-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add ingress for rewriting Keycloak requests from /auth to /
Keycloak based on Wilfly had a default relativ path of /auth. Since the migration to Quarkus this would be / by default. Existing clients can not be migrated in a big bang scenario. This adds the capability to serve the Keycloak requests on / and /auth at the same time. NGNIX-Ingress and OpenShift has been tested.
- Loading branch information
Gabriel Mainberger
committed
Mar 13, 2024
1 parent
008b8d1
commit fb8b4c4
Showing
50 changed files
with
1,629 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
local kap = import 'lib/kapitan.libjsonnet'; | ||
local kube = import 'lib/kube.libjsonnet'; | ||
local inv = kap.inventory(); | ||
local params = inv.parameters.keycloak; | ||
|
||
local ingress_name = 'keycloakx-auth-rewrite'; | ||
local keycloak_name = 'keycloakx'; | ||
local ingress_class_name = | ||
if params.ingressAuthRewrite.ingressClassName != null then | ||
{ ingressClassName: params.ingressAuthRewrite.ingressClassName } | ||
else | ||
{}; | ||
local ingress_path = | ||
if inv.parameters.facts.distribution == 'openshift4' then | ||
'/auth' | ||
else | ||
'/auth(/|$)(.*)'; | ||
|
||
local ingress = | ||
kube.Ingress(ingress_name) { | ||
metadata+: { | ||
annotations: params.ingressAuthRewrite.annotations, | ||
labels: params.labels, | ||
}, | ||
spec+: | ||
ingress_class_name | ||
{ | ||
rules: [ | ||
{ | ||
host: params.fqdn, | ||
http: | ||
{ | ||
paths: [ | ||
{ | ||
path: ingress_path, | ||
pathType: 'Prefix', | ||
backend: { | ||
service: { | ||
name: keycloak_name + '-http', | ||
port: { | ||
name: params.helm_values.ingress.servicePort, | ||
}, | ||
}, | ||
}, | ||
}, | ||
], | ||
}, | ||
}, | ||
], | ||
tls: [ | ||
{ | ||
hosts: [ | ||
params.fqdn, | ||
], | ||
secretName: params.ingressAuthRewrite.tls.secretName, | ||
}, | ||
], | ||
|
||
}, | ||
}; | ||
|
||
{ | ||
[if params.ingressAuthRewrite.enabled then '20_ingress_auth_rewrite']: ingress, | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
= Change relative path /auth to / | ||
|
||
The current default relativ path of Keycloak is `/`. | ||
Keycloak based on Quarkus | ||
|
||
[source,yaml] | ||
---- | ||
parameters: | ||
keycloak: | ||
helm_values: | ||
http: | ||
# Default for Keycloak Quarkus | ||
relativePath: "/" | ||
---- | ||
|
||
== OpenID Connect Discovery | ||
|
||
Because of this change the well known openid configuration still shows the old path. | ||
|
||
``` | ||
Original path: https://x.x.x.x/auth/realms/my_realm/.well-known/openid-configuration | ||
Ajusted path: https://x.x.x.x/realms/my_realm/.well-known/openid-configuration | ||
``` | ||
|
||
The verification check does detect the different paths fail and prevent the login. | ||
|
||
``` | ||
ERROR: Failed to initialise OAuth2 Proxy: error intiailising provider: could not create provider data: error building OIDC ProviderVerifier: could not get verifier builder: error while discovery OIDC configuration: oidc: issuer did not match the issuer returned by provider, | ||
``` | ||
|
||
As a example for oauth2-proxy: To prevent the OIDC client does reject itself you can add the https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#command-line-options[parameter] to ignore the different paths: | ||
|
||
``` | ||
--insecure-oidc-skip-issuer-verification | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
--- | ||
applications: | ||
- prometheus | ||
|
||
parameters: | ||
kapitan: | ||
dependencies: | ||
- type: https | ||
source: https://raw.githubusercontent.com/projectsyn/component-prometheus/master/lib/prometheus.libsonnet | ||
output_path: vendor/lib/prometheus.libsonnet | ||
|
||
prometheus: | ||
defaultInstance: monitoring | ||
|
||
keycloak: | ||
namespaceLabels: | ||
test: testing | ||
extraEnv: | ||
FOO: | ||
value: "bar" | ||
KC_DB_URL_PORT: | ||
value: "patched" | ||
extraInitContainers: | ||
theme-provider: | ||
image: company/keycloak-theme:v1.0.0 | ||
imagePullPolicy: IfNotPresent | ||
command: | ||
- sh | ||
args: | ||
- -c | ||
- | | ||
echo "Copying theme..." | ||
cp -R /theme/* /company-theme | ||
volumeMounts: | ||
- name: theme | ||
mountPath: /company-theme | ||
extraVolumes: | ||
theme: | ||
emptyDir: {} | ||
extraVolumeMounts: | ||
test: | ||
name: theme | ||
readOnly: true | ||
mountPath: /opt/test | ||
ingressAuthRewrite: | ||
enabled: true | ||
helm_values: | ||
networkPolicy: | ||
enabled: true | ||
http: | ||
# Default for Keycloak Quarkus | ||
relativePath: "/" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
package builtin_auth_rewrite | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/projectsyn/component-keycloak/common" | ||
"github.com/stretchr/testify/assert" | ||
networkingv1 "k8s.io/api/networking/v1" | ||
) | ||
|
||
var ( | ||
basePath = "../../compiled/builtin-auth-rewrite/builtin-auth-rewrite" | ||
ingressPath = "/20_ingress_auth_rewrite.yaml" | ||
) | ||
|
||
func Test_IngressApiVersion(t *testing.T) { | ||
subject := &networkingv1.Ingress{} | ||
scheme := common.NewSchemeWithDefault(t) | ||
ingress := common.DecodeWithSchema(t, basePath+ingressPath, subject, scheme).(*networkingv1.Ingress) | ||
assert.Equal(t, "keycloakx-auth-rewrite", ingress.Name) | ||
} |
6 changes: 6 additions & 0 deletions
6
tests/golden/builtin-auth-rewrite/builtin-auth-rewrite/apps/builtin-auth-rewrite.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
spec: | ||
ignoreDifferences: | ||
- group: '' | ||
jsonPointers: | ||
- /imagePullSecrets | ||
kind: ServiceAccount |
9 changes: 9 additions & 0 deletions
9
...s/golden/builtin-auth-rewrite/builtin-auth-rewrite/builtin-auth-rewrite/00_namespace.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
annotations: {} | ||
labels: | ||
monitoring.syn.tools/monitoring: 'true' | ||
name: syn-builtin-auth-rewrite | ||
test: testing | ||
name: syn-builtin-auth-rewrite |
32 changes: 32 additions & 0 deletions
32
...-auth-rewrite/builtin-auth-rewrite/01_keycloak_helmchart/keycloakx/templates/ingress.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
apiVersion: networking.k8s.io/v1 | ||
kind: Ingress | ||
metadata: | ||
annotations: | ||
cert-manager.io/cluster-issuer: letsencrypt-production | ||
nginx.ingress.kubernetes.io/backend-protocol: HTTPS | ||
route.openshift.io/termination: reencrypt | ||
labels: | ||
app.kubernetes.io/component: keycloak | ||
app.kubernetes.io/instance: builtin-auth-rewrite | ||
app.kubernetes.io/managed-by: commodore | ||
app.kubernetes.io/name: keycloak | ||
app.kubernetes.io/version: 22.0.5 | ||
helm.sh/chart: keycloakx-2.3.0 | ||
name: keycloakx | ||
namespace: syn-builtin-auth-rewrite | ||
spec: | ||
rules: | ||
- host: keycloak.example.com | ||
http: | ||
paths: | ||
- backend: | ||
service: | ||
name: keycloakx-http | ||
port: | ||
name: https | ||
path: / | ||
pathType: Prefix | ||
tls: | ||
- hosts: | ||
- keycloak.example.com | ||
secretName: ingress-tls |
Oops, something went wrong.