DEV-1211 bugfix#2: iam access for mobene|prodwork01 is broken

Michael Hähnel 2 years ago
parent 186f73a892
commit 844706cb29

@ -4,6 +4,8 @@ keycloak_id: "{{ inventory_hostname }}-keycloak"
keycloak_postgres_id: "{{ inventory_hostname }}-postgres-keycloak" keycloak_postgres_id: "{{ inventory_hostname }}-postgres-keycloak"
keycloak_labels: [ keycloak_labels: [
# Definve service
'"traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port={{ service_port }}"',
# open all # open all
'"traefik.enable=true"', '"traefik.enable=true"',
'"traefik.http.routers.{{ keycloak_id }}-public.service={{ keycloak_id }}"', '"traefik.http.routers.{{ keycloak_id }}-public.service={{ keycloak_id }}"',
@ -11,21 +13,18 @@ keycloak_labels: [
'"traefik.http.routers.{{ keycloak_id }}-public.entrypoints=websecure"', '"traefik.http.routers.{{ keycloak_id }}-public.entrypoints=websecure"',
'"traefik.http.routers.{{ keycloak_id }}-public.tls=true"', '"traefik.http.routers.{{ keycloak_id }}-public.tls=true"',
'"traefik.http.routers.{{ keycloak_id }}-public.tls.certresolver=letsencrypt"', '"traefik.http.routers.{{ keycloak_id }}-public.tls.certresolver=letsencrypt"',
'"traefik.http.services.{{ keycloak_id }}-public.loadbalancer.server.port={{ service_port }}"',
# allow login / login page (except for master) # allow login / login page (except for master)
'"traefik.http.routers.{{ keycloak_id }}-public-login.service={{ keycloak_id }}"', '"traefik.http.routers.{{ keycloak_id }}-public-login.service={{ keycloak_id }}"',
'"traefik.http.routers.{{ keycloak_id }}-public-login.rule=Host(`{{ stage_server_domain }}`) && (PathPrefix(`/auth/realms/{realm:[^/]+}/login-actions/authenticate`) && !PathPrefix(`/auth/realms/master/login-actions/authenticate`))"', '"traefik.http.routers.{{ keycloak_id }}-public-login.rule=Host(`{{ stage_server_domain }}`) && (PathPrefix(`/auth/realms/{realm:[^/]+}/login-actions/authenticate`) && !PathPrefix(`/auth/realms/master/login-actions/authenticate`))"',
'"traefik.http.routers.{{ keycloak_id }}-public-login.entrypoints=websecure"', '"traefik.http.routers.{{ keycloak_id }}-public-login.entrypoints=websecure"',
'"traefik.http.routers.{{ keycloak_id }}-public-login.tls=true"', '"traefik.http.routers.{{ keycloak_id }}-public-login.tls=true"',
'"traefik.http.routers.{{ keycloak_id }}-public-login.tls.certresolver=letsencrypt"', '"traefik.http.routers.{{ keycloak_id }}-public-login.tls.certresolver=letsencrypt"',
'"traefik.http.services.{{ keycloak_id }}-public-login.loadbalancer.server.port={{ service_port }}"',
# restrict all POST, PUT, DELETE, PATCH to intranet # restrict all POST, PUT, DELETE, PATCH to intranet
'"traefik.http.routers.{{ keycloak_id }}-private.service={{ keycloak_id }}"', '"traefik.http.routers.{{ keycloak_id }}-private.service={{ keycloak_id }}"',
'"traefik.http.routers.{{ keycloak_id }}-private.rule=Host(`{{ stage_server_domain }}`)&&Method(`POST`,`PUT`,`DELETE`, `PATCH`)"', '"traefik.http.routers.{{ keycloak_id }}-private.rule=Host(`{{ stage_server_domain }}`)&&Method(`POST`,`PUT`,`DELETE`, `PATCH`)"',
'"traefik.http.routers.{{ keycloak_id }}-private.entrypoints=websecure"', '"traefik.http.routers.{{ keycloak_id }}-private.entrypoints=websecure"',
'"traefik.http.routers.{{ keycloak_id }}-private.tls=true"', '"traefik.http.routers.{{ keycloak_id }}-private.tls=true"',
'"traefik.http.routers.{{ keycloak_id }}-private.tls.certresolver=letsencrypt"', '"traefik.http.routers.{{ keycloak_id }}-private.tls.certresolver=letsencrypt"',
'"traefik.http.services.{{ keycloak_id }}-private.loadbalancer.server.port={{ service_port }}"',
'"traefik.http.routers.{{ keycloak_id }}-private.middlewares={{ keycloak_id }}-private-ipwhitelist"', '"traefik.http.routers.{{ keycloak_id }}-private.middlewares={{ keycloak_id }}-private-ipwhitelist"',
'"traefik.http.middlewares.{{ keycloak_id }}-private-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + k8s_worker_node_ips + keycloak_ip_whitelist) | join(",") }}"', '"traefik.http.middlewares.{{ keycloak_id }}-private-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + k8s_worker_node_ips + keycloak_ip_whitelist) | join(",") }}"',
] ]
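Review bot: The comment added in the first hunk, `# Definve service`, has a typo and undersells what the new label does; since the three per-router service definitions are dropped in the second hunk, it is now the only backend service all routers reference, so something like `# Define the single backend service shared by the -public, -public-login and -private routers` would record that. With one shared service, the POST/PUT/DELETE/PATCH restriction lives entirely on the `-private` router's ipwhitelist middleware, and whether a login POST reaches `-public-login` or `-private` presumably depends on Traefik's default rule-length priority, as no explicit `priority` label is set; a short comment above the `-private` block stating that assumption would make the access model auditable. The `-public.rule` line sits between the two hunks and is not visible here, so I cannot confirm it is a plain `Host()` match that the `-private` rule outranks.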
