GluuFederation
diff --git a/‎charts/gluu-all-in-one/README.md
+28-4 b/‎charts/gluu-all-in-one/README.md
+28-4
diff --git a/‎charts/gluu-all-in-one/templates/cronjobs.yaml
+104-2 b/‎charts/gluu-all-in-one/templates/cronjobs.yaml
+104-2
diff --git a/‎charts/gluu-all-in-one/values.yaml
+65-2 b/‎charts/gluu-all-in-one/values.yaml
+65-2
@@ -35,7 +35,7 @@ Kubernetes: `>=v1.22.0-0`
 | adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. |
 | alb.ingress | bool | `false` | switches the service to Nodeport for ALB ingress |
 | auth-server | object | `{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","cnCustomJavaOptions":"","enabled":true,"ingress":{"authServerAdditionalAnnotations":{},"authServerEnabled":true,"authServerLabels":{},"authServerProtectedRegister":false,"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedToken":false,"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"authzenAdditionalAnnotations":{},"authzenConfigEnabled":true,"authzenConfigLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeEnabled":true,"deviceCodeLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingEnabled":true,"firebaseMessagingLabels":{},"lockAdditionalAnnotations":{},"lockConfigAdditionalAnnotations":{},"lockConfigEnabled":false,"lockConfigLabels":{},"lockEnabled":false,"lockLabels":{},"openidAdditionalAnnotations":{},"openidConfigEnabled":true,"openidConfigLabels":{},"u2fAdditionalAnnotations":{},"u2fConfigEnabled":true,"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigEnabled":true,"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryEnabled":true,"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerEnabled":true,"webfingerLabels":{}},"lockEnabled":false}` | Parameters used globally across all services helm charts. |
-| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","enabled":true,"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"0.0.0-nightly"},"initKeysLife":48,"keysLife":48,"keysPushDelay":0,"keysPushStrategy":"NEWER","keysStrategy":"NEWER","lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours |
+| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","enabled":true,"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/cloudtools","tag":"0.0.0-nightly"},"initKeysLife":48,"keysLife":48,"keysPushDelay":0,"keysPushStrategy":"NEWER","keysStrategy":"NEWER","lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours |
 | auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} |
 | auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} |
 | auth-server-key-rotation.customCommand | list | `[]` | Add custom job's command. If passed, it will override the default conditional command. |
@@ -45,7 +45,7 @@ Kubernetes: `>=v1.22.0-0`
 | auth-server-key-rotation.enabled | bool | `true` | Boolean flag to enable/disable the auth-server-key rotation cronjob. |
 | auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
 | auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets |
-| auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/certmanager"` | Image  to use for deploying. |
+| auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/cloudtools"` | Image  to use for deploying. |
 | auth-server-key-rotation.image.tag | string | `"0.0.0-nightly"` | Image  tag to use for deploying. |
 | auth-server-key-rotation.initKeysLife | int | `48` | The initial auth server key rotation keys life in hours |
 | auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours |
@@ -140,6 +140,30 @@ Kubernetes: `>=v1.22.0-0`
 | certManager.certificate.issuerName | string | `""` |  |
 | certManager.certificate.tlsSecretName | string | `"tls-certificate"` |  |
 | city | string | `"Austin"` | City. Used for certificate creation. |
+| cleanup | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","enabled":true,"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/cloudtools","tag":"0.0.0-nightly"},"interval":60,"lifecycle":{},"limit":1000,"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Cleanup expired entries in persistence |
+| cleanup.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} |
+| cleanup.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} |
+| cleanup.customCommand | list | `[]` | Add custom job's command. If passed, it will override the default conditional command. |
+| cleanup.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh |
+| cleanup.dnsConfig | object | `{}` | Add custom dns config |
+| cleanup.dnsPolicy | string | `""` | Add custom dns policy |
+| cleanup.enabled | bool | `true` | Boolean flag to enable/disable the cleanup cronjob chart. |
+| cleanup.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
+| cleanup.image.pullSecrets | list | `[]` | Image Pull Secrets |
+| cleanup.image.repository | string | `"ghcr.io/janssenproject/jans/cloudtools"` | Image  to use for deploying. |
+| cleanup.image.tag | string | `"0.0.0-nightly"` | Image  tag to use for deploying. |
+| cleanup.interval | int | `60` | Interval of running the cleanup process (in minutes) |
+| cleanup.limit | int | `1000` | Max. numbers of entries to cleanup |
+| cleanup.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. |
+| cleanup.resources.limits.cpu | string | `"300m"` | CPU limit. |
+| cleanup.resources.limits.memory | string | `"300Mi"` | Memory limit. |
+| cleanup.resources.requests.cpu | string | `"300m"` | CPU request. |
+| cleanup.resources.requests.memory | string | `"300Mi"` | Memory request. |
+| cleanup.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
+| cleanup.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
+| cleanup.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
+| cleanup.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
+| cleanup.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
 | cnAwsConfigFile | string | `"/etc/jans/conf/aws_config_file"` |  |
 | cnAwsSecretsReplicaRegionsFile | string | `"/etc/jans/conf/aws_secrets_replica_regions"` |  |
 | cnAwsSharedCredentialsFile | string | `"/etc/jans/conf/aws_shared_credential_file"` |  |
@@ -292,7 +316,7 @@ Kubernetes: `>=v1.22.0-0`
 | istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. |
 | istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. |
 | istio.tlsSecretName | string | `"tls-certificate"` |  |
-| kc-scheduler | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","enabled":false,"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/kc-scheduler","tag":"0.0.0-nightly"},"interval":10,"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for synchronizing Keycloak SAML clients |
+| kc-scheduler | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","enabled":false,"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/cloudtools","tag":"0.0.0-nightly"},"interval":10,"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for synchronizing Keycloak SAML clients |
 | kc-scheduler.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} |
 | kc-scheduler.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} |
 | kc-scheduler.customCommand | list | `[]` | Add custom job's command. If passed, it will override the default conditional command. |
@@ -302,7 +326,7 @@ Kubernetes: `>=v1.22.0-0`
 | kc-scheduler.enabled | bool | `false` | Boolean flag to enable/disable the kc-scheduler cronjob chart. |
 | kc-scheduler.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
 | kc-scheduler.image.pullSecrets | list | `[]` | Image Pull Secrets |
-| kc-scheduler.image.repository | string | `"ghcr.io/janssenproject/jans/kc-scheduler"` | Image  to use for deploying. |
+| kc-scheduler.image.repository | string | `"ghcr.io/janssenproject/jans/cloudtools"` | Image  to use for deploying. |
 | kc-scheduler.image.tag | string | `"0.0.0-nightly"` | Image  tag to use for deploying. |
 | kc-scheduler.interval | int | `10` | Interval of running the scheduler (in minutes) |
 | kc-scheduler.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. |
 
@@ -86,7 +86,7 @@ spec:
               resources:
 {{- toYaml (index .Values "auth-server-key-rotation" "resources") | nindent 16 }}
               {{- end }}
-              args: ["patch", "auth", "--opts", "interval:{{ index .Values "auth-server-key-rotation" "keysLife" }}", "--opts", "key-strategy:{{ index .Values "auth-server-key-rotation" "keysStrategy" }}", "--opts", "privkey-push-delay:{{ index .Values "auth-server-key-rotation" "keysPushDelay" }}", "--opts", "privkey-push-strategy:{{ index .Values "auth-server-key-rotation" "keysPushStrategy" }}"]
+              args: ["certmanager", "patch", "auth", "--opts", "interval:{{ index .Values "auth-server-key-rotation" "keysLife" }}", "--opts", "key-strategy:{{ index .Values "auth-server-key-rotation" "keysStrategy" }}", "--opts", "privkey-push-delay:{{ index .Values "auth-server-key-rotation" "keysPushDelay" }}", "--opts", "privkey-push-strategy:{{ index .Values "auth-server-key-rotation" "keysPushStrategy" }}"]
           volumes:
           {{- with (index .Values "auth-server-key-rotation" "volumes") }}
 {{- toYaml . | nindent 12 }}
@@ -148,7 +148,7 @@ spec:
                     {{- toYaml . | replace "- " "" | nindent 20}}
                     {{- end }}
                     /app/bin/entrypoint.sh
-                {{- end}}    
+                {{- end}}
               {{- end}}
               image: "{{ index .Values "kc-scheduler" "image" "repository" }}:{{ index .Values "kc-scheduler" "image" "tag" }}"
               env:
@@ -181,6 +181,7 @@ spec:
               resources:
 {{- toYaml (index .Values "kc-scheduler" "resources") | nindent 16 }}
               {{- end }}
+              args: ["kc-sync"]
           volumes:
           {{- with (index .Values "kc-scheduler" "volumes") }}
 {{- toYaml . | nindent 12 }}
@@ -196,3 +197,104 @@ spec:
                 - {{ .Values.fqdn }}
           {{- end }}
 {{- end }}
+
+---
+
+{{ if .Values.cleanup.enabled -}}
+kind: CronJob
+apiVersion: batch/v1
+metadata:
+  name: {{ include "flex-all-in-one.fullname" . }}-cleanup
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-{{ include "flex-all-in-one.name" . }}-cleanup
+{{ include "flex-all-in-one.labels" . | indent 4 }}
+{{- if (index .Values "cleanup" "additionalLabels") }}
+{{ toYaml (index .Values "cleanup" "additionalLabels") | indent 4 }}
+{{- end }}
+{{- if (index .Values "cleanup" "additionalAnnotations") }}
+  annotations:
+{{ toYaml (index .Values "cleanup" "additionalAnnotations") | indent 4 }}
+{{- end }}
+spec:
+  schedule: "@every {{ index .Values "cleanup" "interval" }}m"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          annotations:
+            sidecar.istio.io/inject: "false"
+        spec:
+        {{- with (index .Values "cleanup" "image" "pullSecrets") }}
+          imagePullSecrets:
+            {{- toYaml . | nindent 8 }}
+        {{- end }}
+          dnsPolicy: {{ index .Values "cleanup" "dnsPolicy" | quote }}
+        {{- with (index .Values "cleanup" "dnsConfig") }}
+          dnsConfig:
+{{ toYaml . | indent 12 }}
+        {{- end }}
+          containers:
+            - name: {{ include "flex-all-in-one.name" . }}-cleanup
+              {{- if or (index .Values "cleanup" "customScripts") (index .Values "cleanup" "customCommand") }}
+              command:
+                {{- if index .Values "cleanup" "customCommand" }}
+                {{- toYaml (index .Values "cleanup" "customCommand") | nindent 18 }}
+                {{- else }}
+                - /bin/sh
+                - -c
+                - |
+                    {{- with (index .Values "cleanup" "customScripts") }}
+                    {{- toYaml . | replace "- " "" | nindent 20}}
+                    {{- end }}
+                    /app/bin/entrypoint.sh
+                {{- end}}
+              {{- end}}
+              image: "{{ index .Values "cleanup" "image" "repository" }}:{{ index .Values "cleanup" "image" "tag" }}"
+              env:
+                {{- include "flex-all-in-one.usr-envs" . | indent 16 }}
+                {{- include "flex-all-in-one.usr-secret-envs" . | indent 16 }}
+              imagePullPolicy: {{ index .Values "cleanup" "image" "pullPolicy" }}
+              lifecycle:
+{{- toYaml (index .Values "cleanup" "lifecycle") | nindent 16 }}
+              volumeMounts:
+              {{- with (index .Values "cleanup" "volumeMounts") }}
+{{- toYaml . | nindent 16 }}
+              {{- end }}
+              {{- with (include "flex-all-in-one.config.schema" . | fromYaml).volumeMounts }}
+{{- toYaml . | nindent 16 }}
+              {{- end }}
+              envFrom:
+                - configMapRef:
+                    name: {{ .Release.Name }}-config-cm
+                {{ if .Values.usrEnvs.secret }}
+                - secretRef:
+                    name: {{ .Release.Name }}-global-user-custom-envs
+                {{- end }}
+                {{ if .Values.usrEnvs.normal }}
+                - configMapRef:
+                    name: {{ .Release.Name }}-global-user-custom-envs
+                {{- end }}
+              {{- if .Values.testEnviroment }}
+              resources: {}
+              {{- else }}
+              resources:
+{{- toYaml (index .Values "cleanup" "resources") | nindent 16 }}
+              {{- end }}
+              args: ["cleanup", "--limit", "{{ .Values.cleanup.limit }}"]
+          volumes:
+          {{- with (index .Values "cleanup" "volumes") }}
+{{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with (include "flex-all-in-one.config.schema" . | fromYaml).volumes }}
+{{- toYaml . | nindent 12 }}
+          {{- end }}
+          restartPolicy: Never
+          {{- if not .Values.isFqdnRegistered  }}
+          hostAliases:
+            - ip: {{ .Values.lbIp }}
+              hostnames:
+                - {{ .Values.fqdn }}
+          {{- end }}
+{{- end }}
@@ -310,7 +310,7 @@ auth-server-key-rotation:
     # -- Image pullPolicy to use for deploying.
     pullPolicy: IfNotPresent
     # -- Image  to use for deploying.
-    repository: ghcr.io/janssenproject/jans/certmanager
+    repository: ghcr.io/janssenproject/jans/cloudtools
     # -- Image  tag to use for deploying.
     tag: 0.0.0-nightly
     # -- Image Pull Secrets
@@ -809,7 +809,7 @@ kc-scheduler:
     # -- Image pullPolicy to use for deploying.
     pullPolicy: IfNotPresent
     # -- Image  to use for deploying.
-    repository: ghcr.io/janssenproject/jans/kc-scheduler
+    repository: ghcr.io/janssenproject/jans/cloudtools
     # -- Image  tag to use for deploying.
     tag: 0.0.0-nightly
     # -- Image Pull Secrets
@@ -851,3 +851,66 @@ kc-scheduler:
   customCommand: []
   # -- Boolean flag to enable/disable the kc-scheduler cronjob chart.
   enabled: false
+
+# -- Cleanup expired entries in persistence
+cleanup:
+  # -- Add custom normal and secret envs to the service
+  usrEnvs:
+    # -- Add custom normal envs to the service
+    # variable1: value1
+    normal: {}
+    # -- Add custom secret envs to the service
+    # variable1: value1
+    secret: {}
+  # -- Add custom dns policy
+  dnsPolicy: ""
+  # -- Add custom dns config
+  dnsConfig: {}
+  image:
+    # -- Image pullPolicy to use for deploying.
+    pullPolicy: IfNotPresent
+    # -- Image  to use for deploying.
+    repository: ghcr.io/janssenproject/jans/cloudtools
+    # -- Image  tag to use for deploying.
+    tag: 0.0.0-nightly
+    # -- Image Pull Secrets
+    pullSecrets: [ ]
+  # -- Resource specs.
+  resources:
+    limits:
+      # -- CPU limit.
+      cpu: 300m
+      # -- Memory limit.
+      memory: 300Mi
+    requests:
+      # -- CPU request.
+      cpu: 300m
+      # -- Memory request.
+      memory: 300Mi
+  # -- Interval of running the cleanup process (in minutes)
+  interval: 60
+  # -- Max. numbers of entries to cleanup
+  limit: 1000
+  # -- Configure any additional volumes that need to be attached to the pod
+  volumes: []
+  # -- Configure any additional volumesMounts that need to be attached to the containers
+  volumeMounts: []
+  # Actions on lifecycle events such as postStart and preStop
+  # Example
+  # lifecycle:
+  #   postStart:
+  #     exec:
+  #       command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+  lifecycle: {}
+  # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+  additionalLabels: { }
+  # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+  additionalAnnotations: {}
+  # -- Add custom scripts that have been mounted to run before the entrypoint.
+  # - /tmp/custom.sh
+  # - /tmp/custom2.sh
+  customScripts: []
+  # -- Add custom job's command. If passed, it will override the default conditional command.
+  customCommand: []
+  # -- Boolean flag to enable/disable the cleanup cronjob chart.
+  enabled: true