Deploy Keycloak as an OAuth provider

acs-service-setup/lib/openid-realm.js

@@ -0,0 +1,247 @@
+import crypto from "crypto";
+import fs from "fs/promises";
+import path from "path";
+import { URLSearchParams } from "url";
+
+/**
+ * Create the startup OpenID realm `factory_plus`.
+ *
+ * @async
+ * @param {ServiceSetup} service_setup - Contains the configuration for setting up the realm.
+ * @returns {Promise<void>} Resolves when the realm creation process finishes.
+ */
+export async function create_openid_realm(service_setup) {
+  await new RealmSetup(service_setup).run();
+}
+
+class RealmSetup {
+  constructor(service_setup) {
+    const { fplus } = service_setup;
+    this.log = fplus.debug.bound("oauth");
+
+    this.username = fplus.opts.username;
+    this.password = fplus.opts.password;
+    this.realm = "factory_plus";
+    this.base_url = service_setup.acs_config.domain;
+    this.secure = service_setup.acs_config.secure;
+    this.access_token = "";
+    this.refresh_token = "";
+    this.config = service_setup.config;
+  }
+
+  /**
+   * Run setup for the realm. This generates the full realm representation.
+   *
+   * A basic realm is created first and then populated with clients.
+   *
+   * @async
+   * @returns {Promise<void>}
+   */
+  async run() {
+    let base_realm = {
+      id: crypto.randomUUID(),
+      realm: this.realm,
+      displayName: "Factory+",
+      displayNameHtml: '<div class="kc-logo-text"><span>Factory+</span></div>',
+      enabled: true,
+      components: {
+        "org.keycloak.storage.UserStorageProvider": [
+          {
+            id: crypto.randomUUID(),
+            name: "Kerberos",
+            providerId: "kerberos",
+            subComponents: {},
+            config: {
+              serverPrincipal: [
+                `HTTP/openid.${this.base_url}@${this.base_url.toUpperCase()}`,
+              ],
+              allowPasswordAuthentication: ["false"],
+              debug: ["true"],
+              keyTab: ["/etc/keytabs/server"],
+              cachePolicy: ["DEFAULT"],
+              updateProfileFirstLogin: ["false"],
+              kerberosRealm: [this.base_url.toUpperCase()],
+              enabled: ["true"],
+            },
+          },
+        ],
+      },
+    };
+
+    await this.get_initial_access_token();
+    await this.create_basic_realm(base_realm, false);
+
+    const client_configs = Object.values(this.config.openidClients);
+    const enabled_clients = client_configs.filter(
+      (client) => client.enabled === true,
+    );
+    for (const client of enabled_clients) {
+      await this.create_client(client, false);
+    }
+  }
+
+  /**
+   * Create a new realm by POSTing to the OpenID service. Throws if the response is not ok.
+   *
+   * @async
+   * @param {Object} realm_representation - An object containing all the values that should be created for the realm.
+   * @param {Boolean} is_retry - Whether the request is a retry after a 401. If this is false and a 401 is returned, this will retry after refreshing the token.
+   * @returns {Promise<void>} Resolves when the realm is created.
+   */
+  async create_basic_realm(realm_representation, is_retry) {
+    const realm_url = `http${this.secure}://openid.${this.base_url}/admin/realms`;
+
+    this.log(`Attempting basic realm creation at: ${realm_url}`);
+
+    try {
+      const response = await fetch(realm_url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${this.access_token}`,
+        },
+        body: JSON.stringify(realm_representation),
+      });
+
+      if (!response.ok) {
+        const status = response.status;
+
+        if (status == 401 && !is_retry) {
+          await this.get_initial_access_token(this.refresh_token);
+          await this.create_basic_realm(realm_representation, true);
+        } else if (status == 503) {
+          await this.wait(10000);
+          await this.create_basic_realm(realm_representation, false);
+        } else {
+          const error = await response.text();
+          throw new Error(`${status}: ${error}`);
+        }
+      }
+    } catch (error) {
+      this.log(`Couldn't setup realm: ${error}`);
+    }
+  }
+
+  /**
+   * Create a new client by POSTing to the OpenID service. Throws if the response is not ok.
+   *
+   * @async
+   * @param {Object} client_representation - An object containing all the values that should be created for the client.
+   * @param {Boolean} is_retry - Whether the request is a retry after a 401. If this is false and a 401 is returned, this will retry after refreshing the token.
+   * @returns {Promise<void>} Resolves when the client is created.
+   */
+  async create_client(client_representation, is_retry) {
+    const secret_path = path.join(
+      "/etc/secret",
+      client_representation.redirectHost,
+    );
+    const content = await fs.readFile(secret_path, "utf8");
+    const client_secret = content.trim();
+
+    const client = {
+      id: crypto.randomUUID(),
+      clientId: client_representation.clientId,
+      name: client_representation.name,
+      rootUrl: `http${this.secure}://${client_representation.redirectHost}.${this.base_url}`,
+      adminUrl: `http${this.secure}://${client_representation.redirectHost}.${this.base_url}`,
+      baseUrl: `http${this.secure}://${client_representation.redirectHost}.${this.base_url}`,
+      enabled: true,
+      secret: client_secret,
+      redirectUris: [
+        `http${this.secure}://${client_representation.redirectHost}.${this.base_url}${client_representation.redirectPath}`,
+      ],
+    };
+
+    const client_url = `http${this.secure}://openid.${this.base_url}/admin/realms/${this.realm}/clients`;
+
+    this.log(`Attempting client creation at: ${client_url}`);
+
+    try {
+      const response = await fetch(client_url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${this.access_token}`,
+        },
+        body: JSON.stringify(client),
+      });
+
+      if (!response.ok) {
+        const status = response.status;
+
+        if (status == 401 && !is_retry) {
+          await this.get_initial_access_token(this.refresh_token);
+          await this.create_client(client_representation, true);
+        } else if (status == 503) {
+          await this.wait(10000);
+          await this.create_client(client_representation, false);
+        } else {
+          const error = await response.text();
+          throw new Error(`${status}: ${error}`);
+        }
+      }
+    } catch (error) {
+      this.log(`Couldn't setup client: ${error}`);
+    }
+  }
+
+  /**
+   * Fetch an initial access token for the user in the specified realm. This should only be used during realm setup.
+   *
+   * Sets the `access_token` and `refresh_token` properties of `OAuthRealm` as a side effect.
+   *
+   * @async
+   * @param {string | undefined} [refresh_token] - Optional refresh token. If this is passed we use it with bearer auth.
+   * @returns {Promise<[string, string]} Resolves to an access token and a refresh token.
+   */
+  async get_initial_access_token(refresh_token) {
+    const token_url = `http${this.secure}://openid.${this.base_url}/realms/master/protocol/openid-connect/token`;
+
+    this.log(`Attempting token request at: ${token_url}`);
+
+    const params = new URLSearchParams();
+    if (refresh_token != undefined) {
+      params.append("grant_type", "refresh_token");
+      params.append("client_id", "admin-cli");
+      params.append("refresh_token", refresh_token);
+    } else {
+      params.append("grant_type", "password");
+      params.append("client_id", "admin-cli");
+      params.append("username", this.username);
+      params.append("password", this.password);
+    }
+
+    try {
+      const response = await fetch(token_url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body: params,
+      });
+
+      if (response.ok) {
+        const data = await response.json();
+        this.access_token = data.access_token;
+        this.refresh_token = data.refresh_token;
+
+        return [data.access_token, data.refresh_token];
+      } else if (response.status == 503) {
+        await this.wait(10000);
+        this.get_initial_access_token();
+      } else {
+        const status = response.status;
+        const error = await response.text();
+        throw new Error(`${status}: ${error}`);
+      }
+    } catch (error) {
+      this.log(
+        `Couldn't get an initial access token for realm setup: ${error}`,
+      );
+    }
+  }
+
+  async wait(milliseconds) {
+    return new Promise((resolve) => setTimeout(resolve, milliseconds));
+  }
+}

acs-service-setup/lib/service-setup.js

@@ -10,6 +10,7 @@ import { DumpLoader }           from "./dumps.js";
 import { fixups }               from "./fixups.js";
 import { setup_git_repos }      from "./git-repos.js";
 import { setup_local_uuids }    from "./local-uuids.js";
+import { create_openid_realm }  from "./openid-realm.js";
 
 export class ServiceSetup {
     constructor (opts) {
@@ -58,6 +59,9 @@ export class ServiceSetup {
         this.log("Migrating legacy Auth groups");
         await migrate_auth_groups(this);
 
+        this.log("Creating OpenID realm");
+        await create_openid_realm(this);
+
         this.log("Finished setup");
     }
 }

deploy/crds/local-secret.yaml

@@ -0,0 +1,51 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: localsecrets.factoryplus.app.amrc.co.uk
+spec:
+  group: factoryplus.app.amrc.co.uk
+  names:
+    kind: LocalSecret
+    plural: localsecrets
+    categories:
+      - all
+  scope: Namespaced
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      additionalPrinterColumns:
+        - name: Secret
+          jsonPath: ".spec.secret"
+          type: string
+        - name: Key
+          jsonPath: ".spec.key"
+          type: string
+        - name: Format
+          jsonPath: ".spec.format"
+          type: string
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: [spec]
+          properties:
+            spec:
+              type: object
+              required: [secret, key, format]
+              properties:
+                secret:
+                  description: The name of the Secret to edit.
+                  type: string
+                key:
+                  description: The key to create within the Secret.
+                  type: string
+                format:
+                  description: >
+                    The format of the secret value. Currently must be Password.
+                  type: string
+                  enum: [Password]
+            status:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+      subresources:
+        status: {}

deploy/templates/grafana/grafani-ini.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: acs-grafana-config
+data:
+  auth_url: {{ .Values.acs.secure | ternary "https://" "http://" }}openid.{{.Values.acs.baseUrl}}/realms/factory_plus/protocol/openid-connect/auth
+  token_url: {{ .Values.acs.secure | ternary "https://" "http://" }}openid.{{.Values.acs.baseUrl}}/realms/factory_plus/protocol/openid-connect/token
+  api_url: {{ .Values.acs.secure | ternary "https://" "http://" }}openid.{{.Values.acs.baseUrl}}/realms/factory_plus/protocol/openid-connect/userinfo

deploy/templates/hooks/post-delete.yaml

@@ -18,6 +18,7 @@ spec:
             - |
               echo "Starting cleanup..."
               for i in $(kubectl -n {{ .Release.Namespace }} get kerberos-keys -o name); do kubectl -n {{ .Release.Namespace }} patch $i --type=json -p='[{"op": "remove", "path": "/metadata/finalizers"}]'; done
+              for i in $(kubectl -n {{ .Release.Namespace }} get localsecrets -o name); do kubectl -n {{ .Release.Namespace }} patch $i --type=json -p='[{"op": "remove", "path": "/metadata/finalizers"}]'; done
               echo "Cleanup complete!"
       restartPolicy: Never
   backoffLimit: 3
@@ -45,7 +46,7 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation
 rules:
   - apiGroups: [ "factoryplus.app.amrc.co.uk" ]
-    resources: [ "kerberos-keys" ]
+    resources: [ "kerberos-keys", "localsecrets" ]
     verbs: [ "get", "list", "patch" ] # Specify only necessary actions
 
 ---

deploy/templates/identity/rbac.yaml

@@ -13,10 +13,10 @@ metadata:
   name: krb-keys-operator
 rules:
   -   apiGroups: [factoryplus.app.amrc.co.uk]
-      resources: [kerberos-keys]
+      resources: [kerberos-keys, localsecrets]
       verbs: [list, get, watch, patch]
   -   apiGroups: [factoryplus.app.amrc.co.uk]
-      resources: [kerberos-keys/status]
+      resources: [kerberos-keys/status, localsecrets/status]
       verbs: [list, get, create, update, delete, watch, patch]
   -   apiGroups: [""]
       resources: [secrets]

deploy/templates/openid/local-secrets.yaml

@@ -0,0 +1,11 @@
+{{if .Values.openid.enabled}}
+apiVersion: factoryplus.app.amrc.co.uk/v1
+kind: LocalSecret
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: "keycloak-grafana-client"
+spec:
+  format: Password
+  secret: "keycloak-grafana-client"
+  key: "grafana"
+{{end }}

deploy/templates/openid/openid-ingress.yaml

@@ -0,0 +1,23 @@
+{{ if .Values.openid.enabled }}
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: openid-ingressroute
+  namespace: {{ .Release.Namespace }}
+spec:
+  entryPoints:
+    - {{ .Values.acs.secure | ternary "websecure" "web" }}
+  routes:
+    - match: Host(`openid.{{.Values.acs.baseUrl | required "values.acs.baseUrl is required"}}`)
+      kind: Rule
+      services:
+        - name: openid
+          port: 80
+          namespace: {{ .Release.Namespace }}
+  {{- if .Values.acs.secure }}
+  tls:
+    secretName: {{ coalesce .Values.openid.tlsSecretName .Values.acs.tlsSecretName }}
+    domains:
+      - main: openid.{{.Values.acs.baseUrl | required "values.acs.baseUrl is required"}}
+  {{- end -}}
+{{- end -}}