From 3291ee7f5302cd4e827457c76cdb600cb2f516e9 Mon Sep 17 00:00:00 2001
From: Sourav Paul
Date: Mon, 4 Sep 2023 23:37:46 +0100
Subject: [PATCH 1/2] Add keycloak SAML auth automation for AMG
---
 .../resources/load_balancer/iam_policy.json | 35 ++
 PetAdoptions/keycloak-cleanup.sh | 36 +++
 PetAdoptions/keycloak-setup.sh | 305 ++++++++++++++++++
 3 files changed, 376 insertions(+)
 create mode 100755 PetAdoptions/keycloak-cleanup.sh
 create mode 100755 PetAdoptions/keycloak-setup.sh
diff --git a/PetAdoptions/cdk/pet_stack/resources/load_balancer/iam_policy.json b/PetAdoptions/cdk/pet_stack/resources/load_balancer/iam_policy.json
index b0b1860d..13fe768b 100644
--- a/PetAdoptions/cdk/pet_stack/resources/load_balancer/iam_policy.json
+++ b/PetAdoptions/cdk/pet_stack/resources/load_balancer/iam_policy.json
@@ -150,6 +150,41 @@
 }
 }
 },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:RemoveTags"
+ ],
+ "Resource": [
+ "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
+ "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
+ "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+ "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:AddTags"
+ ],
+ "Resource": [
+ "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+ "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+ "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "elasticloadbalancing:CreateAction": [
+ "CreateTargetGroup",
+ "CreateLoadBalancer"
+ ]
+ },
+ "Null": {
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
 {
 "Effect": "Allow",
 "Action": [
diff --git a/PetAdoptions/keycloak-cleanup.sh b/PetAdoptions/keycloak-cleanup.sh
new file mode 100755
index 00000000..ab7fb3f0
--- /dev/null
+++ b/PetAdoptions/keycloak-cleanup.sh
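Review bot: The two new statements widen the AWS Load Balancer Controller policy (`AddTags`/`RemoveTags` on listeners and listener rules, `AddTags` on target groups and load balancers at create time), yet neither the subject line nor anything else in the commit says why a keycloak SAML commit changes this file, which makes the permission change hard to audit. A sentence in the commit message, or a comment in the CDK code that loads `iam_policy.json`, naming the controller version that requires these statements would close that gap. The `Null` condition on `aws:RequestTag/elbv2.k8s.aws/cluster` keeps the create-time tagging scoped to controller-managed resources, which looks right; the statements appear to mirror an upstream controller policy revision, though nothing on the page confirms that.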
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+echo "This script cleans up keycloak related resources for Amazon Managed Grafana SAML authentication."
+
+export CLUSTER_NAME=PetSite
+export KEYCLOAK_NAMESPACE=keycloak
+
+echo "Uninstall keycloak..."
+helm uninstall keycloak --namespace $KEYCLOAK_NAMESPACE
+echo "Delete keycloak namespace..."
+kubectl delete ns $KEYCLOAK_NAMESPACE
+
+echo "Remove bitnami helm repo..."
+helm repo remove bitnami
+
+echo "Delete EBS CSI StorageClass..."
+kubectl delete -f storageclass.yaml
+
+echo "Delete EBS CSI addon..."
+eksctl delete addon \
+ --name aws-ebs-csi-driver \
+ --cluster $CLUSTER_NAME
+
+echo "Wait for addone deletion..."
+aws eks wait addon-deleted \
+ --cluster-name $CLUSTER_NAME \
+ --addon-name aws-ebs-csi-driver
+
+echo "Delete IRSA for EBS CSI addon..."
+eksctl delete iamserviceaccount \
+ --name ebs-csi-controller-sa \
+ --namespace kube-system \
+ --cluster $CLUSTER_NAME
+
+echo ""
+echo "Cleanup done."
\ No newline at end of file
diff --git a/PetAdoptions/keycloak-setup.sh b/PetAdoptions/keycloak-setup.sh
new file mode 100755
index 00000000..392747e2
--- /dev/null
+++ b/PetAdoptions/keycloak-setup.sh
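Review bot: The cleanup unconditionally deletes the EBS CSI addon, its `ebs-csi-controller-sa` IRSA and the StorageClass, while `keycloak-setup.sh` in this same patch only creates the IRSA and the addon when `IRSA` / `EBS_CSI_ADDON` come back empty; running cleanup on a cluster where the addon pre-existed, or where other workloads use the StorageClass, therefore tears down shared infrastructure that keycloak did not own. Having setup record what it actually created (for example a marker file next to `storageclass.yaml`) and cleanup skip the `eksctl delete addon` / `eksctl delete iamserviceaccount` steps otherwise would keep the two scripts symmetric. The same asymmetry survives in the parameterised `uninstall_ebs_csi_driver_addon` function of the second patch. `kubectl delete -f storageclass.yaml` also ties cleanup to the directory setup was run from; deleting the StorageClass by name would decouple the two.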
@@ -0,0 +1,305 @@ +#!/bin/bash + +echo "This script sets up keycloak related resources for Amazon Managed Grafana SAML authentication." + +export CLUSTER_NAME=PetSite +export WORKSPACE_NAME=demo-amg +export KEYCLOAK_NAMESPACE=keycloak +export KEYCLOAK_REALM_AMG=amg +export WORKSPACE_ID=$(aws grafana list-workspaces --query 'workspaces[?name==`'$WORKSPACE_NAME'`].id' --output text) + +export WORKSPACE_STATUS=$(aws grafana describe-workspace --workspace-id $WORKSPACE_ID --query 'workspace.status' --output text) +while [ "$WORKSPACE_STATUS" != "ACTIVE" ] +do + echo "Workspace status is '$WORKSPACE_STATUS'. Waiting for 10 seconds." + sleep 10 + export WORKSPACE_STATUS=$(aws grafana describe-workspace --workspace-id $WORKSPACE_ID --query 'workspace.status' --output text) +done + +export WORKSPACE_ENDPOINT=$(aws grafana describe-workspace --workspace-id $WORKSPACE_ID --query workspace.endpoint --output text) + +IRSA=$(eksctl get iamserviceaccount --cluster PetSite --namespace kube-system --name ebs-csi-controller-sa -o json | jq -r '.[].metadata.name') + +if [ -z "$IRSA" ]; then + echo "IRSA for 'aws-ebs-csi-driver' will be created." + eksctl create iamserviceaccount \ + --name ebs-csi-controller-sa \ + --namespace kube-system \ + --cluster $CLUSTER_NAME \ + --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \ + --approve \ + --role-only \ + --role-name AmazonEKS_EBS_CSI_DriverRole +else + echo "IRSA for 'aws-ebs-csi-driver' is already created." +fi + +EBS_CSI_ADDON=$(aws eks list-addons --cluster-name $CLUSTER_NAME --query 'addons[?@==`aws-ebs-csi-driver`]' --output text) + +if [ -z "$EBS_CSI_ADDON" ]; then + echo "The addon 'aws-ebs-csi-driver' will be installed." + eksctl create addon \ + --name aws-ebs-csi-driver \ + --cluster $CLUSTER_NAME \ + --service-account-role-arn arn:aws:iam::$ACCOUNT_ID:role/AmazonEKS_EBS_CSI_DriverRole \ + --force + + echo "Waiting for addon status to become 'ACTIVE'..." 
+ aws eks wait addon-active \ + --cluster-name $CLUSTER_NAME \ + --addon-name aws-ebs-csi-driver +else + echo "The addon 'aws-ebs-csi-driver' is already installed." +fi + +echo "Creating StorageClass..." +cat >storageclass.yaml < keycloak_values.yaml < /tmp/disable_ssl.sh </dev/null 2>&1 & + +keycloakConfigCli: + enabled: true + image: + registry: public.ecr.aws + repository: bitnami/keycloak-config-cli + tag: 5.8.0-debian-11-r37 + command: + - java + - -jar + - /opt/keycloak-config-cli.jar + configuration: + realm.json: | + { + "realm": "$KEYCLOAK_REALM_AMG", + "enabled": true, + "sslRequired": "none", + "roles": { + "realm": [ + { + "name": "admin" + }, + { + "name": "editor" + } + ] + }, + "users": [ + { + "username": "admin", + "email": "admin@keycloak", + "enabled": true, + "firstName": "Admin", + "realmRoles": [ + "admin" + ], + "credentials": [ + { + "type": "password", + "value": "$KEYCLOAK_PASSWORD" + } + ] + }, + { + "username": "editor", + "email": "editor@keycloak", + "enabled": true, + "firstName": "Editor", + "realmRoles": [ + "editor" + ], + "credentials": [ + { + "type": "password", + "value": "$KEYCLOAK_PASSWORD" + } + ] + } + ], + "clients": [ + { + "clientId": "https://${WORKSPACE_ENDPOINT}/saml/metadata", + "name": "amazon-managed-grafana", + "enabled": true, + "protocol": "saml", + "adminUrl": "https://${WORKSPACE_ENDPOINT}/login/saml", + "redirectUris": [ + "https://${WORKSPACE_ENDPOINT}/saml/acs" + ], + "attributes": { + "saml.authnstatement": "true", + "saml.server.signature": "true", + "saml_name_id_format": "email", + "saml_force_name_id_format": "true", + "saml.assertion.signature": "true", + "saml.client.signature": "false" + }, + "defaultClientScopes": [], + "protocolMappers": [ + { + "name": "name", + "protocol": "saml", + "protocolMapper": "saml-user-property-mapper", + "consentRequired": false, + "config": { + "attribute.nameformat": "Unspecified", + "user.attribute": "firstName", + "attribute.name": "displayName" + } + }, + { + 
"name": "email", + "protocol": "saml", + "protocolMapper": "saml-user-property-mapper", + "consentRequired": false, + "config": { + "attribute.nameformat": "Unspecified", + "user.attribute": "email", + "attribute.name": "mail" + } + }, + { + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "config": { + "single": "true", + "attribute.nameformat": "Unspecified", + "attribute.name": "role" + } + } + ] + } + ] + } +service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip + http: + enabled: true + ports: + http: 80 +EOF + +echo "Adding bitnami repo..." +helm repo add bitnami https://charts.bitnami.com/bitnami + +echo "Installing keycloak..." +helm install keycloak bitnami/keycloak \ + --create-namespace \ + --namespace $KEYCLOAK_NAMESPACE \ + -f keycloak_values.yaml + +echo "Checking Target Group health..." + +export LB_ARN=$(aws elbv2 describe-load-balancers --query 'LoadBalancers[?contains(LoadBalancerArn, `loadbalancer/net/k8s-keycloak-keycloak-`)].LoadBalancerArn' --output text) +export TARGET_GRP_ARN=$(aws elbv2 describe-target-groups --load-balancer-arn $LB_ARN --query 'TargetGroups[0].TargetGroupArn' --output text) +export TARGET_HEALTH=$(aws elbv2 describe-target-health --target-group-arn $TARGET_GRP_ARN --query 'TargetHealthDescriptions[0].TargetHealth.State' --output text) + +while [ "$TARGET_HEALTH" != "healthy" ] +do + echo "Target health is $TARGET_HEALTH. Waiting 10 seconds." + sleep 10 + export TARGET_HEALTH=$(aws elbv2 describe-target-health --target-group-arn $TARGET_GRP_ARN --query 'TargetHealthDescriptions[0].TargetHealth.State' --output text) +done + +echo "Target health is $TARGET_HEALTH." 
+ +ELB_HOSTNAME=$(kubectl get service/keycloak \ + -n $KEYCLOAK_NAMESPACE \ + --output go-template \ + --template='{{range .status.loadBalancer.ingress}}{{.hostname}}{{end}}') +export SAML_URL=http://$ELB_HOSTNAME/realms/$KEYCLOAK_REALM_AMG/protocol/saml/descriptor + +echo "Generating workspace SAML configuration..." +cat >workspace-saml-auth-config.json < Date: Wed, 6 Sep 2023 23:10:12 +0100 Subject: [PATCH 2/2] Parameterise the scripts --- PetAdoptions/keycloak-cleanup.sh | 207 ++++++++++++- PetAdoptions/keycloak-setup.sh | 492 +++++++++++++++++++++++++------ 2 files changed, 596 insertions(+), 103 deletions(-) diff --git a/PetAdoptions/keycloak-cleanup.sh b/PetAdoptions/keycloak-cleanup.sh index ab7fb3f0..242ff192 100755 --- a/PetAdoptions/keycloak-cleanup.sh +++ b/PetAdoptions/keycloak-cleanup.sh 
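Review bot: The Keycloak IdP this hunk deploys is reachable only over plaintext HTTP — the Service is annotated `internet-facing` with `http: 80`, the realm sets `"sslRequired": "none"`, and `SAML_URL` is built as `http://$ELB_HOSTNAME/...` — so the admin and editor users' passwords travel unencrypted to a public NLB, and the `/tmp/disable_ssl.sh` step apparently relaxes the SSL requirement further (its body is not legible on this page). If this is meant as demo-only, a header comment such as `# NOTE: Keycloak is exposed over plain HTTP (sslRequired=none); demo use only` should say so; otherwise terminate TLS on the NLB with an ACM certificate and leave `sslRequired` at its default. Separately, `keycloak_values.yaml` is written to the working directory with both users' `$KEYCLOAK_PASSWORD` inline and is never removed; writing it under `mktemp` and deleting it after `helm install` (or at least `chmod 600`) avoids leaving credentials on disk. The `while [ "$WORKSPACE_STATUS" != "ACTIVE" ]` loop also never terminates when `WORKSPACE_ID` resolves to empty, because `describe-workspace` then fails on every iteration. The tail of this hunk is not legible on the page.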
@@ -1,36 +1,211 @@ #!/bin/bash +# +# Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. +# +# Permission is hereby granted, free of charge, to any person obtaining a copy of this +# software and associated documentation files (the "Software"), to deal in the Software +# without restriction, including without limitation the rights to use, copy, modify, +# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, +# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A +# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +# +#title keycloak-cleanup.sh +#description This script cleans up keycloak related resources for Amazon Managed Grafana SAML authentication. +#author Sourav Paul (@psour) +#contributors @psour +#date 2023-09-06 +#version 1.0 +#usage ./keycloak-cleanup.sh -c [-n|--keycloak-namespace ] [-h|--help] +#============================================================================== + +echo --------------------------------------------------------------------------------------------- echo "This script cleans up keycloak related resources for Amazon Managed Grafana SAML authentication." 
+echo --------------------------------------------------------------------------------------------- + +#### Resolve command line arguments +POSITIONAL_ARGS=() + +while [[ $# -gt 0 ]]; do + case $1 in + -c|--cluster-name) + CLUSTER_NAME="$2" + shift # past argument + shift # past value + ;; + -n|--keycloak-namespace) + KEYCLOAK_NAMESPACE="$2" + shift # past argument + shift # past value + ;; + -h|--help) + SHOW_HELP=YES + shift # past argument + ;; + -*|--*) + echo "Unknown option $1" + exit 1 + ;; + *) + POSITIONAL_ARGS+=("$1") # save positional arg + shift # past argument + ;; + esac +done + +#### Functions +function print_usage() { + echo "" + echo "Options:" + echo " -c, --cluster-name string Amazon EKS cluster name" + echo " -n, --keycloak-namespace string Namespace for keycloak (default keycloak)" + echo " -h, --help Show this help message" +} + +function handle_error() { + echo "" + echo $1 + echo "" + echo "Exiting script with code: $2..." + exit $2 +} + +function handle_error_with_usage() { + echo "" + echo $1 + echo "" + echo "Printing help..." + print_usage + echo "" + echo "Exiting script with code: $2..." + echo "" + exit $2 +} + +function handle_arg_help() { + if [ "$SHOW_HELP" = "YES" ]; then + print_usage + exit 0 + fi +} + +function validate_arg_cluster_name() { + if [ -z "$CLUSTER_NAME" ]; then + handle_error_with_usage "ERROR: Amazon EKS cluster name is required." 
2 + fi +} + +function resolve_arg_keycloak_namespace() { + if [ -z "$KEYCLOAK_NAMESPACE" ]; then + KEYCLOAK_NAMESPACE=keycloak + fi +} + +function print_script_arguments() { + echo "" + echo "Script arguments:" + echo "---------------------------------------------------------------------------------------------" + echo " CLUSTER_NAME........$CLUSTER_NAME" + echo " KEYCLOAK_NAMESPACE..$KEYCLOAK_NAMESPACE" + echo "---------------------------------------------------------------------------------------------" + echo "" +} -export CLUSTER_NAME=PetSite -export KEYCLOAK_NAMESPACE=keycloak +function locate_eks_cluster() { + echo "Searching Amazon EKS cluster with name '$CLUSTER_NAME'..." + CLUSTER_META=$(aws eks describe-cluster --name $CLUSTER_NAME) + CMD_RESULT=$? + if [ -z "$CLUSTER_META" ] || [ $CMD_RESULT -ne 0 ] ; then + handle_error "ERROR: Could not locate Amazon EKS cluster with name '$CLUSTER_NAME'. Please check error message." 3 + fi + echo "Found Amazon EKS cluster." +} -echo "Uninstall keycloak..." -helm uninstall keycloak --namespace $KEYCLOAK_NAMESPACE -echo "Delete keycloak namespace..." -kubectl delete ns $KEYCLOAK_NAMESPACE +function uninstall_keycloak() { + echo "Uninstalling application 'keycloak'..." + helm uninstall keycloak --namespace $KEYCLOAK_NAMESPACE + CMD_RESULT=$? + if [ $CMD_RESULT -ne 0 ]; then + handle_error "ERROR: Failed to uninstall application 'keycloak'." 4 + fi -echo "Remove bitnami helm repo..." -helm repo remove bitnami + echo "Deleting namespace '$KEYCLOAK_NAMESPACE'..." + kubectl delete ns $KEYCLOAK_NAMESPACE + CMD_RESULT=$? + if [ $CMD_RESULT -ne 0 ]; then + handle_error "ERROR: Failed to delete namespce '$KEYCLOAK_NAMESPACE'." 5 + fi +} -echo "Delete EBS CSI StorageClass..." -kubectl delete -f storageclass.yaml +function remove_helm_repo() { + echo "Removing helm repo 'bitnami'..." + helm repo remove bitnami + CMD_RESULT=$? + if [ $CMD_RESULT -ne 0 ]; then + handle_error "ERROR: Failed to remove helm repo 'bitnami'." 
6 + fi +} -echo "Delete EBS CSI addon..." -eksctl delete addon \ +function uninstall_ebs_csi_driver_addon() { + echo "Deleting EBS StorageClass..." + kubectl delete -f storageclass.yaml + CMD_RESULT=$? + if [ $CMD_RESULT -ne 0 ]; then + handle_error "ERROR: Failed to delete EBS StorageClass." 7 + fi + + echo "Uninstalling EBS CSI driver addon from cluster..." + eksctl delete addon \ --name aws-ebs-csi-driver \ --cluster $CLUSTER_NAME + CMD_RESULT=$? + if [ $CMD_RESULT -ne 0 ]; then + handle_error "ERROR: Failed to uninstall EBS CSI driver addon from cluster." 8 + fi -echo "Wait for addone deletion..." -aws eks wait addon-deleted \ + echo "Waiting for EBS CSI driver addon deletion to complete..." + aws eks wait addon-deleted \ --cluster-name $CLUSTER_NAME \ --addon-name aws-ebs-csi-driver + CMD_RESULT=$? + if [ $CMD_RESULT -ne 0 ]; then + handle_error "ERROR: Failed to wait for EBS CSI driver addon deletion to complete." 9 + fi -echo "Delete IRSA for EBS CSI addon..." -eksctl delete iamserviceaccount \ + echo "Deleting IRSA for EBS CSI driver addon..." + eksctl delete iamserviceaccount \ --name ebs-csi-controller-sa \ --namespace kube-system \ --cluster $CLUSTER_NAME + CMD_RESULT=$? + if [ $CMD_RESULT -ne 0 ]; then + handle_error "ERROR: Failed to delete IRSA for EBS CSI driver addon." 10 + fi +} + +#### Main #### + +handle_arg_help + +validate_arg_cluster_name + +resolve_arg_keycloak_namespace + +print_script_arguments + +locate_eks_cluster + +uninstall_keycloak + +remove_helm_repo + +uninstall_ebs_csi_driver_addon echo "" echo "Cleanup done." \ No newline at end of file diff --git a/PetAdoptions/keycloak-setup.sh b/PetAdoptions/keycloak-setup.sh index 392747e2..d6ce519a 100755 --- a/PetAdoptions/keycloak-setup.sh +++ b/PetAdoptions/keycloak-setup.sh 
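Review bot: `handle_error` and `handle_error_with_usage` print the message with an unquoted `echo $1`, so a message containing `*` or runs of whitespace is glob-expanded and re-split; `printf '%s\n' "$1" >&2` keeps it intact and sends diagnostics to stderr where callers expect them. The same two helpers are duplicated verbatim in the `keycloak-setup.sh` hunk of this patch. The option parser's `-*|--*)` arm is redundant (`-*` already matches `--*`, ShellCheck SC2221/SC2222), and every expansion handed to `helm`, `kubectl` and `eksctl` is unquoted (`--namespace $KEYCLOAK_NAMESPACE`, `--cluster $CLUSTER_NAME`), so an argument containing whitespace becomes several arguments; quote them now that they come from the command line rather than from fixed exports.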
@@ -1,59 +1,268 @@ #!/bin/bash +# +# Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. +# +# Permission is hereby granted, free of charge, to any person obtaining a copy of this +# software and associated documentation files (the "Software"), to deal in the Software +# without restriction, including without limitation the rights to use, copy, modify, +# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, +# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A +# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +# +#title keycloak-setup.sh +#description This script sets up keycloak related resources for Amazon Managed Grafana SAML authentication. +#author Sourav Paul (@psour) +#contributors @psour +#date 2023-09-06 +#version 1.0 +#usage ./keycloak-setup.sh -c|--cluster-name -w|--workspace-name [-a|--account-id ] [-n|--keycloak-namespace ] [-r|--keycloak-realm ] [-h|--help] +#============================================================================== + +echo --------------------------------------------------------------------------------------------- echo "This script sets up keycloak related resources for Amazon Managed Grafana SAML authentication." 
+echo --------------------------------------------------------------------------------------------- + +#### Resolve command line arguments +POSITIONAL_ARGS=() -export CLUSTER_NAME=PetSite -export WORKSPACE_NAME=demo-amg -export KEYCLOAK_NAMESPACE=keycloak -export KEYCLOAK_REALM_AMG=amg -export WORKSPACE_ID=$(aws grafana list-workspaces --query 'workspaces[?name==`'$WORKSPACE_NAME'`].id' --output text) - -export WORKSPACE_STATUS=$(aws grafana describe-workspace --workspace-id $WORKSPACE_ID --query 'workspace.status' --output text) -while [ "$WORKSPACE_STATUS" != "ACTIVE" ] -do - echo "Workspace status is '$WORKSPACE_STATUS'. Waiting for 10 seconds." - sleep 10 - export WORKSPACE_STATUS=$(aws grafana describe-workspace --workspace-id $WORKSPACE_ID --query 'workspace.status' --output text) +while [[ $# -gt 0 ]]; do + case $1 in + -a|--account-id) + ACCOUNT_ID="$2" + shift # past argument + shift # past value + ;; + -c|--cluster-name) + CLUSTER_NAME="$2" + shift # past argument + shift # past value + ;; + -w|--workspace-name) + WORKSPACE_NAME="$2" + shift # past argument + shift # past value + ;; + -n|--keycloak-namespace) + KEYCLOAK_NAMESPACE="$2" + shift # past argument + shift # past value + ;; + -r|--keycloak-realm) + KEYCLOAK_REALM="$2" + shift # past argument + shift # past value + ;; + -h|--help) + SHOW_HELP=YES + shift # past argument + ;; + -*|--*) + echo "Unknown option $1" + exit 1 + ;; + *) + POSITIONAL_ARGS+=("$1") # save positional arg + shift # past argument + ;; + esac done -export WORKSPACE_ENDPOINT=$(aws grafana describe-workspace --workspace-id $WORKSPACE_ID --query workspace.endpoint --output text) - -IRSA=$(eksctl get iamserviceaccount --cluster PetSite --namespace kube-system --name ebs-csi-controller-sa -o json | jq -r '.[].metadata.name') - -if [ -z "$IRSA" ]; then - echo "IRSA for 'aws-ebs-csi-driver' will be created." 
- eksctl create iamserviceaccount \ - --name ebs-csi-controller-sa \ - --namespace kube-system \ - --cluster $CLUSTER_NAME \ - --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \ - --approve \ - --role-only \ - --role-name AmazonEKS_EBS_CSI_DriverRole -else - echo "IRSA for 'aws-ebs-csi-driver' is already created." -fi - -EBS_CSI_ADDON=$(aws eks list-addons --cluster-name $CLUSTER_NAME --query 'addons[?@==`aws-ebs-csi-driver`]' --output text) - -if [ -z "$EBS_CSI_ADDON" ]; then - echo "The addon 'aws-ebs-csi-driver' will be installed." - eksctl create addon \ - --name aws-ebs-csi-driver \ - --cluster $CLUSTER_NAME \ - --service-account-role-arn arn:aws:iam::$ACCOUNT_ID:role/AmazonEKS_EBS_CSI_DriverRole \ - --force - - echo "Waiting for addon status to become 'ACTIVE'..." - aws eks wait addon-active \ - --cluster-name $CLUSTER_NAME \ - --addon-name aws-ebs-csi-driver -else - echo "The addon 'aws-ebs-csi-driver' is already installed." -fi - -echo "Creating StorageClass..." -cat >storageclass.yaml <storageclass.yaml < keycloak_values.yaml < keycloak_values.yaml < /tmp/disable_ssl.sh < /tmp/disable_ssl.sh </dev/null 2>&1 & @@ -111,7 +364,7 @@ keycloakConfigCli: configuration: realm.json: | { - "realm": "$KEYCLOAK_REALM_AMG", + "realm": "$KEYCLOAK_REALM", "enabled": true, "sslRequired": "none", "roles": { 
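Review bot: The new `-n|--keycloak-namespace` option makes the namespace variable, but the load balancer lookup later in this file (`wait_for_load_balancer`) still filters on the fixed prefix `loadbalancer/net/k8s-keycloak-keycloak-`, whose middle segment is the namespace the controller derives the NLB name from; with any non-default namespace `LB_ARN` comes back empty and the script exits with code 21. Splice `$KEYCLOAK_NAMESPACE` into that JMESPath literal the same way the original `list-workspaces` query spliced `$WORKSPACE_NAME`. `-a|--account-id` is documented as optional in the usage line, yet the EBS CSI role ARN is built as `arn:aws:iam::$ACCOUNT_ID:role/...`; unless a resolve step not legible here derives it (for example from `aws sts get-caller-identity`), omitting `-a` yields a malformed ARN. Most of this hunk's body (the resolve/validate functions and the heredocs) is not legible on the page.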
@@ -223,38 +476,66 @@ service: http: 80 EOF -echo "Adding bitnami repo..." -helm repo add bitnami https://charts.bitnami.com/bitnami + echo "Executing helm $HELM_ACTION keycloak..." + helm $HELM_ACTION keycloak bitnami/keycloak \ + --create-namespace \ + --namespace $KEYCLOAK_NAMESPACE \ + -f keycloak_values.yaml + CMD_RESULT=$? + if [ $CMD_RESULT -ne 0 ]; then + handle_error "ERROR: Failed to execute helm $HELM_ACTION keycloak." 19 + fi +} -echo "Installing keycloak..." -helm install keycloak bitnami/keycloak \ - --create-namespace \ - --namespace $KEYCLOAK_NAMESPACE \ - -f keycloak_values.yaml +function wait_for_load_balancer() { + echo "Checking Target Group health..." -echo "Checking Target Group health..." + LB_ARN=$(aws elbv2 describe-load-balancers --query 'LoadBalancers[?contains(LoadBalancerArn, `loadbalancer/net/k8s-keycloak-keycloak-`)].LoadBalancerArn' --output text) + CMD_RESULT=$? + if [ $CMD_RESULT -ne 0 ]; then + handle_error "ERROR: Failed to describe keycloak load balancer." 20 + fi -export LB_ARN=$(aws elbv2 describe-load-balancers --query 'LoadBalancers[?contains(LoadBalancerArn, `loadbalancer/net/k8s-keycloak-keycloak-`)].LoadBalancerArn' --output text) -export TARGET_GRP_ARN=$(aws elbv2 describe-target-groups --load-balancer-arn $LB_ARN --query 'TargetGroups[0].TargetGroupArn' --output text) -export TARGET_HEALTH=$(aws elbv2 describe-target-health --target-group-arn $TARGET_GRP_ARN --query 'TargetHealthDescriptions[0].TargetHealth.State' --output text) + TARGET_GRP_ARN=$(aws elbv2 describe-target-groups --load-balancer-arn $LB_ARN --query 'TargetGroups[0].TargetGroupArn' --output text) + CMD_RESULT=$? + if [ $CMD_RESULT -ne 0 ]; then + handle_error "ERROR: Failed to describe keycloak target group." 21 + fi -while [ "$TARGET_HEALTH" != "healthy" ] -do - echo "Target health is $TARGET_HEALTH. Waiting 10 seconds." 
- sleep 10 - export TARGET_HEALTH=$(aws elbv2 describe-target-health --target-group-arn $TARGET_GRP_ARN --query 'TargetHealthDescriptions[0].TargetHealth.State' --output text) -done + TARGET_HEALTH=$(aws elbv2 describe-target-health --target-group-arn $TARGET_GRP_ARN --query 'TargetHealthDescriptions[0].TargetHealth.State' --output text) + CMD_RESULT=$? + if [ $CMD_RESULT -ne 0 ]; then + handle_error "ERROR: Failed to describe keycloak target health." 22 + fi -echo "Target health is $TARGET_HEALTH." + while [ "$TARGET_HEALTH" != "healthy" ] + do + echo "Target health is $TARGET_HEALTH. Waiting 10 seconds." + sleep 10 + TARGET_HEALTH=$(aws elbv2 describe-target-health --target-group-arn $TARGET_GRP_ARN --query 'TargetHealthDescriptions[0].TargetHealth.State' --output text) + CMD_RESULT=$? + if [ $CMD_RESULT -ne 0 ]; then + handle_error "ERROR: Failed to describe keycloak target health." 22 + fi + done -ELB_HOSTNAME=$(kubectl get service/keycloak \ - -n $KEYCLOAK_NAMESPACE \ - --output go-template \ - --template='{{range .status.loadBalancer.ingress}}{{.hostname}}{{end}}') -export SAML_URL=http://$ELB_HOSTNAME/realms/$KEYCLOAK_REALM_AMG/protocol/saml/descriptor + echo "Target health is $TARGET_HEALTH." -echo "Generating workspace SAML configuration..." -cat >workspace-saml-auth-config.json <workspace-saml-auth-config.json <workspace-saml-auth-config.json <