This article was written as a supplement to an existing one.
In this part I will describe how to install and configure:
- keycloak: an open source project. It provides a single sign-on point for applications. It works with many protocols, including LDAP and OpenID, which are the ones we are interested in.
- keycloak gatekeeper: a reverse proxy application that lets you put authorization via Keycloak in front of a service.
- gangway: a tool that generates a kubectl config with which you can log in and connect to the Kubernetes API via OpenID.
How authorization works in Kubernetes.
We can manage user and group rights with RBAC; plenty of articles have already been written about that, so I will not go into it in detail. The catch is that you can use RBAC to restrict user rights, but Kubernetes itself knows nothing about users. So we need a way to deliver users into Kubernetes. To do this we will add an OpenID provider to Kubernetes; the provider will vouch that a given user exists, and Kubernetes itself will grant that user rights.
Preparation
- You will need a Kubernetes cluster or minikube
- Active Directory
- Domains:
  keycloak.example.org
  kubernetes-dashboard.example.org
  gangway.example.org
- A certificate for the domains, or a self-signed certificate
I will not dwell on creating a self-signed certificate; you need to create two certificates: a root one (the Certificate Authority) and a wildcard client certificate for the *.example.org domain.
After obtaining or issuing the certificates, the client certificate must be added to Kubernetes; for this we create a secret:
kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pem
Next, we will use it for our Ingress controller.
Keycloak Installation
I decided that the simplest route is to use a ready-made solution for this, namely helm charts.
Add the repository and update it:
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update
Create a keycloak.yml file with the following contents:
keycloak.yml
keycloak:
  # Administrator name
  username: "test_admin"
  # Administrator password
  password: "admin"
  # These flags allow scripts to be uploaded into Keycloak directly through the web UI.
  # We will need this to fix one bug, described below.
  extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
  # Enable the ingress, set the hostname and the certificate we saved to secrets earlier
  ingress:
    enabled: true
    path: /
    annotations:
      kubernetes.io/ingress.class: nginx
      ingress.kubernetes.io/affinity: cookie
    hosts:
      - keycloak.example.org
    tls:
      - hosts:
          - keycloak.example.org
        secretName: tls-keycloak
  # Keycloak needs a database to work. For testing I deploy Postgresql directly
  # in Kubernetes; do not do this in production!
  persistence:
    deployPostgres: true
    dbVendor: postgres
postgresql:
  postgresUser: keycloak
  postgresPassword: ""
  postgresDatabase: keycloak
  persistence:
    enabled: true
Federation setup
Then open the web interface.
Click Add realm in the top-left corner and fill in:
Name: kubernetes
Display name: Kubernetes
Disable user email verification:
Client scopes -> Email -> Mappers -> Email verified (Delete)
We set up federation to import users from Active Directory; I will leave the screenshots below, I think they are self-explanatory.
User federation -> Add provider... -> ldap
Federation setup
If everything is fine, then after clicking the Synchronize all users button you will see a message about the successful import of users.
Next we need to map our groups:
User federation -> ldap_localhost -> Mappers -> Create
Creating a mapper
Client setup
Now we need to create a client; in Keycloak terms this is the application that will be authorized through it. I will highlight the important points in the screenshot in red.
Clients -> Create
Client setup
Let's create a scope for groups:
Client Scopes -> Create
Creating a scope
And set up a mapper for it:
Client Scopes -> groups -> Mappers -> Create
Mapper
Add the mapper for our groups to the Default Client Scopes:
Clients -> kubernetes -> Client Scopes -> Default Client Scopes
Select groups in Available Client Scopes and press Add selected.
We take the secret (and note it down) that we will use for authorization in Keycloak:
Clients -> kubernetes -> Credentials -> Secret
This completes the setup, but I ran into a bug: after a successful authorization I received a 403 error.
Fix:
Client Scopes -> roles -> Mappers -> Create
Mappers
Script code:
// add current client-id to token audience
token.addAudience(token.getIssuedFor());
// return token issuer as dummy result assigned to iss again
token.getIssuer();
Configuring Kubernetes
We need to tell the API server where our root certificate for the site is located and where the OIDC provider is.
To do this, edit the file /etc/kubernetes/manifests/kube-apiserver.yaml
kube-apiserver.yaml
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
    ...
Update the kubeadm config in the cluster:
kubeadm-config
kubectl edit -n kube-system configmaps kubeadm-config
...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
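To show what the --oidc-* flags above actually do with a Keycloak ID token, here is an added example (not code from the article or from Kubernetes) that reproduces the claim checks kube-apiserver performs once the token signature has been verified: issuer, audience, expiry, the username claim and the groups claim, plus the rule that a false email_verified claim rejects the token when the username claim is email. The 403 fixed by the script mapper earlier and the removal of the "Email verified" mapper both map onto those checks. The JWTs are constructed inline and carry an empty signature; real tokens are RS256-signed and must be verified against the issuer's keys first.

```python
import base64
import json
import time
from typing import Optional

# Settings mirroring the kube-apiserver --oidc-* flags configured above.
OIDC_ISSUER_URL = "https://keycloak.example.org/auth/realms/kubernetes"
OIDC_CLIENT_ID = "kubernetes"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_jwt(claims: dict) -> str:
    """Constructed compact JWT with an empty signature (demo input only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT (signature not checked here)."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def authenticate(claims: dict, now: Optional[float] = None) -> tuple:
    """Claim checks the API server applies after signature verification.
    Returns (username, groups); raises ValueError with the reason otherwise."""
    now = time.time() if now is None else now
    if claims.get("iss") != OIDC_ISSUER_URL:
        raise ValueError("iss does not match --oidc-issuer-url")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if OIDC_CLIENT_ID not in aud:
        # Without the script mapper's token.addAudience(...) a token's aud lacks
        # the client id and is rejected right here.
        raise ValueError("aud does not contain --oidc-client-id")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    username = claims.get(OIDC_USERNAME_CLAIM)
    if not username:
        raise ValueError(f"missing {OIDC_USERNAME_CLAIM} claim")
    # When the username claim is "email", a present-but-false email_verified
    # claim is fatal; an absent claim (the mapper was deleted) is accepted.
    if OIDC_USERNAME_CLAIM == "email" and claims.get("email_verified") is False:
        raise ValueError("email not verified")
    return username, list(claims.get(OIDC_GROUPS_CLAIM, []))
```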
Setting up the auth-proxy
You can use keycloak gatekeeper to protect your web application. Besides authorizing the user before the page is shown, this reverse proxy also passes information about the user to the upstream application in headers. So if your application supports OpenID, the user is authorized immediately. Let's take the Kubernetes Dashboard as an example.
Installing the Kubernetes Dashboard
helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml
values_dashboard.yaml
enableInsecureLogin: true
service:
  externalPort: 80
rbac:
  clusterAdminRole: true
  create: true
serviceAccount:
  create: true
  name: 'dashboard-test'
Setting up access rights:
Let's create a ClusterRoleBinding that grants cluster admin rights (the built-in ClusterRole cluster-admin) to the users in the DataOPS group.
kubectl apply -f rbac.yaml
rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dataops_group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: DataOPS
Install keycloak gatekeeper:
helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml
values_proxy.yaml
# Enable the ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
  path: /
  hosts:
    - kubernetes-dashboard.example.org
  tls:
    - secretName: tls-keycloak
      hosts:
        - kubernetes-dashboard.example.org
# Where we will authorize with the OIDC provider
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# Name of the client we created in Keycloak
ClientID: "kubernetes"
# The secret I asked you to note down
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Where to forward after successful authorization. Format: <SCHEMA>://<SERVICE_NAME>.<NAMESPACE>.<CLUSTER_NAME>
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# Skip certificate verification if we use a self-signed certificate
skipOpenidProviderTlsVerify: true
# Access rules: allow every path if we are in the DataOPS group
rules:
  - "uri=/*|groups=DataOPS"
After that, when you try to go to
gangway installation
For convenience, you can add gangway, which generates the kubectl config file we will use to log in to Kubernetes as our user.
helm install --name gangway stable/gangway -f values_gangway.yaml
values_gangway.yaml
gangway:
  # Arbitrary cluster name
  clusterName: "my-k8s"
  # Where our OIDC provider is
  authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
  tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
  audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
  # In theory the groups scope we mapped could be added here
  scopes: ["openid", "profile", "email", "offline_access"]
  redirectURL: "https://gangway.example.org/callback"
  # Client name
  clientID: "kubernetes"
  # Secret
  clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
  # With the default value the username will be taken as "First name Second name"; with "sub" it is the login
  usernameClaim: "sub"
  # Domain name or IP address of the API server
  apiServerURL: "https://192.168.99.111:8443"
# Enable the Ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
  path: /
  hosts:
    - gangway.example.org
  tls:
    - secretName: tls-keycloak
      hosts:
        - gangway.example.org
# If we use a self-signed certificate, it (the public root certificate) must be specified here.
trustedCACert: |-
  -----BEGIN CERTIFICATE-----
  <root CA certificate body omitted>
  -----END CERTIFICATE-----
It looks like this. It lets you quickly download the config file and set it up with a handful of commands:
Source: www.habr.com