Extended Traefik lables for access restrictions on keycloak

2 years ago · 7eb2650482
parent d59a2ace4a
commit 7eb2650482
5 changed files with 38 additions and 28 deletions
--- a/group_vars/stage_devnso/keycloak.yml
+++ b/group_vars/stage_devnso/keycloak.yml
@ -1,3 +1,2 @@
 # Used to authorize access to keaycloak via tcp/443 on the hcloud firewall
-keycloak_https_whitelisted_ips:
-  - 0.0.0.0/0 # Public access to keycloak
+keycloak_https_whitelisted_ips: []
--- a/group_vars/stage_prodnso/keycloak.yml
+++ b/group_vars/stage_prodnso/keycloak.yml
@ -20,16 +20,13 @@ keycloak_admin_realm_acls:
  - name: mobene
    admin_ips:
      - 92.42.192.128/25 # MOB-486 - mobene
-      - 167.235.150.201/32 # prodwork01-kube-cpl-01 ; DEV-786 mobene (nsodev) migration
-      - 167.235.150.198/32 # prodwork01-kube-cpl-02 ; DEV-786 mobene (nsodev) migration
-      - 167.235.150.195/32 # prodwork01-kube-cpl-03 ; DEV-786 mobene (nsodev) migration
-      - 167.235.150.133/32 # prodwork01-kube-node-01 ; DEV-786 mobene (nsodev) migration
-      - 167.235.150.197/32 # prodwork01-kube-node-02 DEV-786 mobene (nsodev) migration
-      - 23.88.53.161/32 # prodwork01-kube-node-03 ; DEV-786 mobene (nsodev) migration
-      - 195.201.113.110/32 # prodwork01-kube-node-04 ; DEV-786 mobene (nsodev) migration
-      - 5.75.184.216/32 # prodwork01-kube-node-05 ; DEV-786 mobene (nsodev) migration
-      - 91.107.228.133/32 # prodwork01-kube-node-06 ; => DEV-987
-      - 167.235.25.0/32 # prodwork01-kube-node-07 ; => DEV-987
+      - 167.235.150.133/32 # DEV-786 - prodwork01-kube-node-01
+      - 167.235.150.197/32 # DEV-786 - prodwork01-kube-node-02
+      - 23.88.53.161/32 # DEV-786 - prodwork01-kube-node-03
+      - 195.201.113.110/32 # DEV-786 - prodwork01-kube-node-04
+      - 5.75.184.216/32 # DEV-786 - prodwork01-kube-node-05
+      - 91.107.228.133/32 # DEV-987 - prodwork01-kube-node-06
+      - 167.235.25.0/32 # DEV-987 - prodwork01-kube-node-07
  - name: linde
    admin_ips:
      - 145.225.17.1/32 # DEV-1142 - Linde
--- a/group_vars/stage_qanso/keycloak.yml
+++ b/group_vars/stage_qanso/keycloak.yml
@ -1,15 +1,2 @@
 # Used to authorize access to keaycloak via tcp/443 on the hcloud firewall
-keycloak_https_whitelisted_ips:
-  - 0.0.0.0/0 # Public access to keycloak
-
-# Use these Realm ACLs to create custom Traefik labels for Keycloak to restrict admin access per realm
-# Both variables are mandatory!
-# name: <realm_name>
-# admin_ips: <ip/range in cidr notation>
-keycloak_admin_realm_acls:
-  - name: management
-    admin_ips:
-      - 79.140.117.133/32 # mha
-  - name: mhel
-    admin_ips:
-      - 79.140.117.133/32 # mha
+keycloak_https_whitelisted_ips: []
--- a/roles/keycloak/tasks/_configure_traefik.yml
+++ b/roles/keycloak/tasks/_configure_traefik.yml
@ -3,7 +3,7 @@
  ansible.builtin.set_fact:
    labels:
      - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.service={{ keycloak_id }}"'
-      - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.rule=Host(`{{ stage_server_domain }}`) && Method(`POST`,`PUT`,`DELETE`, `PATCH`) && (PathPrefix(`/auth/realms/{{ keycloak_accessible_realm.name }}`) || PathPrefix(`/auth/admin/{{ keycloak_accessible_realm.name }}`) || PathPrefix(`/auth/admin/realms/{{ keycloak_accessible_realm.name }}`))"'
+      - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.rule=Host(`{{ stage_server_domain }}`) && Method(`POST`,`PUT`,`DELETE`,`PATCH`) && (PathPrefix(`/auth/realms/{{ keycloak_accessible_realm.name }}`) || PathPrefix(`/auth/admin/{{ keycloak_accessible_realm.name }}`) || PathPrefix(`/auth/admin/realms/{{ keycloak_accessible_realm.name }}`))"'
      - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.entrypoints=websecure"'
      - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.tls=true"'
      - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.tls.certresolver=letsencrypt-http"'
@ -24,3 +24,23 @@
    loop_var: keycloak_accessible_realm
  tags:
    - update_deployment
+
+# Neccessary for Trafik labels to allow POST method from AWX on k8s
+- name: "Get k8s_worker_node_ips"
+  block:
+    - name: "Lookup hetzner servers - smaradigo k8s worker nodes"
+      become: false
+      delegate_to: localhost
+      hcloud_server_info:
+        api_token: "{{ hetzner_authentication_ansible_vault }}"
+        label_selector: "service=kube_node,stage={{ stage }}"
+      register: found_servers
+    - name: "Initial VAR(s)"
+      set_fact:
+        k8s_worker_node_ips: []
+    - name: "Get IPs from k8s worker nodes"
+      set_fact:
+        k8s_worker_node_ips: '{{ k8s_worker_node_ips + [ item + "/32" ] }}'
+      loop: '{{ found_servers.hcloud_server_info | selectattr("ipv4_address","defined") | map(attribute="ipv4_address") }}'
+  tags:
+    - update_deployment
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
@ -12,6 +12,13 @@ keycloak_labels: [
  '"traefik.http.routers.{{ keycloak_id }}.tls.certresolver=letsencrypt"',
  '"traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port={{ service_port }}"',

+  '"traefik.http.routers.{{ keycloak_id }}-auth.service={{ keycloak_id }}"',
+  '"traefik.http.routers.{{ keycloak_id }}-auth.rule=Host(`{{ stage_server_domain }}`) && (PathPrefix(`/auth/realms/{realm:[^/]+}/login-actions/authenticate`) && !PathPrefix(`/auth/realms/master/login-actions/authenticate`))"',
+  '"traefik.http.routers.{{ keycloak_id }}-auth.entrypoints=websecure"',
+  '"traefik.http.routers.{{ keycloak_id }}-auth.tls=true"',
+  '"traefik.http.routers.{{ keycloak_id }}-auth.tls.certresolver=letsencrypt"',
+  '"traefik.http.services.{{ keycloak_id }}-auth.loadbalancer.server.port={{ service_port }}"',
+
  '"traefik.http.routers.{{ keycloak_id }}-state-change.service={{ keycloak_id }}"',
  '"traefik.http.routers.{{ keycloak_id }}-state-change.rule=Host(`{{ stage_server_domain }}`)&&Method(`POST`,`PUT`,`DELETE`, `PATCH`)"',
  '"traefik.http.routers.{{ keycloak_id }}-state-change.entrypoints=websecure"',
@ -19,7 +26,7 @@ keycloak_labels: [
  '"traefik.http.routers.{{ keycloak_id }}-state-change.tls.certresolver=letsencrypt"',
  '"traefik.http.services.{{ keycloak_id }}-state-change.loadbalancer.server.port={{ service_port }}"',
  '"traefik.http.routers.{{ keycloak_id }}-state-change.middlewares={{ keycloak_id }}-state-change-ipwhitelist"',
-  '"traefik.http.middlewares.{{ keycloak_id }}-state-change-ipwhitelist.ipwhitelist.sourcerange={{ ip_whitelist | join(",") }}"',
+  '"traefik.http.middlewares.{{ keycloak_id }}-state-change-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + k8s_worker_node_ips) | join(",") }}"',
 ]

 keycloak_docker: {