ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 25 Packages Projects Releases Wiki Activity

feat: version bump keycloak to 20.X, add PDB, support HA deployment

Browse Source
This commit is contained in:
Stefan Reimer 2022-11-03 13:20:50 +01:00
parent 52c06e07a7
commit a4bc8c5d2d
8 changed files with 221 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
charts/kubezero-auth/Chart.yaml
View File

@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-auth
description: KubeZero umbrella chart for all things Authentication and Identity management
type: application
version: 0.2.4
appVersion: 19.0.1
version: 0.3.2
appVersion: 20.0.0
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:

2
charts/kubezero-auth/crds/keycloak-realmimports.yaml
View File

@ -938,6 +938,8 @@ spec:
type: array
type: object
type: array
otpPolicyCodeReusable:
type: boolean
clientProfiles:
type: object
x-kubernetes-preserve-unknown-fields: true

207
charts/kubezero-auth/crds/keycloak.yaml
View File

@ -19,46 +19,59 @@ spec:
properties:
spec:
properties:
hostname:
description: |-
Hostname for the Keycloak server.
The special value `INSECURE-DISABLE` disables the hostname strict resolution.
type: string
instances:
description: Number of Keycloak instances in HA mode. Default is 1.
type: integer
serverConfiguration:
description: |-
Configuration of the Keycloak server.
expressed as a keys (reference: https://www.keycloak.org/server/all-config) and values that can be either direct values or references to secrets.
items:
properties:
secret:
properties:
optional:
type: boolean
key:
type: string
name:
type: string
type: object
value:
type: string
name:
type: string
type: object
type: array
tlsSecret:
description: |-
A secret containing the TLS configuration for HTTPS. Reference: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets.
The special value `INSECURE-DISABLE` disables https.
type: string
disableDefaultIngress:
description: Disable the default ingress.
type: boolean
image:
description: Custom Keycloak image to be used.
type: string
transaction:
description: In this section you can find all properties related to
the settings of transaction behavior.
properties:
xaEnabled:
description: Determine whether Keycloak should use a non-XA datasource
in case the database does not support XA transactions.
type: boolean
type: object
http:
description: In this section you can configure Keycloak features related
to HTTP and HTTPS
properties:
httpPort:
description: The used HTTP port.
type: integer
tlsSecret:
description: "A secret containing the TLS configuration for HTTPS.\
\ Reference: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets."
type: string
httpsPort:
description: The used HTTPS port.
type: integer
httpEnabled:
description: Enables the HTTP listener.
type: boolean
type: object
hostname:
description: In this section you can configure Keycloak hostname and
related properties.
properties:
hostname:
description: Hostname for the Keycloak server.
type: string
strict:
description: Disables dynamically resolving the hostname from
request headers.
type: boolean
strictBackchannel:
description: By default backchannel URLs are dynamically resolved
from request headers to allow internal and external applications.
type: boolean
admin:
description: The hostname for accessing the administration console.
type: string
adminUrl:
description: "Set the base URL for accessing the administration\
\ console, including scheme, host, port and path"
type: string
type: object
unsupported:
description: |-
In this section you can configure podTemplate advanced features, not production-ready, and not supported settings.
@ -2765,9 +2778,123 @@ spec:
type: object
type: object
type: object
required:
- hostname
- tlsSecret
ingress:
description: |-
The deployment is, by default, exposed through a basic ingress.
You can change this behaviour by setting the enabled property to false.
properties:
enabled:
type: boolean
type: object
image:
description: Custom Keycloak image to be used.
type: string
imagePullSecrets:
description: Secret(s) that might be used when pulling an image from
a private container image registry or repository.
items:
properties:
name:
type: string
type: object
type: array
additionalOptions:
description: |-
Configuration of the Keycloak server.
expressed as a keys (reference: https://www.keycloak.org/server/all-config) and values that can be either direct values or references to secrets.
items:
properties:
secret:
properties:
optional:
type: boolean
key:
type: string
name:
type: string
type: object
value:
type: string
name:
type: string
type: object
type: array
db:
description: In this section you can find all properties related to
connect to a database.
properties:
passwordSecret:
description: The reference to a secret holding the password of
the database user.
properties:
optional:
type: boolean
key:
type: string
name:
type: string
type: object
usernameSecret:
description: The reference to a secret holding the username of
the database user.
properties:
optional:
type: boolean
key:
type: string
name:
type: string
type: object
port:
description: "Sets the port of the default JDBC URL of the chosen\
\ vendor. If the `url` option is set, this option is ignored."
type: integer
schema:
description: The database schema to be used.
type: string
host:
description: "Sets the hostname of the default JDBC URL of the\
\ chosen vendor. If the `url` option is set, this option is\
\ ignored."
type: string
url:
description: "The full database JDBC URL. If not provided, a default\
\ URL is set based on the selected database vendor. For instance,\
\ if using 'postgres', the default JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. "
type: string
poolInitialSize:
description: The initial size of the connection pool.
type: integer
poolMaxSize:
description: The maximum size of the connection pool.
type: integer
vendor:
description: The database vendor.
type: string
database:
description: "Sets the database name of the default JDBC URL of\
\ the chosen vendor. If the `url` option is set, this option\
\ is ignored."
type: string
poolMinSize:
description: The minimal size of the connection pool.
type: integer
type: object
features:
description: "In this section you can configure Keycloak features,\
\ which should be enabled/disabled."
properties:
disabled:
description: Disabled Keycloak features
items:
type: string
type: array
enabled:
description: Enabled Keycloak features
items:
type: string
type: array
type: object
type: object
status:
properties:

22
charts/kubezero-auth/templates/keycloak/keycloak.yaml
View File

@ -5,12 +5,14 @@ metadata:
name: {{ template "kubezero-lib.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
instances: 1
disableDefaultIngress: true
instances: {{ .Values.keycloak.replicas }}
serverConfiguration:
additionalOptions:
# Needs int casting thx to https://github.com/kubernetes-sigs/yaml/issues/45
{{- if lt (int .Values.keycloak.replicas) 2 }}
- name: cache
value: local
{{- end }}
{{- if .Values.postgresql.enabled }}
- name: db
value: postgres
@ -30,15 +32,21 @@ spec:
- name: hostname-strict-https
value: "false"
- name: proxy
value: passthrough
value: edge
- name: http-enabled
value: "true"
#hostname: INSECURE-DISABLE
hostname: {{ default "keycloak" .Values.keycloak.istio.url }}
ingress:
enabled: false
http:
httpEnabled: true
# We use Istio Ingress to terminate TLS
# mTls down the road
tlsSecret: INSECURE-DISABLE
hostname:
hostname: {{ default "keycloak" .Values.keycloak.istio.url }}
strict: false
strictBackchannel: false
{{- end }}

24
charts/kubezero-auth/templates/keycloak/operator.yaml
View File

@ -4,20 +4,20 @@ apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000
app.quarkus.io/build-timestamp: 2022-11-01 - 13:22:44 +0000
labels:
app.kubernetes.io/version: 19.0.1
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 20.0.0
name: keycloak-operator
---
apiVersion: v1
kind: Service
metadata:
annotations:
app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000
app.quarkus.io/build-timestamp: 2022-11-01 - 13:22:44 +0000
labels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 19.0.1
app.kubernetes.io/version: 20.0.0
name: keycloak-operator
spec:
ports:
@ -26,7 +26,7 @@ spec:
targetPort: 8080
selector:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 19.0.1
app.kubernetes.io/version: 20.0.0
type: ClusterIP
---
apiVersion: rbac.authorization.k8s.io/v1
@ -179,24 +179,24 @@ apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000
app.quarkus.io/build-timestamp: 2022-11-01 - 13:22:44 +0000
labels:
app.kubernetes.io/version: 19.0.1
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 20.0.0
name: keycloak-operator
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/version: 19.0.1
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 20.0.0
template:
metadata:
annotations:
app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000
app.quarkus.io/build-timestamp: 2022-11-01 - 13:22:44 +0000
labels:
app.kubernetes.io/version: 19.0.1
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 20.0.0
spec:
containers:
- env:
@ -205,8 +205,8 @@ spec:
fieldRef:
fieldPath: metadata.namespace
- name: OPERATOR_KEYCLOAK_IMAGE
value: quay.io/keycloak/keycloak:19.0.1
image: quay.io/keycloak/keycloak-operator:19.0.1
value: quay.io/keycloak/keycloak:20.0.0
image: quay.io/keycloak/keycloak-operator:20.0.0
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3

15
charts/kubezero-auth/templates/keycloak/pdb.yaml Normal file
View File

@ -0,0 +1,15 @@
{{- if and .Values.keycloak.podDisruptionBudget (gt (int .Values.keycloak.replicas) 1) }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "kubezero-lib.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
app: keycloak
app.kubernetes.io/managed-by: keycloak-operator
{{- toYaml .Values.keycloak.podDisruptionBudget | nindent 2 }}
{{- end }}

6
charts/kubezero-auth/update.sh
View File

@ -9,8 +9,8 @@ helm dep update
# Operator
VERSION=$(yq eval '.appVersion' Chart.yaml)
wget -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml
wget -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml
wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/kubernetes.yml
wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/kubernetes.yml
patch -i keycloak.patch -p0 --no-backup-if-mismatch

4
charts/kubezero-auth/values.yaml
View File

@ -1,6 +1,10 @@
keycloak:
enabled: false
replicas: 1
podDisruptionBudget:
minAvailable: 1
istio:
enabled: false
gateway: istio-ingress/private-ingressgateway