From 434f349fe6fda234875622a93de3939d0082eb78 Mon Sep 17 00:00:00 2001
From: Rob Ferguson
Date: Thu, 1 Aug 2024 18:02:17 -0500
Subject: [PATCH] fix: account for keycloak HA ports (#619)

## Description
Fixes a number of issues to fix support Keycloak for HA deployments
* scopes AuthorizationPolicy to port 8080 (http) to avoid denying JGroups traffic
* adds 7800 and 57800 to headless service and pod to ensure Istio routes traffic correctly.
* adds network policy to allow internamespace traffic on 7800 + 57800

Note: It was not immediately obvious that port 57800 is used by Keycloak's HA deployment. I noticed traffic on 57800 when debugging and did some research and determined it was related to used for Infinispan's "failure discovery protocol". The number is computed based on the [port offset](https://infinispan.org/docs/stable/titles/server/server.html#jgroups-system-properties_cluster-transport), so port offset (50000) + 7800 = 57800.

## Related Issue
Fixes https://github.com/defenseunicorns/uds-core/issues/620

## Type of change
- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging
- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
---
 .github/workflows/slim-dev-test.yaml | 2 +-
 bundles/k3d-slim-dev/uds-bundle.yaml | 2 --
 src/istio/oscal-component.yaml | 1 +
 src/keycloak/chart/templates/istio-admin.yaml | 13 ++++++++++++-
 src/keycloak/chart/templates/service-headless.yaml | 8 ++++++++
 src/keycloak/chart/templates/statefulset.yaml | 8 +++++++-
 src/keycloak/chart/templates/uds-package.yaml | 13 +++++++++++++
 7 files changed, 42 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/slim-dev-test.yaml b/.github/workflows/slim-dev-test.yaml
index 691d30fe9..f785bdb50 100644
--- a/.github/workflows/slim-dev-test.yaml
+++ b/.github/workflows/slim-dev-test.yaml
@@ -11,7 +11,7 @@ on:
 - src/istio/*
 - src/prometheus-stack/*
 - packages/slim-dev/*
- - bundles/core-slim-dev/*
+ - bundles/k3d-slim-dev/*
 - .github/workflows/slim-dev*
 
 # Permissions for the GITHUB_TOKEN used by the workflow.
diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml
index 237944eac..b0987f1be 100644
--- a/bundles/k3d-slim-dev/uds-bundle.yaml
+++ b/bundles/k3d-slim-dev/uds-bundle.yaml
@@ -36,8 +36,6 @@ packages:
 # x-release-please-start-version
 ref: 0.24.1
 # x-release-please-end
- optionalComponents:
- - metrics-server
 overrides:
 istio-admin-gateway:
 uds-istio-config:
diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml
index c6bb07f23..6ab639a60 100644
--- a/src/istio/oscal-component.yaml
+++ b/src/istio/oscal-component.yaml
@@ -425,6 +425,7 @@ component-definition:
 "to": [
 {
 "operation": {
+ "ports": ["8080"],
 "paths": ["/admin*", "/realms/master*"]
 }
 }
diff --git a/src/keycloak/chart/templates/istio-admin.yaml b/src/keycloak/chart/templates/istio-admin.yaml
index 684f63b00..72c5754b3 100644
--- a/src/keycloak/chart/templates/istio-admin.yaml
+++ b/src/keycloak/chart/templates/istio-admin.yaml
@@ -12,6 +12,8 @@ spec:
 rules:
 - to:
 - operation:
+ ports:
+ - "8080"
 paths:
 - "/admin*"
 - "/realms/master*"
@@ -21,6 +23,8 @@ spec:
 - istio-admin-gateway
 - to:
 - operation:
+ ports:
+ - "8080"
 paths:
 - /metrics*
 from:
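Review bot: Adding `ports: ["8080"]` to each `operation` in istio-admin.yaml (this hunk, the `/metrics*` hunk below it, and the `@@ -30` hunk in the next part of the patch) narrows the rules to a single listener, so the same paths or the `istio-mtls-client-certificate` header on any other HTTP port of the workload are no longer matched; the PR description says these are deny rules, and the policy `action` is outside the hunk. Today this is supported by the statefulset, which declares 8080 as its only HTTP container port, but if Keycloak is later configured to serve health or metrics on a separate management port, the `/metrics*` deny and the header-spoofing deny silently stop covering it. A comment above the first `ports:` would record the constraint: `# Port-scoped so JGroups cluster traffic on 7800/57800 is not denied; any additional HTTP listener must be added here or it falls outside these deny rules`. The `rules:` list continues past the end of each hunk.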
@@ -30,16 +34,23 @@ spec:
 - monitoring
 - to:
 - operation:
+ ports:
+ - "8080"
 paths:
 # Never allow anonymous client registration except from the pepr-system namespace
 # This is another fallback protection, as the KC policy already blocks it
 - "/realms/{{ .Values.realm }}/clients-registrations/*"
 from:
 - source:
- notNamespaces: ["pepr-system"]
+ notNamespaces:
+ - "pepr-system"
 - when:
 - key: request.headers[istio-mtls-client-certificate]
 values: ["*"]
+ to:
+ - operation:
+ ports:
+ - "8080"
 from:
 - source:
 notNamespaces:
diff --git a/src/keycloak/chart/templates/service-headless.yaml b/src/keycloak/chart/templates/service-headless.yaml
index 37b530411..d5a67c2b5 100644
--- a/src/keycloak/chart/templates/service-headless.yaml
+++ b/src/keycloak/chart/templates/service-headless.yaml
@@ -14,5 +14,13 @@ spec:
 port: 80
 targetPort: http
 protocol: TCP
+ - name: tcp
+ port: 7800
+ targetPort: tcp
+ protocol: TCP
+ - name: tcp-fd
+ port: 57800
+ targetPort: tcp-fd
+ protocol: TCP
 selector:
 {{- include "keycloak.selectorLabels" . | nindent 4 }}
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
index f270807f6..c0dddf1c5 100644
--- a/src/keycloak/chart/templates/statefulset.yaml
+++ b/src/keycloak/chart/templates/statefulset.yaml
@@ -136,7 +136,7 @@ spec:
 # java opts for jgroups required for infinispan distributed cache when using the kubernetes stack.
 # https://www.keycloak.org/server/caching
 - name: JAVA_OPTS_APPEND
- value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
+ value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless.keycloak.svc.cluster.local
 
 # Postgres database configuration
 - name: KC_DB
@@ -189,6 +189,12 @@ spec:
 - name: http
 containerPort: 8080
 protocol: TCP
+ - name: tcp
+ containerPort: 7800
+ protocol: TCP
+ - name: tcp-fd
+ containerPort: 57800
+ protocol: TCP
 livenessProbe:
 httpGet:
 path: /health/live
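Review bot: The new `57800` entry in service-headless.yaml carries no explanation in the chart, even though the PR description says the port was not obvious and had to be derived (7800 plus the 50000 Infinispan port offset); the next maintainer will repeat that investigation. A comment above `- name: tcp-fd` would capture it: `# JGroups failure-detection socket: 7800 + Infinispan port offset 50000 (see #619)`. It is also worth stating in the same comment that the `tcp`/`tcp-fd` port names are deliberate, since Istio uses the name prefix for protocol selection and a `tcp` prefix keeps the sidecar from treating JGroups traffic as HTTP.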
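Review bot: The new `-Djgroups.dns.query` value in statefulset.yaml hard-codes the `keycloak` namespace and the `cluster.local` domain, so the chart breaks if it is released into another namespace or onto a cluster with a custom DNS domain, while the rest of the chart derives names through `include "keycloak.fullname"`. Use the release namespace, and consider a value for the cluster domain: `value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless.{{ .Release.Namespace }}.svc.cluster.local`. The reason the short service name was no longer sufficient is not recorded either; adding it to the comment above `JAVA_OPTS_APPEND` would stop someone from reverting to the short form. The enclosing `env:` list continues outside the hunk.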
diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml
index 27afba03f..e5919fa04 100644
--- a/src/keycloak/chart/templates/uds-package.yaml
+++ b/src/keycloak/chart/templates/uds-package.yaml
@@ -60,6 +60,19 @@ spec:
 port: {{ .Values.postgresql.port }}
 remoteGenerated: Anywhere
 {{- end }}
+ {{- if .Values.autoscaling.enabled }}
+ # HA for keycloak
+ - direction: Ingress
+ remoteGenerated: IntraNamespace
+ ports:
+ - 7800
+ - 57800
+ - direction: Egress
+ remoteGenerated: IntraNamespace
+ ports:
+ - 7800
+ - 57800
+ {{- end }}
 
 expose:
 - description: "remove private paths from public gateway"
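Review bot: The JGroups allow rules are gated on `.Values.autoscaling.enabled`, but the matching ports on the headless service and statefulset are added unconditionally; if the chart also allows more than one replica without autoscaling (the values file is not in this patch), the cluster traffic on 7800/57800 would have no allow rule and members would fail to form a cluster. Either widen the condition to cover a static replica count or document next to `# HA for keycloak` that HA requires autoscaling. `remoteGenerated: IntraNamespace` also opens both ports to every pod in the namespace in both directions; if the Package spec supports a pod `selector` on allow entries, scoping these two rules to the Keycloak pods is tighter. A `description:` on each rule, as the `expose` entries already have, would make the generated policies easier to audit.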