🔒 Autogenerate the OAuth2 client secret and cookie secret for a simplified and more secure setup

Author: ndebuhr

README.md

@@ -293,17 +293,6 @@ cd ..
 ## Configuration
 Configure [helm values](deploy/values.yaml), based on the instructions below.
 
-### Keycloak
-```
-# Generate a client secret and encryption key for keycloak (or provide your own)
-
-# To generate a value for the Keycloak client secret
-head /dev/urandom | tr -dc A-Za-z0-9 | head -c32
-# To generate a value for the Keycloak encryption key
-head /dev/urandom | tr -dc A-Za-z0-9 | head -c16
-```
-Use these for the `keycloak.clientSecret` and `keycloak.cookieSecret` Helm values - replacing the defaults for security.
-
 ### Domain
 
 Set the `domain` value, based on the domain that you would like to run your workstation on.

deploy/templates/_helpers.tpl

@@ -0,0 +1,7 @@
+{{- define "rand32" -}}
+{{- randAlphaNum 32 | nospace -}}
+{{- end -}}
+
+{{- define "rand16" -}}
+{{- randAlphaNum 16 | nospace -}}
+{{- end -}}

deploy/templates/keycloak.yaml

@@ -1,3 +1,5 @@
+{{- $clientSecret := include "rand32" . }}
+{{- $cookieSecret := include "rand16" . }}
 apiVersion: keycloak.org/v1alpha1
 kind: Keycloak
 metadata:
@@ -54,7 +56,7 @@ spec:
     composite: false
   client:
     clientId: workstation
-    secret: {{ .Values.keycloak.clientSecret }}
+    secret: {{ $clientSecret }}
     standardFlowEnabled: true
     redirectUris:
     - "*"
@@ -352,4 +354,131 @@ spec:
   - Egress
   egress:
   - {}
+{{ end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: oauth2-proxy
+  labels:
+    app: oauth2-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: oauth2-proxy
+  template:
+    metadata:
+      labels:
+        app: oauth2-proxy
+    spec:
+      {{ toYaml .Values.podDefaults | nindent 6 }}
+      containers:
+      - name: oauth2-proxy
+        image: {{ .Values.oauth2Proxy.image }}
+        args:
+        - "--session-cookie-minimal"
+        - "--session-store-type=redis"
+        - "--redis-connection-url=redis://{{ .Release.Name }}-redis-master:6379"
+        ports:
+        - containerPort: 4180
+          protocol: TCP
+        resources: {{ toYaml .Values.oauth2Proxy.resources | nindent 10 }}
+        env:
+          # OIDC Config
+          - name: "OAUTH2_PROXY_SCOPE"
+            value: "openid profile"
+          - name: "OAUTH2_PROXY_PROVIDER"
+            value: "oidc"
+          - name: "OAUTH2_PROXY_OIDC_ISSUER_URL"
+            value: "https://keycloak.{{ .Values.domain }}/auth/realms/workstation"
+          - name: "OAUTH2_PROXY_CLIENT_ID"
+            value: workstation
+          - name: "OAUTH2_PROXY_CLIENT_SECRET"
+            value: {{ $clientSecret }}
+          # Cookie Config
+          - name: "OAUTH2_PROXY_COOKIE_SECRET"
+            value: "{{ $cookieSecret }}"
+          - name: "OAUTH2_PROXY_COOKIE_DOMAINS"
+            value: ".{{ .Values.domain }}"
+          # Proxy config
+          - name: "OAUTH2_PROXY_EMAIL_DOMAINS"
+            value: "*"
+          - name: "OAUTH2_PROXY_WHITELIST_DOMAINS"
+            value: ".{{ .Values.domain }}"
+          - name: "OAUTH2_PROXY_HTTP_ADDRESS"
+            value: "0.0.0.0:4180"
+          - name: "OAUTH2_PROXY_SET_XAUTHREQUEST"
+            value: "true"
+          - name: "OAUTH2_PROXY_UPSTREAMS"
+            value: "file:///dev/null"
+---
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: oauth2-proxy
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: oauth2-proxy
+  minReplicas: 1
+  maxReplicas: 3
+  metrics:
+  - type: Object
+    object:
+      metric:
+        name: requests-per-second
+      describedObject:
+        apiVersion: networking.k8s.io/v1
+        kind: Ingress
+        name: oauth2-proxy
+      target:
+        type: Value
+        value: 5k
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: oauth2-proxy
+  labels:
+    app: oauth2-proxy
+spec:
+  ports:
+  - name: http
+    port: 4180
+    protocol: TCP
+    targetPort: 4180
+  selector:
+    app: oauth2-proxy
+{{ if eq .Values.policies.enabled true }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: oauth2-proxy
+spec:
+  podSelector:
+    matchLabels:
+      app: oauth2-proxy
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: ingress-nginx
+    - namespaceSelector: {}
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: ingress-nginx
+    - namespaceSelector: {}
+  - to:
+    - podSelector:
+        matchLabels:
+          app: keycloak
+          component: keycloak
 {{ end }}

deploy/templates/oauth2-proxy.yaml

@@ -35,10 +35,6 @@ initializers:
 
 # Keycloak
 keycloak:
-  # Change me!
-  clientSecret: OkSR7DMXAXzIrZIoWyN8yh0sFkiYrfJd
-  # Change me!
-  cookieSecret: 2u2iS0FH7pPjOUUn
   resources: {}
   operator:
     image: quay.io/keycloak/keycloak-operator:16.1.0