ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 21 Packages Projects Releases Wiki Activity

Updated Kubezero-auth module using Bitnami for KeyCloak

Browse Source
This commit is contained in:
Stefan Reimer 2023-09-06 10:43:03 +00:00
parent 1c5a1b2390
commit 6ac4810348
16 changed files with 74 additions and 5546 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
charts/kubezero-auth/Chart.yaml
View File

@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-auth name: kubezero-auth
description: KubeZero umbrella chart for all things Authentication and Identity management description: KubeZero umbrella chart for all things Authentication and Identity management
type: application type: application
version: 0.3.5 version: 0.4.0
appVersion: 21.1.1 appVersion: 22.0.1
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -16,8 +16,8 @@ dependencies:
- name: kubezero-lib - name: kubezero-lib
version: ">= 0.1.6" version: ">= 0.1.6"
repository: https://cdn.zero-downtime.net/charts/ repository: https://cdn.zero-downtime.net/charts/
- name: postgresql - name: keycloak
version: 11.8.1 version: 16.1.2
repository: https://charts.bitnami.com/bitnami repository: "oci://registry-1.docker.io/bitnamicharts"
condition: postgresql.enabled condition: keycloak.enabled
kubeVersion: ">= 1.25.0" kubeVersion: ">= 1.26.0"

33
charts/kubezero-auth/README.md
View File

@ -1,6 +1,6 @@
# kubezero-auth # kubezero-auth
![Version: 0.3.5](https://img.shields.io/badge/Version-0.3.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 21.1.1](https://img.shields.io/badge/AppVersion-21.1.1-informational?style=flat-square) ![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 22.0.1](https://img.shields.io/badge/AppVersion-22.0.1-informational?style=flat-square)
KubeZero umbrella chart for all things Authentication and Identity management KubeZero umbrella chart for all things Authentication and Identity management
@ -14,40 +14,45 @@ KubeZero umbrella chart for all things Authentication and Identity management
## Requirements ## Requirements
Kubernetes: `>= 1.25.0` Kubernetes: `>= 1.26.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
| https://charts.bitnami.com/bitnami | postgresql | 11.8.1 | | oci://registry-1.docker.io/bitnamicharts | keycloak | 16.1.2 |
# Keycloak # Keycloak
## Operator ## Operator
https://www.keycloak.org/operator/installation
https://github.com/keycloak/keycloak/tree/main/operator https://github.com/keycloak/keycloak/tree/main/operator
https://github.com/aerogear/keycloak-metrics-spi https://github.com/aerogear/keycloak-metrics-spi
https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates
## Resources ## Resources
- https://github.com/bitnami/charts/tree/main/bitnami/keycloak
- Codecentric Helm chart: `https://github.com/codecentric/helm-charts/tree/master/charts/keycloak`
- custom image: `https://www.keycloak.org/server/containers`
## Values ## Values
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| keycloak.auth.adminUser | string | `"admin"` | |
| keycloak.auth.existingSecret | string | `"kubezero-auth"` | |
| keycloak.auth.passwordSecretKey | string | `"admin-password"` | |
| keycloak.enabled | bool | `false` | | | keycloak.enabled | bool | `false` | |
| keycloak.istio.enabled | bool | `false` | | | keycloak.istio.enabled | bool | `false` | |
| keycloak.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | | keycloak.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
| keycloak.istio.url | string | `""` | | | keycloak.istio.url | string | `""` | |
| keycloak.metrics.enabled | bool | `false` | | | keycloak.metrics.enabled | bool | `false` | |
| keycloak.podDisruptionBudget.minAvailable | int | `1` | | | keycloak.metrics.serviceMonitor.enabled | bool | `true` | |
| keycloak.replicas | int | `1` | | | keycloak.pdb.create | bool | `false` | |
| postgresql.auth.database | string | `"keycloak"` | | | keycloak.pdb.minAvailable | int | `1` | |
| postgresql.auth.existingSecret | string | `"kubezero-auth-postgresql"` | | | keycloak.postgresql.auth.database | string | `"keycloak"` | |
| postgresql.auth.username | string | `"keycloak"` | | | keycloak.postgresql.auth.existingSecret | string | `"kubezero-auth"` | |
| postgresql.enabled | bool | `false` | | | keycloak.postgresql.auth.username | string | `"keycloak"` | |
| postgresql.primary.persistence.size | string | `"1Gi"` | | | keycloak.postgresql.primary.persistence.size | string | `"1Gi"` | |
| postgresql.readReplicas.replicaCount | int | `0` | | | keycloak.postgresql.readReplicas.replicaCount | int | `0` | |
| keycloak.production | bool | `true` | |
| keycloak.proxy | string | `"edge"` | |
| keycloak.replicaCount | int | `1` | |

5
charts/kubezero-auth/README.md.gotmpl
View File

@ -17,13 +17,12 @@
## Operator ## Operator
https://www.keycloak.org/operator/installation
https://github.com/keycloak/keycloak/tree/main/operator https://github.com/keycloak/keycloak/tree/main/operator
https://github.com/aerogear/keycloak-metrics-spi https://github.com/aerogear/keycloak-metrics-spi
https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates
## Resources ## Resources
- https://github.com/bitnami/charts/tree/main/bitnami/keycloak
- Codecentric Helm chart: `https://github.com/codecentric/helm-charts/tree/master/charts/keycloak`
- custom image: `https://www.keycloak.org/server/containers`
{{ template "chart.valuesSection" . }} {{ template "chart.valuesSection" . }}

2248
charts/kubezero-auth/crds/keycloak-realmimports.yaml
View File

File diff suppressed because it is too large Load Diff

2917
charts/kubezero-auth/crds/keycloak.yaml
View File

File diff suppressed because it is too large Load Diff

3
charts/kubezero-auth/dashboards-keycloak.yaml
View File

@ -4,5 +4,6 @@ gzip: true
# folder: # folder:
dashboards: dashboards:
- name: keycloak - name: keycloak
url: https://grafana.com/api/dashboards/10441/revisions/2/download # url: https://grafana.com/api/dashboards/10441/revisions/2/download
url: https://grafana.com/api/dashboards/17878/revisions/1/download
tags: ['Keycloak', 'Auth'] tags: ['Keycloak', 'Auth']

12
charts/kubezero-auth/keycloak.patch
View File

@ -1,12 +0,0 @@
--- templates/keycloak/operator.yaml.orig 2022-05-11 12:46:15.860204871 +0200
+++ templates/keycloak/operator.yaml 2022-05-11 12:46:02.840068240 +0200
@@ -1,3 +1,4 @@
+{{- if .Values.keycloak.enabled }}
---
apiVersion: v1
kind: ServiceAccount
@@ -233,3 +234,4 @@
successThreshold: 1
timeoutSeconds: 10
serviceAccountName: keycloak-operator
+{{- end }}

2
charts/kubezero-auth/templates/keycloak/grafana-dashboards.yaml
View File

File diff suppressed because one or more lines are too long

3
charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml
View File

@ -2,7 +2,7 @@
apiVersion: security.istio.io/v1beta1 apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy kind: AuthorizationPolicy
metadata: metadata:
name: {{ .Release.Name }}-deny-metrics-ipblocks name: {{ .Release.Name }}-keycloak-deny-not-in-ipblocks
namespace: istio-system namespace: istio-system
labels: labels:
{{- include "kubezero-lib.labels" $ | nindent 4 }} {{- include "kubezero-lib.labels" $ | nindent 4 }}
@ -12,6 +12,7 @@ spec:
app: istio-ingressgateway app: istio-ingressgateway
action: DENY action: DENY
rules: rules:
# block access to metrics via Ingress
- to: - to:
- operation: - operation:
hosts: ["{{ .Values.keycloak.istio.url }}"] hosts: ["{{ .Values.keycloak.istio.url }}"]

2
charts/kubezero-auth/templates/keycloak/istio-service.yaml
View File

@ -14,5 +14,5 @@ spec:
http: http:
- route: - route:
- destination: - destination:
host: {{ template "kubezero-lib.fullname" $ }}-service host: {{ template "kubezero-lib.fullname" $ }}-keycloak
{{- end }} {{- end }}

56
charts/kubezero-auth/templates/keycloak/keycloak.yaml
View File

@ -1,56 +0,0 @@
{{- if .Values.keycloak.enabled }}
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
name: {{ template "kubezero-lib.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
instances: {{ .Values.keycloak.replicas }}
additionalOptions:
# Needs int casting thx to https://github.com/kubernetes-sigs/yaml/issues/45
{{- if lt (int .Values.keycloak.replicas) 2 }}
- name: cache
value: local
{{- end }}
{{- if .Values.postgresql.enabled }}
- name: db
value: postgres
- name: db-url-host
value: {{ template "kubezero-lib.fullname" . }}-postgresql
- name: db-username
value: keycloak
- name: db-password
secret:
name: {{ template "kubezero-lib.fullname" . }}-postgresql
key: password
{{- else }}
# Fallback to local file within the pod - dev ONLY !!
- name: db
value: dev-file
{{- end }}
- name: hostname-strict-https
value: "false"
- name: proxy
value: edge
- name: http-enabled
value: "true"
- name: log-console-output
value: json
ingress:
enabled: false
http:
httpEnabled: true
# We use Istio Ingress to terminate TLS
# mTls down the road
hostname:
hostname: {{ default "keycloak" .Values.keycloak.istio.url }}
strict: false
strictBackchannel: false
{{- end }}

237
charts/kubezero-auth/templates/keycloak/operator.yaml
View File

@ -1,237 +0,0 @@
{{- if .Values.keycloak.enabled }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000
labels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 21.1.1
name: keycloak-operator
---
apiVersion: v1
kind: Service
metadata:
annotations:
app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000
labels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 21.1.1
name: keycloak-operator
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 21.1.1
type: ClusterIP
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: keycloak-operator-role
rules:
- apiGroups:
- apps
- extensions
resources:
- statefulsets
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- ""
resources:
- secrets
- services
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- batch
resources:
- jobs
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/name: keycloak-operator
name: keycloak-operator-role-binding
roleRef:
kind: Role
apiGroup: rbac.authorization.k8s.io
name: keycloak-operator-role
subjects:
- kind: ServiceAccount
name: keycloak-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: keycloak-operator-view
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: view
subjects:
- kind: ServiceAccount
name: keycloak-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: keycloakcontroller-role-binding
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: keycloakcontroller-cluster-role
subjects:
- kind: ServiceAccount
name: keycloak-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: keycloakrealmimportcontroller-role-binding
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: keycloakrealmimportcontroller-cluster-role
subjects:
- kind: ServiceAccount
name: keycloak-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: keycloakcontroller-cluster-role
rules:
- apiGroups:
- k8s.keycloak.org
resources:
- keycloaks
- keycloaks/status
- keycloaks/finalizers
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: keycloakrealmimportcontroller-cluster-role
rules:
- apiGroups:
- k8s.keycloak.org
resources:
- keycloakrealmimports
- keycloakrealmimports/status
- keycloakrealmimports/finalizers
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000
labels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 21.1.1
name: keycloak-operator
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 21.1.1
template:
metadata:
annotations:
app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000
labels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 21.1.1
spec:
containers:
- env:
- name: KUBERNETES_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: OPERATOR_KEYCLOAK_IMAGE
value: quay.io/keycloak/keycloak:21.1.1
image: quay.io/keycloak/keycloak-operator:21.1.1
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
httpGet:
path: /q/health/live
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
name: keycloak-operator
ports:
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /q/health/ready
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
serviceAccountName: keycloak-operator
{{- end }}

15
charts/kubezero-auth/templates/keycloak/pdb.yaml
View File

@ -1,15 +0,0 @@
{{- if and .Values.keycloak.podDisruptionBudget (gt (int .Values.keycloak.replicas) 1) }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "kubezero-lib.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
app: keycloak
app.kubernetes.io/managed-by: keycloak-operator
{{- toYaml .Values.keycloak.podDisruptionBudget | nindent 2 }}
{{- end }}

17
charts/kubezero-auth/update.sh
View File

@ -1,19 +1,12 @@
#!/bin/bash #!/bin/bash
# https://www.keycloak.org/operator/installation
set -ex set -ex
helm dep update . ../../scripts/lib-update.sh
# Operator login_ecr_public
VERSION=$(yq eval '.appVersion' Chart.yaml) update_helm
wget -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml
wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/kubernetes.yml
patch -i keycloak.patch -p0 --no-backup-if-mismatch
# Fetch dashboards # Fetch dashboards
../kubezero-metrics/sync_grafana_dashboards.py dashboards-keycloak.yaml templates/keycloak/grafana-dashboards.yaml ../kubezero-metrics/sync_grafana_dashboards.py dashboards-keycloak.yaml templates/keycloak/grafana-dashboards.yaml
update_docs

54
charts/kubezero-auth/values.yaml
View File

@ -1,29 +1,43 @@
keycloak: keycloak:
enabled: false enabled: false
replicas: 1 proxy: edge
podDisruptionBudget: production: true
auth:
adminUser: admin
existingSecret: kubezero-auth
passwordSecretKey: admin-password
replicaCount: 1
pdb:
create: false
minAvailable: 1 minAvailable: 1
metrics:
enabled: false
serviceMonitor:
enabled: true
resources:
requests:
cpu: 100m
memory: 512Mi
postgresql:
auth:
existingSecret: kubezero-auth
username: keycloak
database: keycloak
primary:
persistence:
size: 1Gi
readReplicas:
replicaCount: 0
istio: istio:
enabled: false enabled: false
gateway: istio-ingress/private-ingressgateway gateway: istio-ingress/private-ingressgateway
url: "" url: ""
metrics:
enabled: false
postgresql:
enabled: false
auth:
existingSecret: kubezero-auth-postgresql
username: keycloak
database: keycloak
primary:
persistence:
size: 1Gi
readReplicas:
replicaCount: 0

2
charts/kubezero-metrics/values.yaml
View File

@ -105,7 +105,7 @@ kube-prometheus-stack:
resources: resources:
requests: requests:
memory: 512Mi memory: 2Gi
cpu: 500m cpu: 500m
limits: limits:
memory: 4Gi memory: 4Gi