Merge pull request #1 from projectsyn/initial-implementation

Initial implementation
projectsyn · Dec 8, 2023 · 6881efc · 6881efc
2 parents ef199e1 + b794f53
commit 6881efc
Show file tree

Hide file tree

Showing 21 changed files with 951 additions and 4 deletions.
diff --git a/.yamllint.yml b/.yamllint.yml
@@ -22,3 +22,4 @@ ignore: |
   manifests/
   vendor/
   compiled/
+  tests/golden/
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -2,3 +2,167 @@ parameters:
   lieutenant_keycloak_idp_controller:
     =_metadata: {}
     namespace: syn-lieutenant-keycloak-idp-controller
+    namespaceMetadata: {}
+
+    secrets: {}
+    config_maps:
+      lieutenant-keycloak-idp-controller-templates:
+        data: ${lieutenant_keycloak_idp_controller:templates}
+
+    images:
+      lieutenant_keycloak_idp_controller:
+        registry: ghcr.io
+        image: projectsyn/lieutenant-keycloak-idp-controller
+        tag: v0.1.0
+      kube_rbac_proxy:
+        registry: gcr.io
+        image: kubebuilder/kube-rbac-proxy
+        tag: v0.14.1
+
+    manifests_version: ${lieutenant_keycloak_idp_controller:images:lieutenant_keycloak_idp_controller:tag}
+
+    kustomize_input:
+      namespace: ${lieutenant_keycloak_idp_controller:namespace}
+
+    controller:
+      env:
+        KEYCLOAK_BASE_URL:
+        KEYCLOAK_USER:
+        KEYCLOAK_PASSWORD:
+        KEYCLOAK_REALM:
+        KEYCLOAK_LOGIN_REALM: master
+        KEYCLOAK_LEGACY_WILDFLY_SUPPORT: 'true'
+        VAULT_ADDRESS:
+
+      args:
+        - --health-probe-bind-address=:8081
+        - --metrics-bind-address=127.0.0.1:8080
+        - --leader-elect
+
+        - --keycloak-realm=$(KEYCLOAK_REALM)
+        - --keycloak-base-url=$(KEYCLOAK_BASE_URL)
+        - --keycloak-user=$(KEYCLOAK_USER)
+        - --keycloak-password=$(KEYCLOAK_PASSWORD)
+        - --keycloak-login-realm=$(KEYCLOAK_LOGIN_REALM)
+        - --keycloak-legacy-wildfly-support=$(KEYCLOAK_LEGACY_WILDFLY_SUPPORT)
+
+        - --client-template-file=/templates/client.jsonnet
+        - --client-role-mapping-template-file=/templates/client-roles.jsonnet
+
+        - --vault-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+        - --vault-address=$(VAULT_ADDRESS)
+
+        - --keycloak-client-ignore-paths=/protocolMappers/0/id
+
+      resources:
+        limits:
+          cpu: 100m
+          memory: 128Mi
+        requests:
+          cpu: 10m
+          memory: 32Mi
+
+    templates:
+      vars.jsonnet: |
+        {
+          clientPrefix: 'cluster_',
+          ocpIntegrationName: 'idp',
+        }
+
+      client.jsonnet: |
+        local context = std.extVar('context');
+        local vars = import 'vars.jsonnet';
+
+        local redirectUris = function(context)
+          if std.objectHas(context.cluster.status, 'facts') && std.objectHas(context.cluster.status.facts, 'openshiftOAuthRoute') then
+            [
+              'https://%s/oauth2callback/%s' % [ std.parseJson(context.cluster.status.facts.openshiftOAuthRoute), vars.ocpIntegrationName ],
+            ]
+          else
+            [
+              // Defaults for https://github.com/int128/kubelogin
+              'http://localhost:8000/callback',
+              'http://localhost:18000/callback',
+            ];
+
+        local clientId = '%s%s' % [ vars.clientPrefix, context.cluster.metadata.name ];
+
+        {
+          clientId: clientId,
+          name: '%s (%s)' % [ context.cluster.spec.displayName, context.cluster.metadata.name ],
+          description: '',
+          rootUrl: '',
+          adminUrl: '',
+          baseUrl: '',
+          surrogateAuthRequired: false,
+          enabled: true,
+          alwaysDisplayInConsole: false,
+          clientAuthenticatorType: 'client-secret',
+          redirectUris: redirectUris(context),
+          webOrigins: [],
+          notBefore: 0,
+          bearerOnly: false,
+          consentRequired: false,
+          standardFlowEnabled: true,
+          implicitFlowEnabled: false,
+          directAccessGrantsEnabled: true,
+          serviceAccountsEnabled: false,
+          publicClient: false,
+          frontchannelLogout: true,
+          protocol: 'openid-connect',
+          protocolMappers: [
+            {
+              name: 'client roles',
+              protocol: 'openid-connect',
+              protocolMapper: 'oidc-usermodel-client-role-mapper',
+              consentRequired: false,
+              config: {
+                'userinfo.token.claim': 'true',
+                multivalued: 'true',
+                // Yes this is somehow the default value
+                'user.attribute': 'foo',
+                'id.token.claim': 'true',
+                'access.token.claim': 'true',
+                'claim.name': 'roles',
+                'jsonType.label': 'String',
+                'usermodel.clientRoleMapping.clientId': clientId,
+              },
+            },
+          ],
+          attributes: {
+            'oidc.ciba.grant.enabled': 'false',
+            'backchannel.logout.session.required': 'true',
+            'oauth2.device.authorization.grant.enabled': 'false',
+            'display.on.consent.screen': 'false',
+            'backchannel.logout.revoke.offline.tokens': 'false',
+          },
+          authenticationFlowBindingOverrides: {},
+          fullScopeAllowed: false,
+          nodeReRegistrationTimeout: -1,
+          defaultClientScopes: [
+            'web-origins',
+            'acr',
+            'profile',
+            'roles',
+            'email',
+          ],
+          optionalClientScopes: [
+            'address',
+            'phone',
+            'offline_access',
+            'microprofile-jwt',
+          ],
+          access: {
+            view: true,
+            configure: true,
+            manage: true,
+          },
+        }
+
+      client-roles.jsonnet: |
+        local context = std.extVar('context');
+
+        [{
+          // https://github.com/sventorben/keycloak-restrict-client-auth#role-based-mode
+          role: 'restricted-access',
+        }]
diff --git a/class/lieutenant-keycloak-idp-controller.yml b/class/lieutenant-keycloak-idp-controller.yml
@@ -9,3 +9,23 @@ parameters:
           - ${_base_directory}/component/main.jsonnet
         input_type: jsonnet
         output_path: lieutenant-keycloak-idp-controller/
+
+      - input_paths:
+          - ${_base_directory}/component/lieutenant-keycloak-idp-controller.jsonnet
+        input_type: jsonnet
+        output_path: ${_base_directory}/lieutenant-keycloak-idp-controller
+        output_type: yaml
+      - input_type: external
+        output_path: .
+        input_paths:
+          - ${_kustomize_wrapper}
+        env_vars:
+          INPUT_DIR: ${_base_directory}/lieutenant-keycloak-idp-controller
+        args:
+          - \${compiled_target_dir}/lieutenant-keycloak-idp-controller
+
+      # Cleanup
+      - input_paths:
+          - ${_base_directory}/lieutenant-keycloak-idp-controller
+        input_type: remove
+        output_path: .
diff --git a/component/lieutenant-keycloak-idp-controller.jsonnet b/component/lieutenant-keycloak-idp-controller.jsonnet
@@ -0,0 +1,90 @@
+// main template for openshift4-slos
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+
+local slo = import 'slos.libsonnet';
+
+local inv = kap.inventory();
+// The hiera parameters for the component
+local params = inv.parameters.lieutenant_keycloak_idp_controller;
+
+local upstreamNamespace = 'lieutenant-keycloak-idp-controller-system';
+
+local removeUpstreamNamespace = kube.Namespace(upstreamNamespace) {
+  metadata: {
+    name: upstreamNamespace,
+  } + com.makeMergeable(params.namespaceMetadata),
+};
+
+local controllerPatch = {
+  apiVersion: 'apps/v1',
+  kind: 'Deployment',
+  metadata: {
+    name: 'lieutenant-keycloak-idp-controller-controller-manager',
+    namespace: upstreamNamespace,
+  },
+  spec: {
+    template: {
+      metadata: {
+        annotations: std.foldl(
+          function(prev, k) prev { ['configmap/%s' % k]: std.md5(std.manifestJsonMinified(params.config_maps[k])) },
+          std.objectFields(params.config_maps),
+          {}
+        ),
+      },
+      spec: {
+        containers: [ {
+          name: 'manager',
+          args: params.controller.args,
+          env: com.envList(params.controller.env),
+          resources: params.controller.resources,
+          volumeMounts: [ {
+            name: 'templates',
+            mountPath: '/templates',
+          } ],
+        } ],
+        volumes: [ {
+          name: 'templates',
+          configMap: {
+            name: 'lieutenant-keycloak-idp-controller-templates',
+          },
+        } ],
+      },
+    },
+  },
+};
+
+local patch = function(p) {
+  patch: std.manifestJsonMinified(p),
+};
+
+com.Kustomization(
+  'https://github.com/projectsyn/lieutenant-keycloak-idp-controller//config/default',
+  params.manifests_version,
+  {
+    'ghcr.io/projectsyn/lieutenant-keycloak-idp-controller': {
+      local image = params.images.lieutenant_keycloak_idp_controller,
+      newTag: image.tag,
+      newName: '%(registry)s/%(image)s' % image,
+    },
+    'gcr.io/kubebuilder/kube-rbac-proxy': {
+      local image = params.images.kube_rbac_proxy,
+      newTag: image.tag,
+      newName: '%(registry)s/%(image)s' % image,
+    },
+  },
+  params.kustomize_input {
+    patches+: [
+      patch(removeUpstreamNamespace),
+      patch(controllerPatch),
+    ],
+    labels+: [
+      {
+        pairs: {
+          'app.kubernetes.io/managed-by': 'commodore',
+        },
+      },
+    ],
+  },
+)
diff --git a/component/main.jsonnet b/component/main.jsonnet
@@ -1,10 +1,16 @@
-// main template for lieutenant-keycloak-idp-controller
+// main template for lieutenant-keycloak-idp-controller\
+local com = import 'lib/commodore.libjsonnet';
 local kap = import 'lib/kapitan.libjsonnet';
 local kube = import 'lib/kube.libjsonnet';
 local inv = kap.inventory();
 // The hiera parameters for the component
 local params = inv.parameters.lieutenant_keycloak_idp_controller;
 
+local secrets = com.generateResources(params.secrets, kube.Secret);
+local configMaps = com.generateResources(params.config_maps, kube.ConfigMap);
+
 // Define outputs below
 {
+  '10_secrets': secrets,
+  '10_config_maps': configMaps,
 }