Commit b5edaaa

add kk operator and configure (#485)
Summary by CodeRabbit (auto-generated release notes by coderabbit.ai)

- New Features
  - Introduced the `keycloak-operator` as an optional component in multiple deployment configurations.
  - Added a Helm chart for the `keycloak-operator`, enabling streamlined deployment and management of Keycloak instances.
  - Enhanced documentation with a new README file for the Keycloak Operator Helm chart, detailing installation and usage instructions.
  - Added various Custom Resource Definitions (CRDs) for managing Keycloak resources effectively within Kubernetes.
- Bug Fixes
  - Improved handling of user credentials and realm configurations in the Keycloak operator.
- Documentation
  - Comprehensive updates to the README and configuration files to assist users in deploying and managing Keycloak.
- Chores
  - Added various Custom Resource Definitions (CRDs) for managing Keycloak resources effectively within Kubernetes.
1 parent 5a4c165 commit b5edaaa


49 files changed: +4596 / -9 lines

packages/core/platform/bundles/distro-full.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -181,3 +181,10 @@ releases:
181181
namespace: cozy-keycloak
182182
optional: true
183183
dependsOn: [postgres-operator]
184+
185+
- name: keycloak-operator
186+
releaseName: keycloak-operator
187+
chart: cozy-keycloak-operator
188+
namespace: cozy-keycloak
189+
optional: true
190+
dependsOn: [keycloak]
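Review bot: the new release is `optional: true` and declares `dependsOn: [keycloak]`, while the release it depends on (the context lines above it) is itself `optional: true`; confirm that the bundle loader either rejects or correctly orders the combination where keycloak-operator is enabled but keycloak is left disabled, otherwise the operator is installed with no Keycloak instance to reconcile against. The same optional-on-optional pattern is repeated in distro-hosted.yaml below, so whatever rule applies here applies there too.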

packages/core/platform/bundles/distro-hosted.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -131,3 +131,10 @@ releases:
131131
namespace: cozy-keycloak
132132
optional: true
133133
dependsOn: [postgres-operator]
134+
135+
- name: keycloak-operator
136+
releaseName: keycloak-operator
137+
chart: cozy-keycloak-operator
138+
namespace: cozy-keycloak
139+
optional: true
140+
dependsOn: [keycloak]

packages/core/platform/bundles/paas-full.yaml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -255,3 +255,9 @@ releases:
255255
chart: cozy-keycloak
256256
namespace: cozy-keycloak
257257
dependsOn: [postgres-operator]
258+
259+
- name: keycloak-operator
260+
releaseName: keycloak-operator
261+
chart: cozy-keycloak-operator
262+
namespace: cozy-keycloak
263+
dependsOn: [keycloak]

packages/core/platform/bundles/paas-hosted.yaml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -151,3 +151,9 @@ releases:
151151
chart: cozy-keycloak
152152
namespace: cozy-keycloak
153153
dependsOn: [postgres-operator]
154+
155+
- name: keycloak-operator
156+
releaseName: keycloak-operator
157+
chart: cozy-keycloak-operator
158+
namespace: cozy-keycloak
159+
dependsOn: [keycloak]
Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
apiVersion: v2
2+
name: cozy-keycloak-operator
3+
version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
include ../../../scripts/package.mk
2+
3+
update:
4+
rm -rf charts
5+
helm repo add epamedp https://epam.github.io/edp-helm-charts/stable
6+
helm repo update epamedp
7+
helm pull epamedp/keycloak-operator --untar --untardir charts
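Review bot: `helm pull epamedp/keycloak-operator --untar --untardir charts` pins no version, so every `make update` vendors whatever the epamedp index currently serves as latest and a chart bump (or a tampered index entry) lands in the tree without anyone choosing it; pass `--version 1.23.0` (the version the vendored Chart.yaml in this commit records) and bump that number deliberately in a reviewed change. Since `rm -rf charts` runs first, an unpinned pull also means a failed pull leaves the directory empty rather than at the previous known-good state.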
Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
# Patterns to ignore when building packages.
2+
# This supports shell glob matching, relative path matching, and
3+
# negation (prefixed with !). Only one pattern per line.
4+
.DS_Store
5+
# Common VCS dirs
6+
.git/
7+
.gitignore
8+
.bzr/
9+
.bzrignore
10+
.hg/
11+
.hgignore
12+
.svn/
13+
# Common backup files
14+
*.swp
15+
*.bak
16+
*.tmp
17+
*.orig
18+
*~
19+
# Various IDEs
20+
.project
21+
.idea/
22+
*.tmproj
23+
.vscode/
Lines changed: 311 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,311 @@
1+
annotations:
2+
artifacthub.io/changes: |
3+
- Add frontend url property for realm
4+
- Allow define KeycloakRealmUser password in Kubernetes secret
5+
- Update current development version
6+
- Publish 1.15.0 version on OperatorHub
7+
- Update current development version
8+
- Add a description to the Custom Resources fields
9+
artifacthub.io/crds: |
10+
- kind: Keycloak
11+
version: v1.edp.epam.com/v1
12+
name: keycloak
13+
displayName: keycloak
14+
description: Keycloak instance baseline configuration
15+
- kind: ClusterKeycloak
16+
version: v1.edp.epam.com/v1alpha1
17+
name: clusterkeycloak
18+
displayName: clusterkeycloak
19+
description: Keycloak instance baseline configuration
20+
- kind: KeycloakAuthFlow
21+
version: v1.edp.epam.com/v1
22+
name: keycloakauthflows
23+
displayName: keycloakauthflows
24+
description: Keycloak AuthFlow Management
25+
- kind: KeycloakClient
26+
version: v1.edp.epam.com/v1
27+
name: keycloakpermissiontemplate
28+
displayName: KeycloakClient
29+
description: Keycloak client Management
30+
- kind: KeycloakClientScope
31+
version: v1.edp.epam.com/v1
32+
name: keycloakclientscope
33+
displayName: KeycloakClientScope
34+
description: Keycloak Client Scope Management
35+
- kind: KeycloakRealm
36+
version: v1.edp.epam.com/v1
37+
name: keycloakrealm
38+
displayName: KeycloakRealm
39+
description: Keycloak Realm Management
40+
- kind: KeycloakRealmComponent
41+
version: v1.edp.epam.com/v1
42+
name: keycloakrealmcomponent
43+
displayName: KeycloakRealmComponent
44+
description: Keycloak Realm Component Management
45+
- kind: KeycloakRealmGroup
46+
version: v1.edp.epam.com/v1
47+
name: keycloakrealmgroup
48+
displayName: KeycloakRealmGroup
49+
description: Keycloak Realm Group Management
50+
- kind: KeycloakRealmIdentityProvider
51+
version: v1.edp.epam.com/v1
52+
name: keycloakrealmidentityprovider
53+
displayName: KeycloakRealmIdentityProvider
54+
description: Keycloak Realm Identity Provider Management
55+
- kind: KeycloakRealmRole
56+
version: v1.edp.epam.com/v1
57+
name: keycloakrealmrole
58+
displayName: KeycloakRealmRole
59+
description: Keycloak Realm Role Management
60+
- kind: KeycloakRealmRoleBatch
61+
version: v1.edp.epam.com/v1
62+
name: keycloakrealmrolebatch
63+
displayName: KeycloakRealmRoleBatch
64+
description: Keycloak Realm Role Management in a batch mode
65+
- kind: KeycloakRealmUser
66+
version: v1.edp.epam.com/v1
67+
name: keycloakrealmuser
68+
displayName: KeycloakRealmUser
69+
description: Keycloak Realm User Management
70+
artifacthub.io/crdsExamples: |
71+
- apiVersion: v1.edp.epam.com/v1
72+
kind: KeycloakClientScope
73+
metadata:
74+
name: groups
75+
spec:
76+
name: groups
77+
realm: main
78+
description: "Group Membership"
79+
protocol: openid-connect
80+
protocolMappers:
81+
- name: groups
82+
protocol: openid-connect
83+
protocolMapper: "oidc-group-membership-mapper"
84+
config:
85+
"access.token.claim": "true"
86+
"claim.name": "groups"
87+
"full.path": "false"
88+
"id.token.claim": "true"
89+
"userinfo.token.claim": "true"
90+
- apiVersion: v1.edp.epam.com/v1
91+
kind: KeycloakClient
92+
metadata:
93+
name: argocd
94+
spec:
95+
advancedProtocolMappers: true
96+
clientId: agocd
97+
directAccess: true
98+
public: false
99+
secret: ''
100+
targetRealm: edp-delivery-main
101+
webUrl: https://argocd.example.com
102+
defaultClientScopes:
103+
- argocd_groups
104+
- apiVersion: v1.edp.epam.com/v1
105+
kind: KeycloakRealmGroup
106+
metadata:
107+
name: argocd-admins
108+
spec:
109+
clientRoles: null
110+
name: ArgoCDAdmins
111+
realm: main
112+
- apiVersion: v1.edp.epam.com/v1
113+
kind: KeycloakAuthFlow
114+
metadata:
115+
name: d1-auth-flow
116+
spec:
117+
realm: d2-id-k8s-realm-name
118+
alias: MyBrowser
119+
description: browser with idp
120+
providerId: basic-flow
121+
topLevel: true
122+
builtIn: false
123+
authenticationExecutions:
124+
- authenticator: "auth-cookie"
125+
priority: 0
126+
requirement: "ALTERNATIVE"
127+
- authenticator: "identity-provider-redirector"
128+
priority: 1
129+
requirement: "REQUIRED"
130+
authenticatorConfig:
131+
alias: my-alias
132+
config:
133+
"defaultProvider": "my-alias"
134+
- apiVersion: v1.edp.epam.com/v1
135+
kind: KeycloakRealmComponent
136+
metadata:
137+
name: kerberos-test
138+
spec:
139+
realm: d1-id-k8s-realm-name
140+
name: cr-kerb-test
141+
providerId: kerberos
142+
providerType: "org.keycloak.storage.UserStorageProvider"
143+
config:
144+
allowPasswordAuthentication: ["true"]
145+
cachePolicy: ["EVICT_WEEKLY"]
146+
debug: ["true"]
147+
editMode: ["READ_ONLY"]
148+
enabled: ["true"]
149+
evictionDay: ["3"]
150+
evictionHour: ["5"]
151+
evictionMinute: ["7"]
152+
kerberosRealm: ["test-realm"]
153+
keyTab: ["test-key-tab"]
154+
priority: ["0"]
155+
serverPrincipal: ["srv-principal-test"]
156+
updateProfileFirstLogin: ["true"]
157+
- apiVersion: v1.edp.epam.com/v1
158+
kind: KeycloakRealmIdentityProvider
159+
metadata:
160+
name: instagram-test
161+
spec:
162+
realm: d2-id-k8s-realm-name
163+
alias: instagram
164+
authenticateByDefault: false
165+
enabled: true
166+
firstBrokerLoginFlowAlias: "first broker login"
167+
providerId: "instagram"
168+
config:
169+
clientId: "foo"
170+
clientSecret: "bar"
171+
hideOnLoginPage: "true"
172+
syncMode: "IMPORT"
173+
useJwksUrl: "true"
174+
mappers:
175+
- name: "test3212"
176+
identityProviderMapper: "oidc-hardcoded-role-idp-mapper"
177+
identityProviderAlias: "instagram"
178+
config:
179+
role: "role-tr"
180+
syncMode: "INHERIT"
181+
- name: "test-33221"
182+
identityProviderMapper: "hardcoded-attribute-idp-mapper"
183+
identityProviderAlias: "instagram"
184+
config:
185+
attribute: "foo"
186+
"attribute.value": "bar"
187+
syncMode: "IMPORT"
188+
- apiVersion: v1.edp.epam.com/v1
189+
kind: KeycloakRealm
190+
metadata:
191+
name: d2-id-k8s-realm-name
192+
spec:
193+
id: d1-id-kc-realm-name
194+
realmName: d2-id-kc-realm-name
195+
keycloakOwner: main
196+
passwordPolicy:
197+
- type: "forceExpiredPasswordChange"
198+
value: "365"
199+
- type: "length"
200+
value: "8"
201+
realmEventConfig:
202+
adminEventsDetailsEnabled: false
203+
adminEventsEnabled: true
204+
enabledEventTypes:
205+
- UPDATE_CONSENT_ERROR
206+
- CLIENT_LOGIN
207+
eventsEnabled: true
208+
eventsExpiration: 15000
209+
eventsListeners:
210+
- jboss-logging
211+
- apiVersion: v1.edp.epam.com/v1
212+
kind: KeycloakRealmUser
213+
metadata:
214+
name: d1-user-test1
215+
spec:
216+
realm: d1-id-k8s-realm-name
217+
username: "john.snow13"
218+
firstName: "John"
219+
lastName: "Snow"
220+
email: "john.snow13@example.com"
221+
enabled: true
222+
emailVerified: true
223+
password: "12345678"
224+
keepResource: true
225+
requiredUserActions:
226+
- UPDATE_PASSWORD
227+
attributes:
228+
foo: "bar"
229+
baz: "jazz"
230+
- apiVersion: v1.edp.epam.com/v1
231+
kind: Keycloak
232+
metadata:
233+
name: my-keycloak
234+
spec:
235+
secret: my-keycloak-secret
236+
url: https://example.com
237+
- apiVersion: v1.edp.epam.com/v1
238+
kind: KeycloakRealmRoleBatch
239+
metadata:
240+
name: myrole
241+
spec:
242+
realm: main
243+
roles:
244+
- attributes: null
245+
composite: true
246+
composites: null
247+
description: default developer role
248+
isDefault: false
249+
name: developer
250+
- attributes: null
251+
composite: true
252+
composites: null
253+
description: default administrator role
254+
isDefault: false
255+
name: administrator
256+
- apiVersion: v1.edp.epam.com/v1
257+
kind: KeycloakRealmRole
258+
metadata:
259+
name: realmrole
260+
spec:
261+
attributes: null
262+
composite: true
263+
composites: null
264+
description: default developer role
265+
name: developer
266+
realm: main
267+
- apiVersion: v1.edp.epam.com/v1alpha1
268+
kind: ClusterKeycloak
269+
metadata:
270+
name: keycloak-sample
271+
spec:
272+
secret: secret-name-in-operator-ns
273+
url: https://keycloak.example.com
274+
artifacthub.io/images: |
275+
- name: keycloak-operator:1.23.0
276+
image: epamedp/keycloak-operator:1.23.0
277+
artifacthub.io/license: Apache-2.0
278+
artifacthub.io/links: |
279+
- name: KubeRocketCI Documentation
280+
url: https://docs.kuberocketci.io
281+
- name: EPAM SolutionHub
282+
url: https://solutionshub.epam.com/solution/kuberocketci
283+
artifacthub.io/operator: "true"
284+
artifacthub.io/operatorCapabilities: Deep Insights
285+
apiVersion: v2
286+
appVersion: 1.23.0
287+
description: A Helm chart for KubeRocketCI Keycloak Operator
288+
home: https://docs.kuberocketci.io/
289+
icon: https://docs.kuberocketci.io/img/logo.svg
290+
keywords:
291+
- authentication
292+
- authorization
293+
- edp
294+
- idp
295+
- keycloak
296+
- oauth
297+
- oidc
298+
- operator
299+
- saml
300+
- sso
301+
maintainers:
302+
- email: SupportEPMD-EDP@epam.com
303+
name: epmd-edp
304+
url: https://solutionshub.epam.com/solution/kuberocketci
305+
- name: sergk
306+
url: https://github.com/SergK
307+
name: keycloak-operator
308+
sources:
309+
- https://github.com/epam/edp-keycloak-operator
310+
type: application
311+
version: 1.23.0
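Review bot: this Chart.yaml is vendored verbatim from upstream by the Makefile in this commit, so the points below should be raised upstream rather than patched locally. Under `artifacthub.io/crds` the `KeycloakClient` entry carries `name: keycloakpermissiontemplate`, which does not match its kind (every other entry uses the lower-cased kind). The `crdsExamples` embed credentials inline, `password: "12345678"` on the KeycloakRealmUser and `clientSecret: "bar"` on the KeycloakRealmIdentityProvider, even though the changelog at the top of the same file advertises defining the KeycloakRealmUser password in a Kubernetes Secret; the example users will copy is the one that should show the Secret reference. `clientId: agocd` on the KeycloakClient example looks like a typo for the `argocd` used in its metadata name. Finally `artifacthub.io/images` references `epamedp/keycloak-operator:1.23.0` by mutable tag only, so consumers pinning the operator image should resolve it to a digest.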
