Updated Kubezero-auth module using Bitnami for KeyCloak

Stefan Reimer 2023-09-06 10:43:03 +00:00
parent 1c5a1b2390
commit 6ac4810348
16 changed files with 74 additions and 5546 deletions


@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-auth
description: KubeZero umbrella chart for all things Authentication and Identity management
type: application
version: 0.3.5
appVersion: 21.1.1
version: 0.4.0
appVersion: 22.0.1
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
@ -16,8 +16,8 @@ dependencies:
- name: kubezero-lib
version: ">= 0.1.6"
repository: https://cdn.zero-downtime.net/charts/
- name: postgresql
version: 11.8.1
repository: https://charts.bitnami.com/bitnami
condition: postgresql.enabled
kubeVersion: ">= 1.25.0"
- name: keycloak
version: 16.1.2
repository: "oci://registry-1.docker.io/bitnamicharts"
condition: keycloak.enabled
kubeVersion: ">= 1.26.0"
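Review bot: The new `keycloak` dependency is pinned to `16.1.2` by version only; an OCI reference in Chart.yaml carries no content digest, so the only integrity record for what `update_helm` pulls is the `digest` field in Chart.lock, and this diff does not show whether Chart.lock is tracked. If it is not, committing it (and building dependencies from the lock rather than refreshing them) makes the fetch reproducible and lets a re-pushed tag be noticed. The old `condition: postgresql.enabled` switch has no counterpart on the new entry because the Bitnami chart bundles its own PostgreSQL subchart, which is now toggled through the subchart's values instead of a chart condition; a short comment on the dependency, e.g. `# bundles a postgresql subchart; database settings live under keycloak.postgresql in values.yaml`, would save the next reader from looking for the removed condition.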


@ -1,6 +1,6 @@
# kubezero-auth
![Version: 0.3.5](https://img.shields.io/badge/Version-0.3.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 21.1.1](https://img.shields.io/badge/AppVersion-21.1.1-informational?style=flat-square)
![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 22.0.1](https://img.shields.io/badge/AppVersion-22.0.1-informational?style=flat-square)
KubeZero umbrella chart for all things Authentication and Identity management
@ -14,40 +14,45 @@ KubeZero umbrella chart for all things Authentication and Identity management
## Requirements
Kubernetes: `>= 1.25.0`
Kubernetes: `>= 1.26.0`
| Repository | Name | Version |
|------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
| https://charts.bitnami.com/bitnami | postgresql | 11.8.1 |
| oci://registry-1.docker.io/bitnamicharts | keycloak | 16.1.2 |
# Keycloak
## Operator
https://www.keycloak.org/operator/installation
https://github.com/keycloak/keycloak/tree/main/operator
https://github.com/aerogear/keycloak-metrics-spi
https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates
## Resources
- Codecentric Helm chart: `https://github.com/codecentric/helm-charts/tree/master/charts/keycloak`
- custom image: `https://www.keycloak.org/server/containers`
- https://github.com/bitnami/charts/tree/main/bitnami/keycloak
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| keycloak.auth.adminUser | string | `"admin"` | |
| keycloak.auth.existingSecret | string | `"kubezero-auth"` | |
| keycloak.auth.passwordSecretKey | string | `"admin-password"` | |
| keycloak.enabled | bool | `false` | |
| keycloak.istio.enabled | bool | `false` | |
| keycloak.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
| keycloak.istio.url | string | `""` | |
| keycloak.metrics.enabled | bool | `false` | |
| keycloak.podDisruptionBudget.minAvailable | int | `1` | |
| keycloak.replicas | int | `1` | |
| postgresql.auth.database | string | `"keycloak"` | |
| postgresql.auth.existingSecret | string | `"kubezero-auth-postgresql"` | |
| postgresql.auth.username | string | `"keycloak"` | |
| postgresql.enabled | bool | `false` | |
| postgresql.primary.persistence.size | string | `"1Gi"` | |
| postgresql.readReplicas.replicaCount | int | `0` | |
| keycloak.metrics.serviceMonitor.enabled | bool | `true` | |
| keycloak.pdb.create | bool | `false` | |
| keycloak.pdb.minAvailable | int | `1` | |
| keycloak.postgresql.auth.database | string | `"keycloak"` | |
| keycloak.postgresql.auth.existingSecret | string | `"kubezero-auth"` | |
| keycloak.postgresql.auth.username | string | `"keycloak"` | |
| keycloak.postgresql.primary.persistence.size | string | `"1Gi"` | |
| keycloak.postgresql.readReplicas.replicaCount | int | `0` | |
| keycloak.production | bool | `true` | |
| keycloak.proxy | string | `"edge"` | |
| keycloak.replicaCount | int | `1` | |


@ -17,13 +17,12 @@
## Operator
https://www.keycloak.org/operator/installation
https://github.com/keycloak/keycloak/tree/main/operator
https://github.com/aerogear/keycloak-metrics-spi
https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates
## Resources
- Codecentric Helm chart: `https://github.com/codecentric/helm-charts/tree/master/charts/keycloak`
- custom image: `https://www.keycloak.org/server/containers`
- https://github.com/bitnami/charts/tree/main/bitnami/keycloak
{{ template "chart.valuesSection" . }}




@ -4,5 +4,6 @@ gzip: true
# folder:
dashboards:
- name: keycloak
url: https://grafana.com/api/dashboards/10441/revisions/2/download
# url: https://grafana.com/api/dashboards/10441/revisions/2/download
url: https://grafana.com/api/dashboards/17878/revisions/1/download
tags: ['Keycloak', 'Auth']
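Review bot: The superseded download URL is kept as a commented-out `# url:` line directly above the new one, with no explanation, which leaves dead configuration that a later reader cannot distinguish from a deliberate alternative. Either drop the old line or state why dashboard 10441 was replaced; if the switch follows the Keycloak 22 upgrade in this commit, say so in its place, e.g. `# 10441 superseded by 17878 with the move to Keycloak 22`. Pinning the revision (`revisions/1`) is good, since the sync script fetches this over the network at update time.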


@ -1,12 +0,0 @@
--- templates/keycloak/operator.yaml.orig 2022-05-11 12:46:15.860204871 +0200
+++ templates/keycloak/operator.yaml 2022-05-11 12:46:02.840068240 +0200
@@ -1,3 +1,4 @@
+{{- if .Values.keycloak.enabled }}
---
apiVersion: v1
kind: ServiceAccount
@@ -233,3 +234,4 @@
successThreshold: 1
timeoutSeconds: 10
serviceAccountName: keycloak-operator
+{{- end }}



@ -2,7 +2,7 @@
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Release.Name }}-deny-metrics-ipblocks
name: {{ .Release.Name }}-keycloak-deny-not-in-ipblocks
namespace: istio-system
labels:
{{- include "kubezero-lib.labels" $ | nindent 4 }}
@ -12,6 +12,7 @@ spec:
app: istio-ingressgateway
action: DENY
rules:
# block access to metrics via Ingress
- to:
- operation:
hosts: ["{{ .Values.keycloak.istio.url }}"]
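Review bot: The new name `-keycloak-deny-not-in-ipblocks` and the added comment `# block access to metrics via Ingress` describe two different intents, a source-IP allow-list on the whole host versus a path restriction for metrics, and the `from`/`notFrom` and path matchers that would settle which one applies lie outside the hunk. The comment should state the rule's full effect so the DENY cannot be misread, e.g. `# DENY at the ingress gateway for the Keycloak host unless the source is in the configured ipBlocks (see notFrom below)`, adjusted to what the matchers actually do. Note also that `hosts: ["{{ .Values.keycloak.istio.url }}"]` renders as `[""]` with the default `url: ""`; unless this template is wrapped in an `istio.enabled` guard outside the hunk, an empty host match is rendered, which is unlikely to pass Istio's validation and in any case protects nothing.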


@ -14,5 +14,5 @@ spec:
http:
- route:
- destination:
host: {{ template "kubezero-lib.fullname" $ }}-service
host: {{ template "kubezero-lib.fullname" $ }}-keycloak
{{- end }}
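Review bot: The destination `{{ template "kubezero-lib.fullname" $ }}-keycloak` assumes the Bitnami subchart names its Service with this chart's fullname helper plus `-keycloak`; the subchart derives its Service name from its own fullname template, so the two agree only while the release name and any fullname override yield the same prefix. A comment on this line, `# must match the Service created by the bitnami/keycloak subchart`, records the coupling, and rendering the chart during `update.sh` would catch drift early. The destination port is outside the hunk and belonged to the old operator-managed `-service`; verify it still matches the subchart's Service port.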


@ -1,56 +0,0 @@
{{- if .Values.keycloak.enabled }}
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
name: {{ template "kubezero-lib.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
instances: {{ .Values.keycloak.replicas }}
additionalOptions:
# Needs int casting thx to https://github.com/kubernetes-sigs/yaml/issues/45
{{- if lt (int .Values.keycloak.replicas) 2 }}
- name: cache
value: local
{{- end }}
{{- if .Values.postgresql.enabled }}
- name: db
value: postgres
- name: db-url-host
value: {{ template "kubezero-lib.fullname" . }}-postgresql
- name: db-username
value: keycloak
- name: db-password
secret:
name: {{ template "kubezero-lib.fullname" . }}-postgresql
key: password
{{- else }}
# Fallback to local file within the pod - dev ONLY !!
- name: db
value: dev-file
{{- end }}
- name: hostname-strict-https
value: "false"
- name: proxy
value: edge
- name: http-enabled
value: "true"
- name: log-console-output
value: json
ingress:
enabled: false
http:
httpEnabled: true
# We use Istio Ingress to terminate TLS
# mTls down the road
hostname:
hostname: {{ default "keycloak" .Values.keycloak.istio.url }}
strict: false
strictBackchannel: false
{{- end }}


@ -1,237 +0,0 @@
{{- if .Values.keycloak.enabled }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000
labels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 21.1.1
name: keycloak-operator
---
apiVersion: v1
kind: Service
metadata:
annotations:
app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000
labels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 21.1.1
name: keycloak-operator
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 21.1.1
type: ClusterIP
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: keycloak-operator-role
rules:
- apiGroups:
- apps
- extensions
resources:
- statefulsets
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- ""
resources:
- secrets
- services
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- batch
resources:
- jobs
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/name: keycloak-operator
name: keycloak-operator-role-binding
roleRef:
kind: Role
apiGroup: rbac.authorization.k8s.io
name: keycloak-operator-role
subjects:
- kind: ServiceAccount
name: keycloak-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: keycloak-operator-view
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: view
subjects:
- kind: ServiceAccount
name: keycloak-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: keycloakcontroller-role-binding
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: keycloakcontroller-cluster-role
subjects:
- kind: ServiceAccount
name: keycloak-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: keycloakrealmimportcontroller-role-binding
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: keycloakrealmimportcontroller-cluster-role
subjects:
- kind: ServiceAccount
name: keycloak-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: keycloakcontroller-cluster-role
rules:
- apiGroups:
- k8s.keycloak.org
resources:
- keycloaks
- keycloaks/status
- keycloaks/finalizers
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: keycloakrealmimportcontroller-cluster-role
rules:
- apiGroups:
- k8s.keycloak.org
resources:
- keycloakrealmimports
- keycloakrealmimports/status
- keycloakrealmimports/finalizers
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000
labels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 21.1.1
name: keycloak-operator
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 21.1.1
template:
metadata:
annotations:
app.quarkus.io/build-timestamp: 2023-04-26 - 10:32:03 +0000
labels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 21.1.1
spec:
containers:
- env:
- name: KUBERNETES_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: OPERATOR_KEYCLOAK_IMAGE
value: quay.io/keycloak/keycloak:21.1.1
image: quay.io/keycloak/keycloak-operator:21.1.1
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
httpGet:
path: /q/health/live
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
name: keycloak-operator
ports:
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /q/health/ready
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
serviceAccountName: keycloak-operator
{{- end }}


@ -1,15 +0,0 @@
{{- if and .Values.keycloak.podDisruptionBudget (gt (int .Values.keycloak.replicas) 1) }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "kubezero-lib.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
app: keycloak
app.kubernetes.io/managed-by: keycloak-operator
{{- toYaml .Values.keycloak.podDisruptionBudget | nindent 2 }}
{{- end }}


@ -1,19 +1,12 @@
#!/bin/bash
# https://www.keycloak.org/operator/installation
set -ex
helm dep update
. ../../scripts/lib-update.sh
# Operator
VERSION=$(yq eval '.appVersion' Chart.yaml)
wget -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml
wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/kubernetes.yml
patch -i keycloak.patch -p0 --no-backup-if-mismatch
login_ecr_public
update_helm
# Fetch dashboards
../kubezero-metrics/sync_grafana_dashboards.py dashboards-keycloak.yaml templates/keycloak/grafana-dashboards.yaml
update_docs
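Review bot: The script now sources `../../scripts/lib-update.sh` and passes chart-relative paths to the dashboard sync, so it only works when invoked from the chart directory, and under `set -ex` a wrong working directory dies at the `.` line with a terse "No such file" rather than a hint. A guard before sourcing, `cd "$(dirname "$0")"`, makes the assumption explicit; at minimum document it with `# run from the chart directory`. `set -ex` also leaves `-u` and `pipefail` off, so an unset variable inside `login_ecr_public`, `update_helm` or `update_docs` expands to empty instead of aborting; `set -euo pipefail` is the safer default unless lib-update.sh relies on that leniency, which cannot be seen from here.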


@ -1,29 +1,43 @@
keycloak:
enabled: false
replicas: 1
podDisruptionBudget:
proxy: edge
production: true
auth:
adminUser: admin
existingSecret: kubezero-auth
passwordSecretKey: admin-password
replicaCount: 1
pdb:
create: false
minAvailable: 1
metrics:
enabled: false
serviceMonitor:
enabled: true
resources:
requests:
cpu: 100m
memory: 512Mi
postgresql:
auth:
existingSecret: kubezero-auth
username: keycloak
database: keycloak
primary:
persistence:
size: 1Gi
readReplicas:
replicaCount: 0
istio:
enabled: false
gateway: istio-ingress/private-ingressgateway
url: ""
metrics:
enabled: false
postgresql:
enabled: false
auth:
existingSecret: kubezero-auth-postgresql
username: keycloak
database: keycloak
primary:
persistence:
size: 1Gi
readReplicas:
replicaCount: 0
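Review bot: `keycloak.postgresql.auth.existingSecret` now points at `kubezero-auth`, the same Secret from which `keycloak.auth.existingSecret` reads the admin password under `passwordSecretKey: admin-password`, whereas the removed layout used a separate `kubezero-auth-postgresql` Secret for the database. One Secret therefore has to carry the admin-password key plus the key names the PostgreSQL subchart expects for the database user and, with the bundled primary, its superuser, and nothing in the chart states that contract; a comment on the nested `postgresql:` block such as `# shares the kubezero-auth Secret with keycloak.auth; it must also hold the keys the bitnami/postgresql subchart reads (its auth.secretKeys defaults)` would prevent a half-populated Secret failing only at first start. Separately, `metrics.enabled: false` next to `metrics.serviceMonitor.enabled: true` reads as contradictory; if the subchart gates the ServiceMonitor on `metrics.enabled` the second key is inert and should say so, e.g. `# only effective once metrics.enabled is true`. With `proxy: edge` Keycloak honours the forwarded-for headers it receives, so the Istio gateway must stay the only route to the pod for the DENY policy in istio-authorizationpolicy.yaml to mean anything.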


@ -105,7 +105,7 @@ kube-prometheus-stack:
resources:
requests:
memory: 512Mi
memory: 2Gi
cpu: 500m
limits:
memory: 4Gi