fix: account for keycloak HA ports (#619)

## Description Fixes a number of issues to fix support Keycloak for HA deployments * scopes AuthorizationPolicy to port 8080 (http) to avoid denying JGroups traffic * adds 7800 and 57800 to headless service and pod to ensure Istio routes traffic correctly. * adds network policy to allow internamespace traffic on 7800 + 57800 Note: It was not immediately obvious that port 57800 is used by Keycloak's HA deployment. I noticed traffic on 57800 when debugging and did some research and determined it was related to used for Infinispan's "failure discovery protocol". The number is computed based on the [port offset](https://infinispan.org/docs/stable/titles/server/server.html#jgroups-system-properties_cluster-transport), so port offset (50000) + 7800 = 57800. ## Related Issue Fixes #620 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
defenseunicorns · Aug 1, 2024 · 434f349 · 434f349
1 parent fc881a0
commit 434f349
Show file tree

Hide file tree

Showing 7 changed files with 42 additions and 5 deletions.
diff --git a/.github/workflows/slim-dev-test.yaml b/.github/workflows/slim-dev-test.yaml
@@ -11,7 +11,7 @@ on:
       - src/istio/*
       - src/prometheus-stack/*
       - packages/slim-dev/*
-      - bundles/core-slim-dev/*
+      - bundles/k3d-slim-dev/*
       - .github/workflows/slim-dev*
 
 # Permissions for the GITHUB_TOKEN used by the workflow.

diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml
@@ -36,8 +36,6 @@ packages:
     # x-release-please-start-version
     ref: 0.24.1
     # x-release-please-end
-    optionalComponents:
-      - metrics-server
     overrides:
       istio-admin-gateway:
         uds-istio-config:

diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml
@@ -425,6 +425,7 @@ component-definition:
                   "to": [
                     {
                       "operation": {
+                        "ports": ["8080"],
                         "paths": ["/admin*", "/realms/master*"]
                       }
                     }

diff --git a/src/keycloak/chart/templates/istio-admin.yaml b/src/keycloak/chart/templates/istio-admin.yaml
@@ -12,6 +12,8 @@ spec:
   rules:
     - to:
         - operation:
+            ports: 
+              - "8080"
             paths:
               - "/admin*"
               - "/realms/master*"
@@ -21,6 +23,8 @@ spec:
               - istio-admin-gateway
     - to:
         - operation:
+            ports: 
+              - "8080"
             paths:
             - /metrics*
       from:
@@ -30,16 +34,23 @@ spec:
             - monitoring
     - to:
         - operation:
+            ports: 
+              - "8080"
             paths:
               # Never allow anonymous client registration except from the pepr-system namespace
               # This is another fallback protection, as the KC policy already blocks it
               - "/realms/{{ .Values.realm }}/clients-registrations/*"
       from:
         - source:
-            notNamespaces: ["pepr-system"]
+            notNamespaces: 
+              - "pepr-system"
     - when:
         - key: request.headers[istio-mtls-client-certificate]
           values: ["*"]
+      to:
+        - operation:
+            ports: 
+              - "8080"
       from:
         - source:
             notNamespaces:

diff --git a/src/keycloak/chart/templates/service-headless.yaml b/src/keycloak/chart/templates/service-headless.yaml
@@ -14,5 +14,13 @@ spec:
       port: 80
       targetPort: http
       protocol: TCP
+    - name: tcp
+      port: 7800
+      targetPort: tcp
+      protocol: TCP
+    - name: tcp-fd
+      port: 57800
+      targetPort: tcp-fd
+      protocol: TCP
   selector:
     {{- include "keycloak.selectorLabels" . | nindent 4 }}
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
@@ -136,7 +136,7 @@ spec:
             # java opts for jgroups required for infinispan distributed cache when using the kubernetes stack.
             # https://www.keycloak.org/server/caching
             - name: JAVA_OPTS_APPEND
-              value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
+              value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless.keycloak.svc.cluster.local
 
             # Postgres database configuration
             - name: KC_DB 
@@ -189,6 +189,12 @@ spec:
             - name: http
               containerPort: 8080
               protocol: TCP
+            - name: tcp
+              containerPort: 7800
+              protocol: TCP
+            - name: tcp-fd
+              containerPort: 57800
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /health/live

diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml
@@ -60,6 +60,19 @@ spec:
         port: {{ .Values.postgresql.port }}
         remoteGenerated: Anywhere
       {{- end }}
+      {{- if .Values.autoscaling.enabled }}
+      # HA for keycloak
+      - direction: Ingress
+        remoteGenerated: IntraNamespace
+        ports:
+          - 7800
+          - 57800
+      - direction: Egress
+        remoteGenerated: IntraNamespace
+        ports:
+          - 7800
+          - 57800
+      {{- end }}
 
     expose:
       - description: "remove private paths from public gateway"