-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
21 changed files
with
724 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,125 @@ | ||
parameters: | ||
lieutenant_keycloak_idp_controller: | ||
=_metadata: {} | ||
namespace: syn-lieutenant-keycloak-idp-controller | ||
namespace: projectsyn-lieutenant-keycloak-idp-controller | ||
namespaceMetadata: {} | ||
|
||
secrets: {} | ||
config_maps: | ||
lieutenant-keycloak-idp-controller-templates: | ||
data: ${lieutenant_keycloak_idp_controller:templates} | ||
|
||
images: | ||
lieutenant_keycloak_idp_controller: | ||
registry: ghcr.io | ||
image: projectsyn/lieutenant-keycloak-idp-controller | ||
tag: v0.1.0-dev1 | ||
kube_rbac_proxy: | ||
registry: gcr.io | ||
image: kubebuilder/kube-rbac-proxy | ||
tag: v0.14.1 | ||
|
||
manifests_version: ${lieutenant_keycloak_idp_controller:images:lieutenant_keycloak_idp_controller:tag} | ||
|
||
kustomize_input: | ||
namespace: ${lieutenant_keycloak_idp_controller:namespace} | ||
|
||
controller: | ||
env: | ||
KEYCLOAK_BASE_URL: | ||
KEYCLOAK_USER: | ||
KEYCLOAK_PASSWORD: | ||
KEYCLOAK_REALM: | ||
KEYCLOAK_LOGIN_REALM: admin | ||
KEYCLOAK_LEGACY_WILDFLY_SUPPORT: 'true' | ||
VAULT_ADDRESS: | ||
|
||
args: | ||
- --health-probe-bind-address=:8081 | ||
- --metrics-bind-address=127.0.0.1:8080 | ||
- --leader-elect | ||
|
||
- --keycloak-realm=$(KEYCLOAK_REALM) | ||
- --keycloak-base-url=$(KEYCLOAK_BASE_URL) | ||
- --keycloak-user=$(KEYCLOAK_USER) | ||
- --keycloak-password=$(KEYCLOAK_PASSWORD) | ||
- --keycloak-login-realm=$(KEYCLOAK_LOGIN_REALM) | ||
- --keycloak-legacy-wildfly-support=$(KEYCLOAK_LEGACY_WILDFLY_SUPPORT) | ||
|
||
- --client-template-file=/templates/client.jsonnet | ||
- --client-role-mapping-template-file=/templates/client-roles.jsonnet | ||
|
||
- --vault-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token | ||
- --vault-address=$(VAULT_ADDRESS) | ||
|
||
templates: | ||
vars.jsonnet: | | ||
{ | ||
clientPrefix: 'cluster_', | ||
formatRootUrl: function(context) 'https://oauth-openshift.apps.%s.dev' % context.cluster.metadata.name, | ||
} | ||
client.jsonnet: | | ||
local context = std.extVar('context'); | ||
local vars = import 'vars.jsonnet'; | ||
{ | ||
clientId: '%s%s' % [ vars.clientPrefix, context.cluster.metadata.name ], | ||
name: '%s (%s)' % [ context.cluster.spec.displayName, context.cluster.metadata.name ], | ||
description: '', | ||
rootUrl: vars.formatRootUrl(context), | ||
adminUrl: '', | ||
baseUrl: '', | ||
surrogateAuthRequired: false, | ||
enabled: true, | ||
alwaysDisplayInConsole: false, | ||
clientAuthenticatorType: 'client-secret', | ||
redirectUris: [ | ||
'/oauth2/callback', | ||
], | ||
webOrigins: [], | ||
notBefore: 0, | ||
bearerOnly: false, | ||
consentRequired: false, | ||
standardFlowEnabled: true, | ||
implicitFlowEnabled: false, | ||
directAccessGrantsEnabled: true, | ||
serviceAccountsEnabled: false, | ||
publicClient: false, | ||
frontchannelLogout: true, | ||
protocol: 'openid-connect', | ||
attributes: { | ||
'oidc.ciba.grant.enabled': 'false', | ||
'backchannel.logout.session.required': 'true', | ||
'oauth2.device.authorization.grant.enabled': 'false', | ||
'display.on.consent.screen': 'false', | ||
'backchannel.logout.revoke.offline.tokens': 'false', | ||
}, | ||
authenticationFlowBindingOverrides: {}, | ||
fullScopeAllowed: true, | ||
nodeReRegistrationTimeout: -1, | ||
defaultClientScopes: [ | ||
'web-origins', | ||
'acr', | ||
'profile', | ||
'roles', | ||
'email', | ||
], | ||
optionalClientScopes: [ | ||
'address', | ||
'phone', | ||
'offline_access', | ||
'microprofile-jwt', | ||
], | ||
access: { | ||
view: true, | ||
configure: true, | ||
manage: true, | ||
}, | ||
} | ||
client-roles.jsonnet: | | ||
local context = std.extVar('context'); | ||
[{ | ||
// https://github.com/sventorben/keycloak-restrict-client-auth#role-based-mode | ||
role: 'restricted-access', | ||
}] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,82 @@ | ||
// main template for openshift4-slos | ||
local com = import 'lib/commodore.libjsonnet'; | ||
local kap = import 'lib/kapitan.libjsonnet'; | ||
local kube = import 'lib/kube.libjsonnet'; | ||
|
||
local slo = import 'slos.libsonnet'; | ||
|
||
local inv = kap.inventory(); | ||
// The hiera parameters for the component | ||
local params = inv.parameters.lieutenant_keycloak_idp_controller; | ||
|
||
local upstreamNamespace = 'lieutenant-keycloak-idp-controller-system'; | ||
|
||
local removeUpstreamNamespace = kube.Namespace(upstreamNamespace) { | ||
metadata: { | ||
name: upstreamNamespace, | ||
} + com.makeMergeable(params.namespaceMetadata), | ||
}; | ||
|
||
local controllerPatch = { | ||
apiVersion: 'apps/v1', | ||
kind: 'Deployment', | ||
metadata: { | ||
name: 'lieutenant-keycloak-idp-controller-controller-manager', | ||
namespace: upstreamNamespace, | ||
}, | ||
spec: { | ||
template: { | ||
spec: { | ||
containers: [ { | ||
name: 'manager', | ||
args: params.controller.args, | ||
env: com.envList(params.controller.env), | ||
volumeMounts: [ { | ||
name: 'templates', | ||
mountPath: '/templates', | ||
} ], | ||
} ], | ||
volumes: [ { | ||
name: 'templates', | ||
configMap: { | ||
name: 'lieutenant-keycloak-idp-controller-templates', | ||
}, | ||
} ], | ||
}, | ||
}, | ||
}, | ||
}; | ||
|
||
local patch = function(p) { | ||
patch: std.manifestJsonMinified(p), | ||
}; | ||
|
||
com.Kustomization( | ||
'https://github.com/projectsyn/lieutenant-keycloak-idp-controller//config/default', | ||
params.manifests_version, | ||
{ | ||
'ghcr.io/projectsyn/lieutenant-keycloak-idp-controller': { | ||
local image = params.images.lieutenant_keycloak_idp_controller, | ||
newTag: image.tag, | ||
newName: '%(registry)s/%(image)s' % image, | ||
}, | ||
'gcr.io/kubebuilder/kube-rbac-proxy': { | ||
local image = params.images.kube_rbac_proxy, | ||
newTag: image.tag, | ||
newName: '%(registry)s/%(image)s' % image, | ||
}, | ||
}, | ||
params.kustomize_input { | ||
patches+: [ | ||
patch(removeUpstreamNamespace), | ||
patch(controllerPatch), | ||
], | ||
labels+: [ | ||
{ | ||
pairs: { | ||
'app.kubernetes.io/managed-by': 'commodore', | ||
}, | ||
}, | ||
], | ||
}, | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,16 @@ | ||
// main template for lieutenant-keycloak-idp-controller | ||
// main template for lieutenant-keycloak-idp-controller\ | ||
local com = import 'lib/commodore.libjsonnet'; | ||
local kap = import 'lib/kapitan.libjsonnet'; | ||
local kube = import 'lib/kube.libjsonnet'; | ||
local inv = kap.inventory(); | ||
// The hiera parameters for the component | ||
local params = inv.parameters.lieutenant_keycloak_idp_controller; | ||
|
||
local secrets = com.generateResources(params.secrets, kube.Secret); | ||
local configMaps = com.generateResources(params.config_maps, kube.ConfigMap); | ||
|
||
// Define outputs below | ||
{ | ||
'10_secrets': secrets, | ||
'10_config_maps': configMaps, | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,8 @@ | ||
# Overwrite parameters here | ||
|
||
# parameters: {...} | ||
parameters: | ||
secrets: | ||
keycloak-user: | ||
stringData: | ||
username: user | ||
password: password |
78 changes: 78 additions & 0 deletions
78
...lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/10_config_maps.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
apiVersion: v1 | ||
data: | ||
client-roles.jsonnet: | | ||
local context = std.extVar('context'); | ||
[{ | ||
// https://github.com/sventorben/keycloak-restrict-client-auth#role-based-mode | ||
role: 'restricted-access', | ||
}] | ||
client.jsonnet: | | ||
local context = std.extVar('context'); | ||
local vars = import 'vars.jsonnet'; | ||
{ | ||
clientId: '%s%s' % [ vars.clientPrefix, context.cluster.metadata.name ], | ||
name: '%s (%s)' % [ context.cluster.spec.displayName, context.cluster.metadata.name ], | ||
description: '', | ||
rootUrl: vars.formatRootUrl(context), | ||
adminUrl: '', | ||
baseUrl: '', | ||
surrogateAuthRequired: false, | ||
enabled: true, | ||
alwaysDisplayInConsole: false, | ||
clientAuthenticatorType: 'client-secret', | ||
redirectUris: [ | ||
'/oauth2/callback', | ||
], | ||
webOrigins: [], | ||
notBefore: 0, | ||
bearerOnly: false, | ||
consentRequired: false, | ||
standardFlowEnabled: true, | ||
implicitFlowEnabled: false, | ||
directAccessGrantsEnabled: true, | ||
serviceAccountsEnabled: false, | ||
publicClient: false, | ||
frontchannelLogout: true, | ||
protocol: 'openid-connect', | ||
attributes: { | ||
'oidc.ciba.grant.enabled': 'false', | ||
'backchannel.logout.session.required': 'true', | ||
'oauth2.device.authorization.grant.enabled': 'false', | ||
'display.on.consent.screen': 'false', | ||
'backchannel.logout.revoke.offline.tokens': 'false', | ||
}, | ||
authenticationFlowBindingOverrides: {}, | ||
fullScopeAllowed: true, | ||
nodeReRegistrationTimeout: -1, | ||
defaultClientScopes: [ | ||
'web-origins', | ||
'acr', | ||
'profile', | ||
'roles', | ||
'email', | ||
], | ||
optionalClientScopes: [ | ||
'address', | ||
'phone', | ||
'offline_access', | ||
'microprofile-jwt', | ||
], | ||
access: { | ||
view: true, | ||
configure: true, | ||
manage: true, | ||
}, | ||
} | ||
vars.jsonnet: | | ||
{ | ||
clientPrefix: 'cluster_', | ||
formatRootUrl: function(context) 'https://oauth-openshift.apps.%s.dev' % context.cluster.metadata.name, | ||
} | ||
kind: ConfigMap | ||
metadata: | ||
annotations: {} | ||
labels: | ||
name: lieutenant-keycloak-idp-controller-templates | ||
name: lieutenant-keycloak-idp-controller-templates |
Empty file.
Oops, something went wrong.