diff --git a/charts/kubezero-auth/Chart.yaml b/charts/kubezero-auth/Chart.yaml index ea3c0424..449c5ff7 100644 --- a/charts/kubezero-auth/Chart.yaml +++ b/charts/kubezero-auth/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-auth description: KubeZero umbrella chart for all things Authentication and Identity management type: application -version: 0.2.4 -appVersion: 19.0.1 +version: 0.3.2 +appVersion: 20.0.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-auth/crds/keycloak-realmimports.yaml b/charts/kubezero-auth/crds/keycloak-realmimports.yaml index cf4e799d..b617a305 100644 --- a/charts/kubezero-auth/crds/keycloak-realmimports.yaml +++ b/charts/kubezero-auth/crds/keycloak-realmimports.yaml @@ -938,6 +938,8 @@ spec: type: array type: object type: array + otpPolicyCodeReusable: + type: boolean clientProfiles: type: object x-kubernetes-preserve-unknown-fields: true diff --git a/charts/kubezero-auth/crds/keycloak.yaml b/charts/kubezero-auth/crds/keycloak.yaml index 13abb8d0..50036592 100644 --- a/charts/kubezero-auth/crds/keycloak.yaml +++ b/charts/kubezero-auth/crds/keycloak.yaml 
@@ -19,46 +19,59 @@ spec: properties: spec: properties: - hostname: - description: |- - Hostname for the Keycloak server. - The special value `INSECURE-DISABLE` disables the hostname strict resolution. - type: string instances: description: Number of Keycloak instances in HA mode. Default is 1. type: integer - serverConfiguration: - description: |- - Configuration of the Keycloak server. - expressed as a keys (reference: https://www.keycloak.org/server/all-config) and values that can be either direct values or references to secrets. - items: - properties: - secret: - properties: - optional: - type: boolean - key: - type: string - name: - type: string - type: object - value: - type: string - name: - type: string - type: object - type: array - tlsSecret: - description: |- - A secret containing the TLS configuration for HTTPS. Reference: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets. - The special value `INSECURE-DISABLE` disables https. - type: string - disableDefaultIngress: - description: Disable the default ingress. - type: boolean - image: - description: Custom Keycloak image to be used. - type: string + transaction: + description: In this section you can find all properties related to + the settings of transaction behavior. + properties: + xaEnabled: + description: Determine whether Keycloak should use a non-XA datasource + in case the database does not support XA transactions. + type: boolean + type: object + http: + description: In this section you can configure Keycloak features related + to HTTP and HTTPS + properties: + httpPort: + description: The used HTTP port. + type: integer + tlsSecret: + description: "A secret containing the TLS configuration for HTTPS.\ + \ Reference: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets." + type: string + httpsPort: + description: The used HTTPS port. + type: integer + httpEnabled: + description: Enables the HTTP listener. 
+ type: boolean + type: object + hostname: + description: In this section you can configure Keycloak hostname and + related properties. + properties: + hostname: + description: Hostname for the Keycloak server. + type: string + strict: + description: Disables dynamically resolving the hostname from + request headers. + type: boolean + strictBackchannel: + description: By default backchannel URLs are dynamically resolved + from request headers to allow internal and external applications. + type: boolean + admin: + description: The hostname for accessing the administration console. + type: string + adminUrl: + description: "Set the base URL for accessing the administration\ + \ console, including scheme, host, port and path" + type: string + type: object unsupported: description: |- In this section you can configure podTemplate advanced features, not production-ready, and not supported settings. 
@@ -2765,9 +2778,123 @@ spec: type: object type: object type: object - required: - - hostname - - tlsSecret + ingress: + description: |- + The deployment is, by default, exposed through a basic ingress. + You can change this behaviour by setting the enabled property to false. + properties: + enabled: + type: boolean + type: object + image: + description: Custom Keycloak image to be used. + type: string + imagePullSecrets: + description: Secret(s) that might be used when pulling an image from + a private container image registry or repository. + items: + properties: + name: + type: string + type: object + type: array + additionalOptions: + description: |- + Configuration of the Keycloak server. + expressed as a keys (reference: https://www.keycloak.org/server/all-config) and values that can be either direct values or references to secrets. + items: + properties: + secret: + properties: + optional: + type: boolean + key: + type: string + name: + type: string + type: object + value: + type: string + name: + type: string + type: object + type: array + db: + description: In this section you can find all properties related to + connect to a database. + properties: + passwordSecret: + description: The reference to a secret holding the password of + the database user. + properties: + optional: + type: boolean + key: + type: string + name: + type: string + type: object + usernameSecret: + description: The reference to a secret holding the username of + the database user. + properties: + optional: + type: boolean + key: + type: string + name: + type: string + type: object + port: + description: "Sets the port of the default JDBC URL of the chosen\ + \ vendor. If the `url` option is set, this option is ignored." + type: integer + schema: + description: The database schema to be used. + type: string + host: + description: "Sets the hostname of the default JDBC URL of the\ + \ chosen vendor. If the `url` option is set, this option is\ + \ ignored." 
+ type: string + url: + description: "The full database JDBC URL. If not provided, a default\ + \ URL is set based on the selected database vendor. For instance,\ + \ if using 'postgres', the default JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. " + type: string + poolInitialSize: + description: The initial size of the connection pool. + type: integer + poolMaxSize: + description: The maximum size of the connection pool. + type: integer + vendor: + description: The database vendor. + type: string + database: + description: "Sets the database name of the default JDBC URL of\ + \ the chosen vendor. If the `url` option is set, this option\ + \ is ignored." + type: string + poolMinSize: + description: The minimal size of the connection pool. + type: integer + type: object + features: + description: "In this section you can configure Keycloak features,\ + \ which should be enabled/disabled." + properties: + disabled: + description: Disabled Keycloak features + items: + type: string + type: array + enabled: + description: Enabled Keycloak features + items: + type: string + type: array + type: object type: object status: properties: diff --git a/charts/kubezero-auth/templates/keycloak/keycloak.yaml b/charts/kubezero-auth/templates/keycloak/keycloak.yaml index 77c4238b..87af1215 100644 --- a/charts/kubezero-auth/templates/keycloak/keycloak.yaml +++ b/charts/kubezero-auth/templates/keycloak/keycloak.yaml @@ -5,12 +5,14 @@ metadata: name: {{ template "kubezero-lib.fullname" . }} namespace: {{ .Release.Namespace }} spec: - instances: 1 - disableDefaultIngress: true + instances: {{ .Values.keycloak.replicas }} - serverConfiguration: + additionalOptions: + # Needs int casting thx to https://github.com/kubernetes-sigs/yaml/issues/45 + {{- if lt (int .Values.keycloak.replicas) 2 }} - name: cache value: local + {{- end }} {{- if .Values.postgresql.enabled }} - name: db value: postgres 
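Review bot: The `{{- if lt (int .Values.keycloak.replicas) 2 }}` guard around `cache: local` leaves the HA case undocumented: with two or more replicas the `cache` option is simply omitted and whatever the operator defaults to applies, which the existing comment about int casting does not say. I would extend it to `# Single instance: force the local cache; with 2+ replicas omit the option so the operator default applies`. `instances: {{ .Values.keycloak.replicas }}` renders an empty scalar if a values override unsets `replicas`, and the int cast in the guard does not protect that line; `instances: {{ required "keycloak.replicas must be set" .Values.keycloak.replicas }}` would fail the render instead of producing a null. The `additionalOptions` list continues past the end of the hunk.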
@@ -30,15 +32,21 @@ spec: - name: hostname-strict-https value: "false" - name: proxy - value: passthrough + value: edge - name: http-enabled value: "true" - #hostname: INSECURE-DISABLE - hostname: {{ default "keycloak" .Values.keycloak.istio.url }} - + ingress: + enabled: false + + http: + httpEnabled: true + # We use Istio Ingress to terminate TLS # mTls down the road - tlsSecret: INSECURE-DISABLE + hostname: + hostname: {{ default "keycloak" .Values.keycloak.istio.url }} + strict: false + strictBackchannel: false {{- end }} diff --git a/charts/kubezero-auth/templates/keycloak/operator.yaml b/charts/kubezero-auth/templates/keycloak/operator.yaml index 42c616a9..9b137e6b 100644 --- a/charts/kubezero-auth/templates/keycloak/operator.yaml +++ b/charts/kubezero-auth/templates/keycloak/operator.yaml @@ -4,20 +4,20 @@ apiVersion: v1 kind: ServiceAccount metadata: annotations: - app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000 + app.quarkus.io/build-timestamp: 2022-11-01 - 13:22:44 +0000 labels: - app.kubernetes.io/version: 19.0.1 app.kubernetes.io/name: keycloak-operator + app.kubernetes.io/version: 20.0.0 name: keycloak-operator --- apiVersion: v1 kind: Service metadata: annotations: - app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000 + app.quarkus.io/build-timestamp: 2022-11-01 - 13:22:44 +0000 labels: app.kubernetes.io/name: keycloak-operator - app.kubernetes.io/version: 19.0.1 + app.kubernetes.io/version: 20.0.0 name: keycloak-operator spec: ports: @@ -26,7 +26,7 @@ spec: targetPort: 8080 selector: app.kubernetes.io/name: keycloak-operator - app.kubernetes.io/version: 19.0.1 + app.kubernetes.io/version: 20.0.0 type: ClusterIP --- apiVersion: rbac.authorization.k8s.io/v1 
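Review bot: The context line `- name: http-enabled` / `value: "true"` in `additionalOptions` now duplicates the new `http.httpEnabled: true`, leaving two sources of truth for one setting; drop the legacy entry and keep the typed `http` section. In the hostname section, `strict: false` and `strictBackchannel: false` are set although `hostname.hostname` is pinned to `{{ default "keycloak" .Values.keycloak.istio.url }}`; the CRD text in this same commit says `strict` disables resolving the hostname from request headers, and with `proxy: edge` Keycloak relies on forwarded headers, so a pod reachable on the plain HTTP listener without going through the Istio gateway would advertise URLs derived from whatever headers arrive (I cannot confirm from the page whether a fixed `hostname` takes precedence over that). If the fixed hostname is meant to be authoritative, `strict: true` states it; otherwise a comment such as `# strict is off because the Istio gateway rewrites Host; Keycloak is only reachable through it` should record why it is disabled. The `{{- if }}` closed by the final `{{- end }}` starts before the hunk.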
@@ -179,24 +179,24 @@ apiVersion: apps/v1 kind: Deployment metadata: annotations: - app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000 + app.quarkus.io/build-timestamp: 2022-11-01 - 13:22:44 +0000 labels: - app.kubernetes.io/version: 19.0.1 app.kubernetes.io/name: keycloak-operator + app.kubernetes.io/version: 20.0.0 name: keycloak-operator spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/version: 19.0.1 app.kubernetes.io/name: keycloak-operator + app.kubernetes.io/version: 20.0.0 template: metadata: annotations: - app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000 + app.quarkus.io/build-timestamp: 2022-11-01 - 13:22:44 +0000 labels: - app.kubernetes.io/version: 19.0.1 app.kubernetes.io/name: keycloak-operator + app.kubernetes.io/version: 20.0.0 spec: containers: - env: @@ -205,8 +205,8 @@ spec: fieldRef: fieldPath: metadata.namespace - name: OPERATOR_KEYCLOAK_IMAGE - value: quay.io/keycloak/keycloak:19.0.1 - image: quay.io/keycloak/keycloak-operator:19.0.1 + value: quay.io/keycloak/keycloak:20.0.0 + image: quay.io/keycloak/keycloak-operator:20.0.0 imagePullPolicy: Always livenessProbe: failureThreshold: 3 diff --git a/charts/kubezero-auth/templates/keycloak/pdb.yaml b/charts/kubezero-auth/templates/keycloak/pdb.yaml new file mode 100644 index 00000000..6386d207 --- /dev/null +++ b/charts/kubezero-auth/templates/keycloak/pdb.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.keycloak.podDisruptionBudget (gt (int .Values.keycloak.replicas) 1) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ template "kubezero-lib.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubezero-lib.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app: keycloak + app.kubernetes.io/managed-by: keycloak-operator + {{- toYaml .Values.keycloak.podDisruptionBudget | nindent 2 }} +{{- end }} diff --git a/charts/kubezero-auth/update.sh b/charts/kubezero-auth/update.sh index dbc2a471..b1ab082c 100755 
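Review bot: The new PodDisruptionBudget hard-codes `matchLabels` of `app: keycloak` and `app.kubernetes.io/managed-by: keycloak-operator`, which assumes the labels the operator puts on its Keycloak pods; nothing in this commit shows those labels, and a selector that matches no pods yields a PDB that silently protects nothing rather than an error. I would record that above the selector: `# must match the labels the Keycloak operator sets on its pods; re-check after operator upgrades`. `{{- toYaml .Values.keycloak.podDisruptionBudget | nindent 2 }}` splices the whole values map into `spec`, so a `selector` key placed in values would produce a duplicate key that most YAML parsers resolve last-wins; a comment `# values map is inserted verbatim: minAvailable / maxUnavailable only` makes that contract visible.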
--- a/charts/kubezero-auth/update.sh +++ b/charts/kubezero-auth/update.sh @@ -9,8 +9,8 @@ helm dep update # Operator VERSION=$(yq eval '.appVersion' Chart.yaml) -wget -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml -wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml +wget -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloaks.k8s.keycloak.org-v1.yml +wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml -wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/kubernetes.yml +wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/kubernetes.yml patch -i keycloak.patch -p0 --no-backup-if-mismatch diff --git a/charts/kubezero-auth/values.yaml b/charts/kubezero-auth/values.yaml index ec225c7e..8cf95a5b 100644 --- a/charts/kubezero-auth/values.yaml +++ b/charts/kubezero-auth/values.yaml @@ -1,6 +1,10 @@ keycloak: enabled: false + replicas: 1 + podDisruptionBudget: + minAvailable: 1 + istio: enabled: false gateway: istio-ingress/private-ingressgateway
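Review bot: Quoting `"${VERSION}"` fixes word splitting but not the case it makes visible: if `yq` returns nothing, each URL degrades to `.../keycloak-k8s-resources//kubernetes/...`, `wget -O` truncates the target CRD and operator files before the fetch fails, and `patch -i keycloak.patch` then runs against empty input. A line after the `VERSION=` assignment, `: "${VERSION:?appVersion not found in Chart.yaml}"`, aborts instead, and each `wget` should stop the script on failure (`|| exit 1`, or `set -euo pipefail` in the header, which is outside the hunk). The manifests are also fetched from a mutable Git tag without a checksum; since the downloaded files are committed and reviewed in this diff that is tolerable, but a comment `# fetched from the upstream version tag; review the resulting diff before committing` would make the supply-chain assumption explicit.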
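Review bot: The new `replicas` and `podDisruptionBudget` keys carry no comment, and their coupling is only visible in the templates: the PDB is rendered only when `replicas` is greater than 1, and the whole `podDisruptionBudget` map is inserted into the PDB `spec` verbatim. Two comments above the keys would make that usable from values.yaml alone: `# Number of Keycloak instances; a PodDisruptionBudget is only rendered when > 1` and `# Inserted verbatim into the PDB spec (minAvailable / maxUnavailable)`.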