Merge branch '497-keycloak-release' into 'master'

Resolve "Keycloak new release" Closes #497 See merge request platform-one/big-bang/bigbang!541

Merge branch '497-keycloak-release' into 'master'
af516a6f · Michael McLeroy · e89e5651 · 7d7b3101 · af516a6f · af516a6f
Commit af516a6f authored 3 years ago by Michael McLeroy
--- a/chart/templates/keycloak/values.yaml
+++ b/chart/templates/keycloak/values.yaml
@@ -22,9 +22,6 @@ monitoring:
 serviceMonitor:
  enabled: {{ .Values.monitoring.enabled }}

-networkPolicies:
-  enabled: {{ .Values.networkPolicies.enabled }}
-
 {{- if .Values.addons.keycloak.database.host }}
 postgresql:
  enabled: false
@@ -33,15 +30,17 @@ postgresql:
 {{- if or .Values.addons.keycloak.database.host (and .Values.addons.keycloak.ingress.cert .Values.addons.keycloak.ingress.key) }}
 secrets:
  {{- if and .Values.addons.keycloak.ingress.cert .Values.addons.keycloak.ingress.key }}
-  certificates:
+  tlscert:
    stringData:
      tls.crt: {{ .Values.addons.keycloak.ingress.cert | quote }}
+  tlskey:
+    stringData:
      tls.key: {{ .Values.addons.keycloak.ingress.key  | quote }}
  {{- end }}

  {{- with .Values.addons.keycloak.database }}
  {{- if .host }}
-  db:
+  env:
    stringData:
      DB_USER: {{ .username | quote }}
      DB_PASSWORD: {{ .password | quote }}
@@ -53,10 +52,24 @@ secrets:
  {{- end }}
 {{- end }}

-{{- if .Values.addons.keycloak.database.host }}
-extraEnvFrom: |
-  - secretRef:
-      name: 'keycloak-db'
-{{- end }}
+{{- if and .Values.addons.keycloak.ingress.cert .Values.addons.keycloak.ingress.key }}
+extraVolumesBigBang:
+  - name: tlscert
+    secret:
+      secretName: keycloak-tlscert
+  - name: tlskey
+    secret:
+      secretName: keycloak-tlskey

+extraVolumeMountsBigBang:
+  - name: tlscert
+    mountPath: /etc/x509/https/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: tlskey
+    mountPath: /etc/x509/https/tls.key
+    subPath: tls.key
+    readOnly: true
 {{- end }}
+
+{{- end }}
\ No newline at end of file
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -933,9 +933,10 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git
      path: "./chart"
-      tag: "11.0.0-bb.1"
+      tag: "11.0.0-bb.4"

    # -- Certificate/Key pair to use as the certificate for exposing Keycloak
+    # Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart
    ingress:
      key: ""
      cert: ""

--- a/charter/packages/keycloak/Architecture.md
+++ b/charter/packages/keycloak/Architecture.md
@@ -48,11 +48,75 @@ Due to the sensitivity of Keycloak, Big Bang does not support deploying KeyCloak

 The upstream [Keycloak Helm chart](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak) is customized for use in Platform One.  It contains the following modifications from a standard Keycloak deployment:

- DoD Certificate Authorities
- Customized Platform One registration
- Customizable Platform One realm, with IL2, IL4, and IL5 isolation (not loaded by default, but [available in the package's git repo](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/blob/main/chart/resources/dev/baby-yoda.json))
- Redirects for specific keycloak endpoints to work with Platform One deployments
- A customized image, based on Iron Bank's Keycloak, that adds a plugin to support the above features
+- Customized Platform One registration plugin
+
+Additional customization can be added through values.  For example:
+
+```yaml
+addons:
+  keycloak:
+    # Setup TLS key pair
+    # An alternative to this is to create a secret namged `tlskey` and `tlscert` using Kustomize in the customer template.  Then use the volume and volumemount configuration below to mount the files.  In this case, the `ingress.key` and `ingress.cert` would be left blank.
+    ingress:
+      key: |-
+        {insert keycloak TLS key}
+      cert: |-
+        {insert keycloak TLS cert}
+    values:
+      secrets:
+        # The `env` secret is used to add environmental variables to the keycloak pod
+        env:
+          stringData:
+            # Keycloak will use the `customreg.yaml` for configuring the custom registration process.
+            CUSTOM_REGISTRATION_CONFIG: /opt/jboss/keycloak/customreg.yaml
+            # Keycloak will load a custom realm defined in `realm.json`
+            KEYCLOAK_IMPORT: /opt/jboss/keycloak/realm.json
+            # Keycloak will load a custom set of certificate authorities
+            X509_CA_BUNDLE: /etc/x509/https/cas.pem
+        # The `certauthority` secret holds the certificate authority keys.
+        # Using the customer template, kustomize could be used to create the secret instead of using the keycloak chart via values
+        certauthority:
+          stringData:
+            cas.pem: |-
+              {insert CAS.PEM content}
+        # The `customreg` secret holds the configuration for customer registration.
+        # Using the customer template, kustomize could be used to create the secret instead of using the keycloak chart via values
+        customreg:
+          stringData:
+            customreg.yaml: |-
+              {insert customreg.yaml content}
+        # The `realm` secret holds the custom realm configuration.
+        # Using the customer template, kustomize could be used to create the secret instead of using the keycloak chart via values
+        realm:
+          stringData:
+            realm.json: |-
+              {insert realm.json content}
+      # Create volumes for each secret above
+      extraVolumes: |-
+        - name: certauthority
+          secret:
+            secretName: {{ include "keycloak.fullname" . }}-certauthority
+        - name: customreg
+          secret:
+            secretName: {{ include "keycloak.fullname" . }}-customreg
+        - name: realm
+          secret:
+            secretName: {{ include "keycloak.fullname" . }}-realm
+      # Volume mount each volume in the appropriate location
+      extraVolumeMounts: |-
+        - name: certauthority
+          mountPath: /etc/x509/https/cas.pem
+          subPath: cas.pem
+          readOnly: true
+        - name: customreg
+          mountPath: /opt/jboss/keycloak/customreg.yaml
+          subPath: customreg.yaml
+          readOnly: true
+        - name: realm
+          mountPath: /opt/jboss/keycloak/realm.json
+          subPath: realm.json
+          readOnly: true
+```

 ### Keycloak Admin password

@@ -112,8 +176,8 @@ To workaround this situation, you have to isolate the applications by IP, port,
 ### GUI

 Keycloak has two main end point URLs:
-https://keycloak.bigbang.dev for authentication.
-https://keycloak.bigbang.dev/auth/admin for administration.
+[https://keycloak.bigbang.dev](https://keycloak.bigbang.dev) for authentication.
+[https://keycloak.bigbang.dev/auth/admin](https://keycloak.bigbang.dev/auth/admin) for administration.

 The `bigbang.dev` domain name can be customized by setting the `hostname` in `values.yaml`

@@ -190,6 +254,6 @@ addons:

 ## Dependent Packages

- PostgreSQL for in-cluster development/test database
 - Istio for ingress
 - (Optional) Monitoring for metrics
+- PostgreSQL database (development/test only)