diff --git a/group_vars/all/keycloak.yml b/group_vars/all/keycloak.yml
index f502f90..3b9491a 100644
--- a/group_vars/all/keycloak.yml
+++ b/group_vars/all/keycloak.yml
@@ -4,6 +4,9 @@ keycloak_admin_password: "{{ keycloak_admin_password_vault }}"
keycloak_default_theme: "mpmx-theme"
+# Additional ips to consider as intranet ips (e.g. inter stage communication)
+keycloak_ip_whitelist: []
+
# Use these Realm ACLs to create custom Traefik labels for Keycloak to restrict admin access per realm
# Both variables are mandatory!
# name:
diff --git a/group_vars/stage_prodnso/keycloak.yml b/group_vars/stage_prodnso/keycloak.yml
index 9d19e52..c7c87a7 100644
--- a/group_vars/stage_prodnso/keycloak.yml
+++ b/group_vars/stage_prodnso/keycloak.yml
@@ -2,6 +2,19 @@ keycloak_https_whitelisted_ips:
- 0.0.0.0/0 # Public access to keycloak
+# TODO migrate mobene completly to prodwork01
+keycloak_ip_whitelist:
+ - 167.235.150.133/32 # DEV-786 - prodwork01-kube-node-01
+ - 167.235.150.197/32 # DEV-786 - prodwork01-kube-node-02
+ - 23.88.53.161/32 # DEV-786 - prodwork01-kube-node-03
+ - 195.201.113.110/32 # DEV-786 - prodwork01-kube-node-04
+ - 5.75.184.216/32 # DEV-786 - prodwork01-kube-node-05
+ - 91.107.228.133/32 # DEV-987 - prodwork01-kube-node-06
+ - 167.235.25.0/32 # DEV-987 - prodwork01-kube-node-07
+
+keycloak_customer_ips_mobene:
+ - 92.42.192.128/25 # MOB-486 - mobene
+
# Use these Realm ACLs to create custom Traefik labels for Keycloak to restrict admin access per realm
# Both variables are mandatory!
# name:
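Review bot: The comment on `keycloak_ip_whitelist` says what the list holds but not where it is enforced; in this same diff it is appended to the `-private` ipwhitelist sourcerange in roles/keycloak/vars/main.yml and reused inside a realm ACL, and because it is concatenated with `ip_whitelist` and `k8s_worker_node_ips` its entries have to be IP/CIDR strings. A reader of group_vars/all cannot see either consequence. Suggest `# Additional IP/CIDR strings treated as intranet (e.g. inter stage communication); appended to the -private ipwhitelist sourcerange in roles/keycloak/vars/main.yml and usable in keycloak_admin_realm_acls`.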
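Review bot: The seven prodwork01 node entries are declared temporary by the TODO, but nothing records when they are to be removed, and via the new `-private-ipwhitelist` each /32 now gets POST/PUT/DELETE/PATCH access to every realm on this stage rather than only the mobene admin ACL it sat in before (see the removed lines in the next hunk). A grant that widens scope should carry its exit condition. Suggest `# TODO(DEV-786): remove these prodwork01 nodes from the intranet list once mobene is fully migrated to prodwork01`.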
@@ -18,15 +31,7 @@ keycloak_admin_realm_acls:
- 195.200.47.243/32 # DEV-230 - sparda berlin
- 195.200.47.244/32 # DEV-230 - sparda berlin
- name: mobene
- admin_ips:
- - 92.42.192.128/25 # MOB-486 - mobene
- - 167.235.150.133/32 # DEV-786 - prodwork01-kube-node-01
- - 167.235.150.197/32 # DEV-786 - prodwork01-kube-node-02
- - 23.88.53.161/32 # DEV-786 - prodwork01-kube-node-03
- - 195.201.113.110/32 # DEV-786 - prodwork01-kube-node-04
- - 5.75.184.216/32 # DEV-786 - prodwork01-kube-node-05
- - 91.107.228.133/32 # DEV-987 - prodwork01-kube-node-06
- - 167.235.25.0/32 # DEV-987 - prodwork01-kube-node-07
+ admin_ips: "{{ keycloak_customer_ips_mobene + keycloak_ip_whitelist }}"
- name: linde
admin_ips:
- 145.225.17.1/32 # DEV-1142 - Linde
diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml
index 5ec34da..e1cd42c 100644
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
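Review bot: `admin_ips: "{{ keycloak_customer_ips_mobene + keycloak_ip_whitelist }}"` ties the mobene realm-admin ACL to `keycloak_ip_whitelist`, which this commit also feeds into the `-private` ipwhitelist for all POST/PUT/DELETE/PATCH traffic; any address later added to `keycloak_ip_whitelist` for inter-stage traffic silently becomes a mobene admin address too. The other realms (sparda, linde) still list explicit addresses, so the coupling is easy to overlook when the list is edited. Either add `# NOTE: keycloak_ip_whitelist is also the global intranet range of the -private router; entries added there gain mobene admin access` above the line, or keep the prodwork01 nodes in their own list (like `keycloak_customer_ips_mobene`) so admin scope and intranet scope stay independent.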
@@ -4,29 +4,30 @@ keycloak_id: "{{ inventory_hostname }}-keycloak"
keycloak_postgres_id: "{{ inventory_hostname }}-postgres-keycloak"
keycloak_labels: [
+ # open all
'"traefik.enable=true"',
- '"traefik.http.routers.{{ keycloak_id }}.service={{ keycloak_id }}"',
- '"traefik.http.routers.{{ keycloak_id }}.rule=Host(`{{ stage_server_domain }}`)"',
- '"traefik.http.routers.{{ keycloak_id }}.entrypoints=websecure"',
- '"traefik.http.routers.{{ keycloak_id }}.tls=true"',
- '"traefik.http.routers.{{ keycloak_id }}.tls.certresolver=letsencrypt"',
- '"traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port={{ service_port }}"',
-
- '"traefik.http.routers.{{ keycloak_id }}-auth.service={{ keycloak_id }}"',
- '"traefik.http.routers.{{ keycloak_id }}-auth.rule=Host(`{{ stage_server_domain }}`) && (PathPrefix(`/auth/realms/{realm:[^/]+}/login-actions/authenticate`) && !PathPrefix(`/auth/realms/master/login-actions/authenticate`))"',
- '"traefik.http.routers.{{ keycloak_id }}-auth.entrypoints=websecure"',
- '"traefik.http.routers.{{ keycloak_id }}-auth.tls=true"',
- '"traefik.http.routers.{{ keycloak_id }}-auth.tls.certresolver=letsencrypt"',
- '"traefik.http.services.{{ keycloak_id }}-auth.loadbalancer.server.port={{ service_port }}"',
-
- '"traefik.http.routers.{{ keycloak_id }}-state-change.service={{ keycloak_id }}"',
- '"traefik.http.routers.{{ keycloak_id }}-state-change.rule=Host(`{{ stage_server_domain }}`)&&Method(`POST`,`PUT`,`DELETE`, `PATCH`)"',
- '"traefik.http.routers.{{ keycloak_id }}-state-change.entrypoints=websecure"',
- '"traefik.http.routers.{{ keycloak_id }}-state-change.tls=true"',
- '"traefik.http.routers.{{ keycloak_id }}-state-change.tls.certresolver=letsencrypt"',
- '"traefik.http.services.{{ keycloak_id }}-state-change.loadbalancer.server.port={{ service_port }}"',
- '"traefik.http.routers.{{ keycloak_id }}-state-change.middlewares={{ keycloak_id }}-state-change-ipwhitelist"',
- '"traefik.http.middlewares.{{ keycloak_id }}-state-change-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + k8s_worker_node_ips) | join(",") }}"',
+ '"traefik.http.routers.{{ keycloak_id }}-public.service={{ keycloak_id }}"',
+ '"traefik.http.routers.{{ keycloak_id }}-public.rule=Host(`{{ stage_server_domain }}`)"',
+ '"traefik.http.routers.{{ keycloak_id }}-public.entrypoints=websecure"',
+ '"traefik.http.routers.{{ keycloak_id }}-public.tls=true"',
+ '"traefik.http.routers.{{ keycloak_id }}-public.tls.certresolver=letsencrypt"',
+ '"traefik.http.services.{{ keycloak_id }}-public.loadbalancer.server.port={{ service_port }}"',
+ # allow login / login page (except for master)
+ '"traefik.http.routers.{{ keycloak_id }}-public-login.service={{ keycloak_id }}"',
+ '"traefik.http.routers.{{ keycloak_id }}-public-login.rule=Host(`{{ stage_server_domain }}`) && (PathPrefix(`/auth/realms/{realm:[^/]+}/login-actions/authenticate`) && !PathPrefix(`/auth/realms/master/login-actions/authenticate`))"',
+ '"traefik.http.routers.{{ keycloak_id }}-public-login.entrypoints=websecure"',
+ '"traefik.http.routers.{{ keycloak_id }}-public-login.tls=true"',
+ '"traefik.http.routers.{{ keycloak_id }}-public-login.tls.certresolver=letsencrypt"',
+ '"traefik.http.services.{{ keycloak_id }}-public-login.loadbalancer.server.port={{ service_port }}"',
+ # restrict all POST, PUT, DELETE, PATCH to intranet
+ '"traefik.http.routers.{{ keycloak_id }}-private.service={{ keycloak_id }}"',
+ '"traefik.http.routers.{{ keycloak_id }}-private.rule=Host(`{{ stage_server_domain }}`)&&Method(`POST`,`PUT`,`DELETE`, `PATCH`)"',
+ '"traefik.http.routers.{{ keycloak_id }}-private.entrypoints=websecure"',
+ '"traefik.http.routers.{{ keycloak_id }}-private.tls=true"',
+ '"traefik.http.routers.{{ keycloak_id }}-private.tls.certresolver=letsencrypt"',
+ '"traefik.http.services.{{ keycloak_id }}-private.loadbalancer.server.port={{ service_port }}"',
+ '"traefik.http.routers.{{ keycloak_id }}-private.middlewares={{ keycloak_id }}-private-ipwhitelist"',
+ '"traefik.http.middlewares.{{ keycloak_id }}-private-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + k8s_worker_node_ips + keycloak_ip_whitelist) | join(",") }}"',
]
keycloak_docker: {
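Review bot: The `-public-login` router is meant to let realm login POSTs through while `-private` blocks every POST/PUT/DELETE/PATCH from outside the whitelist, but none of the new routers sets a `priority`, so which one wins for a login POST depends on Traefik's default rule-length ordering; a later edit that shortens the login rule or lengthens the private rule would silently either block all logins or expose state-changing requests to the internet. Pin the order explicitly, e.g. `'"traefik.http.routers.{{ keycloak_id }}-public-login.priority=30"'` and `'"traefik.http.routers.{{ keycloak_id }}-private.priority=20"'`, leaving `-public` lowest. The `sourcerange` check also evaluates the immediate peer address unless `ipwhitelist.ipstrategy` is configured, so if Traefik on this stage sits behind another proxy or load balancer every request would carry that hop's address; I cannot tell the topology from the diff, so please confirm. The enclosing `keycloak_labels` list is fully visible here, but `keycloak_docker` continues outside the hunk.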