DEV-1211 bugfix: iam access for mobene|prodwork01 is broken

2 years ago · 186f73a892
parent 7eb2650482
commit 186f73a892
3 changed files with 40 additions and 31 deletions
--- a/group_vars/all/keycloak.yml
+++ b/group_vars/all/keycloak.yml
@ -4,6 +4,9 @@ keycloak_admin_password: "{{ keycloak_admin_password_vault }}"

 keycloak_default_theme: "mpmx-theme"

+# Additional ips to consider as intranet ips (e.g. inter stage communication)
+keycloak_ip_whitelist: []
+
 # Use these Realm ACLs to create custom Traefik labels for Keycloak to restrict admin access per realm
 # Both variables are mandatory!
 # name: <realm_name>
--- a/group_vars/stage_prodnso/keycloak.yml
+++ b/group_vars/stage_prodnso/keycloak.yml
@ -2,6 +2,19 @@
 keycloak_https_whitelisted_ips:
  - 0.0.0.0/0 # Public access to keycloak

+# TODO migrate mobene completly to prodwork01
+keycloak_ip_whitelist:
+  - 167.235.150.133/32 # DEV-786 - prodwork01-kube-node-01
+  - 167.235.150.197/32 # DEV-786 - prodwork01-kube-node-02
+  - 23.88.53.161/32 # DEV-786 - prodwork01-kube-node-03
+  - 195.201.113.110/32 # DEV-786 - prodwork01-kube-node-04
+  - 5.75.184.216/32 # DEV-786 - prodwork01-kube-node-05
+  - 91.107.228.133/32 # DEV-987 - prodwork01-kube-node-06
+  - 167.235.25.0/32 # DEV-987 - prodwork01-kube-node-07
+
+keycloak_customer_ips_mobene:
+  - 92.42.192.128/25 # MOB-486 - mobene
+
 # Use these Realm ACLs to create custom Traefik labels for Keycloak to restrict admin access per realm
 # Both variables are mandatory!
 # name: <realm_name>
@ -18,15 +31,7 @@ keycloak_admin_realm_acls:
      - 195.200.47.243/32 # DEV-230 - sparda berlin
      - 195.200.47.244/32 # DEV-230 - sparda berlin
  - name: mobene
-    admin_ips:
-      - 92.42.192.128/25 # MOB-486 - mobene
-      - 167.235.150.133/32 # DEV-786 - prodwork01-kube-node-01
-      - 167.235.150.197/32 # DEV-786 - prodwork01-kube-node-02
-      - 23.88.53.161/32 # DEV-786 - prodwork01-kube-node-03
-      - 195.201.113.110/32 # DEV-786 - prodwork01-kube-node-04
-      - 5.75.184.216/32 # DEV-786 - prodwork01-kube-node-05
-      - 91.107.228.133/32 # DEV-987 - prodwork01-kube-node-06
-      - 167.235.25.0/32 # DEV-987 - prodwork01-kube-node-07
+    admin_ips: "{{ keycloak_customer_ips_mobene + keycloak_ip_whitelist }}"
  - name: linde
    admin_ips:
      - 145.225.17.1/32 # DEV-1142 - Linde
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
@ -4,29 +4,30 @@ keycloak_id: "{{ inventory_hostname }}-keycloak"
 keycloak_postgres_id: "{{ inventory_hostname }}-postgres-keycloak"

 keycloak_labels: [
+  # open all
  '"traefik.enable=true"',
-  '"traefik.http.routers.{{ keycloak_id }}.service={{ keycloak_id }}"',
-  '"traefik.http.routers.{{ keycloak_id }}.rule=Host(`{{ stage_server_domain }}`)"',
-  '"traefik.http.routers.{{ keycloak_id }}.entrypoints=websecure"',
-  '"traefik.http.routers.{{ keycloak_id }}.tls=true"',
-  '"traefik.http.routers.{{ keycloak_id }}.tls.certresolver=letsencrypt"',
-  '"traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port={{ service_port }}"',
-
-  '"traefik.http.routers.{{ keycloak_id }}-auth.service={{ keycloak_id }}"',
-  '"traefik.http.routers.{{ keycloak_id }}-auth.rule=Host(`{{ stage_server_domain }}`) && (PathPrefix(`/auth/realms/{realm:[^/]+}/login-actions/authenticate`) && !PathPrefix(`/auth/realms/master/login-actions/authenticate`))"',
-  '"traefik.http.routers.{{ keycloak_id }}-auth.entrypoints=websecure"',
-  '"traefik.http.routers.{{ keycloak_id }}-auth.tls=true"',
-  '"traefik.http.routers.{{ keycloak_id }}-auth.tls.certresolver=letsencrypt"',
-  '"traefik.http.services.{{ keycloak_id }}-auth.loadbalancer.server.port={{ service_port }}"',
-
-  '"traefik.http.routers.{{ keycloak_id }}-state-change.service={{ keycloak_id }}"',
-  '"traefik.http.routers.{{ keycloak_id }}-state-change.rule=Host(`{{ stage_server_domain }}`)&&Method(`POST`,`PUT`,`DELETE`, `PATCH`)"',
-  '"traefik.http.routers.{{ keycloak_id }}-state-change.entrypoints=websecure"',
-  '"traefik.http.routers.{{ keycloak_id }}-state-change.tls=true"',
-  '"traefik.http.routers.{{ keycloak_id }}-state-change.tls.certresolver=letsencrypt"',
-  '"traefik.http.services.{{ keycloak_id }}-state-change.loadbalancer.server.port={{ service_port }}"',
-  '"traefik.http.routers.{{ keycloak_id }}-state-change.middlewares={{ keycloak_id }}-state-change-ipwhitelist"',
-  '"traefik.http.middlewares.{{ keycloak_id }}-state-change-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + k8s_worker_node_ips) | join(",") }}"',
+  '"traefik.http.routers.{{ keycloak_id }}-public.service={{ keycloak_id }}"',
+  '"traefik.http.routers.{{ keycloak_id }}-public.rule=Host(`{{ stage_server_domain }}`)"',
+  '"traefik.http.routers.{{ keycloak_id }}-public.entrypoints=websecure"',
+  '"traefik.http.routers.{{ keycloak_id }}-public.tls=true"',
+  '"traefik.http.routers.{{ keycloak_id }}-public.tls.certresolver=letsencrypt"',
+  '"traefik.http.services.{{ keycloak_id }}-public.loadbalancer.server.port={{ service_port }}"',
+  # allow login / login page (except for master)
+  '"traefik.http.routers.{{ keycloak_id }}-public-login.service={{ keycloak_id }}"',
+  '"traefik.http.routers.{{ keycloak_id }}-public-login.rule=Host(`{{ stage_server_domain }}`) && (PathPrefix(`/auth/realms/{realm:[^/]+}/login-actions/authenticate`) && !PathPrefix(`/auth/realms/master/login-actions/authenticate`))"',
+  '"traefik.http.routers.{{ keycloak_id }}-public-login.entrypoints=websecure"',
+  '"traefik.http.routers.{{ keycloak_id }}-public-login.tls=true"',
+  '"traefik.http.routers.{{ keycloak_id }}-public-login.tls.certresolver=letsencrypt"',
+  '"traefik.http.services.{{ keycloak_id }}-public-login.loadbalancer.server.port={{ service_port }}"',
+  # restrict all POST, PUT, DELETE, PATCH to intranet
+  '"traefik.http.routers.{{ keycloak_id }}-private.service={{ keycloak_id }}"',
+  '"traefik.http.routers.{{ keycloak_id }}-private.rule=Host(`{{ stage_server_domain }}`)&&Method(`POST`,`PUT`,`DELETE`, `PATCH`)"',
+  '"traefik.http.routers.{{ keycloak_id }}-private.entrypoints=websecure"',
+  '"traefik.http.routers.{{ keycloak_id }}-private.tls=true"',
+  '"traefik.http.routers.{{ keycloak_id }}-private.tls.certresolver=letsencrypt"',
+  '"traefik.http.services.{{ keycloak_id }}-private.loadbalancer.server.port={{ service_port }}"',
+  '"traefik.http.routers.{{ keycloak_id }}-private.middlewares={{ keycloak_id }}-private-ipwhitelist"',
+  '"traefik.http.middlewares.{{ keycloak_id }}-private-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + k8s_worker_node_ips + keycloak_ip_whitelist) | join(",") }}"',
 ]

 keycloak_docker: {