#
# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Nordix Foundation.
+# Copyright (C) 2022-2023 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
metadata:
name: jwt-proxy-webhook
namespace: default
+ annotations:
+ cert-manager.io/inject-ca-from: default/webhook-server-cert
webhooks:
- name: rapps-webhook.default.svc.cluster.local
admissionReviewVersions:
app.kubernetes.io/name: rapp-helloworld-invoker1
clientConfig:
service:
- name: jwt-proxy-admission-controller
+ name: jwt-proxy-admission-controller
namespace: default
path: "/inject-sidecar"
- caBundle: "${CA_PEM_B64}"
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
Prerequisites: Istio should be installed on your cluster with the demo profile. You may need to add istioctl to you $PATH variable.
istioctl install --set profile=demo
Please refer to the istio documentation for more information.
-You will also need cfssl installed on your system: sudo apt install golang-cfssl
Please refer to the K8s documentation: Manage TLS Certificates in a Cluster
The deployments have been implemented and tested using minikube.
If you are not using minikube, references to "minikube ip" should be changed to the appropiate value for you host.
+The ipAddresses field in cluster-issuer.yaml not referring to the generic localhost ip should be changed to your own ip.
To replicate these tests you will need to setup the various host path referenced in the yaml files on your own machine.
chartmuseum.yaml: path: /var/chartmuseum/charts
-keycloak.yaml: path: /var/keycloak/certs
postgres.yaml: path: "/var/keycloak/data2"
-rapps-keycloak-mgr.yaml: path: /var/rapps/certs
-rapps-webhook.yaml: "-hostPath", "/var/rapps/certs"
or change them to match your own setup.
-The certs directory contains 3 shell scripts for creating the server, client and webhook certs: server_certs.sh, client_certs.sh and webhook_certs.sh
-Keystores/Truststores generated by the server_certs.sh script: server.keystore and server.truststore go in the "/var/keycloak/certs" directory
-Certs generated by the client_certs.sh script: client.crt, client.key and rootCA.crt go in the "/var/rapps/certs" directory
-The webhook_certs.sh script generates certs for use in the MutatingWebhookConfiguration.yaml and the rapps-webhook.yaml files.
-To configure MutatingWebhookConfiguration.yaml run the following commands:
-1. ca_pem_b64="$(openssl base64 -A <"./certs/ca.pem")"
-2. sed -i 's/${CA_PEM_B64}/'"$ca_pem_b64"'/g' MutatingWebhookConfiguration.yaml
-
-To configure rapps-webhook.yaml append the rapps-webhook-tls.yaml file to the end of it
-1. cat rapps-webhook.yaml ./certs/rapps-webhook-tls.yaml >> rapps-webhook.yaml.tmp
-2. mv rapps-webhook.yaml.tmp rapps-webhook.yaml
-
Create the istio-nonrtric namespace and enable it for istio injection
kubectl create ns istio-nonrtric
helm package rapp-helloworld-invoker2
scp -i $(minikube ssh-key) rapp-helloworld-invoker2-0.1.0.tgz docker@$(minikube ip):/var/chartmuseum/charts
+Start cert-manager using the following command:
+ ./cert-manager.sh deploy
-Start keycloak and postgres in the default namespace with istio injection:
+Copy keycloak client certs into the istio-nonrtric namespace by running:
+ ./copy_tls_secret.sh -n cm-keycloak-client-certs -s default -d istio-nonrtric
-Run ./keycloak.sh deploy
+Start keycloak and postgres in the default namespace with istio injection by running:
+
+ ./keycloak.sh deploy
To start the management pods run:
You can also uninstall individual rapp using the undeploy_rapp.sh script.
e.g. ./undeploy_rapp.sh rapp-helloworld-provider
-Remove postgres and keycloak with the following commands:
+Remove postgres and keycloak with the following command:
./keycloak.sh undeploy
+
+Remove cert-manager with the following command:
+ ./cert-manager.sh undeploy
--- /dev/null
+#!/bin/bash
+#
+# ============LICENSE_START=======================================================
+# Copyright (C) 2023 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+#
+
+if [ -z "$1" ]
+ then
+ echo "No argument supplied"
+ exit 1
+fi
+
+OPERATION=$1
+WORKDIR=$(dirname "$(realpath "$0")")
+
+if [ "$OPERATION" == "deploy" ]; then
+ echo "Deploying cert-manager application..."
+ echo "-------------------------------------"
+ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
+ echo ""
+ echo "Waiting for pods to start..."
+ echo "----------------------------"
+ kubectl wait deployment -n cert-manager cert-manager --for=condition=available --timeout=300s
+ kubectl wait deployment -n cert-manager cert-manager-cainjector --for=condition=available --timeout=300s
+ kubectl wait deployment -n cert-manager cert-manager-webhook --for=condition=available --timeout=300s
+ echo ""
+ echo "Checking pod status..."
+ echo "----------------------"
+ kubectl get pods -n cert-manager
+ echo ""
+ # Once the pods are up and running we still need to wait for the certificate controller process to start
+ # before certificates can be issued
+ echo "Waiting for certificate controller..."
+ echo "------------------------------------"
+ sleep 100
+ echo ""
+ echo "Creating certificates..."
+ echo "------------------------"
+ kubectl apply -f $WORKDIR/cluster-issuer.yaml
+ kubectl apply -f $WORKDIR/issuer.yaml
+ kubectl apply -f $WORKDIR/webhook-server-certificate.yaml
+ kubectl apply -f $WORKDIR/keycloak-server-certificate.yaml
+ kubectl apply -f $WORKDIR/keycloak-client-certificate.yaml
+elif [ "$OPERATION" == "undeploy" ]; then
+ echo "Deleting certificates..."
+ echo "------------------------"
+ kubectl delete -f $WORKDIR/cluster-issuer.yaml
+ kubectl delete -f $WORKDIR/issuer.yaml
+ kubectl delete -f $WORKDIR/webhook-server-certificate.yaml
+ kubectl delete -f $WORKDIR/keycloak-server-certificate.yaml
+ kubectl delete -f $WORKDIR/keycloak-client-certificate.yaml
+ kubectl delete secret -n default cm-cluster-issuer-rootca-secret
+ kubectl delete secret -n default cm-keycloak-client-certs
+ kubectl delete secret -n default cm-keycloak-server-certs
+ kubectl delete secret -n default cm-webhook-server-certs
+ echo "Undeploying cert-manager application..."
+ echo "---------------------------------------"
+ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
+else
+ echo "Unrecogized operation ${OPERATION}"
+ exit 1
+fi
+
+exit 0
#
# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Nordix Foundation.
+# Copyright (C) 2022-2023 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
realm: demo
client: demoprovider-cli
authenticator: client-jwt
+ caCrt: "/certs/ca.crt"
+ tlsCrt: "/certs/tls.crt"
+ tlsKey: "/certs/tls.key"
roles:
- role : provider-viewer
grants:
#
# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Nordix Foundation.
+# Copyright (C) 2022-2023 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
realm: demo
client: demoprovider-cli
authenticator: client-jwt
+ caCrt: "/certs/ca.crt"
+ tlsCrt: "/certs/tls.crt"
+ tlsKey: "/certs/tls.key"
roles:
- role : provider-viewer
grants:
#
# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Nordix Foundation.
+# Copyright (C) 2022-2023 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
realm: demo
client: demoprovider-cli
authenticator: client-jwt
+ tlsCrt: "/certs/tls.crt"
+ email: "client@mail.com"
+ subjectDN: oran
+ mappingSource: "Subject's Alternative Name E-mail"
roles:
- role : provider-viewer
grants:
--- /dev/null
+#
+# ============LICENSE_START=======================================================
+# Copyright (C) 2023 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+#
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: selfsigned-rootca-cluster-issuer
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: selfsigned-rootca
+ namespace: default
+spec:
+ isCA: true
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ commonName: selfsigned-rootca
+ subject:
+ organizations:
+ - oran
+ organizationalUnits:
+ - oran
+ countries:
+ - Ireland
+ localities:
+ - Dublin
+ streetAddresses:
+ - Main Street
+ secretName: cm-cluster-issuer-rootca-secret
+ privateKey:
+ rotationPolicy: Always
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ issuerRef:
+ name: selfsigned-rootca-cluster-issuer
+ kind: ClusterIssuer
+ group: cert-manager.io
+ dnsNames:
+ - localhost
+ - minikube
+ ipAddresses:
+ - 127.0.0.1
+ - 192.168.49.2
+ emailAddresses:
+ - ca@mail.com
+---
--- /dev/null
+#!/bin/bash
+#
+# ============LICENSE_START=======================================================
+# Copyright (C) 2023 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+#
+
+function usage()
+{
+ echo ""
+ echo "Usage: $0 -n secretName -s sourceNamespace -d destinationNamespace"
+ echo -e "\t-n Name of the secret"
+ echo -e "\t-s Namespace of the secret"
+ echo -e "\t-d Namespace to copy the secret to"
+ exit 1
+}
+
+while getopts "n:s:d:" opt
+do
+ case "$opt" in
+ n ) secretName="$OPTARG" ;;
+ s ) sourceNS="$OPTARG" ;;
+ d ) destinationNS="$OPTARG" ;;
+ ? ) usage ;;
+ esac
+done
+
+# Check if any of the paramters are empty
+if [ -z "$secretName" ] || [ -z "$sourceNS" ] || [ -z "$destinationNS" ]
+then
+ echo "Some or all of the parameters are empty";
+ usage
+fi
+
+# Check if the secret exits
+kubectl get secret $secretName -n $sourceNS >/dev/null 2>/dev/null
+if [ $? -ne 0 ]
+then
+ echo "$secretName in $sourceNS does not exist"
+ usage
+fi
+
+# Check if the destination namespace exists
+kubectl get ns $destinationNS >/dev/null 2>/dev/null
+if [ $? -ne 0 ]
+then
+ echo "$destinationNS does not exist"
+ usage
+fi
+
+# Begin script in case all parameters are correct
+echo "Copying $secretName from $sourceNS to $destinationNS"
+
+tlsCrt=$(kubectl get secret ${secretName} -n ${sourceNS} -o json -o=jsonpath="{.data.tls\.crt}")
+tlsKey=$(kubectl get secret ${secretName} -n ${sourceNS} -o json -o=jsonpath="{.data.tls\.key}")
+caCrt=$(kubectl get secret ${secretName} -n ${sourceNS} -o json -o=jsonpath="{.data.ca\.crt}")
+
+kubectl apply -f - <<EOF
+apiVersion: v1
+data:
+ tls.crt: ${tlsCrt}
+ tls.key: ${tlsKey}
+ ca.crt: ${caCrt}
+kind: Secret
+metadata:
+ name: ${secretName}
+ namespace: ${destinationNS}
+type: kubernetes.io/tls
+EOF
--- /dev/null
+#
+# ============LICENSE_START=======================================================
+# Copyright (C) 2023 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+#
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: cm-ca-issuer
+ namespace: default
+spec:
+ ca:
+ secretName: cm-cluster-issuer-rootca-secret
--- /dev/null
+#
+# ============LICENSE_START=======================================================
+# Copyright (C) 2023 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+#
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: keycloak-client-cert
+ namespace: default
+spec:
+ secretName: cm-keycloak-client-certs
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - oran
+ organizationalUnits:
+ - oran
+ countries:
+ - IE
+ localities:
+ - Dublin
+ streetAddresses:
+ - Main Street
+ commonName: keycloak
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ usages:
+ - client auth
+ dnsNames:
+ - keycloak.default
+ - keycloak
+ - keycloak.est.tech
+ emailAddresses:
+ - client@mail.com
+ issuerRef:
+ name: cm-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
--- /dev/null
+#
+# ============LICENSE_START=======================================================
+# Copyright (C) 2023 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+#
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cm-keycloak-jwk-pw
+ namespace: default
+type: Opaque
+data:
+ password: Y2hhbmdlaXQ=
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: keycloak-server-cert
+ namespace: default
+spec:
+ secretName: cm-keycloak-server-certs
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - oran
+ organizationalUnits:
+ - oran
+ countries:
+ - IE
+ localities:
+ - Dublin
+ streetAddresses:
+ - Main Street
+ commonName: keycloak
+ isCA: false
+ keystores:
+ jks:
+ create: true
+ passwordSecretRef:
+ name: cm-keycloak-jwk-pw
+ key: password
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ usages:
+ - server auth
+ dnsNames:
+ - keycloak.default
+ - keycloak
+ - keycloak.est.tech
+ emailAddresses:
+ - server@mail.com
+ issuerRef:
+ name: cm-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
#
# ============LICENSE_START=======================================================
-# Copyright (C) 2022-2023 Nordix Foundation.
+# Copyright (C) 2022-23 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
apiVersion: v1
kind: ServiceAccount
metadata:
- name: keycloak
+ name: keycloak
namespace: default
---
apiVersion: v1
name: keycloak
labels:
app: keycloak
+ app.kubernetes.io/instance: keycloak
+ app.kubernetes.io/name: keycloak
spec:
type: ExternalName
- externalName: keycloak.local
+ externalName: keycloak.local
ports:
- name: http
port: 8080
targetPort: 8080
- nodePort: 31560
+ nodePort: 31560
- name: https
port: 8443
targetPort: 8443
namespace: default
labels:
app: keycloak
+ app.kubernetes.io/instance: keycloak
+ app.kubernetes.io/name: keycloak
spec:
replicas: 1
selector:
metadata:
labels:
app: keycloak
+ app.kubernetes.io/instance: keycloak
+ app.kubernetes.io/name: keycloak
spec:
initContainers:
- name: init-postgres
image: busybox
- imagePullPolicy: IfNotPresent
+ imagePullPolicy: IfNotPresent
command: ['sh', '-c', 'until nc -vz postgres 5432; do echo waiting for postgres db; sleep 2; done;']
- serviceAccountName: keycloak
+ serviceAccountName: keycloak
containers:
- name: keycloak
image: quay.io/keycloak/keycloak:latest
- imagePullPolicy: IfNotPresent
- args: [
+ imagePullPolicy: IfNotPresent
+ args: [
'start',
- '--https-key-store-file=/etc/x509/https/server.keystore',
- '--https-key-store-password=changeit',
- '--https-key-store-type=PKCS12',
- '--https-trust-store-file=/etc/x509/https/server.truststore',
- '--https-trust-store-password=changeit',
- '--https-trust-store-type=PKCS12',
+ '--https-key-store-file=/etc/x509/https/keystore.jks',
+ '--https-key-store-password=$(KC_KEYSTORE_PASSWORD)',
+ '--https-key-store-type=JKS',
+ '--https-trust-store-file=/etc/x509/https/truststore.jks',
+ '--https-trust-store-password=$(KC_KEYSTORE_PASSWORD)',
+ '--https-trust-store-type=JKS',
'--https-client-auth=request',
'--http-enabled=true'
]
-
env:
- - name : X509_CA_BUNDLE
- value: /etc/x509/https/rootCA.crt
- - name : KEYCLOAK_ADMIN
- value: admin
- - name : KEYCLOAK_ADMIN_PASSWORD
- value: admin
- - name : KC_DB
- value: postgres
- - name : KC_DB_URL
- value: "jdbc:postgresql://postgres:5432/keycloak"
+ - name : KEYCLOAK_ADMIN
+ value: admin
+ - name : KEYCLOAK_ADMIN_PASSWORD
+ value: admin
+ - name : KC_DB
+ value: postgres
+ - name : KC_DB_URL
+ value: "jdbc:postgresql://postgres:5432/keycloak"
- name : KC_DB_USERNAME
value: keycloak
- name : KC_DB_PASSWORD
value: keycloak
- name : KC_HOSTNAME
- value: keycloak
- - name : MY_PROVIDER_JAR_URL
- value: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
+ value: keycloak
+ - name: KC_DB_URL_DATABASE
+ value: keycloak
+ - name : MY_PROVIDER_JAR_URL
+ value: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
- name: KC_HEALTH_ENABLED
value: "true"
- - name: KC_METRICS_ENABLED
+ - name: KC_METRICS_ENABLED
value: "true"
+ - name: KC_KEYSTORE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: cm-keycloak-jwk-pw
+ key: password
ports:
- name: http
containerPort: 8080
containerPort: 8443
readinessProbe:
httpGet:
- scheme: HTTPS
- path: /health/ready
+ scheme: HTTPS
+ path: /health/ready
port: 8443
volumeMounts:
- - name: keycloak-certs
- mountPath: /etc/x509/https
- - name: authz-js-policies
- mountPath: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
+ - name: keycloak-certs
+ mountPath: /etc/x509/https
+ readOnly: true
+ - name: authz-js-policies
+ mountPath: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
volumes:
- - name: keycloak-certs
+ - name: keycloak-certs
+ secret:
+ secretName: cm-keycloak-server-certs
+ - name: authz-js-policies
hostPath:
- path: /var/keycloak/certs
- type: Directory
- - name: authz-js-policies
- hostPath:
- path: /var/keycloak/deployments/authz-js-policies.jar
+ path: /var/keycloak/deployments/authz-js-policies.jar
type: File
---
apiVersion: networking.istio.io/v1alpha3
hosts:
- "*"
gateways:
- - kcgateway
+ - kcgateway
http:
- name: "keycloak-routes"
match:
// -
-// ========================LICENSE_START=================================
-// O-RAN-SC
-// %%
-// Copyright (C) 2022-2023: Nordix Foundation
-// %%
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
//
-// http://www.apache.org/licenses/LICENSE-2.0
+// ========================LICENSE_START=================================
+// O-RAN-SC
+// %%
+// Copyright (C) 2022-2023: Nordix Foundation
+// %%
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-// ========================LICENSE_END===================================
+// http://www.apache.org/licenses/LICENSE-2.0
//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ========================LICENSE_END===================================
package main
import (
+ "bytes"
"context"
"database/sql"
"encoding/json"
"net/http"
"os"
"path/filepath"
+ "time"
)
var settings *cli.EnvSettings
var chartRequested *chart.Chart
-
-//var url string
var repoName string
var chartName string
var releaseName string
Realm string
Client string
Authenticator string
+ CaCrt string
+ TlsCrt string
+ TlsKey string
+ Email string
+ SubjectDN string
+ MappingSource string
Roles []struct {
Role string
Grants []string
realm := rapp.Realm
client := rapp.Client
authenticator := rapp.Authenticator
+ caCrt := rapp.CaCrt
+ tlsCrt := rapp.TlsCrt
+ tlsKey := rapp.TlsKey
+ email := rapp.Email
+ subjectDN := rapp.SubjectDN
+ mappingSource := rapp.MappingSource
+
+ httpClient := &http.Client{
+ Timeout: time.Second * 10,
+ }
if !rapp.SecurityEnabled {
return nil
if rapp.Type == "provider" {
// keycloak client setup
fmt.Println("Setting up keycloak")
- url = "http://rapps-keycloak-mgr.default/create?"
- params = "realm=" + realm + "&name=" + client + "&role=" + role + "&authType=" + authenticator
- url += params
- _, err := http.Get(url)
+ url = "http://rapps-keycloak-mgr.default/create"
+ values := map[string]string{"realm": realm, "name": client, "role": role, "authType": authenticator,
+ "tlsCrt": tlsCrt, "email": email, "subjectDN": subjectDN, "mappingSource": mappingSource}
+ jsonValue, _ := json.Marshal(values)
+ req, err := http.NewRequest("POST", url, bytes.NewBuffer(jsonValue))
+ if err != nil {
+ fmt.Printf("Got error %s", err.Error())
+ }
+ req.Header.Set("Content-type", "application/json")
+ resp, err := httpClient.Do(req)
+ fmt.Println("Keycloak response status:", resp.Status)
if err != nil {
+ fmt.Printf("Got error %s", err.Error())
return err
} else {
fmt.Println("Setting up istio")
} else {
fmt.Println("Setting up istio")
url = "http://rapps-istio-mgr.default/create-filter?"
- params = "name=" + chartName + "&realm=" + realm + "&client=" + client + "&authType=" + authenticator
+ params = "name=" + chartName + "&realm=" + realm + "&client=" + client + "&authType=" + authenticator +
+ "&tlsCrt=" + tlsCrt + "&tlsKey=" + tlsKey + "&caCrt=" + caCrt
url += params
_, err := http.Get(url)
if err != nil {
}
func main() {
- //flag.StringVar(&url, "url", "http://chartmuseum:8080", "ChartMuseum url")
flag.StringVar(&repoName, "repoName", "local-dev", "Repository name")
flag.StringVar(&namespace, "namespace", "istio-nonrtric", "namespace for install")
flag.Parse()
install := action.NewInstall(actionConfig)
- fmt.Printf("Repo Name: %s\n",repoName)
- fmt.Printf("Chart Name: %s\n",chartName)
+ fmt.Printf("Repo Name: %s\n", repoName)
+ fmt.Printf("Chart Name: %s\n", chartName)
cp, err := install.ChartPathOptions.LocateChart(fmt.Sprintf("%s/%s", repoName, chartName), settings)
- fmt.Printf("Chart location: %s\n",cp)
+ fmt.Printf("Chart location: %s\n", cp)
chartRequested, err = loader.Load(cp)
id serial PRIMARY KEY,
name VARCHAR ( 50 ) UNIQUE NOT NULL,
type VARCHAR ( 50 ) NOT NULL,
- created_on TIMESTAMP DEFAULT NOW()
+ created_on TIMESTAMP DEFAULT NOW()
);`
_, err = db.Exec(createStmt)
if err != nil {
// -
-// ========================LICENSE_START=================================
-// O-RAN-SC
-// %%
-// Copyright (C) 2022: Nordix Foundation
-// %%
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
//
-// http://www.apache.org/licenses/LICENSE-2.0
+// ========================LICENSE_START=================================
+// O-RAN-SC
+// %%
+// Copyright (C) 2022-2023: Nordix Foundation
+// %%
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-// ========================LICENSE_END===================================
+// http://www.apache.org/licenses/LICENSE-2.0
//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ========================LICENSE_END===================================
package main
import (
"bytes"
"context"
"fmt"
- netv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
netv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
+ netv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
secv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
versioned "istio.io/client-go/pkg/clientset/versioned"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
type TemplateConfig struct {
- Name string
- Namespace string
- Realm string
- Client string
- Authenticator string
- Role string
- Method string
+ Name string
+ Namespace string
+ Realm string
+ Client string
+ Authenticator string
+ Role string
+ Method string
+ TlsCrt string
+ TlsKey string
+ CaCrt string
}
var inputs TemplateConfig
func createGateway(clientset *versioned.Clientset) (string, error) {
gtClient := clientset.NetworkingV1beta1().Gateways(NAMESPACE)
- config = template.Must(template.ParseFiles("./templates/Gateway-template.txt"))
- var manifest bytes.Buffer
- err := config.Execute(&manifest, inputs)
- if err != nil {
- return "", err
- }
+ config = template.Must(template.ParseFiles("./templates/Gateway-template.txt"))
+ var manifest bytes.Buffer
+ err := config.Execute(&manifest, inputs)
+ if err != nil {
+ return "", err
+ }
gt := &netv1beta1.Gateway{}
dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
func createVirtualService(clientset *versioned.Clientset) (string, error) {
vsClient := clientset.NetworkingV1beta1().VirtualServices(NAMESPACE)
- config = template.Must(template.ParseFiles("./templates/VirtualService-template.txt"))
- var manifest bytes.Buffer
- err := config.Execute(&manifest, inputs)
- if err != nil {
- return "", err
- }
+ config = template.Must(template.ParseFiles("./templates/VirtualService-template.txt"))
+ var manifest bytes.Buffer
+ err := config.Execute(&manifest, inputs)
+ if err != nil {
+ return "", err
+ }
vs := &netv1beta1.VirtualService{}
dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
func createRequestAuthentication(clientset *versioned.Clientset) (string, error) {
raClient := clientset.SecurityV1beta1().RequestAuthentications(NAMESPACE)
- config = template.Must(template.ParseFiles("./templates/RequestAuthentication-template.txt"))
- var manifest bytes.Buffer
- err := config.Execute(&manifest, inputs)
- if err != nil {
- return "", err
- }
+ config = template.Must(template.ParseFiles("./templates/RequestAuthentication-template.txt"))
+ var manifest bytes.Buffer
+ err := config.Execute(&manifest, inputs)
+ if err != nil {
+ return "", err
+ }
ra := &secv1beta1.RequestAuthentication{}
dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
func createAuthorizationPolicy(clientset *versioned.Clientset) (string, error) {
apClient := clientset.SecurityV1beta1().AuthorizationPolicies(NAMESPACE)
- config = template.Must(template.ParseFiles("./templates/AuthorizationPolicy-template.txt"))
- var manifest bytes.Buffer
- err := config.Execute(&manifest, inputs)
- if err != nil {
- return "", err
- }
+ config = template.Must(template.ParseFiles("./templates/AuthorizationPolicy-template.txt"))
+ var manifest bytes.Buffer
+ err := config.Execute(&manifest, inputs)
+ if err != nil {
+ return "", err
+ }
ap := &secv1beta1.AuthorizationPolicy{}
dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
}
func createEnvoyFilter(clientset *versioned.Clientset) (string, error) {
- efClient := clientset.NetworkingV1alpha3().EnvoyFilters(NAMESPACE)
+ efClient := clientset.NetworkingV1alpha3().EnvoyFilters(NAMESPACE)
config = template.Must(template.ParseFiles("./templates/EnvoyFilter-template.txt"))
var manifest bytes.Buffer
- err := config.Execute(&manifest, inputs)
- if err != nil {
- return "", err
- }
+ err := config.Execute(&manifest, inputs)
+ if err != nil {
+ return "", err
+ }
- ef := &netv1alpha3.EnvoyFilter{}
- dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
+ ef := &netv1alpha3.EnvoyFilter{}
+ dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
- if err = dec.Decode(&ef); err != nil {
- return "", err
- }
+ if err = dec.Decode(&ef); err != nil {
+ return "", err
+ }
- result, err := efClient.Create(context.TODO(), ef, metav1.CreateOptions{})
+ result, err := efClient.Create(context.TODO(), ef, metav1.CreateOptions{})
- if err != nil {
- return "", err
- }
+ if err != nil {
+ return "", err
+ }
- fmt.Printf("Create Envoy Filter %s \n", result.GetName())
- return result.GetName(), nil
+ fmt.Printf("Create Envoy Filter %s \n", result.GetName())
+ return result.GetName(), nil
}
func removeGateway(clientset *versioned.Clientset) {
func removeEnvoyFilter(clientset *versioned.Clientset) {
efClient := clientset.NetworkingV1alpha3().EnvoyFilters(NAMESPACE)
- err := efClient.Delete(context.TODO(), appName+"-outbound-filter", metav1.DeleteOptions{})
- if err != nil {
- fmt.Println(err)
- } else {
- fmt.Println("Deleted EnvoyFilter " + appName + "-outbound-filter")
- }
+ err := efClient.Delete(context.TODO(), appName+"-outbound-filter", metav1.DeleteOptions{})
+ if err != nil {
+ fmt.Println(err)
+ } else {
+ fmt.Println("Deleted EnvoyFilter " + appName + "-outbound-filter")
+ }
}
func createIstioPolicy(res http.ResponseWriter, req *http.Request) {
appName := query.Get("name")
roleName := query.Get("role")
methodName := query.Get("method")
- inputs = TemplateConfig{Name: appName, Namespace: NAMESPACE, Realm: realmName, Role: roleName, Method: methodName }
+ inputs = TemplateConfig{Name: appName, Namespace: NAMESPACE, Realm: realmName, Role: roleName, Method: methodName}
var msg string
clientset := connectToK8s()
_, err := createGateway(clientset)
}
func createIstioFilter(res http.ResponseWriter, req *http.Request) {
- query := req.URL.Query()
- realmName := query.Get("realm")
- clientId := query.Get("client")
- appName := query.Get("name")
- authType := query.Get("authType")
- inputs = TemplateConfig{Name: appName, Namespace: NAMESPACE, Realm: realmName, Client: clientId, Authenticator: authType}
- var msg string
- clientset := connectToK8s()
- _, err := createEnvoyFilter(clientset)
- if err != nil {
- msg = err.Error()
- fmt.Println(err.Error())
- }
- // create response binary data
- data := []byte(msg) // slice of bytes
- // write `data` to response
- res.Write(data)
+ query := req.URL.Query()
+ realmName := query.Get("realm")
+ clientId := query.Get("client")
+ appName := query.Get("name")
+ authType := query.Get("authType")
+ tlsCrt := query.Get("tlsCrt")
+ tlsKey := query.Get("tlsKey")
+ caCrt := query.Get("caCrt")
+ inputs = TemplateConfig{Name: appName, Namespace: NAMESPACE, Realm: realmName, Client: clientId,
+ Authenticator: authType, TlsCrt: tlsCrt, TlsKey: tlsKey, CaCrt: caCrt}
+ var msg string
+ clientset := connectToK8s()
+ _, err := createEnvoyFilter(clientset)
+ if err != nil {
+ msg = err.Error()
+ fmt.Println(err.Error())
+ }
+ // create response binary data
+ data := []byte(msg) // slice of bytes
+ // write `data` to response
+ res.Write(data)
}
func removeIstioPolicy(res http.ResponseWriter, req *http.Request) {
}
func removeIstioFilter(res http.ResponseWriter, req *http.Request) {
- query := req.URL.Query()
- appName = query.Get("name")
- clientset := connectToK8s()
- removeEnvoyFilter(clientset)
+ query := req.URL.Query()
+ appName = query.Get("name")
+ clientset := connectToK8s()
+ removeEnvoyFilter(clientset)
}
func main() {
// -
-// ========================LICENSE_START=================================
-// O-RAN-SC
-// %%
-// Copyright (C) 2022-2023: Nordix Foundation
-// %%
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
//
-// http://www.apache.org/licenses/LICENSE-2.0
+// ========================LICENSE_START=================================
+// O-RAN-SC
+// %%
+// Copyright (C) 2022-2023: Nordix Foundation
+// %%
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-// ========================LICENSE_END===================================
+// http://www.apache.org/licenses/LICENSE-2.0
//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ========================LICENSE_END===================================
package main
import (
+ "context"
"crypto/tls"
"crypto/x509"
"encoding/json"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kubernetes "k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
+ "net"
"net/http"
"net/url"
"rapps/utils/generatejwt"
- "context"
- "net"
"time"
)
var clientId string
var namespace string
var authenticator string
+var tlsCrt string
+var tlsKey string
+var caCrt string
var healthy bool = true
var jwt Jwttoken
clientId = req.Header.Get("client")
realmName = req.Header.Get("realm")
namespace = req.Header.Get("ns")
+ tlsCrt = req.Header.Get("tlsCrt")
+ tlsKey = req.Header.Get("tlsKey")
+ caCrt = req.Header.Get("caCrt")
keycloakUrl := "http://" + keycloakHost + ":" + keycloakPort + "/realms/" + realmName + "/protocol/openid-connect/token"
fmt.Printf("Making token request to %s\n", keycloakUrl)
res.Header().Set("Content-type", "application/json")
} else if authenticator == "client-x509" {
keycloakPort = "443"
keycloakUrl := "https://" + keycloakAlias + ":" + keycloakPort + "/realms/" + realmName + "/protocol/openid-connect/token"
- resp, err = getx509Token(keycloakUrl, clientId)
+ resp, err = getx509Token(keycloakUrl, clientId, tlsCrt, tlsKey, caCrt)
} else {
resp, err = getSecretToken(keycloakUrl, clientId)
}
}
func getClientAssertion() string {
- //aud := "http://" + keycloakHost + ":" + keycloakPort + "/auth/realms/" + realmName
- //aud := "http://keycloak/auth/realms/" + realmName
aud := "https://keycloak:8443/realms/" + realmName
- clientAssertion := generatejwt.CreateJWT("/certs/client.key", "", clientId, aud)
+ clientAssertion := generatejwt.CreateJWT(tlsKey, "", clientId, aud)
return clientAssertion
}
-func getx509Token(keycloakUrl, clientId string) (*http.Response, error) {
+func getx509Token(keycloakUrl, clientId, tlsCrt, tlsKey, caCrt string) (*http.Response, error) {
var resp = &http.Response{}
var err error
}
func getClient() *http.Client {
- caCert, _ := ioutil.ReadFile("/certs/rootCA.crt")
+ caCert, _ := ioutil.ReadFile(caCrt)
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
- cert, _ := tls.LoadX509KeyPair("/certs/client.crt", "/certs/client.key")
+ cert, _ := tls.LoadX509KeyPair(tlsCrt, tlsKey)
dialer := &net.Dialer{
Timeout: 30 * time.Second,
var flowAlias string = "x509 direct grant"
func createClient(res http.ResponseWriter, req *http.Request) {
- query := req.URL.Query()
- realmName := query.Get("realm")
- clientName := query.Get("name")
- role := query.Get("role")
- authType := query.Get("authType")
+ body, err := ioutil.ReadAll(req.Body)
+ if err != nil {
+ panic(err.Error())
+ }
+ keyVal := make(map[string]string)
+ json.Unmarshal(body, &keyVal)
+ realmName := keyVal["realm"]
+ clientName := keyVal["name"]
+ role := keyVal["role"]
+ authType := keyVal["authType"]
+ tlsCrt := keyVal["tlsCrt"]
+ email := keyVal["email"]
+ subjectDN := keyVal["subjectDN"]
+ mappingSource := keyVal["mappingSource"]
+
var msg string
- msg, err := create(realmName, clientName, role, authType)
+ msg, err = create(realmName, clientName, role, authType, tlsCrt, email, subjectDN, mappingSource)
if err != nil {
msg = err.Error()
}
return resp.StatusCode, respString
}
-func create(realmName, clientName, clientRoleName, authType string) (string, error) {
+func create(realmName, clientName, clientRoleName, authType, tlsCrt, email, subjectDN, mappingSource string) (string, error) {
getAdminToken()
var userId string = ""
var jsonValue []byte = []byte{}
if authType == "client-x509" {
flowId = getFlowId(realmName)
if flowId == "" {
- createx509Flow(realmName)
+ createx509Flow(realmName, mappingSource)
flowId = getFlowId(realmName)
}
newUser := User{
ID: realmName + "user",
Username: realmName + "user",
- Email: "client@mail.com",
+ Email: email,
Enabled: true,
}
restUrl = keycloakUrl + "/admin/realms/" + realmName + "/users"
userId = getUserId(realmName, realmName+"user")
}
- newClient := getClient(authType, clientName, flowId)
+ newClient := getClient(authType, clientName, flowId, tlsCrt, subjectDN)
restUrl = keycloakUrl + "/admin/realms/" + realmName + "/clients"
jsonValue, _ = json.Marshal(newClient)
statusCode, _ = sendRequest("POST", restUrl, jsonValue)
return clientSecret, nil
}
-func getClient(authType, clientName, flowId string) Client {
+func getClient(authType, clientName, flowId, tlsCrt, subjectDN string) Client {
var newClient Client
newClient.ClientID = clientName
newClient.Enabled = true
newClient.Attributes = map[string]string{
"use.refresh.tokens": "true",
"client_credentials.use_refresh_token": "true",
- "x509.subjectdn": ".*client@mail.com.*",
+ "x509.subjectdn": ".*" + subjectDN + ".*",
"x509.allow.regex.pattern.comparison": "true"}
newClient.AuthenticationFlowBindingOverrides = map[string]string{
"direct_grant": flowId}
} else {
- jwksString, publicKey, kid := pemtojwks.CreateJWKS("/certs/client.crt")
+ jwksString, publicKey, kid := pemtojwks.CreateJWKS(tlsCrt)
newClient.Attributes = map[string]string{
"token.endpoint.auth.signing.alg": "RS256",
"jwt.credential.public.key": publicKey,
return clientId, clientSecret
}
-func createx509Flow(realmName string) {
+func createx509Flow(realmName, mappingSource string) {
var jsonValue []byte = []byte{}
authenticationFlowRepresentation := AuthenticationFlowRepresentation{
Alias: flowAlias,
"x509-cert-auth.mapper-selection": "Username or Email",
"x509-cert-auth.revalidate-certificate-enabled": "false",
"x509-cert-auth.crldp-checking-enabled": "false",
- "x509-cert-auth.mapping-source-selection": "Subject's e-mail",
+ "x509-cert-auth.mapping-source-selection": mappingSource,
"x509-cert-auth.ocsp-checking-enabled": "false",
},
}
#
# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Nordix Foundation.
+# Copyright (C) 2022-2023 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
namespace: default
labels:
app: rapps-keycloak-mgr
+ app.kubernetes.io/instance: rapps-keycloak-mgr
+ app.kubernetes.io/name: rapps-keycloak-mgr
spec:
selector:
matchLabels:
labels:
app: rapps-keycloak-mgr
version: v1
+ app.kubernetes.io/instance: rapps-keycloak-mgr
+ app.kubernetes.io/name: rapps-keycloak-mgr
spec:
containers:
- name: rapps-keycloak-mgr
readOnly: true
volumes:
- name: certsdir
- hostPath:
- # Ensure the file directory is created.
- path: /var/rapps/certs
- type: DirectoryOrCreate
+ secret:
+ secretName: cm-keycloak-client-certs
serviceAccountName: helm-app
replicas: 1
---
metadata:
name: rapps-keycloak-mgr
namespace: default
+ labels:
+ app: rapps-keycloak-mgr
+ app.kubernetes.io/instance: rapps-keycloak-mgr
+ app.kubernetes.io/name: rapps-keycloak-mgr
spec:
selector:
app: rapps-keycloak-mgr
// -
-// ========================LICENSE_START=================================
-// O-RAN-SC
-// %%
-// Copyright (C) 2022: Nordix Foundation
-// %%
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
//
-// http://www.apache.org/licenses/LICENSE-2.0
+// ========================LICENSE_START=================================
+// O-RAN-SC
+// %%
+// Copyright (C) 2022-2023: Nordix Foundation
+// %%
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-// ========================LICENSE_END===================================
+// http://www.apache.org/licenses/LICENSE-2.0
//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ========================LICENSE_END===================================
package main
import (
)
type ServerParameters struct {
- port string // webhook server port
- certFile string // path to the x509 cert
- keyFile string // path to the x509 private key
- hostPath string // path to the x509 private key
+ port string // webhook server port
+ certFile string // path to the x509 cert
+ keyFile string // path to the x509 private key
+ secret string
}
type patchOperation struct {
flag.StringVar(¶meters.port, "port", "8443", "Webhook server port.")
flag.StringVar(¶meters.certFile, "tlsCertFile", "/certs/tls.crt", "File containing the x509 certificate")
flag.StringVar(¶meters.keyFile, "tlsKeyFile", "/certs/tls.key", "File containing the x509 private key")
- flag.StringVar(¶meters.hostPath, "hostPath", "/var/rapps/certs", "Host Path containing rapp cert files")
+ flag.StringVar(¶meters.secret, "secret", "cm-keycloak-client-certs", "Secret containing rapp cert files")
flag.Parse()
http.HandleFunc("/inject-sidecar", HandleSideCarInjection)
Value: containers,
})
- pathType := v1.HostPathDirectoryOrCreate
- pathTypePtr := &pathType
var volumes []v1.Volume
volumes = append(volumes, pod.Spec.Volumes...)
volume := v1.Volume{
Name: "certsdir",
VolumeSource: v1.VolumeSource{
- HostPath: &v1.HostPathVolumeSource{
- Path: parameters.hostPath,
- Type: pathTypePtr,
+ Secret: &v1.SecretVolumeSource{
+ SecretName: parameters.secret,
},
},
}
fmt.Println(volumes)
patches = append(patches, patchOperation{
- Op: "add",
- Path: "/spec/volumes",
- Value: volumes,
+ Op: "add",
+ Path: "/spec/volumes",
+ Value: volumes,
})
fmt.Println(patches)
#
# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Nordix Foundation.
+# Copyright (C) 2022-2023 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
namespace: default
labels:
app: jwt-proxy-admission-controller
+ app.kubernetes.io/instance: jwt-proxy-admission-controller
+ app.kubernetes.io/name: jwt-proxy-admission-controller
spec:
selector:
matchLabels:
labels:
app: jwt-proxy-admission-controller
version: v1
+ app.kubernetes.io/instance: jwt-proxy-admission-controller
+ app.kubernetes.io/name: jwt-proxy-admission-controller
spec:
serviceAccountName: webhook-app
containers:
"-port", "8443",
"-tlsCertFile", "/certs/tls.crt",
"-tlsKeyFile", "/certs/tls.key",
- "-hostPath", "/var/rapps/certs"
+ "-secret", "cm-keycloak-client-certs",
]
ports:
- containerPort: 8443
volumes:
- name: webhook-cert
secret:
- secretName: webhook-cert
+ secretName: cm-webhook-server-certs
replicas: 1
---
apiVersion: v1
metadata:
name: jwt-proxy-admission-controller
namespace: default
+ labels:
+ app: jwt-proxy-admission-controller
+ app.kubernetes.io/instance: jwt-proxy-admission-controller
+ app.kubernetes.io/name: jwt-proxy-admission-controller
spec:
selector:
app: jwt-proxy-admission-controller
-#
-# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Nordix Foundation.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-#
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: {{.Name}}-outbound-filter
- namespace: {{.Namespace}}
+ namespace: {{.Namespace}}
spec:
workloadSelector:
labels:
- app.kubernetes.io/name: {{.Name}}
+ app.kubernetes.io/name: {{.Name}}
configPatches:
# The first patch adds the lua filter to the listener/http connection manager
- applyTo: HTTP_FILTER
["realm"] = "{{.Realm}}",
["client"] = "{{.Client}}",
["authenticator"] = "{{.Authenticator}}",
+ ["caCrt"] = "{{.CaCrt}}",
+ ["tlsCrt"] = "{{.TlsCrt}}",
+ ["tlsKey"] = "{{.TlsKey}}",
["ns"] = "{{.Namespace}}"
},
"jwt call",
--- /dev/null
+#
+# ============LICENSE_START=======================================================
+# Copyright (C) 2023 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+#
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: webhook-server-cert
+ namespace: default
+spec:
+ secretName: cm-webhook-server-certs
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - oran
+ organizationalUnits:
+ - oran
+ countries:
+ - IE
+ localities:
+ - Dublin
+ streetAddresses:
+ - Main Street
+ commonName: webhook
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ usages:
+ - server auth
+ dnsNames:
+ - jwt-proxy-admission-controller
+ - jwt-proxy-admission-controller.default.svc.cluster.local
+ - jwt-proxy-admission-controller.default.svc
+ - localhost
+ - 127.0.0.1
+ issuerRef:
+ name: cm-ca-issuer
+ kind: Issuer
+ group: cert-manager.io