Feature/105 add ability to configure cas OIDC authenticator with terraform

CHANGELOG.md

@@ -6,6 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- [#105] Terraform module to create Keycloak-Clients for CES delegated authentication
+- [#105] Example for using the new `keycloak-client-module` with a CES in GKE
+### Changed
+- [#105] Extend Terraform CES module to configure CAS delegated authentication
 
 ## [v4.1.2] - 2024-12-19
 ### Added

terraform/ces-module/main.tf

@@ -16,23 +16,36 @@ terraform {
 locals {
   split_fqdn = split(".", var.ces_fqdn)
   # Top Level Domain extracted from fully qualified domain name. k3ces.local is used for development mode and empty fqdn.
-  topLevelDomain = var.ces_fqdn != "" ? "${element( split(".", var.ces_fqdn), length(local.split_fqdn) - 2)}.${element(local.split_fqdn, length(local.split_fqdn) - 1)}" : "k3ces.local"
+  topLevelDomain = var.ces_fqdn != "" ? "${element( split(".", var.ces_fqdn), length(local.split_fqdn) - 2)}.${element(local.split_fqdn, length(local.split_fqdn) - 1)}": "k3ces.local"
   splitComponentNamespaces = [
     for componentStr in var.components :
     {
       namespace = split("/", componentStr)[0]
-      rest      = split("/", componentStr)[1] //provoke error here, so that the build fails if no namespace or name is given
+      rest      = split("/", componentStr)[1]
+      //provoke error here, so that the build fails if no namespace or name is given
     }
   ]
   parsedComponents = [
     for namespaceAndRest in local.splitComponentNamespaces :
     {
-      namespace = namespaceAndRest.namespace
-      name      = split(":", namespaceAndRest.rest)[0]
-      version   = length(split(":", namespaceAndRest.rest)) == 2 ? split(":", namespaceAndRest.rest)[1] : "latest"
+      namespace       = namespaceAndRest.namespace
+      name            = split(":", namespaceAndRest.rest)[0]
+      version         = length(split(":", namespaceAndRest.rest)) == 2 ? split(":", namespaceAndRest.rest)[1] : "latest"
       deployNamespace = split(":", namespaceAndRest.rest)[0] != "k8s-longhorn" ? var.ces_namespace : "longhorn-system"
     }
   ]
+  cas_oidc_config_formatted = {
+    enabled = var.cas_oidc_config.enabled
+    discovery_uri = var.cas_oidc_config.discovery_uri
+    client_id = var.cas_oidc_config.client_id
+    display_name = var.cas_oidc_config.display_name
+    optional = var.cas_oidc_config.optional
+    scopes = join(" ", var.cas_oidc_config.scopes)
+    principal_attribute = var.cas_oidc_config.principal_attribute
+    attribute_mapping = var.cas_oidc_config.attribute_mapping
+    allowed_groups = join(", ", var.cas_oidc_config.allowed_groups)
+    initial_admin_usernames = join(", ", var.cas_oidc_config.initial_admin_usernames)
+  }
 }
 
 resource "helm_release" "k8s-ces-setup" {
@@ -61,7 +74,7 @@ resource "helm_release" "k8s-ces-setup" {
         "component_operator_chart"     = var.component_operator_chart
         "component_operator_crd_chart" = var.component_operator_crd_chart
         "components"                   = local.parsedComponents
-        "setup_json"                   = yamlencode(templatefile(
+        "setup_json" = yamlencode(templatefile(
           "${path.module}/setup.json.tftpl",
           {
             # https://docs.cloudogu.com/en/docs/system-components/ces-setup/operations/setup-json/
@@ -74,7 +87,10 @@ resource "helm_release" "k8s-ces-setup" {
             "domain"          = local.topLevelDomain
             "certificateType" = var.ces_certificate_path == null ? "selfsigned" : "external"
             "certificate"     = var.ces_certificate_path != null ? replace(file(var.ces_certificate_path), "\n", "\\n") : ""
-            "certificateKey"  = var.ces_certificate_key_path != null ? replace(file(var.ces_certificate_key_path), "\n", "\\n") : ""
+            "certificateKey" = var.ces_certificate_key_path != null ? replace(file(var.ces_certificate_key_path), "\n", "\\n") : ""
+
+            "cas_oidc_config" = jsonencode(local.cas_oidc_config_formatted)
+            "cas_oidc_client_secret" = var.cas_oidc_client_secret
           }
         ))
         "resource_patches" = var.resource_patches

terraform/ces-module/setup.json.tftpl

@@ -49,5 +49,17 @@
     "groupAttributeName": "",
     "groupAttributeDescription": "",
     "groupAttributeMember": ""
+  },
+  "registryConfig": {
+    "cas": {
+      "oidc": ${cas_oidc_config}
+    }
+  },
+  "registryConfigEncrypted": {
+    "cas": {
+      "oidc": {
+        "client_secret": "${cas_oidc_client_secret}"
+      }
+    }
   }
 }

terraform/ces-module/variables.tf

@@ -174,4 +174,39 @@ variable "is_setup_applied_matching_resource" {
     api            = "apiextensions.k8s.io/v1",
     field_selector = "metadata.name==dogus.k8s.cloudogu.com"
   }
+}
+
+variable "cas_oidc_config" {
+  description = "Configuration of an external cas oidc authenticator. For more information [see here](https://docs.cloudogu.com/en/docs/dogus/cas/operations/Configure_OIDC_Provider/)"
+  type = object({
+    enabled                 = string
+    discovery_uri           = string
+    client_id               = string
+    display_name            = string
+    optional                = string
+    scopes                  = list(string)
+    attribute_mapping       = string
+    principal_attribute     = string
+    allowed_groups          = list(string)
+    initial_admin_usernames = list(string)
+  })
+  default = {
+    enabled                 = false
+    discovery_uri           = ""
+    client_id               = ""
+    display_name            = "CAS oidc provider"
+    optional                = false
+    scopes                  = ["openid", "email", "profile", "groups"]
+    attribute_mapping       = "email:mail,family_name:surname,given_name:givenName,preferred_username:username,name:displayName,groups:externalGroups"
+    principal_attribute     = "preferred_username"
+    allowed_groups          = []
+    initial_admin_usernames = []
+  }
+}
+
+variable "cas_oidc_client_secret" {
+  description = "Contains the secret to be used together with the client ID to identify the CAS to the OIDC provider. Encrypted."
+  type = string
+  sensitive = true
+  default = ""
 }

terraform/examples/ces_keycloak_gke/.gitignore

@@ -0,0 +1,40 @@
+# Cloudogu template files
+!terraform.tfvars.template
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+*.gcs.tfbackend
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+secrets/**

terraform/examples/ces_keycloak_gke/README.md

@@ -0,0 +1,70 @@
+# CES Keycloak GKE example
+
+This is an example how to use the keycloak client module to configure delegated authentication
+in a Cloudogu EcoSystem running on the Google Kubernetes Engine.
+
+## Usage
+
+### Secret configuration (IAM - service account)
+
+List available gcloud projects.
+
+`gcloud projects list`
+
+Set variables.
+
+```bash
+PROJECT_ID=<insert_your_project_name>
+SERVICE_ACCOUNT_NAME=<insert_your_sa_name>
+```
+
+Ensure you are in the correct project.
+
+`gcloud config set project $PROJECT_ID`
+
+You need to create a service account for the Google provider.
+
+`gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --description="DESCRIPTION" --display-name="$SERVICE_ACCOUNT_NAME" --project=$PROJECT_ID`
+
+And assign the necessary Roles (only one role can be added each time with this command (see [here](https://www.googlecloudcommunity.com/gc/Developer-Tools/multiple-role-for-gcloud-iam-service-accounts-add-iam-policy/m-p/686863)))
+
+`gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com" --role="roles/editor"`
+`gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com" --role="roles/container.serviceAgent"`
+
+Get that service account and save it to `secrets/gcp_sa.json`:
+
+`gcloud iam service-accounts keys create secrets/gcp_sa.json --iam-account=$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com`
+
+### General configuration
+Use the `terraform.tfvars.template` file to create `terraform.tfvars` and set your GCP project and cluster name in it.
+
+If you wish for example to create the cluster in another region you should template `terraform.tfvars.template`.
+See `variables.tf` for possibilities.
+
+Use the `secretVars.tfvars.template` file to create `secretVars.tfvars` and set sensible information like passwords in it.
+
+If you wish to know more about how to use the keycloak-module, have a look at its [Readme](../../keycloak-client-module).
+
+### Create cluster
+
+Init with `terraform init -upgrade`
+
+Check plan
+`terraform plan -var-file=secretVars.tfvars`
+
+Apply with
+`terraform apply -var-file=secretVars.tfvars`
+
+This takes up to 15 minutes.
+
+### Get kubeconfig
+
+```
+gcloud container clusters get-credentials <cluster_name> --zone europe-west3-c --project $PROJECT_ID
+```
+
+### Delete cluster
+
+```
+terraform destroy -var-file=secretVars.tfvars
+```