-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
bootstrap keycloak for backstage oidc
Signed-off-by: phac008 <[email protected]>
- Loading branch information
Showing
6 changed files
with
737 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: {{ .Release.Name }}-configmap | ||
| data: | ||
| sx-cnp-oss.realm.json: |- | ||
| {{ .Files.Get "sx-cnp-oss.realm.json" | indent 4}} | ||
| poststart.sh: |- | ||
| {{ .Files.Get "poststart.sh" | indent 4}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| apiVersion: networking.k8s.io/v1 | ||
| kind: Ingress | ||
| metadata: | ||
| name: "{{ .Values.deployments.keycloak.service.name }}" | ||
| annotations: | ||
| # for operator | ||
| #nginx.ingress.kubernetes.io/backend-protocol: HTTPS | ||
| # for dev | ||
| nginx.ingress.kubernetes.io/backend-protocol: HTTP | ||
| # nginx.ingress.kubernetes.io/force-ssl-redirect: "true" | ||
| # nginx.ingress.kubernetes.io/proxy-buffer-size: "128k" | ||
| spec: | ||
| tls: | ||
| - hosts: | ||
| - "{{ .Values.deployments.ingress.host }}" | ||
| secretName: "{{ .Values.secrets.tls.name }}" | ||
| rules: | ||
| - host: "{{ .Values.deployments.ingress.host }}" | ||
| http: | ||
| paths: | ||
| - path: / | ||
| pathType: Prefix | ||
| backend: | ||
| service: | ||
| name: "{{ .Values.deployments.keycloak.service.name }}" | ||
| port: | ||
| number: {{.Values.deployments.keycloak.ports.containerPort}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,114 @@ | ||
| apiVersion: v1 | ||
| kind: Service | ||
| metadata: | ||
| name: "{{ .Values.deployments.keycloak.service.name }}" | ||
| labels: | ||
| app: "{{ .Values.deployments.keycloak.service.name }}" | ||
| spec: | ||
| ports: | ||
| - name: "{{ .Values.deployments.keycloak.service.name }}" | ||
| port: {{.Values.deployments.keycloak.ports.containerPort}} | ||
| # port: {{.Values.deployments.securePort}} | ||
| # targetPort: {{.Values.deployments.keycloak.ports.containerPort}} | ||
| selector: | ||
| app: "{{ .Values.deployments.keycloak.service.name }}" | ||
| type: ClusterIP | ||
| --- | ||
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| name: "{{ .Values.deployments.keycloak.service.name }}" | ||
| labels: | ||
| app: "{{ .Values.deployments.keycloak.service.name }}" | ||
| spec: | ||
| replicas: 1 | ||
| selector: | ||
| matchLabels: | ||
| app: "{{ .Values.deployments.keycloak.service.name }}" | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: "{{ .Values.deployments.keycloak.service.name }}" | ||
| spec: | ||
| containers: | ||
| - name: "{{ .Values.deployments.keycloak.service.name }}" | ||
| image: quay.io/keycloak/keycloak:{{ .Values.deployments.keycloak.version }} | ||
| args: ["start-dev"] | ||
| env: | ||
| - name: KEYCLOAK_ADMIN | ||
| valueFrom: | ||
| secretKeyRef: | ||
| key: KEYCLOAK_ADMIN | ||
| name: "{{ .Values.secrets.keycloak.name }}" | ||
| - name: KEYCLOAK_ADMIN_PASSWORD | ||
| valueFrom: | ||
| secretKeyRef: | ||
| key: KEYCLOAK_ADMIN_PASSWORD | ||
| name: "{{ .Values.secrets.keycloak.name }}" | ||
| - name: KC_PROXY | ||
| value: "edge" | ||
| - name: KC_HEALTH_ENABLED | ||
| value: "true" | ||
| - name: KC_METRICS_ENABLED | ||
| value: "true" | ||
| - name: KC_HOSTNAME_STRICT_HTTPS | ||
| value: "true" | ||
| - name: KC_LOG_LEVEL | ||
| value: INFO | ||
| - name: DB_VENDOR | ||
| value: POSTGRES | ||
| - name: KC_PORT | ||
| value: "{{.Values.deployments.keycloak.ports.containerPort}}" | ||
| - name: DB_ADDR | ||
| value: "{{ .Values.deployments.postgres.service.name }}" | ||
| - name: DB_DATABASE | ||
| valueFrom: | ||
| secretKeyRef: | ||
| name: "{{ .Values.secrets.postgres.name }}" | ||
| key: POSTGRES_DB | ||
| - name: DB_USER | ||
| valueFrom: | ||
| secretKeyRef: | ||
| name: "{{ .Values.secrets.postgres.name }}" | ||
| key: POSTGRES_USER | ||
| - name: DB_PASSWORD | ||
| valueFrom: | ||
| secretKeyRef: | ||
| name: "{{ .Values.secrets.postgres.name }}" | ||
| key: POSTGRES_PASSWORD | ||
| ports: | ||
| - name: http | ||
| containerPort: | ||
| {{.Values.deployments.keycloak.ports.containerPort}} | ||
| lifecycle: | ||
| postStart: | ||
| exec: | ||
| command: ["/bin/bash", "-c", "cd /opt/keycloak/bin; ./poststart.sh > /tmp/poststart.log"] | ||
| readinessProbe: | ||
| httpGet: | ||
| path: /health/ready | ||
| port: {{.Values.deployments.keycloak.ports.containerPort}} | ||
| initialDelaySeconds: 250 | ||
| periodSeconds: 10 | ||
| livenessProbe: | ||
| httpGet: | ||
| path: /health/live | ||
| port: {{.Values.deployments.keycloak.ports.containerPort}} | ||
| initialDelaySeconds: 500 | ||
| periodSeconds: 30 | ||
| resources: | ||
| limits: | ||
| memory: 512Mi | ||
| cpu: "1" | ||
| requests: | ||
| memory: 256Mi | ||
| cpu: "0.2" | ||
| volumeMounts: | ||
| - mountPath: /opt/keycloak/bin/poststart.sh | ||
| name: keycloak-hookvolume | ||
| subPath: poststart.sh | ||
| volumes: | ||
| - configMap: | ||
| defaultMode: 493 | ||
| name: keycloak-configmap | ||
| name: keycloak-hookvolume |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| #!/bin/bash | ||
| # | ||
| # Bootstrap Backstage Client | ||
| # | ||
|
|
||
| # creates user, set credentials, adds to group | ||
| function create_user() { | ||
| username=$1 | ||
| group=$2 | ||
| email="$3" | ||
| firstName="$4" | ||
| lastName="$5" | ||
|
|
||
| if [[ -n "$firstName" && -n "$lastName" ]]; then | ||
| ./kcadm.sh create users -r sx-cnp-oss -s username=$username -s enabled=true -s emailVerified=true -s email="$email" -s firstName=$firstName -s lastName=$lastName | ||
| else | ||
| ./kcadm.sh create users -r sx-cnp-oss -s username=$username -s enabled=true -s emailVerified=true -s email="$email" | ||
| fi | ||
|
|
||
| ./kcadm.sh set-password -r sx-cnp-oss --username $username --new-password test --temporary=false | ||
|
|
||
| # fetch user and group id | ||
| userid=$(./kcadm.sh get users -r sx-cnp-oss -q username=$username --fields id --format csv --noquotes) | ||
| groupid=$(./kcadm.sh get groups -r sx-cnp-oss --noquotes --format csv | grep ",$group" | cut -d, -f1) | ||
|
|
||
| # no group membership yet, but add | ||
| ./kcadm.sh update users/$userid/groups/$groupid -r sx-cnp-oss -s realm=sx-cnp-oss -s userId=$userid -s groupId=$groupid -n | ||
| ./kcadm.sh get users/$userid/groups -r sx-cnp-oss | ||
| } | ||
|
|
||
| ###### MAIN ###################### | ||
| sleepSeconds="${1:-30}" | ||
| echo "going to wait for initialization/stabilization of server, sleeping for $sleepSeconds" | ||
| #sleep $sleepSeconds | ||
| sleep 60 | ||
|
|
||
| cd /opt/keycloak/bin | ||
|
|
||
| # login | ||
| ./kcadm.sh config credentials --realm master --user admin --password admin --server http://localhost:8080 | ||
|
|
||
| # create realm | ||
| ./kcadm.sh create realms -f /tmp/sx-cnp-oss.realm.json | ||
| #./kcadm.sh create clients -r sx-cnp-oss -f /tmp/backstage.exported.json | ||
| #./kcadm.sh create partialImport -r sx-cnp-oss -s ifResourceExists=FAIL -o -f /tmp/sx-cnp-oss.realm.json | ||
|
|
||
| # create realm | ||
| #./kcadm.sh create realms -s realm=sx-cnp-oss -s enabled=true -o | ||
|
|
||
| # disable 'rsa-enc-generated' key for realm to avoid JWKS 'RSA-OAEP' key types which jwt module cannot parse | ||
| component_id=$(./kcadm.sh get components -r sx-cnp-oss -q name=rsa-enc-generated --fields id --format csv --noquotes) | ||
| ./kcadm.sh update components/$component_id -r sx-cnp-oss -s 'config.active=["false"]' | ||
| ./kcadm.sh update components/$component_id -r sx-cnp-oss -s 'config.enabled=["false"]' | ||
|
|
||
| # creates users in various groups | ||
| create_user demouser group1 [email protected] demuser sx-cnp-oss | ||
| create_user phac users [email protected] Philipp Achmueller | ||
| create_user jokl users [email protected] Johannes Kleinlercher | ||
| create_user backstageadmin admins [email protected] Backstage Admin | ||
|
|
||
| # create client from json placed into container (secret will be generated upon import) | ||
| #./kcadm.sh create clients -r sx-cnp-oss -f /tmp/backstage.exported.json | ||
|
|
||
| # get secret for 'backstage' that was just generated upon import | ||
| clientid=$(./kcadm.sh get clients -r sx-cnp-oss -q clientId=backstage --fields id --format csv --noquotes) | ||
| clientsecret=$(./kcadm.sh get clients/$clientid/client-secret -r sx-cnp-oss --fields value --format csv --noquotes) | ||
| outfile=/tmp/keycloak.properties | ||
| touch $outfile | ||
| chmod 666 $outfile | ||
| echo "realm=sx-cnp-oss" >> $outfile | ||
| echo "clientid=backstage" >> $outfile | ||
| echo "clientsecret=$clientsecret" >> $outfile |
Oops, something went wrong.