feat: Make Keycloak work behind Istio

This commit is contained in:
Stefan Reimer 2022-05-11 16:31:37 +02:00
parent ec19fb2720
commit 2404bfbbd9
9 changed files with 90 additions and 5 deletions


@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-auth name: kubezero-auth
description: KubeZero umbrella chart for all things Authentication and Identity management description: KubeZero umbrella chart for all things Authentication and Identity management
type: application type: application
version: 0.1.1 version: 0.1.4
appVersion: 18.0.0 appVersion: 18.0.0
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png


@ -1,6 +1,6 @@
# kubezero-auth # kubezero-auth
![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 18.0.0](https://img.shields.io/badge/AppVersion-18.0.0-informational?style=flat-square) ![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 18.0.0](https://img.shields.io/badge/AppVersion-18.0.0-informational?style=flat-square)
KubeZero umbrella chart for all things Authentication and Identity management KubeZero umbrella chart for all things Authentication and Identity management
@ -36,3 +36,7 @@ https://github.com/keycloak/keycloak/tree/main/operator
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| keycloak.enabled | bool | `false` | | | keycloak.enabled | bool | `false` | |
| keycloak.istio.enabled | bool | `false` | |
| keycloak.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
| keycloak.istio.url | string | `""` | |
| keycloak.metrics.enabled | bool | `false` | |


@ -1,5 +1,5 @@
--- templates/keycloak-operator/all.yaml.orig 2022-05-11 12:46:15.860204871 +0200 --- templates/keycloak/operator.yaml.orig 2022-05-11 12:46:15.860204871 +0200
+++ templates/keycloak-operator/all.yaml 2022-05-11 12:46:02.840068240 +0200 +++ templates/keycloak/operator.yaml 2022-05-11 12:46:02.840068240 +0200
@@ -1,3 +1,4 @@ @@ -1,3 +1,4 @@
+{{- if .Values.keycloak.enabled }} +{{- if .Values.keycloak.enabled }}
--- ---


@ -0,0 +1,26 @@
{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled .Values.keycloak.istio.ipBlocks }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Release.Name }}-deny-not-in-ipblocks
namespace: istio-system
labels:
{{- include "kubezero-lib.labels" $ | nindent 4 }}
spec:
selector:
matchLabels:
app: istio-ingressgateway
action: DENY
rules:
- from:
- source:
notIpBlocks:
{{- toYaml .Values.keycloak.istio.ipBlocks | nindent 8 }}
to:
- operation:
hosts: ["{{ .Values.keycloak.istio.url }}"]
when:
- key: connection.sni
values:
- '*'
{{- end }}
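Review bot: The deny rule keys on `notIpBlocks`, which Istio evaluates against the direct peer address of the connection, so when the ingress gateway sits behind a cloud load balancer that does not preserve the client address every request carries the load balancer's IP and the allow-list either blocks everyone or no one; if client addresses reach the gateway via X-Forwarded-For, `notRemoteIpBlocks` (with the gateway's trusted-proxy count configured) is the matching field, otherwise the gateway Service needs `externalTrafficPolicy: Local` or proxy protocol. The policy is also pinned to `namespace: istio-system` and `app: istio-ingressgateway`, while the VirtualService in this commit defaults to a gateway in `istio-ingress`; if the private gateway pods live in that namespace the selector matches nothing and the DENY silently never applies, which deserves a comment such as `# must select the gateway pods serving keycloak.istio.gateway, or the deny is a no-op`. `.Values.keycloak.istio.ipBlocks` is not declared in values.yaml or the README in this commit, so the whole file is skipped by default and the opt-in is invisible to users.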


@ -0,0 +1,18 @@
{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled .Values.keycloak.istio.url }}
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: {{ template "kubezero-lib.fullname" $ }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" $ | nindent 4 }}
spec:
gateways:
- {{ .Values.keycloak.istio.gateway }}
hosts:
- {{ .Values.keycloak.istio.url }}
http:
- route:
- destination:
host: {{ template "kubezero-lib.fullname" $ }}-service
{{- end }}
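Review bot: The `gateways` and `hosts` entries interpolate values unquoted, so a value beginning with a YAML indicator or containing `: ` would mis-parse at render time; quote them as `- "{{ .Values.keycloak.istio.gateway }}"` and `- "{{ .Values.keycloak.istio.url }}"`. The destination host is derived as `<fullname>-service`, which presumably is the Service name the Keycloak operator creates for the CR in keycloak.yaml; a one-line comment recording that dependency would help whoever upgrades the operator.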


@ -0,0 +1,29 @@
{{- if .Values.keycloak.enabled }}
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
name: {{ template "kubezero-lib.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
instances: 1
# Wait for next release, already fixed
#disableDefaultIngress: true
serverConfiguration:
- name: cache
value: local
- name: db
value: dev-mem
- name: hostname-strict-https
value: "false"
- name: proxy
value: passthrough
- name: http-enabled
value: "true"
#hostname: INSECURE-DISABLE
hostname: {{ default "keycloak" .Values.keycloak.istio.url }}
# We use Istio Ingress to terminate TLS
# mTls down the road
tlsSecret: INSECURE-DISABLE
{{- end }}
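Review bot: `proxy: passthrough` contradicts the comment that Istio terminates TLS: passthrough is Keycloak's mode for a proxy that forwards the TLS connection untouched, so Keycloak would not honour the X-Forwarded-* headers the gateway sets and would build http:// URLs; `edge` is the documented mode for a proxy that terminates TLS and speaks HTTP to Keycloak, and with it the `hostname-strict-https: "false"` override should no longer be needed. `db: dev-mem` is an in-memory database, so realms and users vanish on every restart; if that is intentional for now, a comment next to the line should say so. Until `disableDefaultIngress: true` can be set, the operator presumably still creates its default Ingress for `hostname`, which exposes Keycloak by a path the Istio AuthorizationPolicy does not cover — worth stating in the existing "Wait for next release" comment.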


@ -9,6 +9,6 @@ VERSION=$(yq eval '.appVersion' Chart.yaml)
wget -q -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml wget -q -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
wget -q -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml wget -q -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml
wget -q -O templates/keycloak-operator/all.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/kubernetes.yml wget -q -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/kubernetes.yml
patch -i keycloak.patch -p0 --no-backup-if-mismatch patch -i keycloak.patch -p0 --no-backup-if-mismatch


@ -1,2 +1,10 @@
keycloak: keycloak:
enabled: false enabled: false
istio:
enabled: false
gateway: istio-ingress/private-ingressgateway
url: ""
metrics:
enabled: false
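Review bot: The AuthorizationPolicy template added in this commit is gated on `.Values.keycloak.istio.ipBlocks`, but that key is not declared here, so the source-IP deny rule stays off unless a user finds it by reading the template; declare it explicitly as `ipBlocks: []` under `istio:` with the comment `# CIDRs allowed to reach keycloak.istio.url; empty leaves the AuthorizationPolicy out`. Since `url: ""` also disables the VirtualService, a short comment stating that both `enabled: true` and a non-empty `url` are required would spare users a silent no-op.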