stackabletech
diff --git a/‎stacks/keycloak-opa-poc/druid.yaml
Lines changed: 122 additions & 0 deletions b/‎stacks/keycloak-opa-poc/druid.yaml
Lines changed: 122 additions & 0 deletions
diff --git a/‎stacks/keycloak-opa-poc/hdfs.yaml
Lines changed: 24 additions & 0 deletions b/‎stacks/keycloak-opa-poc/hdfs.yaml
Lines changed: 24 additions & 0 deletions
diff --git a/‎stacks/keycloak-opa-poc/keycloak.yaml
Lines changed: 89 additions & 0 deletions b/‎stacks/keycloak-opa-poc/keycloak.yaml
Lines changed: 89 additions & 0 deletions
diff --git a/‎stacks/keycloak-opa-poc/opa.yaml
Lines changed: 12 additions & 0 deletions b/‎stacks/keycloak-opa-poc/opa.yaml
Lines changed: 12 additions & 0 deletions
diff --git a/‎stacks/keycloak-opa-poc/policies.yaml
Lines changed: 58 additions & 0 deletions b/‎stacks/keycloak-opa-poc/policies.yaml
Lines changed: 58 additions & 0 deletions
diff --git a/‎stacks/keycloak-opa-poc/serviceaccount.yaml
Lines changed: 45 additions & 0 deletions b/‎stacks/keycloak-opa-poc/serviceaccount.yaml
Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,122 @@
+---
+apiVersion: druid.stackable.tech/v1alpha1
+kind: DruidCluster
+metadata:
+  name: druid
+spec:
+  image:
+    productVersion: 26.0.0
+    stackableVersion: 23.7.0
+  clusterConfig:
+    listenerClass: external-unstable
+    deepStorage:
+      hdfs:
+        configMapName: hdfs
+        directory: /data
+    metadataStorageDatabase:
+      dbType: postgresql
+      connString: jdbc:postgresql://postgresql-druid/druid
+      host: postgresql-druid
+      port: 5432
+      user: druid
+      password: druid
+    zookeeperConfigMapName: druid-znode
+    authorization:
+      opa:
+        configMapName: opa
+        package: druid
+  brokers:
+    roleGroups:
+      default:
+        replicas: 1
+    podOverrides: &pod-overrides
+      spec:
+        containers:
+          - name: druid
+            env:
+              - name: KEYCLOAK_DISCOVERY_URL
+                valueFrom:
+                  configMapKeyRef:
+                    name: keycloak
+                    key: KEYCLOAK_DISCOVERY_URL
+              - name: DRUID_CLIENT_SECRET
+                valueFrom:
+                  secretKeyRef:
+                    name: keycloak-client-secrets
+                    key: druid
+              - name: DRUID_COOKIE_PASSPHRASE
+                valueFrom:
+                  secretKeyRef:
+                    name: keycloak-client-secrets
+                    key: druidCookiePassphrase
+              - name: DRUID_SYSTEM_USER_PASSWORD
+                valueFrom:
+                  secretKeyRef:
+                    name: keycloak-client-secrets
+                    key: druidSystemUserPassword
+    configOverrides:
+      runtime.properties: &runtime-properties
+        druid.extensions.loadList: >-
+          ["postgresql-metadata-storage",
+          "simple-client-sslcontext",
+          "druid-kafka-indexing-service",
+          "druid-datasketches",
+          "prometheus-emitter",
+          "druid-basic-security",
+          "druid-opa-authorizer",
+          "druid-hdfs-storage",
+          "druid-pac4j"]
+
+        # basic authenticator needed for internal authentication among Druid processes
+        # Trying to use the pac4j authenticator in the escalator below leads to 302 errors, 
+        # it seems like the Druid processes cannot handle the OIDC authentication flow.
+        druid.auth.authenticator.MyBasicMetadataAuthenticator.type: basic
+        druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword: '${env:DRUID_SYSTEM_USER_PASSWORD}' # Default password for internal 'druid_system' user
+        druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure: "true"  # for any non system user, skip to the pac4j authenticator
+        druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName: OpaAuthorizer
+
+        # pac4j authenticator
+        druid.auth.authenticator.pac4j.type: pac4j
+        druid.auth.authenticator.pac4j.authorizerName: OpaAuthorizer
+        # pac4j common config
+        druid.auth.pac4j.cookiePassphrase: '${env:DRUID_COOKIE_PASSPHRASE}'
+        # OIDC common config
+        druid.auth.pac4j.oidc.clientID: druid
+        druid.auth.pac4j.oidc.clientSecret: '{"type":"environment","variable":"DRUID_CLIENT_SECRET"}'
+        druid.auth.pac4j.oidc.discoveryURI: '${env:KEYCLOAK_DISCOVERY_URL}'
+        # druid.auth.pac4j.oidc.oidcClaim: preferred_username  # setting doesn't work, but should?
+        
+        druid.auth.authenticatorChain: '["MyBasicMetadataAuthenticator","pac4j"]'
+
+        druid.escalator.type: basic
+        druid.escalator.internalClientUsername: druid_system
+        druid.escalator.internalClientPassword: '{"type":"environment","variable":"DRUID_SYSTEM_USER_PASSWORD"}'
+        druid.escalator.authorizerName: OpaAuthorizer
+  coordinators:
+    roleGroups:
+      default:
+        replicas: 1
+    podOverrides: *pod-overrides
+    configOverrides:
+      runtime.properties: *runtime-properties
+  historicals:
+    roleGroups:
+      default:
+        replicas: 1
+    podOverrides: *pod-overrides
+    configOverrides:
+      runtime.properties: *runtime-properties
+  middleManagers:
+    roleGroups:
+      default:
+        replicas: 1
+    podOverrides: *pod-overrides
+    configOverrides:
+      runtime.properties: *runtime-properties
+  routers:
+    roleGroups:
+      default:
+        replicas: 1
+    podOverrides: *pod-overrides
+    configOverrides:
+      runtime.properties: *runtime-properties
@@ -0,0 +1,24 @@
+---
+apiVersion: hdfs.stackable.tech/v1alpha1
+kind: HdfsCluster
+metadata:
+  name: hdfs
+spec:
+  image:
+    productVersion: 3.3.4
+    stackableVersion: 23.7.0
+  clusterConfig:
+    dfsReplication: 1
+    zookeeperConfigMapName: hdfs-znode
+  nameNodes:
+    roleGroups:
+      default:
+        replicas: 2
+  dataNodes:
+    roleGroups:
+      default:
+        replicas: 1
+  journalNodes:
+    roleGroups:
+      default:
+        replicas: 1
@@ -0,0 +1,89 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak
+  template:
+    metadata:
+      labels:
+        app: keycloak
+    spec:
+      containers:
+        - name: keycloak
+          image: quay.io/keycloak/keycloak:22.0.3
+          # Keycloak is running in development mode: https://www.keycloak.org/server/configuration#_starting_keycloak
+          # production mode disables HTTP and requires a TLS configuration, which is currently very difficult to configure
+          # given that we're running on a NodePort
+          args: ["start-dev"]
+          env:
+            - name: KEYCLOAK_ADMIN
+              value: admin
+            - name: KEYCLOAK_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-admin-credentials
+                  key: admin
+          ports:
+            - name: http
+              containerPort: 8080
+          readinessProbe:
+            httpGet:
+              path: /realms/master
+              port: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+spec:
+  type: NodePort
+  selector:
+    app: keycloak
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-admin-credentials
+stringData:
+  admin: "{{ keycloakAdminPassword }}"
+---
+# This job creates a ConfigMap with connection info for Keycloak
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: propagate-keycloak-address
+spec:
+  template:
+    spec:
+      containers:
+      - name: propagate-keycloak-address
+        image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev # We need 0.0.0-dev, so we get kubectl
+        command:
+          - bash
+          - -x
+          - -euo
+          - pipefail
+          - -c
+          - |
+            echo "Determining Keycloak public reachable address"
+            KEYCLOAK_ADDRESS=$(kubectl get svc keycloak -o json | jq -r --argfile endpoints <(kubectl get endpoints keycloak -o json) --argfile nodes <(kubectl get nodes -o json) '($nodes.items[] | select(.metadata.name == $endpoints.subsets[].addresses[].nodeName) | .status.addresses | map(select(.type == "ExternalIP" or .type == "InternalIP")) | min_by(.type) | .address | tostring) + ":" + (.spec.ports[] | select(.name == "http") | .nodePort | tostring)')
+            echo "Found Keycloak running at $KEYCLOAK_ADDRESS"
+
+            echo "Writing Keycloak address to ConfigMap keycloak"
+            kubectl create configmap keycloak --from-literal="KEYCLOAK=$KEYCLOAK_ADDRESS" --from-literal="KEYCLOAK_DISCOVERY_URL=http://$KEYCLOAK_ADDRESS/realms/master/.well-known/openid-configuration" -o yaml --dry-run | kubectl apply -f -
+      serviceAccountName: demo-serviceaccount
+      restartPolicy: OnFailure
+  backoffLimit: 20 # give some time for the Keycloak to be available
@@ -0,0 +1,12 @@
+---
+apiVersion: opa.stackable.tech/v1alpha1
+kind: OpaCluster
+metadata:
+  name: opa
+spec:
+  image:
+    productVersion: "0.51.0"
+    stackableVersion: "23.7.0"
+  servers:
+    roleGroups:
+      default: {}
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: opa-bundle-trino
+  labels:
+    opa.stackable.tech/bundle: "true"
+data:
+  trino.rego: |
+    package trino
+    import future.keywords.in
+
+    default allow = false
+
+    allow {
+      input.context.identity.user in ["alice", "admin"]
+    }
+
+    allow {
+      input.action.operation == "ImpersonateUser"
+      input.action.resource.user.name == input.context.identity.user
+    }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: opa-bundle-druid
+  labels:
+    opa.stackable.tech/bundle: "true"
+data:
+  druid.rego: |
+    package druid
+    import data.bundles.opagroups.admins
+    import future.keywords.in
+    import future.keywords.if
+
+    default allow = false
+
+    allow if input.user in admins
+
+    allow if input.user == "druid_system"
+# A CM like this is created by the setup keycloak Job
+# It is used for Druid roles, as we currently need to write them based on the user uuids.
+# ---
+# apiVersion: v1
+# kind: ConfigMap
+# metadata:
+#   name: opagroups
+#   labels:
+#     opa.stackable.tech/bundle: "true"
+# data:
+#   data.json: |
+#     {
+#       "admins": [
+#         "57d3b407-ecc0-4cc1-aaaf-45a63f43b96b",
+#         "170b4130-ca4d-417b-b229-f2917d5ab3d1"
+#       ]
+#     }
@@ -0,0 +1,45 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: demo-serviceaccount
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: demo-clusterrolebinding
+subjects:
+  - kind: ServiceAccount
+    name: demo-serviceaccount
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: demo-clusterrole
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: demo-clusterrole
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+      - services
+      - endpoints
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - patch