add keycloak

Author: klinch0

packages/apps/tenant/templates/tenant.yaml

@@ -88,3 +88,57 @@ roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}
   apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cozy:{{ include "tenant.name" . }}-rw
+  namespace: cozy-public
+rules:
+- apiGroups: ["apps.cozystack.io/v1alpha1"]
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups: ["source.toolkit.fluxcd.io"]
+  resources: ["helm.toolkit.fluxcd.io/v2"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cozy:{{ include "tenant.name" . }}-rw
+  namespace: cozy-public
+subjects:
+- kind: Group
+  name: cozy:{{ include "tenant.name" . }}-rw
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: cozy:{{ include "tenant.name" . }}-rw
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cozy:{{ include "tenant.name" . }}-ro
+  namespace: cozy-public
+rules:
+- apiGroups: ["apps.cozystack.io/v1alpha1"]
+  resources: ["*"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["source.toolkit.fluxcd.io"]
+  resources: ["helm.toolkit.fluxcd.io/v2"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cozy:{{ include "tenant.name" . }}-ro
+  namespace: cozy-public
+subjects:
+- kind: Group
+  name: cozy:{{ include "tenant.name" . }}-ro
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: cozy:{{ include "tenant.name" . }}-ro
+  apiGroup: rbac.authorization.k8s.io

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.18.0@sha256:8c0e75ca3c9cbc8289cff7955f83e6d52d077cbb0e1328e64a82026c7bea19b5
+  image: kklinch0/cozystack:9.2.1@sha256:17a8c88cbc4a1805617420164dee90e0b71a92f6013ccf0909c609e829678bb8

packages/core/platform/bundles/distro-full.yaml

@@ -174,3 +174,9 @@ releases:
   namespace: cozy-external-secrets-operator
   optional: true
   dependsOn: [cilium]
+
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  dependsOn: [postgres-operator]

packages/core/platform/bundles/distro-hosted.yaml

@@ -124,3 +124,9 @@ releases:
   namespace: cozy-external-secrets-operator
   optional: true
   dependsOn: []
+
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  dependsOn: [postgres-operator]

packages/core/platform/bundles/paas-full.yaml

@@ -249,3 +249,9 @@ releases:
   namespace: cozy-external-secrets-operator
   optional: true
   dependsOn: [cilium,kubeovn]
+
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  dependsOn: [postgres-operator]

packages/core/platform/bundles/paas-hosted.yaml

@@ -19,7 +19,7 @@ releases:
   chart: cozy-cert-manager-crds
   namespace: cozy-cert-manager
   dependsOn: []
-  
+
 - name: cozystack-api
   releaseName: cozystack-api
   chart: cozy-cozystack-api
@@ -145,3 +145,9 @@ releases:
             {{- end }}
   {{- end }}
   {{- end }}
+
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  dependsOn: [postgres-operator]

packages/system/keycloak/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-keycloak
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/keycloak/templates/db.yaml

@@ -0,0 +1,12 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: keycloak-db
+spec:
+  instances: 2
+  storage:
+    size: 20Gi
+
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"

packages/system/keycloak/templates/ingress.yaml

@@ -0,0 +1,36 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $host := index $cozyConfig.data "root-host" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+
+{{- $rootns := lookup "v1" "Namespace" "" "tenant-root" }}
+{{- $ingress := index $rootns.metadata.annotations "namespace.cozystack.io/ingress" }}
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: keycloak-ingress
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- if ne $issuerType "cloudflare" }}
+    acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
+    {{- end }}
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ $ingress }}
+  tls:
+  - hosts:
+      - keycloak.{{ $host }}
+    secretName: web-tls
+  rules:
+  - host: keycloak.{{ $host }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: keycloak-http
+            port:
+              name: http

packages/system/keycloak/templates/service-headless.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak-headless
+spec:
+  type: ClusterIP
+  clusterIP: None
+  selector:
+    app: keycloak-ha

packages/system/keycloak/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak-http
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 8080
+      protocol: TCP
+  selector:
+    app: keycloak-ha

packages/system/keycloak/templates/sts.yaml

@@ -0,0 +1,135 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $host := index $cozyConfig.data "root-host" }}
+{{- $password := randAlphaNum 16 -}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-credentials
+stringData:
+  admin: {{ $password }}
+
+---
+
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak-ha
+spec:
+  selector:
+    matchLabels:
+      app: keycloak-ha
+  replicas: 2
+  serviceName: keycloak-headless
+  podManagementPolicy: Parallel
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: keycloak-ha
+    spec:
+      restartPolicy: Always
+      securityContext:
+        fsGroup: 1000
+      containers:
+        - name: keycloak
+          image: {{ .Values.image }}
+          imagePullPolicy: Always
+         {{- if or .Values.resources.requests .Values.resources.limits }}
+          resources:
+            {{- if .Values.resources.limits }}
+            limits:
+              {{- toYaml .Values.resources.limits | nindent 14 }}
+            {{- end }}
+            {{- if .Values.resources.requests }}
+            requests:
+              {{- toYaml .Values.resources.requests | nindent 14 }}
+            {{- end }}
+          {{- end }}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            capabilities:
+              drop:
+                - ALL
+                - CAP_NET_RAW
+            readOnlyRootFilesystem: false
+            allowPrivilegeEscalation: false
+          args:
+            - start
+          env:
+            - name: KC_METRICS_ENABLED
+              value: "true"
+            - name: KC_LOG_LEVEL
+              value: "info"
+            - name: KC_CACHE
+              value: "ispn"
+            - name: KC_CACHE_STACK
+              value: "kubernetes"
+            - name: KC_PROXY
+              value: "edge"
+            - name: KEYCLOAK_ADMIN
+              value: {{ .Values.user }}
+            - name: KEYCLOAK_ADMIN_PASSWORD
+              value: {{ $password }}
+            - name: KC_DB
+              value: "postgres"
+            - name: KC_DB_URL_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-db-app
+                  key: "host"
+            - name: KC_DB_URL_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-db-app
+                  key: "port"
+            - name: KC_DB_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-db-app
+                  key: "username"
+            - name: KC_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-db-app
+                  key: "password"
+            - name: KC_DB_URL_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-db-app
+                  key: "dbname"
+            - name: KC_FEATURES
+              value: "docker"
+            - name: KC_HOSTNAME
+              value: https://keycloak.{{ $host }}
+            - name: JAVA_OPTS_APPEND
+              value: "-Djgroups.dns.query=keycloak-headless.keycloak.svc.cozy.local"
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 120
+            timeoutSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /realms/master
+              port: http
+            initialDelaySeconds: 60
+            timeoutSeconds: 1
+      volumes:
+        - name: init-script
+          configMap:
+            name: keycloak-init-script
+      volumeMounts:
+        - name: init-script
+          mountPath: /scripts
+          readOnly: true
+      terminationGracePeriodSeconds: 60

packages/system/keycloak/values.yaml

@@ -0,0 +1,14 @@
+image: quay.io/keycloak/keycloak:26.0.4
+
+ingress:
+  annotations:
+    nginx.ingress.kubernetes.io/affinity: "cookie"
+    nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
+    nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
+    nginx.ingress.kubernetes.io/session-cookie-name: "keycloak-cookie"
+resources:
+  limits:
+    memory: 1500Mi
+  requests:
+    memory: 500Mi
+    cpu: 100m

scripts/installer.sh

@@ -3,7 +3,7 @@ set -o pipefail
 set -e
 
 BUNDLE=$(set -x; kubectl get configmap -n cozy-system cozystack -o 'go-template={{index .data "bundle-name"}}')
-VERSION=7
+VERSION=8
 
 run_migrations() {
   if ! kubectl get configmap -n cozy-system cozystack-version; then

scripts/migrations/7

@@ -0,0 +1,9 @@
+#!/bin/sh
+# Migration 7 --> 8
+
+
+host=$(kubectl get hr tenant-root -n tenant-root -o yaml | grep 'host:' | awk '{print $2}')
+kubectl patch configmap -n cozy-system cozystack --type merge -p "{\"data\":{\"root-host\":\"$host\"}}"
+
+# Write version to cozystack-version config
+kubectl create configmap -n cozy-system cozystack-version --from-literal=version=8 --dry-run=client -o yaml | kubectl apply -f-