Use an Elastic IPs w/Secondary IP for Keycloak on a single EC2 instance

General MR

Summary

This introduces a new option -a, for provisioning a Secondary public IP to make it much easier to use both a Public and Passthrough Istio Gateway on a single EC2 without having to spin up two instances / use a MetalLB. When this feature is used, an IPv4 Public Address will not be auto-assigned, but instead two Elastic IPs will be attached.

I submitted a request to AWS to get the limit of 20 EIPs bumped to 100 EIPs (which was approved). This should be more than sufficient given that there are usually not more than 5-10 dev instances up at a time, and likely many people will not use/need this all the time.

Any unattached Elastic IPs will be cleaned up on the next run. I thought about doing this doing this as a shutdown script, however that would require an IAM Instance Profile, which is possible but not sure we want to do that.

Relevant logs/screenshots

N/A

docs/assets/configs/example/keycloak-dev-multi-public-ip-values.yaml

+comments: |
+  This example values override file is provided FOR DEVELOPMENT/DEMO/TEST PURPOSES ONLY
+
+domain: bigbang.dev
+
+flux:
+  interval: 1m
+  rollback:
+    cleanupOnFail: false
+
+istio:
+  enabled: true
+  ingressGateways:
+    public-ingressgateway:
+      type: "LoadBalancer"
+    passthrough-ingressgateway:
+      type: "LoadBalancer"
+      kubernetesResourceSpec:
+        service:
+          ports:
+            - port: 15022
+              name: status-port
+              protocol: TCP
+            - port: 81
+              targetPort: 8080
+              name: http2
+              protocol: TCP
+            - port: 444
+              targetPort: 8443
+              name: https
+              protocol: TCP
+
+  gateways:
+    public:
+      ingressGateway: "public-ingressgateway"
+      hosts:
+        - "*.{{ .Values.domain }}"
+    passthrough:
+      ingressGateway: "passthrough-ingressgateway"
+      hosts:
+        - "*.{{ .Values.domain }}"
+      tls:
+        mode: "PASSTHROUGH"
+
+addons:
+  keycloak:
+    enabled: true
+
+    ingress:
+      gateway: "passthrough"
+
+      # For development include the *.bigbang.dev cert from ./chart/ingress-certs.yaml
+      # key: |
+      #   -----BEGIN PRIVATE KEY-----
+      #   INSERT KEY HERE
+      #   -----END PRIVATE KEY-----
+      # cert: |
+      #   -----BEGIN CERTIFICATE-----
+      #   INSERT CERT HERE
+      #   -----END CERTIFICATE-----
+
+    values:
+      replicas: 1
+      command:
+        - "/opt/keycloak/bin/kc.sh"
+      args:
+        # - "start"
+        - "start-dev"
+        - "--import-realm"
+        # import-realm is not recommended for operational environments.
+
+      # https://www.keycloak.org/server/all-config
+      extraEnv: |-
+        - name: KC_HTTPS_CERTIFICATE_FILE
+          value: /opt/keycloak/conf/tls.crt
+        - name: KC_HTTPS_CERTIFICATE_KEY_FILE
+          value: /opt/keycloak/conf/tls.key
+        - name: KC_HTTPS_TRUST_STORE_FILE
+          value: /opt/keycloak/conf/truststore.jks
+        - name: KC_HTTPS_TRUST_STORE_PASSWORD
+          value: password
+        - name: KC_HTTPS_CLIENT_AUTH
+          value: request
+        - name: KC_PROXY
+          value: passthrough
+        - name: KC_HTTP_ENABLED
+          value: "true"
+        - name: KC_HTTP_RELATIVE_PATH
+          value: /auth
+        - name: KC_HOSTNAME
+          value: keycloak.bigbang.dev
+        - name: KC_HOSTNAME_STRICT
+          value: "true"
+        - name: KC_HOSTNAME_STRICT_HTTPS
+          value: "true"
+        - name: KC_LOG_LEVEL
+          value: "org.keycloak.events:DEBUG,org.infinispan:INFO,org.jgroups:INFO"
+        - name: KC_CACHE
+          value: ispn
+        - name: KC_CACHE_STACK
+          value: kubernetes
+
+      secrets:
+        env:
+          stringData:
+            CUSTOM_REGISTRATION_CONFIG: /opt/keycloak/conf/customreg.yaml
+        customreg:
+          stringData:
+            customreg.yaml: '{{ .Files.Get "resources/dev/baby-yoda.yaml" }}'
+        realm:
+          stringData:
+            realm.json: '{{ .Files.Get "resources/dev/baby-yoda.json" }}'
+        truststore:
+          data:
+            truststore.jks: |-
+              {{ .Files.Get "resources/dev/truststore.jks" | b64enc }}
+        quarkusproperties:
+          stringData:
+            quarkus.properties: '{{ .Files.Get "resources/dev/quarkus.properties" }}'
+
+      extraInitContainers: |-
+        - name: plugin
+          image: registry1.dso.mil/ironbank/big-bang/p1-keycloak-plugin:X.X.X
+          imagePullPolicy: Always
+          command:
+          - sh
+          - -c
+          - | 
+            cp /app/p1-keycloak-plugin.jar /init
+            ls -l /init
+          volumeMounts:
+          - name: plugin
+            mountPath: "/init"
+      extraVolumes: |-
+        - name: customreg
+          secret:
+            secretName: {{ include "keycloak.fullname" . }}-customreg
+        - name: realm
+          secret:
+            secretName: {{ include "keycloak.fullname" . }}-realm
+        - name: plugin
+          emptyDir: {}
+        - name: truststore
+          secret:
+            secretName: {{ include "keycloak.fullname" . }}-truststore
+        - name: quarkusproperties
+          secret:
+            secretName: {{ include "keycloak.fullname" . }}-quarkusproperties
+            defaultMode: 0777
+      extraVolumeMounts: |-
+        - name: customreg
+          mountPath: /opt/keycloak/conf/customreg.yaml
+          subPath: customreg.yaml
+          readOnly: true
+        - name: realm
+          mountPath: /opt/keycloak/data/import/realm.json
+          subPath: realm.json
+        - name: plugin
+          mountPath: /opt/keycloak/providers/p1-keycloak-plugin.jar
+          subPath: p1-keycloak-plugin.jar
+        - name: truststore
+          mountPath: /opt/keycloak/conf/truststore.jks
+          subPath: truststore.jks
+        - name: quarkusproperties
+          mountPath: /opt/keycloak/conf/quarkus.properties
+          subPath: quarkus.properties
\ No newline at end of file