gitea-admin
/
hetzner-ansible
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

DEV-1211 bugfix: iam access for mobene|prodwork01 is broken

Browse Source
main
Michael Hähnel 2 years ago
parent 7eb2650482
commit 186f73a892
3 changed files with 40 additions and 31 deletions
Show Stats Download Patch File Download Diff File

3
group_vars/all/keycloak.yml
Unescape Escape View File

@ -4,6 +4,9 @@ keycloak_admin_password: "{{ keycloak_admin_password_vault }}"
keycloak_default_theme: "mpmx-theme" keycloak_default_theme: "mpmx-theme"
# Additional ips to consider as intranet ips (e.g. inter stage communication)
keycloak_ip_whitelist: []
# Use these Realm ACLs to create custom Traefik labels for Keycloak to restrict admin access per realm # Use these Realm ACLs to create custom Traefik labels for Keycloak to restrict admin access per realm
# Both variables are mandatory! # Both variables are mandatory!
# name: <realm_name> # name: <realm_name>

23
group_vars/stage_prodnso/keycloak.yml
Unescape Escape View File

@ -2,6 +2,19 @@
keycloak_https_whitelisted_ips: keycloak_https_whitelisted_ips:
- 0.0.0.0/0 # Public access to keycloak - 0.0.0.0/0 # Public access to keycloak
# TODO migrate mobene completly to prodwork01
keycloak_ip_whitelist:
- 167.235.150.133/32 # DEV-786 - prodwork01-kube-node-01
- 167.235.150.197/32 # DEV-786 - prodwork01-kube-node-02
- 23.88.53.161/32 # DEV-786 - prodwork01-kube-node-03
- 195.201.113.110/32 # DEV-786 - prodwork01-kube-node-04
- 5.75.184.216/32 # DEV-786 - prodwork01-kube-node-05
- 91.107.228.133/32 # DEV-987 - prodwork01-kube-node-06
- 167.235.25.0/32 # DEV-987 - prodwork01-kube-node-07
keycloak_customer_ips_mobene:
- 92.42.192.128/25 # MOB-486 - mobene
# Use these Realm ACLs to create custom Traefik labels for Keycloak to restrict admin access per realm # Use these Realm ACLs to create custom Traefik labels for Keycloak to restrict admin access per realm
# Both variables are mandatory! # Both variables are mandatory!
# name: <realm_name> # name: <realm_name>
@ -18,15 +31,7 @@ keycloak_admin_realm_acls:
- 195.200.47.243/32 # DEV-230 - sparda berlin - 195.200.47.243/32 # DEV-230 - sparda berlin
- 195.200.47.244/32 # DEV-230 - sparda berlin - 195.200.47.244/32 # DEV-230 - sparda berlin
- name: mobene - name: mobene
admin_ips: admin_ips: "{{ keycloak_customer_ips_mobene + keycloak_ip_whitelist }}"
- 92.42.192.128/25 # MOB-486 - mobene
- 167.235.150.133/32 # DEV-786 - prodwork01-kube-node-01
- 167.235.150.197/32 # DEV-786 - prodwork01-kube-node-02
- 23.88.53.161/32 # DEV-786 - prodwork01-kube-node-03
- 195.201.113.110/32 # DEV-786 - prodwork01-kube-node-04
- 5.75.184.216/32 # DEV-786 - prodwork01-kube-node-05
- 91.107.228.133/32 # DEV-987 - prodwork01-kube-node-06
- 167.235.25.0/32 # DEV-987 - prodwork01-kube-node-07
- name: linde - name: linde
admin_ips: admin_ips:
- 145.225.17.1/32 # DEV-1142 - Linde - 145.225.17.1/32 # DEV-1142 - Linde

45
roles/keycloak/vars/main.yml
Unescape Escape View File

@ -4,29 +4,30 @@ keycloak_id: "{{ inventory_hostname }}-keycloak"
keycloak_postgres_id: "{{ inventory_hostname }}-postgres-keycloak" keycloak_postgres_id: "{{ inventory_hostname }}-postgres-keycloak"
keycloak_labels: [ keycloak_labels: [
# open all
'"traefik.enable=true"', '"traefik.enable=true"',
'"traefik.http.routers.{{ keycloak_id }}.service={{ keycloak_id }}"', '"traefik.http.routers.{{ keycloak_id }}-public.service={{ keycloak_id }}"',
'"traefik.http.routers.{{ keycloak_id }}.rule=Host(`{{ stage_server_domain }}`)"', '"traefik.http.routers.{{ keycloak_id }}-public.rule=Host(`{{ stage_server_domain }}`)"',
'"traefik.http.routers.{{ keycloak_id }}.entrypoints=websecure"', '"traefik.http.routers.{{ keycloak_id }}-public.entrypoints=websecure"',
'"traefik.http.routers.{{ keycloak_id }}.tls=true"', '"traefik.http.routers.{{ keycloak_id }}-public.tls=true"',
'"traefik.http.routers.{{ keycloak_id }}.tls.certresolver=letsencrypt"', '"traefik.http.routers.{{ keycloak_id }}-public.tls.certresolver=letsencrypt"',
'"traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port={{ service_port }}"', '"traefik.http.services.{{ keycloak_id }}-public.loadbalancer.server.port={{ service_port }}"',
# allow login / login page (except for master)
'"traefik.http.routers.{{ keycloak_id }}-auth.service={{ keycloak_id }}"', '"traefik.http.routers.{{ keycloak_id }}-public-login.service={{ keycloak_id }}"',
'"traefik.http.routers.{{ keycloak_id }}-auth.rule=Host(`{{ stage_server_domain }}`) && (PathPrefix(`/auth/realms/{realm:[^/]+}/login-actions/authenticate`) && !PathPrefix(`/auth/realms/master/login-actions/authenticate`))"', '"traefik.http.routers.{{ keycloak_id }}-public-login.rule=Host(`{{ stage_server_domain }}`) && (PathPrefix(`/auth/realms/{realm:[^/]+}/login-actions/authenticate`) && !PathPrefix(`/auth/realms/master/login-actions/authenticate`))"',
'"traefik.http.routers.{{ keycloak_id }}-auth.entrypoints=websecure"', '"traefik.http.routers.{{ keycloak_id }}-public-login.entrypoints=websecure"',
'"traefik.http.routers.{{ keycloak_id }}-auth.tls=true"', '"traefik.http.routers.{{ keycloak_id }}-public-login.tls=true"',
'"traefik.http.routers.{{ keycloak_id }}-auth.tls.certresolver=letsencrypt"', '"traefik.http.routers.{{ keycloak_id }}-public-login.tls.certresolver=letsencrypt"',
'"traefik.http.services.{{ keycloak_id }}-auth.loadbalancer.server.port={{ service_port }}"', '"traefik.http.services.{{ keycloak_id }}-public-login.loadbalancer.server.port={{ service_port }}"',
# restrict all POST, PUT, DELETE, PATCH to intranet
'"traefik.http.routers.{{ keycloak_id }}-state-change.service={{ keycloak_id }}"', '"traefik.http.routers.{{ keycloak_id }}-private.service={{ keycloak_id }}"',
'"traefik.http.routers.{{ keycloak_id }}-state-change.rule=Host(`{{ stage_server_domain }}`)&&Method(`POST`,`PUT`,`DELETE`, `PATCH`)"', '"traefik.http.routers.{{ keycloak_id }}-private.rule=Host(`{{ stage_server_domain }}`)&&Method(`POST`,`PUT`,`DELETE`, `PATCH`)"',
'"traefik.http.routers.{{ keycloak_id }}-state-change.entrypoints=websecure"', '"traefik.http.routers.{{ keycloak_id }}-private.entrypoints=websecure"',
'"traefik.http.routers.{{ keycloak_id }}-state-change.tls=true"', '"traefik.http.routers.{{ keycloak_id }}-private.tls=true"',
'"traefik.http.routers.{{ keycloak_id }}-state-change.tls.certresolver=letsencrypt"', '"traefik.http.routers.{{ keycloak_id }}-private.tls.certresolver=letsencrypt"',
'"traefik.http.services.{{ keycloak_id }}-state-change.loadbalancer.server.port={{ service_port }}"', '"traefik.http.services.{{ keycloak_id }}-private.loadbalancer.server.port={{ service_port }}"',
'"traefik.http.routers.{{ keycloak_id }}-state-change.middlewares={{ keycloak_id }}-state-change-ipwhitelist"', '"traefik.http.routers.{{ keycloak_id }}-private.middlewares={{ keycloak_id }}-private-ipwhitelist"',
'"traefik.http.middlewares.{{ keycloak_id }}-state-change-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + k8s_worker_node_ips) | join(",") }}"', '"traefik.http.middlewares.{{ keycloak_id }}-private-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + k8s_worker_node_ips + keycloak_ip_whitelist) | join(",") }}"',
] ]
keycloak_docker: { keycloak_docker: {

Write Preview
Loading…
Cancel
Save