Merge pull request #84 from bcgov/chore/terraform

Chore/terraform

helm/keycloak/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 name: sso-keycloak
-version: 0.1.7
+version: 0.1.8
 appVersion: 0.1.0
 description: Open Source Identity and Access Management For Modern Applications and Services

helm/keycloak/README.md

@@ -72,3 +72,6 @@ The following table lists the configurable parameters of the Keycloak chart and
 - The helm chart installs two `Secret` k8s objects:
   1. `<release-name>-admin-secret`: it stores the Keycloak admin password.
   1. `<release-name>-jgroups`: it stores the Keycloak cluster jgroups password.
+
+- k8s resource object label conventions
+  1. see https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels

helm/keycloak/templates/NOTES.txt

@@ -1,4 +1,7 @@
-To get your password for admin run:
+To get your username & password for admin run:
+
+    # admin username
+    ADMIN_USERNAME=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "sso-keycloak.fullname" . }}-admin-secret -o jsonpath="{.data.username}" | base64 --decode)
 
     # admin password
-    ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "..fullname" . }}-admin-secret -o jsonpath="{.data.password-admin}" | base64 --decode)
+    ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "sso-keycloak.fullname" . }}-admin-secret -o jsonpath="{.data.password}" | base64 --decode)

helm/keycloak/templates/_helpers.tpl

@@ -3,14 +3,14 @@
 {{/*
 Expand the name of the project.
 */}}
-{{- define "..project" -}}
+{{- define "sso-keycloak.project" -}}
 {{- default .Chart.Name .Values.project | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "..name" -}}
+{{- define "sso-keycloak.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
@@ -19,7 +19,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "..fullname" -}}
+{{- define "sso-keycloak.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
@@ -35,12 +35,28 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "..chart" -}}
+{{- define "sso-keycloak.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
 {{/*
-Create data url
+Common labels
 */}}
-{{- define "..databaseurl" -}}
-{{- printf "host=%s port=%s dbname=%s user=%s password=%s sslmode=require" .Values.postgresql.host .Values.postgresql.port .Values.postgresql.database .Values.postgresql.username .Values.postgresql.password -}}
-{{- end -}}
+{{- define "sso-keycloak.labels" -}}
+project: {{ include "sso-keycloak.project" . }}
+release: {{ .Release.Name }}
+helm.sh/chart: {{ include "sso-keycloak.chart" . }}
+{{ include "sso-keycloak.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "sso-keycloak.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "sso-keycloak.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

helm/keycloak/templates/deployment.yaml

@@ -1,26 +1,15 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "..fullname" . }}
-  labels:
-    app.kubernetes.io/name: {{ include "..name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    helm.sh/chart: {{ include "..chart" . }}
-    project: {{ include "..project" . }}
+  name: {{ include "sso-keycloak.fullname" . }}
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "..name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-      project: {{ include "..project" . }}
+    matchLabels: {{ include "sso-keycloak.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      labels:
-        app.kubernetes.io/name: {{ include "..name" . }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
-        project: {{ include "..project" . }}
+      labels: {{ include "sso-keycloak.labels" . | nindent 8 }}
     spec:
       containers:
         - name: {{ .Chart.Name }}
@@ -90,22 +79,36 @@ spec:
               value: {{ .Values.postgres.port | quote }}
             # DB Credentials
             - name: DB_USERNAME
+              {{- if and .Values.postgres.credentials.secret .Values.postgres.credentials.usernameKey }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.postgres.credentials.secret }}
+                  key: {{ .Values.postgres.credentials.usernameKey }}
+              {{- else -}}
               value: {{ .Values.postgres.credentials.adminUsername }}
+              {{- end }}
             - name: DB_PASSWORD
+              {{- if and .Values.postgres.credentials.secret .Values.postgres.credentials.passwordKey }}
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.postgres.credentials.secret }}
                   key: {{ .Values.postgres.credentials.passwordKey }}
+              {{- else -}}
+              value: {{ .Values.postgres.credentials.adminPassword }}
+              {{- end }}
             - name: DB_DATABASE
               value: {{ .Values.postgres.dbName }}
             # DB Admin Credentials
             - name: SSO_ADMIN_USERNAME
-              value: admin
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "sso-keycloak.fullname" . }}-admin-secret
+                  key: username
             - name: SSO_ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "..fullname" . }}-admin-secret
-                  key: password-admin
+                  name: {{ include "sso-keycloak.fullname" . }}-admin-secret
+                  key: password
             # DB POOL SIZES
             - name: DB_MIN_POOL_SIZE
               value: {{ .Values.postgres.poolSize.min | quote }}
@@ -115,7 +118,7 @@ spec:
             - name: JGROUPS_CLUSTER_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "..fullname" . }}-jgroups
+                  name: {{ include "sso-keycloak.fullname" . }}-jgroups
                   key: cluster-password
             # Additional server startup options (extension of JAVA_OPTS)
             - name: JAVA_OPTS_APPEND
@@ -124,7 +127,7 @@ spec:
               value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
             {{- if .Values.pingService.enabled }}
             - name: OPENSHIFT_DNS_PING_SERVICE_NAME
-              value: {{ include "..fullname" . }}-ping
+              value: {{ include "sso-keycloak.fullname" . }}-ping
             - name: OPENSHIFT_DNS_PING_SERVICE_PORT
               value: {{ .Values.pingService.port | quote }}
             {{- end }}
@@ -166,7 +169,7 @@ spec:
         {{- if .Values.persistentLog.enabled }}
         - name: logs-volume
           persistentVolumeClaim:
-            claimName: {{ include "..fullname" . }}-logs
+            claimName: {{ include "sso-keycloak.fullname" . }}-logs
         {{- end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:

helm/keycloak/templates/network-policies/intra-project-comms.yaml

@@ -2,16 +2,15 @@
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: {{ include "..project" . }}-intra-project-comms
-  labels:
-    project: {{ include "..project" . }}
+  name: {{ include "sso-keycloak.project" . }}-intra-project-comms
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
 spec:
   podSelector:
     matchLabels:
-      project: {{ include "..project" . }}
+      project: {{ include "sso-keycloak.project" . }}
   ingress:
   - from:
     - podSelector:
         matchLabels:
-          project: {{ include "..project" . }}
+          project: {{ include "sso-keycloak.project" . }}
 {{- end }}

helm/keycloak/templates/pvc-logs.yaml

@@ -2,7 +2,8 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "..fullname" . }}-logs
+  name: {{ include "sso-keycloak.fullname" . }}-logs
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
   annotations:
     volume.beta.kubernetes.io/storage-class: {{ .Values.persistentLog.storageClassName }}
 spec:

helm/keycloak/templates/route.yaml

@@ -1,13 +1,8 @@
 apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
-  name: {{ include "..fullname" . }}
-  labels:
-    app.kubernetes.io/name: {{ include "..name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    helm.sh/chart: {{ include "..chart" . }}
-    project: {{ include "..project" . }}
+  name: {{ include "sso-keycloak.fullname" . }}
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
   annotations:
     haproxy.router.openshift.io/balance: roundrobin
     haproxy.router.openshift.io/disable_cookies: 'true'
@@ -21,4 +16,4 @@ spec:
     {{ end }}
   to:
     kind: Service
-    name: {{ include "..fullname" . }}
+    name: {{ include "sso-keycloak.fullname" . }}

helm/keycloak/templates/secret.yaml

@@ -1,29 +1,21 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "..fullname" . }}-admin-secret
-  labels:
-    app.kubernetes.io/name: {{ include "..name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    helm.sh/chart: {{ include "..chart" . }}
-    project: {{ include "..project" . }}
+  name: {{ include "sso-keycloak.fullname" . }}-admin-secret
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": "pre-install"
     "helm.sh/hook-delete-policy": "before-hook-creation"
 type: Opaque
 data:
-  password-admin: {{ randAlphaNum 32 | b64enc | quote }}
+  username: {{ randAlphaNum 8 | b64enc | quote }}
+  password: {{ randAlphaNum 32 | b64enc | quote }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "..fullname" . }}-jgroups
-  labels:
-    app: {{ include "..fullname" . }}
-    chart: {{ include "..chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+  name: {{ include "sso-keycloak.fullname" . }}-jgroups
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": "pre-install"
     "helm.sh/hook-delete-policy": "before-hook-creation"

helm/keycloak/templates/service-app.yaml

@@ -1,13 +1,8 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "..fullname" . }}
-  labels:
-    app.kubernetes.io/name: {{ include "..name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    helm.sh/chart: {{ include "..chart" . }}
-    project: {{ include "..project" . }}
+  name: {{ include "sso-keycloak.fullname" . }}
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
   annotations:
     {{- if .Values.tls.enabled }}
     service.alpha.openshift.io/serving-cert-secret-name: {{ .Values.tls.httpsSecret }}
@@ -24,6 +19,4 @@ spec:
       name: http
       targetPort: http
       {{ end }}
-  selector:
-    app.kubernetes.io/name: {{ include "..name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+  selector: {{ include "sso-keycloak.selectorLabels" . | nindent 4 }}

helm/keycloak/templates/service-ping.yaml

@@ -2,13 +2,8 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "..fullname" . }}-ping
-  labels:
-    app.kubernetes.io/name: {{ include "..name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    helm.sh/chart: {{ include "..chart" . }}
-    project: {{ include "..project" . }}
+  name: {{ include "sso-keycloak.fullname" . }}-ping
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
   annotations:
     description: "The JGroups ping port for clustering."
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
@@ -22,7 +17,5 @@ spec:
       name: ping
       targetPort: ping
       protocol: TCP
-  selector:
-    app.kubernetes.io/name: {{ include "..name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+  selector: {{ include "sso-keycloak.selectorLabels" . | nindent 4 }}
 {{- end }}

helm/keycloak/values-6d70e7-test.yaml

@@ -1,7 +1,9 @@
 replicaCount: 5
 
+project: sso-keycloak
+
 image:
-  tag: 7.4-37-rc.2
+  tag: 7.4-37-rc.3
 
 service:
   type: ClusterIP
@@ -11,8 +13,8 @@ postgres:
   host: sso-pgsql-master-test
   credentials:
     secret: sso-pgsql-test
-  admin:
-    secret: sso-admin-test
+    usernameKey: app-db-username
+    passwordKey: app-db-password
 
 tls:
   enabled: true

helm/keycloak/values-c6af30-dev.yaml

@@ -13,7 +13,7 @@ postgres:
   host: sso-patroni
   credentials:
     secret: sso-patroni
-    adminUsername: postgres
+    usernameKey: username-superuser
     passwordKey: password-superuser
 
 tls:

helm/keycloak/values.yaml

@@ -29,9 +29,11 @@ postgres:
   dbName: rhsso
   port: 5432
   credentials:
-    secret: sso-pgsql
-    adminUsername: postgres
+    secret:
+    usernameKey: username-superuser
     passwordKey: password-superuser
+    adminUsername: postgres
+    adminPassword: postgres
   poolSize:
     min: 5
     max: 20