feat: add metrics support to keycloak, block access to /metrics from ingress

2022-11-03 14:41:46 +01:00 · 2022-11-03 14:41:46 +01:00 · 4e533e5703
parent ae7962358b
commit 4e533e5703
8 changed files with 48 additions and 4 deletions
--- a/charts/kubezero-auth/Chart.yaml
+++ b/charts/kubezero-auth/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-auth
 description: KubeZero umbrella chart for all things Authentication and Identity management
 type: application
-version: 0.3.2
+version: 0.3.3
 appVersion: 20.0.0
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
--- a/charts/kubezero-auth/README.md
+++ b/charts/kubezero-auth/README.md
@ -1,6 +1,6 @@
 # kubezero-auth

-![Version: 0.2.4](https://img.shields.io/badge/Version-0.2.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 19.0.1](https://img.shields.io/badge/AppVersion-19.0.1-informational?style=flat-square)
+![Version: 0.3.3](https://img.shields.io/badge/Version-0.3.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 20.0.0](https://img.shields.io/badge/AppVersion-20.0.0-informational?style=flat-square)

 KubeZero umbrella chart for all things Authentication and Identity management

@ -26,6 +26,7 @@ Kubernetes: `>= 1.20.0`
 ## Operator

 https://github.com/keycloak/keycloak/tree/main/operator
+https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates

 ## Resources

@ -41,6 +42,8 @@ https://github.com/keycloak/keycloak/tree/main/operator
 | keycloak.istio.gateway | string | `"istio-ingress/private-ingressgateway"` |  |
 | keycloak.istio.url | string | `""` |  |
 | keycloak.metrics.enabled | bool | `false` |  |
+| keycloak.podDisruptionBudget.minAvailable | int | `1` |  |
+| keycloak.replicas | int | `1` |  |
 | postgresql.auth.database | string | `"keycloak"` |  |
 | postgresql.auth.existingSecret | string | `"kubezero-auth-postgresql"` |  |
 | postgresql.auth.username | string | `"keycloak"` |  |
--- a/charts/kubezero-auth/README.md.gotmpl
+++ b/charts/kubezero-auth/README.md.gotmpl
@ -18,6 +18,7 @@
 ## Operator

 https://github.com/keycloak/keycloak/tree/main/operator
+https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates

 ## Resources

--- a/charts/kubezero-auth/dashboards-keycloak.yaml
+++ b/charts/kubezero-auth/dashboards-keycloak.yaml
@ -0,0 +1,8 @@
+configmap: grafana-dashboards-keycloak
+condition: '.Values.keycloak.metrics.enabled'
+gzip: true
+# folder: 
+dashboards:
+- name: keycloak
+  url: https://grafana.com/api/dashboards/13106/revisions/3/download
+  tags: ['Keycloak', 'Auth']
--- a/charts/kubezero-auth/templates/keycloak/grafana-dashboards.yaml
+++ b/charts/kubezero-auth/templates/keycloak/grafana-dashboards.yaml
@ -0,0 +1,13 @@
+{{- if .Values.keycloak.metrics.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "grafana-dashboards-keycloak" | trunc 63 | trimSuffix "-" }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    grafana_dashboard: "1"
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
+binaryData:
+  keycloak.json.gz:
+    H4sIAAAAAAAC/+2dWW/buBaA3/MrBGFw0QJuKrtJ2ulbkk46xSSTdJLO3IsiMGiJljmWSZWk4rhF/vvlol30pmxOypcWJmWSZ+E5H5dYP7Ycx+33EY4Tztz3zlfx2XF+qH9FDQYTKErdD+f9s79OT367+P23L+duJ6uOwABGsj6mZAL5CCasqAwg8ymKOSJYPlJU8FmsGg0AB4wk1IdFXRwlIcKfgnmN6vo/02GdFU+oB27Ev5cdLRKF3xJEoUGorP8YYDH6vGmkOg1BEpbGkyngY7X4ClKWyaV77pj7CCkYAgwavdSL837qFaWe3m73tr3F3ZlFoiAeGbsqF68skslsaK7BcNNUpi67214r2RgHvNnZeaV0ZcmMPXAwiAwOcVEtbvaRuyLAmIjxiFrpi7pTN0KM555ZDEXUDBIU8U+ypW6nKC0p3axM8QzEakzvHU4TWCofocBQinyCD0lEqGyQhgPwwus4vW5X/LO723G6L8tNZ1LvF7I4/3H2I0h5ZQiFj7DRgAAauGndjfr/citVfj04TABFIBg4IRBNAsePEsYhdYhQ6xWC021HiEuRz5yhkNyZzNi3KHDgdUyoeGxbjcCFAeI1BbghhlwFk+6brreni6TbXxAScRSLCk8VKlPjJIr0J9EoSIfW3fO6v771dt7tens7qjZCeKyiijavchpDlFlqMXeIYBQcEjxEYe4YaeQcgiTirFIqyn2hFTKplUoPi1CISwKUqobCmYQwWi1DEDFYqr8pPyxsEMcIh6zklnXnzBqlahSu26nXKD16jWIOr6W3u1/Oml/hxNxU6krdRsUViBKl065bqbrp3GrU3bmj/nD6z593OW6vNu7Sp8uKRfhI5K8RiQLWtPmEqEntggEjUcJhbSAiMMK4acqmWqRbZVEgpBDihkSloUsHq9XedNbogMJgUfNeve3K58stU02pf1eGCyqCXV3uuuoA90eQNnSah/zB7EIasWFBEmdR3MXJZCCaWOSAMh3GIkAiuKIddOd6km8HiMURmJ1IMy9QmdbtqwHwxyElCQ7cFvZJE13hbQs6bH59uTMuccl541rNe5a76BxFrNrtvFlR67hr7tVQerm17KnVjZZ6yxQFfLTIbD2vzeTKSvPxCGWg4IxU45E7Eh93S/NwKtXRKxVcV7OCOytN9psqb+VfK822UlfCQae/QxCo6VsjGiZo4GCmMnOjbb1u+LsO08WaBNAQ8qp3VnKvgA3lDYo9+klcUbY7JFRElSYuarmwoFTMGwNWVSI7Cxs1UklecwR8rvywklDcCIYQB0d5t9UvUzjUS6j9IhxkVr0sZEYTeKSTYpkcVPn5CA15s4JHmq8llvnQkZxdJhpOAWZaF6np5mhTO6+GkyOJQexgphZ1FTFMHpAqRxBiYApHilTNQSa1g2+Mp3+rebK1aKLemPNPU60pA2tPMC44njQb/tyM8s5Cimg5wYgvxBLmPkZK61jIet6Q1Zh9t6KsByagSsECBNpZE4HuG3bCiAxA1Gcq2Qv0kXxw3/izGXzzpSqr5ZtN4JtVyWQC5KR7Uy1DuL5B9eAEswQwbssvMxhFZLqoh+6253nd2/SxFMJ6xi5uQ0r3uRTdNcfhvcVxWNgx8eGpcQ67Poj8pmO4EWDcnbvfpyYFa4Y7pVXWgPSyrmRSuMgc+Vgey+XPz3vqBNCxSBGPkkSmjMK4n27z9xn6Pj+hiADcZ5BKQJ2TVmpSbnBeOUzPNc7LAq+bVdShK7sgOq+smFGUCx1nx7V5plgz5OvDUbukfVIJYWmw3tg43QDmOYH63eJArTRxkhpOC11qV50HZrWAQlCu/Fe4IBrO8uqEk3I1EWEJ8+yosFHdJkNMIMD3kiHkaVZFjkeN+NWNw6cf0G+3EfoYIV2OMBb+3liZ5dFe3a0wBnsRgQFTlwdYhcjdAaAN7lCXAY4hDrmc9F2vUg5Nj2/A4sFua95tEhCJOSofYqiCjxQESDugtzxdvF0X67vN/ZURCgKIzzVO1h1PXwMoqF+HlupAwFVo4Go/oelEqtfoRWijVC1D66UUhSN+brysI8HdUCqe/Udtk6rd0HKwJ1wFy3oXxjxRqCdCGLJ6OJCF07SXwn7SH8+IiMtZTpEF7uJELC/38Hz9MXfhAcXUF1k1hA0LLctQsRyQdKqEVY4SVXnT4MJmAaRqH80dRqR0ZUwvOE4rPl1UxsCHpoAmAqY/bvQiw0EMg2OhxkbdyimVAg5fmPLqt0QN9Wt3cvnSbZkzf/xwsvTh3Ny0yqDlcPl1tcz6Fwyz3Hi5TsrVc835fFa6iMrz+1yVjVIgo57xnLgWLtS86GeJD+EAXaEgEbpreGfpYmf59uQ1uEY1bx8k/ljbtrpQyfNHbR81u2RXe9o89fOJbIi1M3ANF7hUsbYWTVNec42UJ+prKzci4QFgjZtNaYBrPK4jXKO4JIwpi2z2OBteP2saPVub1gOvKj+GV/mgK/ciLV9Zvtp8vmosx9sBlrcYsORE2WcX5qvMFr+K0nEtdT4BItt9RkRmgjHhbv2EwaDvE4yhrxW+/sb2Hd0Jy0jplbM24HXWkP1K3t0Xs1WLvxGSn4DrVaU+2BCsPZEqdQ4N2rNwa+HWwu1GwO2T2fl62wbMenbny6LXauhlDmpqZsvvTymqLduKExGlHhgCjq7gq/8tyr6PQXVo7kYbwpgEg74MMH0KQcC+dr3GnttDQo4axD3A3WoqUCZ+dB2oUTw11FOqdZwAsbGjjXjFHK1PC30W+iz0Wehrtx3Xivp2LPVZ6rsT6nvNxJhfPzPsG8xEWhbA50Mx8ODr7iMjnx7Gg1Kf1oC07SNLz9bYzNws1sOQTwmVtJfaTwCflMbinsU9i3sW98p3mFPc6+0s2ePr7bShvXdPh/bsHbZndoeNk3j8YrfjzCUNn0wmAAesr0yvaKP1nbZDMukLUkib3PxrbRckdg7TwR6SRMppd4MsHlg8uAc8CKCPJiCqxtdnwAxLzwXf9FowQ+/2F7ZqhcuAova49uG7YQZjtrbI8OSuvZMYYhj0xZz5me6+n8zOPx87R0Jo51QoQF2ttYxgGcEygmWEtozQOEZqBwk9CwkWEjbnJrbkA00HbcFAJliVatnDXaAuRt2P0KT2E3vtxn4s22lzatJZX+np/SCcTO5A/59EYx8OnPXNcLhRsFaM35KaJTVLavdKat2fajdnp82f3/V27g/U6kg2n9MWHQ6ZfrTMQtxzh7j5909YRKZ38jMH56Ih57NuyCHYeYJbP2URLE+04YlffhmJRPMHlAHUJYN/oc/f/7oz71LTZjOHUZbdDZfFXkJ5TptF7RhkbyM2iyxoWNAogwYYyNfJ5X+8fzvY2NeNZX/RzZwXgHM4iTl7KdnjIS/w5nJFMhLckVi6LeeFTOMk4esIdbBRSFUzlP3T+7skq56393zQque9/XnZKn+dqZjGcoZKqd94eqq4zB/BCSiyiU7wIl7PovR1oHSsnxTJqHAhV+jXjwgYp5pz9xORCPKeZLiMAEc4XOW9qau8IVX/PHT956iyF6SWJ27+ZmPTW1CP0mbKs2mM4i80Op9h36DbbHKDYET8ea9EVdM2FzR7WyUm01fdLCCkL50UZW7lazESIYHmkKvKvhOVJd1U71nQ+6jesPr6RJ45fDgQIfs0fceqfi5J3+T73/C79+3oY2q14u22va2b/wNlgA7kM3oAAA==
+{{- end }}
--- a/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml
+++ b/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml
@ -1,8 +1,8 @@
-{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled .Values.keycloak.istio.ipBlocks }}
+{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled }}
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
-  name: {{ .Release.Name }}-deny-not-in-ipblocks
+  name: {{ .Release.Name }}-deny-metrics-ipblocks
  namespace: istio-system
  labels:
    {{- include "kubezero-lib.labels" $ | nindent 4 }}
@ -12,6 +12,15 @@ spec:
      app: istio-ingressgateway
  action: DENY
  rules:
+  - to:
+    - operation:
+        hosts: ["{{ .Values.keycloak.istio.url }}"]
+        paths: ["/metrics*"]
+    when:
+    - key: connection.sni
+      values:
+      - '*'
+  {{- if .Values.keycloak.istio.ipBlocks }}
  - from:
    - source:
        notIpBlocks:
@ -23,4 +32,5 @@ spec:
    - key: connection.sni
      values:
      - '*'
+  {{- end }}
 {{- end }}
--- a/charts/kubezero-auth/templates/keycloak/keycloak.yaml
+++ b/charts/kubezero-auth/templates/keycloak/keycloak.yaml
@ -4,6 +4,8 @@ kind: Keycloak
 metadata:
  name: {{ template "kubezero-lib.fullname" . }}
  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  instances: {{ .Values.keycloak.replicas }}

@ -29,12 +31,16 @@ spec:
    - name: db
      value: dev-file
    {{- end }}
+    - name: metrics-enabled
+      value: {{ .Values.keycloak.metrics.enabled | quote }}
    - name: hostname-strict-https
      value: "false"
    - name: proxy
      value: edge
    - name: http-enabled
      value: "true"
+    - name: log-console-output
+      value: json


  ingress:
--- a/charts/kubezero-auth/update.sh
+++ b/charts/kubezero-auth/update.sh
@ -14,3 +14,6 @@ wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keyclo

 wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/kubernetes.yml
 patch -i keycloak.patch -p0 --no-backup-if-mismatch
+
+# Fetch dashboards
+../kubezero-metrics/sync_grafana_dashboards.py dashboards-keycloak.yaml templates/keycloak/grafana-dashboards.yaml