From e9f67624d1f5e25d24c951e385661341baa21830 Mon Sep 17 00:00:00 2001 From: Andreas Geissler Date: Wed, 24 Apr 2024 15:38:24 +0200 Subject: [AUTHENTICATION] Restructured keycloak and Oauth2-proxy Changed keycloak-init to "authentication" and moved as root chart Moved oauth2-proxy to onap-authentication and updated to version 7.5.4 Use TCL proposal for REALM creation. Update keycloak-config-cli version to 5.12.0. Ingress AuthorizationPolicy creation for all defined accessRoles in the configured realms Issue-ID: OOM-3292 Issue-ID: OOM-3268 Change-Id: I0901cd416ca5da871931d7cf084cd35c55f804f1 Signed-off-by: Andreas Geissler --- .../templates/requestauthentication.yaml | 36 ++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 kubernetes/authentication/templates/requestauthentication.yaml (limited to 'kubernetes/authentication/templates/requestauthentication.yaml')
diff --git a/kubernetes/authentication/templates/requestauthentication.yaml b/kubernetes/authentication/templates/requestauthentication.yaml
new file mode 100644
index 0000000000..036680d7cb
--- /dev/null
+++ b/kubernetes/authentication/templates/requestauthentication.yaml
@@ -0,0 +1,36 @@
+{{/*
+# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{- if .Values.ingressAuthentication.enabled }}
+---
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+ name: {{ .Release.Name }}-request-auth
+ namespace: istio-ingress
+spec:
+ selector:
+ matchLabels:
+ istio: ingress
+ jwtRules:
+ {{- $dot := . }}
+ {{- range $index, $realm := .Values.realmSettings }}
+ - issuer: "https://{{ include "ingress.config.host" (dict "dot" $dot "baseaddr" "keycloak-ui") }}/{{ $dot.Values.keycloak.relativePath }}realms/{{ $realm.name }}"
+ jwksUri: {{ $dot.Values.keycloak.intURL }}realms/{{ $realm.name }}/protocol/openid-connect/certs
+ {{- end }}
+ - issuer: "https://{{ include "ingress.config.host" (dict "dot" $dot "baseaddr" "keycloak-ui") }}/{{ .Values.keycloak.relativePath }}realms/master"
+ jwksUri: {{ .Values.keycloak.intURL }}realms/master/protocol/openid-connect/certs
+ forwardOriginalToken: true
+{{- end }}
\ No newline at end of file
-- 
cgit 1.2.3-korg
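Review bot: None of the `jwtRules` entries sets `audiences`, so the ingress gateway accepts any token signed by a listed realm — including the Keycloak `master` realm added after the `range` — no matter which client it was minted for; unless the AuthorizationPolicies generated elsewhere in this change check claims beyond the principal, consider adding an audience list per realm, e.g. `audiences:` followed by `toYaml $realm.audiences | nindent N` (N matching the list-item indent, `audiences` being a new, placeholder-named field of each `realmSettings` entry). Both `jwksUri` values are emitted as plain scalars while the neighbouring `issuer` values are quoted; quoting them the same way, `jwksUri: "{{ $dot.Values.keycloak.intURL }}realms/{{ $realm.name }}/protocol/openid-connect/certs"`, keeps a value containing `: ` or ` #` from breaking the rendered YAML. `namespace: istio-ingress` is the only hard-coded environment-specific value in the template (the resource name comes from `.Release.Name`); a values-backed namespace would let the chart follow a non-default gateway namespace. Because `jwksUri` is built from `keycloak.intURL`, the signing keys are fetched over whatever scheme that value carries — if it is plain HTTP, key retrieval relies entirely on in-mesh mTLS, which deserves a short comment above the rules so the assumption is visible to operators.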