feat: auth w/ gatekeeper (#3)

* feat: auth w/ gatekeeper

* fix: chart typo

* fix: chart typo 2

* fix(auth): keycloak client secret

* feat: reference generated secret from keycloak client

* fix: client id

* fix: yaml indentation

* fix: use namespace for client id as it changes per ns but not per build

* fix: use namespace for clientId in deployment as well

* fix: auth only

* fix: audience mapper only

* fix: roles and username mapper

* fix: refactor some variables out and set gatekeeper resources for HPA to be happy

* fix: more refactoring

* chore: resource settings test

* fix: missing resource change from HPA tests

* fix: calculate redirectUris

* feat(auth): tenant mapper

* feat(auth): rm tenant mapper - did not work

* fix(auth): update keycloak details

* fix(auth): add /* of domain as valid redirects

charts/demo-app/templates/deployment.yaml

@@ -26,6 +26,32 @@ spec:
 {{- end }}
     spec:
       containers:
+      - image: quay.io/keycloak/keycloak-gatekeeper:9.0.3
+        name: gatekeeper-sidecar
+        ports:
+        - containerPort: {{ .Values.keycloak.proxyPort }}
+        env:
+          - name: KEYCLOAK_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Release.Namespace }}
+                key: secret
+        args:
+        - --resources=uri=/|white-listed=true
+        - --resources=uri=/dist|white-listed=true
+        - --resources=uri=/css|white-listed=true
+        - --resources=uri=/metrics|white-listed=true
+        - --resources=uri=/favicon.ico|white-listed=true
+        - --resources=uri=/about
+        - --discovery-url={{ .Values.keycloak.url }}/auth/realms/{{ .Values.keycloak.realm }}
+        - --client-id={{ .Release.Namespace }}
+        - --client-secret=$(KEYCLOAK_CLIENT_SECRET)
+        - --listen=0.0.0.0:{{ .Values.keycloak.proxyPort }} # listen on all interfaces
+        - --enable-logging=true
+        - --enable-json-logging=true
+        - --upstream-url=http://127.0.0.1:{{ .Values.service.internalPort }} # To connect with the main container's port
+        resources:
+{{ toYaml .Values.gatekeeper.resources | indent 12 }}
       - name: {{ .Chart.Name }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}

charts/demo-app/templates/keycloak-client.yaml

@@ -0,0 +1,46 @@
+apiVersion: k8s.kiwigrid.com/v1beta1
+kind: KeycloakClient
+metadata:
+  name: {{ .Release.Namespace }}
+spec:
+  keycloak: {{ .Values.keycloak.keycloak }}
+  realm: {{ .Values.keycloak.realm }}
+  clientId: {{ .Release.Namespace }}
+  clientType: confidential
+  directAccessGrantsEnabled: true
+  standardFlowEnabled: true
+  implicitFlowEnabled: false
+  redirectUris:
+{{- if .Values.keycloak.redirectUris.allowAll }}
+    - https://*
+{{- else }}
+{{- if .Values.keycloak.redirectUris.includeNamespace }}
+    - https://{{ .Values.keycloak.redirectUris.serviceName }}-{{ .Release.Namespace}}.{{ .Values.keycloak.redirectUris.domain }}/*
+    - https://{{ .Values.keycloak.redirectUris.serviceName }}-{{ .Release.Namespace}}.{{ .Values.keycloak.redirectUris.domain }}
+{{- else }}
+    - https://{{ .Values.keycloak.redirectUris.serviceName }}.{{ .Values.keycloak.redirectUris.domain }}/*
+    - https://{{ .Values.keycloak.redirectUris.serviceName }}.{{ .Values.keycloak.redirectUris.domain }}
+{{- end }}
+{{- end }}
+  mapper:
+    - name: audience
+      protocolMapper: oidc-audience-mapper
+      config:
+        claim.name: audience
+        access.token.claim: "true"
+        included.client.audience: {{ .Release.Namespace }}
+    - name: username
+      protocolMapper: oidc-usermodel-property-mapper
+      config:
+        access.token.claim: "true"
+        claim.name: username
+        jsonType.label: String
+        user.attribute: username
+    - name: roles
+      protocolMapper: oidc-usermodel-client-role-mapper
+      config:
+        access.token.claim: "true"
+        claim.name: roles
+        jsonType.label: String
+        multivalued: "true"
+

charts/demo-app/templates/service.yaml

@@ -19,7 +19,11 @@ spec:
   type: {{ .Values.service.type }}
   ports:
   - port: {{ .Values.service.externalPort }}
+{{- if .Values.keycloak.proxyPort }}
+    targetPort: {{ .Values.keycloak.proxyPort }}
+{{- else }}
     targetPort: {{ .Values.service.internalPort }}
+{{- end }}
     protocol: TCP
     name: http
   selector:

charts/demo-app/values.yaml

@@ -44,6 +44,24 @@ canary:
   # Please overwrite the `canary.host` in `values.yaml` in each environment repository (e.g., staging, production)
   host: acme.com
 
+keycloak:
+  proxyPort: 3000
+  clientSecret:
+  url: https://auth-jx-staging.cloudnativeentrepreneur.dev # no trailing slash
+  keycloak: keycloak
+  realm: members
+  redirectUris:
+    allowAll: true
+    domain: changeme
+    includeNamespace: false
+    serviceName: changeme
+
+gatekeeper:
+  resources:
+    limits:
+      cpu: 100m
+      memory: 128Mi
+
 service:
   name: demo-app
   type: ClusterIP
@@ -54,11 +72,11 @@ service:
     fabric8.io/ingress.annotations: 'kubernetes.io/ingress.class: nginx'
 resources:
   limits:
-    cpu: 400m
-    memory: 256Mi
+    cpu: 800m
+    memory: 80Mi
   requests:
-    cpu: 200m
-    memory: 128Mi
+    cpu: 400m
+    memory: 50Mi
 probePath: /
 livenessProbe:
   initialDelaySeconds: 60

charts/preview/values.yaml

@@ -1,10 +1,13 @@
 
+domain: &domain cloudnativeentrepreneur.dev
+serviceName: &serviceName demo-app
+
 expose:
   Annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: hook-succeeded
   config:
-    domain: cloudnativeentrepreneur.dev
+    domain: *domain
     exposer: Ingress
     http: "false"
     tlsSecretName: tls-cloudnativeentrepreneur-dev-p
@@ -23,4 +26,11 @@ preview:
   image:
     repository:
     tag:
-    pullPolicy: IfNotPresent
+    pullPolicy: IfNotPresent
+  keycloak:
+    clientSecret: vault:staging/auth/keycloak:clientSecret
+    redirectUris:
+      allowAll: false
+      includeNamespace: true
+      domain: *domain
+      serviceName: *serviceName