feat: Make Keycloak work behind Istio
This commit is contained in:
parent
ec19fb2720
commit
2404bfbbd9
@ -2,7 +2,7 @@ apiVersion: v2
|
||||
name: kubezero-auth
|
||||
description: KubeZero umbrella chart for all things Authentication and Identity management
|
||||
type: application
|
||||
version: 0.1.1
|
||||
version: 0.1.4
|
||||
appVersion: 18.0.0
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-auth
|
||||
|
||||
![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 18.0.0](https://img.shields.io/badge/AppVersion-18.0.0-informational?style=flat-square)
|
||||
![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 18.0.0](https://img.shields.io/badge/AppVersion-18.0.0-informational?style=flat-square)
|
||||
|
||||
KubeZero umbrella chart for all things Authentication and Identity management
|
||||
|
||||
@ -36,3 +36,7 @@ https://github.com/keycloak/keycloak/tree/main/operator
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| keycloak.enabled | bool | `false` | |
|
||||
| keycloak.istio.enabled | bool | `false` | |
|
||||
| keycloak.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
|
||||
| keycloak.istio.url | string | `""` | |
|
||||
| keycloak.metrics.enabled | bool | `false` | |
|
||||
|
@ -1,5 +1,5 @@
|
||||
--- templates/keycloak-operator/all.yaml.orig 2022-05-11 12:46:15.860204871 +0200
|
||||
+++ templates/keycloak-operator/all.yaml 2022-05-11 12:46:02.840068240 +0200
|
||||
--- templates/keycloak/operator.yaml.orig 2022-05-11 12:46:15.860204871 +0200
|
||||
+++ templates/keycloak/operator.yaml 2022-05-11 12:46:02.840068240 +0200
|
||||
@@ -1,3 +1,4 @@
|
||||
+{{- if .Values.keycloak.enabled }}
|
||||
---
|
||||
|
@ -0,0 +1,26 @@
|
||||
{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled .Values.keycloak.istio.ipBlocks }}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: {{ .Release.Name }}-deny-not-in-ipblocks
|
||||
namespace: istio-system
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" $ | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: istio-ingressgateway
|
||||
action: DENY
|
||||
rules:
|
||||
- from:
|
||||
- source:
|
||||
notIpBlocks:
|
||||
{{- toYaml .Values.keycloak.istio.ipBlocks | nindent 8 }}
|
||||
to:
|
||||
- operation:
|
||||
hosts: ["{{ .Values.keycloak.istio.url }}"]
|
||||
when:
|
||||
- key: connection.sni
|
||||
values:
|
||||
- '*'
|
||||
{{- end }}
|
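Review bot: The DENY policy is rendered into `istio-system` with `selector.matchLabels.app: istio-ingressgateway`, but an AuthorizationPolicy with a selector only binds to workloads in its own namespace, and the default gateway in values.yaml is `istio-ingress/private-ingressgateway`, which suggests the private gateway pods live in `istio-ingress`; if so, the policy selects nothing and the IP allow-list is silently not enforced while the VirtualService still exposes the host. Render it into the gateway's namespace instead, e.g. `namespace: {{ (split "/" .Values.keycloak.istio.gateway)._0 }}`, and make the selector label a value so it can match the actual private gateway deployment. Separately, `notIpBlocks` is compared against the immediate TCP peer address, which behind a load balancer that does not preserve the client address is the load balancer's IP; `notRemoteIpBlocks` (X-Forwarded-For based, with `numTrustedProxies` set on the gateway) is the field that sees the real client, so this should be confirmed against how the gateway receives traffic. `.Values.keycloak.istio.ipBlocks` is also read here but is not declared in the values.yaml hunk or the README table in this commit.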
18
charts/kubezero-auth/templates/keycloak/istio-service.yaml
Normal file
18
charts/kubezero-auth/templates/keycloak/istio-service.yaml
Normal file
@ -0,0 +1,18 @@
|
||||
{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled .Values.keycloak.istio.url }}
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: {{ template "kubezero-lib.fullname" $ }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" $ | nindent 4 }}
|
||||
spec:
|
||||
gateways:
|
||||
- {{ .Values.keycloak.istio.gateway }}
|
||||
hosts:
|
||||
- {{ .Values.keycloak.istio.url }}
|
||||
http:
|
||||
- route:
|
||||
- destination:
|
||||
host: {{ template "kubezero-lib.fullname" $ }}-service
|
||||
{{- end }}
|
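Review bot: The templated scalars under `gateways:` and `hosts:` are unquoted (`- {{ .Values.keycloak.istio.gateway }}`, `- {{ .Values.keycloak.istio.url }}`), so a value that looks like a number or boolean or contains YAML specials changes type or breaks the render after Helm substitutes it; `hostname:` in keycloak.yaml has the same pattern. Quote them: `- "{{ .Values.keycloak.istio.gateway }}"` and `- "{{ .Values.keycloak.istio.url }}"`. The `destination` carries only `host:` with no `port`; a route without `port.number` is only valid when the target Service exposes a single port, so if the operator-generated `<fullname>-service` exposes both an http and an https port this route will be rejected and should name the port explicitly.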
29
charts/kubezero-auth/templates/keycloak/keycloak.yaml
Normal file
29
charts/kubezero-auth/templates/keycloak/keycloak.yaml
Normal file
@ -0,0 +1,29 @@
|
||||
{{- if .Values.keycloak.enabled }}
|
||||
apiVersion: k8s.keycloak.org/v2alpha1
|
||||
kind: Keycloak
|
||||
metadata:
|
||||
name: {{ template "kubezero-lib.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
instances: 1
|
||||
# Wait for next release, already fixed
|
||||
#disableDefaultIngress: true
|
||||
serverConfiguration:
|
||||
- name: cache
|
||||
value: local
|
||||
- name: db
|
||||
value: dev-mem
|
||||
- name: hostname-strict-https
|
||||
value: "false"
|
||||
- name: proxy
|
||||
value: passthrough
|
||||
- name: http-enabled
|
||||
value: "true"
|
||||
|
||||
#hostname: INSECURE-DISABLE
|
||||
hostname: {{ default "keycloak" .Values.keycloak.istio.url }}
|
||||
|
||||
# We use Istio Ingress to terminate TLS
|
||||
# mTls down the road
|
||||
tlsSecret: INSECURE-DISABLE
|
||||
{{- end }}
|
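Review bot: `proxy: passthrough` contradicts the comment a few lines below that Istio ingress terminates TLS: passthrough is Keycloak's mode for a proxy that forwards the TLS connection untouched and lets Keycloak terminate it, whereas this spec disables TLS (`tlsSecret: INSECURE-DISABLE`) and enables plain HTTP, which is the `edge` mode. In passthrough mode Keycloak does not apply the `X-Forwarded-For`/`X-Forwarded-Proto` headers, so the client IP seen by brute-force detection and event logging is the proxy's, and generated redirect and issuer URLs can come out as `http://`; `hostname-strict-https: "false"` then lets that pass instead of surfacing the mismatch. Suggest `- name: proxy` / `value: edge` and re-checking whether `hostname-strict-https` still needs to be off once the forwarded headers are trusted. `db: dev-mem` and `cache: local` also deserve a comment that this is an ephemeral single-instance setup, e.g. `# dev-mem is an in-memory DB: all realm, user and session data is lost on pod restart; not for production`.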
@ -9,6 +9,6 @@ VERSION=$(yq eval '.appVersion' Chart.yaml)
|
||||
wget -q -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
|
||||
wget -q -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml
|
||||
|
||||
wget -q -O templates/keycloak-operator/all.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/kubernetes.yml
|
||||
wget -q -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/kubernetes.yml
|
||||
|
||||
patch -i keycloak.patch -p0 --no-backup-if-mismatch
|
||||
|
@ -1,2 +1,10 @@
|
||||
keycloak:
|
||||
enabled: false
|
||||
|
||||
istio:
|
||||
enabled: false
|
||||
gateway: istio-ingress/private-ingressgateway
|
||||
url: ""
|
||||
|
||||
metrics:
|
||||
enabled: false
|
||||
|
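Review bot: `keycloak.istio.ipBlocks` is read by the new AuthorizationPolicy template but is not declared here, so the allow-list is invisible in values.yaml and in the generated README table, and a reader of this file cannot tell that leaving it unset means no AuthorizationPolicy is rendered at all and the Keycloak host is reachable from any source the gateway accepts. Declare it alongside the other istio keys with a comment, e.g. `# Source CIDRs allowed to reach the Keycloak host; empty renders no AuthorizationPolicy, i.e. no IP restriction` followed by `ipBlocks: []`. The `enabled`/`gateway`/`url` keys are fine as written.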