Deploy Keycloak as an OAuth provider

acs-service-setup/lib/service-setup.js

@@ -10,6 +10,7 @@ import { DumpLoader }           from "./dumps.js";
 import { fixups }               from "./fixups.js";
 import { setup_git_repos }      from "./git-repos.js";
 import { setup_local_uuids }    from "./local-uuids.js";
+import { create_openid_realm }  from "./openid-realm.js";
 
 export class ServiceSetup {
     constructor (opts) {
@@ -58,6 +59,9 @@ export class ServiceSetup {
         this.log("Migrating legacy Auth groups");
         await migrate_auth_groups(this);
 
+        this.log("Creating OpenID realm");
+        await create_openid_realm(this);
+
         this.log("Finished setup");
     }
 }

deploy/crds/local-secret.yaml

@@ -0,0 +1,51 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: localsecrets.factoryplus.app.amrc.co.uk
+spec:
+  group: factoryplus.app.amrc.co.uk
+  names:
+    kind: LocalSecret
+    plural: localsecrets
+    categories:
+      - all
+  scope: Namespaced
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      additionalPrinterColumns:
+        - name: Secret
+          jsonPath: ".spec.secret"
+          type: string
+        - name: Key
+          jsonPath: ".spec.key"
+          type: string
+        - name: Format
+          jsonPath: ".spec.format"
+          type: string
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: [spec]
+          properties:
+            spec:
+              type: object
+              required: [secret, key, format]
+              properties:
+                secret:
+                  description: The name of the Secret to edit.
+                  type: string
+                key:
+                  description: The key to create within the Secret.
+                  type: string
+                format:
+                  description: >
+                    The format of the secret value. Currently must be Password.
+                  type: string
+                  enum: [Password]
+            status:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+      subresources:
+        status: {}

deploy/templates/grafana/grafana-admin-user.yaml

@@ -1,17 +1,11 @@
 {{ if .Values.grafana.enabled }}
-{{- if not (lookup "v1" "Secret" .Release.Namespace "grafana-admin-user") }}
-
 apiVersion: v1
 kind: Secret
 metadata:
   name: "grafana-admin-user"
   namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/resource-policy": "keep"
 type: Opaque
-data:
-  admin-user: {{ (printf "admin@%s" (.Values.identity.realm | required "values.identity.realm is required!") | b64enc) | quote }}
-  admin-password: {{ (printf "" | b64enc) | quote }}
-
-{{- end }}
+stringData:
+  admin-user: "_bootstrap"
+  admin-password: {{ randAlphaNum 20 | quote }}
 {{- end -}}

deploy/templates/grafana/grafana-ingress.yaml

@@ -10,8 +10,6 @@ spec:
   routes:
     - match: Host(`grafana.{{.Values.acs.baseUrl | required "values.acs.baseUrl is required"}}`)
       kind: Rule
-      middlewares:
-        - name: basic-auth
       services:
         - name: acs-grafana
           port: 80

deploy/templates/grafana/grafana-ini.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: acs-grafana-config
+data:
+  auth_url: {{ .Values.acs.secure | ternary "https://" "http://" }}openid.{{.Values.acs.baseUrl}}/realms/factory_plus/protocol/openid-connect/auth
+  token_url: {{ .Values.acs.secure | ternary "https://" "http://" }}openid.{{.Values.acs.baseUrl}}/realms/factory_plus/protocol/openid-connect/token
+  api_url: {{ .Values.acs.secure | ternary "https://" "http://" }}openid.{{.Values.acs.baseUrl}}/realms/factory_plus/protocol/openid-connect/userinfo
+  root_url: {{ .Values.acs.secure | ternary "https://" "http://" }}grafana.{{.Values.acs.baseUrl}}
+  signout_redirect_url: {{ .Values.acs.secure | ternary "https://" "http://" }}openid.{{.Values.acs.baseUrl}}/realms/factory_plus/protocol/openid-connect/logout?post_logout_redirect_uri={{ .Values.acs.secure | ternary "https://" "http://" }}grafana.{{.Values.acs.baseUrl}}&client_id=grafana

deploy/templates/hooks/post-delete.yaml

@@ -18,6 +18,7 @@ spec:
             - |
               echo "Starting cleanup..."
               for i in $(kubectl -n {{ .Release.Namespace }} get kerberos-keys -o name); do kubectl -n {{ .Release.Namespace }} patch $i --type=json -p='[{"op": "remove", "path": "/metadata/finalizers"}]'; done
+              for i in $(kubectl -n {{ .Release.Namespace }} get localsecrets -o name); do kubectl -n {{ .Release.Namespace }} patch $i --type=json -p='[{"op": "remove", "path": "/metadata/finalizers"}]'; done
               echo "Cleanup complete!"
       restartPolicy: Never
   backoffLimit: 3
@@ -45,7 +46,7 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation
 rules:
   - apiGroups: [ "factoryplus.app.amrc.co.uk" ]
-    resources: [ "kerberos-keys" ]
+    resources: [ "kerberos-keys", "localsecrets" ]
     verbs: [ "get", "list", "patch" ] # Specify only necessary actions
 
 ---

deploy/templates/identity/rbac.yaml

@@ -13,10 +13,10 @@ metadata:
   name: krb-keys-operator
 rules:
   -   apiGroups: [factoryplus.app.amrc.co.uk]
-      resources: [kerberos-keys]
+      resources: [kerberos-keys, localsecrets]
       verbs: [list, get, watch, patch]
   -   apiGroups: [factoryplus.app.amrc.co.uk]
-      resources: [kerberos-keys/status]
+      resources: [kerberos-keys/status, localsecrets/status]
       verbs: [list, get, create, update, delete, watch, patch]
   -   apiGroups: [""]
       resources: [secrets]

deploy/templates/mqtt/mqtt.yaml

@@ -57,6 +57,8 @@ spec:
             - name: VERBOSE
               value: {{.Values.mqtt.verbosity | quote | required "values.mqtt.verbosity is required!"}}
           volumeMounts:
+            # XXX This would be better without the subPath, but we need
+            # to use a Java system property to move krb5.conf.
             - mountPath: /etc/krb5.conf
               name: krb5-conf
               subPath: krb5.conf

deploy/templates/openid/local-secrets.yaml

@@ -0,0 +1,35 @@
+{{ if .Values.openid.enabled }}
+{{ range $clientName, $client := .Values.serviceSetup.config.openidClients }}
+---
+apiVersion: factoryplus.app.amrc.co.uk/v1
+kind: LocalSecret
+metadata:
+  namespace: {{ $.Release.Namespace }}
+  name: "keycloak-client-{{ $clientName }}"
+spec:
+  format: Password
+  secret: "keycloak-clients"
+  key: "{{ $clientName }}"
+{{ end }}
+---
+apiVersion: factoryplus.app.amrc.co.uk/v1
+kind: LocalSecret
+metadata:
+  namespace: {{ $.Release.Namespace }}
+  name: "keycloak-admin-bootstrap"
+spec:
+  format: Password
+  secret: "keycloak-clients"
+  key: "_bootstrap"
+---
+apiVersion: factoryplus.app.amrc.co.uk/v1
+kind: LocalSecret
+metadata:
+  namespace: {{ $.Release.Namespace }}
+  name: "keycloak-admin-admin"
+spec:
+  format: Password
+  secret: "keycloak-clients"
+  key: "_admin"
+
+{{ end }}

deploy/templates/openid/openid-ingress.yaml

@@ -0,0 +1,23 @@
+{{ if .Values.openid.enabled }}
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: openid-ingressroute
+  namespace: {{ .Release.Namespace }}
+spec:
+  entryPoints:
+    - {{ .Values.acs.secure | ternary "websecure" "web" }}
+  routes:
+    - match: Host(`openid.{{.Values.acs.baseUrl | required "values.acs.baseUrl is required"}}`)
+      kind: Rule
+      services:
+        - name: openid
+          port: 80
+          namespace: {{ .Release.Namespace }}
+  {{- if .Values.acs.secure }}
+  tls:
+    secretName: {{ coalesce .Values.openid.tlsSecretName .Values.acs.tlsSecretName }}
+    domains:
+      - main: openid.{{.Values.acs.baseUrl | required "values.acs.baseUrl is required"}}
+  {{- end -}}
+{{- end -}}

deploy/templates/openid/openid.yaml

@@ -0,0 +1,111 @@
+{{ if .Values.openid.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openid
+  namespace: {{ .Release.Namespace }}
+  labels:
+    component: openid
+spec:
+  strategy:
+    type: Recreate
+  # We cannot allow more replicas with a RWO PVC backend
+  replicas: 1
+  selector:
+    matchLabels:
+      component: openid
+  template:
+    metadata:
+      labels:
+        component: openid
+        factory-plus.service: openid
+    spec:
+      {{- with .Values.acs.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: openid
+          image: "{{ .Values.openid.image.repository }}:{{ .Values.openid.image.tag }}"
+          imagePullPolicy: {{ .Values.openid.image.pullPolicy }}
+          args: ["start-dev"]
+          env:
+            - name: KEYCLOAK_ADMIN
+              value: "_bootstrap"
+            - name: KEYCLOAK_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-clients
+                  key: _bootstrap
+            - name: KC_PROXY
+              value: "edge"
+            - name: KC_HEALTH_ENABLED
+              value: "true"
+          ports:
+            - name: http
+              containerPort: 8080
+          readinessProbe:
+            httpGet:
+              path: /health/ready
+              port: 9000
+          volumeMounts:
+            # XXX This would be better without the subPath, but we need
+            # to use a Java system property to move krb5.conf.
+            - name: krb5-conf
+              mountPath: /etc/krb5.conf
+              subPath: krb5.conf
+            - name: openid-keytabs
+              mountPath: /etc/keytabs
+            - name: data
+              mountPath: /opt/keycloak/data
+      volumes:
+        - name: krb5-conf
+          configMap:
+            name: krb5-conf
+        - name: openid-keytabs
+          secret:
+            secretName: openid-keytabs
+        - name: data
+          persistentVolumeClaim:
+            claimName: keycloak-data
+---
+# XXX Could we use Postgres here instead?
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: keycloak-data
+  namespace: {{ .Release.Namespace }}
+  labels:
+    component: openid
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openid
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+  selector:
+    factory-plus.service: openid
+---
+apiVersion: factoryplus.app.amrc.co.uk/v1
+kind: KerberosKey
+metadata:
+  name: http.openid
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: Random
+  principal: HTTP/openid.{{ .Release.Namespace }}.svc.cluster.local@{{ .Values.identity.realm | required "values.identity.realm is required!" }}
+  additionalPrincipals:
+    - HTTP/openid.{{.Values.acs.baseUrl | required "values.acs.baseUrl is required"}}@{{ .Values.identity.realm | required "values.identity.realm is required!" }}
+  secret: openid-keytabs/server
+{{- end }}

deploy/templates/service-setup.yaml

@@ -24,6 +24,9 @@ spec:
             name: krb5-conf
         - name: manager-ccache-storage
           emptyDir: { }
+        - name: client-secrets
+          secret:
+            secretName: keycloak-clients
       initContainers:
         - name: service-setup
 {{ include "amrc-connectivity-stack.image" (list . .Values.serviceSetup) | indent 10 }}
@@ -32,6 +35,10 @@ spec:
               value: http://directory.{{ .Release.Namespace }}.svc.cluster.local
             - name: SERVICE_USERNAME
               value: admin
+            # Currently the openid realm setup relies on having the
+            # admin@ credentials available, with a password rather than
+            # a keytab. If service-setup is ever moved over to using its
+            # own account there will need to be changes to that code.
             - name: SERVICE_PASSWORD
               valueFrom:
                 secretKeyRef:
@@ -53,12 +60,15 @@ spec:
                   "secure"          (.Values.acs.secure | ternary "s" "")
                   "realm"           .Values.identity.realm
                   "directory"
-                    (include "amrc-connectivity-stack.external-url" 
+                    (include "amrc-connectivity-stack.external-url"
                       (list . "directory"))
                 | toRawJson | quote }}
           volumeMounts:
             - mountPath: /data
               name: git-checkouts
+            - name: client-secrets
+              mountPath: /etc/secret
+              readOnly: true
         - name: edge-helm-charts
 {{ include "amrc-connectivity-stack.image" (list . .Values.edgeHelm) | indent 10 }}
           env:
@@ -78,7 +88,7 @@ spec:
         - name: manager
           image: "{{ include "amrc-connectivity-stack.image-name" (list . .Values.manager ) }}-backend"
           imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
-          command: 
+          command:
               - /bin/sh
               - "-c"
               - |