
Commit 0afef3da authored by kevin.wilder's avatar kevin.wilder Committed by Ryan Garcia

Keycloak quarkus

parent b9ce3404
1 merge request!2279Keycloak quarkus
......@@ -159,7 +159,8 @@ configs:
sso:
enabled: {{ .Values.addons.argocd.sso.enabled }}
rbac:
policy.csv: {{- toYaml .Values.addons.argocd.sso.groups | nindent 4 }}
policy.csv: |
{{- .Values.addons.argocd.sso.groups | nindent 6 }}
keycloakClientSecret: {{ .Values.addons.argocd.sso.client_secret }}
config:
oidc.config: |
......
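Review bot: Dropping `toYaml` on the `{{- .Values.addons.argocd.sso.groups | nindent 6 }}` line silently changes what the chart accepts: a map or list in `groups` now renders as Go's default string formatting rather than CSV, and an empty value leaves `policy.csv: |` with no body. Because this block is ArgoCD's RBAC policy, a malformed render most likely shows up as users missing expected access rather than as a failed deploy, so the expected type deserves documentation on the value, e.g. `# -- ArgoCD RBAC policy.csv contents; must be a multi-line string (| block scalar), not a list or map`, and a `type: string` entry in the values schema if the chart has one. The rendered page loses indentation, so I cannot confirm that `nindent 6` places the content under `policy.csv:` rather than under `rbac:`.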
......@@ -82,12 +82,20 @@ secrets:
{{- if .host }}
env:
stringData:
# keep legacy ENVs for backwards compatibility
DB_USER: {{ .username | quote }}
DB_PASSWORD: {{ .password | quote }}
DB_VENDOR: {{ default "postgres" .type }}
DB_ADDR: {{ .host }}
DB_PORT: {{ .port | quote }}
DB_DATABASE: {{ .database }}
# Quarkus ENVs
KC_DB_USERNAME: {{ .username | quote }}
KC_DB_PASSWORD: {{ .password | quote }}
KC_DB: {{ default "postgres" .type }}
KC_DB_URL_HOST: {{ .host }}
KC_DB_URL_PORT: {{ .port | quote }}
KC_DB_URL_DATABASE: {{ .database }}
{{- end }}
{{- end }}
{{- end }}
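Review bot: The new `KC_DB_URL_HOST: {{ .host }}` and `KC_DB_URL_DATABASE: {{ .database }}` lines are unquoted while the username, password and port next to them use `| quote`; a host or database name that YAML types as something other than a string (all digits, or a `yes`/`no`/`on`-style token) would make the `stringData` entry a non-string and fail Secret validation. I would quote them for consistency: `KC_DB_URL_HOST: {{ .host | quote }}` and `KC_DB_URL_DATABASE: {{ .database | quote }}`, and the same treatment suits `KC_DB: {{ default "postgres" .type }}` and the legacy `DB_ADDR`/`DB_DATABASE`/`DB_VENDOR` lines. The `with`/`range` that puts `.host` in scope opens outside the hunk.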
......@@ -102,6 +110,7 @@ extraVolumesBigBang:
secretName: keycloak-tlskey
extraVolumeMountsBigBang:
# keep /etc/x509/https/ for legacy backwards compatibility
- name: tlscert
mountPath: /etc/x509/https/tls.crt
subPath: tls.crt
......@@ -110,6 +119,15 @@ extraVolumeMountsBigBang:
mountPath: /etc/x509/https/tls.key
subPath: tls.key
readOnly: true
# Quarkus cert paths
- name: tlscert
mountPath: /opt/keycloak/conf/tls.crt
subPath: tls.crt
readOnly: true
- name: tlskey
mountPath: /opt/keycloak/conf/tls.key
subPath: tls.key
readOnly: true
{{- end }}
{{- end }}
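Review bot: The new `/opt/keycloak/conf/tls.crt` and `/opt/keycloak/conf/tls.key` mounts use `subPath`, and Kubernetes does not propagate Secret updates into subPath mounts, so a rotated `keycloak-tlscert`/`keycloak-tlskey` only reaches Keycloak after the pod is restarted. If the chart already rolls the deployment on a secret checksum annotation this is fine; otherwise the `# Quarkus cert paths` comment should say so, e.g. `# subPath mounts do not see Secret rotation; restart pods after the TLS secrets change`. Keeping the private key at both the legacy `/etc/x509/https/` path and the Quarkus path doubles the places it is exposed inside the container, so the legacy block deserves a stated removal target rather than an open-ended "backwards compatibility" note. The enclosing `{{- if }}` blocks that close at the end of this hunk open outside it.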
......@@ -86,4 +86,9 @@ minio:
elasticsearch:
enabled: true
{{- end }}
mattermostEnvs:
# required for Keycloak >= 20.X to work with gitlab auth pointed to Keycloak
MM_GITLABSETTINGS_SCOPE: openid
{{- end -}}
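Review bot: `MM_GITLABSETTINGS_SCOPE: openid` is hard-coded with no values-level override, so an operator who needs extra scopes for the GitLab-style login has to patch the template; reading it from a values key with `| default "openid" | quote` would keep the fix while leaving it adjustable (I cannot see from here which values path would be appropriate). The comment could also state the cause rather than the version: as far as I recall, recent Keycloak releases reject userinfo requests whose token lacks the `openid` scope, which is presumably the same reason the Grafana hunk changes `scopes` to `"openid Grafana"`. The trailing `{{- end -}}` trims whitespace after it, which matters only if this template is concatenated with another.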
......@@ -1403,7 +1403,7 @@ addons:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git
path: "./chart"
tag: "18.2.1-bb.6"
tag: "18.3.0-bb.0"
database:
# -- Hostname of a pre-existing database to use for Keycloak.
......
......@@ -185,8 +185,8 @@ monitoring:
client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-alertmanager
grafana:
client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-grafana
scopes: "Grafana"
scopes: "openid Grafana"
twistlock:
# SSO (SAML) requires a license and enabling the init job - see https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock/-/blob/main/docs/initialization.md
sso:
......
comments: |
This example values override file is provided FOR DEVELOPMENT PURPOSES ONLY
Operational deployments use a different configuration including but not limited to:
- a custom realm would not automatically be loaded.
- needed secrets would be created independently through a GitOps process rather than using the keycolak chart to create secrets
- the certificate would not be inlined in the values.yaml but instead the keycloak-tlscert and keycloak-tlskey secrets are created independently through a GitOps process
- an external database would be used
- master realm would be disabled to prevent admin login
If you are deploying this development configuration on a k3d cluster, multiple istio ingress is not supported by default.
You must follow the instructions in the development environment addendum to configure k3d with MetalLB.
/docs/developer/development-environment.md#multi-ingress-gateway-support-with-metallb-and-k3d
Here are some of the URL paths that are available in Keycloak
Admin UI. Default credentials for development are admin:password
https://keycloak.bigbang.dev/auth/admin
User registration and/or account page
https://keycloak.bigbang.dev/
For a keycloak realm config file that already has some sso clients configured, reach out to one of the Keycloak package codeowners.
Within the Keycloak admin UI delete the existing custom realm, and then import the new one.
If the cert in the example values override file has expired. Get a current *.bigbang.dev cert at /chart/ingress-certs.yaml.
Then open a Gitlab issue so we can update the example file with the new cert.
This example values override file is provided FOR DEVELOPMENT/DEMO/TEST PURPOSES ONLY
domain: bigbang.dev
......@@ -50,53 +28,118 @@ addons:
ingress:
gateway: "passthrough"
key: |
-----BEGIN PRIVATE KEY-----
INSERT KEY HERE
-----END PRIVATE KEY-----
cert: |
-----BEGIN CERTIFICATE-----
INSERT CERT HERE
-----END CERTIFICATE-----
# For development include the *.bigbang.dev cert from ./chart/ingress-certs.yaml
# key: |
# -----BEGIN PRIVATE KEY-----
# INSERT KEY HERE
# -----END PRIVATE KEY-----
# cert: |
# -----BEGIN CERTIFICATE-----
# INSERT CERT HERE
# -----END CERTIFICATE-----
values:
replicas: 1
command:
- "/opt/keycloak/bin/kc.sh"
args:
# - "start"
- "start-dev"
- "--import-realm"
# import-realm is not recommended for operational environments.
# https://www.keycloak.org/server/all-config
extraEnv: |-
- name: KC_HTTPS_CERTIFICATE_FILE
value: /opt/keycloak/conf/tls.crt
- name: KC_HTTPS_CERTIFICATE_KEY_FILE
value: /opt/keycloak/conf/tls.key
- name: KC_HTTPS_TRUST_STORE_FILE
value: /opt/keycloak/conf/truststore.jks
- name: KC_HTTPS_TRUST_STORE_PASSWORD
value: password
- name: KC_HTTPS_CLIENT_AUTH
value: request
- name: KC_PROXY
value: passthrough
- name: KC_HTTP_ENABLED
value: "true"
- name: KC_HTTP_RELATIVE_PATH
value: /auth
- name: KC_HOSTNAME
value: keycloak.bigbang.dev
- name: KC_HOSTNAME_STRICT
value: "true"
- name: KC_HOSTNAME_STRICT_HTTPS
value: "true"
- name: KC_LOG_LEVEL
value: "org.keycloak.events:DEBUG,org.infinispan:INFO,org.jgroups:INFO"
- name: KC_CACHE
value: ispn
- name: KC_CACHE_STACK
value: kubernetes
secrets:
env:
stringData:
CUSTOM_REGISTRATION_CONFIG: /opt/jboss/keycloak/customreg.yaml
KEYCLOAK_IMPORT: /opt/jboss/keycloak/realm.json
X509_CA_BUNDLE: /etc/x509/https/cas.pem
certauthority:
stringData:
cas.pem: '{{ .Files.Get "resources/dev/dod_cas.pem" }}'
CUSTOM_REGISTRATION_CONFIG: /opt/keycloak/conf/customreg.yaml
customreg:
stringData:
customreg.yaml: '{{ .Files.Get "resources/dev/baby-yoda.yaml" }}'
realm:
stringData:
realm.json: '{{ .Files.Get "resources/dev/baby-yoda.json" }}'
extraVolumes: |-
- name: certauthority
secret:
secretName: {{ include "keycloak.fullname" . }}-certauthority
truststore:
data:
truststore.jks: |-
{{ .Files.Get "resources/dev/truststore.jks" | b64enc }}
quarkusproperties:
stringData:
quarkus.properties: '{{ .Files.Get "resources/dev/quarkus.properties" }}'
extraInitContainers: |-
- name: plugin
image: registry.dso.mil/platform-one/big-bang/apps/product-tools/keycloak-p1-auth-plugin/init-container:X.X.X
imagePullPolicy: Always
command:
- sh
- -c
- |
cp /app/p1-keycloak-plugin.jar /init
ls -l /init
volumeMounts:
- name: plugin
mountPath: "/init"
extraVolumes: |-
- name: customreg
secret:
secretName: {{ include "keycloak.fullname" . }}-customreg
- name: realm
secret:
secretName: {{ include "keycloak.fullname" . }}-realm
- name: plugin
emptyDir: {}
- name: truststore
secret:
secretName: {{ include "keycloak.fullname" . }}-truststore
- name: quarkusproperties
secret:
secretName: {{ include "keycloak.fullname" . }}-quarkusproperties
defaultMode: 0777
extraVolumeMounts: |-
- name: certauthority
mountPath: /etc/x509/https/cas.pem
subPath: cas.pem
readOnly: true
- name: customreg
mountPath: /opt/jboss/keycloak/customreg.yaml
mountPath: /opt/keycloak/conf/customreg.yaml
subPath: customreg.yaml
readOnly: true
- name: realm
mountPath: /opt/jboss/keycloak/realm.json
mountPath: /opt/keycloak/data/import/realm.json
subPath: realm.json
readOnly: true
- name: plugin
mountPath: /opt/keycloak/providers/p1-keycloak-plugin.jar
subPath: p1-keycloak-plugin.jar
- name: truststore
mountPath: /opt/keycloak/conf/truststore.jks
subPath: truststore.jks
- name: quarkusproperties
mountPath: /opt/keycloak/conf/quarkus.properties
subPath: quarkus.properties
\ No newline at end of file
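Review bot: `defaultMode: 0777` on the `quarkusproperties` secret volume makes the mounted `quarkus.properties` world-writable and executable, which a configuration file that Keycloak only reads does not need; `defaultMode: 0444` (or `0440` with the container's group) is enough unless the kc-routing extension is known to write to it, and the same line appears in the new prod example and in the CI values. The new `plugin`, `truststore` and `quarkusproperties` mounts also drop the `readOnly: true` that the `customreg` and `realm` mounts carry, so adding it keeps a compromised process from altering the provider jar or truststore in place. The `KC_HTTPS_TRUST_STORE_PASSWORD` of `password` is acceptable here only because the file is dev-only, and a short comment saying so would prevent it being copied forward. This section's file header is not visible on the page.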
comments: |
Operational deployments use a different configuration including but not limited to:
- a custom realm would not automatically be loaded.
- needed secrets would be created independently through a GitOps process rather than using the keycolak chart to create secrets
- the certificate would not be inlined in the values.yaml but instead the keycloak-tlscert and keycloak-tlskey secrets are created independently through a GitOps process
- an external database would be used
- master realm would be disabled or restricted to prevent admin login
Here are some of the URL paths that are available in Keycloak
Admin UI. Default credentials for development are admin:password
https://keycloak.bigbang.dev/auth/admin
User registration and/or account page
https://keycloak.bigbang.dev/
For an example "baby-yoda" keycloak realm file that already has sso clients configured see
https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/blob/main/chart/resources/dev/baby-yoda.json
Within the Keycloak Admin Console UI import your custom realm.json file.
domain: bigbang.dev
flux:
interval: 1m
rollback:
cleanupOnFail: false
istio:
ingressGateways:
passthrough-ingressgateway:
type: "LoadBalancer"
gateways:
passthrough:
ingressGateway: "passthrough-ingressgateway"
hosts:
- "*.{{ .Values.domain }}"
tls:
mode: "PASSTHROUGH"
addons:
keycloak:
enabled: true
ingress:
gateway: "passthrough"
key: |
-----BEGIN PRIVATE KEY-----
INSERT KEY HERE
-----END PRIVATE KEY-----
cert: |
-----BEGIN CERTIFICATE-----
INSERT CERT HERE
-----END CERTIFICATE-----
values:
replicas: 1
command:
- "/opt/keycloak/bin/kc.sh"
args:
- "start"
# - "--import-realm"
# import-realm is not recommended for production/operational environments.
# For a new production deployment a realm file can be manually imported from the Admin Console
# https://www.keycloak.org/server/all-config
extraEnv: |-
- name: KC_HTTPS_CERTIFICATE_FILE
value: /opt/keycloak/conf/tls.crt
- name: KC_HTTPS_CERTIFICATE_KEY_FILE
value: /opt/keycloak/conf/tls.key
- name: KC_HTTPS_TRUST_STORE_FILE
value: /opt/keycloak/conf/truststore.jks
- name: KC_HTTPS_TRUST_STORE_PASSWORD
value: password
- name: KC_HTTPS_CLIENT_AUTH
value: request
- name: KC_PROXY
value: passthrough
- name: KC_HTTP_ENABLED
value: "true"
- name: KC_HTTP_RELATIVE_PATH
value: /auth
- name: KC_HOSTNAME
value: keycloak.bigbang.dev
- name: KC_HOSTNAME_STRICT
value: "true"
- name: KC_HOSTNAME_STRICT_HTTPS
value: "true"
- name: KC_LOG_LEVEL
value: "org.keycloak.events:DEBUG,org.infinispan:INFO,org.jgroups:INFO"
- name: KC_CACHE
value: ispn
- name: KC_CACHE_STACK
value: kubernetes
secrets:
env:
stringData:
# the admin credentials should be separated into a separate SOPS encrypted values file
KEYCLOAK_ADMIN: "admin"
KEYCLOAK_ADMIN_PASSWORD: "your-super-secure-password"
CUSTOM_REGISTRATION_CONFIG: /opt/keycloak/conf/customreg.yaml
customreg:
stringData:
customreg.yaml: '{{ .Files.Get "resources/dev/baby-yoda.yaml" }}'
realm:
stringData:
realm.json: '{{ .Files.Get "resources/dev/baby-yoda.json" }}'
truststore:
data:
truststore.jks: |-
{{ .Files.Get "resources/dev/truststore.jks" | b64enc }}
# This config example includes quarkus properties for changing the realm name to something other than "baby-yoda"
# The p1-keycloak-plugin has a custom quarkus extention for custom routing and redirects
# the quarkus.properties file is how you configure it
quarkusproperties:
stringData:
quarkus.properties: |-
quarkus.http.non-application-root-path=/
quarkus.kc-routing-redirects.urls./=/auth/realms/YOUR-REALM-NAME/account
quarkus.kc-routing-redirects.urls./auth=/auth/realms/YOUR-REALM-NAME/account
quarkus.kc-routing-redirects.urls./register=/auth/realms/YOUR-REALM-NAME/protocol/openid-connect/registrations?client_id=account&response_type=code
quarkus.kc-routing-redirects.path-prefixes./oauth/authorize=/auth/realms/YOUR-REALM-NAME/protocol/openid-connect/auth
quarkus.kc-routing-redirects.path-filters./api/v4/user=/auth/realms/YOUR-REALM-NAME/protocol/openid-connect/userinfo
quarkus.kc-routing-redirects.path-filters./oauth/token=/auth/realms/YOUR-REALM-NAME/protocol/openid-connect/token
# This config includes an example of injecting a custom theme jar on startup
# Instructions for building a custom theme can be found in the Big Bang Keycloak repository
# https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/blob/main/development/README.md
extraInitContainers: |-
- name: plugin
image: registry1.dso.mil/ironbank/big-bang/p1-keycloak-plugin:X.X.X
imagePullPolicy: Always
command:
- sh
- -c
- |
cp /app/p1-keycloak-plugin.jar /init
ls -l /init
volumeMounts:
- name: plugin
mountPath: "/init"
- name: custom-theme
image: YOUR-REGISTRY-NAME/PATH-TO-IMAGE/YOUR-CUSTOM-THEME-IMAGE-NAME:X.X.X
imagePullPolicy: Always
command:
- sh
- -c
- |
cp /app/YOUR-CUSTOM-THEME-JAR-NAME.jar /init
ls -l /init
volumeMounts:
- name: custom-theme
mountPath: "/init"
extraVolumes: |-
- name: customreg
secret:
secretName: {{ include "keycloak.fullname" . }}-customreg
- name: realm
secret:
secretName: {{ include "keycloak.fullname" . }}-realm
- name: plugin
emptyDir: {}
- name: truststore
secret:
secretName: {{ include "keycloak.fullname" . }}-truststore
- name: quarkusproperties
secret:
secretName: {{ include "keycloak.fullname" . }}-quarkusproperties
defaultMode: 0777
- name: custom-theme
emptyDir: {}
extraVolumeMounts: |-
- name: customreg
mountPath: /opt/keycloak/conf/customreg.yaml
subPath: customreg.yaml
readOnly: true
- name: realm
mountPath: /opt/keycloak/data/import/realm.json
subPath: realm.json
- name: plugin
mountPath: /opt/keycloak/providers/p1-keycloak-plugin.jar
subPath: p1-keycloak-plugin.jar
- name: truststore
mountPath: /opt/keycloak/conf/truststore.jks
subPath: truststore.jks
- name: quarkusproperties
mountPath: /opt/keycloak/conf/quarkus.properties
subPath: quarkus.properties
- name: custom-theme
mountPath: /opt/keycloak/providers/custom-theme.jar
subPath: custom-theme.jar
\ No newline at end of file
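Review bot: `KC_HTTPS_TRUST_STORE_PASSWORD` is set to the literal `password` in a file presented as the production example, while the admin credentials a few lines below are at least marked as placeholders to be moved into a SOPS-encrypted file; the truststore password should be a labelled placeholder in the same style, `value: YOUR-TRUSTSTORE-PASSWORD`, with the SOPS comment extended to cover it. `KC_LOG_LEVEL` keeps `org.keycloak.events:DEBUG`, which is very chatty for production and can place user identifiers in logs; either lower it to `INFO` in this example or add a comment explaining why debug event logging is intended. `defaultMode: 0777` on the `quarkusproperties` volume is copied from the dev file and is far more permissive than a read-only properties file needs. This section's file header is not visible on the page.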
......@@ -327,6 +327,9 @@ addons:
service_registration "kubernetes" {}
```
## Keycloak
See the [production configuration example](../../../docs/assets/configs/example/keycloak-prod-values.yaml).
## High Availability (HA)
Each package in Big Bang includes documentation of its own High Availability configuration independently in [Package Architecture](../package-architecture).
......@@ -1437,53 +1437,111 @@ addons:
replicas: 1
resources:
requests:
cpu: 10m
memory: 16Mi
cpu: 250m
memory: 250Mi
limits: {}
# Disabling helm tests for keycloak until they are working on rke2
bbtests:
enabled: true
cypress:
envs:
cypress_url: "https://keycloak.bigbang.dev"
command:
- "/opt/keycloak/bin/kc.sh"
args:
- "start"
- "--import-realm"
extraEnv: |-
- name: KC_HTTPS_CERTIFICATE_FILE
value: /opt/keycloak/conf/tls.crt
- name: KC_HTTPS_CERTIFICATE_KEY_FILE
value: /opt/keycloak/conf/tls.key
- name: KC_HTTP_ENABLED
value: "true"
- name: KC_HTTP_RELATIVE_PATH
value: /auth
- name: KC_HTTPS_CLIENT_AUTH
value: request
- name: KC_PROXY
value: passthrough
- name: KC_HTTPS_TRUST_STORE_FILE
value: /opt/keycloak/conf/truststore.jks
- name: KC_HTTPS_TRUST_STORE_PASSWORD
value: password
- name: KC_HOSTNAME
value: keycloak.bigbang.dev
- name: KC_HOSTNAME_STRICT
value: "true"
- name: KC_HOSTNAME_STRICT_HTTPS
value: "true"
- name: KC_LOG_LEVEL
value: "org.keycloak.events:DEBUG,org.infinispan:INFO,org.jgroups:INFO"
- name: KC_CACHE
value: ispn
- name: KC_CACHE_STACK
value: kubernetes
secrets:
env:
stringData:
CUSTOM_REGISTRATION_CONFIG: /opt/jboss/keycloak/customreg.yaml
KEYCLOAK_IMPORT: /opt/jboss/keycloak/realm.json
X509_CA_BUNDLE: /etc/x509/https/cas.pem
certauthority:
stringData:
cas.pem: '{{ .Files.Get "resources/dev/dod_cas.pem" }}'
CUSTOM_REGISTRATION_CONFIG: /opt/keycloak/conf/customreg.yaml
customreg:
stringData:
customreg.yaml: '{{ .Files.Get "resources/dev/baby-yoda.yaml" }}'
customreg.yaml: '{{ .Files.Get "resources/dev/baby-yoda-ci.yaml" }}'
realm:
stringData:
realm.json: '{{ .Files.Get "resources/dev/baby-yoda-ci.json" }}'
realm.json: '{{ .Files.Get "resources/dev/baby-yoda.json" }}'
truststore:
data:
truststore.jks: |-
{{ .Files.Get "resources/dev/truststore.jks" | b64enc }}
quarkusproperties:
stringData:
quarkus.properties: '{{ .Files.Get "resources/dev/quarkus.properties" }}'
extraInitContainers: |-
- name: plugin
image: registry1.dso.mil/ironbank/big-bang/p1-keycloak-plugin:3.0.0
imagePullPolicy: Always
command:
- sh
- -c
- |
cp /app/p1-keycloak-plugin.jar /init
ls -l /init
volumeMounts:
- name: plugin
mountPath: "/init"
extraVolumes: |-
- name: certauthority
secret:
secretName: {{ include "keycloak.fullname" . }}-certauthority
- name: customreg
secret:
secretName: {{ include "keycloak.fullname" . }}-customreg
- name: realm
secret:
secretName: {{ include "keycloak.fullname" . }}-realm
- name: plugin
emptyDir: {}
- name: truststore
secret:
secretName: {{ include "keycloak.fullname" . }}-truststore
- name: quarkusproperties
secret:
secretName: {{ include "keycloak.fullname" . }}-quarkusproperties
defaultMode: 0777
extraVolumeMounts: |-
- name: certauthority
mountPath: /etc/x509/https/cas.pem
subPath: cas.pem
readOnly: true
- name: customreg
mountPath: /opt/jboss/keycloak/customreg.yaml
mountPath: /opt/keycloak/conf/customreg.yaml
subPath: customreg.yaml
readOnly: true
- name: realm
mountPath: /opt/jboss/keycloak/realm.json
mountPath: /opt/keycloak/data/import/realm.json
subPath: realm.json
readOnly: true
- name: plugin
mountPath: /opt/keycloak/providers/p1-keycloak-plugin.jar
subPath: p1-keycloak-plugin.jar
- name: truststore
mountPath: /opt/keycloak/conf/truststore.jks
subPath: truststore.jks
- name: quarkusproperties
mountPath: /opt/keycloak/conf/quarkus.properties
subPath: quarkus.properties
vault:
enabled: false
......
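Review bot: If the printed order is old-then-new, the CI values now pair `customreg.yaml` with `baby-yoda-ci.yaml` but `realm.json` with `baby-yoda.json`, i.e. the realm moves off the CI-specific file while the registration config moves onto it; please confirm that split is intended, since the previous state used `baby-yoda-ci.json` for the realm. The comment `# Disabling helm tests for keycloak until they are working on rke2` sits directly above `bbtests: enabled: true`, so either the comment is stale or the value is wrong; drop the comment if the tests are meant to run. `defaultMode: 0777` on the `quarkusproperties` volume is more permissive than a config file needs (`0444` suffices), and the `plugin`, `truststore` and `quarkusproperties` mounts lack the `readOnly: true` the other mounts carry.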