chore: Configure ingresses for Keycloak user endpoints and admin cons…

…ole (#58) Jira: EPMDEDP-13452 Related: #58 Change-Id: Ifeb628617a2be969262fc943bb21382b29aa232f
epam · Mar 13, 2024 · f4836da · f4836da
1 parent db4b406
commit f4836da
Show file tree

Hide file tree

Showing 3 changed files with 103 additions and 9 deletions.
diff --git a/add-ons/keycloak/README.md b/add-ons/keycloak/README.md
@@ -4,6 +4,31 @@
 
 A Helm chart for Keycloak
 
+# Expose Keycloak
+
+Keycloak add-on provides the ability to split user endpoints and admin endpoints to different Ingress Controllers.<br>
+The user endpoints are used for user authentication and authorization, while the admin endpoints are used for Keycloak administration.
+
+To expose external Keycloak endpoint, follow the steps below:
+
+1. Set the `keycloak.ingress.enabled` parameter to `true` to enable the Ingress resource.
+
+2. Set the `keycloak.ingress.ingressClassName` parameter to `external-nginx` to use the External Ingress Controller.
+
+```yaml
+keycloak:
+  ingress:
+    enabled: true
+    ingressClassName: "external-nginx"
+```
+
+These changes provide the ability to expose Keycloak endpoints according to the rules from [documentation](https://www.keycloak.org/server/reverseproxy#_exposed_path_recommendations).
+
+To expose internal Keycloak endpoint, follow the steps below:
+
+1. Set the `keycloak.ingress.console.enabled` parameter to `true` to enable the Ingress resource for admin console endpoint.
+2. Set the `keycloak.ingress.console.ingressClassName` parameter to `nginx` or leave it empty to use the Internal Ingress Controller.
+
 ## Requirements
 
 | Repository | Name | Version |
@@ -53,12 +78,22 @@ A Helm chart for Keycloak
 | keycloakx.fullnameOverride | string | `"keycloakx"` |  |
 | keycloakx.health.enabled | bool | `false` |  |
 | keycloakx.ingress.annotations."ingress.kubernetes.io/affinity" | string | `"cookie"` |  |
-| keycloakx.ingress.annotations."kubernetes.io/ingress.class" | string | `"nginx"` |  |
-| keycloakx.ingress.console.enabled | bool | `false` |  |
+| keycloakx.ingress.console.enabled | bool | `true` |  |
+| keycloakx.ingress.console.ingressClassName | string | `"nginx"` |  |
+| keycloakx.ingress.console.rules[0].host | string | `"keycloak-internal.example.com"` |  |
+| keycloakx.ingress.console.rules[0].paths[0].path | string | `"{{ tpl .Values.http.relativePath $ | trimSuffix \"/\" }}/"` |  |
+| keycloakx.ingress.console.rules[0].paths[0].pathType | string | `"Prefix"` |  |
 | keycloakx.ingress.enabled | bool | `true` |  |
+| keycloakx.ingress.ingressClassName | string | `"external-nginx"` |  |
 | keycloakx.ingress.rules[0].host | string | `"keycloak.example.com"` |  |
-| keycloakx.ingress.rules[0].paths[0].path | string | `"{{ tpl .Values.http.relativePath $ | trimSuffix \"/\" }}/"` |  |
+| keycloakx.ingress.rules[0].paths[0].path | string | `"{{ tpl .Values.http.relativePath $ | trimSuffix \"/\" }}/realms/"` |  |
 | keycloakx.ingress.rules[0].paths[0].pathType | string | `"Prefix"` |  |
+| keycloakx.ingress.rules[0].paths[1].path | string | `"{{ tpl .Values.http.relativePath $ | trimSuffix \"/\" }}/resources/"` |  |
+| keycloakx.ingress.rules[0].paths[1].pathType | string | `"Prefix"` |  |
+| keycloakx.ingress.rules[0].paths[2].path | string | `"{{ tpl .Values.http.relativePath $ | trimSuffix \"/\" }}/robots.txt"` |  |
+| keycloakx.ingress.rules[0].paths[2].pathType | string | `"Prefix"` |  |
+| keycloakx.ingress.rules[0].paths[3].path | string | `"{{ tpl .Values.http.relativePath $ | trimSuffix \"/\" }}/js/"` |  |
+| keycloakx.ingress.rules[0].paths[3].pathType | string | `"Prefix"` |  |
 | keycloakx.metrics.enabled | bool | `false` |  |
 | keycloakx.nameOverride | string | `"keycloakx"` |  |
 | keycloakx.proxy.enabled | bool | `true` |  |
@@ -68,4 +103,3 @@ A Helm chart for Keycloak
 | keycloakx.resources.requests.cpu | string | `"50m"` |  |
 | keycloakx.resources.requests.memory | string | `"512Mi"` |  |
 | pgo.enabled | bool | `true` | Enables creating a new database with Postgres operator. |
-
diff --git a/add-ons/keycloak/README.md.gotmpl b/add-ons/keycloak/README.md.gotmpl
@@ -0,0 +1,41 @@
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.badgesSection" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+
+# Expose Keycloak
+
+Keycloak add-on provides the ability to split user endpoints and admin endpoints to different Ingress Controllers.<br>
+The user endpoints are used for user authentication and authorization, while the admin endpoints are used for Keycloak administration.
+
+To expose external Keycloak endpoint, follow the steps below:
+
+1. Set the `keycloak.ingress.enabled` parameter to `true` to enable the Ingress resource.
+
+2. Set the `keycloak.ingress.ingressClassName` parameter to `external-nginx` to use the External Ingress Controller.
+
+```yaml
+keycloak:
+  ingress:
+    enabled: true
+    ingressClassName: "external-nginx"
+```
+
+These changes provide the ability to expose Keycloak endpoints according to the rules from [documentation](https://www.keycloak.org/server/reverseproxy#_exposed_path_recommendations).
+
+To expose internal Keycloak endpoint, follow the steps below:
+
+1. Set the `keycloak.ingress.console.enabled` parameter to `true` to enable the Ingress resource for admin console endpoint.
+2. Set the `keycloak.ingress.console.ingressClassName` parameter to `nginx` or leave it empty to use the Internal Ingress Controller.
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
diff --git a/add-ons/keycloak/values.yaml b/add-ons/keycloak/values.yaml
@@ -52,16 +52,35 @@ keycloakx:
   ingress:
     enabled: true
     annotations:
-      kubernetes.io/ingress.class: nginx
       ingress.kubernetes.io/affinity: cookie
-    # The following parameter is unrecommended to expose. Admin paths lead to an unnecessary attack vector.
-    console:
-      enabled: false
+    # Defines the class of the Ingress Controller.
+    # It allows you to choose which Ingress controller in cluster should be used to expose the Keycloak service to the outside world.
+    ingressClassName: "external-nginx"
+    # Exposes Keycloak paths according to the rules from documentation.
+    # Ref: https://www.keycloak.org/server/reverseproxy#_exposed_path_recommendations
     rules:
       - host: keycloak.example.com
         paths:
-          - path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/'
+          - path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/realms/'
+            pathType: Prefix
+          - path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/resources/'
+            pathType: Prefix
+          - path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/robots.txt'
             pathType: Prefix
+          - path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/js/'
+            pathType: Prefix
+    # Provides creating Ingress for Keycloak which is used to access the Keycloak Admin Console.
+    console:
+      enabled: true
+      # Defines the class of the Ingress controller.
+      # Use internal Ingress Class to expose the Keycloak Admin Console to the internal network.
+      ingressClassName: "nginx"
+      rules:
+        - host: keycloak-internal.example.com
+          # Paths for the host
+          paths:
+            - path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/'
+              pathType: Prefix
 
   proxy:
     enabled: true