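#!/usr/bin/env bash
# Provisions Keycloak on a local kind cluster and wires kubectl OIDC users to it.
# Phases (see RUN at the bottom): tear down previous terraform state, install the
# bitnami keycloak chart, apply ./terraform/keycloak, create RBAC bindings, and
# write kubectl credentials/contexts for the test users.
# Requires on PATH: helm, terraform, kubectl, curl, jq, base64.
# -e: stop at the first failing command; -u: an unset variable is an error;
# -o pipefail: a failing stage (e.g. the curl | jq token requests) fails its pipeline.
set -euo pipefail
# CONSTANTS
readonly DNSMASQ_DOMAIN=kind.cluster          # cluster DNS suffix (the name suggests dnsmasq resolves it)
readonly TF_STATE=.tf-state/keycloak.tfstate  # relative to ./terraform/keycloak, because terraform runs with -chdir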
# FUNCTIONS
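# Prints a phase banner: the message between two rule lines.
# Arguments: $1 - message, printed verbatim (printf keeps internal spacing and
#                 does not treat a leading '-' as an echo option).
# Outputs:   three lines on stdout.
log(){
  local -r rule="---------------------------------------------------------------------------------------"
  printf '%s\n' "$rule" "$1" "$rule"
}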
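# Installs (or upgrades) the bitnami keycloak chart into the keycloak namespace,
# exposed through the nginx ingress with a cert-manager issued certificate.
# Credentials default to the fixed development values below; they can be
# overridden through the environment (all optional):
#   KEYCLOAK_ADMIN_PASSWORD, KEYCLOAK_MANAGEMENT_PASSWORD, KEYCLOAK_DB_PASSWORD
# Returns: helm's exit status (--atomic rolls the release back if it is not
#          ready within --timeout).
keycloak(){
  log "KEYCLOAK ..."
  # Dev defaults for a throwaway kind cluster; set the env vars for anything else.
  local -r admin_password=${KEYCLOAK_ADMIN_PASSWORD:-admin}
  local -r management_password=${KEYCLOAK_MANAGEMENT_PASSWORD:-manager}
  local -r db_password=${KEYCLOAK_DB_PASSWORD:-password}
  # Values are fed on stdin (--values -); the unquoted heredoc expands the variables above.
  helm upgrade --install --wait --timeout 15m --atomic --namespace keycloak --create-namespace \
    --repo https://charts.bitnami.com/bitnami keycloak keycloak --reuse-values --values - <<EOF
auth:
  createAdminUser: true
  adminUser: admin
  adminPassword: $admin_password
  managementUser: manager
  managementPassword: $management_password
proxyAddressForwarding: true
ingress:
  enabled: true
  hostname: keycloak.kind.cluster
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: ca-issuer
  tls: true
postgresql:
  enabled: true
  auth:
    postgresPassword: $db_password
    password: $db_password
EOF
}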
# Runs the terraform configuration in ./terraform/keycloak against the freshly
# installed Keycloak (what it provisions is defined in that directory).
# Globals: TF_STATE (read) - state path, relative to the -chdir directory.
# Returns: non-zero if init or apply fails; init is chained with && so a
#          failed init never reaches apply.
keycloak_config(){
  log "KEYCLOAK CONFIG ..."
  local -r tf_dir=./terraform/keycloak
  terraform -chdir="$tf_dir" init \
    && terraform -chdir="$tf_dir" apply -auto-approve -state="$TF_STATE"
}
# Best-effort teardown of a previous run: destroys the terraform-managed
# Keycloak objects, then removes the local state file, lock file and
# provider cache so the next apply starts from scratch.
# Globals: TF_STATE (read).
# Returns: 0 - the destroy step is deliberately allowed to fail (nothing to
#          destroy on a fresh checkout).
cleanup(){
  log "CLEANUP ..."
  local -r tf_dir=./terraform/keycloak
  # The trailing '|| true' covers the whole init && destroy chain.
  terraform -chdir="$tf_dir" init \
    && terraform -chdir="$tf_dir" destroy -auto-approve -state="$TF_STATE" || true
  rm -f -- "$tf_dir/$TF_STATE" "$tf_dir/.terraform.lock.hcl"
  rm -rf -- "$tf_dir/.terraform"
}
# Creates two ClusterRoleBindings, each mapping a Group subject to a built-in
# ClusterRole (binding name == group name):
#   kube-admin -> cluster-admin (unrestricted cluster access)
#   kube-dev   -> edit
# Group membership is expected to come from the OIDC token set up in
# kubectl_config — confirm against the Keycloak client/mapper configuration.
# Returns: non-zero if either kubectl apply fails.
rbac(){
  log "RBAC ..."
  local group role
  # One kubectl apply per line of the BINDINGS list below.
  while read -r group role; do
    kubectl apply -f - <<EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: $group
subjects:
- kind: Group
  name: $group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $role
EOF
  done <<'BINDINGS'
kube-admin cluster-admin
kube-dev edit
BINDINGS
}
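# Obtains OIDC tokens for a Keycloak user and stores them as kubectl
# credentials plus a same-named context on the kind-kind cluster.
# Arguments: $1 - Keycloak username; also used as the password, which matches
#                 how the test users appear to be provisioned (confirm against
#                 ./terraform/keycloak).
# Reads:     .ssl/root-ca.pem - CA that signed the Keycloak certificate.
# Returns:   1 if the token request fails or returns no id_token/refresh_token;
#            otherwise the exit status of kubectl.
kubectl_config(){
  log "KUBECTL ..."
  local -r user=$1
  local -r issuer=https://keycloak.kind.cluster/auth/realms/master
  local -r token_url="$issuer/protocol/openid-connect/token"
  local token_json id_token refresh_token ca_data
  # A single password-grant response carries both tokens, so request it once.
  # -f turns an HTTP error into a failure instead of an error body that jq would
  # silently reduce to "null"; the assignment is kept separate from 'local' so
  # the exit status is not masked.
  token_json=$(curl -fsS -X POST "$token_url" \
    -d grant_type=password \
    -d client_id=kube \
    -d client_secret=kube-client-secret \
    -d "username=$user" \
    -d "password=$user" \
    -d scope=openid \
    -d response_type=id_token)
  # '// empty' maps a missing field to "" so the emptiness check below catches it.
  id_token=$(jq -r '.id_token // empty' <<<"$token_json")
  refresh_token=$(jq -r '.refresh_token // empty' <<<"$token_json")
  if [[ -z "$id_token" || -z "$refresh_token" ]]; then
    printf 'kubectl_config: token response for %s lacks id_token/refresh_token\n' "$user" >&2
    return 1
  fi
  ca_data=$(base64 < .ssl/root-ca.pem | tr -d '\n')
  # Both tokens end up in the kubeconfig written by kubectl; treat that file as a secret.
  kubectl config set-credentials "$user" \
    --auth-provider=oidc \
    --auth-provider-arg=client-id=kube \
    --auth-provider-arg=client-secret=kube-client-secret \
    --auth-provider-arg="idp-issuer-url=$issuer" \
    --auth-provider-arg="id-token=$id_token" \
    --auth-provider-arg="refresh-token=$refresh_token" \
    --auth-provider-arg="idp-certificate-authority-data=$ca_data"
  kubectl config set-context "$user" --cluster=kind-kind --user="$user"
}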
# RUN
# Entry point: the phases run in dependency order — a clean slate first, then
# the chart, its terraform configuration, the RBAC bindings and finally one
# kubectl user/context per test account.
main(){
  cleanup
  keycloak
  keycloak_config
  rbac
  kubectl_config user-admin
  kubectl_config user-dev
  # DONE
  log "KEYCLOAK READY !"
  printf '%s\n' "KEYCLOAK: https://keycloak.${DNSMASQ_DOMAIN}"
}
main "$@"