From 3c8842563e6840873f9867f46961e318ba064832 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Thu, 3 Nov 2022 14:41:46 +0100 Subject: [PATCH] feat: add metrics support to keycloak, block access to /metrics from ingress --- charts/kubezero-auth/Chart.yaml | 2 +- charts/kubezero-auth/README.md | 5 ++++- charts/kubezero-auth/README.md.gotmpl | 1 + charts/kubezero-auth/dashboards-keycloak.yaml | 8 ++++++++ .../templates/keycloak/grafana-dashboards.yaml | 13 +++++++++++++ .../keycloak/istio-authorization-policy.yaml | 14 ++++++++++++-- .../kubezero-auth/templates/keycloak/keycloak.yaml | 6 ++++++ charts/kubezero-auth/update.sh | 3 +++ 8 files changed, 48 insertions(+), 4 deletions(-) create mode 100644 charts/kubezero-auth/dashboards-keycloak.yaml create mode 100644 charts/kubezero-auth/templates/keycloak/grafana-dashboards.yaml diff --git a/charts/kubezero-auth/Chart.yaml b/charts/kubezero-auth/Chart.yaml index 449c5ff7..a5c1a91b 100644 --- a/charts/kubezero-auth/Chart.yaml +++ b/charts/kubezero-auth/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-auth description: KubeZero umbrella chart for all things Authentication and Identity management type: application -version: 0.3.2 +version: 0.3.3 appVersion: 20.0.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png diff --git a/charts/kubezero-auth/README.md b/charts/kubezero-auth/README.md index dc2fdcff..c30c036c 100644 --- a/charts/kubezero-auth/README.md +++ b/charts/kubezero-auth/README.md @@ -1,6 +1,6 @@ # kubezero-auth -![Version: 0.2.4](https://img.shields.io/badge/Version-0.2.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 19.0.1](https://img.shields.io/badge/AppVersion-19.0.1-informational?style=flat-square) +![Version: 0.3.3](https://img.shields.io/badge/Version-0.3.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 20.0.0](https://img.shields.io/badge/AppVersion-20.0.0-informational?style=flat-square) KubeZero umbrella chart for all things Authentication and Identity management @@ -26,6 +26,7 @@ Kubernetes: `>= 1.20.0` ## Operator https://github.com/keycloak/keycloak/tree/main/operator +https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates ## Resources @@ -41,6 +42,8 @@ https://github.com/keycloak/keycloak/tree/main/operator | keycloak.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | | keycloak.istio.url | string | `""` | | | keycloak.metrics.enabled | bool | `false` | | +| keycloak.podDisruptionBudget.minAvailable | int | `1` | | +| keycloak.replicas | int | `1` | | | postgresql.auth.database | string | `"keycloak"` | | | postgresql.auth.existingSecret | string | `"kubezero-auth-postgresql"` | | | postgresql.auth.username | string | `"keycloak"` | | diff --git a/charts/kubezero-auth/README.md.gotmpl b/charts/kubezero-auth/README.md.gotmpl index 5d55cd63..255f9dfc 100644 --- a/charts/kubezero-auth/README.md.gotmpl +++ b/charts/kubezero-auth/README.md.gotmpl @@ -18,6 +18,7 @@ ## Operator https://github.com/keycloak/keycloak/tree/main/operator +https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates ## Resources diff --git a/charts/kubezero-auth/dashboards-keycloak.yaml b/charts/kubezero-auth/dashboards-keycloak.yaml new file mode 100644 index 00000000..69c7be05 --- /dev/null +++ b/charts/kubezero-auth/dashboards-keycloak.yaml @@ -0,0 +1,8 @@ +configmap: grafana-dashboards-keycloak +condition: '.Values.keycloak.metrics.enabled' +gzip: true +# folder: +dashboards: +- name: keycloak + url: https://grafana.com/api/dashboards/13106/revisions/3/download + tags: ['Keycloak', 'Auth'] diff --git a/charts/kubezero-auth/templates/keycloak/grafana-dashboards.yaml b/charts/kubezero-auth/templates/keycloak/grafana-dashboards.yaml new file mode 100644 index 00000000..12de60fc --- /dev/null +++ b/charts/kubezero-auth/templates/keycloak/grafana-dashboards.yaml @@ -0,0 +1,13 @@ +{{- if .Values.keycloak.metrics.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "grafana-dashboards-keycloak" | trunc 63 | trimSuffix "-" }} + namespace: {{ .Release.Namespace }} + labels: + grafana_dashboard: "1" + {{- include "kubezero-lib.labels" . | nindent 4 }} +binaryData: + keycloak.json.gz: + H4sIAAAAAAAC/+2dWW/buBaA3/MrBGFw0QJuKrtJ2ulbkk46xSSTdJLO3IsiMGiJljmWSZWk4rhF/vvlol30pmxOypcWJmWSZ+E5H5dYP7Ycx+33EY4Tztz3zlfx2XF+qH9FDQYTKErdD+f9s79OT367+P23L+duJ6uOwABGsj6mZAL5CCasqAwg8ymKOSJYPlJU8FmsGg0AB4wk1IdFXRwlIcKfgnmN6vo/02GdFU+oB27Ev5cdLRKF3xJEoUGorP8YYDH6vGmkOg1BEpbGkyngY7X4ClKWyaV77pj7CCkYAgwavdSL837qFaWe3m73tr3F3ZlFoiAeGbsqF68skslsaK7BcNNUpi67214r2RgHvNnZeaV0ZcmMPXAwiAwOcVEtbvaRuyLAmIjxiFrpi7pTN0KM555ZDEXUDBIU8U+ypW6nKC0p3axM8QzEakzvHU4TWCofocBQinyCD0lEqGyQhgPwwus4vW5X/LO723G6L8tNZ1LvF7I4/3H2I0h5ZQiFj7DRgAAauGndjfr/citVfj04TABFIBg4IRBNAsePEsYhdYhQ6xWC021HiEuRz5yhkNyZzNi3KHDgdUyoeGxbjcCFAeI1BbghhlwFk+6brreni6TbXxAScRSLCk8VKlPjJIr0J9EoSIfW3fO6v771dt7tens7qjZCeKyiijavchpDlFlqMXeIYBQcEjxEYe4YaeQcgiTirFIqyn2hFTKplUoPi1CISwKUqobCmYQwWi1DEDFYqr8pPyxsEMcIh6zklnXnzBqlahSu26nXKD16jWIOr6W3u1/Oml/hxNxU6krdRsUViBKl065bqbrp3GrU3bmj/nD6z593OW6vNu7Sp8uKRfhI5K8RiQLWtPmEqEntggEjUcJhbSAiMMK4acqmWqRbZVEgpBDihkSloUsHq9XedNbogMJgUfNeve3K58stU02pf1eGCyqCXV3uuuoA90eQNnSah/zB7EIasWFBEmdR3MXJZCCaWOSAMh3GIkAiuKIddOd6km8HiMURmJ1IMy9QmdbtqwHwxyElCQ7cFvZJE13hbQs6bH59uTMuccl541rNe5a76BxFrNrtvFlR67hr7tVQerm17KnVjZZ6yxQFfLTIbD2vzeTKSvPxCGWg4IxU45E7Eh93S/NwKtXRKxVcV7OCOytN9psqb+VfK822UlfCQae/QxCo6VsjGiZo4GCmMnOjbb1u+LsO08WaBNAQ8qp3VnKvgA3lDYo9+klcUbY7JFRElSYuarmwoFTMGwNWVSI7Cxs1UklecwR8rvywklDcCIYQB0d5t9UvUzjUS6j9IhxkVr0sZEYTeKSTYpkcVPn5CA15s4JHmq8llvnQkZxdJhpOAWZaF6np5mhTO6+GkyOJQexgphZ1FTFMHpAqRxBiYApHilTNQSa1g2+Mp3+rebK1aKLemPNPU60pA2tPMC44njQb/tyM8s5Cimg5wYgvxBLmPkZK61jIet6Q1Zh9t6KsByagSsECBNpZE4HuG3bCiAxA1Gcq2Qv0kXxw3/izGXzzpSqr5ZtN4JtVyWQC5KR7Uy1DuL5B9eAEswQwbssvMxhFZLqoh+6253nd2/SxFMJ6xi5uQ0r3uRTdNcfhvcVxWNgx8eGpcQ67Poj8pmO4EWDcnbvfpyYFa4Y7pVXWgPSyrmRSuMgc+Vgey+XPz3vqBNCxSBGPkkSmjMK4n27z9xn6Pj+hiADcZ5BKQJ2TVmpSbnBeOUzPNc7LAq+bVdShK7sgOq+smFGUCx1nx7V5plgz5OvDUbukfVIJYWmw3tg43QDmOYH63eJArTRxkhpOC11qV50HZrWAQlCu/Fe4IBrO8uqEk3I1EWEJ8+yosFHdJkNMIMD3kiHkaVZFjkeN+NWNw6cf0G+3EfoYIV2OMBb+3liZ5dFe3a0wBnsRgQFTlwdYhcjdAaAN7lCXAY4hDrmc9F2vUg5Nj2/A4sFua95tEhCJOSofYqiCjxQESDugtzxdvF0X67vN/ZURCgKIzzVO1h1PXwMoqF+HlupAwFVo4Go/oelEqtfoRWijVC1D66UUhSN+brysI8HdUCqe/Udtk6rd0HKwJ1wFy3oXxjxRqCdCGLJ6OJCF07SXwn7SH8+IiMtZTpEF7uJELC/38Hz9MXfhAcXUF1k1hA0LLctQsRyQdKqEVY4SVXnT4MJmAaRqH80dRqR0ZUwvOE4rPl1UxsCHpoAmAqY/bvQiw0EMg2OhxkbdyimVAg5fmPLqt0QN9Wt3cvnSbZkzf/xwsvTh3Ny0yqDlcPl1tcz6Fwyz3Hi5TsrVc835fFa6iMrz+1yVjVIgo57xnLgWLtS86GeJD+EAXaEgEbpreGfpYmf59uQ1uEY1bx8k/ljbtrpQyfNHbR81u2RXe9o89fOJbIi1M3ANF7hUsbYWTVNec42UJ+prKzci4QFgjZtNaYBrPK4jXKO4JIwpi2z2OBteP2saPVub1gOvKj+GV/mgK/ciLV9Zvtp8vmosx9sBlrcYsORE2WcX5qvMFr+K0nEtdT4BItt9RkRmgjHhbv2EwaDvE4yhrxW+/sb2Hd0Jy0jplbM24HXWkP1K3t0Xs1WLvxGSn4DrVaU+2BCsPZEqdQ4N2rNwa+HWwu1GwO2T2fl62wbMenbny6LXauhlDmpqZsvvTymqLduKExGlHhgCjq7gq/8tyr6PQXVo7kYbwpgEg74MMH0KQcC+dr3GnttDQo4axD3A3WoqUCZ+dB2oUTw11FOqdZwAsbGjjXjFHK1PC30W+iz0Wehrtx3Xivp2LPVZ6rsT6nvNxJhfPzPsG8xEWhbA50Mx8ODr7iMjnx7Gg1Kf1oC07SNLz9bYzNws1sOQTwmVtJfaTwCflMbinsU9i3sW98p3mFPc6+0s2ePr7bShvXdPh/bsHbZndoeNk3j8YrfjzCUNn0wmAAesr0yvaKP1nbZDMukLUkib3PxrbRckdg7TwR6SRMppd4MsHlg8uAc8CKCPJiCqxtdnwAxLzwXf9FowQ+/2F7ZqhcuAova49uG7YQZjtrbI8OSuvZMYYhj0xZz5me6+n8zOPx87R0Jo51QoQF2ttYxgGcEygmWEtozQOEZqBwk9CwkWEjbnJrbkA00HbcFAJliVatnDXaAuRt2P0KT2E3vtxn4s22lzatJZX+np/SCcTO5A/59EYx8OnPXNcLhRsFaM35KaJTVLavdKat2fajdnp82f3/V27g/U6kg2n9MWHQ6ZfrTMQtxzh7j5909YRKZ38jMH56Ih57NuyCHYeYJbP2URLE+04YlffhmJRPMHlAHUJYN/oc/f/7oz71LTZjOHUZbdDZfFXkJ5TptF7RhkbyM2iyxoWNAogwYYyNfJ5X+8fzvY2NeNZX/RzZwXgHM4iTl7KdnjIS/w5nJFMhLckVi6LeeFTOMk4esIdbBRSFUzlP3T+7skq56393zQque9/XnZKn+dqZjGcoZKqd94eqq4zB/BCSiyiU7wIl7PovR1oHSsnxTJqHAhV+jXjwgYp5pz9xORCPKeZLiMAEc4XOW9qau8IVX/PHT956iyF6SWJ27+ZmPTW1CP0mbKs2mM4i80Op9h36DbbHKDYET8ea9EVdM2FzR7WyUm01fdLCCkL50UZW7lazESIYHmkKvKvhOVJd1U71nQ+6jesPr6RJ45fDgQIfs0fceqfi5J3+T73/C79+3oY2q14u22va2b/wNlgA7kM3oAAA== +{{- end }} diff --git a/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml b/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml index 641354ef..e2c7acbf 100644 --- a/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml +++ b/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml @@ -1,8 +1,8 @@ -{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled .Values.keycloak.istio.ipBlocks }} +{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled }} apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: {{ .Release.Name }}-deny-not-in-ipblocks + name: {{ .Release.Name }}-deny-metrics-ipblocks namespace: istio-system labels: {{- include "kubezero-lib.labels" $ | nindent 4 }} @@ -12,6 +12,15 @@ spec: app: istio-ingressgateway action: DENY rules: + - to: + - operation: + hosts: ["{{ .Values.keycloak.istio.url }}"] + paths: ["/metrics*"] + when: + - key: connection.sni + values: + - '*' + {{- if .Values.keycloak.istio.ipBlocks }} - from: - source: notIpBlocks: @@ -23,4 +32,5 @@ spec: - key: connection.sni values: - '*' + {{- end }} {{- end }} diff --git a/charts/kubezero-auth/templates/keycloak/keycloak.yaml b/charts/kubezero-auth/templates/keycloak/keycloak.yaml index 87af1215..dc484553 100644 --- a/charts/kubezero-auth/templates/keycloak/keycloak.yaml +++ b/charts/kubezero-auth/templates/keycloak/keycloak.yaml @@ -4,6 +4,8 @@ kind: Keycloak metadata: name: {{ template "kubezero-lib.fullname" . }} namespace: {{ .Release.Namespace }} + labels: + {{- include "kubezero-lib.labels" . | nindent 4 }} spec: instances: {{ .Values.keycloak.replicas }} @@ -29,12 +31,16 @@ spec: - name: db value: dev-file {{- end }} + - name: metrics-enabled + value: {{ .Values.keycloak.metrics.enabled | quote }} - name: hostname-strict-https value: "false" - name: proxy value: edge - name: http-enabled value: "true" + - name: log-console-output + value: json ingress: diff --git a/charts/kubezero-auth/update.sh b/charts/kubezero-auth/update.sh index b1ab082c..393f71a9 100755 --- a/charts/kubezero-auth/update.sh +++ b/charts/kubezero-auth/update.sh @@ -14,3 +14,6 @@ wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keyclo wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/kubernetes.yml patch -i keycloak.patch -p0 --no-backup-if-mismatch + +# Fetch dashboards +../kubezero-metrics/sync_grafana_dashboards.py dashboards-keycloak.yaml templates/keycloak/grafana-dashboards.yaml