[Skip-CI] Add initial integration notes

doc/IntegrationNotes.md

@@ -0,0 +1,28 @@
+- ## Outline - Keycloak&Forgejo integration
+	- ### Forgejo-Seite
+		- Forgejo Test mit v8.0 hochziehen
+		- ### Config
+			- https://s3lph.me/ldap-to-oidc-migration-1-forgejo.html
+			- OpenID Connect Auto Discovery URL finden
+				- https://keycloak.discourse.group/t/changes-in-oidc-token-endpoints/18024/3
+					- `https://<full server dns name>/realms/<realm_name>`
+					- macht aber eine Zertifikatsprüfung -> tut nur mit prod zert
+				- key von keycloak eintragen
+			- forgejo-test user anlegen
+				- oidc auth source festlegen
+	- ## Keycloak-Seite
+        - Keycloak mit c4k/keycloak kc-upgrade-and-integration Branch hochziehen
+		- Admin login über keycloak.test.meissa.de/realms/master/account/
+		- [Getting started with kubernetes](https://www.keycloak.org/getting-started/getting-started-kube)
+			- Achtung URL für Userlogin ist <hostname>/realms/<realmname>/account
+		- Achtung: Pro realm angelegte user können sich auch nur pro realm einloggen
+		- Im master realm: https://keycloak.test.meissa.de/realms/master/account:
+			- Meissa realm anlegen
+			- "Forgejotest" user anlegen
+			- Forgejo-client anlegen
+				- Root url ist schema + hostname
+				- Client secret anlegen
+                    - Schalter bei Client Authentication umlegen
+					- Capability config
+						- https://stackoverflow.com/questions/44752273/do-keycloak-clients-have-a-client-secret/69726692#69726692
+					- Keys anlegen und public key bei forgejo eintragen

src/main/cljc/dda/c4k_keycloak/core.cljc

@@ -19,7 +19,9 @@
                       :postgres-size :2gb
                       :db-name "keycloak"
                       :pv-storage-size-gb 30
-                      :pvc-storage-class-name default-storage-class})
+                      :pvc-storage-class-name default-storage-class
+                      :max-rate 100
+                      :max-concurrent-requests 50})
 
 (def config? (s/keys :req-un [::kc/fqdn]
                      :opt-un [::kc/issuer
@@ -38,9 +40,10 @@
         (cm/concat-vec
          (ns/generate config)
          (postgres/generate-config config)
-         [(kc/generate-service config)
+         [(kc/generate-configmap config)
+          (kc/generate-service config)
           (kc/generate-deployment config)]
-         (kc/generate-ingress config)
+         (kc/generate-ratelimit-ingress config)
          (when (contains? config :mon-cfg)
            (mon/generate-config))))))
 

src/main/cljc/dda/c4k_keycloak/keycloak.cljc

@@ -1,53 +1,70 @@
 (ns dda.c4k-keycloak.keycloak
- (:require
+  (:require
-  [clojure.spec.alpha :as s]
+   [clojure.spec.alpha :as s]
-  #?(:cljs [dda.c4k-common.macros :refer-macros [inline-resources]])
+   #?(:cljs [dda.c4k-common.macros :refer-macros [inline-resources]])
-  #?(:clj [orchestra.core :refer [defn-spec]]
+   #?(:clj [orchestra.core :refer [defn-spec]]
-     :cljs [orchestra.core :refer-macros [defn-spec]])
+      :cljs [orchestra.core :refer-macros [defn-spec]])
-  [dda.c4k-common.yaml :as yaml]
+   [dda.c4k-common.yaml :as yaml]
-  [dda.c4k-common.common :as cm]
+   [dda.c4k-common.common :as cm]
-  [dda.c4k-common.base64 :as b64]
+   [dda.c4k-common.base64 :as b64]
-  [dda.c4k-common.ingress :as ing]
+   [dda.c4k-common.ingress :as ing]
-  [dda.c4k-common.predicate :as cp]))
+   [dda.c4k-common.predicate :as cp]))
 
 (s/def ::fqdn cp/fqdn-string?)
-(s/def ::namespace string?)
 (s/def ::issuer cp/letsencrypt-issuer?)
+(s/def ::namespace string?)
+(s/def ::max-rate int?)
+(s/def ::max-concurrent-requests int?)
 (s/def ::keycloak-admin-user cp/bash-env-string?)
 (s/def ::keycloak-admin-password cp/bash-env-string?)
 
 (def config? (s/keys :req-un [::fqdn]
                      :opt-un [::issuer
-                              ::namespace]))
+                              ::namespace
+                              ::max-rate
+                              ::max-concurrent-requests]))
 
-(def auth? (s/keys :req-un [::keycloak-admin-user 
+(def auth? (s/keys :req-un [::keycloak-admin-user
                             ::keycloak-admin-password]))
 
 #?(:cljs
    (defmethod yaml/load-resource :keycloak [resource-name]
      (get (inline-resources "keycloak") resource-name)))
 
-(defn-spec generate-ingress cp/map-or-seq?
+(defn-spec generate-ratelimit-ingress seq?
   [config config?]
-  (ing/generate-ingress-and-cert
+  (let [{:keys [fqdn max-rate max-concurrent-requests namespace]} config]
-   (merge
+    (ing/generate-simple-ingress (merge
-    {:service-name "keycloak"
+                                  {:service-name "keycloak"
-     :service-port 80
+                                   :service-port 80
-     :fqdns [(:fqdn config)]}
+                                   :fqdns [fqdn]
-    config)))
+                                   :average-rate max-rate
+                                   :burst-rate max-concurrent-requests
+                                   :namespace namespace}
+                                  config))))
 
 (defn-spec generate-secret cp/map-or-seq?
   [config config?
    auth auth?]
   (let [{:keys [namespace]} config
-        {:keys [keycloak-admin-user keycloak-admin-password]} auth]
+        {:keys [keycloak-admin-user keycloak-admin-password postgres-db-user postgres-db-password]} auth]
     (->
      (yaml/load-as-edn "keycloak/secret.yaml")
      (cm/replace-all-matching "NAMESPACE" namespace)
-     (cm/replace-key-value :keycloak-user (b64/encode keycloak-admin-user))
+     (cm/replace-all-matching "DBUSER" (b64/encode postgres-db-user))
-     (cm/replace-key-value :keycloak-password (b64/encode keycloak-admin-password)))))
+     (cm/replace-all-matching "DBPW" (b64/encode postgres-db-password))
+     (cm/replace-all-matching "ADMIN_USER" (b64/encode keycloak-admin-user))
+     (cm/replace-all-matching "ADMIN_PASS" (b64/encode keycloak-admin-password)))))
 
-(defn-spec generate-service cp/map-or-seq? 
+(defn-spec generate-configmap cp/map-or-seq?
+  [config config?]
+  (let [{:keys [namespace fqdn]} config]
+    (->
+     (yaml/load-as-edn "keycloak/configmap.yaml")
+     (cm/replace-all-matching "NAMESPACE" namespace)
+     (cm/replace-all-matching "FQDN" fqdn))))
+
+(defn-spec generate-service cp/map-or-seq?
   [config config?]
   (let [{:keys [namespace]} config]
     (->
@@ -57,8 +74,7 @@
 (defn-spec generate-deployment cp/map-or-seq?
   [config config?]
   (let [{:keys [fqdn namespace]} config]
-    (-> 
+    (->
      (yaml/load-as-edn "keycloak/deployment.yaml")
-     (cm/replace-all-matching "NAMESPACE" namespace)
+     (cm/replace-all-matching "NAMESPACE" namespace))))
-     (cm/replace-all-matching "FQDN" fqdn))))
   

src/main/resources/keycloak/configmap.yaml

@@ -0,0 +1,22 @@
+# Hostname config:
+# https://www.keycloak.org/server/hostname#_exposing_the_administration_console_on_a_separate_hostname
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: keycloak-env
+  namespace: NAMESPACE
+data:
+  KC_HTTPS_CERTIFICATE_FILE: /etc/certs/tls.crt
+  KC_HTTPS_CERTIFICATE_KEY_FILE: /etc/certs/tls.key
+  # We trust our traefik to properly set headers
+  # see: https://www.keycloak.org/server/reverseproxy & https://www.keycloak.org/server/hostname
+  # and: https://doc.traefik.io/traefik/getting-started/faq/#what-are-the-forwarded-headers-when-proxying-http-requests
+  KC_HOSTNAME: FQDN
+  KC_PROXY_HEADERS: xforwarded
+  KC_DB: postgres
+  KC_DB_URL_HOST: postgresql-service
+  KC_DB_URL_PORT: "5432"
+  # We need to enable http, as we are behind an ingress
+  KC_HTTP_ENABLED: "true"
+  # TODO Maybe also enable load shedding
+  # KC_HTTP_MAX_QUEUED_REQUESTS: 2000

src/main/resources/keycloak/deployment.yaml

@@ -15,9 +15,10 @@ spec:
       labels:
         app: keycloak
     spec:
+      # TODO: Add Resource allocations
       containers:
       - name: keycloak
-        image: quay.io/keycloak/keycloak:20.0.3
+        image: quay.io/keycloak/keycloak:25.0.4
         imagePullPolicy: IfNotPresent
         args:
         - start
@@ -25,48 +26,13 @@ spec:
         - name: keycloak-cert
           mountPath: /etc/certs
           readOnly: true
-        env:
+        envFrom:
-        - name: KC_HTTPS_CERTIFICATE_FILE
+          - configMapRef:
-          value: /etc/certs/tls.crt
+              name: keycloak-env
-        - name: KC_HTTPS_CERTIFICATE_KEY_FILE
+          - secretRef:
-          value: /etc/certs/tls.key
-        - name: KC_HOSTNAME
-          value: FQDN
-        - name: KC_PROXY
-          value: edge         
-        - name: DB_VENDOR
-          value: POSTGRES
-        - name: DB_ADDR
-          value: postgresql-service
-        - name: DB_SCHEMA
-          value: public
-        - name: DB_DATABASE
-          valueFrom:
-            configMapKeyRef:
-              name: postgres-config
-              key: postgres-db
-        - name: DB_USER
-          valueFrom:
-            secretKeyRef:
-              name: postgres-secret
-              key: postgres-user
-        - name: DB_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: postgres-secret
-              key: postgres-password
-        - name: KEYCLOAK_ADMIN
-          valueFrom:
-            secretKeyRef:
               name: keycloak-secret
-              key: keycloak-user
-        - name: KEYCLOAK_ADMIN_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: keycloak-secret
-              key: keycloak-password
         ports:
-        - name: http
+        - name: keycloak
           containerPort: 8080
       volumes:
         - name: keycloak-cert

src/main/resources/keycloak/secret.yaml

@@ -5,5 +5,7 @@ metadata:
   namespace: NAMESPACE
 type: Opaque
 data:
-  keycloak-user: admin
+  KC_DB_USERNAME: DBUSER
-  keycloak-password: admin
+  KC_DB_PASSWORD: DBPW
+  KEYCLOAK_ADMIN: ADMIN_USER
+  KEYCLOAK_ADMIN_PASSWORD: ADMIN_PASS

src/test/cljc/dda/c4k_keycloak/keycloak_test.cljc

@@ -13,66 +13,30 @@
           :metadata {:name "keycloak-secret", :namespace "keycloak"}
           :type "Opaque"
           :data
-          {:keycloak-user "dXNlcg=="
+          {:KC_DB_USERNAME "a2V5Y2xvYWs="
-           :keycloak-password "cGFzc3dvcmQ="}}
+           :KC_DB_PASSWORD "ZGItcGFzc3dvcmQ="
-         (cut/generate-secret {:namespace "keycloak" :fqdn "test.de"} {:keycloak-admin-user "user" :keycloak-admin-password "password"}))))
+           :KEYCLOAK_ADMIN "dXNlcg=="
+           :KEYCLOAK_ADMIN_PASSWORD "cGFzc3dvcmQ="}}
+         (cut/generate-secret {:namespace "keycloak" :fqdn "test.de"} 
+                              {:keycloak-admin-user "user" :keycloak-admin-password "password"
+                               :postgres-db-user "keycloak"
+                               :postgres-db-password "db-password"}))))
+
+(deftest should-generate-configmap
+  (is (= {:apiVersion "v1",
+          :kind "ConfigMap",
+          :metadata {:name "keycloak-env", :namespace "keycloak"},
+          :data
+          {:KC_HTTPS_CERTIFICATE_FILE "/etc/certs/tls.crt",
+           :KC_HTTPS_CERTIFICATE_KEY_FILE "/etc/certs/tls.key",
+           :KC_HOSTNAME "test.de" ,
+           :KC_PROXY_HEADERS "xforwarded" ,
+           :KC_DB "postgres",
+           :KC_DB_URL_HOST "postgresql-service",
+           :KC_DB_URL_PORT "5432",
+           :KC_HTTP_ENABLED "true"}}
+         (cut/generate-configmap {:namespace "keycloak" :fqdn "test.de"}))))
 
 (deftest should-generate-deployment
-  (is (= {:apiVersion "apps/v1",
+  (is (= {:name "keycloak", :namespace "keycloak", :labels {:app "keycloak"}}
-          :kind "Deployment",
+         (:metadata (cut/generate-deployment {:fqdn "example.com" :namespace "keycloak"})))))
-          :metadata
-          {:name "keycloak", :namespace "keycloak", :labels {:app "keycloak"}},
-          :spec
-          {:replicas 1,
-           :selector {:matchLabels {:app "keycloak"}},
-           :template
-           {:metadata {:labels {:app "keycloak"}},
-            :spec
-            {:containers
-             [{:name "keycloak",
-               :image "quay.io/keycloak/keycloak:20.0.3",
-               :imagePullPolicy "IfNotPresent",
-               :args ["start"],
-               :volumeMounts
-               [{:name "keycloak-cert",
-                 :mountPath "/etc/certs",
-                 :readOnly true}],
-               :env
-               [{:name "KC_HTTPS_CERTIFICATE_FILE",
-                 :value "/etc/certs/tls.crt"}
-                {:name "KC_HTTPS_CERTIFICATE_KEY_FILE",
-                 :value "/etc/certs/tls.key"}
-                {:name "KC_HOSTNAME", :value "test.de"}
-                {:name "KC_PROXY", :value "edge"}
-                {:name "DB_VENDOR", :value "POSTGRES"}
-                {:name "DB_ADDR", :value "postgresql-service"}
-                {:name "DB_SCHEMA", :value "public"}
-                {:name "DB_DATABASE",
-                 :valueFrom
-                 {:configMapKeyRef
-                  {:name "postgres-config", :key "postgres-db"}}}
-                {:name "DB_USER",
-                 :valueFrom
-                 {:secretKeyRef
-                  {:name "postgres-secret", :key "postgres-user"}}}
-                {:name "DB_PASSWORD",
-                 :valueFrom
-                 {:secretKeyRef
-                  {:name "postgres-secret", :key "postgres-password"}}}
-                {:name "KEYCLOAK_ADMIN",
-                 :valueFrom
-                 {:secretKeyRef
-                  {:name "keycloak-secret", :key "keycloak-user"}}}
-                {:name "KEYCLOAK_ADMIN_PASSWORD",
-                 :valueFrom
-                 {:secretKeyRef
-                  {:name "keycloak-secret", :key "keycloak-password"}}}],
-               :ports [{:name "http", :containerPort 8080}]}],
-             :volumes
-             [{:name "keycloak-cert",
-               :secret
-               {:secretName "keycloak",
-                :items
-                [{:key "tls.crt", :path "tls.crt"}
-                 {:key "tls.key", :path "tls.key"}]}}]}}}}
-         (cut/generate-deployment {:fqdn "test.de" :namespace "keycloak"}))))