From 07310742e5328fe0f974cc5864f502c820530d4e Mon Sep 17 00:00:00 2001 From: Floppy Disk Date: Thu, 21 Nov 2024 14:24:24 +0300 Subject: [PATCH 1/3] add sso roles --- packages/apps/tenant/Chart.yaml | 2 +- packages/apps/tenant/templates/tenant.yaml | 140 +++++++++++++++++++++ packages/apps/versions_map | 3 +- 3 files changed, 143 insertions(+), 2 deletions(-) diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml index 25f689949..eedbebf2d 100644 --- a/packages/apps/tenant/Chart.yaml +++ b/packages/apps/tenant/Chart.yaml @@ -4,4 +4,4 @@ description: Separated tenant namespace icon: /logos/tenant.svg type: application -version: 1.5.0 +version: 1.6.0 diff --git a/packages/apps/tenant/templates/tenant.yaml b/packages/apps/tenant/templates/tenant.yaml index 3b9b8fc1a..ad95c4378 100644 --- a/packages/apps/tenant/templates/tenant.yaml +++ b/packages/apps/tenant/templates/tenant.yaml 
@@ -88,3 +88,143 @@ roleRef: kind: Role name: {{ include "tenant.name" . }} apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "tenant.name" . }}-view + namespace: {{ include "tenant.name" . }} +rules: + - apiGroups: ["apps.cozystack.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: ["helm.toolkit.fluxcd.io"] + resources: ["helmreleases"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods", "pods/log"] + verbs: ["get", "list", "watch"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "tenant.name" . }}-view + namespace: {{ include "tenant.name" . }} +subjects: + - kind: Group + name: {{ include "tenant.name" . }}-view + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: {{ include "tenant.name" . }}-view + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "tenant.name" . }}-use + namespace: {{ include "tenant.name" . }} +rules: + - apiGroups: ["apps.cozystack.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: ["helm.toolkit.fluxcd.io"] + resources: ["helmreleases"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods", "pods/log"] + verbs: ["get", "list", "watch"] + - apiGroups: ["kubevirt.io"] + resources: ["virtualmachines"] + verbs: ["get", "list"] + - apiGroups: ["subresources.kubevirt.io"] + resources: ["virtualmachineinstances/console", "virtualmachineinstances/vnc"] + verbs: ["get", "list"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "tenant.name" . }}-use + namespace: {{ include "tenant.name" . }} +subjects: + - kind: Group + name: {{ include "tenant.name" . }}-use + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: {{ include "tenant.name" . 
}}-use + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "tenant.name" . }}-admin + namespace: {{ include "tenant.name" . }} +rules: + - apiGroups: ["helm.toolkit.fluxcd.io"] + resources: ["helmreleases"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["pods/log", "pods"] + verbs: ["get", "list", "watch", "delete"] + - apiGroups: ["kubevirt.io"] + resources: ["virtualmachines"] + verbs: ["get", "list"] + - apiGroups: ["subresources.kubevirt.io"] + resources: ["virtualmachineinstances/console", "virtualmachineinstances/vnc"] + verbs: ["get", "list"] + - apiGroups: ["apps.cozystack.io"] + resources: ["buckets", "clickhouses", "ferretdb", "foos", "httpcaches", "kafkas", "kuberneteses", "mysqls", "natses", "postgreses", "rabbitmqs", "redises", "seaweedfses", "tcpbalancers", "virtualmachines", "vmdisks", "vminstances"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "tenant.name" . }}-admin + namespace: {{ include "tenant.name" . }} +subjects: + - kind: Group + name: {{ include "tenant.name" . }}-admin + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: {{ include "tenant.name" . }}-admin + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "tenant.name" . }}-super-admin + namespace: {{ include "tenant.name" . 
}} +rules: + - apiGroups: ["helm.toolkit.fluxcd.io"] + resources: ["helmreleases"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["pods/log", "pods"] + verbs: ["get", "list", "watch", "delete"] + - apiGroups: ["kubevirt.io"] + resources: ["virtualmachines"] + verbs: ["get", "list"] + - apiGroups: ["subresources.kubevirt.io"] + resources: ["virtualmachineinstances/console", "virtualmachineinstances/vnc"] + verbs: ["get", "list"] + - apiGroups: ["apps.cozystack.io"] + resources: ["*"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "tenant.name" . }}-super-admin + namespace: {{ include "tenant.name" . }} +subjects: + - kind: Group + name: {{ include "tenant.name" . }}-super-admin + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: {{ include "tenant.name" . }}-super-admin + apiGroup: rbac.authorization.k8s.io diff --git a/packages/apps/versions_map b/packages/apps/versions_map index 0828366e4..08c646bcc 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -86,7 +86,8 @@ tenant 1.2.0 15478a88 tenant 1.3.0 ceefae03 tenant 1.3.1 c56e5769 tenant 1.4.0 94c688f7 -tenant 1.5.0 HEAD +tenant 1.5.0 48128743 +tenant 1.6.0 HEAD virtual-machine 0.1.4 f2015d6 virtual-machine 0.1.5 7cd7de7 virtual-machine 0.2.0 5ca8823 From 4f58d24d233f3461a3960c3ea1086c422a1751ac Mon Sep 17 00:00:00 2001 From: Floppy Disk Date: Mon, 25 Nov 2024 20:22:53 +0300 Subject: [PATCH 2/3] add KeycloakRealmGroup --- .../apps/tenant/templates/keycloakgroups.yaml | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 packages/apps/tenant/templates/keycloakgroups.yaml diff --git a/packages/apps/tenant/templates/keycloakgroups.yaml b/packages/apps/tenant/templates/keycloakgroups.yaml new file mode 100644 index 000000000..807772508 --- /dev/null 
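Review bot: The `-admin` and `-super-admin` Roles grant `create`/`update`/`patch` on `helmreleases`, which lets a tenant admin have the Flux helm-controller install whatever chart it can reach; unless helm-controller runs with Flux's multi-tenancy lockdown (`--default-service-account`, `--no-cross-namespace-refs`), which nothing in this series shows, that is an escalation to the controller's own, typically cluster-wide, privileges, so the rule deserves a comment recording the assumption, e.g. `# write access to helmreleases assumes helm-controller impersonates a tenant ServiceAccount (Flux multi-tenancy lockdown); without it this is cluster-admin by proxy`. The `-admin` resource list also contains `foos`, which reads like a placeholder resource and should not ship in a role unless `foos.apps.cozystack.io` is a real type. The difference between `-admin`'s explicit list and `-super-admin`'s `"*"` is presumably to withhold `tenants` (sub-tenant creation) from admins; a comment such as `# deliberately not "*": tenants are reserved for super-admin` would stop someone "simplifying" it later. Note that `-use` is a strict superset of `-view` plus KubeVirt's `virtualmachineinstances/console` and `/vnc` subresources, which are interactive guest access rather than read-only, so the naming slightly understates what that group can do.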
+++ b/packages/apps/tenant/templates/keycloakgroups.yaml @@ -0,0 +1,45 @@ +apiVersion: v1.edp.epam.com/v1 +kind: KeycloakRealmGroup +metadata: + name: {{ include "tenant.name" . }}-view +spec: + name: {{ include "tenant.name" . }}-view + realmRef: + name: keycloakrealm-cozy + kind: KeycloakRealm + +--- + +apiVersion: v1.edp.epam.com/v1 +kind: KeycloakRealmGroup +metadata: + name: {{ include "tenant.name" . }}-use +spec: + name: {{ include "tenant.name" . }}-use + realmRef: + name: keycloakrealm-cozy + kind: KeycloakRealm + +--- + +apiVersion: v1.edp.epam.com/v1 +kind: KeycloakRealmGroup +metadata: + name: {{ include "tenant.name" . }}-admin +spec: + name: {{ include "tenant.name" . }}-admin + realmRef: + name: keycloakrealm-cozy + kind: KeycloakRealm + +--- + +apiVersion: v1.edp.epam.com/v1 +kind: KeycloakRealmGroup +metadata: + name: {{ include "tenant.name" . }}-super-admin +spec: + name: {{ include "tenant.name" . }}-super-admin + realmRef: + name: keycloakrealm-cozy + kind: KeycloakRealm From f02bbf0b6437b7634c06565a23159da187c85fab Mon Sep 17 00:00:00 2001 From: Floppy Disk Date: Tue, 26 Nov 2024 02:46:55 +0300 Subject: [PATCH 3/3] fix configure and add KeycloakRealmGroup --- .../apps/tenant/templates/keycloakgroups.yaml | 12 ++++++++---- .../core/platform/bundles/distro-full.yaml | 7 +++++++ .../core/platform/bundles/distro-hosted.yaml | 7 +++++++ packages/core/platform/bundles/paas-full.yaml | 6 ++++++ .../core/platform/bundles/paas-hosted.yaml | 6 ++++++ packages/system/keycloak-configure/Chart.yaml | 3 +++ .../templates/configure-kk.yaml | 18 +++++++++--------- packages/system/keycloak-operator/values.yaml | 2 ++ 8 files changed, 48 insertions(+), 13 deletions(-) create mode 100644 packages/system/keycloak-configure/Chart.yaml rename packages/system/{keycloak-operator => keycloak-configure}/templates/configure-kk.yaml (84%) create mode 100644 packages/system/keycloak-operator/values.yaml 
diff --git a/packages/apps/tenant/templates/keycloakgroups.yaml b/packages/apps/tenant/templates/keycloakgroups.yaml index 807772508..e4b956e23 100644 --- a/packages/apps/tenant/templates/keycloakgroups.yaml +++ b/packages/apps/tenant/templates/keycloakgroups.yaml @@ -2,11 +2,12 @@ apiVersion: v1.edp.epam.com/v1 kind: KeycloakRealmGroup metadata: name: {{ include "tenant.name" . }}-view + namespace: {{ include "tenant.name" . }} spec: name: {{ include "tenant.name" . }}-view realmRef: name: keycloakrealm-cozy - kind: KeycloakRealm + kind: ClusterKeycloakRealm --- @@ -14,11 +15,12 @@ apiVersion: v1.edp.epam.com/v1 kind: KeycloakRealmGroup metadata: name: {{ include "tenant.name" . }}-use + namespace: {{ include "tenant.name" . }} spec: name: {{ include "tenant.name" . }}-use realmRef: name: keycloakrealm-cozy - kind: KeycloakRealm + kind: ClusterKeycloakRealm --- @@ -26,11 +28,12 @@ apiVersion: v1.edp.epam.com/v1 kind: KeycloakRealmGroup metadata: name: {{ include "tenant.name" . }}-admin + namespace: {{ include "tenant.name" . }} spec: name: {{ include "tenant.name" . }}-admin realmRef: name: keycloakrealm-cozy - kind: KeycloakRealm + kind: ClusterKeycloakRealm --- @@ -38,8 +41,9 @@ apiVersion: v1.edp.epam.com/v1 kind: KeycloakRealmGroup metadata: name: {{ include "tenant.name" . }}-super-admin + namespace: {{ include "tenant.name" . }} spec: name: {{ include "tenant.name" . }}-super-admin realmRef: name: keycloakrealm-cozy - kind: KeycloakRealm + kind: ClusterKeycloakRealm diff --git a/packages/core/platform/bundles/distro-full.yaml b/packages/core/platform/bundles/distro-full.yaml index 26ef8aac5..0d06471c8 100644 --- a/packages/core/platform/bundles/distro-full.yaml +++ b/packages/core/platform/bundles/distro-full.yaml 
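Review bot: The RoleBindings in tenant.yaml match these groups by the literal name `<tenant>-view`/`-use`/`-admin`/`-super-admin`, so this only works if the `groups` protocol mapper of the `cozy` realm emits the bare group name (Keycloak's Group Membership mapper emits the path `/tenant-a-admin` while `full.path` is on) and the API server is configured without an `--oidc-groups-prefix`; neither is visible here, so a comment on the first stanza should state the coupling, e.g. `# spec.name must equal the Group subject in the tenant RoleBindings: the realm's groups mapper has to emit bare names (full.path=false) and the apiserver must not prefix OIDC groups`. The four stanzas differ only in the suffix and could be a single `{{- range list "view" "use" "admin" "super-admin" }}` loop, keeping the role list in one place. Because the CR now lives in the tenant namespace, any future grant of `keycloakrealmgroups` to a tenant role would let that tenant set `spec.name` to another tenant's group and create or adopt it in Keycloak; a note that tenant Roles must never include `v1.edp.epam.com` resources would make that boundary explicit.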
@@ -188,3 +188,10 @@ releases: namespace: cozy-keycloak optional: true dependsOn: [keycloak] + +- name: keycloak-configure + releaseName: keycloak-configure + chart: cozy-keycloak-configure + namespace: cozy-keycloak + optional: true + dependsOn: [keycloak-operator] diff --git a/packages/core/platform/bundles/distro-hosted.yaml b/packages/core/platform/bundles/distro-hosted.yaml index 7b138a8da..57573553e 100644 --- a/packages/core/platform/bundles/distro-hosted.yaml +++ b/packages/core/platform/bundles/distro-hosted.yaml @@ -138,3 +138,10 @@ releases: namespace: cozy-keycloak optional: true dependsOn: [keycloak] + +- name: keycloak-configure + releaseName: keycloak-configure + chart: cozy-keycloak-configure + namespace: cozy-keycloak + optional: true + dependsOn: [keycloak-operator] diff --git a/packages/core/platform/bundles/paas-full.yaml b/packages/core/platform/bundles/paas-full.yaml index 7ba1256f2..27e1dd32a 100644 --- a/packages/core/platform/bundles/paas-full.yaml +++ b/packages/core/platform/bundles/paas-full.yaml @@ -261,3 +261,9 @@ releases: chart: cozy-keycloak-operator namespace: cozy-keycloak dependsOn: [keycloak] + +- name: keycloak-configure + releaseName: keycloak-configure + chart: cozy-keycloak-configure + namespace: cozy-keycloak + dependsOn: [keycloak-operator] diff --git a/packages/core/platform/bundles/paas-hosted.yaml b/packages/core/platform/bundles/paas-hosted.yaml index ee80ef6f9..695a4994d 100644 --- a/packages/core/platform/bundles/paas-hosted.yaml +++ b/packages/core/platform/bundles/paas-hosted.yaml @@ -157,3 +157,9 @@ releases: chart: cozy-keycloak-operator namespace: cozy-keycloak dependsOn: [keycloak] + +- name: keycloak-configure + releaseName: keycloak-configure + chart: cozy-keycloak-configure + namespace: cozy-keycloak + dependsOn: [keycloak-operator] diff --git a/packages/system/keycloak-configure/Chart.yaml b/packages/system/keycloak-configure/Chart.yaml new file mode 100644 index 000000000..033ecac6a --- /dev/null 
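Review bot: In the two distro bundles `keycloak-configure` (like `keycloak-operator` above it) is `optional: true`, yet the tenant chart in this series renders `KeycloakRealmGroup` objects unconditionally, so on a distro install without Keycloak every tenant HelmRelease will presumably fail on the missing `v1.edp.epam.com` CRD; if that reading is right, the tenant template needs a guard such as `{{- if .Capabilities.APIVersions.Has "v1.edp.epam.com/v1" }}` or a bundle-controlled value. The four bundle entries are identical apart from `optional`, and the reason Keycloak is optional only in distro bundles is not stated anywhere; a one-line comment on the distro entries, e.g. `# optional: distro bundles may run without Keycloak, in which case tenant SSO groups are not created`, would save the next reader a guess.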
+++ b/packages/system/keycloak-configure/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: cozy-keycloak-configure +version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process diff --git a/packages/system/keycloak-operator/templates/configure-kk.yaml b/packages/system/keycloak-configure/templates/configure-kk.yaml similarity index 84% rename from packages/system/keycloak-operator/templates/configure-kk.yaml rename to packages/system/keycloak-configure/templates/configure-kk.yaml index 33bd9de95..3bba54bb3 100644 --- a/packages/system/keycloak-operator/templates/configure-kk.yaml +++ b/packages/system/keycloak-configure/templates/configure-kk.yaml @@ -3,25 +3,25 @@ {{- $apiServerAdress := index $cozyConfig.data "api-server-adress" }} {{- $k8sClient := randAlphaNum 32 -}} -apiVersion: v1.edp.epam.com/v1 -kind: Keycloak +apiVersion: v1.edp.epam.com/v1alpha1 +kind: ClusterKeycloak metadata: name: keycloak-cozy + namespace: {{ .Release.Namespace }} spec: secret: keycloak-credentials url: https://keycloak.{{ $host }} --- -apiVersion: v1.edp.epam.com/v1 -kind: KeycloakRealm +apiVersion: v1.edp.epam.com/v1alpha1 +kind: ClusterKeycloakRealm metadata: name: keycloakrealm-cozy + namespace: {{ .Release.Namespace }} spec: realmName: cozy - keycloakRef: - name: keycloak-cozy - kind: Keycloak + clusterKeycloakRef: keycloak-cozy --- @@ -33,7 +33,7 @@ spec: name: groups realmRef: name: keycloakrealm-cozy - kind: KeycloakRealm + kind: ClusterKeycloakRealm description: "Group Membership" protocol: openid-connect protocolMappers: @@ -68,7 +68,7 @@ spec: enabled: true realmRef: name: keycloakrealm-cozy - kind: KeycloakRealm + kind: ClusterKeycloakRealm secret: $k8s-client:client-secret-key advancedProtocolMappers: true authorizationServicesEnabled: true diff --git a/packages/system/keycloak-operator/values.yaml b/packages/system/keycloak-operator/values.yaml new file mode 100644 index 000000000..573e5b208 --- /dev/null 
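Review bot: `ClusterKeycloak` and `ClusterKeycloakRealm` are, by their naming and by the bare-name `clusterKeycloakRef: keycloak-cozy`, cluster-scoped objects, so the added `namespace: {{ .Release.Namespace }}` on both is at best silently dropped by the API server and at worst rejected by a strict applier; it should be removed rather than left to suggest the realm is namespace-local. The switch matters more than it looks: a cluster-scoped realm can be referenced by `realmRef` from any namespace, so from now on the ability to create `v1.edp.epam.com` objects anywhere equals write access to the shared `cozy` realm, which deserves a comment beside the realm such as `# cluster-scoped on purpose: tenant namespaces reference this realm; never grant v1.edp.epam.com resources to tenant roles`. `secret: keycloak-credentials` is now resolved by an object without a namespace, so confirm which namespace the operator reads it from (presumably its own, `cozy-keycloak`). Both objects also move to `v1alpha1`, an alpha API of the operator, which is worth a note on expected stability.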
+++ b/packages/system/keycloak-operator/values.yaml @@ -0,0 +1,2 @@ +keycloak-operator: + clusterReconciliationEnabled: true
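Review bot: `clusterReconciliationEnabled: true` presumably makes the operator watch `v1.edp.epam.com` objects in every namespace rather than only its own, which is what the tenant-namespaced `KeycloakRealmGroup` objects in this series require, but the value is added without any explanation of that consequence; a comment should record it, e.g. `# required so KeycloakRealmGroup objects in tenant namespaces are reconciled; namespace RBAC on v1.edp.epam.com is now the only boundary around the shared realm`. With the operator acting cluster-wide, it is also worth verifying that its own ClusterRole is limited to its CRDs and the secrets it needs rather than broad `*` access, since anything it can read is now reachable through the Keycloak admin credentials it holds.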