Skip to content

Commit

Permalink
Initial implementation
Browse files Browse the repository at this point in the history
  • Loading branch information
bastjan committed Dec 6, 2023
1 parent ef199e1 commit 349b0bf
Show file tree
Hide file tree
Showing 21 changed files with 724 additions and 3 deletions.
123 changes: 122 additions & 1 deletion class/defaults.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,125 @@
parameters:
lieutenant_keycloak_idp_controller:
=_metadata: {}
namespace: syn-lieutenant-keycloak-idp-controller
namespace: projectsyn-lieutenant-keycloak-idp-controller
namespaceMetadata: {}

secrets: {}
config_maps:
lieutenant-keycloak-idp-controller-templates:
data: ${lieutenant_keycloak_idp_controller:templates}

images:
lieutenant_keycloak_idp_controller:
registry: ghcr.io
image: projectsyn/lieutenant-keycloak-idp-controller
tag: v0.1.0-dev1
kube_rbac_proxy:
registry: gcr.io
image: kubebuilder/kube-rbac-proxy
tag: v0.14.1

manifests_version: ${lieutenant_keycloak_idp_controller:images:lieutenant_keycloak_idp_controller:tag}

kustomize_input:
namespace: ${lieutenant_keycloak_idp_controller:namespace}

controller:
env:
KEYCLOAK_BASE_URL:
KEYCLOAK_USER:
KEYCLOAK_PASSWORD:
KEYCLOAK_REALM:
KEYCLOAK_LOGIN_REALM: admin
KEYCLOAK_LEGACY_WILDFLY_SUPPORT: 'true'
VAULT_ADDRESS:

args:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:8080
- --leader-elect

- --keycloak-realm=$(KEYCLOAK_REALM)
- --keycloak-base-url=$(KEYCLOAK_BASE_URL)
- --keycloak-user=$(KEYCLOAK_USER)
- --keycloak-password=$(KEYCLOAK_PASSWORD)
- --keycloak-login-realm=$(KEYCLOAK_LOGIN_REALM)
- --keycloak-legacy-wildfly-support=$(KEYCLOAK_LEGACY_WILDFLY_SUPPORT)

- --client-template-file=/templates/client.jsonnet
- --client-role-mapping-template-file=/templates/client-roles.jsonnet

- --vault-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token
- --vault-address=$(VAULT_ADDRESS)

templates:
vars.jsonnet: |
{
clientPrefix: 'cluster_',
formatRootUrl: function(context) 'https://oauth-openshift.apps.%s.dev' % context.cluster.metadata.name,
}
client.jsonnet: |
local context = std.extVar('context');
local vars = import 'vars.jsonnet';
{
clientId: '%s%s' % [ vars.clientPrefix, context.cluster.metadata.name ],
name: '%s (%s)' % [ context.cluster.spec.displayName, context.cluster.metadata.name ],
description: '',
rootUrl: vars.formatRootUrl(context),
adminUrl: '',
baseUrl: '',
surrogateAuthRequired: false,
enabled: true,
alwaysDisplayInConsole: false,
clientAuthenticatorType: 'client-secret',
redirectUris: [
'/oauth2/callback',
],
webOrigins: [],
notBefore: 0,
bearerOnly: false,
consentRequired: false,
standardFlowEnabled: true,
implicitFlowEnabled: false,
directAccessGrantsEnabled: true,
serviceAccountsEnabled: false,
publicClient: false,
frontchannelLogout: true,
protocol: 'openid-connect',
attributes: {
'oidc.ciba.grant.enabled': 'false',
'backchannel.logout.session.required': 'true',
'oauth2.device.authorization.grant.enabled': 'false',
'display.on.consent.screen': 'false',
'backchannel.logout.revoke.offline.tokens': 'false',
},
authenticationFlowBindingOverrides: {},
fullScopeAllowed: true,
nodeReRegistrationTimeout: -1,
defaultClientScopes: [
'web-origins',
'acr',
'profile',
'roles',
'email',
],
optionalClientScopes: [
'address',
'phone',
'offline_access',
'microprofile-jwt',
],
access: {
view: true,
configure: true,
manage: true,
},
}
client-roles.jsonnet: |
local context = std.extVar('context');
[{
// https://github.com/sventorben/keycloak-restrict-client-auth#role-based-mode
role: 'restricted-access',
}]
20 changes: 20 additions & 0 deletions class/lieutenant-keycloak-idp-controller.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,3 +9,23 @@ parameters:
- ${_base_directory}/component/main.jsonnet
input_type: jsonnet
output_path: lieutenant-keycloak-idp-controller/

- input_paths:
- ${_base_directory}/component/lieutenant-keycloak-idp-controller.jsonnet
input_type: jsonnet
output_path: ${_base_directory}/lieutenant-keycloak-idp-controller
output_type: yaml
- input_type: external
output_path: .
input_paths:
- ${_kustomize_wrapper}
env_vars:
INPUT_DIR: ${_base_directory}/lieutenant-keycloak-idp-controller
args:
- \${compiled_target_dir}/lieutenant-keycloak-idp-controller

# Cleanup
- input_paths:
- ${_base_directory}/lieutenant-keycloak-idp-controller
input_type: remove
output_path: .
82 changes: 82 additions & 0 deletions component/lieutenant-keycloak-idp-controller.jsonnet
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
// main template for openshift4-slos
local com = import 'lib/commodore.libjsonnet';
local kap = import 'lib/kapitan.libjsonnet';
local kube = import 'lib/kube.libjsonnet';

local slo = import 'slos.libsonnet';

local inv = kap.inventory();
// The hiera parameters for the component
local params = inv.parameters.lieutenant_keycloak_idp_controller;

local upstreamNamespace = 'lieutenant-keycloak-idp-controller-system';

local removeUpstreamNamespace = kube.Namespace(upstreamNamespace) {
metadata: {
name: upstreamNamespace,
} + com.makeMergeable(params.namespaceMetadata),
};

local controllerPatch = {
apiVersion: 'apps/v1',
kind: 'Deployment',
metadata: {
name: 'lieutenant-keycloak-idp-controller-controller-manager',
namespace: upstreamNamespace,
},
spec: {
template: {
spec: {
containers: [ {
name: 'manager',
args: params.controller.args,
env: com.envList(params.controller.env),
volumeMounts: [ {
name: 'templates',
mountPath: '/templates',
} ],
} ],
volumes: [ {
name: 'templates',
configMap: {
name: 'lieutenant-keycloak-idp-controller-templates',
},
} ],
},
},
},
};

local patch = function(p) {
patch: std.manifestJsonMinified(p),
};

com.Kustomization(
'https://github.com/projectsyn/lieutenant-keycloak-idp-controller//config/default',
params.manifests_version,
{
'ghcr.io/projectsyn/lieutenant-keycloak-idp-controller': {
local image = params.images.lieutenant_keycloak_idp_controller,
newTag: image.tag,
newName: '%(registry)s/%(image)s' % image,
},
'gcr.io/kubebuilder/kube-rbac-proxy': {
local image = params.images.kube_rbac_proxy,
newTag: image.tag,
newName: '%(registry)s/%(image)s' % image,
},
},
params.kustomize_input {
patches+: [
patch(removeUpstreamNamespace),
patch(controllerPatch),
],
labels+: [
{
pairs: {
'app.kubernetes.io/managed-by': 'commodore',
},
},
],
},
)
8 changes: 7 additions & 1 deletion component/main.jsonnet
Original file line number Diff line number Diff line change
@@ -1,10 +1,16 @@
// main template for lieutenant-keycloak-idp-controller
// main template for lieutenant-keycloak-idp-controller\
local com = import 'lib/commodore.libjsonnet';
local kap = import 'lib/kapitan.libjsonnet';
local kube = import 'lib/kube.libjsonnet';
local inv = kap.inventory();
// The hiera parameters for the component
local params = inv.parameters.lieutenant_keycloak_idp_controller;

local secrets = com.generateResources(params.secrets, kube.Secret);
local configMaps = com.generateResources(params.config_maps, kube.ConfigMap);

// Define outputs below
{
'10_secrets': secrets,
'10_config_maps': configMaps,
}
7 changes: 6 additions & 1 deletion tests/defaults.yml
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
# Overwrite parameters here

# parameters: {...}
parameters:
secrets:
keycloak-user:
stringData:
username: user
password: password
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
apiVersion: v1
data:
client-roles.jsonnet: |
local context = std.extVar('context');
[{
// https://github.com/sventorben/keycloak-restrict-client-auth#role-based-mode
role: 'restricted-access',
}]
client.jsonnet: |
local context = std.extVar('context');
local vars = import 'vars.jsonnet';
{
clientId: '%s%s' % [ vars.clientPrefix, context.cluster.metadata.name ],
name: '%s (%s)' % [ context.cluster.spec.displayName, context.cluster.metadata.name ],
description: '',
rootUrl: vars.formatRootUrl(context),
adminUrl: '',
baseUrl: '',
surrogateAuthRequired: false,
enabled: true,
alwaysDisplayInConsole: false,
clientAuthenticatorType: 'client-secret',
redirectUris: [
'/oauth2/callback',
],
webOrigins: [],
notBefore: 0,
bearerOnly: false,
consentRequired: false,
standardFlowEnabled: true,
implicitFlowEnabled: false,
directAccessGrantsEnabled: true,
serviceAccountsEnabled: false,
publicClient: false,
frontchannelLogout: true,
protocol: 'openid-connect',
attributes: {
'oidc.ciba.grant.enabled': 'false',
'backchannel.logout.session.required': 'true',
'oauth2.device.authorization.grant.enabled': 'false',
'display.on.consent.screen': 'false',
'backchannel.logout.revoke.offline.tokens': 'false',
},
authenticationFlowBindingOverrides: {},
fullScopeAllowed: true,
nodeReRegistrationTimeout: -1,
defaultClientScopes: [
'web-origins',
'acr',
'profile',
'roles',
'email',
],
optionalClientScopes: [
'address',
'phone',
'offline_access',
'microprofile-jwt',
],
access: {
view: true,
configure: true,
manage: true,
},
}
vars.jsonnet: |
{
clientPrefix: 'cluster_',
formatRootUrl: function(context) 'https://oauth-openshift.apps.%s.dev' % context.cluster.metadata.name,
}
kind: ConfigMap
metadata:
annotations: {}
labels:
name: lieutenant-keycloak-idp-controller-templates
name: lieutenant-keycloak-idp-controller-templates
Loading

0 comments on commit 349b0bf

Please sign in to comment.