refactor: simplified oidc, overloading with keycloak if exists [ci skip]

Author: Maurice Faber

.cspell.json

@@ -29,6 +29,7 @@
     "oo",
     "oo mkilled",
     "RAGRS",
+    "jwks",
     "RAGZRS",
     "registr",
     "roboll",
@@ -99,5 +100,6 @@
     "sitespeed",
     "testmode",
     "untrusted"
-  ]
+  ],
+  "language": "en"
 }

.values/.vscode/settings.json

@@ -16,6 +16,7 @@
   },
   "prettier.enable": true,
   "sops.defaults.gcpCredentialsPath": "gcp-key.json",
+  "sops.enabled": true,
   "yaml.schemas": {
     "http://json-schema.org/draft/2019-09/schema#": ".vscode/values-schema.yaml",
     ".vscode/values-schema.yaml": "env/*.yaml"

charts/otomi-api/values.yaml

@@ -73,7 +73,6 @@ secrets:
   GIT_USER: 
   GIT_EMAIL:
   GIT_PASSWORD:
-  OIDC_CLIENT_SECRET:
 
 env:
   GIT_REPO_URL:

charts/team-ns/templates/_helpers.tpl

@@ -108,9 +108,7 @@ metadata:
   {{- end }}
 {{- end }}
 {{- if .hasAuth }}
-  {{- if .hasKeycloak }}
     nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-  {{- end }}
     nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.istio-system.svc.cluster.local/oauth2/auth"
     nginx.ingress.kubernetes.io/auth-signin: "https://auth.{{ .cluster.domain }}/oauth2/start?rd=/oauth2/redirect/$http_host$escaped_request_uri"
 {{- end }}

charts/team-ns/templates/ingress.yaml

@@ -31,30 +31,30 @@
 {{- end }}
 
 # apps.* that need their path rewritten to /
-{{ include "ingress" (dict "dot" . "provider" "nginx" "name" "private" "teamId" $v.teamId "domain" $v.domain "cluster" $v.cluster "otomi" $v.otomi "isApps" true "hasForward" false "hasAuth" true "services" $private "hasKeycloak" $hasKeycloak) }}
+{{ include "ingress" (dict "dot" . "provider" "nginx" "name" "private" "teamId" $v.teamId "domain" $v.domain "cluster" $v.cluster "otomi" $v.otomi "isApps" true "hasForward" false "hasAuth" true "services" $private) }}
 ---
 
 # apps.* that need their path forwarded instead of rewritten to /
 {{- if gt (len $privateForward) 0 }}
-{{ include "ingress" (dict "dot" . "provider" "nginx" "name" "private-forward" "teamId" $v.teamId "domain" $v.domain "cluster" $v.cluster "otomi" $v.otomi  "isApps" true "hasForward" true "hasAuth" true "services" $privateForward "hasKeycloak" $hasKeycloak) }}
+{{ include "ingress" (dict "dot" . "provider" "nginx" "name" "private-forward" "teamId" $v.teamId "domain" $v.domain "cluster" $v.cluster "otomi" $v.otomi  "isApps" true "hasForward" true "hasAuth" true "services" $privateForward) }}
 ---
 {{- end }}
 
 # apps with custom domains
 {{- if gt (len $privateCustom) 0 }}
-{{ include "ingress" (dict "dot" . "provider" "nginx" "name" "private-custom" "teamId" $v.teamId "domain" $v.domain "cluster" $v.cluster "otomi" $v.otomi  "isApps" false "hasForward" false "hasAuth" true "services" $privateCustom "hasKeycloak" $hasKeycloak) }}
+{{ include "ingress" (dict "dot" . "provider" "nginx" "name" "private-custom" "teamId" $v.teamId "domain" $v.domain "cluster" $v.cluster "otomi" $v.otomi  "isApps" false "hasForward" false "hasAuth" true "services" $privateCustom) }}
 ---
 {{- end }}
 
 # public services
 {{- if gt (len $public) 0 }}
-{{ include "ingress" (dict "dot" . "provider" "nginx" "name" "public" "teamId" $v.teamId "domain" $v.domain "cluster" $v.cluster "otomi" $v.otomi  "isApps" false "hasForward" false "hasAuth" false "services" $public "hasKeycloak" $hasKeycloak) }}
+{{ include "ingress" (dict "dot" . "provider" "nginx" "name" "public" "teamId" $v.teamId "domain" $v.domain "cluster" $v.cluster "otomi" $v.otomi  "isApps" false "hasForward" false "hasAuth" false "services" $public) }}
 ---
 {{- end }}
 
 {{- if $v.otomi.hasCloudLB }}
 # external LB ingress
-{{ include "ingress" (dict "dot" . "provider" $v.cluster.provider "name" "external" "teamId" $v.teamId "domain" $v.domain "cluster" $v.cluster "otomi" $v.otomi  "isApps" false "hasForward" false "hasAuth" false "services" $v.services "hasKeycloak" $hasKeycloak) }}
+{{ include "ingress" (dict "dot" . "provider" $v.cluster.provider "name" "external" "teamId" $v.teamId "domain" $v.domain "cluster" $v.cluster "otomi" $v.otomi  "isApps" false "hasForward" false "hasAuth" false "services" $v.services) }}
 ---
 {{- end }}
 

charts/team-ns/templates/istio-virtualservices.yaml

@@ -1,4 +1,5 @@
 {{- $v := .Values }}
+{{- $k := $v.charts.keycloak | default dict }}
 {{- if or (eq $v.teamId "admin") ($v.otomi.isMultitenant) }}
 {{- $ := . }}
 {{- range $s := $v.services }}
@@ -79,7 +80,8 @@ spec:
               set:
                 X-Forwarded-Proto: https
 ---
-{{- if and $v.hasKeycloak (not (hasKey $s "isPublic")) (hasKey $s "authz") }}
+{{- if and (not (hasKey $s "isPublic")) (hasKey $s "authz") }}
+# grrr
 {{- $workload := ($s.authz.workload | toYaml | replace "__TEAM" $v.teamId) }}
 apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
@@ -90,12 +92,19 @@ spec:
   selector:
     matchLabels: {{ $workload | nindent 6 }}
   jwtRules:
+  {{- if $k.enabled }}
     - issuer: https://keycloak.{{ $v.cluster.domain }}/realms/master
       jwksUri: https://keycloak.{{ $v.cluster.domain }}/realms/master/protocol/openid-connect/certs
-      forwardOriginalToken: {{ $s.authz.forwardOriginalToken | default false }}
       audiences:
-        - otomi
+        - {{ $k.idp.clientID }}
+  {{- else }}
+    - issuer: {{ $v.oidc.issuer }}
+      # jwksUri: {{ $v.oidc.jwksUri }}
+  {{- end }}
+      forwardOriginalToken: {{ $s.authz.forwardOriginalToken | default false }}
 ---    
+{{- if $k.enabled }}
+{{- $principal := printf "https://keycloak.%s/realms/master/*" $v.cluster.domain }}
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -110,7 +119,7 @@ spec:
       # {}
       from: 
         - source:
-            requestPrincipals: ['https://keycloak.{{ $v.cluster.domain }}/realms/master/*']
+            requestPrincipals: [{{ $principal }}]
       {{- if not $s.isShared }}
       when:
         - key: request.auth.claims[groups]
@@ -130,10 +139,11 @@ spec:
             {{- end }}
     - from:
         - source:
-            notRequestPrincipals: ['https://keycloak.{{ $v.cluster.domain }}/realms/master/*']
+            notRequestPrincipals: [{{ $principal }}]
 ---
 {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}

helmfile.d/helmfile-15.ingress-core.yaml

@@ -19,6 +19,7 @@ releases:
       - name: admin
         teamId: admin
         charts: {{- $v.charts | toYaml | nindent 10 }}
+        oidc: {{- $v.oidc | toYaml | nindent 10 }}
         cluster: {{- $v.cluster | toYaml | nindent 10 }}
         otomi: {{- $v.otomi | toYaml | nindent 10 }}
         domain: {{ $adminDomain }}

helmfile.d/helmfile-60.teams.yaml

@@ -26,7 +26,7 @@ releases:
       - cluster: {{- $v.cluster | toYaml | nindent 10 }}
         charts: {{- $v.charts | toYaml | nindent 10 }}
         otomi: {{- $v.otomi | toYaml | nindent 10 }}
-        hasKeycloak: {{ $v.charts.keycloak | get "enabled" true }}
+        oidc: {{- $v.oidc | toYaml | nindent 10 }}
         domain: {{ $domain }}
         certStage: {{ $cm.stage }}
         knative:

helmfile.d/snippets/grafana.gotmpl

@@ -1,29 +1,21 @@
-{{- if not .hasOauth2 }}
-"auth.anonymous":
-  enabled: true
-  org_role: Admin
-  org_name: Main Org.
-{{- else }}
 "auth.generic_oauth":
   tls_skip_verify_insecure: {{ eq .stage "staging" }}
   enabled: true
   name: OAuth
   org_role: Admin
   allow_sign_up: true
-  # allow_sign_up: false
   oauth_auto_login: true # false = so we can login with admin / bladibla
-  client_id: {{ .keycloak.clientID }}
-  client_secret: {{ .keycloak.clientSecret }}
+  client_id: {{ .hasKeycloak | ternary .keycloak.clientID .oidc.clientID }}
+  client_secret: {{ .hasKeycloak | ternary .keycloak.clientSecret .oidc.clientSecret }}
   scopes: openid
-  auth_url: {{ .hasKeycloak | ternary (printf "%s/protocol/openid-connect/auth" .keycloakBase) (.oidc | getOrNil "oauth2.authUrl") }}
-  token_url: {{ .hasKeycloak | ternary (printf "%s/protocol/openid-connect/token" .keycloakBase) (.oidc | getOrNil "oauth2.tokenUrl") }}
-  api_url: {{ .hasKeycloak | ternary (printf "%s/protocol/openid-connect/userinfo" .keycloakBase) (.oidc | get "oauth2.apiUrl" (.oidc | getOrNil "oauth2.tokenUrl")) }}
+  auth_url: {{ .hasKeycloak | ternary (printf "%s/protocol/openid-connect/auth" .keycloakBase) (.oidc | getOrNil "authUrl") }}
+  token_url: {{ .hasKeycloak | ternary (printf "%s/protocol/openid-connect/token" .keycloakBase) (.oidc | getOrNil "tokenUrl") }}
+  api_url: {{ .hasKeycloak | ternary (printf "%s/protocol/openid-connect/userinfo" .keycloakBase) (.oidc | get "apiUrl" (.oidc | getOrNil "tokenUrl")) }}
   {{- if .hasKeycloak }}
   role_attribute_path: contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'team-admin') && 'Admin' || 'Editor'
   {{- else }}
   role_attribute_path: 'Admin'
   {{- end }}
-{{- end }}
 log:
   level: error
 users:

values-schema.yaml

@@ -1153,6 +1153,7 @@ properties:
       name:
         type: string
   oidc:
+    description: Holds many parts used in different locations. Please see keycloak, istio and oauth-proxy all consuming parts.
     type: object
     additionalProperties: false
     properties:
@@ -1162,6 +1163,14 @@ properties:
         type: string
       issuer:
         type: string
+      jwksUri:
+        type: string
+      authUrl:
+        '$ref': '#/definitions/url'
+      tokenUrl:
+        '$ref': '#/definitions/url'
+      apiUrl:
+        '$ref': '#/definitions/url'
       tenantID:
         type: string
       scope:
@@ -1170,17 +1179,6 @@ properties:
         type: string
       teamAdminGroupID:
         type: string
-      oauth2:
-        description: Can be used in case no keycloak is chosen, to fall back to oauth2 urls. Handy for apps like grafana.
-        type: object
-        properties:
-          authUrl:
-            '$ref': '#/definitions/url'
-          tokenUrl:
-            '$ref': '#/definitions/url'
-          apiUrl:
-            '$ref': '#/definitions/url'
-        required: [authUrl, tokenUrl]
   otomi:
     type: object
     additionalProperties: false

values/istio-operator/istio-operator-raw.gotmpl

@@ -10,9 +10,8 @@
 {{- $realm := $k | get "realm" "master" }}
 {{- $keycloakBase := printf "https://keycloak.%s/realms/%s" $v.cluster.domain $realm }}
 {{- $o := $v.oidc }}
-{{- $hasOauth2 := or $hasKeycloak (hasKey $o "oauth2") }}
 {{- $appsDomain := printf "apps.%s" $v.cluster.domain }}
-{{- $grafanaIni := tpl (readFile "../../helmfile.d/snippets/grafana.gotmpl") (dict "keycloakBase" $keycloakBase "hasKeycloak" $hasKeycloak "hasOauth2" $hasOauth2 "oidc" $v.oidc "stage"  $stage "keycloak" ($k | get "idp")) | toString }}
+{{- $grafanaIni := tpl (readFile "../../helmfile.d/snippets/grafana.gotmpl") (dict "keycloakBase" $keycloakBase "hasKeycloak" $hasKeycloak "oidc" $v.oidc "stage"  $stage "keycloak" ($k | get "idp")) | toString }}
 resources:
   - apiVersion: install.istio.io/v1alpha1
     kind: IstioOperator

values/jobs/harbor.gotmpl

@@ -34,8 +34,8 @@ tasks:
     secret:
       HARBOR_PASSWORD:  {{ $h | get "adminPassword" "bladibla" }}
       HARBOR_USER: admin
-      OIDC_CLIENT_ID: {{ $o.clientID }}
-      OIDC_CLIENT_SECRET: {{ $o.clientSecret }}
+      OIDC_CLIENT_ID: {{ $hasKeycloak | ternary $k.idp.clientID $o.clientID }}
+      OIDC_CLIENT_SECRET: {{ $hasKeycloak | ternary $k.idp.clientSecret $o.clientSecret }}
     env:
       HARBOR_BASE_URL: "http://harbor-harbor-core.harbor/api/v2.0"
       TEAM_NAMES: '{{ $teamNames | toJson }}'

values/jobs/keycloak.gotmpl

@@ -39,7 +39,7 @@ tasks:
       KEYCLOAK_ADMIN: {{ $k | get "admin.username" "admin" }}
       KEYCLOAK_ADMIN_PASSWORD: {{ $k | get "admin.password" "bladibla" }}
       KEYCLOAK_REALM: master
-      KEYCLOAK_CLIENT_ID: {{ $k.idp | get "clientID" "otomi" }}
+      KEYCLOAK_CLIENT_ID: {{ $k.idp.clientID }}
       KEYCLOAK_CLIENT_SECRET: {{ $k.idp.clientSecret }}
       TENANT_ID: {{ $v.oidc.tenantID }}
       TENANT_CLIENT_ID: {{ $v.oidc.clientID }}

values/oauth2-proxy/oauth2-proxy-raw.gotmpl

@@ -18,9 +18,6 @@ resources:
         {{- end }}
         kubernetes.io/ingress.class: nginx
         ingress.kubernetes.io/ssl-redirect: {{ if $v.otomi.hasCloudLB }}"false"{{ else }}"true"{{ end }}
-        {{- if $hasKeycloak }}
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        {{- end }}
         nginx.ingress.kubernetes.io/configuration-snippet: |
           # rewrite auth redirects to original hosts
           rewrite ^/oauth2/redirect/(.*) https://$1 redirect;

values/oauth2-proxy/oauth2-proxy.gotmpl

@@ -12,8 +12,8 @@ image:
   repository: quay.io/oauth2-proxy/oauth2-proxy
 
 config:
-  clientID: {{ $o.clientID }}
-  clientSecret: {{ $o.clientSecret }}
+  clientID: {{ $hasKeycloak | ternary $k.idp.clientID $o.clientID }}
+  clientSecret: {{ $hasKeycloak | ternary $k.idp.clientSecret $o.clientSecret }}
   cookieSecret: {{ $v | getOrNil "charts.oauth2-proxy.config.cookieSecret" | default "blajajaaa" }}
 
 replicas: 2

values/otomi-api/otomi-api.gotmpl

@@ -25,10 +25,9 @@ secrets:
   {{- if $v.sops.enabled }}
   GCLOUD_SERVICE_KEY: '{{ $o.tools.gcloudServiceKey }}'
   {{- end }}
-  OIDC_CLIENT_SECRET: {{ $v.oidc.clientSecret }}
 
 env:
-  # DEBUG: '*'
+  DEBUG: '*'
   GIT_REPO_URL: {{ $o.git.repoUrl }}
   GIT_BRANCH: {{ $o | get "git.branch" "master" }}
   CLUSTER_ID: {{ printf "%s/%s" $c.provider $c.name }}
@@ -39,7 +38,7 @@ env:
   {{- end }}
   USE_SOPS: {{ $v.sops.enabled }}
   CORE_VERSION: '{{ $version }}'
-  {{- if (not ($v.charts.keycloak | get "enabled" false)) }}
+  {{- if (not ($v.charts.keycloak | get "enabled" true)) }}
   NO_AUTHZ: true
   {{- end }}
 

values/prometheus-operator/prometheus-operator.gotmpl

@@ -6,10 +6,9 @@
 {{- $hasKeycloak := $k | get "enabled" true }}
 {{- $realm := $k | get "realm" "master" }}
 {{- $keycloakBase := printf "https://keycloak.%s/realms/%s" $v.cluster.domain $realm }}
-{{- $hasOauth2 := or $hasKeycloak (hasKey $v.oidc "oauth2") }}
 {{- $appsDomain := printf "apps.%s" $v.cluster.domain }}
 {{- $slackTpl := tpl (readFile "../../helmfile.d/snippets/slack.gotmpl") $v | toString }}
-{{- $grafanaIni := tpl (readFile "../../helmfile.d/snippets/grafana.gotmpl") (dict "keycloakBase" $keycloakBase "hasKeycloak" $hasKeycloak "hasOauth2" $hasOauth2 "oidc" $v.oidc "stage" $stage "keycloak" ($k | get "idp")) | toString }}
+{{- $grafanaIni := tpl (readFile "../../helmfile.d/snippets/grafana.gotmpl") (dict "keycloakBase" $keycloakBase "hasKeycloak" $hasKeycloak "oidc" $v.oidc "stage" $stage "keycloak" ($k | get "idp")) | toString }}
 nameOverride: po
 fullnameOverride: po
 coreDns: