feat: add metrics support to keycloak, block access to /metrics from ingress
This commit is contained in:
parent
9363460690
commit
3c8842563e
@ -2,7 +2,7 @@ apiVersion: v2
|
|||||||
name: kubezero-auth
|
name: kubezero-auth
|
||||||
description: KubeZero umbrella chart for all things Authentication and Identity management
|
description: KubeZero umbrella chart for all things Authentication and Identity management
|
||||||
type: application
|
type: application
|
||||||
version: 0.3.2
|
version: 0.3.3
|
||||||
appVersion: 20.0.0
|
appVersion: 20.0.0
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# kubezero-auth
|
# kubezero-auth
|
||||||
|
|
||||||
![Version: 0.2.4](https://img.shields.io/badge/Version-0.2.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 19.0.1](https://img.shields.io/badge/AppVersion-19.0.1-informational?style=flat-square)
|
![Version: 0.3.3](https://img.shields.io/badge/Version-0.3.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 20.0.0](https://img.shields.io/badge/AppVersion-20.0.0-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero umbrella chart for all things Authentication and Identity management
|
KubeZero umbrella chart for all things Authentication and Identity management
|
||||||
|
|
||||||
@ -26,6 +26,7 @@ Kubernetes: `>= 1.20.0`
|
|||||||
## Operator
|
## Operator
|
||||||
|
|
||||||
https://github.com/keycloak/keycloak/tree/main/operator
|
https://github.com/keycloak/keycloak/tree/main/operator
|
||||||
|
https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates
|
||||||
|
|
||||||
## Resources
|
## Resources
|
||||||
|
|
||||||
@ -41,6 +42,8 @@ https://github.com/keycloak/keycloak/tree/main/operator
|
|||||||
| keycloak.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
|
| keycloak.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
|
||||||
| keycloak.istio.url | string | `""` | |
|
| keycloak.istio.url | string | `""` | |
|
||||||
| keycloak.metrics.enabled | bool | `false` | |
|
| keycloak.metrics.enabled | bool | `false` | |
|
||||||
|
| keycloak.podDisruptionBudget.minAvailable | int | `1` | |
|
||||||
|
| keycloak.replicas | int | `1` | |
|
||||||
| postgresql.auth.database | string | `"keycloak"` | |
|
| postgresql.auth.database | string | `"keycloak"` | |
|
||||||
| postgresql.auth.existingSecret | string | `"kubezero-auth-postgresql"` | |
|
| postgresql.auth.existingSecret | string | `"kubezero-auth-postgresql"` | |
|
||||||
| postgresql.auth.username | string | `"keycloak"` | |
|
| postgresql.auth.username | string | `"keycloak"` | |
|
||||||
|
@ -18,6 +18,7 @@
|
|||||||
## Operator
|
## Operator
|
||||||
|
|
||||||
https://github.com/keycloak/keycloak/tree/main/operator
|
https://github.com/keycloak/keycloak/tree/main/operator
|
||||||
|
https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates
|
||||||
|
|
||||||
## Resources
|
## Resources
|
||||||
|
|
||||||
|
8
charts/kubezero-auth/dashboards-keycloak.yaml
Normal file
8
charts/kubezero-auth/dashboards-keycloak.yaml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
configmap: grafana-dashboards-keycloak
|
||||||
|
condition: '.Values.keycloak.metrics.enabled'
|
||||||
|
gzip: true
|
||||||
|
# folder:
|
||||||
|
dashboards:
|
||||||
|
- name: keycloak
|
||||||
|
url: https://grafana.com/api/dashboards/13106/revisions/3/download
|
||||||
|
tags: ['Keycloak', 'Auth']
|
@ -0,0 +1,13 @@
|
|||||||
|
{{- if .Values.keycloak.metrics.enabled }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "grafana-dashboards-keycloak" | trunc 63 | trimSuffix "-" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
grafana_dashboard: "1"
|
||||||
|
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||||
|
binaryData:
|
||||||
|
keycloak.json.gz:
|
||||||
|
H4sIAAAAAAAC/+2dWW/buBaA3/MrBGFw0QJuKrtJ2ulbkk46xSSTdJLO3IsiMGiJljmWSZWk4rhF/vvlol30pmxOypcWJmWSZ+E5H5dYP7Ycx+33EY4Tztz3zlfx2XF+qH9FDQYTKErdD+f9s79OT367+P23L+duJ6uOwABGsj6mZAL5CCasqAwg8ymKOSJYPlJU8FmsGg0AB4wk1IdFXRwlIcKfgnmN6vo/02GdFU+oB27Ev5cdLRKF3xJEoUGorP8YYDH6vGmkOg1BEpbGkyngY7X4ClKWyaV77pj7CCkYAgwavdSL837qFaWe3m73tr3F3ZlFoiAeGbsqF68skslsaK7BcNNUpi67214r2RgHvNnZeaV0ZcmMPXAwiAwOcVEtbvaRuyLAmIjxiFrpi7pTN0KM555ZDEXUDBIU8U+ypW6nKC0p3axM8QzEakzvHU4TWCofocBQinyCD0lEqGyQhgPwwus4vW5X/LO723G6L8tNZ1LvF7I4/3H2I0h5ZQiFj7DRgAAauGndjfr/citVfj04TABFIBg4IRBNAsePEsYhdYhQ6xWC021HiEuRz5yhkNyZzNi3KHDgdUyoeGxbjcCFAeI1BbghhlwFk+6brreni6TbXxAScRSLCk8VKlPjJIr0J9EoSIfW3fO6v771dt7tens7qjZCeKyiijavchpDlFlqMXeIYBQcEjxEYe4YaeQcgiTirFIqyn2hFTKplUoPi1CISwKUqobCmYQwWi1DEDFYqr8pPyxsEMcIh6zklnXnzBqlahSu26nXKD16jWIOr6W3u1/Oml/hxNxU6krdRsUViBKl065bqbrp3GrU3bmj/nD6z593OW6vNu7Sp8uKRfhI5K8RiQLWtPmEqEntggEjUcJhbSAiMMK4acqmWqRbZVEgpBDihkSloUsHq9XedNbogMJgUfNeve3K58stU02pf1eGCyqCXV3uuuoA90eQNnSah/zB7EIasWFBEmdR3MXJZCCaWOSAMh3GIkAiuKIddOd6km8HiMURmJ1IMy9QmdbtqwHwxyElCQ7cFvZJE13hbQs6bH59uTMuccl541rNe5a76BxFrNrtvFlR67hr7tVQerm17KnVjZZ6yxQFfLTIbD2vzeTKSvPxCGWg4IxU45E7Eh93S/NwKtXRKxVcV7OCOytN9psqb+VfK822UlfCQae/QxCo6VsjGiZo4GCmMnOjbb1u+LsO08WaBNAQ8qp3VnKvgA3lDYo9+klcUbY7JFRElSYuarmwoFTMGwNWVSI7Cxs1UklecwR8rvywklDcCIYQB0d5t9UvUzjUS6j9IhxkVr0sZEYTeKSTYpkcVPn5CA15s4JHmq8llvnQkZxdJhpOAWZaF6np5mhTO6+GkyOJQexgphZ1FTFMHpAqRxBiYApHilTNQSa1g2+Mp3+rebK1aKLemPNPU60pA2tPMC44njQb/tyM8s5Cimg5wYgvxBLmPkZK61jIet6Q1Zh9t6KsByagSsECBNpZE4HuG3bCiAxA1Gcq2Qv0kXxw3/izGXzzpSqr5ZtN4JtVyWQC5KR7Uy1DuL5B9eAEswQwbssvMxhFZLqoh+6253nd2/SxFMJ6xi5uQ0r3uRTdNcfhvcVxWNgx8eGpcQ67Poj8pmO4EWDcnbvfpyYFa4Y7pVXWgPSyrmRSuMgc+Vgey+XPz3vqBNCxSBGPkkSmjMK4n27z9xn6Pj+hiADcZ5BKQJ2TVmpSbnBeOUzPNc7LAq+bVdShK7sgOq+smFGUCx1nx7V5plgz5OvDUbukfVIJYWmw3tg43QDmOYH63eJArTRxkhpOC11qV50HZrWAQlCu/Fe4IBrO8uqEk3I1EWEJ8+yosFHdJkNMIMD3kiHkaVZFjkeN+NWNw6cf0G+3EfoYIV2OMBb+3liZ5dFe3a0wBnsRgQFTlwdYhcjdAaAN7lCXAY4hDrmc9F2vUg5Nj2/A4sFua95tEhCJOSofYqiCjxQESDugtzxdvF0X67vN/ZURCgKIzzVO1h1PXwMoqF+HlupAwFVo4Go/oelEqtfoRWijVC1D66UUhSN+brysI8HdUCqe/Udtk6rd0HKwJ1wFy3oXxjxRqCdCGLJ6OJCF07SXwn7SH8+IiMtZTpEF7uJELC/38Hz9MXfhAcXUF1k1hA0LLctQsRyQdKqEVY4SVXnT4MJmAaRqH80dRqR0ZUwvOE4rPl1UxsCHpoAmAqY/bvQiw0EMg2OhxkbdyimVAg5fmPLqt0QN9Wt3cvnSbZkzf/xwsvTh3Ny0yqDlcPl1tcz6Fwyz3Hi5TsrVc835fFa6iMrz+1yVjVIgo57xnLgWLtS86GeJD+EAXaEgEbpreGfpYmf59uQ1uEY1bx8k/ljbtrpQyfNHbR81u2RXe9o89fOJbIi1M3ANF7hUsbYWTVNec42UJ+prKzci4QFgjZtNaYBrPK4jXKO4JIwpi2z2OBteP2saPVub1gOvKj+GV/mgK/ciLV9Zvtp8vmosx9sBlrcYsORE2WcX5qvMFr+K0nEtdT4BItt9RkRmgjHhbv2EwaDvE4yhrxW+/sb2Hd0Jy0jplbM24HXWkP1K3t0Xs1WLvxGSn4DrVaU+2BCsPZEqdQ4N2rNwa+HWwu1GwO2T2fl62wbMenbny6LXauhlDmpqZsvvTymqLduKExGlHhgCjq7gq/8tyr6PQXVo7kYbwpgEg74MMH0KQcC+dr3GnttDQo4axD3A3WoqUCZ+dB2oUTw11FOqdZwAsbGjjXjFHK1PC30W+iz0Wehrtx3Xivp2LPVZ6rsT6nvNxJhfPzPsG8xEWhbA50Mx8ODr7iMjnx7Gg1Kf1oC07SNLz9bYzNws1sOQTwmVtJfaTwCflMbinsU9i3sW98p3mFPc6+0s2ePr7bShvXdPh/bsHbZndoeNk3j8YrfjzCUNn0wmAAesr0yvaKP1nbZDMukLUkib3PxrbRckdg7TwR6SRMppd4MsHlg8uAc8CKCPJiCqxtdnwAxLzwXf9FowQ+/2F7ZqhcuAova49uG7YQZjtrbI8OSuvZMYYhj0xZz5me6+n8zOPx87R0Jo51QoQF2ttYxgGcEygmWEtozQOEZqBwk9CwkWEjbnJrbkA00HbcFAJliVatnDXaAuRt2P0KT2E3vtxn4s22lzatJZX+np/SCcTO5A/59EYx8OnPXNcLhRsFaM35KaJTVLavdKat2fajdnp82f3/V27g/U6kg2n9MWHQ6ZfrTMQtxzh7j5909YRKZ38jMH56Ih57NuyCHYeYJbP2URLE+04YlffhmJRPMHlAHUJYN/oc/f/7oz71LTZjOHUZbdDZfFXkJ5TptF7RhkbyM2iyxoWNAogwYYyNfJ5X+8fzvY2NeNZX/RzZwXgHM4iTl7KdnjIS/w5nJFMhLckVi6LeeFTOMk4esIdbBRSFUzlP3T+7skq56393zQque9/XnZKn+dqZjGcoZKqd94eqq4zB/BCSiyiU7wIl7PovR1oHSsnxTJqHAhV+jXjwgYp5pz9xORCPKeZLiMAEc4XOW9qau8IVX/PHT956iyF6SWJ27+ZmPTW1CP0mbKs2mM4i80Op9h36DbbHKDYET8ea9EVdM2FzR7WyUm01fdLCCkL50UZW7lazESIYHmkKvKvhOVJd1U71nQ+6jesPr6RJ45fDgQIfs0fceqfi5J3+T73/C79+3oY2q14u22va2b/wNlgA7kM3oAAA==
|
||||||
|
{{- end }}
|
@ -1,8 +1,8 @@
|
|||||||
{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled .Values.keycloak.istio.ipBlocks }}
|
{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled }}
|
||||||
apiVersion: security.istio.io/v1beta1
|
apiVersion: security.istio.io/v1beta1
|
||||||
kind: AuthorizationPolicy
|
kind: AuthorizationPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ .Release.Name }}-deny-not-in-ipblocks
|
name: {{ .Release.Name }}-deny-metrics-ipblocks
|
||||||
namespace: istio-system
|
namespace: istio-system
|
||||||
labels:
|
labels:
|
||||||
{{- include "kubezero-lib.labels" $ | nindent 4 }}
|
{{- include "kubezero-lib.labels" $ | nindent 4 }}
|
||||||
@ -12,6 +12,15 @@ spec:
|
|||||||
app: istio-ingressgateway
|
app: istio-ingressgateway
|
||||||
action: DENY
|
action: DENY
|
||||||
rules:
|
rules:
|
||||||
|
- to:
|
||||||
|
- operation:
|
||||||
|
hosts: ["{{ .Values.keycloak.istio.url }}"]
|
||||||
|
paths: ["/metrics*"]
|
||||||
|
when:
|
||||||
|
- key: connection.sni
|
||||||
|
values:
|
||||||
|
- '*'
|
||||||
|
{{- if .Values.keycloak.istio.ipBlocks }}
|
||||||
- from:
|
- from:
|
||||||
- source:
|
- source:
|
||||||
notIpBlocks:
|
notIpBlocks:
|
||||||
@ -24,3 +33,4 @@ spec:
|
|||||||
values:
|
values:
|
||||||
- '*'
|
- '*'
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
@ -4,6 +4,8 @@ kind: Keycloak
|
|||||||
metadata:
|
metadata:
|
||||||
name: {{ template "kubezero-lib.fullname" . }}
|
name: {{ template "kubezero-lib.fullname" . }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||||
spec:
|
spec:
|
||||||
instances: {{ .Values.keycloak.replicas }}
|
instances: {{ .Values.keycloak.replicas }}
|
||||||
|
|
||||||
@ -29,12 +31,16 @@ spec:
|
|||||||
- name: db
|
- name: db
|
||||||
value: dev-file
|
value: dev-file
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
- name: metrics-enabled
|
||||||
|
value: {{ .Values.keycloak.metrics.enabled | quote }}
|
||||||
- name: hostname-strict-https
|
- name: hostname-strict-https
|
||||||
value: "false"
|
value: "false"
|
||||||
- name: proxy
|
- name: proxy
|
||||||
value: edge
|
value: edge
|
||||||
- name: http-enabled
|
- name: http-enabled
|
||||||
value: "true"
|
value: "true"
|
||||||
|
- name: log-console-output
|
||||||
|
value: json
|
||||||
|
|
||||||
|
|
||||||
ingress:
|
ingress:
|
||||||
|
@ -14,3 +14,6 @@ wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keyclo
|
|||||||
|
|
||||||
wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/kubernetes.yml
|
wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/kubernetes.yml
|
||||||
patch -i keycloak.patch -p0 --no-backup-if-mismatch
|
patch -i keycloak.patch -p0 --no-backup-if-mismatch
|
||||||
|
|
||||||
|
# Fetch dashboards
|
||||||
|
../kubezero-metrics/sync_grafana_dashboards.py dashboards-keycloak.yaml templates/keycloak/grafana-dashboards.yaml
|
||||||
|
Loading…
Reference in New Issue
Block a user