feat: new KubeZero Auth module, starting with Keycloak

This commit is contained in:
Stefan Reimer 2022-05-11 12:50:05 +02:00
parent 39cb28f4f6
commit 68aa21da4d
8 changed files with 3130 additions and 0 deletions

View File

@ -0,0 +1,19 @@
apiVersion: v2
name: kubezero-auth
description: KubeZero umbrella chart for all things Authentication and Identity management
type: application
version: 0.1.0
appVersion: 18.0.0
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
- kubezero
- keycloak
maintainers:
- name: Stefan Reimer
email: stefan@zero-downtime.net
dependencies:
- name: kubezero-lib
version: ">= 0.1.4"
repository: https://cdn.zero-downtime.net/charts/
kubeVersion: ">= 1.20.0"

View File

@ -0,0 +1,33 @@
# kubezero-auth
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 18.0.0](https://img.shields.io/badge/AppVersion-18.0.0-informational?style=flat-square)
KubeZero umbrella chart for all things Authentication and Identity management
**Homepage:** <https://kubezero.com>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Stefan Reimer | <stefan@zero-downtime.net> | |
## Requirements
Kubernetes: `>= 1.20.0`
| Repository | Name | Version |
|------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 |
# Keycloak
## Resources
- Codecentric Helm chart: `https://github.com/codecentric/helm-charts/tree/master/charts/keycloak`
- custom image: `https://www.keycloak.org/server/containers`
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| keycloak.enabled | bool | `false` | |

View File

@ -0,0 +1,22 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.description" . }}
{{ template "chart.homepageLine" . }}
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
# Keycloak
## Resources
- Codecentric Helm chart: `https://github.com/codecentric/helm-charts/tree/master/charts/keycloak`
- custom image: `https://www.keycloak.org/server/containers`
{{ template "chart.valuesSection" . }}

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,12 @@
--- templates/keycloak-operator/all.yaml.orig 2022-05-11 12:46:15.860204871 +0200
+++ templates/keycloak-operator/all.yaml 2022-05-11 12:46:02.840068240 +0200
@@ -1,3 +1,4 @@
+{{- if .Values.keycloak.enabled }}
---
apiVersion: v1
kind: ServiceAccount
@@ -233,3 +234,4 @@
successThreshold: 1
timeoutSeconds: 10
serviceAccountName: keycloak-operator
+{{- end }}

View File

@ -0,0 +1,237 @@
{{- if .Values.keycloak.enabled }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
app.quarkus.io/build-timestamp: 2022-04-21 - 08:45:16 +0000
labels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 18.0.0
name: keycloak-operator
---
apiVersion: v1
kind: Service
metadata:
annotations:
app.quarkus.io/build-timestamp: 2022-04-21 - 08:45:16 +0000
labels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 18.0.0
name: keycloak-operator
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 18.0.0
type: ClusterIP
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: keycloak-operator-role
rules:
- apiGroups:
- apps
- extensions
resources:
- deployments
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- ""
resources:
- secrets
- services
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- batch
resources:
- jobs
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/name: keycloak-operator
name: keycloak-operator-role-binding
roleRef:
kind: Role
apiGroup: rbac.authorization.k8s.io
name: keycloak-operator-role
subjects:
- kind: ServiceAccount
name: keycloak-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: keycloak-operator-view
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: view
subjects:
- kind: ServiceAccount
name: keycloak-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: keycloakcontroller-role-binding
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: keycloakcontroller-cluster-role
subjects:
- kind: ServiceAccount
name: keycloak-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: keycloakrealmimportcontroller-role-binding
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: keycloakrealmimportcontroller-cluster-role
subjects:
- kind: ServiceAccount
name: keycloak-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: keycloakcontroller-cluster-role
rules:
- apiGroups:
- k8s.keycloak.org
resources:
- keycloaks
- keycloaks/status
- keycloaks/finalizers
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: keycloakrealmimportcontroller-cluster-role
rules:
- apiGroups:
- k8s.keycloak.org
resources:
- keycloakrealmimports
- keycloakrealmimports/status
- keycloakrealmimports/finalizers
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
app.quarkus.io/build-timestamp: 2022-04-21 - 08:45:16 +0000
labels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 18.0.0
name: keycloak-operator
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 18.0.0
template:
metadata:
annotations:
app.quarkus.io/build-timestamp: 2022-04-21 - 08:45:16 +0000
labels:
app.kubernetes.io/name: keycloak-operator
app.kubernetes.io/version: 18.0.0
spec:
containers:
- env:
- name: KUBERNETES_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: OPERATOR_KEYCLOAK_IMAGE
value: quay.io/keycloak/keycloak:18.0.0
image: quay.io/keycloak/keycloak-operator:18.0.0
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
httpGet:
path: /q/health/live
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
name: keycloak-operator
ports:
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /q/health/ready
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
serviceAccountName: keycloak-operator
{{- end }}

15
charts/kubezero-auth/update.sh Executable file
View File

@ -0,0 +1,15 @@
#!/bin/bash
set -ex
helm dep update
# Operator
VERSION=$(yq eval '.appVersion' Chart.yaml)
wget -q -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
# No realm imports needed so far
# wget -q -O crds/keycloak-realmimport.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml
wget -q -O templates/keycloak-operator/all.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/kubernetes.yml
patch -i keycloak.patch -p0 --no-backup-if-mismatch

View File

@ -0,0 +1,2 @@
keycloak:
enabled: false