feat: Make Keycloak work behind Istio

2022-05-11 16:31:37 +02:00 · 2022-05-11 16:31:37 +02:00 · 2404bfbbd9
commit 2404bfbbd9
parent ec19fb2720
9 changed files with 90 additions and 5 deletions
--- a/charts/kubezero-auth/Chart.yaml
+++ b/charts/kubezero-auth/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-auth
 description: KubeZero umbrella chart for all things Authentication and Identity management
 type: application
-version: 0.1.1
+version: 0.1.4
 appVersion: 18.0.0
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
--- a/charts/kubezero-auth/README.md
+++ b/charts/kubezero-auth/README.md
@ -1,6 +1,6 @@
 # kubezero-auth

-![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 18.0.0](https://img.shields.io/badge/AppVersion-18.0.0-informational?style=flat-square)
+![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 18.0.0](https://img.shields.io/badge/AppVersion-18.0.0-informational?style=flat-square)

 KubeZero umbrella chart for all things Authentication and Identity management

@ -36,3 +36,7 @@ https://github.com/keycloak/keycloak/tree/main/operator
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | keycloak.enabled | bool | `false` |  |
+| keycloak.istio.enabled | bool | `false` |  |
+| keycloak.istio.gateway | string | `"istio-ingress/private-ingressgateway"` |  |
+| keycloak.istio.url | string | `""` |  |
+| keycloak.metrics.enabled | bool | `false` |  |
--- a/charts/kubezero-auth/keycloak.patch
+++ b/charts/kubezero-auth/keycloak.patch
@ -1,5 +1,5 @@
--- templates/keycloak-operator/all.yaml.orig	2022-05-11 12:46:15.860204871 +0200
-+++ templates/keycloak-operator/all.yaml	2022-05-11 12:46:02.840068240 +0200
+--- templates/keycloak/operator.yaml.orig	2022-05-11 12:46:15.860204871 +0200
+++ templates/keycloak/operator.yaml	2022-05-11 12:46:02.840068240 +0200
@@ -1,3 +1,4 @@
 +{{- if .Values.keycloak.enabled }}
 ---
--- a/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml
+++ b/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml
@ -0,0 +1,26 @@
+{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled .Values.keycloak.istio.ipBlocks }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ .Release.Name }}-deny-not-in-ipblocks
+  namespace: istio-system
+  labels:
+    {{- include "kubezero-lib.labels" $ | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+  action: DENY
+  rules:
+  - from:
+    - source:
+        notIpBlocks:
+        {{- toYaml .Values.keycloak.istio.ipBlocks | nindent 8 }}
+    to:
+    - operation:
+        hosts: ["{{ .Values.keycloak.istio.url }}"]
+    when:
+    - key: connection.sni
+      values:
+      - '*'
+{{- end }}
--- a/charts/kubezero-auth/templates/keycloak/istio-service.yaml
+++ b/charts/kubezero-auth/templates/keycloak/istio-service.yaml
@ -0,0 +1,18 @@
+{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled .Values.keycloak.istio.url }}
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: {{ template "kubezero-lib.fullname" $ }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kubezero-lib.labels" $ | nindent 4 }}
+spec:
+  gateways:
+  - {{ .Values.keycloak.istio.gateway }}
+  hosts:
+  - {{ .Values.keycloak.istio.url }}
+  http:
+  - route:
+    - destination:
+        host: {{ template "kubezero-lib.fullname" $ }}-service
+{{- end }}
--- a/charts/kubezero-auth/templates/keycloak/keycloak.yaml
+++ b/charts/kubezero-auth/templates/keycloak/keycloak.yaml
@ -0,0 +1,29 @@
+{{- if .Values.keycloak.enabled }}
+apiVersion: k8s.keycloak.org/v2alpha1
+kind: Keycloak
+metadata:
+  name: {{ template "kubezero-lib.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  instances: 1
+  # Wait for next release, already fixed
+  #disableDefaultIngress: true
+  serverConfiguration:
+    - name: cache
+      value: local
+    - name: db
+      value: dev-mem
+    - name: hostname-strict-https
+      value: "false"
+    - name: proxy
+      value: passthrough
+    - name: http-enabled
+      value: "true"
+
+  #hostname: INSECURE-DISABLE
+  hostname: {{ default "keycloak" .Values.keycloak.istio.url }}
+    
+  # We use Istio Ingress to terminate TLS
+  # mTls down the road
+  tlsSecret: INSECURE-DISABLE
+{{- end }}
--- a/charts/kubezero-auth/templates/keycloak-operator/all.yaml
+++ b/charts/kubezero-auth/templates/keycloak-operator/all.yaml
--- a/charts/kubezero-auth/update.sh
+++ b/charts/kubezero-auth/update.sh
@ -9,6 +9,6 @@ VERSION=$(yq eval '.appVersion' Chart.yaml)
 wget -q -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
 wget -q -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml

-wget -q -O templates/keycloak-operator/all.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/kubernetes.yml
+wget -q -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/kubernetes.yml

 patch -i keycloak.patch -p0 --no-backup-if-mismatch
--- a/charts/kubezero-auth/values.yaml
+++ b/charts/kubezero-auth/values.yaml
@ -1,2 +1,10 @@
 keycloak:
  enabled: false
+
+  istio:
+    enabled: false
+    gateway: istio-ingress/private-ingressgateway
+    url: ""
+
+  metrics:
+    enabled: false