Auth in Kubernetes by OIDC

[akastav]

It is necessary to create conditions for the possibility of authorization and generation of the EKS configuration file using OAUTH authorization (dex, keycloak, etc). Provide the ability to restrict users based on the RBAC model and select the OIDC authorization provider

[jamal68]

Keycloak is an identity and a token issuer for Oauth2 tokens.
It can be used to secure microservices environment.
Single sign 0n.
Standard protocols such Oauth 2.0, OIDC 1.0, SAML 2.0
Provide with verifyable access, refresh and ID tokens
Flexible authentication and authorization.
Multi-factor authorization.
Social login.
Support directory srvices.(User Federation)

Keycloak also provides fine-grained authorization services. This helps to manage permissions for all services from the Keycloak admin console and gives the power to define exactly the policies needed.

Helm chart bootstraps a Keycloak StatefulSet on a Kubernetes cluster using the Helm package manager.

We can use terraform module keycloak_realm Resource to deploy keycloak to EKS.

[akastav]

Why not? This is a great thing that I once worked with. It would be great if you can implement a keycloack module that can interact with oidc Kubernetes, Cognito, and all ingress (you just need to describe a set of annotations and automate the deployment process)

[jamal68]

data "aws_eks_cluster" "this" {
name = var.cluster_name

data "aws_region" "current" {}

resource "kubernetes_namespace" "this" {
depends_on = [
var.module_depends_on
]
count = var.namespace == "" ? 1 - local.argocd_enabled : 0
metadata {
name = var.namespace_name
}
}

resource "helm_release" "keyclok" {
count = 1 - local.argocd_enabled
depends_on = [
var.module_depends_on
]
repository = local.repository
name = local.name
chart = local.chart
chart_version = var.chart_version
namespace = local.namespace
recreate_pods = true
timeout = 1200

dynamic "set" {
for_each = local.conf

  content {
  name  = set.key
  value = set.value
}

}

resource "local_file" "this" {
count = local.argocd_enabled
depends_on = [
var.module_depends_on
]
content = yamlencode(local.application)
filename = "${path.root}/${var.argocd.path}/${local.name}.yaml"
}

locals {
argocd_enabled = length(var.argocd) > 0 ? 1 : 0
namespace = coalescelist(kubernetes_namespace.this, [{ "metadata" = [{ "name" = var.namespace }] }])[0].metadata[0].name

repository = "https://charts.bitnami.com/bitnami"
name = "keyclok"
chart = "keyclok"
chart_version = var.chart_version
conf = merge(local.conf_defaults, var.conf)
conf_defaults = merge({
"rbac.create" = true,
"resources.limits.cpu" = "100m",
"resources.limits.memory" = "2048Mi",
"resources.requests.cpu" = "512m",
"resources.requests.memory" = "512Mi",
"aws.region" = data.aws_region.current.name

}

)
}

application = {
"apiVersion" = "argoproj.io/v1alpha1"
"kind" = "Application"
"metadata" = {
"name" = local.name
"namespace" = var.argocd.namespace
}
"spec" = {
"destination" = {
"namespace" = local.namespace
"server" = "https://kubernetes.default.svc"
}
"project" = "default"
"source" = {
"repoURL" = local.repository
"targetRevision" = var.chart_version
"chart" = local.chart
"helm" = {
"parameters" = values({
for key, value in local.conf :
key => {
"name" = key
"value" = tostring(value)
}
})
}
}
"syncPolicy" = {
"automated" = {
"prune" = true
"selfHeal" = true
}
}
}

[akastav]

Please use https://github.com/provectus/sak-incubator to suggest a new module. Fork sak-incubator, add a new module with README and example how we can add this module to the main project and open pull-request from fork to sak-incubator repository.

[jamal68]

Done.

[wallhided]

Module PR still on review.
provectus/sak-incubator#2
We need to actualize it. Also PR have some unresolved comments.