diff --git a/charts/kubezero-auth/Chart.yaml b/charts/kubezero-auth/Chart.yaml
new file mode 100644
index 0000000..a8eead4
--- /dev/null
+++ b/charts/kubezero-auth/Chart.yaml
@@ -0,0 +1,19 @@
+apiVersion: v2
+name: kubezero-auth
+description: KubeZero umbrella chart for all things Authentication and Identity management
+type: application
+version: 0.1.0
+appVersion: 18.0.0
+home: https://kubezero.com
+icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
+keywords:
+ - kubezero
+ - keycloak
+maintainers:
+ - name: Stefan Reimer
+ email: stefan@zero-downtime.net
+dependencies:
+ - name: kubezero-lib
+ version: ">= 0.1.4"
+ repository: https://cdn.zero-downtime.net/charts/
+kubeVersion: ">= 1.20.0"
diff --git a/charts/kubezero-auth/README.md b/charts/kubezero-auth/README.md
new file mode 100644
index 0000000..e006cfc
--- /dev/null
+++ b/charts/kubezero-auth/README.md
@@ -0,0 +1,33 @@
+# kubezero-auth
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 18.0.0](https://img.shields.io/badge/AppVersion-18.0.0-informational?style=flat-square)
+
+KubeZero umbrella chart for all things Authentication and Identity management
+
+**Homepage:**
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Stefan Reimer | | |
+
+## Requirements
+
+Kubernetes: `>= 1.20.0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 |
+
+# Keycloak
+
+## Resources
+- Codecentric Helm chart: `https://github.com/codecentric/helm-charts/tree/master/charts/keycloak`
+- custom image: `https://www.keycloak.org/server/containers`
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| keycloak.enabled | bool | `false` | |
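Review bot: The `kubezero-lib` dependency in the Chart.yaml hunk is constrained only from below (`version: ">= 0.1.4"`), so `helm dependency update` resolves to whatever newest kubezero-lib the repository serves at build time, including a future breaking release, which makes the chart build neither reproducible nor reviewable from this file alone. A bounded range such as `version: ">= 0.1.4 < 0.2.0"`, with the exact resolved version committed in Chart.lock, keeps the supply chain pinned while still allowing patch updates. The generated README in the same physical line merely mirrors this value and needs no separate change once Chart.yaml is fixed. Quoting `appVersion: "18.0.0"` would also match the quoted `version`/`kubeVersion` style and guards against a later two-component app version (e.g. `18.1`) being parsed as a float.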
diff --git a/charts/kubezero-auth/README.md.gotmpl b/charts/kubezero-auth/README.md.gotmpl
new file mode 100644
index 0000000..bad2006
--- /dev/null
+++ b/charts/kubezero-auth/README.md.gotmpl
@@ -0,0 +1,22 @@
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+# Keycloak
+
+## Resources
+- Codecentric Helm chart: `https://github.com/codecentric/helm-charts/tree/master/charts/keycloak`
+- custom image: `https://www.keycloak.org/server/containers`
+
+{{ template "chart.valuesSection" . }}
diff --git a/charts/kubezero-auth/crds/keycloak.yaml b/charts/kubezero-auth/crds/keycloak.yaml
new file mode 100644
index 0000000..990f063
--- /dev/null
+++ b/charts/kubezero-auth/crds/keycloak.yaml
@@ -0,0 +1,2790 @@ +# Generated by Fabric8 CRDGenerator, manual edits might get overwritten! +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: keycloaks.k8s.keycloak.org +spec: + group: k8s.keycloak.org + names: + kind: Keycloak + plural: keycloaks + shortNames: + - kc + singular: keycloak + scope: Namespaced + versions: + - name: v2alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + serverConfiguration: + description: |- + Configuration of the Keycloak server. + expressed as a keys (reference: https://www.keycloak.org/server/all-config) and values that can be either direct values or references to secrets. + items: + properties: + secret: + properties: + optional: + type: boolean + key: + type: string + name: + type: string + type: object + value: + type: string + name: + type: string + type: object + type: array + hostname: + description: |- + Hostname for the Keycloak server. + The special value `INSECURE-DISABLE` disables the hostname strict resolution. + type: string + instances: + description: Number of Keycloak instances in HA mode. Default is 1. + type: integer + unsupported: + description: |- + In this section you can configure podTemplate advanced features, not production-ready, and not supported settings. + Use at your own risk and open an issue with your use-case if you don't find an alternative way. + properties: + podTemplate: + description: |- + You can configure that will be merged with the one configured by default by the operator. + Use at your own risk, we reserve the possibility to remove/change the way any field gets merged in future releases without notice. 
+ Reference: https://kubernetes.io/docs/concepts/workloads/pods/#pod-templates + properties: + metadata: + properties: + generateName: + type: string + deletionGracePeriodSeconds: + type: integer + deletionTimestamp: + type: string + clusterName: + type: string + resourceVersion: + type: string + annotations: + additionalProperties: + type: string + type: object + selfLink: + type: string + creationTimestamp: + type: string + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + ownerReferences: + items: + properties: + blockOwnerDeletion: + type: boolean + uid: + type: string + apiVersion: + type: string + name: + type: string + kind: + type: string + controller: + type: boolean + type: object + type: array + uid: + type: string + generation: + type: integer + name: + type: string + managedFields: + items: + properties: + time: + type: string + apiVersion: + type: string + fieldsV1: + type: object + fieldsType: + type: string + manager: + type: string + operation: + type: string + subresource: + type: string + type: object + type: array + namespace: + type: string + type: object + spec: + properties: + volumes: + items: + properties: + hostPath: + properties: + path: + type: string + type: + type: string + type: object + flexVolume: + properties: + readOnly: + type: boolean + options: + additionalProperties: + type: string + type: object + secretRef: + properties: + name: + type: string + type: object + fsType: + type: string + driver: + type: string + type: object + gcePersistentDisk: + properties: + readOnly: + type: boolean + pdName: + type: string + partition: + type: integer + fsType: + type: string + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + properties: + generateName: + type: string + deletionGracePeriodSeconds: + type: integer + deletionTimestamp: + type: string + clusterName: + type: string + resourceVersion: + type: string + annotations: + 
additionalProperties: + type: string + type: object + selfLink: + type: string + creationTimestamp: + type: string + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + ownerReferences: + items: + properties: + blockOwnerDeletion: + type: boolean + uid: + type: string + apiVersion: + type: string + name: + type: string + kind: + type: string + controller: + type: boolean + type: object + type: array + uid: + type: string + generation: + type: integer + name: + type: string + managedFields: + items: + properties: + time: + type: string + apiVersion: + type: string + fieldsV1: + type: object + fieldsType: + type: string + manager: + type: string + operation: + type: string + subresource: + type: string + type: object + type: array + namespace: + type: string + type: object + spec: + properties: + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + values: + items: + type: string + type: array + operator: + type: string + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + storageClassName: + type: string + dataSource: + properties: + name: + type: string + kind: + type: string + apiGroup: + type: string + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + dataSourceRef: + properties: + name: + type: string + kind: + type: string + apiGroup: + type: string + type: object + accessModes: + items: + type: string + type: array + volumeMode: + type: string + volumeName: + type: string + type: object + type: object + type: object + scaleIO: + properties: + readOnly: + type: boolean + storageMode: + type: string + storagePool: + type: string + system: + 
type: string + gateway: + type: string + secretRef: + properties: + name: + type: string + type: object + fsType: + type: string + sslEnabled: + type: boolean + volumeName: + type: string + protectionDomain: + type: string + type: object + csi: + properties: + nodePublishSecretRef: + properties: + name: + type: string + type: object + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + fsType: + type: string + driver: + type: string + type: object + secret: + properties: + optional: + type: boolean + secretName: + type: string + items: + items: + properties: + path: + type: string + key: + type: string + mode: + type: integer + type: object + type: array + defaultMode: + type: integer + type: object + name: + type: string + vsphereVolume: + properties: + storagePolicyName: + type: string + storagePolicyID: + type: string + volumePath: + type: string + fsType: + type: string + type: object + gitRepo: + properties: + revision: + type: string + repository: + type: string + directory: + type: string + type: object + glusterfs: + properties: + path: + type: string + readOnly: + type: boolean + endpoints: + type: string + type: object + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + type: object + cinder: + properties: + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + fsType: + type: string + volumeID: + type: string + type: object + flocker: + properties: + datasetUUID: + type: string + datasetName: + type: string + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + volume: + type: string + user: + type: string + registry: + type: string + tenant: + type: string + type: object + photonPersistentDisk: + properties: + pdID: + type: string + fsType: + type: string + type: object + persistentVolumeClaim: + properties: + readOnly: + type: boolean + claimName: + type: string + type: object + 
awsElasticBlockStore: + properties: + readOnly: + type: boolean + partition: + type: integer + fsType: + type: string + volumeID: + type: string + type: object + configMap: + properties: + optional: + type: boolean + items: + items: + properties: + path: + type: string + key: + type: string + mode: + type: integer + type: object + type: array + defaultMode: + type: integer + name: + type: string + type: object + storageos: + properties: + readOnly: + type: boolean + volumeNamespace: + type: string + secretRef: + properties: + name: + type: string + type: object + fsType: + type: string + volumeName: + type: string + type: object + portworxVolume: + properties: + readOnly: + type: boolean + fsType: + type: string + volumeID: + type: string + type: object + iscsi: + properties: + readOnly: + type: boolean + chapAuthSession: + type: boolean + lun: + type: integer + targetPortal: + type: string + iscsiInterface: + type: string + portals: + items: + type: string + type: array + initiatorName: + type: string + secretRef: + properties: + name: + type: string + type: object + fsType: + type: string + iqn: + type: string + chapAuthDiscovery: + type: boolean + type: object + rbd: + properties: + readOnly: + type: boolean + pool: + type: string + keyring: + type: string + image: + type: string + secretRef: + properties: + name: + type: string + type: object + monitors: + items: + type: string + type: array + fsType: + type: string + user: + type: string + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + type: object + downwardAPI: + properties: + items: + items: + properties: + path: + type: string + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + type: string + type: object + mode: + 
type: integer + type: object + type: array + defaultMode: + type: integer + type: object + projected: + properties: + defaultMode: + type: integer + sources: + items: + properties: + secret: + properties: + optional: + type: boolean + items: + items: + properties: + path: + type: string + key: + type: string + mode: + type: integer + type: object + type: array + name: + type: string + type: object + configMap: + properties: + optional: + type: boolean + items: + items: + properties: + path: + type: string + key: + type: string + mode: + type: integer + type: object + type: array + name: + type: string + type: object + serviceAccountToken: + properties: + path: + type: string + audience: + type: string + expirationSeconds: + type: integer + type: object + downwardAPI: + properties: + items: + items: + properties: + path: + type: string + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + type: string + type: object + mode: + type: integer + type: object + type: array + type: object + type: object + type: array + type: object + azureDisk: + properties: + readOnly: + type: boolean + diskName: + type: string + cachingMode: + type: string + fsType: + type: string + kind: + type: string + diskURI: + type: string + type: object + cephfs: + properties: + path: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + monitors: + items: + type: string + type: array + secretFile: + type: string + user: + type: string + type: object + emptyDir: + properties: + sizeLimit: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + medium: + type: string + type: object + fc: + properties: + readOnly: + type: boolean + lun: + type: integer + wwids: + items: + type: string + type: array + 
targetWWNs: + items: + type: string + type: array + fsType: + type: string + type: object + type: object + type: array + restartPolicy: + type: string + terminationGracePeriodSeconds: + type: integer + setHostnameAsFQDN: + type: boolean + dnsConfig: + properties: + nameservers: + items: + type: string + type: array + searches: + items: + type: string + type: array + options: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + type: object + securityContext: + properties: + runAsGroup: + type: integer + runAsNonRoot: + type: boolean + windowsOptions: + properties: + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + gmsaCredentialSpec: + type: string + runAsUserName: + type: string + type: object + sysctls: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + fsGroupChangePolicy: + type: string + seLinuxOptions: + properties: + role: + type: string + type: + type: string + user: + type: string + level: + type: string + type: object + fsGroup: + type: integer + supplementalGroups: + items: + type: integer + type: array + runAsUser: + type: integer + seccompProfile: + properties: + type: + type: string + localhostProfile: + type: string + type: object + type: object + imagePullSecrets: + items: + properties: + name: + type: string + type: object + type: array + subdomain: + type: string + serviceAccount: + type: string + activeDeadlineSeconds: + type: integer + priority: + type: integer + ephemeralContainers: + items: + properties: + lifecycle: + properties: + postStart: + properties: + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + 
value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + preStop: + properties: + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + type: object + command: + items: + type: string + type: array + livenessProbe: + properties: + periodSeconds: + type: integer + failureThreshold: + type: integer + initialDelaySeconds: + type: integer + grpc: + properties: + port: + type: integer + service: + type: string + type: object + successThreshold: + type: integer + terminationGracePeriodSeconds: + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + timeoutSeconds: + type: integer + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + stdin: + type: boolean + image: + type: string + targetContainerName: + type: string + terminationMessagePolicy: + type: string + readinessProbe: + properties: + periodSeconds: + type: integer + failureThreshold: + type: integer + 
initialDelaySeconds: + type: integer + grpc: + properties: + port: + type: integer + service: + type: string + type: object + successThreshold: + type: integer + terminationGracePeriodSeconds: + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + timeoutSeconds: + type: integer + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + terminationMessagePath: + type: string + env: + items: + properties: + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + optional: + type: boolean + key: + type: string + name: + type: string + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + type: string + type: object + secretKeyRef: + properties: + optional: + type: boolean + key: + type: string + name: + type: string + type: object + type: object + name: + type: string + type: object + type: array + tty: + type: boolean + args: + items: + type: string + type: array + startupProbe: + properties: + periodSeconds: + type: integer + failureThreshold: + type: integer + initialDelaySeconds: + type: integer + grpc: + properties: + port: + type: integer + service: + type: string + type: object + successThreshold: + type: integer + terminationGracePeriodSeconds: + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - 
type: string + x-kubernetes-int-or-string: true + type: object + timeoutSeconds: + type: integer + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + stdinOnce: + type: boolean + ports: + items: + properties: + containerPort: + type: integer + hostPort: + type: integer + name: + type: string + protocol: + type: string + hostIP: + type: string + type: object + type: array + workingDir: + type: string + envFrom: + items: + properties: + prefix: + type: string + configMapRef: + properties: + optional: + type: boolean + name: + type: string + type: object + secretRef: + properties: + optional: + type: boolean + name: + type: string + type: object + type: object + type: array + volumeMounts: + items: + properties: + readOnly: + type: boolean + subPathExpr: + type: string + mountPath: + type: string + mountPropagation: + type: string + subPath: + type: string + name: + type: string + type: object + type: array + securityContext: + properties: + runAsGroup: + type: integer + runAsNonRoot: + type: boolean + windowsOptions: + properties: + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + gmsaCredentialSpec: + type: string + runAsUserName: + type: string + type: object + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + seLinuxOptions: + properties: + role: + type: string + type: + type: string + user: + type: string + level: + type: string + type: object + readOnlyRootFilesystem: + type: boolean + privileged: + type: boolean + runAsUser: + type: integer + procMount: + 
type: string + seccompProfile: + properties: + type: + type: string + localhostProfile: + type: string + type: object + type: object + name: + type: string + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + imagePullPolicy: + type: string + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + type: object + type: array + type: object + type: array + automountServiceAccountToken: + type: boolean + containers: + items: + properties: + lifecycle: + properties: + postStart: + properties: + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + preStop: + properties: + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + type: object + command: + items: + type: string + type: array + 
livenessProbe: + properties: + periodSeconds: + type: integer + failureThreshold: + type: integer + initialDelaySeconds: + type: integer + grpc: + properties: + port: + type: integer + service: + type: string + type: object + successThreshold: + type: integer + terminationGracePeriodSeconds: + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + timeoutSeconds: + type: integer + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + stdin: + type: boolean + image: + type: string + terminationMessagePolicy: + type: string + readinessProbe: + properties: + periodSeconds: + type: integer + failureThreshold: + type: integer + initialDelaySeconds: + type: integer + grpc: + properties: + port: + type: integer + service: + type: string + type: object + successThreshold: + type: integer + terminationGracePeriodSeconds: + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + timeoutSeconds: + type: integer + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + terminationMessagePath: + type: string + env: + items: + properties: + value: + type: 
string + valueFrom: + properties: + configMapKeyRef: + properties: + optional: + type: boolean + key: + type: string + name: + type: string + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + type: string + type: object + secretKeyRef: + properties: + optional: + type: boolean + key: + type: string + name: + type: string + type: object + type: object + name: + type: string + type: object + type: array + tty: + type: boolean + args: + items: + type: string + type: array + startupProbe: + properties: + periodSeconds: + type: integer + failureThreshold: + type: integer + initialDelaySeconds: + type: integer + grpc: + properties: + port: + type: integer + service: + type: string + type: object + successThreshold: + type: integer + terminationGracePeriodSeconds: + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + timeoutSeconds: + type: integer + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + stdinOnce: + type: boolean + ports: + items: + properties: + containerPort: + type: integer + hostPort: + type: integer + name: + type: string + protocol: + type: string + hostIP: + type: string + type: object + type: array + workingDir: + type: string + envFrom: + items: + properties: + prefix: + type: string + configMapRef: + properties: + optional: + type: boolean + name: + 
type: string + type: object + secretRef: + properties: + optional: + type: boolean + name: + type: string + type: object + type: object + type: array + volumeMounts: + items: + properties: + readOnly: + type: boolean + subPathExpr: + type: string + mountPath: + type: string + mountPropagation: + type: string + subPath: + type: string + name: + type: string + type: object + type: array + securityContext: + properties: + runAsGroup: + type: integer + runAsNonRoot: + type: boolean + windowsOptions: + properties: + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + gmsaCredentialSpec: + type: string + runAsUserName: + type: string + type: object + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + seLinuxOptions: + properties: + role: + type: string + type: + type: string + user: + type: string + level: + type: string + type: object + readOnlyRootFilesystem: + type: boolean + privileged: + type: boolean + runAsUser: + type: integer + procMount: + type: string + seccompProfile: + properties: + type: + type: string + localhostProfile: + type: string + type: object + type: object + name: + type: string + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + imagePullPolicy: + type: string + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + type: object + type: array + type: object + type: array + initContainers: + items: + properties: + lifecycle: + properties: + postStart: + properties: + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + 
exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + preStop: + properties: + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + type: object + command: + items: + type: string + type: array + livenessProbe: + properties: + periodSeconds: + type: integer + failureThreshold: + type: integer + initialDelaySeconds: + type: integer + grpc: + properties: + port: + type: integer + service: + type: string + type: object + successThreshold: + type: integer + terminationGracePeriodSeconds: + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + timeoutSeconds: + type: integer + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + stdin: + type: boolean 
+ image: + type: string + terminationMessagePolicy: + type: string + readinessProbe: + properties: + periodSeconds: + type: integer + failureThreshold: + type: integer + initialDelaySeconds: + type: integer + grpc: + properties: + port: + type: integer + service: + type: string + type: object + successThreshold: + type: integer + terminationGracePeriodSeconds: + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + timeoutSeconds: + type: integer + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + terminationMessagePath: + type: string + env: + items: + properties: + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + optional: + type: boolean + key: + type: string + name: + type: string + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + type: string + type: object + secretKeyRef: + properties: + optional: + type: boolean + key: + type: string + name: + type: string + type: object + type: object + name: + type: string + type: object + type: array + tty: + type: boolean + args: + items: + type: string + type: array + startupProbe: + properties: + periodSeconds: + type: integer + failureThreshold: + type: integer + initialDelaySeconds: + type: integer + grpc: + properties: + port: + type: integer + service: + type: string + type: object + 
successThreshold: + type: integer + terminationGracePeriodSeconds: + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + timeoutSeconds: + type: integer + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + path: + type: string + scheme: + type: string + host: + type: string + httpHeaders: + items: + properties: + value: + type: string + name: + type: string + type: object + type: array + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + stdinOnce: + type: boolean + ports: + items: + properties: + containerPort: + type: integer + hostPort: + type: integer + name: + type: string + protocol: + type: string + hostIP: + type: string + type: object + type: array + workingDir: + type: string + envFrom: + items: + properties: + prefix: + type: string + configMapRef: + properties: + optional: + type: boolean + name: + type: string + type: object + secretRef: + properties: + optional: + type: boolean + name: + type: string + type: object + type: object + type: array + volumeMounts: + items: + properties: + readOnly: + type: boolean + subPathExpr: + type: string + mountPath: + type: string + mountPropagation: + type: string + subPath: + type: string + name: + type: string + type: object + type: array + securityContext: + properties: + runAsGroup: + type: integer + runAsNonRoot: + type: boolean + windowsOptions: + properties: + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + gmsaCredentialSpec: + type: string + runAsUserName: + type: string + type: object + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + seLinuxOptions: + properties: + role: + type: string + type: + type: string + 
user: + type: string + level: + type: string + type: object + readOnlyRootFilesystem: + type: boolean + privileged: + type: boolean + runAsUser: + type: integer + procMount: + type: string + seccompProfile: + properties: + type: + type: string + localhostProfile: + type: string + type: object + type: object + name: + type: string + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: object + imagePullPolicy: + type: string + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + type: object + type: array + type: object + type: array + priorityClassName: + type: string + tolerations: + items: + properties: + key: + type: string + operator: + type: string + tolerationSeconds: + type: integer + value: + type: string + effect: + type: string + type: object + type: array + hostPID: + type: boolean + os: + properties: + name: + type: string + type: object + serviceAccountName: + type: string + shareProcessNamespace: + type: boolean + hostNetwork: + type: boolean + hostname: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + enableServiceLinks: + type: boolean + affinity: + properties: + podAntiAffinity: + properties: + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + namespaces: + items: + type: string + type: array + topologyKey: + type: string + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + values: + items: + type: string + type: array + operator: + type: string + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + values: + items: 
+ type: string + type: array + operator: + type: string + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + type: array + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + namespaces: + items: + type: string + type: array + topologyKey: + type: string + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + values: + items: + type: string + type: array + operator: + type: string + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + values: + items: + type: string + type: array + operator: + type: string + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + weight: + type: integer + preference: + properties: + matchFields: + items: + properties: + key: + type: string + values: + items: + type: string + type: array + operator: + type: string + type: object + type: array + matchExpressions: + items: + properties: + key: + type: string + values: + items: + type: string + type: array + operator: + type: string + type: object + type: array + type: object + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchFields: + items: + properties: + key: + type: string + values: + items: + type: string + type: array + operator: + type: string + type: object + type: array + matchExpressions: + items: + properties: + key: + type: string + values: + items: + type: string + type: array + operator: + type: string + type: 
object + type: array + type: object + type: array + type: object + type: object + podAffinity: + properties: + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + namespaces: + items: + type: string + type: array + topologyKey: + type: string + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + values: + items: + type: string + type: array + operator: + type: string + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + values: + items: + type: string + type: array + operator: + type: string + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + type: array + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + namespaces: + items: + type: string + type: array + topologyKey: + type: string + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + values: + items: + type: string + type: array + operator: + type: string + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + values: + items: + type: string + type: array + operator: + type: string + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: object + readinessGates: + items: + properties: + conditionType: + type: string + type: object + type: array + dnsPolicy: + type: string + hostIPC: + type: boolean + topologySpreadConstraints: + items: + properties: + topologyKey: + type: string + maxSkew: + type: integer + 
whenUnsatisfiable: + type: string + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + values: + items: + type: string + type: array + operator: + type: string + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + type: array + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + schedulerName: + type: string + nodeName: + type: string + preemptionPolicy: + type: string + hostAliases: + items: + properties: + hostnames: + items: + type: string + type: array + ip: + type: string + type: object + type: array + runtimeClassName: + type: string + type: object + type: object + type: object + tlsSecret: + description: |- + A secret containing the TLS configuration for HTTPS. Reference: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets. + The special value `INSECURE-DISABLE` disables https. + type: string + disableDefaultIngress: + description: Disable the default ingress. + type: boolean + image: + description: Custom Keycloak image to be used. + type: string + required: + - hostname + - tlsSecret + type: object + status: + properties: + conditions: + items: + properties: + status: + type: boolean + type: + type: string + message: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/kubezero-auth/keycloak.patch b/charts/kubezero-auth/keycloak.patch new file mode 100644 index 0000000..dfaec45 --- /dev/null +++ b/charts/kubezero-auth/keycloak.patch 
@@ -0,0 +1,12 @@
+--- templates/keycloak-operator/all.yaml.orig 2022-05-11 12:46:15.860204871 +0200
++++ templates/keycloak-operator/all.yaml 2022-05-11 12:46:02.840068240 +0200
+@@ -1,3 +1,4 @@
++{{- if .Values.keycloak.enabled }}
+ ---
+ apiVersion: v1
+ kind: ServiceAccount
+@@ -233,3 +234,4 @@
+ successThreshold: 1
+ timeoutSeconds: 10
+ serviceAccountName: keycloak-operator
++{{- end }}
diff --git a/charts/kubezero-auth/templates/keycloak-operator/all.yaml b/charts/kubezero-auth/templates/keycloak-operator/all.yaml
new file mode 100644
index 0000000..90ee8c0
--- /dev/null
+++ b/charts/kubezero-auth/templates/keycloak-operator/all.yaml
@@ -0,0 +1,237 @@
+{{- if .Values.keycloak.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ app.quarkus.io/build-timestamp: 2022-04-21 - 08:45:16 +0000
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 18.0.0
+ name: keycloak-operator
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ app.quarkus.io/build-timestamp: 2022-04-21 - 08:45:16 +0000
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 18.0.0
+ name: keycloak-operator
+spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8080
+ selector:
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 18.0.0
+ type: ClusterIP
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: keycloak-operator-role
+rules:
+ - apiGroups:
+ - apps
+ - extensions
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+ - update
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+ - update
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ name: keycloak-operator-role-binding
+roleRef:
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+ name: keycloak-operator-role
+subjects:
+ - kind: ServiceAccount
+ name: keycloak-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: keycloak-operator-view
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: view
+subjects:
+ - kind: ServiceAccount
+ name: keycloak-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: keycloakcontroller-role-binding
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: keycloakcontroller-cluster-role
+subjects:
+ - kind: ServiceAccount
+ name: keycloak-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: keycloakrealmimportcontroller-role-binding
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: keycloakrealmimportcontroller-cluster-role
+subjects:
+ - kind: ServiceAccount
+ name: keycloak-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: keycloakcontroller-cluster-role
+rules:
+ - apiGroups:
+ - k8s.keycloak.org
+ resources:
+ - keycloaks
+ - keycloaks/status
+ - keycloaks/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: keycloakrealmimportcontroller-cluster-role
+rules:
+ - apiGroups:
+ - k8s.keycloak.org
+ resources:
+ - keycloakrealmimports
+ - keycloakrealmimports/status
+ - keycloakrealmimports/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+ - update
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ app.quarkus.io/build-timestamp: 2022-04-21 - 08:45:16 +0000
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 18.0.0
+ name: keycloak-operator
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 18.0.0
+ template:
+ metadata:
+ annotations:
+ app.quarkus.io/build-timestamp: 2022-04-21 - 08:45:16 +0000
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 18.0.0
+ spec:
+ containers:
+ - env:
+ - name: KUBERNETES_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: OPERATOR_KEYCLOAK_IMAGE
+ value: quay.io/keycloak/keycloak:18.0.0
+ image:
quay.io/keycloak/keycloak-operator:18.0.0
+ imagePullPolicy: Always
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /q/health/live
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 0
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 10
+ name: keycloak-operator
+ ports:
+ - containerPort: 8080
+ name: http
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /q/health/ready
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 0
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 10
+ serviceAccountName: keycloak-operator
+{{- end }}
diff --git a/charts/kubezero-auth/update.sh b/charts/kubezero-auth/update.sh
new file mode 100755
index 0000000..2dddaf7
--- /dev/null
+++ b/charts/kubezero-auth/update.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+set -ex
+
+helm dep update
+
+# Operator
+VERSION=$(yq eval '.appVersion' Chart.yaml)
+
+wget -q -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
+# No realm imports needed so far
+# wget -q -O crds/keycloak-realmimport.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml
+
+wget -q -O templates/keycloak-operator/all.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/kubernetes.yml
+
+patch -i keycloak.patch -p0 --no-backup-if-mismatch
diff --git a/charts/kubezero-auth/values.yaml b/charts/kubezero-auth/values.yaml
new file mode 100644
index 0000000..eb5efb8
--- /dev/null
+++ b/charts/kubezero-auth/values.yaml
@@ -0,0 +1,2 @@
+keycloak:
+ enabled: false
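Review bot: The operator container in this Deployment has no pod or container `securityContext`, and both images it references (`quay.io/keycloak/keycloak-operator:18.0.0` and the `quay.io/keycloak/keycloak:18.0.0` handed to `OPERATOR_KEYCLOAK_IMAGE`) are pulled by mutable tag with `imagePullPolicy: Always`, so every pod restart re-resolves the tag and whatever it points at then runs with the Role's create/patch/delete on secrets, deployments, jobs and ingresses in the namespace. Because update.sh regenerates this file from upstream and only keycloak.patch survives that, the hardening has to be carried as extra hunks in keycloak.patch rather than edited here. Pin both images to the digest of the release you actually reviewed (`image: quay.io/keycloak/keycloak-operator:18.0.0@sha256:<digest>`, same for the env value) and add a restrictive container securityContext as below; whether `runAsNonRoot` and `readOnlyRootFilesystem` can be enabled depends on how the upstream image is built, which this diff does not show, so confirm against the image first.
```yaml
      containers:
        - env:
            # … unchanged: KUBERNETES_NAMESPACE, OPERATOR_KEYCLOAK_IMAGE …
          image: quay.io/keycloak/keycloak-operator:18.0.0
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
            runAsNonRoot: true  # NOTE(review): confirm the upstream image runs as a non-root UID
          # … unchanged: imagePullPolicy, livenessProbe, name, ports, readinessProbe …
```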
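Review bot: Nothing in this script verifies what the two `wget` calls fetched before `patch` applies the local hunks and the result is committed as the chart's CRD and operator manifest; `set -e` only catches transport failures, and `${VERSION}` resolves a git tag on raw.githubusercontent.com, which is a mutable reference rather than content-addressed. Keep a `SHA256SUMS` file next to keycloak.patch with the digests of the upstream files for the current appVersion and check it right after the downloads, `sha256sum --check --strict SHA256SUMS`, regenerating it deliberately (after reading the upstream diff) on each version bump; alternatively reference the upstream commit SHA instead of the tag in the two URLs. Note also that `wget -O` can leave an empty or partial target file when the request fails, so a failed run should not be followed by a commit without checking `git status`.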