ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 25 Packages Projects Releases Wiki Activity

feat: version bump keycloak to 20.X, add PDB, support HA deployment

Browse Source
This commit is contained in:
Stefan Reimer 2022-11-03 13:20:50 +01:00
parent 52c06e07a7
commit a4bc8c5d2d
8 changed files with 221 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
charts/kubezero-auth/Chart.yaml
View File

@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-auth name: kubezero-auth
description: KubeZero umbrella chart for all things Authentication and Identity management description: KubeZero umbrella chart for all things Authentication and Identity management
type: application type: application
version: 0.2.4 version: 0.3.2
appVersion: 19.0.1 appVersion: 20.0.0
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:

2
charts/kubezero-auth/crds/keycloak-realmimports.yaml
View File

@ -938,6 +938,8 @@ spec:
type: array type: array
type: object type: object
type: array type: array
otpPolicyCodeReusable:
type: boolean
clientProfiles: clientProfiles:
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true

207
charts/kubezero-auth/crds/keycloak.yaml
View File

@ -19,46 +19,59 @@ spec:
properties: properties:
spec: spec:
properties: properties:
hostname:
description: |-
Hostname for the Keycloak server.
The special value `INSECURE-DISABLE` disables the hostname strict resolution.
type: string
instances: instances:
description: Number of Keycloak instances in HA mode. Default is 1. description: Number of Keycloak instances in HA mode. Default is 1.
type: integer type: integer
serverConfiguration: transaction:
description: |- description: In this section you can find all properties related to
Configuration of the Keycloak server. the settings of transaction behavior.
expressed as a keys (reference: https://www.keycloak.org/server/all-config) and values that can be either direct values or references to secrets. properties:
items: xaEnabled:
properties: description: Determine whether Keycloak should use a non-XA datasource
secret: in case the database does not support XA transactions.
properties: type: boolean
optional: type: object
type: boolean http:
key: description: In this section you can configure Keycloak features related
type: string to HTTP and HTTPS
name: properties:
type: string httpPort:
type: object description: The used HTTP port.
value: type: integer
type: string tlsSecret:
name: description: "A secret containing the TLS configuration for HTTPS.\
type: string \ Reference: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets."
type: object type: string
type: array httpsPort:
tlsSecret: description: The used HTTPS port.
description: |- type: integer
A secret containing the TLS configuration for HTTPS. Reference: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets. httpEnabled:
The special value `INSECURE-DISABLE` disables https. description: Enables the HTTP listener.
type: string type: boolean
disableDefaultIngress: type: object
description: Disable the default ingress. hostname:
type: boolean description: In this section you can configure Keycloak hostname and
image: related properties.
description: Custom Keycloak image to be used. properties:
type: string hostname:
description: Hostname for the Keycloak server.
type: string
strict:
description: Disables dynamically resolving the hostname from
request headers.
type: boolean
strictBackchannel:
description: By default backchannel URLs are dynamically resolved
from request headers to allow internal and external applications.
type: boolean
admin:
description: The hostname for accessing the administration console.
type: string
adminUrl:
description: "Set the base URL for accessing the administration\
\ console, including scheme, host, port and path"
type: string
type: object
unsupported: unsupported:
description: |- description: |-
In this section you can configure podTemplate advanced features, not production-ready, and not supported settings. In this section you can configure podTemplate advanced features, not production-ready, and not supported settings.
@ -2765,9 +2778,123 @@ spec:
type: object type: object
type: object type: object
type: object type: object
required: ingress:
- hostname description: |-
- tlsSecret The deployment is, by default, exposed through a basic ingress.
You can change this behaviour by setting the enabled property to false.
properties:
enabled:
type: boolean
type: object
image:
description: Custom Keycloak image to be used.
type: string
imagePullSecrets:
description: Secret(s) that might be used when pulling an image from
a private container image registry or repository.
items:
properties:
name:
type: string
type: object
type: array
additionalOptions:
description: |-
Configuration of the Keycloak server.
expressed as a keys (reference: https://www.keycloak.org/server/all-config) and values that can be either direct values or references to secrets.
items:
properties:
secret:
properties:
optional:
type: boolean
key:
type: string
name:
type: string
type: object
value:
type: string
name:
type: string
type: object
type: array
db:
description: In this section you can find all properties related to
connect to a database.
properties:
passwordSecret:
description: The reference to a secret holding the password of
the database user.
properties:
optional:
type: boolean
key:
type: string
name:
type: string
type: object
usernameSecret:
description: The reference to a secret holding the username of
the database user.
properties:
optional:
type: boolean
key:
type: string
name:
type: string
type: object
port:
description: "Sets the port of the default JDBC URL of the chosen\
\ vendor. If the `url` option is set, this option is ignored."
type: integer
schema:
description: The database schema to be used.
type: string
host:
description: "Sets the hostname of the default JDBC URL of the\
\ chosen vendor. If the `url` option is set, this option is\
\ ignored."
type: string
url:
description: "The full database JDBC URL. If not provided, a default\
\ URL is set based on the selected database vendor. For instance,\
\ if using 'postgres', the default JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. "
type: string
poolInitialSize:
description: The initial size of the connection pool.
type: integer
poolMaxSize:
description: The maximum size of the connection pool.
type: integer
vendor:
description: The database vendor.
type: string
database:
description: "Sets the database name of the default JDBC URL of\
\ the chosen vendor. If the `url` option is set, this option\
\ is ignored."
type: string
poolMinSize:
description: The minimal size of the connection pool.
type: integer
type: object
features:
description: "In this section you can configure Keycloak features,\
\ which should be enabled/disabled."
properties:
disabled:
description: Disabled Keycloak features
items:
type: string
type: array
enabled:
description: Enabled Keycloak features
items:
type: string
type: array
type: object
type: object type: object
status: status:
properties: properties:

22
charts/kubezero-auth/templates/keycloak/keycloak.yaml
View File

@ -5,12 +5,14 @@ metadata:
name: {{ template "kubezero-lib.fullname" . }} name: {{ template "kubezero-lib.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
spec: spec:
instances: 1 instances: {{ .Values.keycloak.replicas }}
disableDefaultIngress: true
serverConfiguration: additionalOptions:
# Needs int casting thx to https://github.com/kubernetes-sigs/yaml/issues/45
{{- if lt (int .Values.keycloak.replicas) 2 }}
- name: cache - name: cache
value: local value: local
{{- end }}
{{- if .Values.postgresql.enabled }} {{- if .Values.postgresql.enabled }}
- name: db - name: db
value: postgres value: postgres
@ -30,15 +32,21 @@ spec:
- name: hostname-strict-https - name: hostname-strict-https
value: "false" value: "false"
- name: proxy - name: proxy
value: passthrough value: edge
- name: http-enabled - name: http-enabled
value: "true" value: "true"
#hostname: INSECURE-DISABLE ingress:
hostname: {{ default "keycloak" .Values.keycloak.istio.url }} enabled: false
http:
httpEnabled: true
# We use Istio Ingress to terminate TLS # We use Istio Ingress to terminate TLS
# mTls down the road # mTls down the road
tlsSecret: INSECURE-DISABLE hostname:
hostname: {{ default "keycloak" .Values.keycloak.istio.url }}
strict: false
strictBackchannel: false
{{- end }} {{- end }}

24
charts/kubezero-auth/templates/keycloak/operator.yaml
View File

@ -4,20 +4,20 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
annotations: annotations:
app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000 app.quarkus.io/build-timestamp: 2022-11-01 - 13:22:44 +0000
labels: labels:
app.kubernetes.io/version: 19.0.1
app.kubernetes.io/name: keycloak-operator app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 20.0.0
name: keycloak-operator name: keycloak-operator
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
annotations: annotations:
app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000 app.quarkus.io/build-timestamp: 2022-11-01 - 13:22:44 +0000
labels: labels:
app.kubernetes.io/name: keycloak-operator app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 19.0.1 app.kubernetes.io/version: 20.0.0
name: keycloak-operator name: keycloak-operator
spec: spec:
ports: ports:
@ -26,7 +26,7 @@ spec:
targetPort: 8080 targetPort: 8080
selector: selector:
app.kubernetes.io/name: keycloak-operator app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 19.0.1 app.kubernetes.io/version: 20.0.0
type: ClusterIP type: ClusterIP
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
@ -179,24 +179,24 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
annotations: annotations:
app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000 app.quarkus.io/build-timestamp: 2022-11-01 - 13:22:44 +0000
labels: labels:
app.kubernetes.io/version: 19.0.1
app.kubernetes.io/name: keycloak-operator app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 20.0.0
name: keycloak-operator name: keycloak-operator
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/version: 19.0.1
app.kubernetes.io/name: keycloak-operator app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 20.0.0
template: template:
metadata: metadata:
annotations: annotations:
app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000 app.quarkus.io/build-timestamp: 2022-11-01 - 13:22:44 +0000
labels: labels:
app.kubernetes.io/version: 19.0.1
app.kubernetes.io/name: keycloak-operator app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 20.0.0
spec: spec:
containers: containers:
- env: - env:
@ -205,8 +205,8 @@ spec:
fieldRef: fieldRef:
fieldPath: metadata.namespace fieldPath: metadata.namespace
- name: OPERATOR_KEYCLOAK_IMAGE - name: OPERATOR_KEYCLOAK_IMAGE
value: quay.io/keycloak/keycloak:19.0.1 value: quay.io/keycloak/keycloak:20.0.0
image: quay.io/keycloak/keycloak-operator:19.0.1 image: quay.io/keycloak/keycloak-operator:20.0.0
imagePullPolicy: Always imagePullPolicy: Always
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3

15
charts/kubezero-auth/templates/keycloak/pdb.yaml Normal file
View File

@ -0,0 +1,15 @@
{{- if and .Values.keycloak.podDisruptionBudget (gt (int .Values.keycloak.replicas) 1) }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "kubezero-lib.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
app: keycloak
app.kubernetes.io/managed-by: keycloak-operator
{{- toYaml .Values.keycloak.podDisruptionBudget | nindent 2 }}
{{- end }}

6
charts/kubezero-auth/update.sh
View File

@ -9,8 +9,8 @@ helm dep update
# Operator # Operator
VERSION=$(yq eval '.appVersion' Chart.yaml) VERSION=$(yq eval '.appVersion' Chart.yaml)
wget -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml wget -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml
wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/kubernetes.yml wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/kubernetes.yml
patch -i keycloak.patch -p0 --no-backup-if-mismatch patch -i keycloak.patch -p0 --no-backup-if-mismatch

4
charts/kubezero-auth/values.yaml
View File

@ -1,6 +1,10 @@
keycloak: keycloak:
enabled: false enabled: false
replicas: 1
podDisruptionBudget:
minAvailable: 1
istio: istio:
enabled: false enabled: false
gateway: istio-ingress/private-ingressgateway gateway: istio-ingress/private-ingressgateway