This article was written as an addition to an existing one.
In this article I'll show you how to install and configure:
- Keycloak, an open-source project. It provides a single sign-on entry point for applications. It works with many protocols, including LDAP and OpenID, which are the ones we're interested in.
- keycloak-gatekeeper, a reverse proxy application that lets you authorize users through Keycloak.
- gangway, an application that generates a kubectl configuration with which you can log in and connect to the Kubernetes API via OpenID.
How permissions work in Kubernetes
We can manage user/group rights using RBAC; many articles have already been written about this, so I won't go into detail. The problem is that you can use RBAC to restrict a user's rights, but Kubernetes knows nothing about users. It turns out we need a way to deliver users to Kubernetes. To do this, we'll add an OpenID provider to Kubernetes, which will confirm that a given user really exists, and Kubernetes itself will grant the rights.
Preparation
- You'll need a Kubernetes cluster or minikube
- Helm (the installation steps below use Helm charts)
- Domains:
  keycloak.example.org
  kubernetes-dashboard.example.org
  gangway.example.org
- A certificate for the domains, or a self-signed certificate
I won't dwell on how to create a self-signed certificate; you need to create 2 certificates: the root one (the Certificate Authority) and a wildcard client certificate for the *.example.org domain.
Once you have obtained/issued the certificates, the client certificate must be added to Kubernetes, so we create a secret for it:
kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pem
Our Ingress controller will use it later.
Installing Keycloak
I decided the easiest way is to use ready-made solutions for this, namely helm charts.
Add the repository and update:
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update
Create the file keycloak.yml with the following content:
keycloak.yml
keycloak:
  # Administrator name
  username: "test_admin"
  # Administrator password
  password: "admin"
  # These flags allow uploading scripts into Keycloak directly through the web UI.
  # We'll need this to fix one bug, described below.
  extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
  # Enable ingress, set the hostname and the certificate we saved earlier in secrets
  ingress:
    enabled: true
    path: /
    annotations:
      kubernetes.io/ingress.class: nginx
      ingress.kubernetes.io/affinity: cookie
    hosts:
      - keycloak.example.org
    tls:
      - hosts:
          - keycloak.example.org
        secretName: tls-keycloak
  # Keycloak needs a database to work; for testing I deploy PostgreSQL directly in Kubernetes.
  # Don't do this in production!
  persistence:
    deployPostgres: true
    dbVendor: postgres
postgresql:
  postgresUser: keycloak
  postgresPassword: ""
  postgresDatabase: keycloak
  persistence:
    enabled: true
Federation setup
Next, go to the web interface.
Click Add realm in the top-left corner.
Key          | Value
name         | kubernetes
Display Name | Kubernetes
Disable user email verification:
Client Scopes -> email -> Mappers -> email verified (delete)
We set up federation to import users from ActiveDirectory; I'll leave screenshots below, I think it will be clearer that way.
User Federation -> Add provider... -> ldap
Federation setup
If everything is fine, after pressing the Synchronize all users button you'll see a message about a successful user import.
Next, we need to map our groups:
User Federation -> ldap_localhost -> Mappers -> Create
Creating a mapper
Client setup
We need to create a client; in Keycloak terms, this is an application that will be authorized through it. I've highlighted the important points in the screenshot in red.
Clients -> Create
Client setup
Let's create a scope for groups:
Client Scopes -> Create
Create scope
And a mapper for it.
Client Scopes -> groups -> Mappers -> Create
Mapper
Add the mapping of our groups to the Default Client Scopes:
Clients -> kubernetes -> Client Scopes -> Default Client Scopes
Select groups in Available Client Scopes and press Add selected.
We get the secret (and write it down) that we'll use for authorization in Keycloak:
Clients -> kubernetes -> Credentials -> Secret
This completes the setup, but I hit a bug: after a successful authorization I got a 403 error.
Fix:
Client Scopes -> roles -> Mappers -> Create
Mapper
Script code
// add current client-id to token audience
token.addAudience(token.getIssuedFor());
// return token issuer as dummy result assigned to iss again
token.getIssuer();
Kubernetes configuration
We need to tell Kubernetes where the root certificate for our site is, and where the OIDC provider is located.
To do this, edit the file /etc/kubernetes/manifests/kube-apiserver.yaml
kube-apiserver.yaml
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
...
Update the kubeadm config of the cluster:
kubeadm-config
kubectl edit -n kube-system configmaps kubeadm-config
...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
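The 403 fix above works by adding the client id to the token's audience, and the flags just shown tell the API server which claims it requires. The following helper is an added example (not from the article) that decodes an ID token's claims and lists what a kube-apiserver configured with these flags would reject; the issuer, client id and claim names are the page's values, the two tokens are constructed, unsigned samples.

```python
import base64
import json

# Values taken from this page's kube-apiserver configuration.
OIDC_ISSUER_URL = "https://keycloak.example.org/auth/realms/kubernetes"
OIDC_CLIENT_ID = "kubernetes"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"

def _b64url(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Payload claims of a JWT; no signature check (the API server does that)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url(payload))

def check_token_for_apiserver(claims: dict) -> list:
    """Reasons a kube-apiserver with the flags above would reject these claims."""
    problems = []
    if claims.get("iss") != OIDC_ISSUER_URL:
        problems.append(f"iss {claims.get('iss')!r} != {OIDC_ISSUER_URL!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if OIDC_CLIENT_ID not in aud:
        problems.append(f"aud {aud!r} lacks --oidc-client-id {OIDC_CLIENT_ID!r}")
    if not claims.get(OIDC_USERNAME_CLAIM):
        problems.append(f"missing username claim {OIDC_USERNAME_CLAIM!r}")
    if not isinstance(claims.get(OIDC_GROUPS_CLAIM), list):
        problems.append(f"groups claim {OIDC_GROUPS_CLAIM!r} missing or not a list")
    return problems

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) purely as sample input."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

COMMON = {"iss": OIDC_ISSUER_URL, "email": "user@example.org", "groups": ["DataOPS"]}
# Constructed sample: audience without the client id, the situation behind the 403 in the text.
TOKEN_BEFORE_FIX = make_unsigned_token({**COMMON, "aud": "account"})
# Constructed sample: the script mapper has added the client id to aud.
TOKEN_AFTER_FIX = make_unsigned_token({**COMMON, "aud": ["account", "kubernetes"]})

if __name__ == "__main__":
    for name, tok in (("before fix", TOKEN_BEFORE_FIX), ("after fix", TOKEN_AFTER_FIX)):
        print(name, check_token_for_apiserver(decode_claims(tok)) or "accepted")
```

Paste a real token from your own realm into decode_claims to see which of the four checks fails before enabling the script mapper.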
Setting up the auth-proxy
You can use keycloak-gatekeeper to protect your web application. Besides the fact that this reverse proxy authorizes the user before showing the page, it also passes information about the user to the upstream application in headers. So if your application supports OpenID, the user is authorized immediately. Consider the Kubernetes Dashboard as an example.
Installing Kubernetes Dashboard
helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml
values_dashboard.yaml
enableInsecureLogin: true
service:
  externalPort: 80
rbac:
  clusterAdminRole: true
  create: true
serviceAccount:
  create: true
  name: 'dashboard-test'
Setting access rights:
Let's create a ClusterRoleBinding that grants admin rights (the cluster-admin ClusterRole) to users of the DataOPS group.
kubectl apply -f rbac.yaml
rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dataops_group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: DataOPS
Install keycloak-gatekeeper:
helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml
values_proxy.yaml
# Enable ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
  path: /
  hosts:
    - kubernetes-dashboard.example.org
  tls:
    - secretName: tls-keycloak
      hosts:
        - kubernetes-dashboard.example.org
# Where we authorize against the OIDC provider
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# Name of the client we created in Keycloak
ClientID: "kubernetes"
# The secret I asked you to write down
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Where to forward the request after successful authorization. Format: <SCHEMA>://<SERVICE_NAME>.<NAMESPACE>.<CLUSTER_NAME>
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# Skip certificate verification if we use a self-signed certificate
skipOpenidProviderTlsVerify: true
# Access rules: allow every path if we are in the DataOPS group
rules:
  - "uri=/*|groups=DataOPS"
After that, when you try to go to
Installing gangway
For convenience, you can add gangway, which will generate a kubectl configuration file with which we'll get into Kubernetes as our users.
helm install --name gangway stable/gangway -f values_gangway.yaml
values_gangway.yaml
gangway:
  # Arbitrary cluster name
  clusterName: "my-k8s"
  # Where our OIDC provider is
  authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
  tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
  audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
  # In theory, the groups scope we mapped could be added here
  scopes: ["openid", "profile", "email", "offline_access"]
  redirectURL: "https://gangway.example.org/callback"
  # Client name
  clientID: "kubernetes"
  # Secret
  clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
  # With the default value, "First name Second name" is used as the username; with "sub" it is the login
  usernameClaim: "sub"
  # Domain name or IP address of the API server
  apiServerURL: "https://192.168.99.111:8443"
  # If we use a self-signed certificate, it (the public root certificate) must be specified here.
  trustedCACert: |-
    -----BEGIN CERTIFICATE-----
    <root CA certificate in PEM form goes here>
    -----END CERTIFICATE-----
# Enable Ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
  path: /
  hosts:
    - gangway.example.org
  tls:
    - secretName: tls-keycloak
      hosts:
        - gangway.example.org
It looks like this. It lets you download the config file right away or generate it with a set of commands:
Source: www.habr.com