# Secret holding Vault *references* rather than credential values. The
# vault.security.banzaicloud.io annotations target the Banzai Cloud vault
# secrets webhook, which is expected to swap the vault:... strings for the real
# values — that webhook is not part of this file, so confirm it is installed
# and admits this namespace before relying on it.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: dashboard-proxy-keys
  annotations:
    vault.security.banzaicloud.io/vault-addr: 'https://vault.default.svc.cluster.local:8200'
    vault.security.banzaicloud.io/vault-role: 'default'
    vault.security.banzaicloud.io/vault-path: 'kubernetes'
    # NOTE(review): 'true' switches off verification of the Vault server
    # certificate, so the webhook cannot tell a genuine Vault endpoint from an
    # impersonated one while it fetches these credentials. The Deployment in
    # this file carries a commented-out vault-tls-secret annotation; mounting
    # the Vault CA that way and setting this to 'false' is the intended fix.
    vault.security.banzaicloud.io/vault-skip-verify: 'true'
stringData:
  # Each value is "vault:<kv-path>#<field>"; quoted so the '#' can never be
  # read as a YAML comment by a reformatting tool.
  CLIENT_ID: 'vault:secret/data/tracing/client/id#client_id'
  CLIENT_SECRET: 'vault:secret/data/tracing/client/secret#client_secret'
  ENCRYPTION_KEY: 'vault:secret/data/tracing/client/encryption#encryption_key'
---
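apiVersion: v1
kind: ConfigMap
metadata:
  name: dashboard-proxy-config
data:
  # keycloak-gatekeeper configuration. The dashboard-gatekeeper Deployment
  # mounts this file at /etc/secrets/gatekeeper.yaml and passes it via
  # --config; client-id, client-secret and encryption-key are supplied on the
  # command line from the dashboard-proxy-keys Secret, not from this file.
  #
  # Review notes on the settings below:
  #  - secure-cookie is true: the dashboard-gatekeeper Ingress serves
  #    tracing.local.net over TLS and redirection-url is https, so the session
  #    and refresh cookies carry the Secure attribute and a browser will never
  #    send them over plain HTTP (the previous value was false).
  #  - skip-openid-provider-tls-verify: true disables certificate checks on the
  #    OIDC discovery/token endpoints at auth.local.net, so the client secret
  #    and tokens are exchanged with whatever answers for that name. Tolerable
  #    only for a lab IdP with a self-signed certificate; supply its CA instead
  #    where possible.
  #  - debug: true makes gatekeeper log verbosely; review what it emits before
  #    shipping these logs anywhere with shared read access.
  #  - ingress.enabled does not correspond to a gatekeeper option I can
  #    identify — verify it is not a leftover from a Helm values file.
  #  - gatekeeper only guards traffic that arrives through the Ingress; the
  #    upstream jaeger Service stays reachable from any pod in the cluster
  #    unless a NetworkPolicy restricts it.
  gatekeeper.yaml: |-
    discovery-url: https://auth.local.net/auth/realms/localnet
    skip-upstream-tls-verify: false
    skip-openid-provider-tls-verify: true
    listen: ':3000'
    secure-cookie: true
    enable-logging: true
    enable-json-logging: true
    enable-default-deny: true
    enable-refresh-tokens: true
    enable-session-cookies: true
    debug: true
    ingress.enabled: true
    redirection-url: https://tracing.local.net
    upstream-url: http://jaeger.tracing.svc.cluster.local:16686/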
---
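# keycloak-gatekeeper in front of the Jaeger UI: one replica (default), config
# from the dashboard-proxy-config ConfigMap, credentials from the
# dashboard-proxy-keys Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dashboard-gatekeeper
spec:
  selector:
    matchLabels:
      app: dashboard-gatekeeper
  template:
    metadata:
      labels:
        app: dashboard-gatekeeper
      annotations:
        linkerd.io/inject: enabled
        # annotations:
        # vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
        # vault.security.banzaicloud.io/vault-tls-secret: "vault-tls"
    spec:
      # Pins the IdP name to a fixed address for resolution inside the pod;
      # the same address appears as a SAN in the tracing-cert Certificate.
      hostAliases:
        - ip: "192.168.0.111"
          hostnames:
            - auth.local.net
      containers:
        - name: dashboard-gatekeeper
          # NOTE(review): a major-version tag is mutable; pin by digest
          # (image: bitnami/keycloak-gatekeeper@sha256:<digest-placeholder>)
          # so a re-pull cannot silently change what runs here.
          image: bitnami/keycloak-gatekeeper:9
          # image: keycloak/keycloak-gatekeeper:7.0.0
          # Gatekeeper listens on an unprivileged port and needs no Linux
          # capabilities, so drop them all and forbid privilege escalation.
          # runAsNonRoot/readOnlyRootFilesystem are also candidates — confirm
          # the image's user and write paths first.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 3000
          env:
            - name: CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: dashboard-proxy-keys
                  key: CLIENT_ID
            - name: CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: dashboard-proxy-keys
                  key: CLIENT_SECRET
            - name: ENCRYPTION_KEY
              valueFrom:
                secretKeyRef:
                  name: dashboard-proxy-keys
                  key: ENCRYPTION_KEY
          # NOTE(review): $(CLIENT_SECRET) and $(ENCRYPTION_KEY) are expanded
          # by the kubelet into the process argv, so both are readable from the
          # process table inside the container and in anything that records
          # the command line. keycloak-gatekeeper can, I believe, read these
          # from PROXY_CLIENT_SECRET / PROXY_ENCRYPTION_KEY environment
          # variables instead — confirm for this image version before
          # switching.
          args:
            - /keycloak-gatekeeper
            - --config=/etc/secrets/gatekeeper.yaml
            - --client-id=$(CLIENT_ID)
            - --client-secret=$(CLIENT_SECRET)
            - --encryption-key=$(ENCRYPTION_KEY)
            - --resources=uri=/*
          volumeMounts:
            # Despite the path name this is the ConfigMap, not the Secret.
            - name: gatekeeper-secrets
              mountPath: /etc/secrets
              readOnly: true
      volumes:
        - name: gatekeeper-secrets
          configMap:
            name: dashboard-proxy-config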
---
# Cluster-internal (no type given, so ClusterIP) front door for the gatekeeper
# pods; external traffic reaches it through the dashboard-gatekeeper Ingress.
# Any pod in the cluster can also reach port 3000 directly — that is the
# authenticating proxy, so it is acceptable, but note no NetworkPolicy is
# defined in this file.
apiVersion: v1
kind: Service
metadata:
  name: dashboard-gatekeeper
spec:
  ports:
    - port: 3000
      targetPort: 3000
  selector:
    app: dashboard-gatekeeper
---
# Self-signed serving certificate for the Ingress; cert-manager writes it to
# the tracing-tls Secret referenced by the Ingress tls block.
# NOTE(review): cert-manager.io/v1alpha2 is an early API; the stable
# cert-manager.io/v1 exists — check which versions the installed cert-manager
# still serves before upgrading this manifest.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: tracing-cert
spec:
  secretName: tracing-tls
  commonName: mesh
  dnsNames:
    - tracing.local.net
  # NOTE(review): the loopback SAN is unusual for an Ingress certificate;
  # presumably it supports local testing — drop it if not needed.
  ipAddresses:
    - 192.168.0.111
    - 127.0.0.1
  issuerRef:
    kind: ClusterIssuer
    name: selfsigned-issuer
---
# TLS-terminating Ingress for tracing.local.net, routed to the gatekeeper
# Service so every request to the Jaeger UI is authenticated first.
# NOTE(review): the extensions/v1beta1 Ingress API was removed in Kubernetes
# 1.22; clusters at or beyond that need networking.k8s.io/v1 (pathType and a
# service-based backend), which is a schema change, not a rename.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard-gatekeeper
  annotations:
    # Linkerd routing hint. Snippet annotations inject raw nginx configuration
    # and ingress-nginx treats them as privileged (allow-snippet-annotations
    # in the controller ConfigMap, off by default in recent releases) — expect
    # to enable that explicitly, and restrict who may edit Ingress objects.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header l5d-dst-override $service_name.$namespace.svc.cluster.local:$service_port;
      grpc_set_header l5d-dst-override $service_name.$namespace.svc.cluster.local:$service_port;
spec:
  tls:
    - hosts:
        - tracing.local.net
      secretName: tracing-tls
  rules:
    - host: tracing.local.net
      http:
        paths:
          - path: /
            backend:
              serviceName: dashboard-gatekeeper
              servicePort: 3000