@pepr/keycloak-authsvc

This capability is designed to automate the manual steps required to integrate new applications into Big Bang.

Source: npm
Version: 0.4.1

Pepr Module

This is a Pepr Module intended to be imported into your own Pepr Module. Pepr is a Kubernetes transformation system written in TypeScript. To use this module:

  • run npm i @pepr/keycloak-authsvc.
  • add the import to your pepr.ts file: import KeycloakAuthSvc from "@pepr/keycloak-authsvc".
  • add the KeycloakAuthSvc entry to the PeprModule capability array.

Keycloak Istio Authsvc Capability

This capability is designed to automate the manual steps required to integrate new applications into the Big Bang IdAM solution.

Pre-reqs

The installation must be complete for keycloak, authservice and istio. It's best to use the bigbang chart to deploy these.

Keycloak setup:

  • Must be resolvable via https://keycloak.${domain} (or whatever domain you set up) inside the cluster; authservice requires TLS even with mTLS.
  • The admin user and password must be stored in a secret in namespace keycloak, object keycloak-env
  • pepr does not need special access to this namespace beyond the mutating webhook.

authservice setup:

  • must be in namespace authservice
  • must have a secret called authservice that contains the config.json
  • pepr needs access to this namespace
    • full access to secrets (to read/write the client secrets, and update the authservice config)
    • will roll the authservice deployment via a restartedAt label (patch)

Istio setup:

  • must have its mesh aware of authservice (in the istio-system namespace, configmap istio)
  • Istio objects must be created by the istio setup
    • peerauthentications.security.istio.io
    • authorizationpolicies.security.istio.io (authz)
    • requestauthentications.security.istio.io (authn)

How to trigger the SSO pepr module:

Realm setup:

If the realm does not already exist, there are two ways to create it (the realm can also be pre-created):

  • From a secret: this creates a plain old demo realm with no configuration.
    kubectl create secret generic configrealm -n keycloak --from-literal=realm=demo --from-literal=domain=bigbang.dev
    kubectl label secret configrealm -n keycloak todo=createrealm
  • From a configmap export: a realm exported with Keycloak's UI can be imported with this method. It is recommended not to export the clients. All the realm info will be imported, but any clients in the import are ignored, so removing them keeps the export smaller and more flexible. Keycloak's database enforces some primary key constraints, so importing more than one realm by modifying the realm name in the import is not recommended.
    kubectl create cm configrealm -n podinfo --from-file=realmJson --from-literal=domain=bigbang.dev
    kubectl label cm configrealm -n podinfo  todo=createrealm

Client setup:

Setting up a client for an application is the primary use of this module. The steps below kick off the process for an example app called podinfo.

Before this application can be secured, the application deployment/statefulset that will be secured (via Istio virtual service/gateway) must have this in its spec:

spec:
  template:
    metadata:
      labels:
        protect: keycloak

All the virtual services and the gateway should be set up at application deployment time. Before you create the client, try to access the service externally: you should see a permission denied, since it is not yet set up in authservice or Keycloak.

kubectl create secret generic configclient -n podinfo --from-literal=realm=demo --from-literal=id=podinfo --from-literal=name=podinfo --from-literal=domain=bigbang.dev
kubectl label secret configclient -n podinfo  todo=createclient

This performs several tasks:

  • reads the kubernetes secret
  • contacts keycloak to generate the client secret
  • writes the Keycloak client data into the authservice namespace as a secret called mission-${name} (mission-podinfo in this case)
  • regenerates the namespace authservice named secret authservice to include the new client secret in its configuration
  • restarts the authservice deployment

Deployment

TBD

How to deploy this module

Use pepr build and pepr deploy

How to validate this module is working properly

See above.
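The pre-reqs and the client-setup steps above can be checked from the command line. The script below is an added example, not code from the @pepr/keycloak-authsvc package; it assumes kubectl is on PATH, that the namespaces and object names are the ones named above (keycloak/keycloak-env, authservice/authservice, istio-system/istio, mission-<name>), and that the KUBECTL variable may be overridden (for instance with a stub) when exercising the functions without a cluster.

```shell
#!/usr/bin/env bash
# Added example (not part of @pepr/keycloak-authsvc): pre-flight and
# post-trigger checks for the Keycloak/authservice integration procedure.
# KUBECTL can be overridden so the functions can be exercised without a cluster.
KUBECTL="${KUBECTL:-kubectl}"

# Return 0 when a namespaced object exists, 1 otherwise.  Args: kind namespace name
k8s_exists() {
  "$KUBECTL" get "$1" -n "$2" "$3" >/dev/null 2>&1
}

# Pre-reqs from the README: the Keycloak admin secret, the authservice
# config secret, and the Istio mesh configmap in istio-system.
preflight() {
  local rc=0
  k8s_exists secret keycloak keycloak-env   || { echo "missing secret keycloak/keycloak-env"; rc=1; }
  k8s_exists secret authservice authservice || { echo "missing secret authservice/authservice"; rc=1; }
  k8s_exists configmap istio-system istio   || { echo "missing configmap istio-system/istio"; rc=1; }
  return $rc
}

# The workload to be protected must carry protect=keycloak on its pod template.
# Args: namespace kind name
workload_labelled() {
  [ "$("$KUBECTL" get "$2" -n "$1" "$3" -o jsonpath='{.spec.template.metadata.labels.protect}' 2>/dev/null)" = "keycloak" ]
}

# After the configclient secret is labelled todo=createclient, the module
# writes mission-<name> into the authservice namespace; poll until it appears.
# Args: name timeout_seconds
wait_for_client_secret() {
  local i=0
  until k8s_exists secret authservice "mission-$1"; do
    i=$((i + 1))
    [ "$i" -ge "$2" ] && return 1
    sleep 1
  done
}

# Manual usage, after creating and labelling the configclient secret:
#   preflight && workload_labelled podinfo deployment podinfo && wait_for_client_secret podinfo 60
```

Each function exits non-zero on the first unmet condition, so the chained usage line stops at the exact step that needs attention.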

Keywords: pepr

Package last updated on 21 Jun 2023
