feat: add keycloak support

ulagbulag · Jul 15, 2024 · c24ed08 · c24ed08
1 parent 4fef96c
commit c24ed08
Show file tree

Hide file tree

Showing 14 changed files with 1,267 additions and 16 deletions.
diff --git a/templates/csi/rook-ceph/values-cluster.yaml b/templates/csi/rook-ceph/values-cluster.yaml
@@ -239,8 +239,8 @@ ingress:
       cert-manager.io/cluster-issuer: ingress-nginx-controller.vine.svc.ops.openark
       kubernetes.io/ingress.class: ingress-nginx-controller.vine.svc.ops.openark
       nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-      nginx.ingress.kubernetes.io/auth-url: http://$host/oauth2/auth
-      nginx.ingress.kubernetes.io/auth-signin: http://$host/oauth2/start?rd=$escaped_request_uri
+      nginx.ingress.kubernetes.io/auth-url: https://$http_x_forwarded_auth/oauth2/auth
+      nginx.ingress.kubernetes.io/auth-signin: https://$http_x_forwarded_auth/oauth2/start?rd=$http_x_forwarded_proto://$http_x_forwarded_host$escaped_request_uri
       nginx.ingress.kubernetes.io/backend-protocol: HTTPS
       nginx.ingress.kubernetes.io/cors-allow-origin: "*"
       nginx.ingress.kubernetes.io/enable-cors: "true"

diff --git a/templates/dash/dash-gateway.yaml b/templates/dash/dash-gateway.yaml
@@ -89,8 +89,8 @@ metadata:
     cert-manager.io/cluster-issuer: ingress-nginx-controller.vine.svc.ops.openark
     kubernetes.io/ingress.class: ingress-nginx-controller.vine.svc.ops.openark
     nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-    nginx.ingress.kubernetes.io/auth-url: http://$host/oauth2/auth
-    nginx.ingress.kubernetes.io/auth-signin: http://$host/oauth2/start?rd=$escaped_request_uri
+    nginx.ingress.kubernetes.io/auth-url: https://$http_x_forwarded_auth/oauth2/auth
+    nginx.ingress.kubernetes.io/auth-signin: https://$http_x_forwarded_auth/oauth2/start?rd=$http_x_forwarded_proto://$http_x_forwarded_host$escaped_request_uri
     nginx.ingress.kubernetes.io/enable-cors: "true"
     nginx.ingress.kubernetes.io/proxy-body-size: 200M
     nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"

diff --git a/templates/ingress/nginx-ingress/install.sh b/templates/ingress/nginx-ingress/install.sh
@@ -55,6 +55,7 @@ helm upgrade --install "${NAMESPACE}-${DOMAIN_NAME/./-}-ingress-nginx" \
     --set controller.ingressClass="${DOMAIN_NAME}" \
     --set controller.ingressClassResource.name="${DOMAIN_NAME}" \
     --set controller.ingressClassResource.controllerValue="k8s.io/ingress-nginx/${DOMAIN_NAME}" \
+    --set controller.proxySetHeaders.X-Forwarded-Auth="auth.${DOMAIN_NAME}" \
     --set controller.service.loadBalancerIP="${LOADBALANCER_IP}" \
     --values "./values.yaml"
 

diff --git a/templates/ingress/nginx-ingress/values.yaml b/templates/ingress/nginx-ingress/values.yaml
@@ -34,6 +34,10 @@ controller:
                   - ControlPlane
                   - Gateway
 
+  # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers
+  proxySetHeaders:
+    X-Forwarded-Auth: auth.example.com
+
   ## This section refers to the creation of the IngressClass resource
   ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19
   ingressClassResource:

diff --git a/templates/monitoring/grafana/values.yaml b/templates/monitoring/grafana/values.yaml
@@ -67,8 +67,8 @@ grafana:
     ## Annotations for Grafana Ingress
     ##
     annotations:
-      nginx.ingress.kubernetes.io/auth-url: http://$host/oauth2/auth
-      nginx.ingress.kubernetes.io/auth-signin: http://$host/oauth2/start?rd=$escaped_request_uri
+      nginx.ingress.kubernetes.io/auth-url: https://$http_x_forwarded_auth/oauth2/auth
+      nginx.ingress.kubernetes.io/auth-signin: https://$http_x_forwarded_auth/oauth2/start?rd=$http_x_forwarded_proto://$http_x_forwarded_host$escaped_request_uri
       nginx.ingress.kubernetes.io/cors-allow-origin: "*"
       nginx.ingress.kubernetes.io/enable-cors: "true"
       nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"

diff --git a/templates/monitoring/tempo/values.yaml b/templates/monitoring/tempo/values.yaml
@@ -263,8 +263,8 @@ queryFrontend:
     # ingressClassName: nginx
     # -- Annotations for the Jaeger ingress
     annotations:
-      nginx.ingress.kubernetes.io/auth-url: http://$host/oauth2/auth
-      nginx.ingress.kubernetes.io/auth-signin: http://$host/oauth2/start?rd=$escaped_request_uri
+      nginx.ingress.kubernetes.io/auth-url: https://$http_x_forwarded_auth/oauth2/auth
+      nginx.ingress.kubernetes.io/auth-signin: https://$http_x_forwarded_auth/oauth2/start?rd=$http_x_forwarded_proto://$http_x_forwarded_host$escaped_request_uri
       nginx.ingress.kubernetes.io/cors-allow-origin: "*"
       nginx.ingress.kubernetes.io/enable-cors: "true"
       nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"

diff --git a/templates/vine/dex/install.sh b/templates/vine/dex/install.sh
@@ -37,7 +37,7 @@ PUBLIC_DOMAIN_NAME="${PUBLIC_DOMAIN_NAME:-"http://${DOMAIN_NAME}"}"
 
 echo "- Configuring Helm channel ... "
 
-helm repo add "${NAMESPACE}" "${HELM_CHART}"
+helm repo add "${NAMESPACE}-dex" "${HELM_CHART}"
 
 ###########################################################
 #   Install Dex                                           #
@@ -46,9 +46,10 @@ helm repo add "${NAMESPACE}" "${HELM_CHART}"
 echo "- Installing Operator ... "
 
 helm upgrade --install "dex" \
-    "${NAMESPACE}/dex" \
+    "${NAMESPACE}-dex/dex" \
     --create-namespace \
     --namespace "${NAMESPACE}" \
+    --set config.connectors[0].config.redirectURI="${PUBLIC_DOMAIN_NAME}/dex/callback" \
     --set config.issuer="${PUBLIC_DOMAIN_NAME}/dex/" \
     --set config.staticClients[0].redirectURIs[0]="http://${DOMAIN_NAME}/oauth2/callback" \
     --set image.repository="quay.io/ulagbulag/openark-vine-dex" \

diff --git a/templates/vine/keycloak/.gitignore b/templates/vine/keycloak/.gitignore
@@ -0,0 +1,3 @@
+/oauth2-proxy*.yaml
+/test-*.yaml
+/values*.yaml
diff --git a/templates/vine/keycloak/install.sh b/templates/vine/keycloak/install.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+# Copyright (c) 2024 Ho Kim ([email protected]). All rights reserved.
+# Use of this source code is governed by a GPL-3-style license that can be
+# found in the LICENSE file.
+
+# Prehibit errors
+set -e -o pipefail
+# Verbose
+set -x
+
+###########################################################
+#   Configuration                                         #
+###########################################################
+
+# Configure default environment variables
+HELM_CHART_DEFAULT="https://charts.bitnami.com/bitnami"
+NAMESPACE_DEFAULT="vine"
+
+# Set environment variables
+HELM_CHART="${HELM_CHART:-$HELM_CHART_DEFAULT}"
+NAMESPACE="${NAMESPACE:-$NAMESPACE_DEFAULT}"
+
+###########################################################
+#   Check Environment Variables                           #
+###########################################################
+
+export DOMAIN_NAME="$(
+    kubectl -n kiss get configmap kiss-config -o yaml |
+        yq -r '.data.domain_name'
+)"
+
+###########################################################
+#   Configure Helm Channel                                #
+###########################################################
+
+echo "- Configuring Helm channel ... "
+
+helm repo add "${NAMESPACE}-keycloak" "${HELM_CHART}"
+
+###########################################################
+#   Install Dex                                           #
+###########################################################
+
+echo "- Installing Operator ... "
+
+helm upgrade --install "keycloak" \
+    "${NAMESPACE}-keycloak/keycloak" \
+    --create-namespace \
+    --namespace "${NAMESPACE}" \
+    --set ingress.annotations."cert-manager\.io/cluster-issuer"="${DOMAIN_NAME}" \
+    --set ingress.hostname="auth.${DOMAIN_NAME}" \
+    --set ingress.ingressClassName="${DOMAIN_NAME}" \
+    --values "./values.yaml"
+
+###########################################################
+#   Install Stunnel                                       #
+###########################################################
+
+echo "- Installing Stunnel ... "
+
+kubectl apply -f "stunnel.yaml"
+
+# Finished!
+echo "Installed!"
diff --git a/templates/vine/keycloak/stunnel.yaml b/templates/vine/keycloak/stunnel.yaml
@@ -0,0 +1,127 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-ldap-cert
+  namespace: vine
+type: Opaque
+stringData:
+  # TODO(user): specify the endpoint and client certificates
+  connect: ldap.google.com:636
+  # ldap-client.crt: ""
+  # ldap-client.key: ""
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keycloak-stunnel
+  namespace: vine
+  labels:
+    name: keycloak-stunnel
+    serviceType: internal
+spec:
+  replicas: 1
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
+  selector:
+    matchLabels:
+      name: keycloak-stunnel
+  template:
+    metadata:
+      labels:
+        name: keycloak-stunnel
+        serviceType: internal
+    spec:
+      affinity:
+        nodeAffinity:
+          # KISS normal control plane nodes should be preferred
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 1
+              preference:
+                matchExpressions:
+                  - key: node-role.kubernetes.io/kiss-ephemeral-control-plane
+                    operator: DoesNotExist
+            # KISS compute nodes should be preferred
+            - weight: 2
+              preference:
+                matchExpressions:
+                  - key: node-role.kubernetes.io/kiss
+                    operator: In
+                    values:
+                      - Compute
+            # KISS gateway nodes should be more preferred
+            - weight: 4
+              preference:
+                matchExpressions:
+                  - key: node-role.kubernetes.io/kiss
+                    operator: In
+                    values:
+                      - Gateway
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: node-role.kubernetes.io/kiss
+                    operator: In
+                    values:
+                      - ControlPlane
+                      - Compute
+                      - Gateway
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: stunnel
+          image: docker.io/dweomer/stunnel:latest
+          imagePullPolicy: Always
+          env:
+            - name: STUNNEL_ACCEPT
+              value: "389"
+            - name: STUNNEL_CLIENT
+              value: "yes"
+            - name: STUNNEL_CONNECT
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-ldap-cert
+                  key: connect
+            - name: STUNNEL_SERVICE
+              value: ldap
+          ports:
+            - name: ldap
+              protocol: TCP
+              containerPort: 389
+          resources:
+            requests:
+              cpu: 30m
+              memory: 20Mi
+            limits:
+              cpu: 100m
+              memory: 100Mi
+          volumeMounts:
+            - name: cert
+              mountPath: /etc/stunnel/stunnel.pem
+              subPath: ldap-client.crt
+              readOnly: true
+            - name: cert
+              mountPath: /etc/stunnel/stunnel.key
+              subPath: ldap-client.key
+              readOnly: true
+      volumes:
+        - name: cert
+          secret:
+            secretName: keycloak-ldap-cert
+            defaultMode: 420
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak-stunnel
+  namespace: vine
+spec:
+  selector:
+    name: keycloak-stunnel
+  ports:
+    - name: ldap
+      port: 389
+      protocol: TCP
+      targetPort: 389