From ddd01ed5bc92a0fb4b6966535e0e1c0c03b77d66 Mon Sep 17 00:00:00 2001
From: Robin5605
Date: Fri, 13 Oct 2023 12:01:12 -0500
Subject: [PATCH 1/8] Add keycloak manifests
---
 kubernetes/manifests/keycloak/README.md | 12 ++++++++
 kubernetes/manifests/keycloak/deployment.yaml | 30 +++++++++++++++++++
 kubernetes/manifests/keycloak/ingress.yaml | 20 +++++++++++++
 kubernetes/manifests/keycloak/service.yaml | 13 ++++++++
 4 files changed, 75 insertions(+)
 create mode 100644 kubernetes/manifests/keycloak/README.md
 create mode 100644 kubernetes/manifests/keycloak/deployment.yaml
 create mode 100644 kubernetes/manifests/keycloak/ingress.yaml
 create mode 100644 kubernetes/manifests/keycloak/service.yaml
diff --git a/kubernetes/manifests/keycloak/README.md b/kubernetes/manifests/keycloak/README.md
new file mode 100644
index 0000000..c6ab27e
--- /dev/null
+++ b/kubernetes/manifests/keycloak/README.md
@@ -0,0 +1,12 @@
+# Keycloak
+
+[Keycloak](https://www.keycloak.org/) configuration
+
+## Secrets
+This deployment expects a number of secrets and environment variables to exist in a secret called `keycloak-secrets`.
+
+
+| Environment | Description |
+|-------------------------|------------------------------------|
+| KEYCLOAK_ADMIN | Keycloak Admin Panel Username |
+| KEYCLOAK_PASSWORD | Keycloak Admin Panel Password |
diff --git a/kubernetes/manifests/keycloak/deployment.yaml b/kubernetes/manifests/keycloak/deployment.yaml
new file mode 100644
index 0000000..1aa0b73
--- /dev/null
+++ b/kubernetes/manifests/keycloak/deployment.yaml
@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keycloak
+ labels:
+ app: keycloak
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: keycloak
+ template:
+ metadata:
+ labels:
+ app: keycloak
+ spec:
+ containers:
+ - name: keycloak
+ image: quay.io/keycloak/keycloak:22.0
+ args: ["start-dev"]
+ envFrom:
+ - secretRef:
+ name: keycloak-secrets
+ ports:
+ - name: http
+ containerPort: 8080
+ readinessProbe:
+ httpGet:
+ path: /realms/master
+ port: 8080
diff --git a/kubernetes/manifests/keycloak/ingress.yaml b/kubernetes/manifests/keycloak/ingress.yaml
new file mode 100644
index 0000000..ea16ba1
--- /dev/null
+++ b/kubernetes/manifests/keycloak/ingress.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: keycloak
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - keycloak.vipyrsec.com
+ rules:
+ - host: keycloak.vipyrsec.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: keycloak
+ port:
+ number: 8080
diff --git a/kubernetes/manifests/keycloak/service.yaml b/kubernetes/manifests/keycloak/service.yaml
new file mode 100644
index 0000000..fe784cc
--- /dev/null
+++ b/kubernetes/manifests/keycloak/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: keycloak
+ labels:
+ app: keycloak
+spec:
+ ports:
+ - name: http
+ port: 8080
+ targetPort: 8080
+ selector:
+ app: keycloak
From 3b998659cf56ba41be26017660b2440662188b94 Mon Sep 17 00:00:00 2001
From: Robin5605
Date: Tue, 24 Oct 2023 17:55:14 -0500
Subject: [PATCH 2/8] Document database connection string secret
---
 kubernetes/manifests/keycloak/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/kubernetes/manifests/keycloak/README.md b/kubernetes/manifests/keycloak/README.md
index c6ab27e..40ac477 100644
--- a/kubernetes/manifests/keycloak/README.md
+++ b/kubernetes/manifests/keycloak/README.md
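Review bot: The keycloak container is declared with no `securityContext` and no `resources`, so it is admitted with the cluster defaults (privilege escalation allowed, the image user's full capability set, no seccomp profile, unbounded memory and CPU); the hardened pod spec below keeps the rest of the container unchanged, with the resource figures as placeholders to be sized from observed usage. The image is pinned only to the floating `22.0` tag, so the build that actually runs can change with no manifest diff — a digest pin (`image: quay.io/keycloak/keycloak:22.0@sha256:<digest>`) makes the deployed build reviewable. Separately, the README hunk in this patch documents a `KEYCLOAK_PASSWORD` key in `keycloak-secrets`, while the variable the Keycloak image reads for the initial admin password is `KEYCLOAK_ADMIN_PASSWORD`; if the secret key really is named as documented, no admin user is bootstrapped on first start, which is worth confirming against the secret.
```yaml
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: keycloak
          # … unchanged: image, args, envFrom, ports, readinessProbe …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: "250m"  # placeholder — size from observed usage
              memory: "1Gi"  # placeholder
            limits:
              memory: "1Gi"  # placeholder
```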
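Review bot: The `tls` entry names the host but carries no `secretName`, so ingress-nginx has no certificate to serve for keycloak.vipyrsec.com and falls back to the controller-wide default certificate (its self-signed fake certificate unless the controller was started with a default SSL certificate), which browsers and OIDC clients will typically reject; add `secretName: <tls-secret-name>` under the `tls` entry (placeholder — neither the secret nor a cert-manager issuer annotation is part of this series). The rule forwards `/` as a whole to plain HTTP on 8080, so TLS is terminated here and Keycloak must be told it sits behind a proxy to emit https URLs and see real client addresses, and the admin console under `/admin` shares the same public hostname as the login pages; restricting that path at the ingress or binding the admin console to a separate hostname is worth a decision before this goes live.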
@@ -10,3 +10,4 @@ This deployment expects a number of secrets and environment variables to exist i
 |-------------------------|------------------------------------|
 | KEYCLOAK_ADMIN | Keycloak Admin Panel Username |
 | KEYCLOAK_PASSWORD | Keycloak Admin Panel Password |
+| KC_DB_URL | Keycloak Database Connection URL |
From febc52a895cd7ddd48402224e838219108b42a3e Mon Sep 17 00:00:00 2001
From: Robin5605
Date: Tue, 24 Oct 2023 19:50:37 -0500
Subject: [PATCH 3/8] Add keycloak namespace
---
 kubernetes/manifests/keycloak/deployment.yaml | 1 +
 kubernetes/manifests/keycloak/ingress.yaml | 1 +
 kubernetes/manifests/keycloak/namespace.yaml | 4 ++++
 kubernetes/manifests/keycloak/service.yaml | 1 +
 4 files changed, 7 insertions(+)
 create mode 100644 kubernetes/manifests/keycloak/namespace.yaml
diff --git a/kubernetes/manifests/keycloak/deployment.yaml b/kubernetes/manifests/keycloak/deployment.yaml
index 1aa0b73..a268b9e 100644
--- a/kubernetes/manifests/keycloak/deployment.yaml
+++ b/kubernetes/manifests/keycloak/deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: keycloak
+ namespace: keycloak
 labels:
 app: keycloak
 spec:
diff --git a/kubernetes/manifests/keycloak/ingress.yaml b/kubernetes/manifests/keycloak/ingress.yaml
index ea16ba1..490138c 100644
--- a/kubernetes/manifests/keycloak/ingress.yaml
+++ b/kubernetes/manifests/keycloak/ingress.yaml
@@ -2,6 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: keycloak
+ namespace: keycloak
 spec:
 ingressClassName: nginx
 tls:
diff --git a/kubernetes/manifests/keycloak/namespace.yaml b/kubernetes/manifests/keycloak/namespace.yaml
new file mode 100644
index 0000000..aef1b6d
--- /dev/null
+++ b/kubernetes/manifests/keycloak/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: keycloak
diff --git a/kubernetes/manifests/keycloak/service.yaml b/kubernetes/manifests/keycloak/service.yaml
index fe784cc..bae46af 100644
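Review bot: The new Namespace carries no Pod Security Admission labels, so pods in it are admitted under the cluster default (the `privileged` level unless the admission controller was configured otherwise), and nothing stops a later manifest in this namespace from requesting host namespaces or a privileged container. Labels such as `pod-security.kubernetes.io/enforce: "baseline"` together with `pod-security.kubernetes.io/warn: "restricted"` under `metadata` give an enforced floor plus early warnings; `enforce: "restricted"` would additionally require a securityContext on the Deployment, which this series does not add.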
--- a/kubernetes/manifests/keycloak/service.yaml
+++ b/kubernetes/manifests/keycloak/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 name: keycloak
+ namespace: keycloak
 labels:
 app: keycloak
 spec:
From be81c24037b26500e7a63c34e005f218e56014a1 Mon Sep 17 00:00:00 2001
From: Robin <74519799+Robin5605@users.noreply.github.com>
Date: Tue, 24 Oct 2023 19:52:14 -0500
Subject: [PATCH 4/8] Add keycloak manifest directory to dependabot config
Signed-off-by: Robin <74519799+Robin5605@users.noreply.github.com>
---
 .github/dependabot.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index 8110d15..f2dd63b 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -29,3 +29,8 @@ updates:
 directory: "kubernetes/manifests/dragonfly/mainframe"
 schedule:
 interval: "monthly"
+
+ - package-ecosystem: "docker"
+ directory: "kubernetes/manifests/keycloak"
+ schedule:
+ interval: "monthly"
From 27cd116dfdf5f38bb737554fcee0ca9023d584f1 Mon Sep 17 00:00:00 2001
From: Robin <74519799+Robin5605@users.noreply.github.com>
Date: Tue, 24 Oct 2023 20:35:50 -0500
Subject: [PATCH 5/8] Don't start in development mode
Signed-off-by: Robin <74519799+Robin5605@users.noreply.github.com>
---
 kubernetes/manifests/keycloak/deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubernetes/manifests/keycloak/deployment.yaml b/kubernetes/manifests/keycloak/deployment.yaml
index a268b9e..96a841e 100644
--- a/kubernetes/manifests/keycloak/deployment.yaml
+++ b/kubernetes/manifests/keycloak/deployment.yaml
@@ -18,7 +18,7 @@ spec:
 containers:
 - name: keycloak
 image: quay.io/keycloak/keycloak:22.0
- args: ["start-dev"]
+ args: ["start"]
 envFrom:
 - secretRef:
 name: keycloak-secrets
From 198fa6dad6975a09cb543dd0564c7dcc33040058 Mon Sep 17 00:00:00 2001
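Review bot: With `start` Keycloak runs in production mode, where it refuses to come up without TLS key material unless it is told that a proxy terminates TLS (`KC_PROXY=edge` on this 22.0 image) or HTTP is explicitly enabled, and it also insists on a configured hostname (`KC_HOSTNAME`); none of that is visible in the manifest, so it has to come from the opaque `keycloak-secrets`, and the readiness probe on plain 8080 fails if it does not. The proxy and hostname settings are not secrets, so carrying them as explicit `env` entries here (or in a ConfigMap) would make the production configuration reviewable instead of hidden in the secret. Note also that `start` without `--optimized` re-runs the build step on every pod start, which slows rollouts but is not a correctness problem. The container spec continues outside this hunk.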
From: Robin5605 Date: Tue, 24 Oct 2023 20:52:32 -0500 Subject: [PATCH 6/8] Update README.md --- kubernetes/manifests/keycloak/README.md | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/kubernetes/manifests/keycloak/README.md b/kubernetes/manifests/keycloak/README.md index 40ac477..1b1e453 100644 --- a/kubernetes/manifests/keycloak/README.md +++ b/kubernetes/manifests/keycloak/README.md @@ -5,9 +5,18 @@ ## Secrets This deployment expects a number of secrets and environment variables to exist in a secret called `keycloak-secrets`. +Keycloak hostname configuration documentation: https://www.keycloak.org/server/hostname +Keycloak database configuration documentation: https://www.keycloak.org/server/db#_relevant_options -| Environment | Description | -|-------------------------|------------------------------------| -| KEYCLOAK_ADMIN | Keycloak Admin Panel Username | -| KEYCLOAK_PASSWORD | Keycloak Admin Panel Password | -| KC_DB_URL | Keycloak Database Connection URL | + +| Environment | Description | +|-----------------------------|------------------------------------| +| KEYCLOAK_ADMIN | Keycloak Admin Panel Username | +| KEYCLOAK_PASSWORD | Keycloak Admin Panel Password | +| KC_DB | Keycloak Database (e.g postgres) | +| KC_DB_URL_HOST | Keycloak database host | +| KC_DB_URL_PORT | Keycloak database port | +| KC_DB_USERNAME | Keycloak database username | +| KC_DB_PASSWORD | Keycloak database password | +| KC_DB_URL_DATABASE | Keycloak database name | +| KC_HOSTNAME | Keycloak hostname | From 29f35bc7d9216119533333d7b47ccab4a162921f Mon Sep 17 00:00:00 2001 
From: Robin5605
Date: Thu, 14 Mar 2024 19:15:09 -0500
Subject: [PATCH 7/8] Add ConfigMap with X-Forwarded
Add a ConfigMap that configures Keycloak to parse the X-Forwarded-* headers for getting the origin user's IP address
---
 kubernetes/manifests/keycloak/configmap.yaml | 9 +++++++++
 kubernetes/manifests/keycloak/deployment.yaml | 2 ++
 2 files changed, 11 insertions(+)
 create mode 100644 kubernetes/manifests/keycloak/configmap.yaml
diff --git a/kubernetes/manifests/keycloak/configmap.yaml b/kubernetes/manifests/keycloak/configmap.yaml
new file mode 100644
index 0000000..dd9420f
--- /dev/null
+++ b/kubernetes/manifests/keycloak/configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: keycloak-config
+ namespace: keycloak
+ labels:
+ app: keycloak
+data:
+ KC_PROXY_HEADERS: "xforwarded"
diff --git a/kubernetes/manifests/keycloak/deployment.yaml b/kubernetes/manifests/keycloak/deployment.yaml
index 96a841e..9a9a5a5 100644
--- a/kubernetes/manifests/keycloak/deployment.yaml
+++ b/kubernetes/manifests/keycloak/deployment.yaml
@@ -22,6 +22,8 @@ spec:
 envFrom:
 - secretRef:
 name: keycloak-secrets
+ - configMapRef:
+ name: keycloak-config
 ports:
 - name: http
 containerPort: 8080
From 4074ba7d0a7ed899bcf047fc5956c3a832196697 Mon Sep 17 00:00:00 2001
From: Robin5605
Date: Thu, 14 Mar 2024 19:27:01 -0500
Subject: [PATCH 8/8] Forward client certificates to Keycloak
---
 kubernetes/manifests/keycloak/configmap.yaml | 1 +
 kubernetes/manifests/keycloak/ingress.yaml | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/kubernetes/manifests/keycloak/configmap.yaml b/kubernetes/manifests/keycloak/configmap.yaml
index dd9420f..e1bdfec 100644
--- a/kubernetes/manifests/keycloak/configmap.yaml
+++ b/kubernetes/manifests/keycloak/configmap.yaml
@@ -7,3 +7,4 @@ metadata:
 app: keycloak
 data:
 KC_PROXY_HEADERS: "xforwarded"
+ KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT: "SSL_CLIENT_CERT"
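Review bot: `KC_PROXY_HEADERS: "xforwarded"` makes Keycloak trust `X-Forwarded-For` and `X-Forwarded-Proto` from whoever connects to it, but the Service in this series exposes the pod on port 8080 to the whole cluster, so any workload that can reach it directly can choose the client address that ends up in events, brute-force detection and audit logs; the same reachability caveat applies to the client-certificate header that the next patch forwards (its ConfigMap and ingress hunks). A NetworkPolicy in the keycloak namespace that admits ingress only from the ingress-nginx namespace (plus the database egress Keycloak needs) is the usual mitigation, and a comment on this key, `# trusted only while the pod is reachable solely through the ingress controller (see NetworkPolicy)`, keeps that assumption from being silently invalidated. Also, as far as I recall `proxy-headers` was introduced in Keycloak 24, while the image tag last seen in this series is `22.0`; on an older image the variable is ignored and `KC_PROXY=edge` is the equivalent, and on 24 `proxy-headers` does not enable HTTP by itself, so `KC_HTTP_ENABLED: "true"` is also needed — worth checking which image is actually deployed.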
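Review bot: With two `envFrom` sources, a key present in both is taken from the last source listed, so any value in `keycloak-config` silently overrides a same-named key in `keycloak-secrets`; that is probably the intent (explicit config beats the secret), but a one-line comment on the new entry, `# later envFrom sources win on duplicate keys`, prevents surprises the next time the secret is edited. The container spec continues outside this hunk.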
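Review bot: `KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT` only names the header the nginx certificate-lookup provider reads; nothing in the series selects that provider, which needs `KC_SPI_X509CERT_LOOKUP_PROVIDER: "nginx"`, so as committed the forwarded certificate is never consulted for X.509 authentication. The header ingress-nginx sets when passing the certificate upstream is, as far as I recall, `ssl-client-cert` (URL-encoded PEM), and header-name matching does not equate `_` with `-`, so the value `"SSL_CLIENT_CERT"` would not match it — since `ssl-client-cert` is also the provider's default, this key may be unnecessary once the provider is selected. Once enabled, Keycloak accepts whatever that header carries, so the pod must be unreachable except through the ingress that sets it; a comment such as `# header written by ingress-nginx auth-tls-pass-certificate-to-upstream; provider selected via KC_SPI_X509CERT_LOOKUP_PROVIDER` would document both halves.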
diff --git a/kubernetes/manifests/keycloak/ingress.yaml b/kubernetes/manifests/keycloak/ingress.yaml
index 490138c..2ca1f2b 100644
--- a/kubernetes/manifests/keycloak/ingress.yaml
+++ b/kubernetes/manifests/keycloak/ingress.yaml
@@ -3,6 +3,8 @@ kind: Ingress
 metadata:
 name: keycloak
 namespace: keycloak
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
 spec:
 ingressClassName: nginx
 tls:
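Review bot: `auth-tls-pass-certificate-to-upstream` does nothing on its own: as far as I recall ingress-nginx only applies the auth-tls settings when `nginx.ingress.kubernetes.io/auth-tls-secret` names the CA bundle secret as `<namespace>/<secret>`, so with this annotation alone the handshake never requests a client certificate and nothing reaches Keycloak. Once the secret is set, the default `auth-tls-verify-client` is `on`, which rejects every client that presents no certificate, so `nginx.ingress.kubernetes.io/auth-tls-secret: "keycloak/<ca-secret-name>"` together with `nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional"` is likely what is wanted here (placeholder secret name; `optional` keeps password logins working). When this is wired up the controller overwrites the upstream certificate header for connections it proxies, but Keycloak is also reachable in-cluster on its ClusterIP Service, where that header can be set by any client — the trust placed in the forwarded certificate is only as strong as the network-path restriction around the pod.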