Updated Kubezero-auth module using Bitnami for KeyCloak
This commit is contained in:
parent
1c5a1b2390
commit
6ac4810348
@ -2,8 +2,8 @@ apiVersion: v2
|
||||
name: kubezero-auth
|
||||
description: KubeZero umbrella chart for all things Authentication and Identity management
|
||||
type: application
|
||||
version: 0.3.5
|
||||
appVersion: 21.1.1
|
||||
version: 0.4.0
|
||||
appVersion: 22.0.1
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -16,8 +16,8 @@ dependencies:
|
||||
- name: kubezero-lib
|
||||
version: ">= 0.1.6"
|
||||
repository: https://cdn.zero-downtime.net/charts/
|
||||
- name: postgresql
|
||||
version: 11.8.1
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
condition: postgresql.enabled
|
||||
kubeVersion: ">= 1.25.0"
|
||||
- name: keycloak
|
||||
version: 16.1.2
|
||||
repository: "oci://registry-1.docker.io/bitnamicharts"
|
||||
condition: keycloak.enabled
|
||||
kubeVersion: ">= 1.26.0"
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-auth
|
||||
|
||||
![Version: 0.3.5](https://img.shields.io/badge/Version-0.3.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 21.1.1](https://img.shields.io/badge/AppVersion-21.1.1-informational?style=flat-square)
|
||||
![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 22.0.1](https://img.shields.io/badge/AppVersion-22.0.1-informational?style=flat-square)
|
||||
|
||||
KubeZero umbrella chart for all things Authentication and Identity management
|
||||
|
||||
@ -14,40 +14,45 @@ KubeZero umbrella chart for all things Authentication and Identity management
|
||||
|
||||
## Requirements
|
||||
|
||||
Kubernetes: `>= 1.25.0`
|
||||
Kubernetes: `>= 1.26.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
|
||||
| https://charts.bitnami.com/bitnami | postgresql | 11.8.1 |
|
||||
| oci://registry-1.docker.io/bitnamicharts | keycloak | 16.1.2 |
|
||||
|
||||
# Keycloak
|
||||
|
||||
## Operator
|
||||
|
||||
https://www.keycloak.org/operator/installation
|
||||
https://github.com/keycloak/keycloak/tree/main/operator
|
||||
https://github.com/aerogear/keycloak-metrics-spi
|
||||
https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates
|
||||
|
||||
## Resources
|
||||
|
||||
- Codecentric Helm chart: `https://github.com/codecentric/helm-charts/tree/master/charts/keycloak`
|
||||
- custom image: `https://www.keycloak.org/server/containers`
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/keycloak
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| keycloak.auth.adminUser | string | `"admin"` | |
|
||||
| keycloak.auth.existingSecret | string | `"kubezero-auth"` | |
|
||||
| keycloak.auth.passwordSecretKey | string | `"admin-password"` | |
|
||||
| keycloak.enabled | bool | `false` | |
|
||||
| keycloak.istio.enabled | bool | `false` | |
|
||||
| keycloak.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
|
||||
| keycloak.istio.url | string | `""` | |
|
||||
| keycloak.metrics.enabled | bool | `false` | |
|
||||
| keycloak.podDisruptionBudget.minAvailable | int | `1` | |
|
||||
| keycloak.replicas | int | `1` | |
|
||||
| postgresql.auth.database | string | `"keycloak"` | |
|
||||
| postgresql.auth.existingSecret | string | `"kubezero-auth-postgresql"` | |
|
||||
| postgresql.auth.username | string | `"keycloak"` | |
|
||||
| postgresql.enabled | bool | `false` | |
|
||||
| postgresql.primary.persistence.size | string | `"1Gi"` | |
|
||||
| postgresql.readReplicas.replicaCount | int | `0` | |
|
||||
| keycloak.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||
| keycloak.pdb.create | bool | `false` | |
|
||||
| keycloak.pdb.minAvailable | int | `1` | |
|
||||
| keycloak.postgresql.auth.database | string | `"keycloak"` | |
|
||||
| keycloak.postgresql.auth.existingSecret | string | `"kubezero-auth"` | |
|
||||
| keycloak.postgresql.auth.username | string | `"keycloak"` | |
|
||||
| keycloak.postgresql.primary.persistence.size | string | `"1Gi"` | |
|
||||
| keycloak.postgresql.readReplicas.replicaCount | int | `0` | |
|
||||
| keycloak.production | bool | `true` | |
|
||||
| keycloak.proxy | string | `"edge"` | |
|
||||
| keycloak.replicaCount | int | `1` | |
|
||||
|
@ -17,13 +17,12 @@
|
||||
|
||||
## Operator
|
||||
|
||||
https://www.keycloak.org/operator/installation
|
||||
https://github.com/keycloak/keycloak/tree/main/operator
|
||||
https://github.com/aerogear/keycloak-metrics-spi
|
||||
https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates
|
||||
|
||||
## Resources
|
||||
|
||||
- Codecentric Helm chart: `https://github.com/codecentric/helm-charts/tree/master/charts/keycloak`
|
||||
- custom image: `https://www.keycloak.org/server/containers`
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/keycloak
|
||||
|
||||
{{ template "chart.valuesSection" . }}
|
||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -4,5 +4,6 @@ gzip: true
|
||||
# folder:
|
||||
dashboards:
|
||||
- name: keycloak
|
||||
url: https://grafana.com/api/dashboards/10441/revisions/2/download
|
||||
# url: https://grafana.com/api/dashboards/10441/revisions/2/download
|
||||
url: https://grafana.com/api/dashboards/17878/revisions/1/download
|
||||
tags: ['Keycloak', 'Auth']
|
||||
|
@ -1,12 +0,0 @@
|
||||
--- templates/keycloak/operator.yaml.orig 2022-05-11 12:46:15.860204871 +0200
|
||||
+++ templates/keycloak/operator.yaml 2022-05-11 12:46:02.840068240 +0200
|
||||
@@ -1,3 +1,4 @@
|
||||
+{{- if .Values.keycloak.enabled }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
@@ -233,3 +234,4 @@
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 10
|
||||
serviceAccountName: keycloak-operator
|
||||
+{{- end }}
|
File diff suppressed because one or more lines are too long
@ -2,7 +2,7 @@
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: {{ .Release.Name }}-deny-metrics-ipblocks
|
||||
name: {{ .Release.Name }}-keycloak-deny-not-in-ipblocks
|
||||
namespace: istio-system
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" $ | nindent 4 }}
|
||||
@ -12,6 +12,7 @@ spec:
|
||||
app: istio-ingressgateway
|
||||
action: DENY
|
||||
rules:
|
||||
# block access to metrics via Ingress
|
||||
- to:
|
||||
- operation:
|
||||
hosts: ["{{ .Values.keycloak.istio.url }}"]
|
||||
|
@ -14,5 +14,5 @@ spec:
|
||||
http:
|
||||
- route:
|
||||
- destination:
|
||||
host: {{ template "kubezero-lib.fullname" $ }}-service
|
||||
host: {{ template "kubezero-lib.fullname" $ }}-keycloak
|
||||
{{- end }}
|
||||
|
@ -1,56 +0,0 @@
|
||||
{{- if .Values.keycloak.enabled }}
|
||||
apiVersion: k8s.keycloak.org/v2alpha1
|
||||
kind: Keycloak
|
||||
metadata:
|
||||
name: {{ template "kubezero-lib.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
instances: {{ .Values.keycloak.replicas }}
|
||||
|
||||
additionalOptions:
|
||||
# Needs int casting thx to https://github.com/kubernetes-sigs/yaml/issues/45
|
||||
{{- if lt (int .Values.keycloak.replicas) 2 }}
|
||||
- name: cache
|
||||
value: local
|
||||
{{- end }}
|
||||
{{- if .Values.postgresql.enabled }}
|
||||
- name: db
|
||||
value: postgres
|
||||
- name: db-url-host
|
||||
value: {{ template "kubezero-lib.fullname" . }}-postgresql
|
||||
- name: db-username
|
||||
value: keycloak
|
||||
- name: db-password
|
||||
secret:
|
||||
name: {{ template "kubezero-lib.fullname" . }}-postgresql
|
||||
key: password
|
||||
{{- else }}
|
||||
# Fallback to local file within the pod - dev ONLY !!
|
||||
- name: db
|
||||
value: dev-file
|
||||
{{- end }}
|
||||
- name: hostname-strict-https
|
||||
value: "false"
|
||||
- name: proxy
|
||||
value: edge
|
||||
- name: http-enabled
|
||||
value: "true"
|
||||
- name: log-console-output
|
||||
value: json
|
||||
|
||||
|
||||
ingress:
|
||||
enabled: false
|
||||
|
||||
http:
|
||||
httpEnabled: true
|
||||
|
||||
# We use Istio Ingress to terminate TLS
|
||||
# mTls down the road
|
||||
hostname:
|
||||
hostname: {{ default "keycloak" .Values.keycloak.istio.url }}
|
||||
strict: false
|
||||
strictBackchannel: false
|
||||
{{- end }}
|
@ -1,237 +0,0 @@
|
||||
{{- if .Values.keycloak.enabled }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
annotations:
|
||||
app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000
|
||||
labels:
|
||||
app.kubernetes.io/name: keycloak-operator
|
||||
app.kubernetes.io/version: 21.1.1
|
||||
name: keycloak-operator
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
annotations:
|
||||
app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000
|
||||
labels:
|
||||
app.kubernetes.io/name: keycloak-operator
|
||||
app.kubernetes.io/version: 21.1.1
|
||||
name: keycloak-operator
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
targetPort: 8080
|
||||
selector:
|
||||
app.kubernetes.io/name: keycloak-operator
|
||||
app.kubernetes.io/version: 21.1.1
|
||||
type: ClusterIP
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: keycloak-operator-role
|
||||
rules:
|
||||
- apiGroups:
|
||||
- apps
|
||||
- extensions
|
||||
resources:
|
||||
- statefulsets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
- services
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- batch
|
||||
resources:
|
||||
- jobs
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- networking.k8s.io
|
||||
resources:
|
||||
- ingresses
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: keycloak-operator
|
||||
name: keycloak-operator-role-binding
|
||||
roleRef:
|
||||
kind: Role
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
name: keycloak-operator-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: keycloak-operator
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: keycloak-operator-view
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
name: view
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: keycloak-operator
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: keycloakcontroller-role-binding
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
name: keycloakcontroller-cluster-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: keycloak-operator
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: keycloakrealmimportcontroller-role-binding
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
name: keycloakrealmimportcontroller-cluster-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: keycloak-operator
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: keycloakcontroller-cluster-role
|
||||
rules:
|
||||
- apiGroups:
|
||||
- k8s.keycloak.org
|
||||
resources:
|
||||
- keycloaks
|
||||
- keycloaks/status
|
||||
- keycloaks/finalizers
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: keycloakrealmimportcontroller-cluster-role
|
||||
rules:
|
||||
- apiGroups:
|
||||
- k8s.keycloak.org
|
||||
resources:
|
||||
- keycloakrealmimports
|
||||
- keycloakrealmimports/status
|
||||
- keycloakrealmimports/finalizers
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
annotations:
|
||||
app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000
|
||||
labels:
|
||||
app.kubernetes.io/name: keycloak-operator
|
||||
app.kubernetes.io/version: 21.1.1
|
||||
name: keycloak-operator
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: keycloak-operator
|
||||
app.kubernetes.io/version: 21.1.1
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000
|
||||
labels:
|
||||
app.kubernetes.io/name: keycloak-operator
|
||||
app.kubernetes.io/version: 21.1.1
|
||||
spec:
|
||||
containers:
|
||||
- env:
|
||||
- name: KUBERNETES_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: OPERATOR_KEYCLOAK_IMAGE
|
||||
value: quay.io/keycloak/keycloak:21.1.1
|
||||
image: quay.io/keycloak/keycloak-operator:21.1.1
|
||||
imagePullPolicy: Always
|
||||
livenessProbe:
|
||||
failureThreshold: 3
|
||||
httpGet:
|
||||
path: /q/health/live
|
||||
port: 8080
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 0
|
||||
periodSeconds: 30
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 10
|
||||
name: keycloak-operator
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
name: http
|
||||
protocol: TCP
|
||||
readinessProbe:
|
||||
failureThreshold: 3
|
||||
httpGet:
|
||||
path: /q/health/ready
|
||||
port: 8080
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 0
|
||||
periodSeconds: 30
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 10
|
||||
serviceAccountName: keycloak-operator
|
||||
{{- end }}
|
@ -1,15 +0,0 @@
|
||||
{{- if and .Values.keycloak.podDisruptionBudget (gt (int .Values.keycloak.replicas) 1) }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ template "kubezero-lib.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: keycloak
|
||||
app.kubernetes.io/managed-by: keycloak-operator
|
||||
{{- toYaml .Values.keycloak.podDisruptionBudget | nindent 2 }}
|
||||
{{- end }}
|
@ -1,19 +1,12 @@
|
||||
#!/bin/bash
|
||||
|
||||
# https://www.keycloak.org/operator/installation
|
||||
|
||||
set -ex
|
||||
|
||||
helm dep update
|
||||
. ../../scripts/lib-update.sh
|
||||
|
||||
# Operator
|
||||
VERSION=$(yq eval '.appVersion' Chart.yaml)
|
||||
|
||||
wget -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
|
||||
wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml
|
||||
|
||||
wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/kubernetes.yml
|
||||
patch -i keycloak.patch -p0 --no-backup-if-mismatch
|
||||
login_ecr_public
|
||||
update_helm
|
||||
|
||||
# Fetch dashboards
|
||||
../kubezero-metrics/sync_grafana_dashboards.py dashboards-keycloak.yaml templates/keycloak/grafana-dashboards.yaml
|
||||
|
||||
update_docs
|
||||
|
@ -1,23 +1,32 @@
|
||||
keycloak:
|
||||
enabled: false
|
||||
|
||||
replicas: 1
|
||||
podDisruptionBudget:
|
||||
minAvailable: 1
|
||||
proxy: edge
|
||||
production: true
|
||||
|
||||
istio:
|
||||
enabled: false
|
||||
gateway: istio-ingress/private-ingressgateway
|
||||
url: ""
|
||||
auth:
|
||||
adminUser: admin
|
||||
existingSecret: kubezero-auth
|
||||
passwordSecretKey: admin-password
|
||||
|
||||
replicaCount: 1
|
||||
|
||||
pdb:
|
||||
create: false
|
||||
minAvailable: 1
|
||||
|
||||
metrics:
|
||||
enabled: false
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 512Mi
|
||||
|
||||
postgresql:
|
||||
enabled: false
|
||||
|
||||
postgresql:
|
||||
auth:
|
||||
existingSecret: kubezero-auth-postgresql
|
||||
existingSecret: kubezero-auth
|
||||
username: keycloak
|
||||
database: keycloak
|
||||
|
||||
@ -27,3 +36,8 @@ postgresql:
|
||||
|
||||
readReplicas:
|
||||
replicaCount: 0
|
||||
|
||||
istio:
|
||||
enabled: false
|
||||
gateway: istio-ingress/private-ingressgateway
|
||||
url: ""
|
||||
|
@ -105,7 +105,7 @@ kube-prometheus-stack:
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 512Mi
|
||||
memory: 2Gi
|
||||
cpu: 500m
|
||||
limits:
|
||||
memory: 4Gi
|
||||
|
Loading…
Reference in New Issue
Block a user