stackabletech · fhennig · Oct 16, 2023 · Oct 16, 2023
diff --git a/stacks/keycloak-opa-poc/aas.yaml b/stacks/keycloak-opa-poc/aas.yaml
@@ -0,0 +1,45 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: auth-server
+  labels:
+    app: aas
+spec:
+  ports:
+    - name: http
+      port: 9000
+      targetPort: 9000
+  selector:
+    app: aas
+  type: NodePort
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: aas
+  labels:
+    app: aas
+spec:
+  containers:
+    - name: aas
+      image: aas-service:current
+      ports:
+        - name: web
+          containerPort: 9000
+          protocol: TCP
+      env:
+        - name: SPRING_PROFILES_ACTIVE
+          value: test
+        - name: SPRING_DATASOURCE_URL
+          value: jdbc:postgresql://postgresql-aas:5432/aas
+        - name: SPRING_DATASOURCE_USERNAME
+          value: aas
+        - name: SPRING_DATASOURCE_PASSWORD
+          value: aas 
+        - name: AAS_IAM_BASEURI
+          value: http://key-server:8080
+          # valueFrom:
+          #   configMapKeyRef:
+          #     name: keycloak
+          #     key: KEYCLOAK_BASE_URI
diff --git a/stacks/keycloak-opa-poc/druid.yaml b/stacks/keycloak-opa-poc/druid.yaml
@@ -21,10 +21,6 @@ spec:
       user: druid
       password: druid
     zookeeperConfigMapName: druid-znode
-    authorization:
-      opa:
-        configMapName: opa
-        package: druid
   brokers:
     roleGroups:
       default:
@@ -63,7 +59,6 @@ spec:
           "druid-datasketches",
           "prometheus-emitter",
           "druid-basic-security",
-          "druid-opa-authorizer",
           "druid-hdfs-storage",
           "druid-pac4j"]
 
@@ -73,11 +68,9 @@ spec:
         druid.auth.authenticator.MyBasicMetadataAuthenticator.type: basic
         druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword: '${env:DRUID_SYSTEM_USER_PASSWORD}' # Default password for internal 'druid_system' user
         druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure: "true"  # for any non system user, skip to the pac4j authenticator
-        druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName: OpaAuthorizer
 
         # pac4j authenticator
         druid.auth.authenticator.pac4j.type: pac4j
-        druid.auth.authenticator.pac4j.authorizerName: OpaAuthorizer
         # pac4j common config
         druid.auth.pac4j.cookiePassphrase: '${env:DRUID_COOKIE_PASSPHRASE}'
         # OIDC common config
@@ -87,11 +80,6 @@ spec:
         # druid.auth.pac4j.oidc.oidcClaim: preferred_username  # setting doesn't work, but should?
 
         druid.auth.authenticatorChain: '["MyBasicMetadataAuthenticator","pac4j"]'
-
-        druid.escalator.type: basic
-        druid.escalator.internalClientUsername: druid_system
-        druid.escalator.internalClientPassword: '{"type":"environment","variable":"DRUID_SYSTEM_USER_PASSWORD"}'
-        druid.escalator.authorizerName: OpaAuthorizer
   coordinators:
     roleGroups:
       default:

diff --git a/stacks/keycloak-opa-poc/keycloak.yaml b/stacks/keycloak-opa-poc/keycloak.yaml
@@ -15,13 +15,17 @@ spec:
       labels:
         app: keycloak
     spec:
+      volumes:
+        - name: keycloak-import-dir
+          configMap:
+            name: keycloak-gaia-x-realm
       containers:
         - name: keycloak
           image: quay.io/keycloak/keycloak:22.0.3
           # Keycloak is running in development mode: https://www.keycloak.org/server/configuration#_starting_keycloak
           # production mode disables HTTP and requires a TLS configuration, which is currently very difficult to configure
           # given that we're running on a NodePort
-          args: ["start-dev"]
+          args: ["start-dev", "--import-realm", "--hostname-url=http://key-server:8080"]
           env:
             - name: KEYCLOAK_ADMIN
               value: admin
@@ -30,6 +34,9 @@ spec:
                 secretKeyRef:
                   name: keycloak-admin-credentials
                   key: admin
+          volumeMounts:
+            - name: keycloak-import-dir
+              mountPath: /opt/keycloak/data/import
           ports:
             - name: http
               containerPort: 8080
@@ -41,7 +48,7 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: keycloak
+  name: key-server
   labels:
     app: keycloak
 spec:
@@ -79,11 +86,14 @@ spec:
           - -c
           - |
             echo "Determining Keycloak public reachable address"
-            KEYCLOAK_ADDRESS=$(kubectl get svc keycloak -o json | jq -r --argfile endpoints <(kubectl get endpoints keycloak -o json) --argfile nodes <(kubectl get nodes -o json) '($nodes.items[] | select(.metadata.name == $endpoints.subsets[].addresses[].nodeName) | .status.addresses | map(select(.type == "ExternalIP" or .type == "InternalIP")) | min_by(.type) | .address | tostring) + ":" + (.spec.ports[] | select(.name == "http") | .nodePort | tostring)')
+            KEYCLOAK_ADDRESS=$(kubectl get svc key-server -o json | jq -r --argfile endpoints <(kubectl get endpoints key-server -o json) --argfile nodes <(kubectl get nodes -o json) '($nodes.items[] | select(.metadata.name == $endpoints.subsets[].addresses[].nodeName) | .status.addresses | map(select(.type == "ExternalIP" or .type == "InternalIP")) | min_by(.type) | .address | tostring) + ":" + (.spec.ports[] | select(.name == "http") | .nodePort | tostring)')
             echo "Found Keycloak running at $KEYCLOAK_ADDRESS"
 
             echo "Writing Keycloak address to ConfigMap keycloak"
-            kubectl create configmap keycloak --from-literal="KEYCLOAK=$KEYCLOAK_ADDRESS" --from-literal="KEYCLOAK_DISCOVERY_URL=http://$KEYCLOAK_ADDRESS/realms/master/.well-known/openid-configuration" -o yaml --dry-run | kubectl apply -f -
+            kubectl create configmap keycloak --from-literal="KEYCLOAK=key-server:8080" --from-literal="KEYCLOAK_BASE_URI=http://key-server:8080" --from-literal="KEYCLOAK_DISCOVERY_URL=http://key-server:8080/realms/gaia-x/.well-known/openid-configuration" -o yaml --dry-run | kubectl apply -f -
       serviceAccountName: demo-serviceaccount
       restartPolicy: OnFailure
   backoffLimit: 20 # give some time for the Keycloak to be available
+
+
+  # kubectl create configmap keycloak --from-literal="KEYCLOAK=$KEYCLOAK_ADDRESS" --from-literal="KEYCLOAK_BASE_URI=http://$KEYCLOAK_ADDRESS" --from-literal="KEYCLOAK_DISCOVERY_URL=http://$KEYCLOAK_ADDRESS/realms/gaia-x/.well-known/openid-configuration" -o yaml --dry-run | kubectl apply -f -
diff --git a/stacks/keycloak-opa-poc/postgres-aas.yaml b/stacks/keycloak-opa-poc/postgres-aas.yaml
@@ -0,0 +1,11 @@
+releaseName: postgresql-aas
+name: postgresql
+repo:
+  name: bitnami
+  url: https://charts.bitnami.com/bitnami/
+version: 12.6.6
+options:
+  auth:
+    username: aas
+    password: aas
+    database: aas