From 6ac481034861da5c514709070fb2c42c40907073 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Wed, 6 Sep 2023 10:43:03 +0000
Subject: [PATCH] Updated Kubezero-auth module using Bitnami for KeyCloak
---
 charts/kubezero-auth/Chart.yaml | 14 +-
 charts/kubezero-auth/README.md | 33 +-
 charts/kubezero-auth/README.md.gotmpl | 5 +-
 .../crds/keycloak-realmimports.yaml | 2248 -------------
 charts/kubezero-auth/crds/keycloak.yaml | 2917 -----------------
 charts/kubezero-auth/dashboards-keycloak.yaml | 3 +-
 charts/kubezero-auth/keycloak.patch | 12 -
 .../keycloak/grafana-dashboards.yaml | 2 +-
 .../keycloak/istio-authorization-policy.yaml | 3 +-
 .../templates/keycloak/istio-service.yaml | 2 +-
 .../templates/keycloak/keycloak.yaml | 56 -
 .../templates/keycloak/operator.yaml | 237 --
 .../kubezero-auth/templates/keycloak/pdb.yaml | 15 -
 charts/kubezero-auth/update.sh | 17 +-
 charts/kubezero-auth/values.yaml | 54 +-
 charts/kubezero-metrics/values.yaml | 2 +-
 16 files changed, 74 insertions(+), 5546 deletions(-)
 delete mode 100644 charts/kubezero-auth/crds/keycloak-realmimports.yaml
 delete mode 100644 charts/kubezero-auth/crds/keycloak.yaml
 delete mode 100644 charts/kubezero-auth/keycloak.patch
 delete mode 100644 charts/kubezero-auth/templates/keycloak/keycloak.yaml
 delete mode 100644 charts/kubezero-auth/templates/keycloak/operator.yaml
 delete mode 100644 charts/kubezero-auth/templates/keycloak/pdb.yaml
diff --git a/charts/kubezero-auth/Chart.yaml b/charts/kubezero-auth/Chart.yaml
index 452a186e..4b7e5843 100644
--- a/charts/kubezero-auth/Chart.yaml
+++ b/charts/kubezero-auth/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: kubezero-auth
 description: KubeZero umbrella chart for all things Authentication and Identity management
 type: application
-version: 0.3.5
-appVersion: 21.1.1
+version: 0.4.0
+appVersion: 22.0.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -16,8 +16,8 @@ dependencies:
 - name: kubezero-lib
 version: ">= 0.1.6"
 repository: https://cdn.zero-downtime.net/charts/
- - name: postgresql
- version: 11.8.1
- repository: https://charts.bitnami.com/bitnami
- condition: postgresql.enabled
-kubeVersion: ">= 1.25.0"
+ - name: keycloak
+ version: 16.1.2
+ repository: "oci://registry-1.docker.io/bitnamicharts"
+ condition: keycloak.enabled
+kubeVersion: ">= 1.26.0"
diff --git a/charts/kubezero-auth/README.md b/charts/kubezero-auth/README.md
index 5fd3eceb..11b4e105 100644
--- a/charts/kubezero-auth/README.md
+++ b/charts/kubezero-auth/README.md
@@ -1,6 +1,6 @@
 # kubezero-auth
-![Version: 0.3.5](https://img.shields.io/badge/Version-0.3.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 21.1.1](https://img.shields.io/badge/AppVersion-21.1.1-informational?style=flat-square)
+![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 22.0.1](https://img.shields.io/badge/AppVersion-22.0.1-informational?style=flat-square)
 KubeZero umbrella chart for all things Authentication and Identity management
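Review bot: The new `keycloak` dependency in the `dependencies:` hunk of Chart.yaml is resolved from `oci://registry-1.docker.io/bitnamicharts` by the tag `16.1.2` alone, and the diffstat lists no `Chart.lock`, so nothing in this commit fixes which chart content that tag resolves to. Since this chart deploys the identity provider, I would record the chart digest next to the entry, e.g. `# keycloak 16.1.2 digest: sha256:<DIGEST_PLACEHOLDER>`, and have the update script or CI compare it after `helm dependency update`. The direct `postgresql` pin at `11.8.1` is also removed; judging by the `keycloak.postgresql.*` keys in the README hunk, the database now comes from the subchart bundled with the Bitnami chart, so its version presumably follows whatever `16.1.2` bundles, and a change in PostgreSQL major version should be checked before upgrading existing volumes. The `repository` value is quoted here while the `kubezero-lib` entry above it is not; either style works, but the file should use one.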
@@ -14,40 +14,45 @@ KubeZero umbrella chart for all things Authentication and Identity management ## Requirements -Kubernetes: `>= 1.25.0` +Kubernetes: `>= 1.26.0` | Repository | Name | Version | |------------|------|---------| | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | -| https://charts.bitnami.com/bitnami | postgresql | 11.8.1 | +| oci://registry-1.docker.io/bitnamicharts | keycloak | 16.1.2 | # Keycloak ## Operator +https://www.keycloak.org/operator/installation https://github.com/keycloak/keycloak/tree/main/operator https://github.com/aerogear/keycloak-metrics-spi https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates ## Resources - -- Codecentric Helm chart: `https://github.com/codecentric/helm-charts/tree/master/charts/keycloak` -- custom image: `https://www.keycloak.org/server/containers` +- https://github.com/bitnami/charts/tree/main/bitnami/keycloak ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| +| keycloak.auth.adminUser | string | `"admin"` | | +| keycloak.auth.existingSecret | string | `"kubezero-auth"` | | +| keycloak.auth.passwordSecretKey | string | `"admin-password"` | | | keycloak.enabled | bool | `false` | | | keycloak.istio.enabled | bool | `false` | | | keycloak.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | | keycloak.istio.url | string | `""` | | | keycloak.metrics.enabled | bool | `false` | | -| keycloak.podDisruptionBudget.minAvailable | int | `1` | | -| keycloak.replicas | int | `1` | | -| postgresql.auth.database | string | `"keycloak"` | | -| postgresql.auth.existingSecret | string | `"kubezero-auth-postgresql"` | | -| postgresql.auth.username | string | `"keycloak"` | | -| postgresql.enabled | bool | `false` | | -| postgresql.primary.persistence.size | string | `"1Gi"` | | -| postgresql.readReplicas.replicaCount | int | `0` | | +| keycloak.metrics.serviceMonitor.enabled | bool | `true` | | +| 
keycloak.pdb.create | bool | `false` | | +| keycloak.pdb.minAvailable | int | `1` | | +| keycloak.postgresql.auth.database | string | `"keycloak"` | | +| keycloak.postgresql.auth.existingSecret | string | `"kubezero-auth"` | | +| keycloak.postgresql.auth.username | string | `"keycloak"` | | +| keycloak.postgresql.primary.persistence.size | string | `"1Gi"` | | +| keycloak.postgresql.readReplicas.replicaCount | int | `0` | | +| keycloak.production | bool | `true` | | +| keycloak.proxy | string | `"edge"` | | +| keycloak.replicaCount | int | `1` | | diff --git a/charts/kubezero-auth/README.md.gotmpl b/charts/kubezero-auth/README.md.gotmpl index c0b6241a..e4bf1767 100644 --- a/charts/kubezero-auth/README.md.gotmpl +++ b/charts/kubezero-auth/README.md.gotmpl @@ -17,13 +17,12 @@ ## Operator +https://www.keycloak.org/operator/installation https://github.com/keycloak/keycloak/tree/main/operator https://github.com/aerogear/keycloak-metrics-spi https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates ## Resources - -- Codecentric Helm chart: `https://github.com/codecentric/helm-charts/tree/master/charts/keycloak` -- custom image: `https://www.keycloak.org/server/containers` +- https://github.com/bitnami/charts/tree/main/bitnami/keycloak {{ template "chart.valuesSection" . }} diff --git a/charts/kubezero-auth/crds/keycloak-realmimports.yaml b/charts/kubezero-auth/crds/keycloak-realmimports.yaml deleted file mode 100644 index b617a305..00000000 --- a/charts/kubezero-auth/crds/keycloak-realmimports.yaml +++ /dev/null 
@@ -1,2248 +0,0 @@ -# Generated by Fabric8 CRDGenerator, manual edits might get overwritten! -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: keycloakrealmimports.k8s.keycloak.org -spec: - group: k8s.keycloak.org - names: - kind: KeycloakRealmImport - plural: keycloakrealmimports - singular: keycloakrealmimport - scope: Namespaced - versions: - - name: v2alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - keycloakCRName: - description: "The name of the Keycloak CR to reference, in the same\ - \ namespace." - type: string - realm: - description: The RealmRepresentation to import into Keycloak. - properties: - webAuthnPolicyAvoidSameAuthenticatorRegister: - type: boolean - federatedUsers: - items: - properties: - id: - type: string - clientConsents: - items: - properties: - grantedClientScopes: - items: - type: string - type: array - grantedRealmRoles: - items: - type: string - type: array - lastUpdatedDate: - type: integer - createdDate: - type: integer - clientId: - type: string - type: object - type: array - clientRoles: - additionalProperties: - items: - type: string - type: array - type: object - requiredActions: - items: - type: string - type: array - enabled: - type: boolean - realmRoles: - items: - type: string - type: array - createdTimestamp: - type: integer - emailVerified: - type: boolean - disableableCredentialTypes: - items: - type: string - type: array - socialLinks: - items: - properties: - socialUserId: - type: string - socialProvider: - type: string - socialUsername: - type: string - type: object - type: array - username: - type: string - federationLink: - type: string - access: - additionalProperties: - type: boolean - type: object - totp: - type: boolean - serviceAccountClientId: - type: string - attributes: - additionalProperties: - items: - type: string - type: array - type: object - federatedIdentities: - items: - properties: - userId: - type: string - identityProvider: - type: string 
- userName: - type: string - type: object - type: array - firstName: - type: string - self: - type: string - notBefore: - type: integer - groups: - items: - type: string - type: array - credentials: - items: - properties: - id: - type: string - period: - type: integer - counter: - type: integer - value: - type: string - hashIterations: - type: integer - algorithm: - type: string - hashedSaltedValue: - type: string - type: - type: string - priority: - type: integer - device: - type: string - temporary: - type: boolean - userLabel: - type: string - createdDate: - type: integer - secretData: - type: string - config: - additionalProperties: - items: - type: string - type: array - type: object - credentialData: - type: string - salt: - type: string - digits: - type: integer - type: object - type: array - applicationRoles: - additionalProperties: - items: - type: string - type: array - type: object - lastName: - type: string - email: - type: string - origin: - type: string - type: object - type: array - adminEventsEnabled: - type: boolean - registrationEmailAsUsername: - type: boolean - keycloakVersion: - type: string - oauth2DeviceCodeLifespan: - type: integer - sslRequired: - type: string - realm: - type: string - defaultGroups: - items: - type: string - type: array - enabled: - type: boolean - webAuthnPolicySignatureAlgorithms: - items: - type: string - type: array - ssoSessionMaxLifespanRememberMe: - type: integer - webAuthnPolicyRpId: - type: string - webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister: - type: boolean - users: - items: - properties: - id: - type: string - clientConsents: - items: - properties: - grantedClientScopes: - items: - type: string - type: array - grantedRealmRoles: - items: - type: string - type: array - lastUpdatedDate: - type: integer - createdDate: - type: integer - clientId: - type: string - type: object - type: array - clientRoles: - additionalProperties: - items: - type: string - type: array - type: object - requiredActions: - 
items: - type: string - type: array - enabled: - type: boolean - realmRoles: - items: - type: string - type: array - createdTimestamp: - type: integer - emailVerified: - type: boolean - disableableCredentialTypes: - items: - type: string - type: array - socialLinks: - items: - properties: - socialUserId: - type: string - socialProvider: - type: string - socialUsername: - type: string - type: object - type: array - username: - type: string - federationLink: - type: string - access: - additionalProperties: - type: boolean - type: object - totp: - type: boolean - serviceAccountClientId: - type: string - attributes: - additionalProperties: - items: - type: string - type: array - type: object - federatedIdentities: - items: - properties: - userId: - type: string - identityProvider: - type: string - userName: - type: string - type: object - type: array - firstName: - type: string - self: - type: string - notBefore: - type: integer - groups: - items: - type: string - type: array - credentials: - items: - properties: - id: - type: string - period: - type: integer - counter: - type: integer - value: - type: string - hashIterations: - type: integer - algorithm: - type: string - hashedSaltedValue: - type: string - type: - type: string - priority: - type: integer - device: - type: string - temporary: - type: boolean - userLabel: - type: string - createdDate: - type: integer - secretData: - type: string - config: - additionalProperties: - items: - type: string - type: array - type: object - credentialData: - type: string - salt: - type: string - digits: - type: integer - type: object - type: array - applicationRoles: - additionalProperties: - items: - type: string - type: array - type: object - lastName: - type: string - email: - type: string - origin: - type: string - type: object - type: array - clientTemplates: - items: - properties: - protocol: - type: string - id: - type: string - fullScopeAllowed: - type: boolean - frontchannelLogout: - type: boolean - 
serviceAccountsEnabled: - type: boolean - standardFlowEnabled: - type: boolean - description: - type: string - publicClient: - type: boolean - consentRequired: - type: boolean - bearerOnly: - type: boolean - protocolMappers: - items: - properties: - protocol: - type: string - id: - type: string - name: - type: string - protocolMapper: - type: string - consentText: - type: string - consentRequired: - type: boolean - config: - additionalProperties: - type: string - type: object - type: object - type: array - name: - type: string - directAccessGrantsEnabled: - type: boolean - implicitFlowEnabled: - type: boolean - attributes: - additionalProperties: - type: string - type: object - type: object - type: array - webAuthnPolicyPasswordlessUserVerificationRequirement: - type: string - registrationFlow: - type: string - publicKey: - type: string - webAuthnPolicyPasswordlessCreateTimeout: - type: integer - authenticationFlows: - items: - properties: - id: - type: string - providerId: - type: string - authenticationExecutions: - items: - properties: - userSetupAllowed: - type: boolean - flowAlias: - type: string - autheticatorFlow: - type: boolean - authenticatorConfig: - type: string - authenticator: - type: string - priority: - type: integer - requirement: - type: string - authenticatorFlow: - type: boolean - type: object - type: array - topLevel: - type: boolean - alias: - type: string - builtIn: - type: boolean - description: - type: string - type: object - type: array - applicationScopeMappings: - additionalProperties: - items: - properties: - clientTemplate: - type: string - self: - type: string - clientScope: - type: string - client: - type: string - roles: - items: - type: string - type: array - type: object - type: array - type: object - offlineSessionMaxLifespan: - type: integer - codeSecret: - type: string - offlineSessionIdleTimeout: - type: integer - quickLoginCheckMilliSeconds: - type: integer - privateKey: - type: string - webAuthnPolicyRpEntityName: - type: 
string - emailTheme: - type: string - accessCodeLifespanLogin: - type: integer - passwordPolicy: - type: string - ssoSessionIdleTimeoutRememberMe: - type: integer - resetPasswordAllowed: - type: boolean - failureFactor: - type: integer - otpPolicyAlgorithm: - type: string - requiredActions: - items: - properties: - providerId: - type: string - alias: - type: string - defaultAction: - type: boolean - priority: - type: integer - name: - type: string - enabled: - type: boolean - config: - additionalProperties: - type: string - type: object - type: object - type: array - actionTokenGeneratedByUserLifespan: - type: integer - clientAuthenticationFlow: - type: string - webAuthnPolicyAuthenticatorAttachment: - type: string - actionTokenGeneratedByAdminLifespan: - type: integer - id: - type: string - clientPolicies: - type: object - x-kubernetes-preserve-unknown-fields: true - webAuthnPolicyUserVerificationRequirement: - type: string - loginTheme: - type: string - requiredCredentials: - items: - type: string - type: array - webAuthnPolicyPasswordlessAttestationConveyancePreference: - type: string - directGrantFlow: - type: string - identityProviderMappers: - items: - properties: - id: - type: string - name: - type: string - identityProviderMapper: - type: string - identityProviderAlias: - type: string - config: - additionalProperties: - type: string - type: object - type: object - type: array - dockerAuthenticationFlow: - type: string - browserFlow: - type: string - bruteForceProtected: - type: boolean - displayNameHtml: - type: string - ssoSessionIdleTimeout: - type: integer - browserSecurityHeaders: - additionalProperties: - type: string - type: object - eventsListeners: - items: - type: string - type: array - accessTokenLifespan: - type: integer - applications: - items: - properties: - name: - type: string - claims: - properties: - picture: - type: boolean - gender: - type: boolean - phone: - type: boolean - website: - type: boolean - email: - type: boolean - profile: - 
type: boolean - address: - type: boolean - name: - type: boolean - username: - type: boolean - locale: - type: boolean - type: object - id: - type: string - frontchannelLogout: - type: boolean - useTemplateConfig: - type: boolean - registrationAccessToken: - type: string - baseUrl: - type: string - serviceAccountsEnabled: - type: boolean - registeredNodes: - additionalProperties: - type: integer - type: object - useTemplateMappers: - type: boolean - description: - type: string - publicClient: - type: boolean - useTemplateScope: - type: boolean - authorizationSettings: - properties: - id: - type: string - resources: - items: - properties: - _id: - type: string - uris: - items: - type: string - type: array - attributes: - additionalProperties: - items: - type: string - type: array - type: object - displayName: - type: string - scopes: - items: - properties: - id: - type: string - displayName: - type: string - name: - type: string - iconUri: - type: string - type: object - type: array - owner: - properties: - id: - type: string - name: - type: string - type: object - name: - type: string - type: - type: string - icon_uri: - type: string - ownerManagedAccess: - type: boolean - type: object - type: array - decisionStrategy: - enum: - - AFFIRMATIVE - - stableIndex - - CONSENSUS - - UNANIMOUS - type: string - name: - type: string - policyEnforcementMode: - enum: - - stableIndex - - PERMISSIVE - - ENFORCING - - DISABLED - type: string - scopes: - items: - properties: - id: - type: string - displayName: - type: string - name: - type: string - iconUri: - type: string - type: object - type: array - policies: - items: - properties: - config: - additionalProperties: - type: string - type: object - id: - type: string - owner: - type: string - resources: - items: - type: string - type: array - policies: - items: - type: string - type: array - decisionStrategy: - enum: - - AFFIRMATIVE - - stableIndex - - CONSENSUS - - UNANIMOUS - type: string - logic: - enum: - - stableIndex - - 
POSITIVE - - NEGATIVE - type: string - resourcesData: - items: - properties: - _id: - type: string - uris: - items: - type: string - type: array - attributes: - additionalProperties: - items: - type: string - type: array - type: object - displayName: - type: string - scopes: - items: - properties: - id: - type: string - displayName: - type: string - name: - type: string - iconUri: - type: string - type: object - type: array - owner: - properties: - id: - type: string - name: - type: string - type: object - name: - type: string - type: - type: string - icon_uri: - type: string - ownerManagedAccess: - type: boolean - type: object - type: array - name: - type: string - type: - type: string - scopesData: - items: - properties: - id: - type: string - displayName: - type: string - name: - type: string - iconUri: - type: string - type: object - type: array - description: - type: string - scopes: - items: - type: string - type: array - type: object - type: array - clientId: - type: string - allowRemoteResourceManagement: - type: boolean - type: object - clientId: - type: string - enabled: - type: boolean - clientAuthenticatorType: - type: string - surrogateAuthRequired: - type: boolean - webOrigins: - items: - type: string - type: array - authorizationServicesEnabled: - type: boolean - secret: - type: string - protocol: - type: string - fullScopeAllowed: - type: boolean - nodeReRegistrationTimeout: - type: integer - clientTemplate: - type: string - access: - additionalProperties: - type: boolean - type: object - alwaysDisplayInConsole: - type: boolean - rootUrl: - type: string - oauth2DeviceAuthorizationGrantEnabled: - type: boolean - standardFlowEnabled: - type: boolean - optionalClientScopes: - items: - type: string - type: array - consentRequired: - type: boolean - authenticationFlowBindingOverrides: - additionalProperties: - type: string - type: object - bearerOnly: - type: boolean - defaultClientScopes: - items: - type: string - type: array - adminUrl: - type: string 
- protocolMappers: - items: - properties: - protocol: - type: string - id: - type: string - name: - type: string - protocolMapper: - type: string - consentText: - type: string - consentRequired: - type: boolean - config: - additionalProperties: - type: string - type: object - type: object - type: array - notBefore: - type: integer - directGrantsOnly: - type: boolean - defaultRoles: - items: - type: string - type: array - directAccessGrantsEnabled: - type: boolean - implicitFlowEnabled: - type: boolean - origin: - type: string - attributes: - additionalProperties: - type: string - type: object - redirectUris: - items: - type: string - type: array - type: object - type: array - otpPolicyCodeReusable: - type: boolean - clientProfiles: - type: object - x-kubernetes-preserve-unknown-fields: true - userFederationMappers: - items: - properties: - id: - type: string - federationProviderDisplayName: - type: string - federationMapperType: - type: string - name: - type: string - config: - additionalProperties: - type: string - type: object - type: object - type: array - enabledEventTypes: - items: - type: string - type: array - otpPolicyLookAheadWindow: - type: integer - displayName: - type: string - eventsEnabled: - type: boolean - clientSessionMaxLifespan: - type: integer - roles: - properties: - application: - additionalProperties: - items: - properties: - attributes: - additionalProperties: - items: - type: string - type: array - type: object - id: - type: string - clientRole: - type: boolean - name: - type: string - description: - type: string - scopeParamRequired: - type: boolean - composites: - properties: - realm: - items: - type: string - type: array - application: - additionalProperties: - items: - type: string - type: array - type: object - client: - additionalProperties: - items: - type: string - type: array - type: object - type: object - containerId: - type: string - composite: - type: boolean - type: object - type: array - type: object - client: - 
additionalProperties: - items: - properties: - attributes: - additionalProperties: - items: - type: string - type: array - type: object - id: - type: string - clientRole: - type: boolean - name: - type: string - description: - type: string - scopeParamRequired: - type: boolean - composites: - properties: - realm: - items: - type: string - type: array - application: - additionalProperties: - items: - type: string - type: array - type: object - client: - additionalProperties: - items: - type: string - type: array - type: object - type: object - containerId: - type: string - composite: - type: boolean - type: object - type: array - type: object - realm: - items: - properties: - attributes: - additionalProperties: - items: - type: string - type: array - type: object - id: - type: string - clientRole: - type: boolean - name: - type: string - description: - type: string - scopeParamRequired: - type: boolean - composites: - properties: - realm: - items: - type: string - type: array - application: - additionalProperties: - items: - type: string - type: array - type: object - client: - additionalProperties: - items: - type: string - type: array - type: object - type: object - containerId: - type: string - composite: - type: boolean - type: object - type: array - type: object - groups: - items: - properties: - attributes: - additionalProperties: - items: - type: string - type: array - type: object - id: - type: string - access: - additionalProperties: - type: boolean - type: object - realmRoles: - items: - type: string - type: array - path: - type: string - clientRoles: - additionalProperties: - items: - type: string - type: array - type: object - name: - type: string - subGroups: - items: - properties: - attributes: - additionalProperties: - items: - type: string - type: array - type: object - id: - type: string - access: - additionalProperties: - type: boolean - type: object - realmRoles: - items: - type: string - type: array - path: - type: string - clientRoles: - 
additionalProperties: - items: - type: string - type: array - type: object - name: - type: string - type: object - type: array - type: object - type: array - webAuthnPolicyCreateTimeout: - type: integer - webAuthnPolicyAttestationConveyancePreference: - type: string - clientOfflineSessionIdleTimeout: - type: integer - notBefore: - type: integer - webAuthnPolicyPasswordlessRpEntityName: - type: string - verifyEmail: - type: boolean - clientScopeMappings: - additionalProperties: - items: - properties: - clientTemplate: - type: string - self: - type: string - clientScope: - type: string - client: - type: string - roles: - items: - type: string - type: array - type: object - type: array - type: object - identityProviders: - items: - properties: - storeToken: - type: boolean - trustEmail: - type: boolean - updateProfileFirstLoginMode: - type: string - authenticateByDefault: - type: boolean - displayName: - type: string - providerId: - type: string - linkOnly: - type: boolean - postBrokerLoginFlowAlias: - type: string - alias: - type: string - enabled: - type: boolean - firstBrokerLoginFlowAlias: - type: string - internalId: - type: string - addReadTokenRoleOnCreate: - type: boolean - config: - additionalProperties: - type: string - type: object - type: object - type: array - resetCredentialsFlow: - type: string - duplicateEmailsAllowed: - type: boolean - maxDeltaTimeSeconds: - type: integer - offlineSessionMaxLifespanEnabled: - type: boolean - realmCacheEnabled: - type: boolean - attributes: - additionalProperties: - type: string - type: object - adminTheme: - type: string - loginWithEmailAllowed: - type: boolean - otpSupportedApplications: - items: - type: string - type: array - clientOfflineSessionMaxLifespan: - type: integer - userFederationProviders: - items: - properties: - id: - type: string - providerName: - type: string - displayName: - type: string - priority: - type: integer - fullSyncPeriod: - type: integer - lastSync: - type: integer - changedSyncPeriod: - 
type: integer - config: - additionalProperties: - type: string - type: object - type: object - type: array - internationalizationEnabled: - type: boolean - permanentLockout: - type: boolean - userManagedAccessAllowed: - type: boolean - smtpServer: - additionalProperties: - type: string - type: object - otpPolicyDigits: - type: integer - webAuthnPolicyPasswordlessSignatureAlgorithms: - items: - type: string - type: array - socialProviders: - additionalProperties: - type: string - type: object - otpPolicyInitialCounter: - type: integer - defaultSignatureAlgorithm: - type: string - refreshTokenMaxReuse: - type: integer - revokeRefreshToken: - type: boolean - accountTheme: - type: string - webAuthnPolicyPasswordlessAcceptableAaguids: - items: - type: string - type: array - webAuthnPolicyPasswordlessAuthenticatorAttachment: - type: string - supportedLocales: - items: - type: string - type: array - defaultDefaultClientScopes: - items: - type: string - type: array - authenticatorConfig: - items: - properties: - id: - type: string - alias: - type: string - config: - additionalProperties: - type: string - type: object - type: object - type: array - webAuthnPolicyPasswordlessRpId: - type: string - scopeMappings: - items: - properties: - clientTemplate: - type: string - self: - type: string - clientScope: - type: string - client: - type: string - roles: - items: - type: string - type: array - type: object - type: array - clientScopes: - items: - properties: - protocol: - type: string - id: - type: string - protocolMappers: - items: - properties: - protocol: - type: string - id: - type: string - name: - type: string - protocolMapper: - type: string - consentText: - type: string - consentRequired: - type: boolean - config: - additionalProperties: - type: string - type: object - type: object - type: array - name: - type: string - description: - type: string - attributes: - additionalProperties: - type: string - type: object - type: object - type: array - 
oauth2DevicePollingInterval: - type: integer - eventsExpiration: - type: integer - certificate: - type: string - defaultRole: - properties: - attributes: - additionalProperties: - items: - type: string - type: array - type: object - id: - type: string - clientRole: - type: boolean - name: - type: string - description: - type: string - scopeParamRequired: - type: boolean - composites: - properties: - realm: - items: - type: string - type: array - application: - additionalProperties: - items: - type: string - type: array - type: object - client: - additionalProperties: - items: - type: string - type: array - type: object - type: object - containerId: - type: string - composite: - type: boolean - type: object - defaultOptionalClientScopes: - items: - type: string - type: array - editUsernameAllowed: - type: boolean - defaultLocale: - type: string - webAuthnPolicyRequireResidentKey: - type: string - oauthClients: - items: - properties: - name: - type: string - claims: - properties: - picture: - type: boolean - gender: - type: boolean - phone: - type: boolean - website: - type: boolean - email: - type: boolean - profile: - type: boolean - address: - type: boolean - name: - type: boolean - username: - type: boolean - locale: - type: boolean - type: object - id: - type: string - frontchannelLogout: - type: boolean - useTemplateConfig: - type: boolean - registrationAccessToken: - type: string - baseUrl: - type: string - serviceAccountsEnabled: - type: boolean - registeredNodes: - additionalProperties: - type: integer - type: object - useTemplateMappers: - type: boolean - description: - type: string - publicClient: - type: boolean - useTemplateScope: - type: boolean - authorizationSettings: - properties: - id: - type: string - resources: - items: - properties: - _id: - type: string - uris: - items: - type: string - type: array - attributes: - additionalProperties: - items: - type: string - type: array - type: object - displayName: - type: string - scopes: - items: - 
properties: - id: - type: string - displayName: - type: string - name: - type: string - iconUri: - type: string - type: object - type: array - owner: - properties: - id: - type: string - name: - type: string - type: object - name: - type: string - type: - type: string - icon_uri: - type: string - ownerManagedAccess: - type: boolean - type: object - type: array - decisionStrategy: - enum: - - AFFIRMATIVE - - stableIndex - - CONSENSUS - - UNANIMOUS - type: string - name: - type: string - policyEnforcementMode: - enum: - - stableIndex - - PERMISSIVE - - ENFORCING - - DISABLED - type: string - scopes: - items: - properties: - id: - type: string - displayName: - type: string - name: - type: string - iconUri: - type: string - type: object - type: array - policies: - items: - properties: - config: - additionalProperties: - type: string - type: object - id: - type: string - owner: - type: string - resources: - items: - type: string - type: array - policies: - items: - type: string - type: array - decisionStrategy: - enum: - - AFFIRMATIVE - - stableIndex - - CONSENSUS - - UNANIMOUS - type: string - logic: - enum: - - stableIndex - - POSITIVE - - NEGATIVE - type: string - resourcesData: - items: - properties: - _id: - type: string - uris: - items: - type: string - type: array - attributes: - additionalProperties: - items: - type: string - type: array - type: object - displayName: - type: string - scopes: - items: - properties: - id: - type: string - displayName: - type: string - name: - type: string - iconUri: - type: string - type: object - type: array - owner: - properties: - id: - type: string - name: - type: string - type: object - name: - type: string - type: - type: string - icon_uri: - type: string - ownerManagedAccess: - type: boolean - type: object - type: array - name: - type: string - type: - type: string - scopesData: - items: - properties: - id: - type: string - displayName: - type: string - name: - type: string - iconUri: - type: string - type: object - type: 
array - description: - type: string - scopes: - items: - type: string - type: array - type: object - type: array - clientId: - type: string - allowRemoteResourceManagement: - type: boolean - type: object - clientId: - type: string - enabled: - type: boolean - clientAuthenticatorType: - type: string - surrogateAuthRequired: - type: boolean - webOrigins: - items: - type: string - type: array - authorizationServicesEnabled: - type: boolean - secret: - type: string - protocol: - type: string - fullScopeAllowed: - type: boolean - nodeReRegistrationTimeout: - type: integer - clientTemplate: - type: string - access: - additionalProperties: - type: boolean - type: object - alwaysDisplayInConsole: - type: boolean - rootUrl: - type: string - oauth2DeviceAuthorizationGrantEnabled: - type: boolean - standardFlowEnabled: - type: boolean - optionalClientScopes: - items: - type: string - type: array - consentRequired: - type: boolean - authenticationFlowBindingOverrides: - additionalProperties: - type: string - type: object - bearerOnly: - type: boolean - defaultClientScopes: - items: - type: string - type: array - adminUrl: - type: string - protocolMappers: - items: - properties: - protocol: - type: string - id: - type: string - name: - type: string - protocolMapper: - type: string - consentText: - type: string - consentRequired: - type: boolean - config: - additionalProperties: - type: string - type: object - type: object - type: array - notBefore: - type: integer - directGrantsOnly: - type: boolean - defaultRoles: - items: - type: string - type: array - directAccessGrantsEnabled: - type: boolean - implicitFlowEnabled: - type: boolean - origin: - type: string - attributes: - additionalProperties: - type: string - type: object - redirectUris: - items: - type: string - type: array - type: object - type: array - adminEventsDetailsEnabled: - type: boolean - ssoSessionMaxLifespan: - type: integer - accessCodeLifespanUserAction: - type: integer - registrationAllowed: - type: boolean 
- social: - type: boolean - accessTokenLifespanForImplicitFlow: - type: integer - rememberMe: - type: boolean - maxFailureWaitSeconds: - type: integer - defaultRoles: - items: - type: string - type: array - otpPolicyType: - type: string - otpPolicyPeriod: - type: integer - accessCodeLifespan: - type: integer - minimumQuickLoginWaitSeconds: - type: integer - webAuthnPolicyAcceptableAaguids: - items: - type: string - type: array - updateProfileOnInitialSocialLogin: - type: boolean - clientSessionIdleTimeout: - type: integer - webAuthnPolicyPasswordlessRequireResidentKey: - type: string - waitIncrementSeconds: - type: integer - protocolMappers: - items: - properties: - protocol: - type: string - id: - type: string - name: - type: string - protocolMapper: - type: string - consentText: - type: string - consentRequired: - type: boolean - config: - additionalProperties: - type: string - type: object - type: object - type: array - clients: - items: - properties: - id: - type: string - frontchannelLogout: - type: boolean - useTemplateConfig: - type: boolean - registrationAccessToken: - type: string - baseUrl: - type: string - serviceAccountsEnabled: - type: boolean - registeredNodes: - additionalProperties: - type: integer - type: object - useTemplateMappers: - type: boolean - description: - type: string - publicClient: - type: boolean - useTemplateScope: - type: boolean - authorizationSettings: - properties: - id: - type: string - resources: - items: - properties: - _id: - type: string - uris: - items: - type: string - type: array - attributes: - additionalProperties: - items: - type: string - type: array - type: object - displayName: - type: string - scopes: - items: - properties: - id: - type: string - displayName: - type: string - name: - type: string - iconUri: - type: string - type: object - type: array - owner: - properties: - id: - type: string - name: - type: string - type: object - name: - type: string - type: - type: string - icon_uri: - type: string - 
ownerManagedAccess: - type: boolean - type: object - type: array - decisionStrategy: - enum: - - AFFIRMATIVE - - stableIndex - - CONSENSUS - - UNANIMOUS - type: string - name: - type: string - policyEnforcementMode: - enum: - - stableIndex - - PERMISSIVE - - ENFORCING - - DISABLED - type: string - scopes: - items: - properties: - id: - type: string - displayName: - type: string - name: - type: string - iconUri: - type: string - type: object - type: array - policies: - items: - properties: - config: - additionalProperties: - type: string - type: object - id: - type: string - owner: - type: string - resources: - items: - type: string - type: array - policies: - items: - type: string - type: array - decisionStrategy: - enum: - - AFFIRMATIVE - - stableIndex - - CONSENSUS - - UNANIMOUS - type: string - logic: - enum: - - stableIndex - - POSITIVE - - NEGATIVE - type: string - resourcesData: - items: - properties: - _id: - type: string - uris: - items: - type: string - type: array - attributes: - additionalProperties: - items: - type: string - type: array - type: object - displayName: - type: string - scopes: - items: - properties: - id: - type: string - displayName: - type: string - name: - type: string - iconUri: - type: string - type: object - type: array - owner: - properties: - id: - type: string - name: - type: string - type: object - name: - type: string - type: - type: string - icon_uri: - type: string - ownerManagedAccess: - type: boolean - type: object - type: array - name: - type: string - type: - type: string - scopesData: - items: - properties: - id: - type: string - displayName: - type: string - name: - type: string - iconUri: - type: string - type: object - type: array - description: - type: string - scopes: - items: - type: string - type: array - type: object - type: array - clientId: - type: string - allowRemoteResourceManagement: - type: boolean - type: object - clientId: - type: string - enabled: - type: boolean - clientAuthenticatorType: - type: string 
- name: - type: string - surrogateAuthRequired: - type: boolean - webOrigins: - items: - type: string - type: array - authorizationServicesEnabled: - type: boolean - secret: - type: string - protocol: - type: string - fullScopeAllowed: - type: boolean - nodeReRegistrationTimeout: - type: integer - clientTemplate: - type: string - access: - additionalProperties: - type: boolean - type: object - alwaysDisplayInConsole: - type: boolean - rootUrl: - type: string - oauth2DeviceAuthorizationGrantEnabled: - type: boolean - standardFlowEnabled: - type: boolean - optionalClientScopes: - items: - type: string - type: array - consentRequired: - type: boolean - authenticationFlowBindingOverrides: - additionalProperties: - type: string - type: object - bearerOnly: - type: boolean - defaultClientScopes: - items: - type: string - type: array - adminUrl: - type: string - protocolMappers: - items: - properties: - protocol: - type: string - id: - type: string - name: - type: string - protocolMapper: - type: string - consentText: - type: string - consentRequired: - type: boolean - config: - additionalProperties: - type: string - type: object - type: object - type: array - notBefore: - type: integer - directGrantsOnly: - type: boolean - defaultRoles: - items: - type: string - type: array - directAccessGrantsEnabled: - type: boolean - implicitFlowEnabled: - type: boolean - origin: - type: string - attributes: - additionalProperties: - type: string - type: object - redirectUris: - items: - type: string - type: array - type: object - type: array - components: - additionalProperties: - items: - properties: - id: - type: string - providerId: - type: string - subType: - type: string - subComponents: - additionalProperties: - items: - properties: - id: - type: string - providerId: - type: string - subType: - type: string - name: - type: string - config: - additionalProperties: - items: - type: string - type: array - type: object - type: object - type: array - type: object - name: - type: 
string - config: - additionalProperties: - items: - type: string - type: array - type: object - type: object - type: array - type: object - passwordCredentialGrantAllowed: - type: boolean - userCacheEnabled: - type: boolean - type: object - required: - - keycloakCRName - - realm - type: object - status: - properties: - conditions: - items: - properties: - status: - type: boolean - type: - type: string - message: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/kubezero-auth/crds/keycloak.yaml b/charts/kubezero-auth/crds/keycloak.yaml deleted file mode 100644 index 50036592..00000000 --- a/charts/kubezero-auth/crds/keycloak.yaml +++ /dev/null 
@@ -1,2917 +0,0 @@ -# Generated by Fabric8 CRDGenerator, manual edits might get overwritten! -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: keycloaks.k8s.keycloak.org -spec: - group: k8s.keycloak.org - names: - kind: Keycloak - plural: keycloaks - shortNames: - - kc - singular: keycloak - scope: Namespaced - versions: - - name: v2alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - instances: - description: Number of Keycloak instances in HA mode. Default is 1. - type: integer - transaction: - description: In this section you can find all properties related to - the settings of transaction behavior. - properties: - xaEnabled: - description: Determine whether Keycloak should use a non-XA datasource - in case the database does not support XA transactions. - type: boolean - type: object - http: - description: In this section you can configure Keycloak features related - to HTTP and HTTPS - properties: - httpPort: - description: The used HTTP port. - type: integer - tlsSecret: - description: "A secret containing the TLS configuration for HTTPS.\ - \ Reference: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets." - type: string - httpsPort: - description: The used HTTPS port. - type: integer - httpEnabled: - description: Enables the HTTP listener. - type: boolean - type: object - hostname: - description: In this section you can configure Keycloak hostname and - related properties. - properties: - hostname: - description: Hostname for the Keycloak server. - type: string - strict: - description: Disables dynamically resolving the hostname from - request headers. - type: boolean - strictBackchannel: - description: By default backchannel URLs are dynamically resolved - from request headers to allow internal and external applications. - type: boolean - admin: - description: The hostname for accessing the administration console. 
- type: string - adminUrl: - description: "Set the base URL for accessing the administration\ - \ console, including scheme, host, port and path" - type: string - type: object - unsupported: - description: |- - In this section you can configure podTemplate advanced features, not production-ready, and not supported settings. - Use at your own risk and open an issue with your use-case if you don't find an alternative way. - properties: - podTemplate: - description: |- - You can configure that will be merged with the one configured by default by the operator. - Use at your own risk, we reserve the possibility to remove/change the way any field gets merged in future releases without notice. - Reference: https://kubernetes.io/docs/concepts/workloads/pods/#pod-templates - properties: - metadata: - properties: - generateName: - type: string - deletionGracePeriodSeconds: - type: integer - deletionTimestamp: - type: string - clusterName: - type: string - resourceVersion: - type: string - annotations: - additionalProperties: - type: string - type: object - selfLink: - type: string - creationTimestamp: - type: string - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - ownerReferences: - items: - properties: - blockOwnerDeletion: - type: boolean - uid: - type: string - apiVersion: - type: string - name: - type: string - kind: - type: string - controller: - type: boolean - type: object - type: array - uid: - type: string - generation: - type: integer - name: - type: string - managedFields: - items: - properties: - time: - type: string - apiVersion: - type: string - fieldsV1: - type: object - fieldsType: - type: string - manager: - type: string - operation: - type: string - subresource: - type: string - type: object - type: array - namespace: - type: string - type: object - spec: - properties: - volumes: - items: - properties: - hostPath: - properties: - path: - type: string - type: - type: string - type: object - 
flexVolume: - properties: - readOnly: - type: boolean - options: - additionalProperties: - type: string - type: object - secretRef: - properties: - name: - type: string - type: object - fsType: - type: string - driver: - type: string - type: object - gcePersistentDisk: - properties: - readOnly: - type: boolean - pdName: - type: string - partition: - type: integer - fsType: - type: string - type: object - ephemeral: - properties: - volumeClaimTemplate: - properties: - metadata: - properties: - generateName: - type: string - deletionGracePeriodSeconds: - type: integer - deletionTimestamp: - type: string - clusterName: - type: string - resourceVersion: - type: string - annotations: - additionalProperties: - type: string - type: object - selfLink: - type: string - creationTimestamp: - type: string - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - ownerReferences: - items: - properties: - blockOwnerDeletion: - type: boolean - uid: - type: string - apiVersion: - type: string - name: - type: string - kind: - type: string - controller: - type: boolean - type: object - type: array - uid: - type: string - generation: - type: integer - name: - type: string - managedFields: - items: - properties: - time: - type: string - apiVersion: - type: string - fieldsV1: - type: object - fieldsType: - type: string - manager: - type: string - operation: - type: string - subresource: - type: string - type: object - type: array - namespace: - type: string - type: object - spec: - properties: - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - values: - items: - type: string - type: array - operator: - type: string - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - storageClassName: - type: string - dataSource: - properties: - name: - type: string - kind: - type: string - apiGroup: - type: string - type: object - 
resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - dataSourceRef: - properties: - name: - type: string - kind: - type: string - apiGroup: - type: string - type: object - accessModes: - items: - type: string - type: array - volumeMode: - type: string - volumeName: - type: string - type: object - type: object - type: object - scaleIO: - properties: - readOnly: - type: boolean - storageMode: - type: string - storagePool: - type: string - system: - type: string - gateway: - type: string - secretRef: - properties: - name: - type: string - type: object - fsType: - type: string - sslEnabled: - type: boolean - volumeName: - type: string - protectionDomain: - type: string - type: object - csi: - properties: - nodePublishSecretRef: - properties: - name: - type: string - type: object - readOnly: - type: boolean - volumeAttributes: - additionalProperties: - type: string - type: object - fsType: - type: string - driver: - type: string - type: object - secret: - properties: - optional: - type: boolean - secretName: - type: string - items: - items: - properties: - path: - type: string - key: - type: string - mode: - type: integer - type: object - type: array - defaultMode: - type: integer - type: object - name: - type: string - vsphereVolume: - properties: - storagePolicyName: - type: string - storagePolicyID: - type: string - volumePath: - type: string - fsType: - type: string - type: object - gitRepo: - properties: - revision: - type: string - repository: - type: string - directory: - type: string - type: object - glusterfs: - properties: - path: - type: string - readOnly: - type: boolean - endpoints: - type: string - type: object - nfs: - properties: - path: - type: string - readOnly: - type: boolean - server: - type: string - type: 
object - cinder: - properties: - readOnly: - type: boolean - secretRef: - properties: - name: - type: string - type: object - fsType: - type: string - volumeID: - type: string - type: object - flocker: - properties: - datasetUUID: - type: string - datasetName: - type: string - type: object - quobyte: - properties: - group: - type: string - readOnly: - type: boolean - volume: - type: string - user: - type: string - registry: - type: string - tenant: - type: string - type: object - photonPersistentDisk: - properties: - pdID: - type: string - fsType: - type: string - type: object - persistentVolumeClaim: - properties: - readOnly: - type: boolean - claimName: - type: string - type: object - awsElasticBlockStore: - properties: - readOnly: - type: boolean - partition: - type: integer - fsType: - type: string - volumeID: - type: string - type: object - configMap: - properties: - optional: - type: boolean - items: - items: - properties: - path: - type: string - key: - type: string - mode: - type: integer - type: object - type: array - defaultMode: - type: integer - name: - type: string - type: object - storageos: - properties: - readOnly: - type: boolean - volumeNamespace: - type: string - secretRef: - properties: - name: - type: string - type: object - fsType: - type: string - volumeName: - type: string - type: object - portworxVolume: - properties: - readOnly: - type: boolean - fsType: - type: string - volumeID: - type: string - type: object - iscsi: - properties: - readOnly: - type: boolean - chapAuthSession: - type: boolean - lun: - type: integer - targetPortal: - type: string - iscsiInterface: - type: string - portals: - items: - type: string - type: array - initiatorName: - type: string - secretRef: - properties: - name: - type: string - type: object - fsType: - type: string - iqn: - type: string - chapAuthDiscovery: - type: boolean - type: object - rbd: - properties: - readOnly: - type: boolean - pool: - type: string - keyring: - type: string - image: - type: string 
- secretRef: - properties: - name: - type: string - type: object - monitors: - items: - type: string - type: array - fsType: - type: string - user: - type: string - type: object - azureFile: - properties: - readOnly: - type: boolean - secretName: - type: string - shareName: - type: string - type: object - downwardAPI: - properties: - items: - items: - properties: - path: - type: string - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - type: object - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - resource: - type: string - type: object - mode: - type: integer - type: object - type: array - defaultMode: - type: integer - type: object - projected: - properties: - defaultMode: - type: integer - sources: - items: - properties: - secret: - properties: - optional: - type: boolean - items: - items: - properties: - path: - type: string - key: - type: string - mode: - type: integer - type: object - type: array - name: - type: string - type: object - configMap: - properties: - optional: - type: boolean - items: - items: - properties: - path: - type: string - key: - type: string - mode: - type: integer - type: object - type: array - name: - type: string - type: object - serviceAccountToken: - properties: - path: - type: string - audience: - type: string - expirationSeconds: - type: integer - type: object - downwardAPI: - properties: - items: - items: - properties: - path: - type: string - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - type: object - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - resource: - type: string - type: object - mode: - type: integer - type: object - type: array - type: object - type: object - type: array - type: object - azureDisk: - properties: - readOnly: - type: 
boolean - diskName: - type: string - cachingMode: - type: string - fsType: - type: string - kind: - type: string - diskURI: - type: string - type: object - cephfs: - properties: - path: - type: string - readOnly: - type: boolean - secretRef: - properties: - name: - type: string - type: object - monitors: - items: - type: string - type: array - secretFile: - type: string - user: - type: string - type: object - emptyDir: - properties: - sizeLimit: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - medium: - type: string - type: object - fc: - properties: - readOnly: - type: boolean - lun: - type: integer - wwids: - items: - type: string - type: array - targetWWNs: - items: - type: string - type: array - fsType: - type: string - type: object - type: object - type: array - restartPolicy: - type: string - terminationGracePeriodSeconds: - type: integer - setHostnameAsFQDN: - type: boolean - dnsConfig: - properties: - nameservers: - items: - type: string - type: array - searches: - items: - type: string - type: array - options: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - type: object - securityContext: - properties: - runAsGroup: - type: integer - runAsNonRoot: - type: boolean - windowsOptions: - properties: - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - gmsaCredentialSpec: - type: string - runAsUserName: - type: string - type: object - sysctls: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - fsGroupChangePolicy: - type: string - seLinuxOptions: - properties: - role: - type: string - type: - type: string - user: - type: string - level: - type: string - type: object - fsGroup: - type: integer - supplementalGroups: - items: - type: integer - type: array - runAsUser: - type: integer - seccompProfile: - properties: - type: - type: string - localhostProfile: - type: string - type: object - type: object - 
imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - subdomain: - type: string - serviceAccount: - type: string - activeDeadlineSeconds: - type: integer - priority: - type: integer - ephemeralContainers: - items: - properties: - lifecycle: - properties: - postStart: - properties: - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - exec: - properties: - command: - items: - type: string - type: array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - preStop: - properties: - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - exec: - properties: - command: - items: - type: string - type: array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - type: object - command: - items: - type: string - type: array - livenessProbe: - properties: - periodSeconds: - type: integer - failureThreshold: - type: integer - initialDelaySeconds: - type: integer - grpc: - properties: - port: - type: integer - service: - type: string - type: object - successThreshold: - type: integer - terminationGracePeriodSeconds: - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: 
object - timeoutSeconds: - type: integer - exec: - properties: - command: - items: - type: string - type: array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - stdin: - type: boolean - image: - type: string - targetContainerName: - type: string - terminationMessagePolicy: - type: string - readinessProbe: - properties: - periodSeconds: - type: integer - failureThreshold: - type: integer - initialDelaySeconds: - type: integer - grpc: - properties: - port: - type: integer - service: - type: string - type: object - successThreshold: - type: integer - terminationGracePeriodSeconds: - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - timeoutSeconds: - type: integer - exec: - properties: - command: - items: - type: string - type: array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - terminationMessagePath: - type: string - env: - items: - properties: - value: - type: string - valueFrom: - properties: - configMapKeyRef: - properties: - optional: - type: boolean - key: - type: string - name: - type: string - type: object - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - type: object - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - 
resource: - type: string - type: object - secretKeyRef: - properties: - optional: - type: boolean - key: - type: string - name: - type: string - type: object - type: object - name: - type: string - type: object - type: array - tty: - type: boolean - args: - items: - type: string - type: array - startupProbe: - properties: - periodSeconds: - type: integer - failureThreshold: - type: integer - initialDelaySeconds: - type: integer - grpc: - properties: - port: - type: integer - service: - type: string - type: object - successThreshold: - type: integer - terminationGracePeriodSeconds: - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - timeoutSeconds: - type: integer - exec: - properties: - command: - items: - type: string - type: array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - stdinOnce: - type: boolean - ports: - items: - properties: - containerPort: - type: integer - hostPort: - type: integer - name: - type: string - protocol: - type: string - hostIP: - type: string - type: object - type: array - workingDir: - type: string - envFrom: - items: - properties: - prefix: - type: string - configMapRef: - properties: - optional: - type: boolean - name: - type: string - type: object - secretRef: - properties: - optional: - type: boolean - name: - type: string - type: object - type: object - type: array - volumeMounts: - items: - properties: - readOnly: - type: boolean - subPathExpr: - type: string - mountPath: - type: string - mountPropagation: - type: string - subPath: - type: string - name: - type: string - type: object - type: array - securityContext: - 
properties: - runAsGroup: - type: integer - runAsNonRoot: - type: boolean - windowsOptions: - properties: - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - gmsaCredentialSpec: - type: string - runAsUserName: - type: string - type: object - allowPrivilegeEscalation: - type: boolean - capabilities: - properties: - add: - items: - type: string - type: array - drop: - items: - type: string - type: array - type: object - seLinuxOptions: - properties: - role: - type: string - type: - type: string - user: - type: string - level: - type: string - type: object - readOnlyRootFilesystem: - type: boolean - privileged: - type: boolean - runAsUser: - type: integer - procMount: - type: string - seccompProfile: - properties: - type: - type: string - localhostProfile: - type: string - type: object - type: object - name: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - imagePullPolicy: - type: string - volumeDevices: - items: - properties: - devicePath: - type: string - name: - type: string - type: object - type: array - type: object - type: array - automountServiceAccountToken: - type: boolean - containers: - items: - properties: - lifecycle: - properties: - postStart: - properties: - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - exec: - properties: - command: - items: - type: string - type: array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - 
x-kubernetes-int-or-string: true - type: object - type: object - preStop: - properties: - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - exec: - properties: - command: - items: - type: string - type: array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - type: object - command: - items: - type: string - type: array - livenessProbe: - properties: - periodSeconds: - type: integer - failureThreshold: - type: integer - initialDelaySeconds: - type: integer - grpc: - properties: - port: - type: integer - service: - type: string - type: object - successThreshold: - type: integer - terminationGracePeriodSeconds: - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - timeoutSeconds: - type: integer - exec: - properties: - command: - items: - type: string - type: array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - stdin: - type: boolean - image: - type: string - terminationMessagePolicy: - type: string - readinessProbe: - properties: - periodSeconds: - type: integer - failureThreshold: - type: integer - initialDelaySeconds: - type: integer - grpc: - properties: - port: - type: integer - service: - type: string - type: object - successThreshold: - type: integer - 
terminationGracePeriodSeconds: - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - timeoutSeconds: - type: integer - exec: - properties: - command: - items: - type: string - type: array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - terminationMessagePath: - type: string - env: - items: - properties: - value: - type: string - valueFrom: - properties: - configMapKeyRef: - properties: - optional: - type: boolean - key: - type: string - name: - type: string - type: object - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - type: object - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - resource: - type: string - type: object - secretKeyRef: - properties: - optional: - type: boolean - key: - type: string - name: - type: string - type: object - type: object - name: - type: string - type: object - type: array - tty: - type: boolean - args: - items: - type: string - type: array - startupProbe: - properties: - periodSeconds: - type: integer - failureThreshold: - type: integer - initialDelaySeconds: - type: integer - grpc: - properties: - port: - type: integer - service: - type: string - type: object - successThreshold: - type: integer - terminationGracePeriodSeconds: - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - timeoutSeconds: - type: integer - exec: - properties: - command: - items: - type: string - type: 
array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - stdinOnce: - type: boolean - ports: - items: - properties: - containerPort: - type: integer - hostPort: - type: integer - name: - type: string - protocol: - type: string - hostIP: - type: string - type: object - type: array - workingDir: - type: string - envFrom: - items: - properties: - prefix: - type: string - configMapRef: - properties: - optional: - type: boolean - name: - type: string - type: object - secretRef: - properties: - optional: - type: boolean - name: - type: string - type: object - type: object - type: array - volumeMounts: - items: - properties: - readOnly: - type: boolean - subPathExpr: - type: string - mountPath: - type: string - mountPropagation: - type: string - subPath: - type: string - name: - type: string - type: object - type: array - securityContext: - properties: - runAsGroup: - type: integer - runAsNonRoot: - type: boolean - windowsOptions: - properties: - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - gmsaCredentialSpec: - type: string - runAsUserName: - type: string - type: object - allowPrivilegeEscalation: - type: boolean - capabilities: - properties: - add: - items: - type: string - type: array - drop: - items: - type: string - type: array - type: object - seLinuxOptions: - properties: - role: - type: string - type: - type: string - user: - type: string - level: - type: string - type: object - readOnlyRootFilesystem: - type: boolean - privileged: - type: boolean - runAsUser: - type: integer - procMount: - type: string - seccompProfile: - properties: - type: - type: string - localhostProfile: - type: string - type: object - type: object - name: - type: string - 
resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - imagePullPolicy: - type: string - volumeDevices: - items: - properties: - devicePath: - type: string - name: - type: string - type: object - type: array - type: object - type: array - initContainers: - items: - properties: - lifecycle: - properties: - postStart: - properties: - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - exec: - properties: - command: - items: - type: string - type: array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - preStop: - properties: - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - exec: - properties: - command: - items: - type: string - type: array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - type: object - command: - items: - type: string - type: array - livenessProbe: - properties: - periodSeconds: - type: integer - failureThreshold: - type: integer - initialDelaySeconds: - type: integer - grpc: - properties: - port: - type: integer - service: - type: 
string - type: object - successThreshold: - type: integer - terminationGracePeriodSeconds: - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - timeoutSeconds: - type: integer - exec: - properties: - command: - items: - type: string - type: array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - stdin: - type: boolean - image: - type: string - terminationMessagePolicy: - type: string - readinessProbe: - properties: - periodSeconds: - type: integer - failureThreshold: - type: integer - initialDelaySeconds: - type: integer - grpc: - properties: - port: - type: integer - service: - type: string - type: object - successThreshold: - type: integer - terminationGracePeriodSeconds: - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - timeoutSeconds: - type: integer - exec: - properties: - command: - items: - type: string - type: array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - terminationMessagePath: - type: string - env: - items: - properties: - value: - type: string - valueFrom: - properties: - configMapKeyRef: - properties: - optional: - type: boolean - key: - type: string - name: - type: string - type: object - fieldRef: - properties: - apiVersion: - type: 
string - fieldPath: - type: string - type: object - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - resource: - type: string - type: object - secretKeyRef: - properties: - optional: - type: boolean - key: - type: string - name: - type: string - type: object - type: object - name: - type: string - type: object - type: array - tty: - type: boolean - args: - items: - type: string - type: array - startupProbe: - properties: - periodSeconds: - type: integer - failureThreshold: - type: integer - initialDelaySeconds: - type: integer - grpc: - properties: - port: - type: integer - service: - type: string - type: object - successThreshold: - type: integer - terminationGracePeriodSeconds: - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - timeoutSeconds: - type: integer - exec: - properties: - command: - items: - type: string - type: array - type: object - httpGet: - properties: - path: - type: string - scheme: - type: string - host: - type: string - httpHeaders: - items: - properties: - value: - type: string - name: - type: string - type: object - type: array - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - stdinOnce: - type: boolean - ports: - items: - properties: - containerPort: - type: integer - hostPort: - type: integer - name: - type: string - protocol: - type: string - hostIP: - type: string - type: object - type: array - workingDir: - type: string - envFrom: - items: - properties: - prefix: - type: string - configMapRef: - properties: - optional: - type: boolean - name: - type: string - type: object - secretRef: - properties: - optional: - type: boolean - name: - type: string - type: object - type: object - type: array - volumeMounts: - items: - properties: - readOnly: - 
type: boolean - subPathExpr: - type: string - mountPath: - type: string - mountPropagation: - type: string - subPath: - type: string - name: - type: string - type: object - type: array - securityContext: - properties: - runAsGroup: - type: integer - runAsNonRoot: - type: boolean - windowsOptions: - properties: - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - gmsaCredentialSpec: - type: string - runAsUserName: - type: string - type: object - allowPrivilegeEscalation: - type: boolean - capabilities: - properties: - add: - items: - type: string - type: array - drop: - items: - type: string - type: array - type: object - seLinuxOptions: - properties: - role: - type: string - type: - type: string - user: - type: string - level: - type: string - type: object - readOnlyRootFilesystem: - type: boolean - privileged: - type: boolean - runAsUser: - type: integer - procMount: - type: string - seccompProfile: - properties: - type: - type: string - localhostProfile: - type: string - type: object - type: object - name: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - imagePullPolicy: - type: string - volumeDevices: - items: - properties: - devicePath: - type: string - name: - type: string - type: object - type: array - type: object - type: array - priorityClassName: - type: string - tolerations: - items: - properties: - key: - type: string - operator: - type: string - tolerationSeconds: - type: integer - value: - type: string - effect: - type: string - type: object - type: array - hostPID: - type: boolean - os: - properties: - name: - type: string - type: object - serviceAccountName: - type: string - shareProcessNamespace: - type: boolean - hostNetwork: - type: boolean - hostname: - type: 
string - nodeSelector: - additionalProperties: - type: string - type: object - enableServiceLinks: - type: boolean - affinity: - properties: - podAntiAffinity: - properties: - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - namespaces: - items: - type: string - type: array - topologyKey: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - values: - items: - type: string - type: array - operator: - type: string - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - values: - items: - type: string - type: array - operator: - type: string - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - type: array - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - namespaces: - items: - type: string - type: array - topologyKey: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - values: - items: - type: string - type: array - operator: - type: string - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - values: - items: - type: string - type: array - operator: - type: string - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - type: integer - type: object - type: array - type: object - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - weight: - type: integer - preference: - properties: - matchFields: - items: - properties: - key: - type: string - 
values: - items: - type: string - type: array - operator: - type: string - type: object - type: array - matchExpressions: - items: - properties: - key: - type: string - values: - items: - type: string - type: array - operator: - type: string - type: object - type: array - type: object - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchFields: - items: - properties: - key: - type: string - values: - items: - type: string - type: array - operator: - type: string - type: object - type: array - matchExpressions: - items: - properties: - key: - type: string - values: - items: - type: string - type: array - operator: - type: string - type: object - type: array - type: object - type: array - type: object - type: object - podAffinity: - properties: - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - namespaces: - items: - type: string - type: array - topologyKey: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - values: - items: - type: string - type: array - operator: - type: string - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - values: - items: - type: string - type: array - operator: - type: string - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - type: array - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - namespaces: - items: - type: string - type: array - topologyKey: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - values: - items: - type: string - type: array - operator: - type: string - type: object - type: array - 
matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - values: - items: - type: string - type: array - operator: - type: string - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - type: integer - type: object - type: array - type: object - type: object - readinessGates: - items: - properties: - conditionType: - type: string - type: object - type: array - dnsPolicy: - type: string - hostIPC: - type: boolean - topologySpreadConstraints: - items: - properties: - topologyKey: - type: string - maxSkew: - type: integer - whenUnsatisfiable: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - values: - items: - type: string - type: array - operator: - type: string - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - type: array - overhead: - additionalProperties: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - schedulerName: - type: string - nodeName: - type: string - preemptionPolicy: - type: string - hostAliases: - items: - properties: - hostnames: - items: - type: string - type: array - ip: - type: string - type: object - type: array - runtimeClassName: - type: string - type: object - type: object - type: object - ingress: - description: |- - The deployment is, by default, exposed through a basic ingress. - You can change this behaviour by setting the enabled property to false. - properties: - enabled: - type: boolean - type: object - image: - description: Custom Keycloak image to be used. - type: string - imagePullSecrets: - description: Secret(s) that might be used when pulling an image from - a private container image registry or repository. 
- items: - properties: - name: - type: string - type: object - type: array - additionalOptions: - description: |- - Configuration of the Keycloak server. - expressed as a keys (reference: https://www.keycloak.org/server/all-config) and values that can be either direct values or references to secrets. - items: - properties: - secret: - properties: - optional: - type: boolean - key: - type: string - name: - type: string - type: object - value: - type: string - name: - type: string - type: object - type: array - db: - description: In this section you can find all properties related to - connect to a database. - properties: - passwordSecret: - description: The reference to a secret holding the password of - the database user. - properties: - optional: - type: boolean - key: - type: string - name: - type: string - type: object - usernameSecret: - description: The reference to a secret holding the username of - the database user. - properties: - optional: - type: boolean - key: - type: string - name: - type: string - type: object - port: - description: "Sets the port of the default JDBC URL of the chosen\ - \ vendor. If the `url` option is set, this option is ignored." - type: integer - schema: - description: The database schema to be used. - type: string - host: - description: "Sets the hostname of the default JDBC URL of the\ - \ chosen vendor. If the `url` option is set, this option is\ - \ ignored." - type: string - url: - description: "The full database JDBC URL. If not provided, a default\ - \ URL is set based on the selected database vendor. For instance,\ - \ if using 'postgres', the default JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. " - type: string - poolInitialSize: - description: The initial size of the connection pool. - type: integer - poolMaxSize: - description: The maximum size of the connection pool. - type: integer - vendor: - description: The database vendor. 
- type: string - database: - description: "Sets the database name of the default JDBC URL of\ - \ the chosen vendor. If the `url` option is set, this option\ - \ is ignored." - type: string - poolMinSize: - description: The minimal size of the connection pool. - type: integer - type: object - features: - description: "In this section you can configure Keycloak features,\ - \ which should be enabled/disabled." - properties: - disabled: - description: Disabled Keycloak features - items: - type: string - type: array - enabled: - description: Enabled Keycloak features - items: - type: string - type: array - type: object - type: object - status: - properties: - conditions: - items: - properties: - status: - type: boolean - type: - type: string - message: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/kubezero-auth/dashboards-keycloak.yaml b/charts/kubezero-auth/dashboards-keycloak.yaml index 033324fc..9200d36e 100644 --- a/charts/kubezero-auth/dashboards-keycloak.yaml +++ b/charts/kubezero-auth/dashboards-keycloak.yaml @@ -4,5 +4,6 @@ gzip: true # folder: dashboards: - name: keycloak - url: https://grafana.com/api/dashboards/10441/revisions/2/download + # url: https://grafana.com/api/dashboards/10441/revisions/2/download + url: https://grafana.com/api/dashboards/17878/revisions/1/download tags: ['Keycloak', 'Auth'] diff --git a/charts/kubezero-auth/keycloak.patch b/charts/kubezero-auth/keycloak.patch deleted file mode 100644 index bde84836..00000000 --- a/charts/kubezero-auth/keycloak.patch +++ /dev/null 
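Review bot: The previous dashboard source is left behind as a commented-out line, `# url: https://grafana.com/api/dashboards/10441/revisions/2/download`, directly above the new `url:`, so the file shows two candidate sources without saying why one was dropped. Version control already records the old value, so the commented line can be deleted or replaced by a one-line reason, for example `# dashboard 17878 replaces 10441 (metric names changed with the new Keycloak deployment)`, if that is indeed the reason. The new URL keeps an explicit revision (`revisions/1`), which keeps the generated ConfigMap reproducible.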
@@ -1,12 +0,0 @@ ---- templates/keycloak/operator.yaml.orig 2022-05-11 12:46:15.860204871 +0200 -+++ templates/keycloak/operator.yaml 2022-05-11 12:46:02.840068240 +0200 -@@ -1,3 +1,4 @@ -+{{- if .Values.keycloak.enabled }} - --- - apiVersion: v1 - kind: ServiceAccount -@@ -233,3 +234,4 @@ - successThreshold: 1 - timeoutSeconds: 10 - serviceAccountName: keycloak-operator -+{{- end }} diff --git a/charts/kubezero-auth/templates/keycloak/grafana-dashboards.yaml b/charts/kubezero-auth/templates/keycloak/grafana-dashboards.yaml index 8528a1ec..e310b245 100644 --- a/charts/kubezero-auth/templates/keycloak/grafana-dashboards.yaml +++ b/charts/kubezero-auth/templates/keycloak/grafana-dashboards.yaml @@ -9,5 +9,5 @@ metadata: {{- include "kubezero-lib.labels" . | nindent 4 }} binaryData: keycloak.json.gz: - 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 + 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 {{- end }} diff --git a/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml b/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml index 8cdbf8ee..b0b5e901 100644 --- a/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml +++ b/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml @@ -2,7 +2,7 @@ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: {{ .Release.Name }}-deny-metrics-ipblocks + name: {{ .Release.Name }}-keycloak-deny-not-in-ipblocks namespace: istio-system labels: {{- include "kubezero-lib.labels" $ | nindent 4 }} @@ -12,6 +12,7 @@ spec: app: istio-ingressgateway action: DENY rules: + # block access to metrics via Ingress - to: - operation: hosts: ["{{ .Values.keycloak.istio.url }}"] diff --git a/charts/kubezero-auth/templates/keycloak/istio-service.yaml b/charts/kubezero-auth/templates/keycloak/istio-service.yaml index 3032256a..c2dea0f2 100644 --- a/charts/kubezero-auth/templates/keycloak/istio-service.yaml 
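Review bot: In istio-authorization-policy.yaml the new policy name and the new comment describe two different things. The first hunk renames the policy to `{{ .Release.Name }}-keycloak-deny-not-in-ipblocks`, while the second hunk labels its only visible rule `# block access to metrics via Ingress`. The rule body (paths and source conditions) lies outside both hunks, so it cannot be checked here which description is accurate. For a DENY policy in front of the identity provider the comment should state the exact scope, e.g. `# deny the metrics path on the Keycloak host for sources outside the allowed ipBlocks`. It is also worth confirming that the denied path still matches where the Bitnami-based deployment serves metrics, since the backing workload changes in this commit.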
+++ b/charts/kubezero-auth/templates/keycloak/istio-service.yaml @@ -14,5 +14,5 @@ spec: http: - route: - destination: - host: {{ template "kubezero-lib.fullname" $ }}-service + host: {{ template "kubezero-lib.fullname" $ }}-keycloak {{- end }} diff --git a/charts/kubezero-auth/templates/keycloak/keycloak.yaml b/charts/kubezero-auth/templates/keycloak/keycloak.yaml deleted file mode 100644 index f11b23f5..00000000 --- a/charts/kubezero-auth/templates/keycloak/keycloak.yaml +++ /dev/null @@ -1,56 +0,0 @@ -{{- if .Values.keycloak.enabled }} -apiVersion: k8s.keycloak.org/v2alpha1 -kind: Keycloak -metadata: - name: {{ template "kubezero-lib.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "kubezero-lib.labels" . | nindent 4 }} -spec: - instances: {{ .Values.keycloak.replicas }} - - additionalOptions: - # Needs int casting thx to https://github.com/kubernetes-sigs/yaml/issues/45 - {{- if lt (int .Values.keycloak.replicas) 2 }} - - name: cache - value: local - {{- end }} - {{- if .Values.postgresql.enabled }} - - name: db - value: postgres - - name: db-url-host - value: {{ template "kubezero-lib.fullname" . }}-postgresql - - name: db-username - value: keycloak - - name: db-password - secret: - name: {{ template "kubezero-lib.fullname" . }}-postgresql - key: password - {{- else }} - # Fallback to local file within the pod - dev ONLY !! - - name: db - value: dev-file - {{- end }} - - name: hostname-strict-https - value: "false" - - name: proxy - value: edge - - name: http-enabled - value: "true" - - name: log-console-output - value: json - - - ingress: - enabled: false - - http: - httpEnabled: true - - # We use Istio Ingress to terminate TLS - # mTls down the road - hostname: - hostname: {{ default "keycloak" .Values.keycloak.istio.url }} - strict: false - strictBackchannel: false -{{- end }} 
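Review bot: The route destination in istio-service.yaml is now `{{ template "kubezero-lib.fullname" $ }}-keycloak`, but the Service it has to match is presumably rendered by the keycloak subchart with its own naming helper, which is not visible here. The two names agree only while both helpers resolve to the same prefix, so a name override on either side would leave the VirtualService pointing at a host that does not exist. A comment on the line, such as `# must equal the Service name rendered by the keycloak subchart`, would make that coupling explicit. The destination also carries no `port`, which Istio needs once the target Service exposes more than one port, so check this against the Service the subchart creates. The VirtualService itself starts outside the hunk.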
diff --git a/charts/kubezero-auth/templates/keycloak/operator.yaml b/charts/kubezero-auth/templates/keycloak/operator.yaml deleted file mode 100644 index f31e3b22..00000000 --- a/charts/kubezero-auth/templates/keycloak/operator.yaml +++ /dev/null 
@@ -1,237 +0,0 @@ -{{- if .Values.keycloak.enabled }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000 - labels: - app.kubernetes.io/name: keycloak-operator - app.kubernetes.io/version: 21.1.1 - name: keycloak-operator ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000 - labels: - app.kubernetes.io/name: keycloak-operator - app.kubernetes.io/version: 21.1.1 - name: keycloak-operator -spec: - ports: - - name: http - port: 80 - targetPort: 8080 - selector: - app.kubernetes.io/name: keycloak-operator - app.kubernetes.io/version: 21.1.1 - type: ClusterIP ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: keycloak-operator-role -rules: - - apiGroups: - - apps - - extensions - resources: - - statefulsets - verbs: - - get - - list - - watch - - create - - delete - - patch - - update - - apiGroups: - - "" - resources: - - secrets - - services - verbs: - - get - - list - - watch - - create - - delete - - patch - - update - - apiGroups: - - batch - resources: - - jobs - verbs: - - get - - list - - watch - - create - - delete - - patch - - update - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - create - - delete - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/name: keycloak-operator - name: keycloak-operator-role-binding -roleRef: - kind: Role - apiGroup: rbac.authorization.k8s.io - name: keycloak-operator-role -subjects: - - kind: ServiceAccount - name: keycloak-operator ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: keycloak-operator-view -roleRef: - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io - name: view -subjects: - - kind: ServiceAccount - name: keycloak-operator ---- -apiVersion: rbac.authorization.k8s.io/v1 
-kind: RoleBinding -metadata: - name: keycloakcontroller-role-binding -roleRef: - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io - name: keycloakcontroller-cluster-role -subjects: - - kind: ServiceAccount - name: keycloak-operator ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: keycloakrealmimportcontroller-role-binding -roleRef: - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io - name: keycloakrealmimportcontroller-cluster-role -subjects: - - kind: ServiceAccount - name: keycloak-operator ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: keycloakcontroller-cluster-role -rules: - - apiGroups: - - k8s.keycloak.org - resources: - - keycloaks - - keycloaks/status - - keycloaks/finalizers - verbs: - - get - - list - - watch - - create - - delete - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: keycloakrealmimportcontroller-cluster-role -rules: - - apiGroups: - - k8s.keycloak.org - resources: - - keycloakrealmimports - - keycloakrealmimports/status - - keycloakrealmimports/finalizers - verbs: - - get - - list - - watch - - create - - delete - - patch - - update ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000 - labels: - app.kubernetes.io/name: keycloak-operator - app.kubernetes.io/version: 21.1.1 - name: keycloak-operator -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: keycloak-operator - app.kubernetes.io/version: 21.1.1 - template: - metadata: - annotations: - app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000 - labels: - app.kubernetes.io/name: keycloak-operator - app.kubernetes.io/version: 21.1.1 - spec: - containers: - - env: - - name: KUBERNETES_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: OPERATOR_KEYCLOAK_IMAGE - value: quay.io/keycloak/keycloak:21.1.1 - image: 
quay.io/keycloak/keycloak-operator:21.1.1 - imagePullPolicy: Always - livenessProbe: - failureThreshold: 3 - httpGet: - path: /q/health/live - port: 8080 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 10 - name: keycloak-operator - ports: - - containerPort: 8080 - name: http - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /q/health/ready - port: 8080 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 10 - serviceAccountName: keycloak-operator -{{- end }} diff --git a/charts/kubezero-auth/templates/keycloak/pdb.yaml b/charts/kubezero-auth/templates/keycloak/pdb.yaml deleted file mode 100644 index 6386d207..00000000 --- a/charts/kubezero-auth/templates/keycloak/pdb.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if and .Values.keycloak.podDisruptionBudget (gt (int .Values.keycloak.replicas) 1) }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ template "kubezero-lib.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "kubezero-lib.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - app: keycloak - app.kubernetes.io/managed-by: keycloak-operator - {{- toYaml .Values.keycloak.podDisruptionBudget | nindent 2 }} -{{- end }} diff --git a/charts/kubezero-auth/update.sh b/charts/kubezero-auth/update.sh index 393f71a9..386349ef 100755 --- a/charts/kubezero-auth/update.sh +++ b/charts/kubezero-auth/update.sh 
@@ -1,19 +1,12 @@
 #!/bin/bash
-
-# https://www.keycloak.org/operator/installation
-
 set -ex
-helm dep update
+. ../../scripts/lib-update.sh
-# Operator
-VERSION=$(yq eval '.appVersion' Chart.yaml)
-
-wget -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
-wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml
-
-wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/kubernetes.yml
-patch -i keycloak.patch -p0 --no-backup-if-mismatch
+login_ecr_public
+update_helm
 # Fetch dashboards
 ../kubezero-metrics/sync_grafana_dashboards.py dashboards-keycloak.yaml templates/keycloak/grafana-dashboards.yaml
+
+update_docs
diff --git a/charts/kubezero-auth/values.yaml b/charts/kubezero-auth/values.yaml
index 8cf95a5b..b8d7c792 100644
--- a/charts/kubezero-auth/values.yaml
+++ b/charts/kubezero-auth/values.yaml
@@ -1,29 +1,43 @@
 keycloak:
 enabled: false
- replicas: 1
- podDisruptionBudget:
+ proxy: edge
+ production: true
+
+ auth:
+ adminUser: admin
+ existingSecret: kubezero-auth
+ passwordSecretKey: admin-password
+
+ replicaCount: 1
+
+ pdb:
+ create: false
 minAvailable: 1
+ metrics:
+ enabled: false
+ serviceMonitor:
+ enabled: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+
+ postgresql:
+ auth:
+ existingSecret: kubezero-auth
+ username: keycloak
+ database: keycloak
+
+ primary:
+ persistence:
+ size: 1Gi
+
+ readReplicas:
+ replicaCount: 0
+
 istio:
 enabled: false
 gateway: istio-ingress/private-ingressgateway
 url: ""
-
- metrics:
- enabled: false
-
-postgresql:
- enabled: false
-
- auth:
- existingSecret: kubezero-auth-postgresql
- username: keycloak
- database: keycloak
-
- primary:
- persistence:
- size: 1Gi
-
- readReplicas:
- replicaCount: 0
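Review bot: In charts/kubezero-auth/update.sh, `set -ex` is already in effect when the newly added `login_ecr_public` runs, so every command that helper executes is echoed to the job log. Its body lives in scripts/lib-update.sh and is not part of this hunk; if it ever passes a registry token as a command-line argument rather than on stdin, the token would land in the trace. Switching tracing off around the login, for example `set +x; login_ecr_public; set -x`, removes that dependency on the helper's internals. The added `. ../../scripts/lib-update.sh` also resolves against the caller's working directory, so a `cd "$(dirname "$0")"` before it would guarantee that the intended library is the one sourced.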
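Review bot: In charts/kubezero-auth/values.yaml, the Keycloak `auth.existingSecret` and the PostgreSQL `auth.existingSecret` now both name the single Secret `kubezero-auth`, replacing the separate `kubezero-auth-postgresql`, so any workload or role that can read that one Secret obtains the Keycloak admin password and the database credentials together. The nesting of the `postgresql` block under `keycloak` is inferred from key order, since indentation is lost on this page. Nothing in this hunk says which keys the Secret must hold or that existing installs have to recreate it under the new name; a comment above `auth:` such as `# Secret kubezero-auth must contain admin-password and the PostgreSQL password keys expected by the bundled subchart` would cover that. If the two credentials are meant to stay separately scoped, keeping a distinct `existingSecret` for the database is the alternative.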
diff --git a/charts/kubezero-metrics/values.yaml b/charts/kubezero-metrics/values.yaml
index 57874ffa..7092c4f2 100644
--- a/charts/kubezero-metrics/values.yaml
+++ b/charts/kubezero-metrics/values.yaml
@@ -105,7 +105,7 @@ kube-prometheus-stack:
 resources:
 requests:
- memory: 512Mi
+ memory: 2Gi
 cpu: 500m
 limits:
 memory: 4Gi