完成了基本版本的测试：能够自动安装 istio、各个扩展和 KeyCloak。辅以手动的 KeyCloak 配置，可以完成各个 istio 扩展组件的登录集成。

Jijie Chen · Jijie Chen · commit a1becff6ee52 · 2020-10-07T17:44:39.000+08:00
diff --git a/README.md b/README.md
@@ -0,0 +1,28 @@
+
+
+
+
+
+# On KeyCloak:
+
+### create realm 'mesh'
+
+### create keycloak client: kiali-client, grafana-client, jaeger-client
+    # Access Type: confidential
+    # Mappers: audiences/groups  (required claim name: groups)
+### create user/group
+    # user: basic
+    # groups: kiali_users, jaeger_users, grafana_users/grafana_admins
+
+
+
+
+
+### todo: to use different deployment to support kiali viewer/admin
+
+
+
+
+Keycloak warning:
+
+the receive buffer of socket ManagedMulticastSocketBinding was set to 25.00MB, but the OS only allocated 16.78MB
diff --git a/addons/chart/values.yaml b/addons/chart/values.yaml
@@ -10,25 +10,35 @@ switches:
 grafana:
   replicas: 1
   grafana.ini:
+    server:
+      root_url: http://grafana.WILDCARD_BASE_DOMAIN
+    auth:
+      disable_login_form: true
+      oauth_auto_login: true
+    auth.basic:
+      enabled: false
+    # azuread supports 'allowed_groups': https://grafana.com/docs/grafana/latest/auth/azuread/#configure-allowed-groups-and-domains
+    # generic_oauth supports 'role_attribute_path': https://grafana.com/docs/grafana/latest/auth/generic-oauth/#role-mapping
     auth.generic_oauth:
+      name: OpenId
       enabled: true
       client_id: grafana-client
-      client_secret: AAAAAAAA
+      client_secret: GGGGGGGG
       scopes: openid profile email
-      auth_url: https://keycloak.WILDCARD_BASE_DOMAIN/auth/realms/master/protocol/openid-connect/auth
-      token_url: https://keycloak.WILDCARD_BASE_DOMAIN/auth/realms/master/protocol/openid-connect/token
-      api_url: https://keycloak.WILDCARD_BASE_DOMAIN/auth/realms/master/protocol/openid-connect/userinfo
-      allowed_domains: grafana.WILDCARD_BASE_DOMAIN
+      auth_url: https://keycloak.WILDCARD_BASE_DOMAIN/auth/realms/mesh/protocol/openid-connect/auth
+      token_url: https://keycloak.WILDCARD_BASE_DOMAIN/auth/realms/mesh/protocol/openid-connect/token
+      api_url: https://keycloak.WILDCARD_BASE_DOMAIN/auth/realms/mesh/protocol/openid-connect/userinfo
       allow_sign_up: true
-      team_ids: grafana_users
       tls_skip_verify_insecure: true
+      role_attribute_path: contains(groups[*], 'grafana_admins') && 'Admin' || 'Viewer'
+      # allowed_domains (valid email domain...)
   datasources:
     datasources.yaml:
       apiVersion: 1
       datasources:
       - name: Prometheus
         type: prometheus
-        url: http://prometheus.istio-system.svc:9090
+        url: http://addons-prometheus-server.istio-system.svc
         access: proxy
         isDefault: true
   dashboardProviders: 
diff --git a/addons/gatekeeper/configmap/jaeger.yaml b/addons/gatekeeper/configmap/jaeger.yaml
@@ -1,9 +1,9 @@
 redirection-url: http://jaeger.WILDCARD_BASE_DOMAIN
-discovery-url: https://keycloak.WILDCARD_BASE_DOMAIN/auth/realms/master
+discovery-url: https://keycloak.WILDCARD_BASE_DOMAIN/auth/realms/mesh
 upstream-url: http://127.0.0.1:16686/
 skip-openid-provider-tls-verify: true
 client-id: jaeger-client
-client-secret: AAAAAAAA
+client-secret: JJJJJJJJ
 enable-refresh-tokens: true
 listen: :8000
 secure-cookie: false
diff --git a/addons/gatekeeper/configmap/kiali.yaml b/addons/gatekeeper/configmap/kiali.yaml
@@ -1,9 +1,9 @@
 redirection-url: http://kiali.WILDCARD_BASE_DOMAIN
-discovery-url: https://keycloak.WILDCARD_BASE_DOMAIN/auth/realms/master
+discovery-url: https://keycloak.WILDCARD_BASE_DOMAIN/auth/realms/mesh
 upstream-url: http://127.0.0.1:20001/
 skip-openid-provider-tls-verify: true
 client-id: kiali-client
-client-secret: AAAAAAAA
+client-secret: KKKKKKKK
 enable-refresh-tokens: true
 listen: :8000
 secure-cookie: false
diff --git a/addons/mesh/grafana.gw.yaml b/addons/mesh/grafana.gw.yaml
@@ -11,4 +11,4 @@ spec:
     port:
       name: http
       number: 80
-      protocol: HTTP
+      protocol: HTTP
diff --git a/addons/mesh/grafana.vs.yaml b/addons/mesh/grafana.vs.yaml
@@ -18,5 +18,5 @@ spec:
       - destination:
           host: addons-grafana
           port:
-            number: 8000
+            number: 80
 
diff --git a/addons/mesh/jaeger.gw.yaml b/addons/mesh/jaeger.gw.yaml
@@ -11,4 +11,4 @@ spec:
     port:
       name: http
       number: 80
-      protocol: HTTP
+      protocol: HTTP
diff --git a/addons/mesh/keycloak.vs.yaml b/addons/mesh/keycloak.vs.yaml
@@ -16,4 +16,4 @@ spec:
         - destination:
             host: addons-keycloak-http
             port:
-              number: 8443
+              number: 8443
diff --git a/addons/mesh/kiali.gw.yaml b/addons/mesh/kiali.gw.yaml
@@ -11,4 +11,4 @@ spec:
     port:
       name: http
       number: 80
-      protocol: HTTP
+      protocol: HTTP
diff --git a/install.sh b/install.sh
@@ -46,13 +46,6 @@ sed -i '' "s/WILDCARD_BASE_DOMAIN/$WILDCARD_BASE_DOMAIN/" ./addons/chart/values.
 echo "Installing Istiod..."
 istioctl install -f ./istio-operator.yaml -n istio-system
 
-sleep 5
-INGRESS_IP=$(kubectl get svc/istio-ingressgateway -o 'jsonpath={.status.loadBalancer.ingress[0].ip}')
-echo "Ingress gateway IP is $INGRESS_IP"
-echo ""
-
-
-
 
 echo "Installing KeyCloak..."
 kubectl create secret tls addons-certificates --key certs/server/server.key --cert certs/server/server.pem -n istio-system
@@ -62,7 +55,10 @@ helm install addons-keycloak -n istio-system ./addons/chart \
 kubectl apply -f ./addons/mesh/keycloak.gw.yaml -n istio-system
 kubectl apply -f ./addons/mesh/keycloak.vs.yaml -n istio-system
 
+sleep 5
 echo ""
+INGRESS_IP=$(kubectl get svc/istio-ingressgateway -o 'jsonpath={.status.loadBalancer.ingress[0].ip}')
+echo "Ingress gateway IP is $INGRESS_IP"
 echo "Keycloak hostname: keycloak.$WILDCARD_BASE_DOMAIN"
 echo "Please update DNS and create oidc clients in KeyCloak:"
 echo "DNS: *.$WILDCARD_BASE_DOMAIN"
@@ -85,11 +81,12 @@ helm template addons -n istio-system ./addons/chart \
     --set-string 'switches.prometheus-enabled=true,switches.grafana-enabled=true,switches.kiali-enabled=true,switches.jaeger-enabled=true' \
     > ./addons/gatekeeper/.addons-install-pre.yaml
 kubectl kustomize ./addons/gatekeeper > ./addons/gatekeeper/.addons-install-post.yaml
-
 kubectl apply  -n istio-system -f ./addons/gatekeeper/.addons-install-post.yaml
-kubectl rollout status addons-kiali -n istio-system
-kubectl rollout status addons-grafana -n istio-system
-kubectl rollout status addons-jaeger-query -n istio-system
+
+sleep 3
+kubectl rollout status deploy/addons-kiali -n istio-system
+kubectl rollout status deploy/addons-grafana -n istio-system
+kubectl rollout status deploy/addons-jaeger-query -n istio-system
 
 
 for SVC in grafana kiali jaeger ; do
diff --git a/update-oidc-client-secret.sh b/update-oidc-client-secret.sh
@@ -2,17 +2,35 @@
 
 set -e
 
-# create keycloak client: kiali-client, grafana-client, jaeger-client
-    # Access Type: confidential
-    # Mappers: audiences/groups  (required claim name: groups)
-# create user/group
-    # user: basic
-    # groups: kiali_users, grafana_users, jaeger_users
 
 
+# export GRAFANA_OIDC_CLIENT_SECRET=''
+# export KIALI_OIDC_CLIENT_SECRET=''
+# export JAEGER_OIDC_CLIENT_SECRET=''
 
 
+if [ -z "$GRAFANA_OIDC_CLIENT_SECRET" ]; then
+    echo "GRAFANA_OIDC_CLIENT_SECRET is not set."
+    exit 1
+fi
+if [ -z "$KIALI_OIDC_CLIENT_SECRET" ]; then
+    echo "KIALI_OIDC_CLIENT_SECRET is not set."
+    exit 1
+fi
+if [ -z "$JAEGER_OIDC_CLIENT_SECRET" ]; then
+    echo "JAEGER_OIDC_CLIENT_SECRET is not set."
+    exit 1
+fi
 
-# patch config AAAAAAAA, use oidc secret!
-# restart deployments
 
+k get cm/addons-grafana -o yaml | sed "s/GGGGGGGG/$GRAFANA_OIDC_CLIENT_SECRET/" | k apply -f -
+k get cm/addons-oidc-gatekeeper-config -o yaml | \
+    sed 's/JJJJJJJJ/$JAEGER_OIDC_CLIENT_SECRET/' | \
+    sed 's/KKKKKKKK/$KIALI_OIDC_CLIENT_SECRET/' | \
+    k apply -f - 
+
+
+PATCH="{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"`date +'%s'`\"}}}}}"
+kubectl patch deployment addons-grafana -p $PATCH
+kubectl patch deployment addons-jaeger-query -p $PATCH
+kubectl patch deployment addons-kiali -p $PATCH
