Extended Traefik lables for access restrictions on keycloak

Michael Hähnel 2 years ago
parent d59a2ace4a
commit 7eb2650482

@ -1,3 +1,2 @@
# Used to authorize access to keaycloak via tcp/443 on the hcloud firewall # Used to authorize access to keaycloak via tcp/443 on the hcloud firewall
keycloak_https_whitelisted_ips: keycloak_https_whitelisted_ips: []
- 0.0.0.0/0 # Public access to keycloak
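Review bot: The new value `keycloak_https_whitelisted_ips: []` leaves it unstated what an empty whitelist means for the tcp/443 rule the comment above says it feeds; depending on how the hcloud firewall role renders the list, an empty source set may drop the rule entirely (closing 443) or be rejected by the API, and the reader cannot tell which outcome is intended. Please state it on the comment line, e.g. `# Empty list: no tcp/443 allow rule is rendered on the hcloud firewall; admission is enforced by the Traefik ipwhitelist labels instead` — adjusted to whatever the firewall role actually does with `[]`. The hunk `@ -1,15 +1,2 @@` further down makes the same change to another vars file and needs the same comment.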

@ -20,16 +20,13 @@ keycloak_admin_realm_acls:
- name: mobene - name: mobene
admin_ips: admin_ips:
- 92.42.192.128/25 # MOB-486 - mobene - 92.42.192.128/25 # MOB-486 - mobene
- 167.235.150.201/32 # prodwork01-kube-cpl-01 ; DEV-786 mobene (nsodev) migration - 167.235.150.133/32 # DEV-786 - prodwork01-kube-node-01
- 167.235.150.198/32 # prodwork01-kube-cpl-02 ; DEV-786 mobene (nsodev) migration - 167.235.150.197/32 # DEV-786 - prodwork01-kube-node-02
- 167.235.150.195/32 # prodwork01-kube-cpl-03 ; DEV-786 mobene (nsodev) migration - 23.88.53.161/32 # DEV-786 - prodwork01-kube-node-03
- 167.235.150.133/32 # prodwork01-kube-node-01 ; DEV-786 mobene (nsodev) migration - 195.201.113.110/32 # DEV-786 - prodwork01-kube-node-04
- 167.235.150.197/32 # prodwork01-kube-node-02 DEV-786 mobene (nsodev) migration - 5.75.184.216/32 # DEV-786 - prodwork01-kube-node-05
- 23.88.53.161/32 # prodwork01-kube-node-03 ; DEV-786 mobene (nsodev) migration - 91.107.228.133/32 # DEV-987 - prodwork01-kube-node-06
- 195.201.113.110/32 # prodwork01-kube-node-04 ; DEV-786 mobene (nsodev) migration - 167.235.25.0/32 # DEV-987 - prodwork01-kube-node-07
- 5.75.184.216/32 # prodwork01-kube-node-05 ; DEV-786 mobene (nsodev) migration
- 91.107.228.133/32 # prodwork01-kube-node-06 ; => DEV-987
- 167.235.25.0/32 # prodwork01-kube-node-07 ; => DEV-987
- name: linde - name: linde
admin_ips: admin_ips:
- 145.225.17.1/32 # DEV-1142 - Linde - 145.225.17.1/32 # DEV-1142 - Linde
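Review bot: The seven `prodwork01-kube-node-0x` addresses kept under `admin_ips` for realm `mobene` are hard-coded, while the same commit starts discovering the worker-node addresses from the hcloud API by label in the `Get k8s_worker_node_ips` task; if these entries are meant to admit the same machines, the two lists will drift apart the next time a node is replaced or re-addressed. Consider documenting on the first entry why a static copy is still needed here, e.g. `# static copy of the kube_node addresses; keep in sync with the hcloud label lookup in the deployment tasks`, or sourcing them from the discovered list if the consumer of `keycloak_admin_realm_acls` can take a variable. The `keycloak_admin_realm_acls` list this hunk edits begins outside the hunk.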

@ -1,15 +1,2 @@
# Used to authorize access to keaycloak via tcp/443 on the hcloud firewall # Used to authorize access to keaycloak via tcp/443 on the hcloud firewall
keycloak_https_whitelisted_ips: keycloak_https_whitelisted_ips: []
- 0.0.0.0/0 # Public access to keycloak
# Use these Realm ACLs to create custom Traefik labels for Keycloak to restrict admin access per realm
# Both variables are mandatory!
# name: <realm_name>
# admin_ips: <ip/range in cidr notation>
keycloak_admin_realm_acls:
- name: management
admin_ips:
- 79.140.117.133/32 # mha
- name: mhel
admin_ips:
- 79.140.117.133/32 # mha

@ -24,3 +24,23 @@
loop_var: keycloak_accessible_realm loop_var: keycloak_accessible_realm
tags: tags:
- update_deployment - update_deployment
# Neccessary for Trafik labels to allow POST method from AWX on k8s
- name: "Get k8s_worker_node_ips"
block:
- name: "Lookup hetzner servers - smaradigo k8s worker nodes"
become: false
delegate_to: localhost
hcloud_server_info:
api_token: "{{ hetzner_authentication_ansible_vault }}"
label_selector: "service=kube_node,stage={{ stage }}"
register: found_servers
- name: "Initial VAR(s)"
set_fact:
k8s_worker_node_ips: []
- name: "Get IPs from k8s worker nodes"
set_fact:
k8s_worker_node_ips: '{{ k8s_worker_node_ips + [ item + "/32" ] }}'
loop: '{{ found_servers.hcloud_server_info | selectattr("ipv4_address","defined") | map(attribute="ipv4_address") }}'
tags:
- update_deployment
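Review bot: `selectattr("ipv4_address","defined")` on the `loop:` line of `Get IPs from k8s worker nodes` keeps servers whose `ipv4_address` key is present but null — if `hcloud_server_info` reports servers without a public IPv4 that way, the loop appends an entry like `None/32` and the Traefik `sourcerange` that consumes `k8s_worker_node_ips` becomes unparsable. Filtering on value and building the list in one expression avoids both that and the per-item `set_fact` loop: `k8s_worker_node_ips: "{{ found_servers.hcloud_server_info | selectattr('ipv4_address', 'defined') | rejectattr('ipv4_address', 'none') | map(attribute='ipv4_address') | map('regex_replace', '$', '/32') | list }}"`, replacing the `Initial VAR(s)` and `Get IPs from k8s worker nodes` tasks. The block comment should also make the trust boundary explicit, since every server in the project carrying `service=kube_node,stage={{ stage }}` is thereby admitted to the state-changing routes: `# Every hcloud server labelled service=kube_node for this stage is added to the Traefik ipwhitelist for state-changing requests (AWX on k8s needs POST); the label is part of the access-control boundary`.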

@ -12,6 +12,13 @@ keycloak_labels: [
'"traefik.http.routers.{{ keycloak_id }}.tls.certresolver=letsencrypt"', '"traefik.http.routers.{{ keycloak_id }}.tls.certresolver=letsencrypt"',
'"traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port={{ service_port }}"', '"traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port={{ service_port }}"',
'"traefik.http.routers.{{ keycloak_id }}-auth.service={{ keycloak_id }}"',
'"traefik.http.routers.{{ keycloak_id }}-auth.rule=Host(`{{ stage_server_domain }}`) && (PathPrefix(`/auth/realms/{realm:[^/]+}/login-actions/authenticate`) && !PathPrefix(`/auth/realms/master/login-actions/authenticate`))"',
'"traefik.http.routers.{{ keycloak_id }}-auth.entrypoints=websecure"',
'"traefik.http.routers.{{ keycloak_id }}-auth.tls=true"',
'"traefik.http.routers.{{ keycloak_id }}-auth.tls.certresolver=letsencrypt"',
'"traefik.http.services.{{ keycloak_id }}-auth.loadbalancer.server.port={{ service_port }}"',
'"traefik.http.routers.{{ keycloak_id }}-state-change.service={{ keycloak_id }}"', '"traefik.http.routers.{{ keycloak_id }}-state-change.service={{ keycloak_id }}"',
'"traefik.http.routers.{{ keycloak_id }}-state-change.rule=Host(`{{ stage_server_domain }}`)&&Method(`POST`,`PUT`,`DELETE`, `PATCH`)"', '"traefik.http.routers.{{ keycloak_id }}-state-change.rule=Host(`{{ stage_server_domain }}`)&&Method(`POST`,`PUT`,`DELETE`, `PATCH`)"',
'"traefik.http.routers.{{ keycloak_id }}-state-change.entrypoints=websecure"', '"traefik.http.routers.{{ keycloak_id }}-state-change.entrypoints=websecure"',
@ -19,7 +26,7 @@ keycloak_labels: [
'"traefik.http.routers.{{ keycloak_id }}-state-change.tls.certresolver=letsencrypt"', '"traefik.http.routers.{{ keycloak_id }}-state-change.tls.certresolver=letsencrypt"',
'"traefik.http.services.{{ keycloak_id }}-state-change.loadbalancer.server.port={{ service_port }}"', '"traefik.http.services.{{ keycloak_id }}-state-change.loadbalancer.server.port={{ service_port }}"',
'"traefik.http.routers.{{ keycloak_id }}-state-change.middlewares={{ keycloak_id }}-state-change-ipwhitelist"', '"traefik.http.routers.{{ keycloak_id }}-state-change.middlewares={{ keycloak_id }}-state-change-ipwhitelist"',
'"traefik.http.middlewares.{{ keycloak_id }}-state-change-ipwhitelist.ipwhitelist.sourcerange={{ ip_whitelist | join(",") }}"', '"traefik.http.middlewares.{{ keycloak_id }}-state-change-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + k8s_worker_node_ips) | join(",") }}"',
] ]
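Review bot: The new `sourcerange` expression `(ip_whitelist + k8s_worker_node_ips)` on the last changed line raises an undefined-variable error whenever the `Get k8s_worker_node_ips` task did not run — that task is tagged `update_deployment`, while this file looks like a defaults/vars file evaluated on every run — so give the fact a fallback: `'"traefik.http.middlewares.{{ keycloak_id }}-state-change-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + (k8s_worker_node_ips | default([]))) | join(",") }}"',`. The new `-auth` router carries no ipwhitelist middleware and must win over `-state-change` for login POSTs; Traefik orders overlapping routers by rule length unless `traefik.http.routers.<name>.priority` is set, so an explicit priority on both routers would make that precedence deliberate rather than a by-product of the rule strings. The `{{ keycloak_id }}-auth` service declared by the added `loadbalancer.server.port` label is never referenced — the router points at `service={{ keycloak_id }}` — so that label is dead configuration and can be dropped. The `keycloak_labels` list opens before this hunk.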
keycloak_docker: { keycloak_docker: {
