Complete Bb-common Integration
General MR
Summary
- Replaces virtual service, authorization policies, service entries, and peer authentications with bb-common generated resources
- Updated test to use UI navigation instead of cy.visit to improve test stability
Relevant logs/screenshots
Before Bb-common Completion
kubectl get netpol -n keycloak
NAME                                                                        POD-SELECTOR                      AGE
allow-egress-from-any-pod-to-kubeapi                                        <none>                            14m
allow-egress-from-keycloak-to-anywhere-tcp-port-443                         app.kubernetes.io/name=keycloak   14m
allow-egress-from-keycloak-to-ns-tempo-pod-tempo-tcp-port-9411              app.kubernetes.io/name=keycloak   14m
allow-ingress-to-keycloak-from-gateway                                      app.kubernetes.io/name=keycloak   14m
allow-ingress-to-keycloak-tcp-port-9000-from-ns-monitoring-pod-prometheus   app.kubernetes.io/name=keycloak   14m
default-egress-allow-all-in-ns                                              <none>                            14m
default-egress-allow-istiod                                                 <none>                            14m
default-egress-allow-kube-dns                                               <none>                            14m
default-egress-deny-all                                                     <none>                            14m
default-ingress-allow-all-in-ns                                             <none>                            14m
default-ingress-allow-prometheus-to-istio-sidecar                           <none>                            14m
default-ingress-deny-all                                                    <none>                            14m
kubectl get ap -n keycloak
NAME                                                              ACTION   AGE
allow-intranamespace-keycloak                                     ALLOW    14m
allow-postgres-keycloak                                           ALLOW    14m
keycloak-passthrough-ingressgateway-ingressgateway-authz-policy   ALLOW    14m
kubectl get se -n keycloak
NAME                               HOSTS                                            LOCATION        RESOLUTION   AGE
cypress-service-entries-keycloak   ["keycloak.dev.bigbang.mil","repo1.dso.mil"]     MESH_EXTERNAL   DNS          14m
kubectl get pa -n keycloak
NAME                            MODE     AGE
default-keycloak                STRICT   14m
ispn-ha-exception               STRICT   14m
keycloak-postgresql-exception   STRICT   14m
After Bb-common Completion
kubectl get netpol -n keycloak
NAME                                                                                  POD-SELECTOR                      AGE
allow-egress-from-keycloak-to-cidr-15-205-173-153-32-tcp-port-443                     app.kubernetes.io/name=keycloak   2m50s
allow-egress-from-keycloak-to-ns-tempo-pod-tempo-tcp-port-9411                        app.kubernetes.io/name=keycloak   11m
allow-ingress-to-keycloak-8443-from-ns-istio-gateway-pod-passthrough-ingressgateway   app.kubernetes.io/name=keycloak   2m49s
allow-ingress-to-keycloak-tcp-port-9000-from-ns-monitoring-pod-prometheus             app.kubernetes.io/name=keycloak   11m
default-egress-allow-all-in-ns                                                        <none>                            11m
default-egress-allow-istiod                                                           <none>                            11m
default-egress-allow-kube-dns                                                         <none>                            11m
default-egress-deny-all                                                               <none>                            11m
default-ingress-allow-all-in-ns                                                       <none>                            11m
default-ingress-allow-prometheus-to-istio-sidecar                                     <none>                            11m
default-ingress-deny-all                                                              <none>                            11m
Note
Keycloak does not need egress to the KubeAPI, so that policy was removed. The egress policy defined in our test-values.yaml was also narrowed from allowing TCP 443 to anywhere (allow-egress-from-keycloak-to-anywhere-tcp-port-443) to the single /32 the tests actually reach (allow-egress-from-keycloak-to-cidr-15-205-173-153-32-tcp-port-443).
kubectl get ap -n keycloak
NAME                                                                                                             ACTION   AGE
allow-ingress-to-keycloak-tcp-port-9000-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus   ALLOW    2m53s
default-authz-allow-all-in-ns                                                                                    ALLOW    2m53s
default-authz-allow-nothing                                                                                               2m53s
keycloak-passthrough-ingressgateway-authz-policy                                                                 ALLOW    2m53s
kubectl get se -n keycloak
NAME                HOSTS                         LOCATION        RESOLUTION   AGE
bb-tests-external   ["repo1.dso.mil"]             MESH_EXTERNAL   DNS          2m57s
keycloak-internal   ["keycloak.dev.bigbang.mil"]  MESH_EXTERNAL   DNS          2m57s
kubectl get pa -n keycloak
NAME                MODE     AGE
default-peer-auth   STRICT   3m2s
ispn-ha-exception   STRICT   12m
kubectl get vs -n keycloak
NAME       GATEWAYS                                        HOSTS                          AGE
keycloak   ["istio-gateway/passthrough-ingressgateway"]    ["keycloak.dev.bigbang.mil"]   12m
Linked Issue
Upgrade Notices
Keycloak is now leveraging our bb-common integration for network policies and all istio-related resources. Please refer to this blog post for additional information on the integration.
As part of the integration, two new package-level definitions have been created with their defaults shown below:

smtp-subnets:
  to:
    - ipBlock:
        cidr: 192.168.0.0/16
    - ipBlock:
        cidr: 172.16.0.0/12
    - ipBlock:
        cidr: 10.0.0.0/8
  ports:
    - port: 587
      protocol: TCP
ldap-subnets:
  to:
    - ipBlock:
        cidr: 192.168.0.0/16
    - ipBlock:
        cidr: 172.16.0.0/12
    - ipBlock:
        cidr: 10.0.0.0/8
  ports:
    - port: 636
      protocol: TCP
These definitions allow egress from Keycloak to any address in the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) on the TLS port of each protocol only: TCP 636 for LDAPS and TCP 587 for SMTP submission. Note that 587 is a STARTTLS port, so the network policy alone does not guarantee the SMTP session is encrypted; that still depends on the TLS settings in the realm's SMTP configuration. The CIDRs and ports can be narrowed to the specific LDAP or mail servers a given environment uses. Both definitions are disabled by default and can be enabled with the following in your values file:

from:
  keycloak:
    to:
      definition:
        ldap-subnets: true
        smtp-subnets: true
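As an added check (example code written for this page, not part of the Keycloak package or bb-common), the following Python script audits the NetworkPolicy objects that `kubectl get netpol -n keycloak -o json` returns and flags any Keycloak egress that reaches outside the RFC 1918 ranges or the expected ports. It is the quick way to confirm that an enabled or locally modified definition did not end up wide open, the same mistake the KubeAPI/anywhere-443 cleanup above corrected. The policy names and JSON embedded in it are constructed samples modelled on the listings above, not captured cluster output; it uses only the standard library so it runs offline.

```python
"""Audit NetworkPolicy egress scope from `kubectl get netpol -o json` output.

Flags egress ipBlock rules whose CIDR is not inside an allowed range, or whose
port is not one of the expected ports (or is unrestricted). Standard library only.
"""
import ipaddress
import json

# Destination ranges the ldap-subnets / smtp-subnets definitions are meant to cover.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _egress_blocks(policy):
    """Yield (cidr, port, protocol) for every ipBlock peer in every egress rule."""
    for rule in policy.get("spec", {}).get("egress") or []:
        # A rule with no ports entry allows every port to its peers.
        ports = rule.get("ports") or [{"port": None, "protocol": "TCP"}]
        for peer in rule.get("to") or []:
            block = peer.get("ipBlock")
            if block is None:
                continue  # pod/namespace selector peers are not CIDR egress
            for p in ports:
                yield block["cidr"], p.get("port"), p.get("protocol", "TCP")


def egress_violations(policy, allowed_nets=PRIVATE_NETS, allowed_ports=(636, 587)):
    """Return a list of findings; empty means the policy stays within scope."""
    name = policy["metadata"]["name"]
    findings = []
    for cidr, port, proto in _egress_blocks(policy):
        net = ipaddress.ip_network(cidr, strict=False)
        inside = any(net.subnet_of(a) for a in allowed_nets if a.version == net.version)
        if not inside:
            findings.append(f"{name}: egress to {cidr} is outside the allowed ranges")
        if port is None:
            findings.append(f"{name}: egress to {cidr} allows every {proto} port")
        elif port not in allowed_ports:
            findings.append(f"{name}: egress to {cidr} on {proto}/{port} is not an expected port")
    return findings


def audit_list(netpol_list_json, allowed_nets=PRIVATE_NETS, allowed_ports=(636, 587)):
    """Audit a NetworkPolicyList JSON document and return all findings."""
    data = json.loads(netpol_list_json)
    findings = []
    for item in data.get("items", []):
        findings.extend(egress_violations(item, allowed_nets, allowed_ports))
    return findings


# Constructed sample: one policy shaped like the ldap-subnets definition, and one
# shaped like the old "anywhere on 443" policy. Names are illustrative only.
SAMPLE_NETPOLS = json.dumps({
    "kind": "NetworkPolicyList",
    "items": [
        {
            "metadata": {"name": "allow-egress-from-keycloak-to-ldap-subnets-tcp-port-636"},
            "spec": {
                "podSelector": {"matchLabels": {"app.kubernetes.io/name": "keycloak"}},
                "policyTypes": ["Egress"],
                "egress": [{
                    "to": [{"ipBlock": {"cidr": "192.168.0.0/16"}},
                           {"ipBlock": {"cidr": "172.16.0.0/12"}},
                           {"ipBlock": {"cidr": "10.0.0.0/8"}}],
                    "ports": [{"port": 636, "protocol": "TCP"}],
                }],
            },
        },
        {
            "metadata": {"name": "allow-egress-from-keycloak-to-anywhere-tcp-port-443"},
            "spec": {
                "podSelector": {"matchLabels": {"app.kubernetes.io/name": "keycloak"}},
                "policyTypes": ["Egress"],
                "egress": [{
                    "to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
                    "ports": [{"port": 443, "protocol": "TCP"}],
                }],
            },
        },
    ],
})


if __name__ == "__main__":
    # In a cluster: kubectl get netpol -n keycloak -o json | python3 audit_netpol.py
    for line in audit_list(SAMPLE_NETPOLS):
        print(line)
```

Pipe real output in place of the sample and pass the exact server CIDRs as `allowed_nets` once a definition has been narrowed, so the audit also catches a definition that was edited to a broader range than intended.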
Umbrella Branch
keycloak-bb-common
