diff --git a/helm/keycloak/Chart.yaml b/helm/keycloak/Chart.yaml
index 4c610249..999acf80 100644
--- a/helm/keycloak/Chart.yaml
+++ b/helm/keycloak/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
 name: sso-keycloak
-version: 0.1.7
+version: 0.1.8
 appVersion: 0.1.0
 description: Open Source Identity and Access Management For Modern Applications and Services
diff --git a/helm/keycloak/README.md b/helm/keycloak/README.md
index 6a62fe3d..d5fd9238 100644
--- a/helm/keycloak/README.md
+++ b/helm/keycloak/README.md
@@ -72,3 +72,6 @@ The following table lists the configurable parameters of the Keycloak chart and
 - The helm chart installs two `Secret` k8s objects:
   1. `-admin-secret`: it stores the Keycloak admin password.
   1. `-jgroups`: it stores the Keycloak cluster jgroups password.
+
+- k8s resource object label conventions
+  1. see https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels
diff --git a/helm/keycloak/templates/NOTES.txt b/helm/keycloak/templates/NOTES.txt
index 2a32146d..15960e66 100644
--- a/helm/keycloak/templates/NOTES.txt
+++ b/helm/keycloak/templates/NOTES.txt
@@ -1,4 +1,7 @@
-To get your password for admin run:
+To get your username & password for admin run:
+
+  # admin username
+  ADMIN_USERNAME=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "sso-keycloak.fullname" . }}-admin-secret -o jsonpath="{.data.username}" | base64 --decode)
 
   # admin password
-  ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "..fullname" . }}-admin-secret -o jsonpath="{.data.password-admin}" | base64 --decode)
+  ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "sso-keycloak.fullname" . }}-admin-secret -o jsonpath="{.data.password}" | base64 --decode)
diff --git a/helm/keycloak/templates/_helpers.tpl b/helm/keycloak/templates/_helpers.tpl
index 55851fdb..e9a7349a 100644
--- a/helm/keycloak/templates/_helpers.tpl
+++ b/helm/keycloak/templates/_helpers.tpl
@@ -3,14 +3,14 @@
 {{/*
 Expand the name of the project.
 */}}
-{{- define "..project" -}}
+{{- define "sso-keycloak.project" -}}
 {{- default .Chart.Name .Values.project | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "..name" -}}
+{{- define "sso-keycloak.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
@@ -19,7 +19,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "..fullname" -}}
+{{- define "sso-keycloak.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
@@ -35,12 +35,28 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "..chart" -}}
+{{- define "sso-keycloak.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
 {{/*
-Create data url
+Common labels
 */}}
-{{- define "..databaseurl" -}}
-{{- printf "host=%s port=%s dbname=%s user=%s password=%s sslmode=require" .Values.postgresql.host .Values.postgresql.port .Values.postgresql.database .Values.postgresql.username .Values.postgresql.password -}}
-{{- end -}}
+{{- define "sso-keycloak.labels" -}}
+project: {{ include "sso-keycloak.project" . }}
+release: {{ .Release.Name }}
+helm.sh/chart: {{ include "sso-keycloak.chart" . }}
+{{ include "sso-keycloak.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "sso-keycloak.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "sso-keycloak.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/helm/keycloak/templates/deployment.yaml b/helm/keycloak/templates/deployment.yaml
index 986c7317..415f7ead 100644
--- a/helm/keycloak/templates/deployment.yaml
+++ b/helm/keycloak/templates/deployment.yaml
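Review bot: The new `sso-keycloak.selectorLabels` define carries only a two-word comment, yet deployment.yaml feeds it into `spec.selector.matchLabels`, which the API server treats as immutable once the Deployment exists, so the comment should say which keys may live here. Suggested header in place of `Selector labels`: `Selector labels: used for spec.selector.matchLabels and Service selectors; immutable on a live Deployment, so keep to stable identity keys (name/instance) and never add chart-, version- or release-varying values`. `sso-keycloak.labels` also emits both `release:` and `app.kubernetes.io/instance:` with the same `.Release.Name` and an unprefixed `project:`; presumably those legacy keys are kept for the NetworkPolicy's `project` selector, and a one-line comment saying so would stop the next maintainer from pruning them.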
@@ -1,26 +1,15 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "..fullname" . }}
-  labels:
-    app.kubernetes.io/name: {{ include "..name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    helm.sh/chart: {{ include "..chart" . }}
-    project: {{ include "..project" . }}
+  name: {{ include "sso-keycloak.fullname" . }}
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "..name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-      project: {{ include "..project" . }}
+    matchLabels: {{ include "sso-keycloak.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      labels:
-        app.kubernetes.io/name: {{ include "..name" . }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
-        project: {{ include "..project" . }}
+      labels: {{ include "sso-keycloak.labels" . | nindent 8 }}
     spec:
       containers:
       - name: {{ .Chart.Name }}
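Review bot: `spec.selector.matchLabels` now renders only `app.kubernetes.io/name` and `app.kubernetes.io/instance`, whereas the removed lines also selected on `project`; the selector of an apps/v1 Deployment is immutable, so `helm upgrade` of a release that already owns this Deployment will be rejected with a field-is-immutable error until the object is deleted and recreated. Either keep the selector identical by adding `project: {{ include "sso-keycloak.project" . }}` to the `sso-keycloak.selectorLabels` define in _helpers.tpl, or state the required recreate in the README and NOTES alongside the 0.1.8 bump. Separately, the pod template labels now pull in `sso-keycloak.labels`, which includes `helm.sh/chart` and `app.kubernetes.io/version`, so every chart version bump changes the template hash and triggers a full rollout even when nothing else changed; acceptable, but it is a behaviour change from the old name/instance/project-only pod labels and worth a comment. The container spec continues past the end of this hunk.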
@@ -90,22 +79,36 @@ spec:
           value: {{ .Values.postgres.port | quote }}
         # DB Credentials
         - name: DB_USERNAME
+          {{- if and .Values.postgres.credentials.secret .Values.postgres.credentials.usernameKey }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.postgres.credentials.secret }}
+              key: {{ .Values.postgres.credentials.usernameKey }}
+          {{- else -}}
           value: {{ .Values.postgres.credentials.adminUsername }}
+          {{- end }}
         - name: DB_PASSWORD
+          {{- if and .Values.postgres.credentials.secret .Values.postgres.credentials.passwordKey }}
           valueFrom:
             secretKeyRef:
               name: {{ .Values.postgres.credentials.secret }}
               key: {{ .Values.postgres.credentials.passwordKey }}
+          {{- else -}}
+          value: {{ .Values.postgres.credentials.adminPassword }}
+          {{- end }}
         - name: DB_DATABASE
           value: {{ .Values.postgres.dbName }}
         # DB Admin Credentials
         - name: SSO_ADMIN_USERNAME
-          value: admin
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "sso-keycloak.fullname" . }}-admin-secret
+              key: username
         - name: SSO_ADMIN_PASSWORD
           valueFrom:
             secretKeyRef:
-              name: {{ include "..fullname" . }}-admin-secret
-              key: password-admin
+              name: {{ include "sso-keycloak.fullname" . }}-admin-secret
+              key: password
         # DB POOL SIZES
         - name: DB_MIN_POOL_SIZE
           value: {{ .Values.postgres.poolSize.min | quote }}
@@ -115,7 +118,7 @@ spec:
         - name: JGROUPS_CLUSTER_PASSWORD
           valueFrom:
             secretKeyRef:
-              name: {{ include "..fullname" . }}-jgroups
+              name: {{ include "sso-keycloak.fullname" . }}-jgroups
               key: cluster-password
         # Additional server startup options (extension of JAVA_OPTS)
         - name: JAVA_OPTS_APPEND
@@ -124,7 +127,7 @@ spec:
           value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
         {{- if .Values.pingService.enabled }}
         - name: OPENSHIFT_DNS_PING_SERVICE_NAME
-          value: {{ include "..fullname" . }}-ping
+          value: {{ include "sso-keycloak.fullname" . }}-ping
         - name: OPENSHIFT_DNS_PING_SERVICE_PORT
           value: {{ .Values.pingService.port | quote }}
         {{- end }}
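Review bot: Both new `{{- else -}}` lines trim the newline and indentation that follow them, so whenever `postgres.credentials.secret` or the matching `*Key` is unset (the shipped values.yaml leaves `secret:` empty) the fallback renders as `- name: DB_USERNAMEvalue: postgres` on a single line and the manifest is invalid. Drop the right-hand dash, `{{- else }}`, in both places so the following `value:` line keeps its own line and indent. The fallback branch also writes the database password as a plain-text `value:` into the Deployment spec, readable by anyone who can get pods or deployments, and renders it unquoted so a numeric or boolean-looking password changes type; use `value: {{ .Values.postgres.credentials.adminPassword | quote }}` and document the plain-value path as a local-development-only option. The env list continues beyond this hunk.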
@@ -166,7 +169,7 @@ spec:
       {{- if .Values.persistentLog.enabled }}
       - name: logs-volume
         persistentVolumeClaim:
-          claimName: {{ include "..fullname" . }}-logs
+          claimName: {{ include "sso-keycloak.fullname" . }}-logs
       {{- end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
diff --git a/helm/keycloak/templates/network-policies/intra-project-comms.yaml b/helm/keycloak/templates/network-policies/intra-project-comms.yaml
index da196d67..00d3d03a 100644
--- a/helm/keycloak/templates/network-policies/intra-project-comms.yaml
+++ b/helm/keycloak/templates/network-policies/intra-project-comms.yaml
@@ -2,16 +2,15 @@
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: {{ include "..project" . }}-intra-project-comms
-  labels:
-    project: {{ include "..project" . }}
+  name: {{ include "sso-keycloak.project" . }}-intra-project-comms
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
 spec:
   podSelector:
     matchLabels:
-      project: {{ include "..project" . }}
+      project: {{ include "sso-keycloak.project" . }}
   ingress:
   - from:
     - podSelector:
         matchLabels:
-          project: {{ include "..project" . }}
+          project: {{ include "sso-keycloak.project" . }}
 {{- end }}
diff --git a/helm/keycloak/templates/pvc-logs.yaml b/helm/keycloak/templates/pvc-logs.yaml
index 7fa22dc3..7adb14ec 100644
--- a/helm/keycloak/templates/pvc-logs.yaml
+++ b/helm/keycloak/templates/pvc-logs.yaml
@@ -2,7 +2,8 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "..fullname" . }}-logs
+  name: {{ include "sso-keycloak.fullname" . }}-logs
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
   annotations:
     volume.beta.kubernetes.io/storage-class: {{ .Values.persistentLog.storageClassName }}
 spec:
diff --git a/helm/keycloak/templates/route.yaml b/helm/keycloak/templates/route.yaml
index a4b007ef..b1da5072 100644
--- a/helm/keycloak/templates/route.yaml
+++ b/helm/keycloak/templates/route.yaml
@@ -1,13 +1,8 @@
 apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
-  name: {{ include "..fullname" . }}
-  labels:
-    app.kubernetes.io/name: {{ include "..name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    helm.sh/chart: {{ include "..chart" . }}
-    project: {{ include "..project" . }}
+  name: {{ include "sso-keycloak.fullname" . }}
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
   annotations:
     haproxy.router.openshift.io/balance: roundrobin
     haproxy.router.openshift.io/disable_cookies: 'true'
@@ -21,4 +16,4 @@ spec:
   {{ end }}
   to:
     kind: Service
-    name: {{ include "..fullname" . }}
+    name: {{ include "sso-keycloak.fullname" . }}
diff --git a/helm/keycloak/templates/secret.yaml b/helm/keycloak/templates/secret.yaml
index da811ca6..328e1805 100644
--- a/helm/keycloak/templates/secret.yaml
+++ b/helm/keycloak/templates/secret.yaml
@@ -1,29 +1,21 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "..fullname" . }}-admin-secret
-  labels:
-    app.kubernetes.io/name: {{ include "..name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    helm.sh/chart: {{ include "..chart" . }}
-    project: {{ include "..project" . }}
+  name: {{ include "sso-keycloak.fullname" . }}-admin-secret
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": "pre-install"
     "helm.sh/hook-delete-policy": "before-hook-creation"
 type: Opaque
 data:
-  password-admin: {{ randAlphaNum 32 | b64enc | quote }}
+  username: {{ randAlphaNum 8 | b64enc | quote }}
+  password: {{ randAlphaNum 32 | b64enc | quote }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "..fullname" . }}-jgroups
-  labels:
-    app: {{ include "..fullname" . }}
-    chart: {{ include "..chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+  name: {{ include "sso-keycloak.fullname" . }}-jgroups
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": "pre-install"
     "helm.sh/hook-delete-policy": "before-hook-creation"
diff --git a/helm/keycloak/templates/service-app.yaml b/helm/keycloak/templates/service-app.yaml
index de6dc1fe..b7775c06 100644
--- a/helm/keycloak/templates/service-app.yaml
+++ b/helm/keycloak/templates/service-app.yaml
@@ -1,13 +1,8 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "..fullname" . }}
-  labels:
-    app.kubernetes.io/name: {{ include "..name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    helm.sh/chart: {{ include "..chart" . }}
-    project: {{ include "..project" . }}
+  name: {{ include "sso-keycloak.fullname" . }}
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
   annotations:
     {{- if .Values.tls.enabled }}
     service.alpha.openshift.io/serving-cert-secret-name: {{ .Values.tls.httpsSecret }}
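Review bot: The admin Secret keeps `helm.sh/hook: pre-install` with `before-hook-creation`, and both `username` and `password` are now produced by `randAlphaNum` at render time, so the template should say what that implies for the credential lifecycle: per Helm's hook semantics the object is not part of the release, is left behind by `helm uninstall`, and is regenerated with fresh random values on the next install. If the Keycloak database persists across such a reinstall, the admin user created on first boot presumably keeps the original credentials while this Secret and NOTES.txt report new ones — confirm against the image's first-boot behaviour before relying on the NOTES output. Suggested comment above `data:`: `# username/password are generated once per install (pre-install hook); they are not rotated on upgrade and the Secret is not removed by helm uninstall`.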
@@ -24,6 +19,4 @@ spec:
       name: http
       targetPort: http
   {{ end }}
-  selector:
-    app.kubernetes.io/name: {{ include "..name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+  selector: {{ include "sso-keycloak.selectorLabels" . | nindent 4 }}
diff --git a/helm/keycloak/templates/service-ping.yaml b/helm/keycloak/templates/service-ping.yaml
index 190f9015..abbb48ac 100644
--- a/helm/keycloak/templates/service-ping.yaml
+++ b/helm/keycloak/templates/service-ping.yaml
@@ -2,13 +2,8 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "..fullname" . }}-ping
-  labels:
-    app.kubernetes.io/name: {{ include "..name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    helm.sh/chart: {{ include "..chart" . }}
-    project: {{ include "..project" . }}
+  name: {{ include "sso-keycloak.fullname" . }}-ping
+  labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
   annotations:
     description: "The JGroups ping port for clustering."
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
@@ -22,7 +17,5 @@ spec:
       name: ping
       targetPort: ping
       protocol: TCP
-  selector:
-    app.kubernetes.io/name: {{ include "..name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+  selector: {{ include "sso-keycloak.selectorLabels" . | nindent 4 }}
 {{- end }}
diff --git a/helm/keycloak/values-6d70e7-test.yaml b/helm/keycloak/values-6d70e7-test.yaml
index 11d8444a..483526a2 100644
--- a/helm/keycloak/values-6d70e7-test.yaml
+++ b/helm/keycloak/values-6d70e7-test.yaml
@@ -1,7 +1,9 @@
 replicaCount: 5
 
+project: sso-keycloak
+
 image:
-  tag: 7.4-37-rc.2
+  tag: 7.4-37-rc.3
 
 service:
   type: ClusterIP
@@ -11,8 +13,8 @@ postgres:
   host: sso-pgsql-master-test
   credentials:
     secret: sso-pgsql-test
-    admin:
-      secret: sso-admin-test
+    usernameKey: app-db-username
+    passwordKey: app-db-password
 
 tls:
   enabled: true
diff --git a/helm/keycloak/values-c6af30-dev.yaml b/helm/keycloak/values-c6af30-dev.yaml
index 504d6af7..85fc5389 100644
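Review bot: `project: sso-keycloak` in values-6d70e7-test.yaml is redundant: `sso-keycloak.project` falls back to `.Chart.Name`, which Chart.yaml sets to `sso-keycloak`, so the rendered `project` label is unchanged by this line. If the intent is to pin the label independently of a future chart rename, a comment saying so would justify keeping it; otherwise drop the two added lines. The other hunks here (Service selector consolidation and the test credential keys) look consistent with the helper rename.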
--- a/helm/keycloak/values-c6af30-dev.yaml
+++ b/helm/keycloak/values-c6af30-dev.yaml
@@ -13,7 +13,7 @@ postgres:
   host: sso-patroni
   credentials:
     secret: sso-patroni
-    adminUsername: postgres
+    usernameKey: username-superuser
     passwordKey: password-superuser
 
 tls:
diff --git a/helm/keycloak/values.yaml b/helm/keycloak/values.yaml
index 091da82f..57117c11 100644
--- a/helm/keycloak/values.yaml
+++ b/helm/keycloak/values.yaml
@@ -29,9 +29,11 @@ postgres:
   dbName: rhsso
   port: 5432
   credentials:
-    secret: sso-pgsql
-    adminUsername: postgres
+    secret:
+    usernameKey: username-superuser
     passwordKey: password-superuser
+    adminUsername: postgres
+    adminPassword: postgres
   poolSize:
     min: 5
     max: 20
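Review bot: `adminUsername: postgres` and `adminPassword: postgres` ship a well-known default database credential in values.yaml, and deployment.yaml renders both as plain `value:` env entries whenever `secret:` is empty, which is exactly the default this hunk sets. Prefer an empty default, `adminPassword: ""`, with a comment such as `# adminUsername/adminPassword are used only when credentials.secret is unset and are rendered in clear text into the Deployment; set credentials.secret plus usernameKey/passwordKey outside local development`, so a forgotten override fails to connect instead of silently using postgres/postgres. `secret:` with no value parses as null; write `secret: ""` to make the intended empty string explicit and keep the `and` guard in deployment.yaml unambiguous.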