From 64a5a0aec3952b8d7751380337e54133c4aace55 Mon Sep 17 00:00:00 2001 From: deanchen Date: Tue, 5 Jul 2022 05:39:20 +0800 Subject: [PATCH 1/5] feat: can visit keycloak behinde ambassador --- keycloak/README.md | 2 + keycloak/deployment/base/kustomization.yaml | 5 +++ keycloak/deployment/base/mapping.yaml | 10 +++++ keycloak/deployment/base/namespace.yaml | 4 ++ .../base/treetracker-keycloak-deployment.yml | 37 +++++++++++++++++++ .../base/treetracker-keycloak-service.yml | 17 +++++++++ .../overlays/development/kustomization.yaml | 2 + 7 files changed, 77 insertions(+) create mode 100644 keycloak/README.md create mode 100644 keycloak/deployment/base/kustomization.yaml create mode 100644 keycloak/deployment/base/mapping.yaml create mode 100644 keycloak/deployment/base/namespace.yaml create mode 100644 keycloak/deployment/base/treetracker-keycloak-deployment.yml create mode 100644 keycloak/deployment/base/treetracker-keycloak-service.yml create mode 100644 keycloak/deployment/overlays/development/kustomization.yaml diff --git a/keycloak/README.md b/keycloak/README.md new file mode 100644 index 00000000..f4edfb47 --- /dev/null +++ b/keycloak/README.md @@ -0,0 +1,2 @@ +# Solr + diff --git a/keycloak/deployment/base/kustomization.yaml b/keycloak/deployment/base/kustomization.yaml new file mode 100644 index 00000000..313903b5 --- /dev/null +++ b/keycloak/deployment/base/kustomization.yaml @@ -0,0 +1,5 @@ +resources: +- treetracker-keycloak-deployment.yml +- treetracker-keycloak-service.yml +- namespace.yaml +- mapping.yaml diff --git a/keycloak/deployment/base/mapping.yaml b/keycloak/deployment/base/mapping.yaml new file mode 100644 index 00000000..ca1b2450 --- /dev/null +++ b/keycloak/deployment/base/mapping.yaml @@ -0,0 +1,10 @@ +apiVersion: getambassador.io/v2 +kind: Mapping +metadata: + name: treetracker-keycloak-mapping + namespace: keycloak +spec: + hostname: "*" + prefix: /auth/ + service: treetracker-keycloak-service + rewrite: /auth/ 
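Review bot: The Mapping in mapping.yaml routes `prefix: /auth/` for `hostname: "*"`, which publishes the entire Keycloak tree — including `/auth/admin/` and the master realm — on every hostname Ambassador serves, while the Deployment in the same commit sets the admin password to `admin`. Pin the Mapping to the host the overlay actually owns (e.g. `hostname: "dev-k8s.treetracker.org"`) rather than the wildcard, and keep the admin console off the public edge, either by not routing `/auth/admin/` on the public Host or, if this Keycloak release supports it, by serving the console on a separate hostname via `KC_HOSTNAME_ADMIN`. A one-line comment above `prefix:` stating that this exposes the admin console as well would help the next reader.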
diff --git a/keycloak/deployment/base/namespace.yaml b/keycloak/deployment/base/namespace.yaml new file mode 100644 index 00000000..80e7888e --- /dev/null +++ b/keycloak/deployment/base/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: keycloak diff --git a/keycloak/deployment/base/treetracker-keycloak-deployment.yml b/keycloak/deployment/base/treetracker-keycloak-deployment.yml new file mode 100644 index 00000000..00ca63d4 --- /dev/null +++ b/keycloak/deployment/base/treetracker-keycloak-deployment.yml @@ -0,0 +1,37 @@ +apiVersion: "apps/v1" +kind: "Deployment" +metadata: + name: "treetracker-keycloak" + namespace: "keycloak" + labels: + app: "treetracker-keycloak" +spec: + replicas: 1 + selector: + matchLabels: + app: "treetracker-keycloak" + template: + metadata: + labels: + app: "treetracker-keycloak" + spec: + containers: + - name: "keycloak" + image: quay.io/keycloak/keycloak:18.0.2 + args: ["start-dev"] + env: + - name: KEYCLOAK_ADMIN + value: "admin" + - name: KEYCLOAK_ADMIN_PASSWORD + value: "admin" + - name: KC_PROXY + value: "edge" + - name: KC_HTTP_RELATIVE_PATH + value: "/auth" + #- name: PROXY_ADDRESS_FORWARDING + #value: "true" + #- name: KC_HOSTNAME_PATH + #value: "auth" + ports: + - name: http + containerPort: 8080 diff --git a/keycloak/deployment/base/treetracker-keycloak-service.yml b/keycloak/deployment/base/treetracker-keycloak-service.yml new file mode 100644 index 00000000..346461fe --- /dev/null +++ b/keycloak/deployment/base/treetracker-keycloak-service.yml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: treetracker-keycloak-service + annotations: + labels: + app: treetracker-keycloak + name: treetracker-keycloak-service + namespace: keycloak +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 8080 + selector: + app: treetracker-keycloak 
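Review bot: The Keycloak Deployment hard-codes `KEYCLOAK_ADMIN_PASSWORD` as `admin` in a manifest committed to git, and this series also exposes `/auth/` through Ambassador, so the admin console is reachable with default credentials. Source both admin variables from a Secret (created out of band or via a kustomize `secretGenerator`) and treat `admin`/`admin` as burned once pushed. Separately, `args: ["start-dev"]` runs Keycloak in development mode — by default the embedded dev database is used, so realm state lives in the pod, and the image itself warns that this mode is for local development only; if this base is reused by non-development overlays, switch to `start` with a configured `KC_DB` and hostname there.
```yaml
        env:
          - name: KEYCLOAK_ADMIN
            valueFrom:
              secretKeyRef:
                name: keycloak-admin
                key: username
          - name: KEYCLOAK_ADMIN_PASSWORD
            valueFrom:
              secretKeyRef:
                name: keycloak-admin
                key: password
          # … unchanged: KC_PROXY, KC_HTTP_RELATIVE_PATH, ports …
```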
diff --git a/keycloak/deployment/overlays/development/kustomization.yaml b/keycloak/deployment/overlays/development/kustomization.yaml new file mode 100644 index 00000000..6d0735b6 --- /dev/null +++ b/keycloak/deployment/overlays/development/kustomization.yaml @@ -0,0 +1,2 @@ +bases: + - ../../base From e68625e71dbcd1f57d1722a8fefdaf054e46891f Mon Sep 17 00:00:00 2001 From: deanchen Date: Tue, 5 Jul 2022 06:03:42 +0800 Subject: [PATCH 2/5] chore: timeout, debug --- keycloak/deployment/base/mapping.yaml | 1 + keycloak/deployment/base/treetracker-keycloak-deployment.yml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/keycloak/deployment/base/mapping.yaml b/keycloak/deployment/base/mapping.yaml index ca1b2450..eaf00ff9 100644 --- a/keycloak/deployment/base/mapping.yaml +++ b/keycloak/deployment/base/mapping.yaml @@ -8,3 +8,4 @@ spec: prefix: /auth/ service: treetracker-keycloak-service rewrite: /auth/ + timeout_ms: 60000 diff --git a/keycloak/deployment/base/treetracker-keycloak-deployment.yml b/keycloak/deployment/base/treetracker-keycloak-deployment.yml index 00ca63d4..81e3e72f 100644 --- a/keycloak/deployment/base/treetracker-keycloak-deployment.yml +++ b/keycloak/deployment/base/treetracker-keycloak-deployment.yml @@ -32,6 +32,8 @@ spec: #value: "true" #- name: KC_HOSTNAME_PATH #value: "auth" + - name: KC_LOG_LEVEL + value: "debug" ports: - name: http containerPort: 8080 From 6ec48f66e365f8f48b4a622cca10de526ecd0c03 Mon Sep 17 00:00:00 2001 From: deanchen Date: Tue, 5 Jul 2022 10:52:48 +0800 Subject: [PATCH 3/5] feat: ambassador listner --- ambassador/deployment.yaml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 ambassador/deployment.yaml diff --git a/ambassador/deployment.yaml b/ambassador/deployment.yaml new file mode 100644 index 00000000..c72d74f1 --- /dev/null +++ b/ambassador/deployment.yaml 
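Review bot: `KC_LOG_LEVEL: "debug"` is added to the base Deployment, so every overlay built from this base inherits debug logging; at that level Keycloak writes substantially more request and session detail to stdout, which lands in whatever log pipeline the cluster has. Move the variable into `overlays/development` as a kustomize patch on the Deployment and leave the base at the default level, and note in the README how to enable it. The `timeout_ms: 60000` on the Mapping is presumably for slow admin operations; a comment such as `# long admin-console requests; default 3s is too short` would record why a stalled Keycloak is allowed to hold an Envoy connection for a minute.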
@@ -0,0 +1,27 @@ +--- +apiVersion: getambassador.io/v3alpha1 +kind: Listener +metadata: + name: edge-stack-listener-8080 + namespace: ambassador +spec: + port: 8080 + protocol: HTTP + securityModel: XFP + hostBinding: + namespace: + from: ALL +--- +apiVersion: getambassador.io/v3alpha1 +kind: Listener +metadata: + name: edge-stack-listener-8443 + namespace: ambassador +spec: + port: 8443 + protocol: HTTPS + securityModel: XFP + hostBinding: + namespace: + from: ALL + From 2aaa5616aa9dd7ba16466192502a811654f420ba Mon Sep 17 00:00:00 2001 From: deanchen Date: Fri, 8 Jul 2022 17:13:11 +0800 Subject: [PATCH 4/5] feat: successful auth by external auth --- ambassador/deployment.yaml | 71 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/ambassador/deployment.yaml b/ambassador/deployment.yaml index c72d74f1..14643783 100644 --- a/ambassador/deployment.yaml +++ b/ambassador/deployment.yaml 
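Review bot: Both Listeners use `securityModel: XFP`, which makes Ambassador decide secure-vs-insecure from the request's `X-Forwarded-Proto` header; that is only safe when the listeners are reachable exclusively through a load balancer that overwrites that header, otherwise a client hitting 8080 can send `X-Forwarded-Proto: https` and defeat any `requestPolicy.insecure` redirect configured on a Host. If 8080 is exposed directly, use `securityModel: INSECURE` for it and `SECURE` for 8443; if it sits behind a terminating LB, a comment naming that LB as the trusted setter of the header would make the assumption explicit. `hostBinding.namespace.from: ALL` also lets a Host resource in any namespace attach to these listeners — if only Hosts in `ambassador` are intended, `from: SELF` is the tighter choice.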
@@ -25,3 +25,74 @@ spec: namespace: from: ALL +--- +#apiVersion: getambassador.io/v3alpha1 +#kind: Filter +#metadata: +# name: keycloak-filter +# namespace: ambassador +#spec: +# OAuth2: +# #authorizationURL: https://localhost/auth/realms/treetracker +# #authorizationURL: http://192.168.0.103/auth/realms/treetracker +# authorizationURL: https://test.dadiorxxx.com/auth/realms/master +# insecureTLS: true +# #authorizationURL: https://dev-k8s.treetracker.org/auth/realms/treetracker +# audience: ambassador +# clientID: ambassador +# secret: mANEOrGcmRsAx8tKX6Rky6WcDjdp3TXx +# protectedOrigins: +# - origin: https://test.dadiorxxx.com/backend +# +#--- +#apiVersion: getambassador.io/v3alpha1 +#kind: FilterPolicy +#metadata: +# name: httpbin-policy +# namespace: ambassador +#spec: +# rules: +# - host: "*" +# path: /backend/ +# filters: +# - name: keycloak-filter ## Enter the Filter name from above +# arguments: +# scope: +# - "offline_access" + +#--- +#apiVersion: getambassador.io/v3alpha1 +#kind: AuthService +#metadata: +# name: authentication +# namespace: ambassador +#spec: +# auth_service: "treetracker-auth-service.default:80" +# +--- +apiVersion: getambassador.io/v3alpha1 +kind: Filter +metadata: + name: "auth-filter" + namespace: "ambassador" +spec: + External: + auth_service: "http://treetracker-auth-service.default.svc.cluster.local" + proto: http + tls: false + +--- +apiVersion: getambassador.io/v3alpha1 +kind: FilterPolicy +metadata: + name: httpbin-policy + namespace: ambassador +spec: + rules: + - host: "*" + path: /backend/ + filters: + - name: auth-filter ## Enter the Filter name from above + arguments: + scope: + - "offline_access" From ab83020999a238e7ca06f8ba465f235eb36de406 Mon Sep 17 00:00:00 2001 
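Review bot: The commented-out OAuth2 Filter carries what looks like a real client secret (`secret: mANEOr…`) together with `insecureTLS: true`; commenting it out does not remove it from repository history, so that Keycloak client secret should be rotated, and when the OAuth2 path is revived the credential should be referenced via the Filter's `secretName` from a Kubernetes Secret rather than inline. The active `auth-filter` is of type `External`, which does not consume `arguments.scope` — that is an OAuth2 Filter argument — so the `scope: - "offline_access"` block under the FilterPolicy is dead configuration and should be removed so nobody assumes a scope check is happening. The FilterPolicy also only lists `/backend/`, so every other path routed by Ambassador (including `/auth/` from the earlier commit, which is presumably intended) bypasses the filter; a comment stating that the policy is allow-by-default would make that visible.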
From: deanchen Date: Tue, 26 Jul 2022 15:21:45 +0800 Subject: [PATCH 5/5] feat: keyclaok version, filter for ambassador --- ambassador/deployment.yaml | 11 +++++++++-- .../base/treetracker-keycloak-deployment.yml | 6 ++++-- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/ambassador/deployment.yaml b/ambassador/deployment.yaml index 14643783..88b59328 100644 --- a/ambassador/deployment.yaml +++ b/ambassador/deployment.yaml @@ -90,9 +90,16 @@ metadata: spec: rules: - host: "*" - path: /backend/ + path: /app/* filters: - name: auth-filter ## Enter the Filter name from above arguments: scope: - - "offline_access" + "offline_access" + - host: "*" + path: /api/* + filters: + - name: auth-filter ## Enter the Filter name from above + arguments: + scope: + "offline_access" diff --git a/keycloak/deployment/base/treetracker-keycloak-deployment.yml b/keycloak/deployment/base/treetracker-keycloak-deployment.yml index 81e3e72f..340b9fed 100644 --- a/keycloak/deployment/base/treetracker-keycloak-deployment.yml +++ b/keycloak/deployment/base/treetracker-keycloak-deployment.yml @@ -17,7 +17,7 @@ spec: spec: containers: - name: "keycloak" - image: quay.io/keycloak/keycloak:18.0.2 + image: quay.io/keycloak/keycloak:17.0.1 args: ["start-dev"] env: - name: KEYCLOAK_ADMIN @@ -33,7 +33,9 @@ spec: #- name: KC_HOSTNAME_PATH #value: "auth" - name: KC_LOG_LEVEL - value: "debug" + value: "trace" + - name: KC_FEATURES + value: scripts,upload_scripts ports: - name: http containerPort: 8080
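Review bot: The rewritten FilterPolicy rules replace `/backend/` with `/app/*` and `/api/*`, so `/backend/` is no longer behind `auth-filter`; if a Mapping for that prefix still exists it is now unauthenticated, and the commit message does not say that this is intended. FilterPolicy `path` is a glob, so verify against the gateway's glob semantics that `/api/*` matches nested paths like `/api/v1/trees` and the bare `/api` — if `*` stops at `/`, nested routes silently escape the filter. Both rules still carry a `scope` argument that the External filter ignores; dropping `arguments:` from both rules leaves a shorter, honest policy.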
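Review bot: `KC_FEATURES: scripts,upload_scripts` enables the deprecated script-upload feature, which lets anyone with admin-console access to a realm upload JavaScript that Keycloak executes server-side; combined with the `admin`/`admin` credentials and the public `/auth/` Mapping in this series, that is effectively remote code execution on the cluster. As far as I recall the Keycloak 18 line removed `upload_scripts`, which looks like the reason for moving the image from `18.0.2` back to `17.0.1` — so the downgrade also gives up the newer release's fixes. Package the required scripts as a provider JAR with `META-INF/keycloak-scripts.json` in the image instead, keep only `scripts` in `KC_FEATURES` if script authenticators/mappers are needed, and restore the newer image; `KC_LOG_LEVEL: "trace"` likewise should not live in the shared base.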