Merge pull request #49 from cetic/feature/keycloak

Add Keycloak authentication
cetic · May 27, 2022 · 211e003 · 211e003
2 parents ec8a02f + 8150729
commit 211e003
Show file tree

Hide file tree

Showing 4 changed files with 122 additions and 8 deletions.
diff --git a/Chart.yaml b/Chart.yaml
@@ -1,8 +1,8 @@
 ---
 apiVersion: v2
 name: fadi
-version: 0.3.0
-appVersion: 0.3.0
+version: 0.3.1
+appVersion: 0.3.1
 description: FADI is a Cloud Native platform for Big Data based on mature open source tools. 
 keywords:
   - fadi
@@ -139,3 +139,7 @@ dependencies:
   version: ~1.7.1
   repository: https://charts.jetstack.io
   condition: cert-manager.enabled
+- name: keycloak
+  version: ~2.4.7
+  repository: https://charts.bitnami.com/bitnami
+  condition: keycloak.enabled
diff --git a/templates/cert.yaml b/templates/cert.yaml
@@ -75,4 +75,22 @@ spec:
 ---
 {{- end }}
 
+{{- if .Values.keycloak.traefikIngress.tls -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.keycloak.traefikIngress.host }}
+  namespace: default
+  labels:
+    "use-http01-solver": "true"
+spec:
+  secretName: {{ .Values.keycloak.traefikIngress.host }}
+  issuerRef:
+    name: fadi-letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - {{ .Values.keycloak.traefikIngress.host }}
+---
+{{- end }}
+
 {{ end }}
diff --git a/templates/ingressroutes.yaml b/templates/ingressroutes.yaml
@@ -167,6 +167,45 @@ spec:
 ---
 {{- end }}
 
+{{- if and (.Values.keycloak.enabled) (.Values.keycloak.traefikIngress.enabled) -}}
+{{- if .Values.keycloak.traefikIngress.tls }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: keycloak
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - kind: Rule
+    match: Host(`{{ .Values.keycloak.traefikIngress.host }}`) && PathPrefix(`/`)
+    services:
+      - name: {{ .Release.Name }}-keycloak
+        port: 80
+  tls:
+    secretName: {{ .Values.keycloak.traefikIngress.host }}  
+---
+{{- end }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: keycloak-http
+spec:
+  entryPoints:
+    - web
+  routes:
+  - kind: Rule
+    match: Host(`{{ .Values.keycloak.traefikIngress.host }}`) && PathPrefix(`/`)
+    services:
+    - name: {{ .Release.Name }}-keycloak
+      port: 80
+    {{- if .Values.keycloak.traefikIngress.tls }}
+    middlewares:
+      - name: https-redirect
+    {{- end }}
+---
+{{- end }}
+
 {{- if .Values.clusterIssuer.enabled }}
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware

diff --git a/values.yaml b/values.yaml
@@ -140,7 +140,7 @@ postgresql:
       psql -c "create database zabbix;" postgres admin
 
 minio:
-  enabled: true
+  enabled: false
   persistence:
     enabled: true
     size: 50Gi
@@ -170,6 +170,17 @@ grafana:
       enabled: true
       allow_sign_up: true
       config_file: /etc/grafana/ldap.toml
+    auth.generic_oauth:
+      enabled: false
+      scopes: openid email profile
+      name: Keycloak
+      tls_skip_verify_insecure: false
+      allow_sign_up: true
+      client_id: <your_client_id>
+      client_secret: <your_client_secret>
+      auth_url: http://<your_keycloak_URL>/auth/realms/<your_realm>/protocol/openid-connect/auth
+      token_url: http://<your_keycloak_URL>/auth/realms/<your_realm>/protocol/openid-connect/token
+      api_url: http://<your_keycloak_URL>/auth/realms/<your_realm>/protocol/openid-connect/userinfo
     auth.azuread:
       name: Azure AD
       enabled: false
@@ -182,7 +193,7 @@ grafana:
       allowed_domains:
       allowed_groups:
     server:
-      root_url: https://grafana.example.cetic.be  # change to your grafana domainname
+      root_url: http://grafana.example.cetic.be  # change to your grafana domainname
   # Enable persistence
   persistence:
     enabled: true
@@ -287,7 +298,20 @@ jupyterhub:
       #   tenant_id: <your_tenant_id>
       # JupyterHub:
       #   authenticator_class: azuread
-  # ---- auth ----
+    # ---- Uncomment this blok to enable Keycloak authentication ----
+      # GenericOAuthenticator:
+      #   client_id: <your_client_id>
+      #   client_secret: <your_client_secret>
+      #   oauth_callback_url: http://<your_jupyterhub_domain_name>/hub/oauth_callback
+      #   authorize_url: http://<your_keycloak_URL>/auth/realms/<your_realm>/protocol/openid-connect/auth
+      #   token_url: http://<your_keycloak_URL>/auth/realms/<your_realm>/protocol/openid-connect/token
+      #   userdata_url: http://<your_keycloak_URL>/auth/realms/<your_realm>/protocol/openid-connect/userinfo
+      #   login_service: keycloak
+      #   username_key: email 
+      #   userdata_params:
+      #     state: state
+      # JupyterHub:
+      #   authenticator_class: generic-oauth
   prePuller:
     hook:
       enabled: false
@@ -311,7 +335,7 @@ nifi:
     httpsPort: 8443
     webProxyHost: nifi.example.cetic.be # set it by the same host than nifi.traefikIngress.host if traefik ingress is enabled
     clusterPort: 6007
-    customLibPath: "/opt/configuration_resources/custom_lib"
+    # customLibPath: "/opt/configuration_resources/custom_lib"
   auth:
     admin: CN=admin, OU=NIFI
     SSL:
@@ -336,8 +360,8 @@ nifi:
       authExpiration: 12 hours
     oidc:
       enabled: false
-      discoveryUrl: https://login.microsoftonline.com/<your_tenant_id>/v2.0/.well-known/openid-configuration
-      clientId: <your_application_id>
+      discoveryUrl: https://<your_keycloak_URL>/auth/realms/<your_realm>/.well-known/openid-configuration
+      clientId: <your_client_id>
       clientSecret: <your_client_secret>
       claimIdentifyingUser: email
       admin: <your_admin_email>
@@ -645,3 +669,32 @@ clusterIssuer:
   enabled: false
   prod: false
   email: <your_e-mail_address>
+
+keycloak:
+  enabled: true
+  service:
+    type: ClusterIP
+  auth:
+    ## Create administrator user on boot.
+    ##
+    createAdminUser: true
+    ## Keycloak administrator user and password
+    ##
+    adminUser: admin
+    adminPassword: "password1"
+    ## Wildfly management user and password
+    ##
+    managementUser: manager
+    managementPassword: "password2"
+  postgresql:
+    enabled: false
+  externalDatabase:
+    host: "fadi-postgresql"
+    port: 5432
+    user: admin
+    password: "Z2JHHezi4aAA"
+    database: postgres
+  traefikIngress:
+    enabled: true
+    tls: false
+    host: keycloak.example.cetic.be  # change to your keycloak domainname