Skip to content

Commit

Permalink
fix: enable keycloak with pre-configured agent in helm chart (#791)
Browse files Browse the repository at this point in the history
Signed-off-by: Pat Losoponkul <[email protected]>
Signed-off-by: Kranium Gikos Mendoza <[email protected]>
Co-authored-by: Kranium Gikos Mendoza <[email protected]>
Signed-off-by: Shota Jolbordi <[email protected]>
  • Loading branch information
2 people authored and Shota Jolbordi committed Mar 18, 2024
1 parent 64dbb74 commit 474cd94
Show file tree
Hide file tree
Showing 8 changed files with 266 additions and 4 deletions.
7 changes: 5 additions & 2 deletions infrastructure/charts/agent/Chart.lock
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,8 @@ dependencies:
- name: vault
repository: https://helm.releases.hashicorp.com
version: 0.24.1
digest: sha256:f9ee9a8708d36ff7fcf9334fe17404147be8c124ead65830ee72bd4f43c262cd
generated: "2023-06-16T14:40:33.224500592+10:00"
- name: keycloak
repository: https://charts.bitnami.com/bitnami
version: 17.2.0
digest: sha256:33f82ebad234a60fd00365d1dcc6ed884beeac1c13ee4cbeca08a1478eded850
generated: "2023-11-16T20:59:38.47688305+07:00"
4 changes: 4 additions & 0 deletions infrastructure/charts/agent/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,3 +23,7 @@ dependencies:
- name: vault
version: 0.24.1
repository: https://helm.releases.hashicorp.com
- name: keycloak
version: "17.2.0"
repository: "https://charts.bitnami.com/bitnami"
condition: keycloak.enabled
92 changes: 92 additions & 0 deletions infrastructure/charts/agent/templates/configmap.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: keycloak-bootstrap-script
data:
init.sh: |
#!/usr/bin/env bash
set -e
set -u
KEYCLOAK_BASE_URL=$KEYCLOAK_BASE_URL
KEYCLOAK_ADMIN_USER=$KEYCLOAK_ADMIN_USER
KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
REALM_NAME=$REALM_NAME
PRISM_AGENT_CLIENT_ID=$PRISM_AGENT_CLIENT_ID
PRISM_AGENT_CLIENT_SECRET=$PRISM_AGENT_CLIENT_SECRET
function get_admin_token() {
local response=$(
curl --request POST "$KEYCLOAK_BASE_URL/realms/master/protocol/openid-connect/token" \
--fail -s -v \
--data-urlencode "grant_type=password" \
--data-urlencode "client_id=admin-cli" \
--data-urlencode "username=$KEYCLOAK_ADMIN_USER" \
--data-urlencode "password=$KEYCLOAK_ADMIN_PASSWORD"
)
local access_token=$(echo $response | jq -r '.access_token')
echo $access_token
}
function is_client_exists() {
local access_token=$1
local client_id=$2
local http_status=$(
curl --request GET "$KEYCLOAK_BASE_URL/admin/realms/$REALM_NAME/clients/$client_id" \
-s -w "%{http_code}" \
-o /dev/null \
-H "Authorization: Bearer $access_token"
)
if [ $http_status == 200 ]; then
echo "true"
else
echo "false"
fi
}
function create_client() {
local access_token=$1
local client_id=$2
local client_secret=$3
curl --request POST "$KEYCLOAK_BASE_URL/admin/realms/$REALM_NAME/clients" \
--fail -s \
-H "Authorization: Bearer $access_token" \
-H "Content-Type: application/json" \
--data-raw "{
\"id\": \"$client_id\",
\"directAccessGrantsEnabled\": true,
\"authorizationServicesEnabled\": true,
\"serviceAccountsEnabled\": true,
\"secret\": \"$client_secret\"
}"
}
echo "Getting admin access token ..."
ADMIN_ACCESS_TOKEN=$(get_admin_token)
CLIENT_EXIST=$(is_client_exists $ADMIN_ACCESS_TOKEN $PRISM_AGENT_CLIENT_ID)
if [ $CLIENT_EXIST == "false" ]; then
echo "Creating a new $PRISM_AGENT_CLIENT_ID client ..."
create_client $ADMIN_ACCESS_TOKEN $PRISM_AGENT_CLIENT_ID $PRISM_AGENT_CLIENT_SECRET
fi
{{- if .Values.keycloak.enabled }}

---

apiVersion: v1
kind: ConfigMap
metadata:
name: prism-agent-realm-import
data:
prism-agent.json: |
{
"realm": {{ .Values.server.keycloak.realm | quote }},
"enabled": true
}
{{- end }}
52 changes: 52 additions & 0 deletions infrastructure/charts/agent/templates/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,35 @@ spec:
- name: wait-postgress-ready
image: busybox
command: ['sh', '-c', "until nc -z {{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster.{{.Release.Namespace}} 5432; do echo waiting for postgress-operator; sleep 2; done;"]
{{- if .Values.server.keycloak.enabled }}
- name: wait-keycloak-ready
image: badouralix/curl-jq:ubuntu
command: ['/bin/bash', '-c', 'until curl http://{{ .Release.Name }}-keycloak/health/ready; do sleep 2; done && echo "Keycloak is ready."']
{{- if .Values.server.keycloak.bootstrap }}
- name: keycloak-bootstrap
image: badouralix/curl-jq:ubuntu
command: ['/bin/bash', '-c', '/scripts/init.sh']
env:
- name: KEYCLOAK_BASE_URL
value: http://{{ .Release.Name }}-keycloak
- name: KEYCLOAK_ADMIN_USER
value: {{ .Values.server.keycloak.admin.username }}
- name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
{{- toYaml .Values.server.keycloak.admin.password | nindent 12 }}
- name: REALM_NAME
value: {{ .Values.server.keycloak.realm }}
- name: PRISM_AGENT_CLIENT_ID
value: {{ .Values.server.keycloak.client.clientId }}
- name: PRISM_AGENT_CLIENT_SECRET
valueFrom:
{{- toYaml .Values.server.keycloak.client.clientSecret | nindent 12 }}
volumeMounts:
- name: keycloak-bootstrap-script
mountPath: /scripts
readOnly: true
{{- end }}
{{- end }}
containers:
- name: prism-agent-server
image: "{{ .Values.server.image.repository }}/{{ .Values.server.image.tag }}:{{ .Values.server.image.version | default .Chart.AppVersion }}"
Expand Down Expand Up @@ -165,7 +194,30 @@ spec:
key: root-token
optional: false
{{- end }}
{{- if .Values.server.keycloak.enabled }}
- name: KEYCLOAK_ENABLED
value: "true"
- name: KEYCLOAK_URL
value: http://{{ .Release.Name }}-keycloak
- name: KEYCLOAK_REALM
value: {{ .Values.server.keycloak.realm }}
- name: KEYCLOAK_CLIENT_ID
value: {{ .Values.server.keycloak.client.clientId }}
- name: KEYCLOAK_CLIENT_SECRET
valueFrom:
{{- toYaml .Values.server.keycloak.client.clientSecret | nindent 14 }}
{{- end }}
{{- range $key, $value := .Values.server.additionalEnvVariables }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- if .Values.server.keycloak.bootstrap }}
volumes:
- name: keycloak-bootstrap-script
configMap:
name: keycloak-bootstrap-script
defaultMode: 0500
items:
- key: "init.sh"
path: "init.sh"
{{- end }}
27 changes: 27 additions & 0 deletions infrastructure/charts/agent/templates/postgresql.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -32,3 +32,30 @@ spec:
agent: agent-admin
postgresql:
version: "14"

{{- if .Values.keycloak.enabled }}
---

apiVersion: "acid.zalan.do/v1"
kind: postgresql
metadata:
name: "{{ .Values.database.postgres.managingTeam }}-keycloak-postgres-cluster"
namespace: {{ .Release.Namespace }}
labels:
{{ template "labels.common" . }}
spec:
teamId: "{{ .Values.database.postgres.managingTeam }}"
volume:
size: "{{ .Values.database.postgres.databaseSize }}"
numberOfInstances: {{ .Values.database.postgres.numberOfInstances }}
users:
keycloak-admin:
- superuser
- createdb
keycloak-user: []
databases:
keycloak: keycloak-admin
postgresql:
version: "14"

{{- end }}
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: StringSecret
metadata:
name: "agent-keycloak-client-secret"
namespace: {{ .Release.Namespace }}
spec:
forceRegenerate: false
fields:
- fieldName: "secret"
encoding: "base64"
length: "16"

---

apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: StringSecret
metadata:
name: "keycloak-admin-secret"
namespace: {{ .Release.Namespace }}
labels:
{{ template "labels.common" . }}
spec:
forceRegenerate: false
fields:
- fieldName: "password"
encoding: "base64"
length: "32"
- fieldName: "postgres-password"
encoding: "base64"
length: "32"
50 changes: 49 additions & 1 deletion infrastructure/charts/agent/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,23 @@ server:
cpu: 250m
memory: 512Mi
additionalEnvVariables: []
devMode: false
useVault: true
keycloak:
enabled: false
realm: prism-agent
bootstrap: true
admin:
username: atala
password:
secretKeyRef:
name: keycloak-admin-secret
key: password
client:
clientId: prism-agent
clientSecret:
secretKeyRef:
name: agent-keycloak-client-secret
key: secret

database:
postgres:
Expand Down Expand Up @@ -86,3 +101,36 @@ vault:
backend = "kv"
version = 2
}
keycloak:
enabled: false
# --hostname-url should be the frontend url that user will be logging in with keycloak
extraStartupArgs: "--hostname-url=http://localhost:8080 --import-realm --features=declarative-user-profile"
tls:
enabled: true
autoGenerated: true
# this section controls the admin username/password for getting on keycloak
auth:
existingSecret: keycloak-admin-secret
passwordSecretKey: password
adminUser: atala
postgresql:
enabled: false
externalDatabase:
existingSecret: "keycloak-admin.atala-keycloak-postgres-cluster.credentials.postgresql.acid.zalan.do"
existingSecretPasswordKey: password
host: "atala-keycloak-postgres-cluster.{{.Release.Namespace}}"
port: "5432"
user: keycloak-admin
database: keycloak
extraVolumes:
- name: prism-agent-realm-import-volume
configMap:
name: prism-agent-realm-import
items:
- key: prism-agent.json
path: prism-agent.json
extraVolumeMounts:
- name: prism-agent-realm-import-volume
mountPath: /opt/bitnami/keycloak/data/import
readOnly: true
8 changes: 7 additions & 1 deletion infrastructure/shared/docker-compose-mt-keycloak.yml
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,12 @@ services:
API_KEY_ENABLED:
API_KEY_AUTHENTICATE_AS_DEFAULT_USER:
API_KEY_AUTO_PROVISIONING:
KEYCLOAK_ENABLED: true
KEYCLOAK_URL: http://keycloak:8080
KEYCLOAK_REALM: atala-demo
KEYCLOAK_CLIENT_ID: prism-agent
KEYCLOAK_CLIENT_SECRET: prism-agent-demo-secret
KEYCLOAK_UMA_AUTO_UPGRADE_RPT: true
depends_on:
db:
condition: service_healthy
Expand Down Expand Up @@ -147,7 +153,7 @@ services:
environment:
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin
command: start-dev --health-enabled=true
command: start-dev --hostname-url=http://localhost:9980 --health-enabled=true

keycloak-wait:
image: badouralix/curl-jq:ubuntu
Expand Down

0 comments on commit 474cd94

Please sign in to comment.