# Integrating Keycloak and LDAP in a Monitor Stack with NGINX

## Purpose

Add authentication (Keycloak) and authorization (LDAP) in front of the Monitor Stack components, on a need-to-know basis.

## Monitor Stack components

Kibana, Prometheus, AlertManager ... anything that has a UI.

## Architecture

![image](https://hackmd.io/_uploads/B1MGUOnVkx.png)

nginx with Keycloak and LDAP added on:

nginx -> Kibana (Elasticsearch + Fluent Bit + Kibana), Prometheus, Alertmanager, Grafana

## Deploy by Helm Chart

1. Platform Chart (logic)
2. DevOps values (settings)

## DevOps values settings

### nginx and Keycloak for authentication

nginx's URL is the externally exposed entry point of the services. Authentication and authorization are done centrally at nginx, so that only specific users can use them. After authentication and authorization, nginx forwards the request to the internal k8s service.

There can be one or more VirtualService hosts, each representing the entry point of a different service.

- nginx's Keycloak settings: client ID and client secret
- Keycloak's redirect URI/URL: {nginx's URL for Kibana, Prometheus, Alertmanager}

#### Verification

After the settings are in place, the actual flow is:

user (person) -> (input) nginx's URL in the browser -> Keycloak (login) -> {nginx's URL for Kibana, Prometheus, Alertmanager}

### nginx and LDAP for authorization

LDAP: Lightweight Directory Access Protocol

nginx's LDAP connection settings:

1. LDAP's URL
2. LDAP's port
3. LDAP SSL true or false
4. LDAP's account (the bind account)
5. LDAP's password

**Note:** LDAP's port, SSL and certificate go together:

- Port 389: SSL is set to false and no certificate is needed. -> With certificates out of the picture, the bind result ("Bind to LDAP") depends only on the LDAP account/password and on whether the account is enabled in LDAP. (Caveat: on plain 389 without STARTTLS the bind password crosses the network in cleartext, so keep this to testing or to a trusted network segment.)
- Port 636: SSL is set to true and the correct certificate for the LDAP URL (domain) must be added. -> Whether the certificate is correct can be tested beforehand with the openssl command: connect to the LDAP URL using the certificate.

Where to see the **result** of nginx's LDAP connection settings:

Argo CD log | Kube Dashboard pod log | end-to-end check via nginx's URLs

Possible causes of an LDAP Bind Error:

(1) wrong password
(2) account and password correct, but the LDAP account status is Disabled
(3) LDAP port 636 with SSL true, but the wrong certificate was installed

(1)(2) error message format:

"The exception is [LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data <HEX>, vece ]."

(1) Code 49, hex 52e: ERROR_LOGON_FAILURE. Returned when the username is valid but the password/credential is invalid.
(2) Code 49, hex 533: ERROR_ACCOUNT_DISABLED, administratively disabled: LDAP User-Account-Control attribute ACCOUNTDISABLE. **NOTE: returned only when presented with a valid username and password/credential.**
(3) The error message contains `issuer`, or is the same as the result of running openSSL XXX {cert} XXX {LDAP URL} (the command to verify the LDAP connection via OpenSSL); see that output for more info (SSL handshake bytes and verification result/code).

## Trouble Shooting

ldapwiki.com: [Common Active Directory Bind Errors](https://ldapwiki.com/wiki/Wiki.jsp?page=Common+Active+Directory+Bind+Errors#top)

### nginx link to actual upstream service(s)

**How does nginx link to the actual upstream service?**

Use the k8s internal service (internal endpoint). (It can be found in the Kube Dashboard Service section.)

## Tool

openssl commands x 2:

- Convert the source certificate (cer/crt) to pem
- Use the pem to test whether the SSL handshake with the LDAP URL succeeds

**Note:** The deployment ENV **(Stage)** decides which certificate to download; finally the openssl command XXX pem XXX connect LDAP URL confirms whether the certificate can establish a connection to the configured LDAP URL.

## Extension: how to close the original service entry point?

The original service can still be reached after it also became reachable through nginx. How do we close the original entry and keep only the entry that has authentication/authorization?

Keywords: K8s VirtualService and Service

Cancel (comment out) the original service's VirtualService configuration and paste the value of the original VirtualService host into nginx's URL, so that existing users switch over painlessly.

Or route the VirtualService to another service port rather than the original service, when the Service exposes different ports for different purposes.

Ex: keep only the home page (8080), not the detail page (5000) -> the VirtualService routes only to the home page (8080).

Based on whether traffic is inside or outside K8s:

(1) exposed outside the cluster -> inside the cluster
(2) inside the cluster only

## Extension: file extension cer vs crt

![image](https://hackmd.io/_uploads/H183yOhNkx.png)

ref: [OpenSSL LDAP Certification Check](https://chatgpt.com/share/675ef039-b0bc-8001-9f03-80f4e2259c53)
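The three bind-error cases above (wrong password, disabled account, wrong certificate), turned into a small log classifier you can pipe the Argo CD or pod log through. This is an added example written for this note, not part of the original note or of the nginx/Keycloak deployment. The log lines it is tested with are constructed to match the message format quoted above; besides the two sub-codes the note lists (52e, 533) it maps the other standard Active Directory `data` sub-codes for error code 49, as documented on the ldapwiki page cited under Trouble Shooting, and the TLS strings it matches are the usual OpenSSL/Java handshake failure messages.

```shell
#!/bin/sh
# Added example for this note (not part of the original note or of the
# nginx/Keycloak deployment): classify LDAP bind failures seen in the
# Argo CD / pod logs. Sample lines in comments are constructed.

# Map the Active Directory "data <hex>" sub-code of an "error code 49"
# bind failure to its meaning. 52e and 533 are the two cases from the
# note; the others are the standard AD sub-codes for the same error code.
ad_bind_subcode() {
  case "$1" in
    525) echo "USER_NOT_FOUND" ;;
    52e) echo "ERROR_LOGON_FAILURE (valid user, wrong password)" ;;
    530) echo "NOT_PERMITTED_TO_LOGON_AT_THIS_TIME" ;;
    531) echo "NOT_PERMITTED_TO_LOGON_FROM_THIS_WORKSTATION" ;;
    532) echo "PASSWORD_EXPIRED" ;;
    533) echo "ERROR_ACCOUNT_DISABLED (valid credentials, account disabled)" ;;
    701) echo "ACCOUNT_EXPIRED" ;;
    773) echo "USER_MUST_RESET_PASSWORD" ;;
    775) echo "USER_ACCOUNT_LOCKED" ;;
    *)   echo "UNKNOWN_SUBCODE_$1" ;;
  esac
}

# Classify one log line. Prints a short verdict on stdout.
classify_bind_line() {
  line="$1"
  case "$line" in
    *"error code 49"*)
      # e.g. "... AcceptSecurityContext error, data 52e, vece ]"
      hex=$(printf '%s' "$line" | sed -n 's/.*data \([0-9A-Fa-f]*\),.*/\1/p' | tr 'A-F' 'a-f')
      ad_bind_subcode "${hex:-none}"
      ;;
    *"certificate verify failed"*|*"unable to get local issuer certificate"*|*"unable to get issuer certificate"*|*SSLHandshake*|*"PKIX path building failed"*)
      # Case (3) of the note: port 636 / SSL true with the wrong certificate.
      echo "TLS_ERROR (certificate for the LDAP URL not trusted)"
      ;;
    *"error code 32"*)
      echo "NO_SUCH_OBJECT (bind DN or search base does not exist)"
      ;;
    *)
      echo "NOT_A_BIND_ERROR"
      ;;
  esac
}

# Read a log on stdin and print "<verdict><TAB><line>" for each line.
# Usage: classify_log < nginx-auth-pod.log
classify_log() {
  while IFS= read -r line; do
    printf '%s\t%s\n' "$(classify_bind_line "$line")" "$line"
  done
}
```

Because 533 is only returned for a valid username and password, a run of `ERROR_ACCOUNT_DISABLED` verdicts tells you the nginx bind credentials are right and the fix is in the directory, not in the values file; a `TLS_ERROR` verdict points at the certificate step in the Tool section.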
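The two openssl steps from the Tool section (convert cer/crt to pem, then test the SSL handshake against the LDAP URL), as reusable shell functions. This is an added example for this note, not tooling shipped with the stack; the host name `ldap.example.test`, the file names and the default port 636 are assumptions. `to_pem` and `cert_summary` run offline; `check_ldaps` needs network access to the LDAP host.

```shell
#!/bin/sh
# Added example for this note (not the project's own tooling): the two
# openssl steps from the Tool section as reusable functions.
# Host names, ports and file names are placeholders.

# Step 1: convert a DER-encoded .cer/.crt into PEM. Files that are
# already PEM ("-----BEGIN CERTIFICATE-----") are copied through unchanged.
to_pem() {
  in="$1"; out="$2"
  if grep -q 'BEGIN CERTIFICATE' "$in" 2>/dev/null; then
    cp "$in" "$out"
  else
    openssl x509 -inform DER -in "$in" -out "$out"
  fi
}

# Show subject / issuer / expiry so you can confirm you downloaded the
# certificate for the right environment (Stage vs. others) before testing.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Step 2: TLS handshake with the LDAPS endpoint (port 636 by default),
# verifying the server chain against the PEM from step 1. -servername sets
# SNI so the server presents the certificate for that name. Returns 0 only
# when OpenSSL prints "Verify return code: 0 (ok)", which is what an nginx
# LDAP connection with SSL true needs; anything else means the certificate
# does not match the LDAP URL (case (3) in the note).
check_ldaps() {
  host="$1"; ca="$2"; port="${3:-636}"
  out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -CAfile "$ca" -verify_return_error </dev/null 2>&1) || true
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Usage (assumed names):
#   to_pem ldap-ca.cer ldap-ca.pem
#   cert_summary ldap-ca.pem
#   check_ldaps ldap.example.test ldap-ca.pem && echo "LDAPS chain OK"
```

Run `cert_summary` on the converted file first: a certificate whose subject or issuer belongs to a different environment will convert fine but fail `check_ldaps`, which is the situation the Stage note above warns about.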