
fix(password-jks): Align password-jks pwd value & allow ssl key exchange port
yyvess committed Jan 26, 2024
1 parent 0f55b95 commit 60bdd94
Showing 11 changed files with 70 additions and 26 deletions.
6 changes: 5 additions & 1 deletion templates/certificates.cue
Expand Up @@ -27,7 +27,11 @@ import (
annotations: #config.metadata.annotations
}
#Data: {
"password-jks": "changeme" // it's fine, secret don't add any security here
// it's fine, secret don't add any security here
// TODO Next version of cert manager, a pwd will be set by default
// https://github.com/cert-manager/cert-manager/pull/6657
// then we can remove this secret and use the default
"password-jks": "changeit" // it's fine, secret don't add any security here
}
}

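Review bot: The JKS password `"changeit"` must now match the `keystore_password="changeit"` literal in templates/configmap.cue by hand, which is exactly the drift this commit is repairing; defining the value once (for example a `#jksPassword: "changeit"` definition in config.cue — name to be chosen) and referencing it from both templates removes the coupling. The trailing comment on the `"password-jks"` line repeats the comment block directly above it and can be dropped. The block's rationale would be clearer if it stated why the secret adds nothing — presumably that anyone able to read the keystore Secret can read this Secret in the same namespace — so please confirm and spell that out. The definition enclosing `#Data` starts before the hunk.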
1 change: 0 additions & 1 deletion templates/config.cue
Expand Up @@ -169,7 +169,6 @@ import (
stack: *"kubernetes" | "tcp" | "udp" | "ec2" | "azure" | "google"
jgroups: {
name: *"jgroups" | string
port: *7800 | int & >0 & <=65535
}
}

8 changes: 5 additions & 3 deletions templates/configmap.cue
Expand Up @@ -20,17 +20,19 @@ import (
source: https://infinispan.org/docs/13.0.x/titles/embedding/embedding.html
-->
<stack name="encrypt-kubernetes" extends="kubernetes">
<SSL_KEY_EXCHANGE keystore_name="/jks/keystore.jks:"
<SSL_KEY_EXCHANGE keystore_name="/jks/keystore.jks"
keystore_password="changeit"
port="2157"
port_range="0"
stack.combine="INSERT_AFTER"
stack.position="VERIFY_SUSPECT2"/>
<ASYM_ENCRYPT use_external_key_exchange="true"
change_key_on_leave="false"
change_key_on_coord_leave="false"
asym_keylength="2048"
sym_keylength="128"
sym_algorithm="AES"
sym_keylength="128"
asym_algorithm="RSA"
asym_keylength="2048"
stack.combine="INSERT_BEFORE"
stack.position="pbcast.NAKACK2"/>
</stack>
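Review bot: `port="2157"` is a bare literal here and appears again in templates/networking.cue and templates/services.cue, now that the configurable `jgroups.port` was removed from templates/config.cue; if any one copy changes, the NetworkPolicy or Service silently stops matching the listener and key exchange fails at runtime. Defining both ports once in config.cue (e.g. `jgroups: { port: 7800, sslPort: 2157 }`, names to be chosen) and referencing them from the three templates keeps them aligned. `port_range="0"` pins the key-exchange listener to exactly 2157, which is what the NetworkPolicy and Service assume, so that part is consistent. The configmap definition enclosing this XML string starts and ends outside the hunk.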
9 changes: 6 additions & 3 deletions templates/deployment.cue
Expand Up @@ -105,20 +105,23 @@ import (
volumeMounts: [
if #config.ha {
{
mountPath: "/opt/keycloak/conf"
name: "cache"
mountPath: "/opt/keycloak/conf"
readOnly: true
}
},
if #certSecretName != _|_ {
{
mountPath: "/certs"
name: "certs"
mountPath: "/certs"
readOnly: true
}
},
if #jksSecretName != _|_ {
{
mountPath: "/jks"
name: "jks"
mountPath: "/jks"
readOnly: true
}
},
]
5 changes: 4 additions & 1 deletion templates/networking.cue
Expand Up @@ -43,7 +43,10 @@ import (
]
ports: [{
protocol: "TCP"
port: #config.cache.jgroups.port
port: 7800
}, {
protocol: "TCP"
port: 2157
},
]}
},
9 changes: 8 additions & 1 deletion templates/services.cue
Expand Up @@ -59,7 +59,14 @@ import (
ports: [
{
name: "jgroups"
port: #config.cache.jgroups.port
port: 7800
protocol: "TCP"
targetPort: "jgroups"
appProtocol: "tcp"
},
{
name: "jgroups-ssl"
port: 2157
protocol: "TCP"
targetPort: "jgroups"
appProtocol: "tcp"
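Review bot: The new `jgroups-ssl` Service port uses `targetPort: "jgroups"`, the same named container port as the 7800 entry, so traffic to 2157 through this Service would be forwarded to whatever port the container names `jgroups` rather than to the SSL_KEY_EXCHANGE listener on 2157. If the Service is headless and members connect to pod IPs directly this is harmless in practice, but the spec is still misleading; use `targetPort: 2157` or declare a second named container port in deployment.cue and reference it here. The container `ports` list is not in this hunk, so I cannot confirm what `jgroups` resolves to, and the Service `ports` array continues past the hunk.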
28 changes: 19 additions & 9 deletions test/certificate.yaml
Expand Up @@ -38,10 +38,10 @@ metadata:
app.kubernetes.io/managed-by: timoni
app.kubernetes.io/name: keycloak-jks-pwd
app.kubernetes.io/version: 0.0.0-devel
name: keycloak-jks-pwd-86dfda33
name: keycloak-jks-pwd-d89b3236
namespace: test
stringData:
password-jks: changeme
password-jks: changeit
---
apiVersion: cert-manager.io/v1
kind: Certificate
Expand All @@ -64,7 +64,7 @@ spec:
create: true
passwordSecretRef:
key: password-jks
name: keycloak-jks-pwd-86dfda33
name: keycloak-jks-pwd-d89b3236
secretName: keycloak-jks
---
apiVersion: cert-manager.io/v1
Expand Down Expand Up @@ -118,6 +118,11 @@ spec:
port: 7800
protocol: TCP
targetPort: jgroups
- appProtocol: tcp
name: jgroups-ssl
port: 2157
protocol: TCP
targetPort: jgroups
publishNotReadyAddresses: true
selector:
app.kubernetes.io/name: keycloak
Expand All @@ -130,11 +135,11 @@ data:
\ xmlns=\"urn:infinispan:config:11.0\">\n <jgroups>\n <!--\n
\ source: https://infinispan.org/docs/13.0.x/titles/embedding/embedding.html\n
\ -->\n <stack name=\"encrypt-kubernetes\" extends=\"kubernetes\">\n\t\t\t\t\t\t\t<SSL_KEY_EXCHANGE
keystore_name=\"/jks/keystore.jks:\"\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tkeystore_password=\"changeit\"\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tstack.combine=\"INSERT_AFTER\"\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tstack.position=\"VERIFY_SUSPECT2\"/>\n
keystore_name=\"/jks/keystore.jks\"\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tkeystore_password=\"changeit\"\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tport=\"2157\"\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tport_range=\"0\"\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tstack.combine=\"INSERT_AFTER\"\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tstack.position=\"VERIFY_SUSPECT2\"/>\n
\ <ASYM_ENCRYPT use_external_key_exchange=\"true\"\n change_key_on_leave=\"false\"\n
\ change_key_on_coord_leave=\"false\"\n asym_keylength=\"2048\"\n
\ sym_keylength=\"128\"\n sym_algorithm=\"AES\"\n
\ asym_algorithm=\"RSA\"\n stack.combine=\"INSERT_BEFORE\"\n
\ change_key_on_coord_leave=\"false\"\n sym_algorithm=\"AES\"\n
\ sym_keylength=\"128\"\n asym_algorithm=\"RSA\"\n
\ asym_keylength=\"2048\"\n stack.combine=\"INSERT_BEFORE\"\n
\ stack.position=\"pbcast.NAKACK2\"/>\n </stack>\n
\ </jgroups>\n\n <cache-container name=\"keycloak\">\n <transport
stack=\"encrypt-kubernetes\" lock-timeout=\"60000\"/>\n <local-cache
Expand Down Expand Up @@ -174,7 +179,7 @@ metadata:
app.kubernetes.io/managed-by: timoni
app.kubernetes.io/name: keycloak
app.kubernetes.io/version: 0.0.0-devel
name: keycloak-cc75f05f
name: keycloak-bef22f5a
namespace: test
---
apiVersion: policy/v1
Expand Down Expand Up @@ -215,6 +220,8 @@ spec:
ports:
- port: 7800
protocol: TCP
- port: 2157
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/name: keycloak
Expand Down Expand Up @@ -332,10 +339,13 @@ spec:
volumeMounts:
- mountPath: /opt/keycloak/conf
name: cache
readOnly: true
- mountPath: /certs
name: certs
readOnly: true
- mountPath: /jks
name: jks
readOnly: true
serviceAccountName: default
volumes:
- name: certs
Expand All @@ -348,6 +358,6 @@ spec:
items:
- key: cache-ispn.xml
path: cache-ispn.xml
name: keycloak-cc75f05f
name: keycloak-bef22f5a
name: cache
---
8 changes: 5 additions & 3 deletions test/external-secrets.yaml
Expand Up @@ -29,10 +29,10 @@ metadata:
app.kubernetes.io/managed-by: timoni
app.kubernetes.io/name: keycloak-jks-pwd
app.kubernetes.io/version: 0.0.0-devel
name: keycloak-jks-pwd-86dfda33
name: keycloak-jks-pwd-d89b3236
namespace: test
stringData:
password-jks: changeme
password-jks: changeit
---
apiVersion: cert-manager.io/v1
kind: Certificate
Expand All @@ -55,7 +55,7 @@ spec:
create: true
passwordSecretRef:
key: password-jks
name: keycloak-jks-pwd-86dfda33
name: keycloak-jks-pwd-d89b3236
secretName: keycloak-jks
---
apiVersion: v1
Expand Down Expand Up @@ -167,8 +167,10 @@ spec:
volumeMounts:
- mountPath: /certs
name: certs
readOnly: true
- mountPath: /jks
name: jks
readOnly: true
serviceAccountName: existing-sa
volumes:
- name: certs
6 changes: 6 additions & 0 deletions test/pdb.yaml
Expand Up @@ -42,6 +42,11 @@ spec:
port: 7800
protocol: TCP
targetPort: jgroups
- appProtocol: tcp
name: jgroups-ssl
port: 2157
protocol: TCP
targetPort: jgroups
publishNotReadyAddresses: true
selector:
app.kubernetes.io/name: keycloak
Expand Down Expand Up @@ -257,6 +262,7 @@ spec:
volumeMounts:
- mountPath: /opt/keycloak/conf
name: cache
readOnly: true
serviceAccountName: default
volumes:
- configMap:
2 changes: 1 addition & 1 deletion test/production-istio-values.cue
Expand Up @@ -14,7 +14,7 @@ values: {
virtualService: {
gateways: [{"istio-system/istio-ingressgateway"}]
hosts: [
"keycloak.myorgs.com",
"keycloak.myorg.com",
]
}

14 changes: 11 additions & 3 deletions test/production-istio.yaml
Expand Up @@ -44,6 +44,11 @@ spec:
port: 7800
protocol: TCP
targetPort: jgroups
- appProtocol: tcp
name: jgroups-ssl
port: 2157
protocol: TCP
targetPort: jgroups
publishNotReadyAddresses: true
selector:
app.kubernetes.io/name: keycloak
Expand Down Expand Up @@ -196,6 +201,8 @@ spec:
ports:
- port: 7800
protocol: TCP
- port: 2157
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/name: keycloak
Expand All @@ -215,7 +222,7 @@ spec:
gateways:
- istio-system/istio-ingressgateway
hosts:
- keycloak.myorgs.com
- keycloak.dev.eu.zelros.com
http:
- directResponse:
status: 403
Expand Down Expand Up @@ -274,9 +281,9 @@ spec:
- name: KEYCLOAK_ADMIN
value: admin
- name: KEYCLOAK_ADMIN_PASSWORD
value: FIXME-USE-SECRET
value: admin
- name: KC_DB_URL
value: jdbc:postgresql://keycloak.postgres.svc.cluster.local/keycloakdb?sslmode=require
value: jdbc:postgresql://keycloak.zel-wbeyaon.svc.cluster.local/keycloakdb?sslmode=require
- name: KC_DB_USERNAME
valueFrom:
secretKeyRef:
Expand Down Expand Up @@ -346,6 +353,7 @@ spec:
volumeMounts:
- mountPath: /opt/keycloak/conf
name: cache
readOnly: true
serviceAccountName: default
volumes:
- configMap:
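Review bot: This rendered fixture no longer matches test/production-istio-values.cue: the values file changes the host from `keycloak.myorgs.com` to `keycloak.myorg.com`, yet this file carries `keycloak.dev.eu.zelros.com` together with an environment-specific DB URL (`keycloak.zel-wbeyaon.svc.cluster.local`), which looks like output regenerated from a local, uncommitted values file. Please regenerate from the committed values so the fixture does not carry internal hostnames and namespaces. The `KEYCLOAK_ADMIN_PASSWORD` entry also appears to go from the `FIXME-USE-SECRET` placeholder to a literal `admin`; since `KC_DB_USERNAME` directly below already uses `valueFrom.secretKeyRef`, the production example should give the admin password the same shape rather than a plaintext `value`. Which side of each replaced pair is old and which is new is inferred from print order here, so confirm against the raw diff.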

0 comments on commit 60bdd94
