`              | Default partner's Name.                                                                                                                                                                                                    | `""`            |
+| `api.oidc.defaultPartner.role`              | Role of the user in the default partner. Can be: 'user', 'admin'.                                                                                                                                                          | `""`            |
 | `api.replicas`                              | A replica count for the pod.                                                                                                                                                                                               | `1`             |
 | `api.revisionHistoryLimit`                  | Revision history limit (used for [rolling back](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) a deployment).                                                                             | `3`             |
 | `api.strategy.type`                         | Type of Kubernetes deployment. Can be `Recreate` or `RollingUpdate`.                                                                                                                                                       | `RollingUpdate` |

diff --git a/charts/keys/templates/helpers.tpl b/charts/keys/templates/helpers.tpl
@@ -125,6 +125,10 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
   value: "{{ .Values.featureFlags.enableAudit }}"
 - name: KEYS_FEATURE_FLAGS_PUBLIC_API_SIGN
   value: "{{ .Values.featureFlags.enablePublicAPISign }}"
+- name: KEYS_FEATURE_FLAGS_EXTERNAL_COMPANIES
+  value: "{{ .Values.api.oidc.enableSignlePartnerMode }}"
+- name: KEYS_FEATURE_FLAGS_OIDC
+  value: "{{ .Values.api.oidc.enable }}"
 {{- end }}
 
 {{- define "keys.env.api" -}}
@@ -137,6 +141,20 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
       name: {{ include "keys.secret.deploys.name" . }}
       key: signPrivateKey
 {{- end }}
+{{- if .Values.featureFlags.enableOIDC }}
+- name: KEYS_OIDC_ENDPOINT
+  value: "{{ required "A valid .Values.api.oidc.url required" .Values.api.oidc.url }}"
+- name: KEYS_OIDC_CLIENT_TIMEOUT
+  value: "{{ .Values.api.oidc.timeout }}"
+- name: KEYS_OIDC_CLIENT_RETRY_COUNT
+  value: "{{ .Values.api.oidc.retryCount }}"
+- name: KEYS_OIDC_DEFAULT_PARTNER_ID
+  value: "{{ required "A valid .Values.api.oidc.defaultPartner.id required" .Values.api.oidc.defaultPartner.id }}"
+- name: KEYS_OIDC_DEFAULT_PARTNER_NAME
+  value: "{{ required "A valid .Values.api.oidc.defaultPartner.name required" .Values.api.oidc.defaultPartner.name }}"
+- name: KEYS_OIDC_DEFAULT_ROLE
+  value: "{{ required "A valid .Values.api.oidc.defaultPartner.role required" .Values.api.oidc.defaultPartner.role }}"
+{{- end }}
 {{- end }}
 
 {{- define "keys.env.import" -}}

diff --git a/charts/keys/templates/import/job.yaml b/charts/keys/templates/import/job.yaml
@@ -25,7 +25,7 @@ spec:
         - name: migrate
           image: {{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}
           imagePullPolicy: {{ .Values.imagePullPolicy }}
-          command: [ "keysctl", "import" ]
+          command: [ "keysctl", "import", "--migrate-data" ]
           resources:
             {{- toYaml .Values.import.resources | nindent 12 }}
           env:

diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml
@@ -31,7 +31,7 @@ featureFlags:
 backend:
   image:
     repository: 2gis-on-premise/keys-backend
-    tag: 1.105.0
+    tag: 1.108.2
 
 # @section Admin service settings
 
@@ -156,6 +156,27 @@ api:
       # ...
       # -----END CERTIFICATE-----
 
+  # @param api.oidc.enable If OIDC authentication is enabled.
+  # @param api.oidc.enableSignlePartnerMode Enable single partner mode: all users are binded to the preconfigured partner (needed when external OIDC provider is used).
+  # @param api.oidc.url URL of the OIDC provider.
+  # @param api.oidc.retryCount Maximum number of retries for requests to OIDC provider.
+  # @param api.oidc.timeout Timeout for requests to OIDC provider.
+  # @extra api.oidc.defaultPartner **Settings for single partner mode feature. Info specified here will be returned in responses from Auth API**
+  # @param api.oidc.defaultPartner.id Default partner's Id.
+  # @param api.oidc.defaultPartner.name Default partner's Name.
+  # @param api.oidc.defaultPartner.role Role of the user in the default partner. Can be: 'user', 'admin'.
+
+  oidc:
+    enable: false
+    enableSignlePartnerMode: false
+    url: ''
+    retryCount: 3
+    timeout: 3s
+    defaultPartner:
+      id: ''
+      name: ''
+      role: ''
+
   # @param api.replicas A replica count for the pod.
 
   replicas: 1