meissa/c4k-keycloak
6
0
Fork 0
Code Issues Pull requests Projects Releases 3 Packages Wiki Activity

Compare commits

base: meissa:kc-upgrade-and-integration
Branches Tags
meissa:master
meissa:kc-upgrade-and-integration
meissa:investigate-spec-bug
meissa:refactorings
meissa:map_function
meissa:1.3.1
meissa:1.3.0
meissa:1.2.0
meissa:1.0.1
meissa:0.2.4
meissa:0.2.3
meissa:0.2.2
meissa:0.2.1
meissa:0.2.0
..
compare: meissa:master
Branches Tags
meissa:kc-upgrade-and-integration
meissa:investigate-spec-bug
meissa:master
meissa:refactorings
meissa:map_function
meissa:1.3.1
meissa:1.3.0
meissa:1.2.0
meissa:1.0.1
meissa:0.2.4
meissa:0.2.3
meissa:0.2.2
meissa:0.2.1
meissa:0.2.0

No commits in common. "kc-upgrade-and-integration" and "master" have entirely different histories.
kc-upgrade ... master

7 changed files with 134 additions and 135 deletions
Show stats Expand all files Collapse all files

28
doc/IntegrationNotes.md
View file

@ -1,28 +0,0 @@
- ## Outline - Keycloak&Forgejo integration
- ### Forgejo-Seite
- Forgejo Test mit v8.0 hochziehen
- ### Config
- https://s3lph.me/ldap-to-oidc-migration-1-forgejo.html
- OpenID Connect Auto Discovery URL finden
- https://keycloak.discourse.group/t/changes-in-oidc-token-endpoints/18024/3
- `https://<full server dns name>/realms/<realm_name>`
- macht aber eine Zertifikatsprüfung -> tut nur mit prod zert
- key von keycloak eintragen
- forgejo-test user anlegen
- oidc auth source festlegen
- ## Keycloak-Seite
- Keycloak mit c4k/keycloak kc-upgrade-and-integration Branch hochziehen
- Admin login über keycloak.test.meissa.de/realms/master/account/
- [Getting started with kubernetes](https://www.keycloak.org/getting-started/getting-started-kube)
- Achtung URL für Userlogin ist <hostname>/realms/<realmname>/account
- Achtung: Pro realm angelegte user können sich auch nur pro realm einloggen
- Im master realm: https://keycloak.test.meissa.de/realms/master/account:
- Meissa realm anlegen
- "Forgejotest" user anlegen
- Forgejo-client anlegen
- Root url ist schema + hostname
- Client secret anlegen
- Schalter bei Client Authentication umlegen
- Capability config
- https://stackoverflow.com/questions/44752273/do-keycloak-clients-have-a-client-secret/69726692#69726692
- Keys anlegen und public key bei forgejo eintragen

9
src/main/cljc/dda/c4k_keycloak/core.cljc
View file

@ -19,9 +19,7 @@
:postgres-size :2gb :postgres-size :2gb
:db-name "keycloak" :db-name "keycloak"
:pv-storage-size-gb 30 :pv-storage-size-gb 30
:pvc-storage-class-name default-storage-class :pvc-storage-class-name default-storage-class})
:max-rate 100
:max-concurrent-requests 50})
(def config? (s/keys :req-un [::kc/fqdn] (def config? (s/keys :req-un [::kc/fqdn]
:opt-un [::kc/issuer :opt-un [::kc/issuer
@ -40,10 +38,9 @@
(cm/concat-vec (cm/concat-vec
(ns/generate config) (ns/generate config)
(postgres/generate-config config) (postgres/generate-config config)
[(kc/generate-configmap config) [(kc/generate-service config)
(kc/generate-service config)
(kc/generate-deployment config)] (kc/generate-deployment config)]
(kc/generate-ratelimit-ingress config) (kc/generate-ingress config)
(when (contains? config :mon-cfg) (when (contains? config :mon-cfg)
(mon/generate-config)))))) (mon/generate-config))))))

40
src/main/cljc/dda/c4k_keycloak/keycloak.cljc
View file

@ -11,18 +11,14 @@
[dda.c4k-common.predicate :as cp])) [dda.c4k-common.predicate :as cp]))
(s/def ::fqdn cp/fqdn-string?) (s/def ::fqdn cp/fqdn-string?)
(s/def ::issuer cp/letsencrypt-issuer?)
(s/def ::namespace string?) (s/def ::namespace string?)
(s/def ::max-rate int?) (s/def ::issuer cp/letsencrypt-issuer?)
(s/def ::max-concurrent-requests int?)
(s/def ::keycloak-admin-user cp/bash-env-string?) (s/def ::keycloak-admin-user cp/bash-env-string?)
(s/def ::keycloak-admin-password cp/bash-env-string?) (s/def ::keycloak-admin-password cp/bash-env-string?)
(def config? (s/keys :req-un [::fqdn] (def config? (s/keys :req-un [::fqdn]
:opt-un [::issuer :opt-un [::issuer
::namespace ::namespace]))
::max-rate
::max-concurrent-requests]))
(def auth? (s/keys :req-un [::keycloak-admin-user (def auth? (s/keys :req-un [::keycloak-admin-user
::keycloak-admin-password])) ::keycloak-admin-password]))
@ -31,38 +27,25 @@
(defmethod yaml/load-resource :keycloak [resource-name] (defmethod yaml/load-resource :keycloak [resource-name]
(get (inline-resources "keycloak") resource-name))) (get (inline-resources "keycloak") resource-name)))
(defn-spec generate-ratelimit-ingress seq? (defn-spec generate-ingress cp/map-or-seq?
[config config?] [config config?]
(let [{:keys [fqdn max-rate max-concurrent-requests namespace]} config] (ing/generate-ingress-and-cert
(ing/generate-simple-ingress (merge (merge
{:service-name "keycloak" {:service-name "keycloak"
:service-port 80 :service-port 80
:fqdns [fqdn] :fqdns [(:fqdn config)]}
:average-rate max-rate config)))
:burst-rate max-concurrent-requests
:namespace namespace}
config))))
(defn-spec generate-secret cp/map-or-seq? (defn-spec generate-secret cp/map-or-seq?
[config config? [config config?
auth auth?] auth auth?]
(let [{:keys [namespace]} config (let [{:keys [namespace]} config
{:keys [keycloak-admin-user keycloak-admin-password postgres-db-user postgres-db-password]} auth] {:keys [keycloak-admin-user keycloak-admin-password]} auth]
(-> (->
(yaml/load-as-edn "keycloak/secret.yaml") (yaml/load-as-edn "keycloak/secret.yaml")
(cm/replace-all-matching "NAMESPACE" namespace) (cm/replace-all-matching "NAMESPACE" namespace)
(cm/replace-all-matching "DBUSER" (b64/encode postgres-db-user)) (cm/replace-key-value :keycloak-user (b64/encode keycloak-admin-user))
(cm/replace-all-matching "DBPW" (b64/encode postgres-db-password)) (cm/replace-key-value :keycloak-password (b64/encode keycloak-admin-password)))))
(cm/replace-all-matching "ADMIN_USER" (b64/encode keycloak-admin-user))
(cm/replace-all-matching "ADMIN_PASS" (b64/encode keycloak-admin-password)))))
(defn-spec generate-configmap cp/map-or-seq?
[config config?]
(let [{:keys [namespace fqdn]} config]
(->
(yaml/load-as-edn "keycloak/configmap.yaml")
(cm/replace-all-matching "NAMESPACE" namespace)
(cm/replace-all-matching "FQDN" fqdn))))
(defn-spec generate-service cp/map-or-seq? (defn-spec generate-service cp/map-or-seq?
[config config?] [config config?]
@ -76,5 +59,6 @@
(let [{:keys [fqdn namespace]} config] (let [{:keys [fqdn namespace]} config]
(-> (->
(yaml/load-as-edn "keycloak/deployment.yaml") (yaml/load-as-edn "keycloak/deployment.yaml")
(cm/replace-all-matching "NAMESPACE" namespace)))) (cm/replace-all-matching "NAMESPACE" namespace)
(cm/replace-all-matching "FQDN" fqdn))))

22
src/main/resources/keycloak/configmap.yaml
View file

@ -1,22 +0,0 @@
# Hostname config:
# https://www.keycloak.org/server/hostname#_exposing_the_administration_console_on_a_separate_hostname
apiVersion: v1
kind: ConfigMap
metadata:
name: keycloak-env
namespace: NAMESPACE
data:
KC_HTTPS_CERTIFICATE_FILE: /etc/certs/tls.crt
KC_HTTPS_CERTIFICATE_KEY_FILE: /etc/certs/tls.key
# We trust our traefik to properly set headers
# see: https://www.keycloak.org/server/reverseproxy & https://www.keycloak.org/server/hostname
# and: https://doc.traefik.io/traefik/getting-started/faq/#what-are-the-forwarded-headers-when-proxying-http-requests
KC_HOSTNAME: FQDN
KC_PROXY_HEADERS: xforwarded
KC_DB: postgres
KC_DB_URL_HOST: postgresql-service
KC_DB_URL_PORT: "5432"
# We need to enable http, as we are behind an ingress
KC_HTTP_ENABLED: "true"
# TODO Maybe also enable load shedding
# KC_HTTP_MAX_QUEUED_REQUESTS: 2000

48
src/main/resources/keycloak/deployment.yaml
View file

@ -15,10 +15,9 @@ spec:
labels: labels:
app: keycloak app: keycloak
spec: spec:
# TODO: Add Resource allocations
containers: containers:
- name: keycloak - name: keycloak
image: quay.io/keycloak/keycloak:25.0.4 image: quay.io/keycloak/keycloak:20.0.3
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
args: args:
- start - start
@ -26,13 +25,48 @@ spec:
- name: keycloak-cert - name: keycloak-cert
mountPath: /etc/certs mountPath: /etc/certs
readOnly: true readOnly: true
envFrom: env:
- configMapRef: - name: KC_HTTPS_CERTIFICATE_FILE
name: keycloak-env value: /etc/certs/tls.crt
- secretRef: - name: KC_HTTPS_CERTIFICATE_KEY_FILE
value: /etc/certs/tls.key
- name: KC_HOSTNAME
value: FQDN
- name: KC_PROXY
value: edge
- name: DB_VENDOR
value: POSTGRES
- name: DB_ADDR
value: postgresql-service
- name: DB_SCHEMA
value: public
- name: DB_DATABASE
valueFrom:
configMapKeyRef:
name: postgres-config
key: postgres-db
- name: DB_USER
valueFrom:
secretKeyRef:
name: postgres-secret
key: postgres-user
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-secret
key: postgres-password
- name: KEYCLOAK_ADMIN
valueFrom:
secretKeyRef:
name: keycloak-secret name: keycloak-secret
key: keycloak-user
- name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-secret
key: keycloak-password
ports: ports:
- name: keycloak - name: http
containerPort: 8080 containerPort: 8080
volumes: volumes:
- name: keycloak-cert - name: keycloak-cert

6
src/main/resources/keycloak/secret.yaml
View file

@ -5,7 +5,5 @@ metadata:
namespace: NAMESPACE namespace: NAMESPACE
type: Opaque type: Opaque
data: data:
KC_DB_USERNAME: DBUSER keycloak-user: admin
KC_DB_PASSWORD: DBPW keycloak-password: admin
KEYCLOAK_ADMIN: ADMIN_USER
KEYCLOAK_ADMIN_PASSWORD: ADMIN_PASS

86
src/test/cljc/dda/c4k_keycloak/keycloak_test.cljc
View file

@ -13,30 +13,66 @@
:metadata {:name "keycloak-secret", :namespace "keycloak"} :metadata {:name "keycloak-secret", :namespace "keycloak"}
:type "Opaque" :type "Opaque"
:data :data
{:KC_DB_USERNAME "a2V5Y2xvYWs=" {:keycloak-user "dXNlcg=="
:KC_DB_PASSWORD "ZGItcGFzc3dvcmQ=" :keycloak-password "cGFzc3dvcmQ="}}
:KEYCLOAK_ADMIN "dXNlcg==" (cut/generate-secret {:namespace "keycloak" :fqdn "test.de"} {:keycloak-admin-user "user" :keycloak-admin-password "password"}))))
:KEYCLOAK_ADMIN_PASSWORD "cGFzc3dvcmQ="}}
(cut/generate-secret {:namespace "keycloak" :fqdn "test.de"}
{:keycloak-admin-user "user" :keycloak-admin-password "password"
:postgres-db-user "keycloak"
:postgres-db-password "db-password"}))))
(deftest should-generate-configmap
(is (= {:apiVersion "v1",
:kind "ConfigMap",
:metadata {:name "keycloak-env", :namespace "keycloak"},
:data
{:KC_HTTPS_CERTIFICATE_FILE "/etc/certs/tls.crt",
:KC_HTTPS_CERTIFICATE_KEY_FILE "/etc/certs/tls.key",
:KC_HOSTNAME "test.de" ,
:KC_PROXY_HEADERS "xforwarded" ,
:KC_DB "postgres",
:KC_DB_URL_HOST "postgresql-service",
:KC_DB_URL_PORT "5432",
:KC_HTTP_ENABLED "true"}}
(cut/generate-configmap {:namespace "keycloak" :fqdn "test.de"}))))
(deftest should-generate-deployment (deftest should-generate-deployment
(is (= {:name "keycloak", :namespace "keycloak", :labels {:app "keycloak"}} (is (= {:apiVersion "apps/v1",
(:metadata (cut/generate-deployment {:fqdn "example.com" :namespace "keycloak"}))))) :kind "Deployment",
:metadata
{:name "keycloak", :namespace "keycloak", :labels {:app "keycloak"}},
:spec
{:replicas 1,
:selector {:matchLabels {:app "keycloak"}},
:template
{:metadata {:labels {:app "keycloak"}},
:spec
{:containers
[{:name "keycloak",
:image "quay.io/keycloak/keycloak:20.0.3",
:imagePullPolicy "IfNotPresent",
:args ["start"],
:volumeMounts
[{:name "keycloak-cert",
:mountPath "/etc/certs",
:readOnly true}],
:env
[{:name "KC_HTTPS_CERTIFICATE_FILE",
:value "/etc/certs/tls.crt"}
{:name "KC_HTTPS_CERTIFICATE_KEY_FILE",
:value "/etc/certs/tls.key"}
{:name "KC_HOSTNAME", :value "test.de"}
{:name "KC_PROXY", :value "edge"}
{:name "DB_VENDOR", :value "POSTGRES"}
{:name "DB_ADDR", :value "postgresql-service"}
{:name "DB_SCHEMA", :value "public"}
{:name "DB_DATABASE",
:valueFrom
{:configMapKeyRef
{:name "postgres-config", :key "postgres-db"}}}
{:name "DB_USER",
:valueFrom
{:secretKeyRef
{:name "postgres-secret", :key "postgres-user"}}}
{:name "DB_PASSWORD",
:valueFrom
{:secretKeyRef
{:name "postgres-secret", :key "postgres-password"}}}
{:name "KEYCLOAK_ADMIN",
:valueFrom
{:secretKeyRef
{:name "keycloak-secret", :key "keycloak-user"}}}
{:name "KEYCLOAK_ADMIN_PASSWORD",
:valueFrom
{:secretKeyRef
{:name "keycloak-secret", :key "keycloak-password"}}}],
:ports [{:name "http", :containerPort 8080}]}],
:volumes
[{:name "keycloak-cert",
:secret
{:secretName "keycloak",
:items
[{:key "tls.crt", :path "tls.crt"}
{:key "tls.key", :path "tls.key"}]}}]}}}}
(cut/generate-deployment {:fqdn "test.de" :namespace "keycloak"}))))