Merge branch '291-keycloak' into 'master'

Resolve "Integrate Keycloak package with BigBang"

Summary

This is the initial release of Keycloak with BigBang.  
IMPORTANT NOTE: Keycolak is only intended to be deployed by itself with only the core apps.  When keycloak is enabled the core apps conditionally deploy with a separate  ```*.admin.*``` domain like this ```*.admin.bigbang.dev```. Also, when Keycloak is enabled an additional server with tls.mode PASSTHROUGH is conditionally added to the istio ingressgateway.  
  
Zach Williamson and Cameron Banowsky from the CNAP team have been actively testing this branch with their new P1 SSO deployments. All known issues have been resolved.


Closes #291

See merge request platform-one/big-bang/bigbang!394

CODEOWNERS

@@ -98,9 +98,9 @@ chart/values.yaml               @lynnstill @ryan.j.garcia @kevin.wilder
 chart/templates/gitlab          @lynnstill @ryan.j.garcia @kevin.wilder
 
 ^[KeyCloak]
-chart/Chart.yaml                @megamind
-chart/values.yaml               @megamind
-chart/templates/keycloak        @megamind
+chart/Chart.yaml                @megamind @kevin.wilder @michaelmcleroy
+chart/values.yaml               @megamind @kevin.wilder @michaelmcleroy
+chart/templates/keycloak        @megamind @kevin.wilder @michaelmcleroy
 
 ^[Mattermost (and operator)]
 chart/Chart.yaml                @micah.nagel @branden.cobb

README.md

@@ -310,6 +310,19 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.velero.flux | object | `{}` | Flux reconciliation overrides specifically for the Velero Package |
 | addons.velero.values | object | `{"plugins":[]}` | Values to passthrough to the Velero chart: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero/-/blob/main/chart/values.yaml |
 | addons.velero.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
+| addons.keycloak.enabled | bool | `false` | Toggle deployment of Keycloak |
+| addons.keycloak.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git"` | Git repo for Keycloak Helm chart |
+| addons.keycloak.git.path | string | `"./chart"` | Path to helm chart in Git repository |
+| addons.keycloak.git.tag | string | `"x.x.x-bb.x"` | Git tag for Helm chart |
+| addons.keycloak.ingress.key | string | `-----BEGIN PRIVATE KEY-----...` | Private certificate key for Keycloak |
+| addons.keycloak.ingress.cert | string | `-----BEGIN CERTIFICATE-----...` | TLS certificate for Keycloak |
+| addons.keycloak.database.host | string | `""` | Hostname of a pre-existing database to use. Entering connection info will disable the deployment of an internal database and will auto-create any required secrets. |
+| addons.keycloak.database.type | string | `postgres` | Specifies the database type (e.g. `postgres`, `mysql`) |
+| addons.keycloak.database.port | string | `""` | Port of a pre-existing database to use. |
+| addons.keycloak.database.database | string | `""` | Database name to connect (Note: database name CANNOT contain hyphens). |
+| addons.keycloak.database.username | string | `""` | Username for access to the external database, the user must have all privileges on the database. |
+| addons.keycloak.database.password | string | `""` | Password for the username for access to the external database. |
+| addons.keycloak.values | map | `{}` | Additional values to pass through to the Keycloak Helm chart |
 
 ## Contributing
 

chart/admin.bigbang.dev-certs.yaml

+istio:
+  ingress:
+    key: |
+      -----BEGIN PRIVATE KEY-----
+      MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8bJtY3qQC0udg
+      WInp1K81Canpzsd/22mQ9f8GjVNF/7DhCSXRdHNeLtDNeJ2JoH96d1vLAm1YmHJ3
+      1aBwVULM0cWPRDkRg2Wjl/sMFoLgxR1ZKdtq3xxC2fwiDXjwv9JyOQgOrQqFxP7B
+      Qab1fv9uDfHP1aIxcDN7CpOxJHrjMoxyiPRynNFvw/iiGDJ+Jvomt8opWb4mC2jZ
+      MK5WGLvYWj9mkUo9crnQVJBNgU/ebx3j+yWztD6PDnuTNptI3x6OySjbkYlBGhjK
+      MpfQ7mTPCr5pBEgcJFVXVROg8Bum15vn3Uv+4LNe1tHcDxwCJQQJrzGNNc5YMpn8
+      1rvltDOTAgMBAAECggEACINbrXM5s8r1mzvE12S9mcba/25RQyyVo3AJ2rDt7z6z
+      Liespr79K2cwFeh6Laqrt8vGwPBWImeY3GMxgYHIp9pec6+gaHMoV3DZbd1igmdF
+      gS7L9BMqgra4lo1HRpFUH8cF3yvgStTwsaiWs4bOYZmNsFc1ocgw+0EqFRnR14vw
+      Q6pxlNlR0wND4WwEQ+PEFuGyaZpcnDA38vwaNyIVl99pRXXojvfco7dacYyce40o
+      O02mtl2yME4ssCgYPcThonPaUDjF594q7J2kqVRp6mJ0J9lvsxPRZ3NC1tOfVgzI
+      E/YVeNx7S9r0ONTJFLfRidd+udBKBCUM7NcKygqk8QKBgQDiQc0LPe7NWzfZ5Ks2
+      IeZZ1S7CX/Eyv7VW90YhOUTF9g9PmmH1v539vp9xdHlo9YaF2dXuf1GsMgpNQ4IZ
+      Nuz5xwvvmma3demqtOawTpHj3vHpZWOYTL0SEb5XwyPaZZIb33wxDidT8/0CpwPt
+      Tlq6GQ8HPYupHT6cJQcb7PgAmQKBgQDVMZ+0WucFAKeJSEj1zDZA0EzUqiFfLCpP
+      gko9+9yhPvl7Q6c+oOV0brx0ny+racLUsV0m8vzvvLFxHTubPa7CMKf5s7c3EPQv
+      8GqovlsvgzchwxRRs0KQMhQSZw1X2UDSBDci0AwZRXrJQp3odJk+0Pq5MslfCF6s
+      fwWxV6C1CwKBgBSvv3ePqg3MkUayyZShdNYxz5yl+P+S15mj8h2HhuoynSPCEcLO
+      Sjuw+hL9ezxFdo82Y4Dy0xzTVm3KBlMX2oLb2BOIImwTs9GPyKfGB0C2WZflVT3P
+      hlnolWagyN5m+vzhahFyIdZjMHbVnl5ME6+AKweWcPZ9XgQYvpWnDOXBAoGBAL0I
+      mTEUAQ+geuzxGTBI+DoT+GwAxkJbKNEDF81KC2E2M4Qmgp63j3zjy1ok4+G7jzOE
+      aLJmdfwkdbl0UCvgT5qEBg0UWvoKoFn5dLlWwAeq8zGOhe/DYNv2a3G9ykkAq8cM
+      Uc8eZfvqbWsTFGzPJipaplWcQI1xIHEW1/ddWXPtAoGBAInFXBnVDJiZkhq1adt9
+      3S/YVoMigw6ZD4j7E5g/5QBCs2rnZex20YFuJDvf+HAD/3eohJ6n75QRSZc0sn9j
+      XO49WKI7Qd2XTEL6dGvxGyFRTqrC5dUd3v/wq4XjUz1bI6VTvvHvf7EPCGh1NJ8v
+      PcJzvO/HdugGAG1xWnN7HT4g
+      -----END PRIVATE KEY-----
+    cert: |
+      -----BEGIN CERTIFICATE-----
+      MIIFLDCCBBSgAwIBAgISA87F5ACBGZuzPeSeGr2wqcY8MA0GCSqGSIb3DQEBCwUA
+      MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+      EwJSMzAeFw0yMTA0MTQxNDIzMTRaFw0yMTA3MTMxNDIzMTRaMB4xHDAaBgNVBAMM
+      EyouYWRtaW4uYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+      AoIBAQC8bJtY3qQC0udgWInp1K81Canpzsd/22mQ9f8GjVNF/7DhCSXRdHNeLtDN
+      eJ2JoH96d1vLAm1YmHJ31aBwVULM0cWPRDkRg2Wjl/sMFoLgxR1ZKdtq3xxC2fwi
+      DXjwv9JyOQgOrQqFxP7BQab1fv9uDfHP1aIxcDN7CpOxJHrjMoxyiPRynNFvw/ii
+      GDJ+Jvomt8opWb4mC2jZMK5WGLvYWj9mkUo9crnQVJBNgU/ebx3j+yWztD6PDnuT
+      NptI3x6OySjbkYlBGhjKMpfQ7mTPCr5pBEgcJFVXVROg8Bum15vn3Uv+4LNe1tHc
+      DxwCJQQJrzGNNc5YMpn81rvltDOTAgMBAAGjggJOMIICSjAOBgNVHQ8BAf8EBAMC
+      BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw
+      HQYDVR0OBBYEFLp8IoeSyLzb/tJ57pxDqGX4t/4nMB8GA1UdIwQYMBaAFBQusxe3
+      WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0
+      cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5j
+      ci5vcmcvMB4GA1UdEQQXMBWCEyouYWRtaW4uYmlnYmFuZy5kZXYwTAYDVR0gBEUw
+      QzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDov
+      L2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgCU
+      ILwejtWNbIhzH4KLIiwN0dpNXmxPlD1h204vWE2iwgAAAXjQ+rZ5AAAEAwBHMEUC
+      IQCOtTENOPlAwvmnqNxm9LHWo1TkNpLZqdCQWffa3zc2sAIgVpNs+pLLUmJfwq0+
+      FRSQJB9FyrH7js53BSZ1WyfY6GwAdgB9PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5q
+      l2iZfiLw1wAAAXjQ+razAAAEAwBHMEUCIQDCliAyo7EV92Kmp5zeoVfeqklvPPYi
+      p43KG/yc6gbiBwIgHpQYiQ5MCcJHnnol3Ku35ZYJw8jcWy7aW2S9gHR3eeUwDQYJ
+      KoZIhvcNAQELBQADggEBACUBLIHwOvyAsXlRGxqDKBGcl8BmbelWgp+XXsf9MZd0
+      hYYrPlnQL95C5R78FXmYlG24J4uHLMTvz+gYe/WRv4Cjr8It+EaoGATZ8zGa2OlY
+      FTfx6dLk/h2KPF9N45o5rsUtlTlTfJYGz58p30XefLwOdIrez8UtEV2fWevAWwYw
+      ZGLvPczwDABye0OUou+M+BoZQOI6hrcQ3IXGlf/VQKzBp1dOOxZB7bx3mOzg1CI6
+      1AebDLxybOev4Ke25jbtst6i4HG1feFXm4yL1utNsn15uBVoQVfKeLVvMO3Y2Hyi
+      DZvLATJX4qq0e2wDcETc8fxshOUnYhpzrbUctVBBncA=
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
+      MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+      DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow
+      MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT
+      AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs
+      jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp
+      Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB
+      U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7
+      gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel
+      /xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R
+      oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
+      BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p
+      ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE
+      p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE
+      AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu
+      Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0
+      LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf
+      r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
+      AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH
+      ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8
+      S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL
+      qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
+      O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
+      UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
+      -----END CERTIFICATE-----

chart/templates/NOTES.txt

@@ -150,3 +150,12 @@ PLATFORM ONE MATTERMOST WARNING:
   Make sure to go back and edit your values or ensure you add the license through the mattermost settings page.
 {{- end }}
 {{- end }}
+
+{{ if $.Values.addons.keycloak.enabled }}
+PLATFORM ONE KEYCLOAK WARNING:
+  You have enabled keycloak in the values configuration.
+  Core packages are automatically moved to an `admin` subdomain (e.g. prometheus.admin.bigbang.dev).
+  Addons are not accessible and not supported in the same cluster as Keycloak.
+  Keycloak is still in a BETA status.  This means we don't fully recommend it for production workloads quite yet, but will be rolling out support in the near future to move it to STABLE.
+  Specifically, the way that multiple ingressgateways are created and specified within BigBang will make the automatic `admin` creation of core packages obsolete, and will also allow Keycloak to better function alongside other addons.
+{{- end }}

chart/templates/istio/controlplane/values.yaml

@@ -12,4 +12,20 @@ imagePullSecrets:
   - private-registry
 
 openshift: {{ .Values.openshift }}
+
+{{- if .Values.addons.keycloak.enabled }}
+extraServers:
+- port:
+    name: https-keycloak
+    protocol: TLS
+    number: 8443
+  hosts:
+    - keycloak.{{ .Values.hostname }}
+  tls:
+    mode: PASSTHROUGH
+
+gateway:
+  hosts:
+    - "*.admin.{{ .Values.hostname }}"
+{{- end }}
 {{- end -}}

chart/templates/jaeger/values.yaml

@@ -8,6 +8,9 @@ imagePullSecrets:
 hostname: {{ .Values.hostname }}
 istio:
   enabled: {{ .Values.istio.enabled }}
+  jaeger:
+    hosts:
+    - tracing{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
 monitoring:
   enabled: {{ .Values.monitoring.enabled }}
 elasticsearch:

chart/templates/keycloak/gitrepository.yaml

+{{- if and (not .Values.offline) .Values.addons.keycloak.enabled }}
+{{ $name := "keycloak" }}
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ $name }}
+    app.kubernetes.io/component: "security-tools"
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  interval: {{ .Values.flux.interval }}
+  url: {{ .Values.addons.keycloak.git.repo }}
+  ref:
+    {{- include "validRef" .Values.addons.keycloak.git | nindent 4 }}
+  {{- include "gitCreds" . | nindent 2 }}
+{{- end }}
\ No newline at end of file

chart/templates/keycloak/helmrelease.yaml

+{{- $fluxSettingsKeycloak := merge .Values.addons.keycloak.flux .Values.flux -}}
+{{- if .Values.addons.keycloak.enabled }}
+{{ $name := "keycloak" }}
+{{ $component := "security-tools" }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ $name }}
+    app.kubernetes.io/component: {{ $component }}
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  releaseName: {{ $name }}
+  targetNamespace: {{ $name }}
+  chart:
+    spec:
+      chart: {{ .Values.addons.keycloak.git.path }}
+      interval: 5m
+      sourceRef:
+        kind: GitRepository
+        name: {{ $name }}
+        namespace: {{ .Release.Namespace }}
+
+
+  {{- toYaml $fluxSettingsKeycloak | nindent 2 }}
+
+  valuesFrom:
+    - name: {{ .Release.Name }}-{{ $name }}-values
+      kind: Secret
+      valuesKey: "common"
+    - name: {{ .Release.Name }}-{{ $name }}-values
+      kind: Secret
+      valuesKey: "defaults"
+    - name: {{ .Release.Name }}-{{ $name }}-values
+      kind: Secret
+      valuesKey: "overlays"
+
+  {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.monitoring.enabled }}
+  dependsOn:
+  {{- if .Values.gatekeeper.enabled }}
+  - name: gatekeeper
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- if .Values.istio.enabled }}
+  - name: istio
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- if .Values.monitoring.enabled }}
+  - name: monitoring
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/keycloak/imagepullsecret.yaml

+{{- if .Values.addons.keycloak.enabled }}
+{{ $name := "keycloak" }}
+{{ $component := "security-tools" }}
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry
+  namespace: {{ $name }}
+  labels:
+    app.kubernetes.io/name: {{ $name }}
+    app.kubernetes.io/component: {{ $component }}
+    {{- include "commonLabels" . | nindent 4}}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/keycloak/namespace.yaml

+{{- if .Values.addons.keycloak.enabled }}
+{{ $name := "keycloak" }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ $name }}
+  labels:
+    istio-injection: disabled-because-keycloak-hates-istio
+    app.kubernetes.io/name: {{ $name }}
+    app.kubernetes.io/component: "security-tools"
+    {{- include "commonLabels" . | nindent 4}}
+{{- end }}
\ No newline at end of file

chart/templates/keycloak/values.yaml

+{{- if .Values.addons.keycloak.enabled }}
+{{- include "values-secret" (dict "root" $ "package" .Values.addons.keycloak "name" "keycloak" "defaults" (include "bigbang.defaults.keycloak" .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.keycloak" -}}
+replicas: 2
+
+imagePullSecrets:
+- name: private-registry
+
+hostname: {{ .Values.hostname }}
+
+istio:
+  enabled: {{ .Values.istio.enabled }}
+  keycloak:
+    enabled: true
+    hosts:
+      - keycloak.{{ .Values.hostname }}
+
+monitoring:
+  enabled: {{ .Values.monitoring.enabled }}
+serviceMonitor:
+  enabled: {{ .Values.monitoring.enabled }}
+
+{{- if .Values.addons.keycloak.database.host }}
+postgresql:
+  enabled: false
+{{- end }}
+
+{{- if or .Values.addons.keycloak.database.host (and .Values.addons.keycloak.ingress.cert .Values.addons.keycloak.ingress.key) }}
+secrets:
+  {{- if and .Values.addons.keycloak.ingress.cert .Values.addons.keycloak.ingress.key }}
+  certificates:
+    stringData:
+      tls.crt: {{ .Values.addons.keycloak.ingress.cert | quote }}
+      tls.key: {{ .Values.addons.keycloak.ingress.key  | quote }}
+  {{- end }}
+
+  {{- with .Values.addons.keycloak.database }}
+  {{- if .host }}
+  db:
+    stringData:
+      DB_USER: {{ .username | quote }}
+      DB_PASSWORD: {{ .password | quote }}
+      DB_VENDOR: {{ default "postgres" .type }}
+      DB_ADDR: {{ .host }}
+      DB_PORT: {{ .port | quote }}
+      DB_DATABASE: {{ .database }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.addons.keycloak.database.host }}
+extraEnvFrom: |
+  - secretRef:
+      name: 'keycloak-db'
+{{- end }}
+
+{{- end }}
\ No newline at end of file

chart/templates/kiali/values.yaml

@@ -6,6 +6,9 @@
 hostname: {{ .Values.hostname }}
 istio:
   enabled: {{ .Values.istio.enabled }}
+  kiali:
+    hosts:
+      - kiali{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
 monitoring:
   enabled: {{ .Values.monitoring.enabled }}
 elasticsearch:

chart/templates/logging/elasticsearch-kibana/values.yaml

@@ -6,6 +6,9 @@
 hostname: {{ .Values.hostname }}
 istio:
   enabled: {{ .Values.istio.enabled }}
+  kibana:
+    hosts:
+      - kibana{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
 
 {{- with .Values.logging.sso }}
 {{- if .enabled }}

chart/templates/monitoring/values.yaml

@@ -10,20 +10,28 @@ flux:
 
 istio:
   enabled: {{ .Values.istio.enabled }}
-  {{- if .Values.monitoring.sso.enabled }}
   prometheus:
     enabled: true
+    {{- if .Values.monitoring.sso.enabled }}
     service: authservice-haproxy-sso
     port: 8080
     namespace: authservice
+    {{- end }}
+    hosts:
+    - prometheus{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
   alertmanager:
     enabled: true
+    {{- if .Values.monitoring.sso.enabled }}
     service: authservice-haproxy-sso
     port: 8080
     namespace: authservice
+    {{- end }}
+    hosts:
+    - alertmanager{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
   grafana:
     enabled: true
-  {{- end }}
+    hosts:
+    - grafana{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
 
 global:
   imagePullSecrets:
@@ -40,7 +48,7 @@ grafana:
   grafana.ini:
     {{- if .Values.istio.enabled }}
     server:
-      root_url: https://grafana.{{ .Values.hostname }}/
+      root_url: https://grafana{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}/
     {{- end }}
 
     auth:

chart/templates/twistlock/values.yaml

@@ -14,4 +14,7 @@ imagePullSecrets:
 
 istio:
   enabled: {{ .Values.istio.enabled }}
+  console:
+    hosts:
+      - twistlock{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
 {{- end -}}

chart/values.yaml

@@ -69,7 +69,7 @@ sso:
 
   # -- OIDC token URL template string (to be used as default)
   token_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"
-    
+
   # -- OIDC auth URL template string (to be used as default)
   auth_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth"
 
@@ -864,3 +864,44 @@ addons:
   #
   # ----------------------------------------------------------------------------------------------------------------------
 
+  # ----------------------------------------------------------------------------------------------------------------------
+  # Keycloak
+  #
+  keycloak:
+    # -- Toggle deployment of Keycloak.
+    enabled: false
+    git:
+      repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git
+      path: "./chart"
+      tag: "11.0.0-bb.0"
+
+    # -- Certificate/Key pair to use as the certificate for exposing Keycloak
+    ingress:
+      key: ""
+      cert: ""
+
+    database:
+      # -- Hostname of a pre-existing database to use for Keycloak.
+      # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
+      host: ""
+
+      # -- Pre-existing database type (e.g. postgres) to use for Keycloak.
+      type: postgres
+
+      # -- Port of a pre-existing database to use for Keycloak.
+      port: 5432
+
+      # -- Database name to connect to on host.
+      database: "" # example: keycloak
+
+      # -- Username to connect as to external database, the user must have all privileges on the database.
+      username: ""
+
+      # -- Database password for the username used to connect to the existing database.
+      password: ""
+
+    # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
+    flux: {}
+
+    # -- Values to passthrough to the keycloak chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git
+    values: {}
\ No newline at end of file

charter/BigBangPackages.md

@@ -320,7 +320,8 @@ Dependencies:
 Owners:
 
 * @megamind
-* @joshwolf
+* @kevin.wilder
+* @michaelmcleroy
 
 Understudy:
 

charter/packages/keycloak/Architecture.md

+# Keycloak
+
+## Overview
+
+[Keycloak](https://www.keycloak.org/) provides open source identity and access management for modern applications and services.  This document will cover the architectural touchpoints for the Big Bang Keycloak package, which has been extended to include customizable registration and group segmentation.
+
+### Keycloak Architecture
+
+```mermaid
+graph LR
+
+  urlkc(Keycloak URL) -->|HTTPS| ig
+  urlpr(Prometheus URL) -->|HTTPS| ig
+
+  subgraph "Keycloak Ingress"
+    ig(Gateway) -->|TLS Passthrough| servkc{{"Service<BR>Keycloak"}}
+    ig(Gateway) -->|HTTP| servpr{{"Service<BR>Prometheus"}}
+  end
+
+  subgraph "Monitoring"
+    servpr --> prom(Prometheus)
+    prom(Prometheus) --> monitor
+    monitor(Service Monitor) --> servkc
+  end
+
+  subgraph "Keycloak Cluster"
+    servkc <--> pod0("Keycloak Pod 0")
+    servkc <--> pod1("Keycloak Pod 1")
+  end
+
+  subgraph "Database"
+    pod0 --> db[(Keycloak DB)]
+    pod1 --> db[(Keycloak DB)]
+  end
+```
+
+## Integration w/ Big Bang
+
+Big Bang's integration with Keycloak requires special considerations and configuration compared to other applications.  This document will help you get it setup correctly.
+
+### Keycloak with Other Apps
+
+Due to the sensitivity of Keycloak, Big Bang does not support deploying KeyCloak and any other add-ons.  But, Keycloak can be deployed with the core Big Bang applications (e.g. Istio, Monitoring, Logging).  The URL to access these core apps is under the `admin` subdomain to avoid [a problem with overlapping certificates](#certificate-overlap-problem).  For example, in the `bigbang.dev` domain, to access Prometheus, you would go to `https://prometheus.admin.bigbang.dev`.  Keycloak would still be accessed at `https://keycloak.bigbang.dev`.
+
+> The `admin` subdomain is only used when Keycloak is enabled
+
+### Keycloak's Custom Image
+
+The upstream [Keycloak Helm chart](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak) is customized for use in Platform One.  It contains the following modifications from a standard Keycloak deployment:
+
+- DoD Certificate Authorities
+- Customized Platform One registration
+- Customizable Platform One realm, with IL2, IL4, and IL5 isolation (not loaded by default, but [available in the package's git repo](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/blob/main/chart/resources/dev/baby-yoda.json))
+- Redirects for specific keycloak endpoints to work with Platform One deployments
+- A customized image, based on Iron Bank's Keycloak, that adds a plugin to support the above features
+
+### Keycloak Admin password
+
+Big Bang creates a default admin user for logging into the admin console.  To override the default admin credentials in Keycloak, set the following in Big Bang's `values.yaml`:
+
+```yaml
+addons:
+  keycloak:
+    values:
+      secrets:
+        credentials:
+          stringData:
+            adminuser: your_admin_username
+            password: your_admin_password
+```
+
+### Keycloak TLS
+
+To properly configure Keycloak TLS, you must provide Keycloak a certificate in `addons.keycloak.ingress` that does not overlap with any TLS terminated app certificate.  See [the details](#certificate-overlap-problem) for further information on why this is a problem.
+
+In the Big Bang implementation, [core apps use the `admin` subdomain](#keycloak-with-other-apps).  You need two wildcard SAN certificates, one for `*.admin.yourdomain` and one for `*.yourdomain` for this implementation.  The `*.admin.yourdomain` cert goes into `istio.ingress` and the `*.yourdomain` cert goes into `addons.keycloak.ingress`.
+
+In the following example for Big Bang, we provide a certificate for `*.admin.bigbang.dev` to TLS terminated apps and a `*.bigbang.dev` certificate to Keycloak.
+
+```yaml
+hostname: bigbang.dev
+istio:
+  ingress:
+    key: |-
+      <Private Key for *.admin.bigbang.dev>
+    cert: |-
+      <Certificate for *.admin.bigbang.dev>
+addons:
+  keycloak:
+    enabled: true
+    ingress:
+      key: |-
+        <Private key for *.bigbang.dev>
+      cert: |-
+        <Certificate for *.bigbang.dev>
+```
+
+#### Certificate Overlap Problem
+
+> This problem automatically worked around by Big Bang if you have non-overlapping certificates as [recommended above](#keycloak-tls).  Youc an skip this section unless you want the gritty details.
+
+Modern browsers will reuse established TLS connections when the destination's IP and port are the same and the current certificate is valid.  See the [HTTP/2 spec](https://httpwg.org/specs/rfc7540.html#rfc.section.9.1.1) for details.  If our cluster has a single load balancer and listens on port 443 for multiple apps, then the IP address and port for all apps in the cluster will be the same from the browser's point of view.  Normally, this isn't a problem because Big Bang uses TLS termination for all applications.  The encryption occurs between Istio and the browser no matter which hostname you use, so the connection can be reused without problems.
+
+With Keycloak, we need to passthrough TLS rather than terminate it at Istio.  If we have other apps, like Kiali, that are TLS terminated, Istio needs two server entries in its Gateway to passthrough TLS for hosts matching `keycloak.bigbang.dev` and to terminate TLS for other hosts.  If the certificate used for TLS is valid for both Keycloak and other apps (e.g. the cert includes a SAN of `*.bigbang.dev`), then the browser thinks it can reuse connections between the applications (the IP, port, and cert are the same).  If you access a TLS terminated app first (e.g. `kiali.bigbang.dev`), then try to access `keycloak.bigbang.dev`, the browser tries to reuse the connection to the terminated app, resulting in a [data leak](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11767) to the terminated app and a 404 error in the browser.  Istio is [supposed to handle this](https://github.com/istio/istio/issues/13589) situation, but does not.
+
+To workaround this situation, you have to isolate the applications by IP, port, or certificate so the browser will not reuse the connection between them.  You can use external load balancers or different ingress ports to create unique IPs or ports for the applications.  Or you can create non-overlapping certs for the applications.  This does not prevent you from using wildcard certs, since you could have one cert for `*.bigbang.dev` and another for `*.admin.bigbang.dev` that don't overlap.  Alternatively, you can create one cert for `kiali.bigbang.dev` and other TLS terminated apps and another cert for `keycloak.bigbang.dev`.
+
+> All of the core and addon apps are TLS terminated except Keycloak.
+
+## Big Bang Touchpoints
+
+### GUI
+
+Keycloak has two main end point URLs:
+https://keycloak.bigbang.dev for authentication.
+https://keycloak.bigbang.dev/auth/admin for administration.
+
+The `bigbang.dev` domain name can be customized by setting the `hostname` in `values.yaml`
+
+### Database
+
+An external shared database is required for Keycloak operation in production.  It should be setup according to [the Keycloak database configuration documentation](https://www.keycloak.org/docs/latest/server_installation/#_database).
+
+> For development ad test, a Postgres database is provided inside the cluster.  This should **NOT** be used in production.
+
+The following values can be customized in `values.yaml` to connect to your external database:
+
+```yaml
+addons:
+  keycloak:
+    database:
+      host: mydb.mydomain.com
+      type: postgres
+      port: 5432
+      database: keycloak
+      username: kcuser
+      password: p@ssw0rd
+```
+
+### Logging
+
+Logging is automatic for Keycloak when the Logging package is enabled in Big Bang.  Fluentbit captures the logs and ships them to Elastic.
+
+### Monitoring
+
+When the Monitoring package is enabled, Big Bang will turn on Keycloak's production of Prometheus metrics and setup a Service Monitor to scrape those metrics.  By default, metrics for the `datasources` (db), `undertow` (http), and `jgroup` subsystems are enabled.
+
+### Health Checks
+
+Liveness and readiness probes are included in the Keycloak Helm chart for all deployments. The probes check the endpoint at `/auth/realm/master/` on port 8080 of the pods.  This means the probes will still succeed even if you have an invalid certificate loaded into Keycloak.
+
+If you wish to adjust the probes, you can override the values in `values.yaml`:
+
+```yaml
+addons:
+  keycloak:
+    values:
+      livenessProbe: |
+        httpGet:
+          path: /auth/realms/master
+          port: http
+          scheme: HTTP
+        initialDelaySeconds: 120
+        failureThreshold: 15
+        periodSeconds: 15
+      readinessProbe: |
+        httpGet:
+          path: /auth/realms/master
+          port: http
+          scheme: HTTP
+        initialDelaySeconds: 120
+        failureThreshold: 15
+        timeoutSeconds: 2
+```
+
+## Licensing
+
+Keycloak is available under the [Apache License 2.0](https://github.com/keycloak/keycloak/blob/master/LICENSE.txt) for free.
+
+## High Availability
+
+By default Big Bang deploys Keycloak with two replicas in a high availability cluster configuration.  It is already configured to support cache sharing, anti-affinity, failovers, and rolling updates.  If you wish to increase or decrease the number of replicas, you can set the following in `values.yaml`:
+
+```yaml
+addons:
+  keycloak:
+    values:
+      replicas: 2
+```
+
+## Dependent Packages
+
+- PostgreSQL for in-cluster development/test database
+- Istio for ingress
+- (Optional) Monitoring for metrics

docs/airgap/scripts/values.yaml

@@ -114,4 +114,8 @@ addons:
   mattermost:
     enabled: false
     git:
-      repo: ssh://git@host.k3d.internal/home/git/repos/mattermost
\ No newline at end of file
+      repo: ssh://git@host.k3d.internal/home/git/repos/mattermost
+  keycloak:
+    enabled: false
+    git:
+      repo: ssh://git@host.k3d.internal/home/git/repos/keycloak
\ No newline at end of file

scripts/deploy/01_deploy_bigbang.sh

@@ -17,6 +17,11 @@ else
   done
 fi
 
+# if keycloak enabled add ingress passthrough cert to addons.keycloak.ingress
+if [ "$(yq e ".addons.keycloak.enabled" "tests/ci/k3d/values.yaml")" == "true" ]; then
+  yq eval-all 'select(fileIndex == 0) * select(filename == "tests/ci/keycloak-certs/keycloak-passthrough-values.yaml")' $CI_VALUES_FILE tests/ci/keycloak-certs/keycloak-passthrough-values.yaml > tmpfile && mv tmpfile $CI_VALUES_FILE
+fi
+
 # deploy BigBang using dev sized scaling
 echo "Installing BigBang with the following configurations:"
 cat $CI_VALUES_FILE
@@ -27,11 +32,24 @@ helm upgrade -i bigbang chart -n bigbang --create-namespace \
   --set registryCredentials[0].registry=registry1.dso.mil \
   -f ${CI_VALUES_FILE}
 
-# apply secrets kustomization pointing to current branch
-echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
-if [ -z "$CI_COMMIT_TAG" ]; then
-  cat tests/ci/shared-secrets.yaml | sed 's|master|'"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
+# if keycloak is enabled use *.admin.bigbang.dev cert
+# otherwise use *.bigbang.dev
+if [ "$(yq e ".addons.keycloak.enabled" "tests/ci/k3d/values.yaml")" == "true" ]; then
+  # apply secrets kustomization pointing to current branch
+  echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
+  if [ -z "$CI_COMMIT_TAG" ]; then
+    cat tests/ci/keycloak.yaml | sed 's|master|'"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
+  else
+    # NOTE: $CI_COMMIT_REF_NAME = $CI_COMMIT_TAG when running on a tagged build
+    cat tests/ci/keycloak.yaml | sed 's|branch: master|tag: '"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
+  fi
 else
-  # NOTE: $CI_COMMIT_REF_NAME = $CI_COMMIT_TAG when running on a tagged build
-  cat tests/ci/shared-secrets.yaml | sed 's|branch: master|tag: '"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
-fi
\ No newline at end of file
+  # apply secrets kustomization pointing to current branch
+  echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
+  if [ -z "$CI_COMMIT_TAG" ]; then
+    cat tests/ci/shared-secrets.yaml | sed 's|master|'"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
+  else
+    # NOTE: $CI_COMMIT_REF_NAME = $CI_COMMIT_TAG when running on a tagged build
+    cat tests/ci/shared-secrets.yaml | sed 's|branch: master|tag: '"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
+  fi
+fi